Top Threats to Business Data Security Today
To kick off National Cybersecurity Awareness Month, iCorps hosted a cybersecurity summit with industry experts from Microsoft, Sophos, Datto, and Mimecast. The panelists covered everything from social engineering to the importance of multi-factor authentication. Couldn't make it? In this three-part blog series, we recap the central topics covered at the event. The first question posed to panelists: What are the top three threats to data security today?
Chris Stephenson, moderator, iCorps Technologies: What are the top three threats to data security today?
Alan Toews, panelist, Sophos: I think the #1 threat is user behavior, because they are the first line of attack. If users are not educated, and are susceptible to just clicking on links that show up in their inbox, you have to react to a threat that's just gotten into your network.
Ben Darsigny, panelist, Mimecast: I think the most dangerous threats are not just traditional URL based attacks, but those based in social engineering. These days you're getting a lot of attackers who are very knowledgeable and take the time to craft their attacks. They target an individual who is out there and available on the internet, whether it's LinkedIn, Facebook, a company website, et cetera. They make it very difficult to recognize when one of these attacks is happening, versus getting an email from someone they trust. So the use of that to steal credentials, and get into the broader network has the biggest impact among the attacks that we see today.
Michael DePalma, panelist, Datto: This is what organized crime has shifted to because there is so much money to be made, and very little risk of getting caught, especially with the prevalence of Bitcoin and other cybercurrency. We're seeing foreign governments get into this, terrorist groups. That's why they're so sophisticated—because everything is connected. We hear about the "internet of things" and it has become kind of an annoying term at this point. But it's true—you can get in from anywhere. And their intentions are often much more devious than just trying to exploit a few thousand dollars.
Laura MacDonald, panelist, Microsoft: What we're talking about is stealing data, but too many organizations don't know what data they have. They don't know where it is or how to classify it. So once they get through the first layer of the user, if you don't have a data management or data classification program, you're really setting yourself up for failure. GDPR is subject to that. It's not just about whether data is stolen, and how to respond. Now, any citizen in the EU can reach out and say "You need to tell me where this is, and you need to do it quickly."
Jeffrey Lauria, panelist, iCorps Technologies: So we talk about three pieces. Users are first and foremost the front line. The second thing is shadow IT and cloud services. To Laura's point, we don't know where the data is, or where it sits. Users aren't trying to be malicious. They're trying to be productive. In an organization you may be using Office 365 and SharePoint, but someone is using Box. You don't know what data is sitting there.
So controlling the data and understanding where it is, is essential. And the third part is having your team, and your organization, adopt security. It is amazing today that I will go in and talk to business leaders who are not using multi-factor authentication (MFA). MFA is the single biggest thing that you can do to protect not only users, but data itself.
Stephenson: 90% of the world's data was created in the last three years. That's how rapidly we are generating content. How do you help and educate your customers about this?
MacDonald: So DLP, data loss prevention, is a term that's been out there for a very long time. At Microsoft we've built it right into the data itself. It's within the email and Office docs. We just announced, last week, that Adobe has the data classification built in. Should it get out, only those with access can actually access it. Start with your crown jewels, the content that is critical, then work backwards.
Darsigny: We're in a pretty unique position because we're often doing the gateway security, both inbound and outbound, and archiving for our customers. That means all the security information cataloged in the gateway is tied back to the email and the archive, which we let our customers keep indefinitely. So we have an audit trail of the history of that entire message. Not only where it came from, but where it is going, and what policies were applied to it. In that way, we're keeping a full audit log of everything that has ever happened to your users through email. So we're providing that piece of the puzzle for our customers. And I think that kind of approach is what needs to be done on a full scale basis within an organization, using a few different tools.
Toews: I live on the network side of things at Sophos—we handle the firewall product lines and firewall management, so when I look at things and where data lives, it's not so much looking at how documents are created or handled themselves, but instead acting as a gatekeeper. You see where data is either entering or exiting the network. And that's your point of interaction, where you can inspect and make decisions—should this go out or not. One of the approaches that we have taken with customers is to say, what if we just encrypt everything? So that when things leave the network, it is done safely.
That is an approach that we have seen, and it has been very successful for us. It's interesting in that it takes a different look at the equation and says - instead of looking at that data and having to identify if it is safe or isn't, let's just blanket say it's not worth it. Let's protect everything and then, at the gateway, we can make decisions about whether traffic is going to leave, and if this is something you want to share or not. It puts it in the users' hands a little better.
Lauria: When you are working with a third party vendor, and you ask them about their applications, one of the things you want to be aware of is that a lot of companies will use other people's certifications. So when you're working with third party vendors there are a couple of questions you need to ask: what do you do? Can I see your controls? Are you having vulnerability tests? When's the last time you had a security professional come in and look at your organization? So when you work with your vendors, you have to do that. Security, backing up, that is all on you. If you're running remote desktop, multi-factor, ultimately that is your security shelter.
Multi-factor authentication (MFA) is a security system that asks users to input additional forms of authentication after a password when signing into email, networks, etc. Panelists discuss the importance of MFA and how to implement it correctly.
Stephenson: Would you speak to the importance of multi-factor authentication?
MacDonald: If you try to use multi-factor authentication for everything that employees are using, they're going to get tired. They're going to go around you. It's just not going to work. So, there is a concept called "conditional access" which analyzes the user, the device they're on, the location. If the user is in the office, on a device they always use, and their identity does not appear to be compromised, then MFA is not required. If they're on their grandmother's computer in China then they will absolutely need to use MFA. The one difference would be privileged identities. With privileged identities you need to reduce the number of administrators, and ensure they are using MFA.
Lauria: A very bad practice I see a lot is when people's in-house account is a privileged account. Because it's a lot easier not having to maintain two accounts. Let's say there's a ransomware attack. We know that ransomware is generally limited to whatever it can get its hands on. Well, if you're an administrator with a privileged account, it got its hands on everything. That is something we see time and time again. People use privileged accounts when they shouldn't.
Attendee question: How do the recent chip vulnerabilities, Meltdown and Spectre, affect this? Because in that case it's not the user.
Toews: This becomes a maturity process for the chip vendors. To be building and accounting for the needs of, and finding new ways to optimize performance that don't use these techniques.
Lauria: There are always going to be vulnerabilities. There are always going to be flaws. Obviously patch systems when you can, but all these systems and vulnerabilities need an avenue in which to be executed. And as long as you're aware of what that avenue is, you can craft your defense. Security is not a set it and forget it industry. It is a day in, day out job. Stay aware of what is emerging. This doesn't have to be complicated - it can be a daily RSS feed in your inbox that looks at what's happening outside the United States. In Europe, in India, etc.
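The conditional access approach MacDonald describes, and Lauria's point about privileged accounts, can be expressed as a small policy engine. The following is an added example written for this recap, not code from Microsoft, iCorps or any panelist; the trusted network ranges, role names, risk signal names and sample sign-ins are constructed assumptions, and the choice to block (rather than step up) a sign-in whose credential is known to be leaked is a design decision of the example.

```python
"""Conditional-access style MFA decision: skip the second factor only for a
low-risk sign-in (trusted network, recognised compliant device, no risk
signals) and always require it for privileged identities.

Added example; names, ranges and signals below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed trusted egress ranges: office NAT and the corporate VPN pool.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
# Assumed role names that count as privileged identities.
PRIVILEGED_ROLES = {"global-admin", "exchange-admin", "security-admin"}


@dataclass(frozen=True)
class SignIn:
    user: str
    roles: frozenset
    source_ip: str
    device_id: Optional[str]      # None when the device is unknown or unenrolled
    device_compliant: bool        # e.g. disk encryption on, OS patched
    risk_signals: Tuple[str, ...] = ()   # e.g. ("impossible_travel",)


def in_trusted_network(ip: str) -> bool:
    """True when the source address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def decide(s: SignIn, known_devices: Dict[str, Set[str]]) -> Tuple[str, List[str]]:
    """Return ("allow" | "mfa" | "block", reasons).

    Privileged identities never get the MFA exemption; everyone else is exempt
    only when every signal is clean. A credential already known to be leaked is
    blocked outright (design choice of this example) because a second factor
    does not make the password usable again."""
    if s.roles & PRIVILEGED_ROLES:
        return "mfa", ["privileged identity"]
    if "leaked_credential" in s.risk_signals:
        return "block", ["credential known to be compromised"]

    reasons: List[str] = [f"risk signal: {r}" for r in s.risk_signals]
    if s.device_id is None or s.device_id not in known_devices.get(s.user, set()):
        reasons.append("unrecognised device")
    elif not s.device_compliant:
        reasons.append("device not compliant")
    if not in_trusted_network(s.source_ip):
        reasons.append("outside trusted network")
    return ("mfa" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    known = {"alice": {"laptop-1"}}
    samples = [
        SignIn("alice", frozenset(), "203.0.113.10", "laptop-1", True),
        SignIn("alice", frozenset(), "8.8.8.8", "laptop-1", True),
        SignIn("alice", frozenset(), "203.0.113.10", None, False, ("impossible_travel",)),
        SignIn("bob", frozenset({"global-admin"}), "203.0.113.10", "laptop-9", True),
        SignIn("alice", frozenset(), "203.0.113.10", "laptop-1", True, ("leaked_credential",)),
    ]
    for s in samples:
        action, why = decide(s, known)
        print(f"{s.user:6} {s.source_ip:14} -> {action:5} {'; '.join(why)}")
```

Run it directly to see the decisions for the constructed sign-ins; in practice the policy inputs (device inventory, network ranges, risk signals) come from the identity provider, and the point of the structure is that the exemption is the exception that has to be earned, not the default.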
No sugarcoating it, the cloud is now the place to do business. A well-run cloud platform can be more secure than a typical on-premises system, but to many would-be adopters it's still an unknown. Panelists discuss how to successfully migrate to the cloud, how it keeps your data safe and secure, and how it increases business productivity.
Stephenson: The cloud has become the place to do business. What security issues are business owners facing there, from a disaster recovery, data storage, or email standpoint? How are these considerations addressed in a cloud migration?
Darsigny: One of our biggest hurdles was getting people comfortable with the cloud. Microsoft has made that conversation so much easier. But it does come with a new set of risk factors because you don't own the infrastructure anymore. There are a lot of great reasons to - it's a lot easier, and it can be more cost effective, but you can no longer go to a data center or server room and get your hands on the issue. So that requires an added layer of oversight, something else that you can rely on in that situation, whether it's a high availability solution or security tool.
Toews: A lot of companies are moving portions of their data centers to the cloud, but are not always thinking about the consistency of their security policies across these platforms. They will still have something on-premise, and something in the cloud, but they may end up with disparate tools to manage both, and inconsistent policies. When they go to make a change they may forget about one, or the other. Usually the cloud.
You need to make sure you are looking at your tools in the cloud and on-premise as much as possible. You want to manage all of those policies from a single point where you have visibility and consistency, and you don't have gaps and missteps just from excessive complexity. The point is to simplify your life, not complicate your infrastructure policy in the process.
MacDonald: What is the one common denominator when talking about how this data is being accessed? It's an identity. So I have to look at my security posture through the lens of an identity, and make my risk decisions from that standpoint.