All hands on deck: IT security is everyone’s responsibility
This feature first appeared in the Summer 2015 issue of Certification Magazine.
When news about data breaches becomes so commonplace that the incidents all seem to blur together, that’s when you know a shift needs to take place within the culture of business. Throwing up your hands and saying, “Well, these things happen,” isn’t going to cut it. These breaches are no longer quiet, isolated incidents perpetrated by bored script kiddies against easy marks — data theft is an incredibly lucrative business, and sophisticated professional cybercriminals won’t hesitate to exploit even the most intimidating of targets.
Targets like the IRS. In March, IT security journalist Brian Krebs ran a story about a man who went to file his taxes electronically, only to be told by the IRS that his taxes were already filed. Someone had already claimed his return and routed the funds to a different bank account. The attacker was able to obtain the man’s W-2 from the previous year, adjust the financial numbers slightly, and then use this to file the new year’s return.
Obtaining a report of a prior year’s taxes was possible by using the “Get Transcript” feature on the IRS’s website. Although the IRS imposed multi-step authentication measures with this feature, including asking for personal information (Social Security number [SSN], street address, etc.), the attacker was able to answer these questions and was given access to the transcript. Later in May, the IRS disclosed that around 100,000 taxpayer accounts were involved in a breach using similar tactics — and in response, the IRS shut down the “Get Transcript” function on their website. In total, the attacker(s) stole about $50 million in tax refunds.
In June, another high-profile target revealed that it had been breached: the U.S. Federal Government. The Office of Personnel Management (OPM), which handles information about the nation’s civil servants, including security clearance, suffered an intrusion in April. Attackers were able to steal the personally identifiable information (PII) of 4 million members of the federal workforce. The PII included sensitive information such as SSNs, birthdates, arrest records, health-related records and more.
Just a week after acknowledging this breach, the OPM revealed that it had been attacked again. The second wave of attackers was able to access and exfiltrate a document called Standard Form 86, a questionnaire for those applying to federal security positions. While claiming that encryption would not have prevented the breach, OPM admitted that some of its legacy systems were not fully equipped to handle data encryption. The cost of this intrusion is not immediately identifiable, but it’s not a stretch to imagine attackers manipulating this PII data or using it for extortion.
Today’s Inadequate Cybersecurity Culture
If customers are losing confidence in organizations that handle their personal information, you can’t really blame them. After all, the current cybersecurity culture in most organizations — governmental or otherwise — seems to come in three equally inadequate flavors: willful ignorance; the general apathy of a “someone else will handle it” attitude; or the idea that old-school solutions are all you need to stop the modern cybercriminal.
The first flavor is self-evidently destructive: Our world is so interconnected, so always online, that intrusions are laughably easy in the face of zero security. All it takes is an attacker with motivation and a competency in computers; no genius black hats are necessary.
But what about the attitude of deferring your security, or expecting someone else to do all the work for you? There’s certainly merit in outsourcing your cybersecurity operations to a firm that specializes in defense, but all too often organizations will just take an “out of sight, out of mind” approach. They’ll ignore crucial facts about security, including the idea that the weakest link in any enterprise is the human being. Without adequate training, personnel are easy prey for social engineers who can employ any number of deceptive tactics to find a way into your sensitive systems.
Likewise, a security firm won’t necessarily be in complete control when it comes to your other assets. Take the cloud, for instance. Your data is stored on servers all across the world, owned by some third-party provider. How can you prevent a system you don’t even control from being breached? Security is an immediate issue, not one to be offloaded and forgotten.
You may be taking security as an idea seriously, but that doesn’t mean your execution is doing the job. The pervasive notion that “the firewall will protect us” highlights how, in the minds of many professionals, security is completely divorced from technology. The truth is, cybercriminals haven’t necessarily been waiting around, looking for ways to find flaws in your firewall or any other such old-school control. They’ve been discovering other ways, and using new technology to break into your systems and cause havoc.
While your firewall plays one important role in your overall security platform, it is not a panacea. Basic firewalls can only provide a moderate amount of access control from outside the network — they’re useless against a wide variety of internal threats, as well as external threats that operate at higher layers of the network. Your network cannot rely on a single control for its security, especially if that control hasn’t evolved to match the ingenuity of modern cybercriminals.
A Holistic Approach to Cybersecurity
So how do we learn from the IRS, the White House, and every other organization that’s been making headlines due to breaches? A change in cybersecurity culture is a must, and that change should start with taking to heart the mantra that IT security is everyone’s responsibility. By virtue of everyone participating in the process, the organization patches any gaping holes that attackers will inevitably find.
Even personnel who have no IT expertise need to be trained on the basics of safe browsing, e-mail and mobile device usage. Social engineers have a field day with untrained personnel who have key access to sensitive information and systems — and all of the technical controls in the world won’t do your organization any good if an attacker uses your own people against you.
Aside from getting their personnel trained, organizations should establish and disseminate clear, helpful security policies for all users to follow. It’s not just a matter of liability — by making your expectations official, you engender a culture in which everyone understands exactly why they need to be involved in the security process and the role they play.
For IT personnel, having the proper initiative and equipment is vital. As before, it’s not enough to adopt a “set the firewall and forget it” approach. A successful security architecture requires a heavy dose of monitoring. In particular, the idea of continuous monitoring will allow you to detect and respond to issues as soon as they arise.
This proactive approach to monitoring can go a long way in minimizing the damage an attack might cause. Your systems are likely to be constantly in flux, and even if they aren’t, attackers are coming up with new ways to compromise them. That’s why it’s important to establish monitoring that is ongoing and can adapt to a variety of changes. Continuous monitoring can seem daunting, but there are plenty of tools and platforms out there that will help your IT teams automate and optimize the work required.
Of course, it doesn’t help to think that just because you have trained personnel and implemented a continuous monitoring plan, that your organization is bulletproof. No matter how refined your security may be, there are no 100 percent guarantees that you’ll be protected from a breach. A big part of a successful cybersecurity culture is being realistic, and being realistic involves having a response plan in place in case an incident does occur.
This plan should clearly prescribe how your organization responds to a breach, how it can contain or mitigate that breach, and how it can recover. Your incident response team will handle most of the grunt work, but your other personnel still need to know how they should or should not proceed in the wake of an incident. Preparing for the scenario that every organization dreads is a necessary precaution — it can ensure the continuity of business operations and preserve stakeholders’ confidence.
Cybersecurity Training Certifications
Organizations may lack a strong cybersecurity culture, but they can hardly blame that on a lack of training and certifications. There are plenty of programs out there that can prepare individuals in the field, as well as certify their security knowledge and skills on several different levels.
From a vendor-neutral perspective, Logical Operations’ CyberSec First Responder: Threat Detection and Response (CFR) certification is targeted toward working cybersecurity professionals. Incident responders, forensic analysts, penetration testers, and network defense personnel can all benefit. It features live practice with proactive security tools like Kali Linux, one of the most widely recognized cybersecurity platforms. CFR also provides hands-on training for a comprehensive set of security practitioner skills, including network analysis, log analysis, threat analysis, forensic analysis, and more.
CompTIA is another provider of vendor-neutral IT security certifications, with CompTIA Security+ and CompTIA Advanced Security Practitioner (CASP). (ISC)² has had an enormous presence in the market for years with its vendor-neutral Certified Information Systems Security Professional (CISSP) credential. Offensive Security Certified Professional (OSCP) is a certification that focuses on penetration testing using Kali Linux and its many open source tools.
If you’re looking for more vendor-specific security options, the Cisco Certified Network Associate (CCNA) Security and Cisco Certified Network Professional (CCNP) Security certifications focus on the design, implementation, and maintenance of Cisco networking devices in the context of defense. Symantec’s Symantec Certified Specialist (SCS) and Symantec Certified Professional (SCP) programs validate a candidate’s aptitude with one or more Symantec solutions, including those dealing with data protection and the high availability of storage systems.
It may help to contextualize these certifications in terms of the level of expertise they cover. Security+, for example, is a baseline certification aimed at existing entry-level IT professionals who need to take on basic security responsibilities. In contrast, CASP and CISSP are much more expert-oriented, higher-end security management certifications that require several years of prior cybersecurity experience. Logical Operations’ CFR falls somewhere in the middle of the professional spectrum, meeting the needs of active front-line security practitioners.
And let’s not forget the human factor! Non-expert, end-user programs like Logical Operations’ Certified CyberSAFE help an organization reinforce the idea that security is everyone’s responsibility. CyberSAFE trains and evaluates users on safe browsing habits, e-mail usage, and device security. It encourages best practices for users while highlighting the importance of complying with the organization’s own security policies.
To spark a positive change in cybersecurity culture, individuals and organizations alike should identify the gaps in their security activity and fill those gaps with the proper training and certification. An educated, capable workforce of security-conscious users and skilled security professionals is essential in defending your organization from attack.