Industry discusses biggest threats and trends in cybersecurity
NASDAQ and National Cyber Security Alliance Summit panel hits on everything from IoT to CISO and board of directors engagement
Last week my colleague Alex Mosher participated in a panel at the National Cyber Security Alliance (NCSA) and Nasdaq Cybersecurity Summit discussing the biggest threats and trends in cybersecurity with Cisco, Carbon Black and Symantec (LifeLock). The dialog was interesting and enlightening, so I thought I’d share with you some of the questions and panel responses. You also can view the entire summit, which included a fireside chat with Maureen Ohlhausen, Acting Chairwoman of the Federal Trade Commission, and another panel discussing how to operationalize a cybersecurity risk management strategy.
What is one threat that is impacting everyone but not getting enough attention?
Responses ranged from “malvertising” (malware in advertising) to the Internet of Things (IoT). With respect to IoT, many devices run old components, software and systems, and they were never intended to connect to the internet. By nature, they’re vulnerable and can open doors to sensitive data.
How does IoT change the threat environment? And how should IoT threats be evaluated?
IoT can be weaponized, as seen in a recent DDoS attack, but not everyone is thinking about devices as a weapon. For example, is security for a doorbell really going to be top of mind when installed by the consumer? Is IT security top of mind for the doorbell manufacturer?
“Things” should be viewed as an identity that potentially could be exploited; they must be managed and secured. Organizations need to think about how devices are connecting. Are the APIs controlled? And if there is a human connection, what is the interaction and how do I secure it?
What about ransomware?
Ransomware is not new, but today there is more opportunity to use this attack vector. There’s more online that we absolutely must have access to, and therefore many are willing to pay the ransom. But payment isn’t a solution. There is still an unauthorized entity that has access to your data.
Why would an attacker be interested in me?
According to the 2016 Verizon Data Breach Investigations Report, 63 percent of all confirmed breaches use lost, stolen or weak credentials as an attack vector. Every employee or contractor – whether it’s the CEO, someone in sales or a vendor in charge of facilities – represents an opportunity for a bad actor to compromise their credential and identity. Once that happens, the attacker can take his time within the system to escalate access and privilege to the point where he has root control over the most sensitive IT systems.
That is why an attacker is interested in you. You represent an entry point for the attacker.
What should the board of directors do about security? What does the security team need from the board for success?
The CISO-to-board relationship has grown, and it’s now OK to say, “it’s not a matter of if we’ll be breached, but when.” The board needs to measure security by how quickly the team knows about an incident and how effectively it responds. Time to detection should be a boardroom report.
That security report to the board also should address how security is contributing to revenue generation. Security systems such as identity and access management streamline consumer engagement with the business, making experiences positive and free of friction and unnecessary security interruptions.
What’s the one thing to take away from today that could make security better?
For the business, protect your privileged user access. This is the access that a bad actor aspires to gain as they work through a system elevating privilege along the way. For the consumer, turn on two-factor authentication.
What do you think is the biggest threat to IT security in 2017? Share your response!