This blog was written by Wayne Anderson, previous Enterprise Security Architect at McAfee.
Recently the Straight Talk Insights team at HCL Technologies invited a social panel to discuss a critical question at the center of today’s digital transitions: How do companies target investments and change the culture to avoid being the next victim of a cyberattack?
In Part I of the series, we explored IT security trends for 2019 and ways companies can protect themselves from IoT device vulnerability. Today, we’re continuing the discussion by exploring the threat of cryptocrime, the nature of cybersecurity threats in the near future, and the steps that small- and medium-sized businesses can take to protect themselves.
Q3: How great is the threat to companies of “crypto crime”?
The thing about ransomware is that it’s no longer the province of specific groups. At the RSA Conference this year, McAfee’s own Raj Samani shared the advent of the franchise model in crypto crime. As a result, we are seeing greater reach, but less unique systems applying ransomware. Still, we see the enterprises failing in the same ways year after year and falling victim to these families of ransomware at scale.
As you seek to conquer incident response as an effective plank of mitigating the effect of phishing and initial ransomware infections—I’d ask, how does your incident response change in the cloud? Do you have incident response resources and provisions for SaaS vs. IaaS? How do you get the logs and resources that you need from cloud providers to effectively investigate and ensure you have identified all affected nodes, or the initial attack vector? The time to figure out that question isn’t during time-compressed investigation stages when everyone is under stress from an active threat.
With the recent third anniversary of No More Ransom, security leaders like Raj Samani and the companies that make up partnerships like that of the No More Ransom website can help offer basic protection for some forms of ransomware. In this joint project with Europol and AWS, it’s been an amazing journey to watch and even invest in helping protect businesses against ransomware.
Q4: How can small businesses with limited resources protect the privacy of their customers?
The dwell time of threats in small and medium businesses is 45 to 800 days, with the averages moving more towards the latter. Cloud based information security SaaS (Software as a Service) is helping to level the playing field. To make continued progress, venture capital backing small firms, and the public buying from these companies, need to assert an expectation of security as part of doing business.
Many restaurants and retail establishments are still small businesses today, run by families and individuals. In many of these stores, there is a certain level of distrust of cloud and connected platforms, versus point-of-sales systems they can put their hands on and feel like they have control over. How do we gain the trust and their attention to of these small stakeholders, help them either more strongly secure things in-house or make the move to cloud security services? We can’t just have an answer that demands $4,000 or $40,000 to make the fix. Instead we have to find every possible opportunity to go serverless and make more and more walled garden capability for things like point of sale, or small engineering platform.
When it comes to small businesses interconnecting systems and moving into cloud services for consumers, these small companies holding identities is a challenge from a trust perspective. Forums and programs like the OpenID technologies providing standards and enabling identity without spreading the authorization infrastructure unnecessarily has been instrumental in constraining the size of this problem.
Security spans everything. There are basic exercises that you can do as business customers to check your readiness. I am a huge fan of SOAPA from ESG as a method of mapping what assets you have at different levels of the organization. Ask yourself a basic question -can you keep control integrity when you go from one “tower” —like on-premise—of connected capability to mapping the other silos or major cloud environments of your hybrid company? I’d also add it costs nothing to follow some of your favorite security personalities. I follow people like Cisco’s Wendy Nather and Kate Moussouris, the CEO of Luta Security who is helping even small companies understand the market of bug bounties and vulnerability disclosure.
Here, too, public policy potentially has a natural role. Government requires health training, for example in a restaurant, but not information security necessarily at small- and medium-sized business. Actually, the natural consequences and motivations of insurance companies can be an ally here, requiring training in basic computer hygiene, security, and privacy as part of issuing liability policies for businesses.
Q5: What are some new cybersecurity threats that we can expect to see in the next year?
I expect to see the rise of more significant exploitation of the “seams” in cloud integrations. The recent CapitalOne breach was relatively benign in the scheme of things. The actor was a braggart hacktivist, but the media coverage emphasized the weakness of cloud integrations to many who might have more capability. We’ve seen spikes in discussion in the dark web around this, so the profile of the cloud vulnerability is higher, and now we will have to see how the cat-and-mouse game between offense and defense proceeds.
I think it’s worth adding, the next threat isn’t as much the challenge to me, as the enterprise reaching the next run of maturity in the digital environment. Asset management, vulnerability reduction, and preparing the protection of cloud operations and visibility are all critical disciplines for the enterprise, no matter what the threat is.
Protect your devices. Protect your cloud—not in silos, but with an integrated strategy. Demand from your vendors the ability to integrate to maintain a cohesive threat picture which you can use to easily react.
To read Part I of this two-part series, click here.
About the Author
Categories: Cloud Security