Navigating the 2015 Fail Factors - Be security wise

In 2015, expect more business opportunities involving smarter technology and devices using robots and the Internet of Things (IoT). Users and business owners will become more demanding. Users demand better e-Service visuals and uncluttered service responses with their every online click. Business owners demand readily available competitive information and real time statistic to make better-informed decisions in prioritising their business roadmap. Business ventures and proposals not able to address fail factors with these "new normal" demands will be easily dumped and forgotten.

Build your security wise list
A smart person will give you smart answers, but a wise security person will ask you smart security questions. Start off by asking the below:

• Will being security wise matter to the business, senior management and users?
• Will security wisdom help the business avoid being the next Sony Pictures?
• Will security wisdom be realistic and achievable by the business?

The answer to all is Yes. The top on your security wisdom list is really to get senior executives' buy-in first. We should not put the cart in front of the horse and expect success. "Security wise" means educating the stakeholder, managing these risks diligently, assess the impact, formulate remediation measures and verify all deployed controls' effectiveness. Build up your security wise list. The business owns not only the promise of performance, but also the risks associated with it. Let's check out some security wisdom to improve our risk vigilance and stay threat-ready.

1 - Employ positive and actionable security strategy. Integrate security assessment into business innovations.
The defender is always at a disadvantage for timely response. Why? Adversaries lurk in the dark, strike any time, penetrate any place - all at their convenience.

• Traditional security point products (e.g. anti-virus and firewall) are no longer complete preventions against advanced attacks. Build security inside out by doing the first thing right.
• Identify early the missing security assurance activities in the project lifecycle. Introduce validation activity like interactive application abuse use cases that check and secure code into user acceptance test plans.
• Invest having a security mentor lead on related security requirements. Involve one as a problem solver, not a problem seeker.
• Practice both passive and active defending. Set up deterrence schemes to slow down intrusions. One instance for ease of deploying and gathering of intelligence can be the use of SmartHoneynet, a custom and quick undisclosed scheme to entice adversaries and analyse their modus operandi.

 
2 - Dovetail contextual intelligence with existing content based controls. Build threat-centric analysis.

• Watch for business operation anomalies. The existing anomalies detection mechanisms must be supplemented with content-based (IP addresses and port-based) analysis and tap more into contextual intelligence.
• Contextualise with user identity/role/location of activities and services consumed. Introduce into security information and event monitoring (SIEM) and breach detection technology.
• Employ the right analysis scheme. For example, use fingerprint-based for minimal coverage and signature bound threats, reputation-based for external and global real time threat feed coverage, anomaly-based for internal threat coverage and machine-learning-based for pre-emptive coverage.

 
3 - Embrace Mobile computing initiatives by enforcing app awareness and user identity as part of the delivery.
Mobile computing brings about multifaceted mobile threats. This includes the pervasive trojans tampering with transactions, ransomware bricking mobile devices, and point of sales and ticketing systems hijacked.

• Balance risk exposure of business mobile service such that its wide coverage does not lead to inadvertent exposure of personal details.
• Establish clear policies for "bring your own device (BYOD)" so end users are accountable for their actions. User can do their part to verify trusted apps and avoid untrusted mobile applications.

 
4 - People are the first line of security.
At the top of customers' and business owners' security concerns are massive data leaks and privacy compromises. Maintaining secure and safe service is a shared responsibility. Security technology can be bypassed; privileged users are closest to our sensitive asset. Customer can be part of our threat defense.

• Advocate use of multi-factor authentication. Enforce, at a minimum, two factor security keys for privileged users and high risk systems.
• Establish security awareness programmes and campaigns to encourage users to become cyber street wise. Involve everyone (including senior management) and have a plan. Always deliver clear and simple security messages.

 
5 - Dismantle silos of security and network operations. Coordinate workstreams.
Do you see different network and security operation centres such as NOC and SOC guarding their own turf and having disparate views during incident response activities? This requires a second look at how network and security operations are functioning. Sprawling operations centres across the organisation is not cost effective in the long run. Information flows are susceptible to misrepresentation and misinterpretation. Create a more synergistic environment.

• Tap each centre's technology strength to heighten overall situational awareness of security and operations goals. This can include centralising their piecemeal technologies and removing duplicated services. For example, security vulnerability management can be joined with the patch management regime.
• Harmonise relationship on how network health alerts can lead to potential security triggers. Sharpen the overall response with informed decisions by selecting a lead manager for collective security and network governance. Ensure closure (with sign from the systems owner) on all reported remediation actions.
• The technique is key and accurate analysis helps find the root source of penetration fast. However this cannot be achieved by optimising the existing lean resource with automated response technology to work hard and smart while the team focuses on containing and isolating the damage. Hexadite includes some interesting automated incident response strategy to help close the gap holistically with procedures best suited to the actual situation diagnosed.

 
6 - Stay informed and connected to security communities.
Being wiser also means being an extrovert, not a lone ranger. Be opportunistic by looking out for various innovation plans and proposals to consolidate security investments. Aim for "small" security wins in business by tapping into public-private sharing or crowd sourcing initiatives. The whole is greater than sum of parts.

• Extend monitoring for external threats. Tap into expert communities and experienced partners. Check out the Cybersecurity portal that provides rich resources to build up security capacity. Look into receiving online real threat intelligence feeds with threat exchange format. STIX is an accepted intelligence exchange standard.
• Take guidance from the NIST draft guide for information sharing relationships throughout the incident response life cycle. Explore into managed security service provider (MSSP) service offerings and seek advance notification or warning of impending attacks on indirect business dependences like shared infrastructure with related ISP, services of related partners, 3rd party contractors and customers.
• Exploit communities' expertise as an early warning "sensor" offering a bounty for finding vulnerabilities in your apps or online services. This provide a win-win with collaboration to close up any gap before the attacker finds it. One instance is HackerOne Internet Bounty program that serves as safe harbor for researchers to publish their findings.

 
7 - Ready and prepare for influx of Cloud services and outsourcing ventures.
This is a uphill task as businesses are constrained with limited internal resources and environmentally unfriendly energy hungry data centres. Hence, cloud and outsourcing services with some managed service provider becomes attractive to scale more gracefully. A trust relationship is pertinent to the whole engagement.

• Understand the variety of services offerings in the cloud. Decide what can and what should not be in the cloud. Identify and distinguish the risky elements and enforce clear policy and governance when "scaling out" to global market. You must have an understanding of the local authority's legal and compliance requirements affecting businesses.
• Build trusted data flow and service relationships. CloudFlow has created a framework for building distributed cloud applications based on trusted services that can be connected together to form processes and workflows spanning multiple providers.

 
8 - Secure business services in their "scaled-up" portfolio to an external entity.
Security should not be perceived to be selling fear. Although external risk is involved and can have detrimental impacts, we can assess the necessary security measures and demonstrate that with the right capabilities risk exposure can be mitigated. Importantly, this should not compromise owners' privilege in service access, user's privacy in using the services and legislatived compliance.

• Plan early and carefully. Protect "extended" business assets that are exposed to external threats such as DDoS. Consider content delivery networks that provide better user experience in a secure and resilient fashion.
• One key aspect is to ensure true identity of consumers using cloud services. Ensure users' and partners' identities and access right across the offered business services and maintain consistent authentication and authorisation schemes.
• Monitor privileged user and eliminate any Shadow IT (including unauthorised apps) existence as they are potential data leak channel.

 
9 -  Always (and always) verify and not assume trust.
Trust needs to be earned. Security needs to align with business goals. Scrutinise and assess the risk against the true business returns in using free and third party software against potential damages due to its vulnerability.

• Review and educate the owner on existing and new business initiatives about using open source software or bundled software.
• Sift out those free content management systems (CMS) as they are sweet spots for exploitation. They tend to the first spots an intruder tries to penetrate since there is no proper secure coding enforced and they always support many plug-ins including those patchy ones.
• Trust is important but without good means to roll out and guidelines to deploy correctly, you are hindered in the actual defense intended. There are many helpful guides published to aid the whole cyber ecosystem that proliferate the trust chain among all. Some include tutorials on handling malware including ransomware (from BleedingComputer and various known removal means compiled by researchers for ransomware) and compilation of the how-to turn on 2FA for various products.

 
10 - Be realistic: a "user friendly" business cannot run with security perfection.
Robbers and thieves never really need key to steal. They can persist and eventually can get to your crown jewels. Any intruder determined enough can learn fast, find out potential vulnerabilities and attempt to punch through the defenses. Furthermore, we ask ourselves, "Who guard the guards?" We should be prepared for unexpected, and ready with tested contingency plans.

• Spend more time on the validation and verification phases to ensure complete remediation to all discovered vulnerabilities prior to any production release. Seek verifiable test proof and signed off reports. Minimally ensure the use of recognised cryptography schemes instead of any proprietary security protocol.
• Stay ahead by looking at crowd sourcing, such as bounty services (researcher and whitehat community). These efforts promote responsible vulnerability disclosure to pre-empt business owners' concerns.
• Do not be "single tool" minded. The existence of Cyber range further examines the overall security testing effort to ensure consistent security claims from industry. It serves as another neutral checker. There are also recent open security tools like Google nogotofail and Firing Range, but they need time to mature for use.

 
Finally, resources are thin. Be "security wise" in grooming your supply of future security warriors. In fact, people are a necessary evil to businesses on our list of security wisdom. Security technologies and services are only as effective as the people who manage them. With a huge shortage of experienced security professionals, starting active recruitment initiatives will not help much with the depleted and drained resource pool. Instead, think long term; target the next cybersecurity generation by participating actively in scholarship sponsorship programmes. In Singapore most of major learning institutes have introduced cybersecurity courses and training to beef up supply of security expertise. The objective is also to nurture the next generation with correct security skills and ethics.