I am sure that most of you will have come across the terms "Information Technology (IT) Security" and "Cybersecurity", but do you know the differences between them and the implications as the threats evolve? Find out more in this article on the different security approaches that should be adopted.
ITSec vs CSec
The reason I'm bringing this up is that the two terms are used interchangeably, and organizations set direction under both labels to enhance their overall security posture. But do we know what they mean and what they cover? You may be part of the team seeing the enhancement programme through, or an end user who may be affected directly or indirectly by the changes.
In fact, cybersecurity (CSec) is about the security of anything in the cyber realm, whilst information security (ITSec) is about the security of information regardless of the realm. Here is one short article that gives a quick explanation and appreciation of the two principles as defined by NIST and the Center for Cyber and Information Security. They set the stage for the later sections.
Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks.
Evolved Threat Landscape
Beyond the ITSec and CSec distinction, threats have evolved in sophistication, and with mobility and ever more systems and smart sensors getting interconnected, the game has changed tremendously. We can no longer be complacent that ITSec controls alone would be adequate to protect our data against these multi-faceted risks.
Key risk points
Data - Leakage due to sabotage by insider threats and poor oversight of a contractor's security hygiene
User - Identity theft due to unauthorized access by hackers; users remain the weakest link due to poor awareness
Application - Penetration attacks that gain internal access due to vulnerable and untested code being deployed
Machine - Malware exploiting an unpatched system and gaining a foothold for the hacker's remote command and control
Cyber arms race
If you recall the global spread of the NotPetya and WannaCry ransomware infections, both would probably have been contained if controls had been checked and systems patched in time.
Systems assumed to be well protected at the time of the attacks were not able to contain the spread of the damage.
The risk of collateral damage exists too, and it becomes drastic when critical infrastructure is not segregated from the affected systems and networks.
"Newly" acquired defenses seem to have no impact on preventing advanced cyber attacks, as the average time to detect a covert attack can still be months or years (not even days).
It is worrying. Re-examine your current ITSec effectiveness and invest in enhancing CSec as the way forward.
Current state in basic IT security
The strategy is to protect the data with a set of baseline controls standardized across IT client and server machines, and to put in place a set of process regimes to make sure the controls stay adequate and effective.
Data - Keep the content encrypted during exchanges and when stored locally on the machine
Users - Keep access control to two main account groups: users and administrators
Application - Keep the code's implementation separated across the different tiers and check to ensure it is free of bugs
Server - Keep up security hygiene, especially keeping AV signatures current and ensuring the latest available OS security fixes are applied
Network - Keep the network segmented using security devices and send alerts upon anomaly detection
These are basic checks and regimes to make sure data stays secure and safe. But are they good enough, as asked earlier? There are pitfalls to be cognizant of:
Next-generation firewalls and the latest anti-malware software cannot prevent insider threats (bad admin).
Perimeter defenses are no longer able to contain threats, as sensors and IoT devices create an avenue into the intranet.
Users are no longer the only weakest link. Outsourced contractors and third-party suppliers are part of the value chain.
Malware has gone "fileless", and no ready signature can be generated fast enough to prevent a data breach.
Enhanced state in Cybersecurity
In a CSec strategy, the various "actors" have transformed in scope, and the regimes need to be beefed up.
Data - Interconnectivity with external entities is becoming embedded, with no clear point-to-point connections formed; everything is meshed as one whole
User > People - There are third parties and suppliers, so grouping goes beyond just users and administrators
Application > Services - The development stack has moved to software as a service (SaaS) and is no longer monolithic
Server > System - There will be servers within servers through virtualization, which together form a system (of things)
Network > Platform - The segmentation forms a platform highway for a device to "ride" on the service bus
Control > Added Governance - Oversight to make sure risk controls stay effective is formalized and approved
Process > Added Assurance - Risk is managed through stringent security audits, scanning, reviews and validation
With these changes come new security technologies (like identity and privileged access management) and new risk-based regimes (like mandating that each system undergo criticality classification to prioritize the level of checks and layers of control needed).
In summary, this is to:
Form a governance team to provide oversight, and staff it so that management keeps the CIO/CISO involved for follow-up
Take a risk management approach; normal IT project management no longer suffices and needs to level up.
Coverage of the threats needs to include supply chain risk management across the whole value chain, not in silos.
Invest in and test for the right technology that helps reduce complexity; best of breed may not always fit
Technology automation is desirable, but do not neglect the need for expertise to lead the operation efficiently and provide accurate insights and situational awareness of the security posture
Know and be able to discover all assets, and develop a scorecard to track the compliance level on a regular basis to keep management updated
Contingency planning is important so always keep reviewing the business-continuity and crisis-management structures and continue to exercise these regimes for further improvement and familiarisation.
Attacks will continue to evolve and we need to continue to review our ITSec and CSec strategy. I hope the above helps to kick-start the conversation on the strategies.
A word of advice - Do not fret over surprises in cyberspace, as we will not be aware of everything upcoming. Align to the business context as you continue to push out more digitalized services and smart sensors. Tread with care and be aware that such smart devices, though they aid accurate decision-making, are also a vulnerable channel that hackers will strive to exploit to gain control over them for their own use. So be vigilant and harden these devices to protect their data with the RIGHT security.