Protecting E-Commerce

By Karl J. Paloucek

What could we do to better secure our online markets?

In a cyberworld where breaches have become commonplace, we’re obviously doing something wrong. What needs to happen to make the online marketplace substantially more secure? We spoke with cybersecurity experts Jason Witty, Chief Information Security Officer for U.S. Bancorp, and Michael Phillips, Executive Vice President and Chief Information Security Officer of Rosenthal Collins Group LLC, for their insight into the sorts of solutions that retailers, financial services firms and other businesses should be not just considering, but integrating and implementing now.

Graphics by Mariah Beavers

What’s abundantly clear, first and foremost, is that “steadfastly guarding the citadel,” the dominant mindset of asset protection for millennia, is entirely outmoded. In this new and highly volatile threat environment one of the biggest mistakes is still our own hubris. “The biggest mistake I see companies making is assuming that it’s not going to happen to you,” Witty asserts. “That’s really number one. It needs to be, ‘assume it will’ and how are you going to deal with that type of thought process?”

“It’s clear that the perimeter tools aren’t preventing people from getting data,” Phillips confirms. “So this whole emphasis that the appliance makers and the technology makers are [about] — ‘Buy this tool to stop people from getting in’? People are getting in. But once they get in, and they get the credentials that they need, they’re going to try to get in, from that point. So the thing is, from my perspective, what can you do to prevent them from being effective once they’re inside?”

This is the new reality where security is concerned: The breach should be assumed to be inevitable. It’s what protocols are in place once the breach has occurred that will make the difference. So where do you begin to build and implement those protocols?

“The first step is pick a standard or framework, then start working through implementation of that, so you can have a relatively comprehensive program,” Witty says. “It’s not just one thing, it’s a series of layers. Assuming that any one given layer may have an issue, another layer is there to catch that, so that you’re able to keep the small things small when inevitable attacks happen.”

According to Witty, some homework is required, as there are a number of solid standards and frameworks to consider, from ISO 27002 and NIST 800-53 to the NIST Cybersecurity Framework, which was the result of a 2013 executive order to facilitate raising the bar on cybersecurity. “The NIST Cybersecurity Framework — which is a framework, not a standard — basically allows you to be fairly comprehensive at implementing an information security program, and really, doing five key things: identify, protect, detect, respond and recover,” Witty explains. “And then 98 control areas that are subordinate to those five key actions. [They] formulate a pretty comprehensive program if you’re able to do all of those 98 things. … The framework basically goes into 22 control categories within each of those five areas, and then 98 individual controls that roll up into those 22 control families. That’s a good way of ensuring that we are being comprehensive.”

As a chief information security officer, Phillips examines the problem from a slightly different perspective, but with no less insight. “It was the head of the NSA that said, ‘There are two types of companies — those that are hacked, and those who just don’t know they’re hacked already,’” he says. “If you take that as a premise, you have to then assume, OK, let me just operate as though they’re already in. … I monitor all privileged access, because the first thing someone wants to do when they’re in, they want to escalate their privileges so they can get a broader range of controls so they can actually get around, find stuff, then get it out. … We focus directly on all our privileged-access users. First, we minimize who has privileged access, and then we look at everything that they do, and then at alerts.”
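Phillips’ approach above (minimize the privileged set, record everything it does, alert on the rest) as an added example that is not code from the article or from Rosenthal Collins Group. The syslog-style sudo lines, the per-host allow-list and the escalation pattern are all constructed for illustration.

```python
"""Privileged-access monitoring over constructed sudo audit lines."""
import re

# Constructed sample records (not real hosts, users or commands).
SAMPLE_LOG = """\
Mar 03 09:12:01 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 03 09:14:22 web01 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo bob
Mar 03 09:15:40 db01 sudo: svc-backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/pg_dump orders
Mar 03 09:16:05 db01 sudo: carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 03 09:17:30 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/nginx/error.log
"""

# The minimized privileged set: which accounts may run as root, and on which hosts.
# Assumed values for the example; a real deployment would load this from its IAM source.
PRIVILEGED = {"alice": {"web01"}, "svc-backup": {"db01"}, "carol": {"db01"}}

# Commands that change who holds privilege, or read the credential store itself.
ESCALATION = re.compile(r"/(usermod|useradd|visudo|passwd|chmod)\b|/etc/(sudoers|shadow)")

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def review_privileged_access(log_text, privileged=PRIVILEGED):
    """Return (alerts, reviewed): alerts need a human now; reviewed is the
    routine activity of the privileged set, kept for periodic inspection."""
    alerts, reviewed = [], []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo record; other sources need their own parser
        user, host, cmd = m["user"], m["host"], m["cmd"]
        reasons = []
        if host not in privileged.get(user, set()):
            reasons.append("user not in the privileged set for this host")
        if ESCALATION.search(cmd):
            reasons.append("command changes privilege or reads credential store")
        record = {"ts": m["ts"], "host": host, "user": user, "cmd": cmd, "reasons": reasons}
        (alerts if reasons else reviewed).append(record)
    return alerts, reviewed


if __name__ == "__main__":
    found, routine = review_privileged_access(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['ts']} {a['host']} {a['user']}: {a['cmd']} ({'; '.join(a['reasons'])})")
    print(f"{len(routine)} routine privileged actions retained for review")
```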

It’s a highly technical job, but Phillips stresses that it is far from being solely an information technologist’s responsibility. “I think the first mistake a lot of folks make is thinking that, purely from an organizational perspective, that it’s strictly an I.T. problem,” he argues. “It’s technology’s issue — let them figure it out, right? I always told my boss that if I had a dollar, I’d spend 65 cents of it on the training, alone. Training, and actually testing that people took the training.”

The good news is that awareness and behavior are evolving. Many of the traps set by threat actors hoping to prey upon carelessness and ignorance are going untripped. “They say culture beats strategy all the time,” Phillips says. “It’s shifting the beliefs and the behaviors — that’s the culture you have to focus on. When I first started [at Rosenthal Collins Group], no one was really into security a lot. But now, everybody calls. ‘Hey, I just saw this thing — I didn’t want to click on it. I wanted to make sure there was not a problem.’ They’re all equally as paranoid as I was when I walked in the door, now, some years later. … People are very nervous about clicking on anything, and that’s what we want them to be. And then, even if they do, we do have some technology controls in place that they’re unaware of. I have an Internet proxy, so if it sees something trying to go to a known bad site, it just won’t let it out.”