Kevin Coleman

Fresh approach to cybersecurity needed

Training must keep pace with the evolution of the cyber threat environment

The threats we face in cyberspace continue to advance at a breakneck pace, and that is perhaps the biggest problem for those trying to secure our systems. Without a uniformly accepted set of metrics as a standard, it is nearly impossible to accurately gauge any change in volume, sophistication or success rate. There are indications that the overall cost of cyberattacks on organizations has increased significantly this year to what some believe to be an all-time high.

We buy a firewall, install antivirus, apply patches and respond to cybersecurity events. That is the current cybersecurity approach for the vast majority of organizations, and some don’t do all that. 




I am bothered by the growing frequency, level of sophistication and the type and volume of information stolen. I am most bothered by the seemingly continuous increase in cyber insecurity that is being driven by acts of cyber stupidity. Users continue to be fooled by e-mails with malicious links, fake security warnings on their screen and other common cyberattack modalities. I am not talking about the ultra-sophisticated attacks. I am talking about the things you could put under the heading of “we should have known better.”

The cyberattack vector I worry about most is insiders. By most accounts, they are by far the most damaging. In a recent conversation with a chief information security officer of a critical infrastructure provider, I showed him a stack of faxes (1.75 inches tall) that had come in over the past six weeks that were stacked up in plain view on a desk in a cubicle that was unassigned. These faxes contained sensitive but unclassified information. I should also mention that a number of CDs were in plain view in cubicles on multiple floors during the cybersecurity scan. This is just inviting a problem; it only takes seconds to pick these items up. We get sloppy and make mistakes because security is not in the frontal lobes of the average user’s mind.

A change must take place in our approach to cybersecurity. We must integrate training with ongoing reinforcement of security policies and procedures. To do this, we must modify our mental models. Training is not an event; it is an ongoing process that must keep pace with the evolution of the cyber threat environment.  That mindset is very rare these days, but it must become part of the fabric of security – both physical and cyber.

“Due to the cat and mouse nature of cybersecurity, there is no such thing as completing your training,” says Art Payne, the senior vice president and cofounder of cybersecurity training services provider Cypherpath.

That statement represents words security trainers should live by. Here are a few suggestions for how to manage information security in organizations:

  • Put together a training matrix that identifies departments and job titles and what information security training they need. Then train the users to that matrix.
  • Offer brown bag lunches where security officials present relevant topics that are in the news.
  • Modernize your cyber defense technologies and put in place a budget that supports integration of new and improved cyber defense capabilities.

Implementing these three simple measures would bring the current level of cyber insecurity to a much more acceptable level. Here is the best part about it: two of the three cost nothing but an investment of a few hours of time from your cybersecurity staff. As for number three: you would not occupy an office that did not have locks on the doors, a physical security alarm system and other protections appropriate to safeguard your corporate assets, would you? Then why do we have a different standard when it comes to cybersecurity and protecting our digital assets? It is just that simple.

Reader Comments

Tue, Nov 29, 2011 Patrick

When our policy from the top at DoD is that it's OK to touch Facebook, Myspace, etc., then we have to be prepared to accept the consequences.

Mon, Nov 28, 2011 J Walker Michigan

The insider threat is great for 2 reasons: the potential of an insider to intentionally compromise corporate assets; and the potential for an insider to inadvertently compromise corporate assets due to Cybersecurity ignorance. That's why ongoing employee awareness training is so important. One way to keep up with current cyber trends is to keep up with security blogs such as http://anythingcyber.blogspot.com

Thu, Nov 10, 2011

Agreed that a fresh approach is needed to include training. Just as important, we also need a fresh approach when it comes to the actual technology that users need every day to reduce the attack surface and provide more automated protection for them regardless of their skill level, training, etc. The patching model simply does not work in today's world to keep pace with daily interconnected operations and number of attacks. The cyberattack scenarios that you mention are because executables are allowed by the OS. Perhaps there is a better security model we should be looking at to mitigate and prevent advanced persistent threats contained in the malicious links. For instance, immutable firmware kernel read, verified boot, advanced sandboxing, that denies executables at all times with a clean slate upon boot. See http://www.youtube.com/watch?v=A9WVmNfgjtQ
