Earlier this month, credit reporting company Equifax disclosed that hackers had accessed the names and social security numbers of approximately 143 million of its US customers.
The breach tarnished Equifax’s reputation, destroyed its stock and decimated its executive ranks. No one wants to be the next Equifax, and it’s a safe bet that at this very moment big and small businesses across the country are scrambling to bolster their cyber fortifications. It’s not an easy feat. But Steve Martino, chief information security officer at Cisco, has developed some clever techniques through years of fighting the bad guys.
Cisco employees are constantly kept on their toes as Martino probes them for weak spots and drills a defensive mindset into them.
Martino sat down with Business Insider to share some of his key tactics for creating an organization that won’t become the victim of the next big cyber attack. Here’s what he recommends:
Kill your click-throughs
In online business, big click-through rates are great: it means customers are clicking on links and web pages to buy stuff.
Inside a company though, high click-through rates can be deadly as a daily barrage of phishing emails and other nefarious tricks try to entice susceptible employees into clicking a dangerous link.
Martino sends out fake phishing emails to Cisco’s entire staff every quarter.
Anyone who clicks on the phishing link is brought to an employee training video that teaches them how to avoid engaging with suspicious emails in the future. The method works because it helps every employee understand their role in protecting the company against attacks.
“We’ve been able to reduce our click through rates by over 60% by giving them that training,” Martino says.
Protect your treasure
It’s extremely difficult to protect against every possible method of intrusion, so it’s best to focus on protecting the most important data. Figure out which customer and company data is most sensitive, as well as which portals of entry are most vulnerable, Martino advises.
“If you don’t know what your key things are, you’re trying to protect everything and you probably protect nothing,” he says.
Seek and destroy
Expect that attackers will get through some of the time and actively seek out the intruders.
“You have to recognize that in today’s interconnected world, no matter how much you deploy, mistakes will happen,” Martino says. From employees who click on phishing emails to programmers who build buggy software, human error is often at the heart of security failures.
“Hackers are dedicated and well-funded adversaries, and they’re going to find errors in software,” says Martino.
Because of this, it’s vital that security teams actively look for breaches that have already occurred. One way to do this is to choose cybersecurity tools that work together, so that when something goes wrong at one point in the security process, protections are in place to prevent it from going any further.
Practice “fire drills”
Every student and office worker knows how to get out of the building fast if there’s an emergency. The same should be true for responding to cyber threats.
Martino recommends that management teams set up a cybersecurity playbook with defined steps that the team needs to take should their worst nightmares come to fruition.
Once the playbook is established, and roles are doled out to the staff, companies should run drills for security breaches the way that schools run drills for fires: The more a company practices, the better prepared staffers are when something does go wrong.
Spread the word
While a playbook is vital for the cybersecurity team, it should also include prepared responses from other departments, especially the communications team.
Most states have security breach notification laws that require companies to disclose when consumers have been impacted by a hack.
Companies also need plans for how to notify their board of directors and other major stakeholders at the company.
And don’t forget to prep an apology statement to send to the press.
“If you don’t have a disaster response playbook, you’re going to try to make it up on the fly and make a lot of mistakes,” Martino says.
Nest is a type of home for a bird
GOOGLE OFFSHOOT Nest has announced a new range of products to help it limp back into the smart home market. The smart home pioneer has lost its mojo of late, with so many competitors in the space and a string of security issues, and is now playing catch up with a smart door lock made with Yale (which already has a range of them), an intruder alarm (of which there are myriad) and a video doorbell, which is essentially another camera with a button on it and unlikely to be better than the Ring range, which has a huge head start. The company, which made waves as the first popular ‘smart’ thermostat to reach the masses, went on to buy security firm Dropcam and has since moved its focus towards home security, particularly cameras.
Also on the list was an outdoor version of its IQ facial recognition camera, with HDR recording as you would find in a top-of-the-range telly (why?). However, unlike offerings from the likes of Netatmo, a subscription is required for facial recognition, and that’s on top of the over-the-odds pricing. A Nest Secure starter kit will be $499 (£368), and there are further charges if you want a mobile (SIM) backup system. It consists of “Detect” sensors, “Tag” keyfobs to arm and disarm, and “Guard”, which is a box that makes a noise.
It seems that Nest believes that it can trade on its name and its “Works with Nest” system, based on Google’s IoT infrastructure, but although the build quality of Nest products is excellent, the premium pricing will not be a lure to those being offered similar specs from other companies. The big selling point is the ability to control everything from a single app, but there are plenty of ways to do that now for far less money, without being locked into a system. The rest of the range has yet to be priced but will go on sale in November in the US.
UK release dates are as yet unknown.
Over a third of national critical infrastructure organisations in the UK (39%) have not completed basic cyber security standards issued by the UK government, according to data revealed under the Freedom of Information Act by Corero Network Security, a provider of real-time DDoS defence solutions. The fact that so many infrastructure organisations have not completed the 10 Steps to Cyber Security programme indicates a lack of cyber resilience within organisations which are critical to the functioning of UK society.
It also suggested that some of these organisations could be liable for fines of up to £17 million, or 4% of global turnover, under the UK government’s proposals to implement the EU’s Network and Information Systems (NIS) directive from May 2018. The Freedom of Information requests were sent by Corero in March 2017 to 338 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations.
In total, 163 responses were received, with 63 organisations (39%) admitting to not having completed the 10 Steps programme. Among responses from NHS Trusts, 42% admitted not having completed the programme.
Sean Newman, Director of Product Management at Corero, comments: “Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society. These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.”
Critical infrastructure operators ignoring DDoS threats
Modern Distributed Denial of Service (DDoS) attacks represent a serious security and availability challenge for operators of essential services. This is why DDoS protection is highlighted within the government consultation on NIS as a mechanism that critical infrastructure should consider when protecting their services and availability from disruption caused by cyber attacks. But while most people equate DDoS with high-volume attacks, like that against DNS provider Dyn in 2016 that took down large parts of America’s internet, the vast majority of today’s attacks are actually short and low volume in nature. In fact, 90% of DDoS attack attempts stopped by Corero during Q1 2017 were less than 30 minutes in duration, and 98% were less than 10Gbps in volume. Due to their small size, these stealth DDoS attacks often go unnoticed by security staff, but they are frequently used by attackers in their efforts to target, map and infiltrate a network. Worryingly, the Freedom of Information data revealed that most UK critical infrastructure organisations (51%) are potentially vulnerable to these attacks, because they do not detect or mitigate short-duration surgical DDoS attacks on their networks. As a result, just 5% of these infrastructure operators admitted to experiencing DDoS attacks on their networks in the past year (to March 2017).
However, if 90% of the DDoS attacks on their networks are also shorter than 30 minutes, as experienced by Corero customers, the real figure could be considerably higher. Newman continues: “In the face of a DDoS attack, time is of the essence.
Delays of minutes, tens of minutes, or more before a DDoS attack is mitigated are not sufficient to ensure service availability, and could significantly impact the essential services provided by critical infrastructure organisations. By not detecting and investigating these short, surgical DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide open for malware or ransomware attacks, data theft or more serious cyber attacks. To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it’s essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions as they arise.”
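As an added illustration (not from the article, Corero or any of its products), the Python below shows why the short, sub-30-minute attacks described above slip past monitoring that averages traffic over long intervals: the same constructed traffic trace, a 5-minute 8 Gbps burst inside 30 minutes of 200 Mbps baseline, stays under a 2 Gbps threshold when averaged over 30 minutes but is caught with its true duration when bucketed per second. All traffic figures and the threshold are constructed for the example.

```python
"""Why coarse averaging windows miss short, surgical DDoS bursts (constructed example)."""
from dataclasses import dataclass

GBPS = 1_000_000_000  # bits per second


@dataclass(frozen=True)
class Burst:
    start: int  # first second of the detected burst
    end: int    # last second of the detected burst (inclusive)

    @property
    def duration(self) -> int:
        return self.end - self.start + 1


def bucket_rates(samples, window):
    """Average per-second bit counts into buckets of `window` seconds (the monitor's resolution)."""
    return [sum(samples[i:i + window]) / len(samples[i:i + window])
            for i in range(0, len(samples), window)]


def detect_bursts(samples, threshold_bps, window):
    """Return every run of buckets whose average rate meets or exceeds the threshold."""
    bursts, start = [], None
    for idx, rate in enumerate(bucket_rates(samples, window)):
        t = idx * window
        if rate >= threshold_bps and start is None:
            start = t
        elif rate < threshold_bps and start is not None:
            bursts.append(Burst(start, t - 1))
            start = None
    if start is not None:  # burst still running at the end of the trace
        bursts.append(Burst(start, len(samples) - 1))
    return bursts


def constructed_traffic(total=1800, burst_start=600, burst_len=300,
                        baseline_bps=0.2 * GBPS, burst_bps=8 * GBPS):
    """Constructed trace: 30 min at 200 Mbps with a 5-minute 8 Gbps burst starting at t=600 s."""
    return [burst_bps if burst_start <= t < burst_start + burst_len else baseline_bps
            for t in range(total)]


THRESHOLD = 2 * GBPS          # constructed alerting threshold
TRAFFIC = constructed_traffic()

if __name__ == "__main__":
    for window in (1, 60, 600, 1800):  # per-second up to a single 30-minute average
        found = detect_bursts(TRAFFIC, THRESHOLD, window)
        print(f"window={window:5d}s -> {[(b.start, b.end, b.duration) for b in found]}")
```

The 1800-second window reports nothing because the burst is diluted to a 1.5 Gbps average, the 600-second window fires but misreports the burst as ten minutes long, and only fine-grained buckets recover the true 300-second attack.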