When talking about security threats that face companies today, I compare them to the difference between a gas leak in your home and carbon monoxide. Gas companies put a scent in natural gas, so if there's a leak you can smell it, and you know there's a problem. Computer performance is like that. Users notice when their PC is running slower, they don't like it, and they want to get the problem fixed. A security issue is more like carbon monoxide. You can't see it, you can't smell it, and by the time you know you've got a problem, it's too late. Security breaches within businesses have become commonplace. There are now billions of cyber exploits every day, according to the 2017 Internet Security Threat Report by Symantec. In 2016, these attacks were successful enough to expose over 1.1 billion identities, according to the same report.
The bottom line is that 90 per cent of security incidents result from exploits against software defects, according to a CSO report attributed to the U.S. Department of Homeland Security.
2017 is on pace to set a new record for compromised identities, with more than 1,200 breaches recorded and 3.4 billion records exposed according to Risk Based Security's Q1 2017 DataBreach QuickView Report. It's not a matter of if a business will be attacked, but rather, when. Looking back over the past year's data breaches, there's one common thread: weak identity protection at the endpoint. The PC is a front door to a company's network and assets. But all too often, that PC is outdated and lacking hardware-enhanced protection. In other words, the front door is wide open. Older endpoints are vulnerable because their technology only supports single-factor identity protection at the software layer, rather than providing a much more secure multifactor authentication solution rooted in the PC hardware. A common vulnerability is the use of weak or stolen passwords.
This is a problem, as more than 80 per cent of major data breaches come from password issues at the software level, according to the 2017 Verizon Data Breach Investigations Report.
Why multifactor identification matters
There is now a more effective approach to identity and access management: multifactor authentication anchored in silicon inside Intel-based, enterprise PCs. With the Intel Core vPro platform, our security solutions provide a unique, deeper layer of protection at the root of trust: the hardware component of the computing stack. While two-step authentication is certainly stronger than one, true multifactor authentication encompasses:
As a result, cyber criminals have a much harder time gaining access to a PC. As part of the migration to Windows 10, companies can strengthen security today by upgrading to new devices powered by 7th Generation Intel Core vPro processors with Intel Authenticate deployed. This combination gives you customisable, hardware-enhanced, multifactor authentication with biometrics, credentials and the IT policy engine all stored and executed securely in hardware below the software layer where attacks are prevalent. More than 50 PC designs have been optimised for Intel Authenticate since its introduction in January 2016. Our hardware-enhanced solution supports a range of customisable, hardened factors to fit specific business needs and integrates easily into existing environments. And there's a bonus: users love it because they don't have to remember complex, ever-changing passwords. Endpoint security doesn't end with identity protection. We're also aggressively innovating to make hardware the center of data protection. The 7th generation Intel Core vPro processor-based devices, announced in January 2017, support a new hardware-enhanced file encryption solution called Intel Data Guard.
Intel Data Guard lets IT centrally set policy on how and when to encrypt files, then execute that policy automatically on individual endpoints. IT has the flexibility to decide how and when files should be encrypted automatically (without any user action) or whether certain file types or folder locations can be encrypted at the user's discretion. This dramatically reduces human error in the process, because users are no longer solely relied upon to remember to encrypt sensitive data.
The result is less risk of losing sensitive company data. The key to staying ahead of today's ever-evolving security environment is to deepen your endpoint protections. Refresh older PCs with modern systems that feature hardware-based security defenses that transform an endpoint problem into a key part of the solution.
‘By not detecting and investigating these short, surgical, DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks’
Over a third of national critical infrastructure organisations in the UK (39%) have not completed basic cyber security standards issued by the UK government, according to data revealed under the Freedom of Information Act by Corero Network Security, a provider of real-time DDoS defence solutions. The fact that so many infrastructure organisations have not completed the 10 Steps to Cyber Security programme indicates a lack of cyber resilience within organisations which are critical to the functioning of UK society.
It also suggested that some of these organisations could be liable for fines of up to £17 million, or 4% of global turnover, under the UK government's proposals to implement the EU's Network and Information Systems (NIS) directive, from May 2018. The Freedom of Information requests were sent by Corero, in March 2017, to 338 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations.
In total, 163 responses were received, with 63 organisations (39%) admitting to not having completed the 10 Steps programme. Among responses from NHS Trusts, 42% admitted not having completed the programme.
Sean Newman, Director of Product Management at Corero, comments: “Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society. These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.”
Critical infrastructure operators ignoring DDoS threats
Modern Distributed Denial of Service (DDoS) attacks represent a serious security and availability challenge for operators of essential services. This is why DDoS protection is highlighted within the government consultation on NIS as a mechanism that critical infrastructure should consider when protecting their services and availability from disruption caused by cyber attacks. But while most people equate DDoS with high-volume attacks, like that against DNS provider Dyn in 2016 that took down large parts of America's internet, the vast majority of today's attacks are actually short and low volume in nature. In fact, 90% of DDoS attack attempts stopped by Corero during Q1 2017 were less than 30 minutes in duration, and 98% were less than 10Gbps in volume. Due to their small size, these stealth DDoS attacks often go unnoticed by security staff, but they are frequently used by attackers in their efforts to target, map and infiltrate a network. Worryingly, the Freedom of Information data revealed that most UK critical infrastructure organisations (51%) are potentially vulnerable to these attacks, because they do not detect or mitigate short-duration surgical DDoS attacks on their networks. As a result, just 5% of these infrastructure operators admitted to experiencing DDoS attacks on their networks in the past year (to March 2017).
However, if 90% of the DDoS attacks on their networks are also shorter than 30 minutes, as experienced by Corero customers, the real figure could be considerably higher.
Newman continues: “In the face of a DDoS attack, time is of the essence. Delays of minutes, tens-of-minutes, or more, before a DDoS attack is mitigated are not sufficient to ensure service availability, and could significantly impact the essential services provided by critical infrastructure organisations. By not detecting and investigating these short, surgical, DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks. To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it's essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions, as they arise.”
Disbanding your security team may not be an entirely dumb idea, because plenty of other people in your organisation already overlap with their responsibilities, or could usefully do their jobs. That’s an idea advanced by analyst firm Gartner’s vice president and research fellow Tom Scholtz, who has raised it as a deliberately provocative gesture to get people thinking about how to best secure their organisations. Scholtz’s hypothesis is that when organisations perceive more risk, they create a dedicated team to address it. That team, he said, grows as the scope of risk grows. With businesses quickly expanding their online activities, that means lots more risk and lots more people in the central team, which might do the job but also reminded Scholtz that big teams are seldom noted for efficiency.
He also says plenty of businesses see centralised security as roadblocks. “I met one chief security officer who said his team is known as the ‘business prevention department’,” Scholtz told Gartner’s Security and Risk Management Summit in Sydney today. He therefore looked at how security teams might become less obstructive and hit on the idea of pushing responsibility for security into other teams. One area where this could work, he said, is endpoint security, a field in which many organisations have dedicated and skilled teams to tend desktops and/or servers.
Data security is another area ripe for potential devolution, as Scholtz said security teams often have responsibility to determine the value of data and how it can be used, as do the teams that use that data. Yet both teams exist in their own silo and duplicate elements of each other’s work. Giving the job to one team could therefore be useful. He also pointed out that security teams’ natural proclivities mean they are often not the best educators inside a business, yet other teams are dedicated to the task and therefore excellent candidates for the job of explaining how to control risk. Scholtz’s research led him to believe that organisations will still need central security teams, but that devolution is unlikely to hurt if done well.
Indeed, he said he’s met CIOs who are already making the idea happen, by always looking for other organisations to take responsibility for tasks they don’t think belong in a central technology office. Making the move will also require a culture that sees people willing to learn, fast, and take on new responsibilities. Organisations considering such devolution will also need strong cross-team co-ordination structures, plus the ability to understand how to integrate security requirements into an overall security solution design.
Even those organisations who ultimately see such devolution as too risky, Scholtz said, can still take something away from the theory, by using it to ensure that business unit or team leaders feel accountable for securing their own tools.
Devolving security can also help organisations identify which security functions have been commoditised and are therefore suitable for outsourcing.