Thought Leaders Digital Space - Bitly

www.gsabusiness.com

April 17 - 30, 2017

SPONSORED CONTENT

Thought Leaders in the Digital Space
A Roundtable Discussion

Every day — every moment, really — some new part of life becomes digital. As a leader in business, you are not alone if you find it hard to keep up. That is why it is important to find trusted experts to help guide your business through the digital world. In this special section, thought leaders in the digital space give you insights into cloud computing, cybersecurity, digital agency and forensic accounting.

Reed Wilson, CEO, Palmetto Technology Group. FOCUS: IT, Cyber Security

David Johnson, Director of Network Engineering, Immedion. FOCUS: IT, Cyber Security

Kevin Wentzel, Chief Operating Officer, KOPIS. FOCUS: IT, Cyber Security

What trends in cyber-attacks have you seen in the last two years?

WILSON: If I had to choose one major trend over the last two years it would be the rise of ransomware (or crypto) style attacks. Ransomware infects a computer or network by encrypting all of the files and holding them for ‘ransom’ usually paid out via Bitcoin. These can be especially damaging if an entire network is infected – which means that the systems are completely unusable unless the company can restore from a backup or pays the ransom.

JOHNSON: Over the last several years, attacks have become more sophisticated, rendering the perimeter firewall less effective with each passing year. Many of today’s attacks leverage common services that are typically allowed to pass through perimeter firewalls and land on the company’s secured, private network systems, such as Web, Secure Web, or Email. As cyber-attack vectors continue to change, so does the minimum level of network security required to effectively combat network threats. An effective way to identify and combat these threats is to understand your normal network behavior and have systems in place to alert you to any deviation. Firewalls with Layer 4 through Layer 7 visibility will also support security policies around applications, not just port / protocol as with older firewall technology.

WENTZEL: With the growth in value of data, produced by both individuals and companies, ransomware continues to grow in popularity. This type of security breach was made popular with Cryptolocker in 2012, but has many spin-offs and iterations as people try to work around protections put in place by security firms. Typically, perpetrators demand ransom to allegedly
prevent one of two things. In the first scenario, paying the ransom prevents damaging data from being released (i.e. trade secrets, information that would cause brand damage). In the other scenario, the perpetrators encrypt important data – ERP database or financials, for example – crippling companies that cannot restore backups. Paying the ransom unencrypts those files, enabling the company to conduct business again.

The other observation is that we, humans, are still the target of attacks. Specifically, email remains one of the primary attack vectors for breaches. Our security relies on the ability to make a subjective judgement on the safety of emails that are psychologically designed to fool that judgement. At the speed that everyone works today, we must assume that someone is going to make a mistake and not just protect the outer defenses, but evaluate the security of our systems at all access points.

What is the minimum level of cyber security a company should have?

WILSON: There really isn’t a minimum – but if you only have a limited budget the place you should spend the most amount of time and money is on employee awareness. Most attacks happen because a user clicks a link they shouldn’t click or opens a file they should not open. Train your users on what to look for and what to do if they open up a file they
should not open. After user awareness, a good firewall, reliable antivirus, and a robust backup system are the next best bets for your budget.

JOHNSON: The sky is the limit when evaluating systems and services available to secure your network, regardless of size and complexity. However, companies should still rely on the basic security principles first and foremost.

Apply operating system updates / patches on a regular basis. Microsoft, for example, releases security bulletins on the second Tuesday of every month. Your patch management strategy should, at a minimum, ensure that critical security patches are installed regularly.

The use of a reputable anti-virus product is also important. Many anti-virus products available update near real-time to defend against emerging threats. Select a product with a global presence, cloud analysis of suspect activity, and a basic level of email and web content filtering.

Having a written IT Policy is often overlooked when considering cyber security. Creating an IT policy can seem overwhelming, but it does not have to be complicated to be effective. A written IT Policy that encompasses the acceptable use of technology, standards around hardware and software, backup and disaster recovery, and IT support services will reduce cyber security risks and increase productivity.

Access rights and user education are also critical. Educating the end user how to identify and handle suspect emails is key in preventing Phishing attacks, viruses, and malware. Going a step further and limiting user access rights to systems can help to prevent installation and propagation of malicious software on company systems. Failing to address the human element can negate the best security technologies.

Data encryption is another area worth considering. Encrypting drives on user computers and company servers helps protect against data theft or exposure due to lost or stolen drives. It is more difficult to recover deleted data from an encrypted drive. Drive encryption technology is present in most current operating systems, bringing the capability within reach of most companies without a large expenditure. One drawback to encryption is reduced performance, so it is important to evaluate this tradeoff before implementation.

Patching / updating operating systems, anti-virus, IT policies, user education, and data encryption are all critical aspects in addressing cyber security risks. Those systems and methodologies are within reach of most companies regardless of your IT budget and should be considered before more elaborate systems are implemented. Even with the aforementioned items in place, a perimeter firewall is still needed to mitigate threats outside of your network. As stated earlier, there are an infinite number of products available to address your cyber
security posture. With the ever-changing threat landscape, it is as difficult as ever to identify a minimum level of security for any business.

WENTZEL: This is something that is completely dependent on the business, the value of the data stored by the business, and the impact of the release of the data stored by the business. At an extremely basic level, it’s important to have firewalls at each location, antivirus on all systems, and to be diligent about updating your systems with security patches. It’s also important to have an ongoing education process to improve awareness in the organization on possible attack types.

Transmissions should be secured. Currently, that typically means HTTPS, SSH or equivalent; however, technologies are emerging like Blockchain that will evolve security as we know it. If, or rather, when HTTPS is no longer a strong enough encryption mechanism to reasonably thwart attacks, many businesses will need to evolve their software tools to keep up with security requirements.

Critical data at rest should be secured. What is defined as critical is dependent on your business and jurisdiction. This almost always includes Personally Identifiable Information (PII), payment information (PCI) and health data (HIPAA).

Lastly, authenticating someone’s identity using multi-factor authentication reduces the risk that all those passwords that are just variations on the word Passw0rd end up being an entry point to your systems.

What are the consequences of not having adequate cyber security measures in place?

WILSON: There are two factors to take into consideration: hard costs and soft costs. The hard costs are fairly easy to measure. Symantec Corporation estimates that the average cost of a breach is about $214 per record. On average, this will equal about $7.2 million in hard costs for a company. Although it is harder to measure, the soft costs can be just as drastic. How much would bad PR and a tarnished brand cost your company?

WENTZEL: Data is an asset, so the consequences of not securing your data assets are similar to not securing other types of assets. First and foremost, it could be stolen for the purposes of selling or releasing. As mentioned earlier, your systems could be taken over and used for ransom or blackmail. Unfortunately, that is just the tip of the iceberg. Fines can accumulate from breaches. For example, HIPAA data fines are assessed per record stolen. Then, lawsuits are likely as well from those whose data you collected. Long story short – major financial trouble is a real possibility for data breaches including bankruptcy.

And those of us in the security industry get it. It is difficult to make the decision to spend the extra money on IT security infrastructure or spend software budget on security when there are features that bring a more tangible benefit than reducing risk.

Looking ahead to the next five years, what do you see as being most concerning in cyber security?

WILSON: The barriers to entry for cyber crooks are dropping dramatically. A bad actor can go and download exploits online for a few hundred dollars and see a huge return on that investment by deploying ransomware style attacks. I see this only continuing to grow exponentially over the coming years. I also think that mobile data security is an area where we will continue to see criminals double down. Almost every employee today is a mobile employee and one of the areas where businesses are not focusing is securing access on mobile devices.

JOHNSON: Steve Morgan, Editor-In-Chief of
CyberSecurity Ventures, estimates that global spending on cyber security measures will exceed $1 trillion cumulatively over the next 5 years. That is a staggering number given the estimated spend of “only” $120 billion in 2017. This, coupled with the estimated global costs of $6 trillion annually to businesses due to data loss, data leaks, and stolen money, should send the message that the problem of securing your systems is only going to get bigger. The more you do now to identify gaps and tighten security policies, the less you will contribute to those estimated costs.

My biggest concern relating to cyber security is the Internet of Things (IoT). If the last year is any indication, the manufacturing and adoption of IoT components is going to grow exponentially year over year for the foreseeable future. The connected device landscape is expanding faster than it can be secured. Industry experts and common sense alike know that complexity is more difficult to market. As a result, convenience over security (translated: complexity) is favored right now.

From a professional standpoint, I am in the Infrastructure as a Service (IaaS) profession and stay up at night worrying about the next large scale DDoS interrupting the Internet. As IoT evolves, so do the cloud based services that power it. IoT device manufacturers understand the efficiency of locating controllers and services closer to the consumer. This results in a higher quality of service for the consumer, lower costs to the manufacturer, and more business for data centers and cloud providers. Unfortunately, this evolution of IoT results in sensitive data being distributed across more servers in more regions worldwide, increasing the threat landscape year over year. The threat landscape is, therefore, outpacing the technology needed to properly secure it.

IoT devices are going to make their way into the workplace in the very near future. IT and Security administrators are, to some extent, going to be forced to support it, monitor it, and secure
it. Securing those devices is a bit of a challenge right now as there is limited access and visibility into those components. Couple that with manufacturing that ignores basic security principles and you have a potential cyber security event brewing in your business. In reality, IoT is only going to grow. Along with it comes a lot of neat technology and great conveniences. Unfortunately the good is not without the bad, and the bad side of IoT is one of my greatest cyber security concerns in the coming years.

WENTZEL: I see two things. The number of connected endpoints and the amount of control those endpoints have on our life are going to grow exponentially. Therefore, there is a multiplier effect in play. The number of threat vectors is going to go up in conjunction with the number of endpoints, and the damage each threat can do will go up by the amount of control those endpoints have.

The other major concern is that the protocols underlying HTTPS are under attack and some have already been whittled away. For now, there are protocols that still provide secure transmission, but if those continuing to advance more secure protocols do not keep pace with those trying to break them, we may end up with an underpinning of how so many of us conduct transactions
no longer being secure. This would cause a major disruption and scramble to other types of security mechanisms, much like the scramble for Y2K.

As more companies invest in connected hardware and software for the incredible value it brings, it will be critical for the development teams to understand, practice and test to ensure secure development standards are being followed and up to date.

Businesses store data on site or in the cloud. What are the pros and cons of each storage option in terms of cyber security?

WILSON: There is no ‘straight answer’ to this question. Typically, cloud storage and cloud services have more robust security measures than the average business can implement. This assumes, of course, that you are working with a reputable cloud vendor such as Microsoft or Amazon. We typically recommend cloud based systems for this reason – with an important caveat: You are responsible for securing your user accounts. If the vendor supports Dual Factor Authentication, you should implement it and put a strong password policy in place.

WENTZEL: Public and private cloud providers like Microsoft, Amazon, and local data centers live and breathe security. When your brand promise is directly tied to it, you are focused on security as a core business principle,
which means you are assessing as quickly as new vulnerabilities are discovered. It exists, but isn’t as common until the enterprise level, that some on-site resources are 100% focused on security and can take that kind of action. In addition, many of these companies conduct 3rd party audits to certify some of their offerings for specific compliancies like DoD, HIPAA, PCI, etc. Because they have so many customers, they can spread the cost of this added security – democratizing infrastructure security much like cloud platforms have done for business intelligence, artificial intelligence and many other “microservices”.

On the other hand, some companies find that they simply aren’t willing to give up control to others that are not employees of the company. In one scenario, by having total control of your own ecosystem, your team could theoretically patch faster than a cloud provider because the only system that needs to be tested is yours. You could also accept more risk than a cloud provider or determine that the risk doesn’t apply to you by forgoing certain patching.

How does a business know if it is under cyber-attack? What are the early warning signs that a company is under attack?

WILSON: The cyber security landscape has changed dramatically over the past decade. Previously the bad guys just wanted to spread viruses for the fun of it. Now that data breaches can be monetized, the hackers have a goal to stay unnoticed for as long as possible so they can continue to siphon data out of your organization or use your bandwidth to power botnets. In some cases, an organization may not know they have been breached for months. Things to look for would include: slower bandwidth on your network, user accounts that IT did not create, or connections to/from unknown locations in your firewall logs. Again, the goal for the bad guys these days is to make it so that you don’t even know you have had a breach.

WENTZEL: Each type of attack is different. Some show warning signs and some don’t. It depends on the sophistication of the attack method and whether we as stewards of our companies made mistakes – like clicking on the malicious attachment – which essentially let someone in the front door. We have seen things as obvious as a large number of login attempts from continents with no employees or customers. On the other hand, there could be only trace evidence. This is where advanced intrusion detection systems come in; these many times involve telemetry systems, machine learning and predictive analytics, and can sometimes be used to identify that something isn’t right. Then, a human can investigate and determine if there is an issue. Since the actual malicious event tends to happen months after first touch or breach, this method offers a chance to discover and remedy the breach before the real damage.
