Today’s security professionals face a daunting reality as the attack surface swells and cyber criminals prey upon the speed at which new devices are hurried to market.
“As soon as we put out a device, there’s going to be somebody who starts tinkering with it and finding vulnerabilities,” said Kimberlee Ann Brannock, senior security advisor with HP. “That’s just a fact.”
Brannock, an ISACA member, presented this week at Black Hat USA on how organizations can leverage governance, compliance and security to protect themselves. She said a comprehensive, multilayered approach is especially critical given powerful trends such as accelerated innovation and globalization. “I’m a huge proponent of defense in layers, security in layers,” Brannock said. “One-dimensional does not work.”
Sound governance and security programs also help drive compliance, she said.
“When you have all of these different layers and all of these different strategies, and you bring all of those together, one of the amazing things is you start to develop security intelligence,” Brannock said. “And then because you’re documenting your processes, you’re documenting your procedures, you’re doing your assessments, you’re getting the evidence from that, that helps you to demonstrate compliance as well.”
Brannock recommended three actions enterprises should take to mitigate their risk:
- Focus on end-to-end security. Include security in considerations when evaluating potential IoT product purchases, such as printers. (The presentation began with a video featuring an organization having its network compromised through a malware attack on an insecure printer.)
- Deploy strong administration tools. Avoid using system defaults for user names and passwords. “It is amazing how many sophisticated organizations that have spent millions of dollars on their infrastructure, on their end points and their devices, they have the default settings,” Brannock said.
- Do not share access. Account access should not be shared with anyone, and secure password practices should be emphasized with those who do have access.
Brannock also encouraged organizations to adopt applicable cyber security frameworks, conduct thorough risk assessments and be mindful of firmware security in their devices.
“Every device that we can think of is hackable in one way or another,” Brannock said. “As security professionals, as IT professionals, we need to be aware, and we need to get the conversation started about it.”
When organizations put governance policies and procedures in place, Brannock said it is important to avoid shrugging off shortcomings that might surface.
“As an organization, you want to tell people what you’re wanting to accomplish and why, and how to do it,” Brannock said. “But you also want to make them accountable … so there has to be consequences.”
Brannock shared industry statistics about the mounting use of data and devices on an everyday basis, leading to a corresponding spike in security threats.
“We are plugged in all the time,” Brannock said. “We carry around a device all the time. We are cyborgs – whether we acknowledge it or not, we are. So, with this digital and physical world colliding, we need to be at the ready to address it from a security standpoint.”