According to Menny Barzilay, CEO and cyber security strategist at FortyTwo, businesses need to accept that everything is hackable.
“Truly accepting and understanding that everything is hackable is the first and most important step towards creating a super effective cyber security strategy,” he told Cybercon 2017 in Plymouth.
The next step, he said, is to assess an organisation’s ability to respond to a cyber attack because prevention alone is not enough.
“We have to rebalance between prevention and detection because, although we cannot stop 100% of the attackers, we can detect them.”
Barzilay, a former chief information security officer in the intelligence services of the Israeli Defence Forces, said by bolstering an organisation’s ability to detect attackers through implementing a logging and monitoring strategy, they can redress the balance in power.
“With detection, there is reverse asymmetry. It is easier for the defenders and harder for the attackers. Suddenly, we discover that, in this war, we know how to win.”
However, Barzilay cautioned against amassing too much detection data without knowing how to deal with it to ensure that it delivers a real security benefit. “This is why security automation is super important and why it is the key to the world of detection.”
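The point above, that detection data is only useful once something automatically reduces it to a handful of decisions, is easiest to see in code. The following is an added example, not code from the article or from FortyTwo: a small correlation rule run over constructed SSH authentication log lines. It assumes a syslog-style line format, a hypothetical threshold of five failed logins from one source within 60 seconds, and a suppression window so that a noisy source produces one alert rather than one per line.

```python
"""Added example (not from the article or from FortyTwo): turning raw
detection data into a short list of alerts with one correlation rule.

Assumptions (all constructed for this example): syslog-style sshd lines,
a threshold of 5 failures from one source within 60 seconds, and a
suppression window so a noisy source raises one alert, not dozens.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: one noisy source (203.0.113.7), one source
# below the threshold (192.0.2.44), and an unrelated successful login.
SAMPLE_LOG = """\
2017-11-06T09:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51122
2017-11-06T09:00:03 sshd[1201]: Failed password for root from 203.0.113.7 port 51123
2017-11-06T09:00:04 sshd[1201]: Accepted password for alice from 198.51.100.20 port 40011
2017-11-06T09:00:05 sshd[1201]: Failed password for admin from 203.0.113.7 port 51124
2017-11-06T09:00:07 sshd[1201]: Failed password for admin from 203.0.113.7 port 51125
2017-11-06T09:00:09 sshd[1201]: Failed password for oracle from 203.0.113.7 port 51126
2017-11-06T09:00:10 sshd[1201]: Failed password for oracle from 203.0.113.7 port 51127
2017-11-06T09:00:12 sshd[1201]: Failed password for bob from 192.0.2.44 port 33001
2017-11-06T09:00:30 sshd[1201]: Failed password for bob from 192.0.2.44 port 33002
2017-11-06T09:00:45 sshd[1201]: Failed password for root from 203.0.113.7 port 51128
2017-11-06T09:05:00 sshd[1201]: Failed password for root from 203.0.113.7 port 51200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for lines we ignore."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def correlate_failed_logins(log_text, threshold=5, window_s=60, suppress_s=600):
    """Sliding-window correlation: `threshold` failures from one source within
    `window_s` seconds raise one alert; that source is then suppressed for
    `suppress_s` seconds so further failures do not re-alert.

    Returns (number_of_raw_failure_events, list_of_alerts)."""
    window = timedelta(seconds=window_s)
    suppress = timedelta(seconds=suppress_s)
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    last_alert = {}               # src -> time of the last alert raised for it
    alerts = []
    raw_events = 0

    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["result"] != "Failed":
            continue
        raw_events += 1
        src, ts = event["src"], event["ts"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            if src in last_alert and ts - last_alert[src] < suppress:
                continue                  # already alerted on this source recently
            last_alert[src] = ts
            alerts.append({"src": src, "count": len(q), "first": q[0], "last": ts})
    return raw_events, alerts


if __name__ == "__main__":
    n, found = correlate_failed_logins(SAMPLE_LOG)
    print(f"{n} raw failure events -> {len(found)} alert(s)")
    for alert in found:
        print(alert)
```

On the constructed input the rule collapses ten raw failure events into a single alert for 203.0.113.7, while the two failures from 192.0.2.44 never reach the threshold; the later burst from the same noisy source is held back by the suppression window. The threshold and window values are placeholders and would be tuned against an organisation's own baseline.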
Earlier, Barzilay said, in the traditional approach to security, the only question organisations were asking was if they could be hacked, which led to the implementation of a huge number of firewalls and other similar security controls.
“But this approach leads to asymmetry in the balance of power because attackers are bound by no rules and only have to succeed once at a single attack point, but defenders are bound by so many rules and have to be successful all the time across all possible attack points.”
Programmed to respond
One of the biggest problems, he said, is that people’s minds are not yet programmed to deal with cyber threats. “If we were to encounter a fire, we would immediately recognise the threat, and yet few people believe that they are under cyber attack.
“This is because the first threat is identifiable through our senses. We can see it, smell it and feel it, but at any given time there are hundreds of thousands of state-sponsored hackers engaged in the largest war that faced the world, and yet most are unwilling to accept this as reality because they cannot detect it with any of their senses.
“There are no bombed cities, no casualties, no crying babies and no tanks rolling through the main streets, so it is hard to believe that it is happening. Even if for a second someone were convinced, the moment they moved on to something else they would forget about it, but if there was a fire, no-one would be able to forget about that,” said Barzilay.
“Today we have to talk about a multi-dimensional cyber strategy, where we invest in detection and prevention, but in other things as well, such as cyber intelligence and incident response,” he said.
But according to Barzilay, most organisations become good at incident response only after they experience their first major cyber security incident.
“We have to be good at incident response today. We have to have the tools, the people, the processes and the values in place,” he said.
This should include a contract with an incident response company. “You don’t want to be in a position of having to find someone to help you and get to know your company and people only after you discover something bad has happened,” he said.
Collaboration is another important strategy, said Barzilay. Defenders need to learn from attackers, he said, and work together to achieve a common goal.
“Attackers are good at working together. They share information and tools. We have to get much better at doing the same to become more secure,” he said.
Business must ‘think like hackers’
Looking to the future of cyber security, Barzilay said it is important to begin considering the “megatrend” of the internet of things (IoT).
Within this trend, he said, each of the individual trends – such as smart houses, smart cities, driverless cars, smart machinery and smart wearables – will create “amazing” new problems and threats.
While the expectation is that the world will be safer with driverless cars, for example, Barzilay said hackers could see them instead as an opportunity to take control of vehicles – which is technically already possible – and threaten to kill the occupants unless they pay the attackers money.
“It is important to be curious, to ask questions and to share information. We have to work together. Cyber security is not just a technological issue, it is also a business issue. Everyone should be concerned about cyber security,” said Barzilay.
“Security by design is still the best way to go about it. If you are not doing security by design, it is going to cost a lot more money, take more time and be much less effective,” he said.
Barzilay said organisations should also stop thinking about physical security and cyber security as two different things, but rather as two sides of the same coin – they have to have the ability to think like hackers, and they have to have the courage to ask difficult questions.
“We also need to remember that ‘trust’ is something we can only create together. We have to work together to create a safer future,” he said.