Maksim Kabakou - Fotolia
When it comes to the question of cyber security, there is no one right answer and no one-size-fits-all solution. The motivation, skill, funding and experience of the “bad guys” varies enormously. So, while our “known-bad” approach works well against generic, poorly constructed 419 emails requesting the transfer of money, no amount of awareness training is going to mitigate all the risks associated with more sophisticated targeted attacks.
Instead, we need to contextualise the threats, assess organisational mitigations and make conscious risk decisions.
Show me an organisation that does not rely on technology for critical business operations and I will show you an environment with a shadow IT problem. Email and mobile computing are de-facto methods of communication intra and inter-organisation. Try telling a salesman with an email titled “urgent order confirmation” seemingly from a known contact to check the file is safe with IT or an accountant swamped at year-end not to open an HMRC.docx link.
Pressure and stress alter an otherwise pragmatic approach to security awareness. People need frictionless security and we are failing to deliver this; instead, throwing the blame back to users. Some suggest a zero-trust approach to enterprise security architecture and perhaps we need to extrapolate some of these principles for user awareness. Assume a user is going to click on everything and visit malicious websites and work back from there.
Today’s beautifully tailored web is increasingly constructed of dynamic, user-generated content. The weird and wonderful URLs we see are invariably single-use or customised, based on specific user actions. This is another reason why the whitelist / blacklist model does not work.
Dynamic content can be vulnerable to a myriad of application vulnerabilities such as cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection (SQLi). We are serving static content from content delivery networks (CDNs), which are almost always whitelisted by organisations and subject to little, if any, security protection.
Our world wide web has changed, so it is time we change the way we protect our users.
Jamie Oliver, Spotify, Mr Chows and The New York Times are just a handful of reputable websites which have fallen victim to some form of malvertising. There was a time when malware came almost exclusively from file hosting, torrent and pornography sites.
While it is still statistically probable that these locations are serving the majority of malware, it is sites we historically considered safe which are blasting a huge hole through our traditional security defences. Watering hole attacks and drive-by-downloads are common, require little effort from the criminals and have a very high success rate.
Building a true security platform
When building defences, single-supplier and single-platform solutions are not always the same thing, and it is the latter I would advocate. A true security platform must be:
Modular: Can we select components based on our risk posture and threat landscape?
Centralised: Do we have a centralised management plane? Am I required to maintain multiple logins for each capability? Does the platform protect my users irrespective of their location and device?
Interoperable: It’s no good if your platforms cannot work harmoniously. A strong cyber security strategy identifies the need to prevent, detect and remediate cyber attacks – our security services need to exchange information such as logs, indicators of compromise, to facilitate this approach.
Cost effective: Strong security is no good if it is not cost effective. If our security controls cost more than value of the data they are protecting, there’s a problem. Your security platforms should lower your total cost of ownership when compared to point-based solutions.
Efficient: Efficiency is key, and without it we can’t scale. Platforms should be designed from the ground up. Solutions that do not follow this approach suffer from performance degradation as additional services and capabilities are switched on. This is not a true platform.
Making the right technology decisions faced with a myriad of claims and choices is not easy, and relies on having knowledgeable and experienced professionals. Looking after and managing these systems once in place and ensuring users are aware of the risks and remain wary of common attacks is also a job for professionals. Web security is a complex challenge that relies on a strong combination of people and technology.