Year of ‘fairly unsophisticated breaches’ underscores need for cyber-hygiene, CISOs say
After a year of high-profile breaches, organizations should concentrate on reinforcing crumbling security foundations rather than adopting complex new software, said 25 chief information security officers in a survey by IT security content company Security Current.
“Looking back at 2015, I would say it was the year that redefined APT,” Brian Kelly, CISO of Quinnipiac University, told Security Current. “It went from the long-standing definition of Advanced Persistent Threat to Annoying Phishing Tactics.”
In the survey — which included comments from security professionals working in finance, health care, academia and big tech — each CISO offered a unique perspective on 2015’s cataclysmic string of hacks and forecasted the threat climate of the coming year. Yet, some had similar observations — chief among them was the need for basic “cyber-hygiene” to ameliorate threats like phishing emails, which historically have been the most successful attacks despite their lack of complexity.
“Looking back at 2015, the root cause of the major break-ins often started out as compromised accounts,” said Joel Rosenblatt, director of computer and network security at Columbia University. “The mechanisms for these compromises are varied, some highly targeted attacks requiring much research and planning, and some simple phishing schemes based on the principle of ‘if you throw enough mud against a wall, some of it will stick.’”
Phishing schemes require minimal effort and potentially offer high returns, the CISOs said. Kelly pointed to an FBI warning that “business email compromise,” where criminals send out emails meant to mimic a company’s internal communications, was responsible for $740 million in losses in 2015. He also referenced the Anthem Insurance breach that exposed the personally identifiable information of 80 million people, which was triggered by a phishing email.
Key to reducing the threat, said Darren Death, ASRC Federal CISO, is encouraging employees to use better cyber-hygiene.
“The idea of basic Cyber Hygiene may seem over simplistic; however, it is often times overlooked in favor of flashy tools or is not part of an IT organizations culture,” said Death, echoing statements from other CISOs. “Often times an adversary does not need to implement highly advanced attacks because an organization has not performed their due diligence and has made the attacker’s job very easy.”
Gary Coverdale, CISO for Napa County, California, called 2015 a year of “fairly unsophisticated breaches into systems and data,” and chalked it up loose account management and failure regularly patch software. But he said “a proper cyber-hygiene process can and will minimize” risk.
In addition to emphasizing the need for a robust cybersecurity foundation, CISOs also predicted a swell in the use of cloud technology and the Internet of Things, and underscored the need for more thorough authentication practices.
“My crystal ball is a little cloudy (pun intended), but in my humble opinion, the only way that we are going to stay a little ahead of the bad guys in 2016 is by getting very serious about the elimination of passwords as the final arbiter of identity,” Rosenblatt saud. “Multifactor authentication, while not perfect, is probably the best technology around at this point to make that happen.”