When it comes to cyber attacks, the time for collective resolve is now. Because of low barriers to entry — a group can perpetrate a malware attack without deep expertise or much money — the nature of the threat has invalidated or reduced the effectiveness of current signature-based cyber security protections. The consequences can be devastating. “Industry is starting to realize they’re very much a target of these organized crime elements and group-based threats,” says Jim McClave, vice president and director of SRA’s products and offerings strategic business unit. Recently McClave and Dusty Rhoads, a senior member of SRA’s information assurance and privacy solutions division for the national security sector, shared what their company is doing to strengthen the cyber security posture of its clients — and how your organization can do the same.
What you can do
Be proactive, not reactive. Here’s a typical scenario: An organization is breached, data is exfiltrated, and everybody scrambles to mitigate the problem. “We’re trying to become more proactive versus reactive,” says McClave. “Our view is that a lot of the current cyber security protective technology has holes in it because it basically detects what is already known,” he adds. SRA, by contrast, is repurposing a lot of its internal research and development activity to do anomaly detection. SRA is incorporating that work, as well as other intellectual property such as NetOwl (SRA’s Natural Language Understanding product), into cyber security adaptive network defense reference architectures that are being offered to clients.
Participate with US-CERT. “It’s very important for our industry counterparts to report cyber security-significant events to US-CERT so that a body of knowledge can be built up and exchanged throughout industry,” says McClave. Participation in the IT Industry Security Advisory Council is also key, he adds. Such reporting fosters a holistic understanding of cyber security. Anything less can be disastrous. “You can improve your cyber security posture but create vulnerabilities in other areas,” says McClave, about clinging to a piecemeal approach. “You may make it more difficult for your network to be penetrated but if you have inadequate physical security controls, background checks, etc., a person may still be able to get into your organization,” he adds. McClave recommends a routine exchange of best practices with US-CERT, the IT Industry Security Advisory Council, and with its Government Security Operations Center engagements.
Invest in your people. “The weakest link in any computer system is the individual sitting in front of the keyboard,” says Rhoads. “I would suggest spending a lot more money on training individuals on what the threats are, how to recognize them, what not to do, what is safe and what is not,” he adds. Simple reminders on a regular basis, training based on specific and personal examples that bring the message home, and training focused on the younger employees who live on cyber devices are key. At a company or department/agency level, training could include entry-level cyber security training courses for all personnel. For administrators, “boot camps” focused on the latest IT and IA certifications required by government can be very useful. Such training would acquaint participants with best practices, certifications such as CISSP and ethical hacking. A company should also consider an exchange program where employees focused on one client site go to another for a half-day exchange of ideas about strengthening security operations centers. At the government level these exchanges could be for six months or more.