We need to keep up with our education just like everyone else to keep up with cybersecurity tips and trends. Donna hit some training at SecureWorld and sat in on a 6-hr online seminar offered by Dark Reading. All of that thinking and learning means we have cybersecurity tips and trends to share in this episode. This is not just for those who worry about HIPAA.

Cybersecurity Tips and Trends

When it comes to cybersecurity tips and trends we can never miss a chance to learn more.  After hours of sessions and conversations, a few notes had bubbled to the top as important to share with our listeners.

Tech development continues towards robotics and AI

Future tech is getting exciting and terrifying at the same time.  As artificial intelligence (AI) and machine learning become more effective we have a lot coming at us quickly.  I really like the discussions of being able to merge human thinking with AI.  What robots are being developed to do next will be a shock to some people.  All of that tech will be tied together with vastly improved communication speeds.

A lot of people have this vision of computers taking over the jobs we do.  There are certainly a lot of jobs being done by robots today that used to require people.  That trend will continue.  You can watch some of these robots walking around like people as they pick up boxes and stack them.  Some of them are made to move like people while others are designed to look like a machine.

When you see the robots connected with people it is kind of freaky.  The example we saw was a soldier who was accompanied by a robot that looked like a small tank.  As the soldier aimed and fired at a target the robot would fire at the target with much bigger firepower.  It can shield the soldier, carry supplies, and assist in attacks.  That allows the human factor of decision making to be involved.

The AI working with the humans part was pretty impressive.  The example that really got my attention was showing architects working with AI in CAD systems.  In the past, a design may call for a specific size and strength of a specific bolt.  If they add in the AI, they say, “I need a bolt that will hold this together.”  The computer designs a bolt that looks nothing like the normal bolts, but it is stronger while using less material.  They can also be printed with 3D printers as they are needed.  That bolt was really eye-opening to me.

The note I pulled from the session and circled was telling.  “AI will have a more profound impact on our lives than fire for early humans and electricity for the early modern age humans.”  That is a pretty big impact.  I look forward to seeing that come to fruition.

Tie all that cool stuff together with 5G communications that will be rolling out soon and you have serious “nerdvana”!  5G is expected to do to wireless communications what fiber connections have done for wired data services.  Hopefully, that will happen but we will still be waiting for it to happen for some time.  Fiber has just gotten to me!

The end portion of the session pointed out how many billions of endpoints we will now have to secure.  It was funny that the “good news” he could share was that everyone in the room has job security.

Cybersecurity is a new field

Often we forget that people who have experience in cybersecurity are ones who have been there since the early days.  When it comes to engineering things like planes, bridges, etc., there are hundreds of years of people working on these things.  There is a vast amount of historical data and knowledge collected.  Cybersecurity as a profession has only been around a little more than a decade.

The shortages we hear about are just another indicator of that point.  People haven’t spent their lives dreaming of a job in cybersecurity.  LOL.

Vendor Management

Yes, a big part of the cybersecurity tips we got included multiple discussions about vetting vendors and managing your third parties.  The session on contract terms was a great one.  The lawyer had the same issues with BAAs that drive me nuts.  Using the same template BAA for all cases means you are creating all kinds of legal loopholes and screwing yourself out of protections.

I made notes about a few specific contract recommendations.

Include data privacy and security requirements in your contracts even if they aren’t BAs.  Yes, we are getting to that point.  Her biggest reason to get to that point was that the HVAC vendor that infected Target had no data privacy and security requirements in their contract.  Of course, Target should have better protected its own network.  But, without any requirements in the vendor contracts, there is nothing stopping a vendor from having a way to send anything directly into your network or to hold your data.

Include return-of-data specifics in contracts.  I must get my data returned in a certain format and within a certain amount of time.  Include things in MSP contracts about getting admin logins and controls back immediately.

Cybersecurity tips about defending networks

The military cybersecurity speaker used all kinds of military examples and analogies.

  • We must constantly question any assumptions we are making because that is what will likely be our downfall at some point.
    • He referenced research showing that the VPNs people are using are owned by a small number of companies.  Many of them are Chinese or from other countries with lax privacy laws.
  • Faith in static defenses has statistically always disappointed.
    • If you do what you have always done, your adversary will eventually get around those defenses.
  • Protect yourself from your own vendors.
    • The message was in many sessions over and over – we are rapidly approaching a state of zero trust.
  • We are fighting a cyber war whether we know it (or acknowledge it) or not.
    • If you are at war and don’t know it then it is hard to protect yourself.
  • You can’t fight a war without an army.  We all have to be part of that army.
    • Each of us using technology will be part of the problem or part of the solution.
  • Nation-state attackers are well funded and motivated.  We don’t have policies and laws to protect us from them.
    • Everyone assumes they just want military intelligence or secrets that must be guarded.  They want money, they want information, they want access that can be used whenever it is needed.
    • The more you collect the more you have to evaluate.  Guess what – they have AI working on things for them too!

Cybersecurity tips relating to communications

There was a great session by one of the CISOs for State of GA departments.  We discussed examples of how you should address telling people no due to security.  We have to find better ways to communicate requirements than just saying, “No, you can’t do that.”  “Just say no” is not working as a cybersecurity approach.

One story she shared was dealing with a discussion relating to the use of Dropbox.  They had a policy that said you cannot use Dropbox for any of your work.  She wanted to just block it at the network level so no one could go there at all.  It seemed like a great idea, but the group said they wanted to leave it open in case others sent them things in Dropbox.  That alone means people are going to use it.  Otherwise, why not block it?

The story gets interesting when she gets a call from a salesperson at Dropbox.  They wanted to offer her a master account because they were getting so many individual paid accounts signed up with the state.

At this point, the important thing was to teach people why they shouldn’t do it but also to provide a solution to the problem that causes them to use it.  Listen to what the needs are so that you can solve their problem.  If people have a problem or a need for a tool they will find a way to fix it themselves if you don’t fix it.  That or they will slack off and just not do their work.  Either way, you end up screwed in the end because both problems are the “security officer’s fault”.

Using frameworks or some type of guides at all levels

Many sessions talked about different frameworks or guides that are being used for their security program.  We have talked often about using these tools to show you are doing what you should be doing to protect your company.

CIS 20 is now broken down specifically by the size of an organization, so no matter how small you are they have things you should be doing.  HICP also included options for all sizes of businesses.  There are many out there, including one called Continuous Diagnostics and Mitigation (CDM) from DHS.  It is pretty interesting.  I have seen it as overkill for what we do but learned about some interesting ways to use it for defining specific objectives to meet.  It gives you a list of vendors who have been vetted and approved to participate in the program of approved cybersecurity tools for Federal agencies.

I was very interested in some of the conversations between other attendees.  A specific one was the thought that NIST CSF is becoming the de facto standard for frameworks.  Everything maps back to it.  I love the feeling of being right!  HA!

Cybersecurity is no longer about defending the network

We can no longer concentrate on defending the network.  We must defend the network and each device on that network.  Understanding what is connecting and moving around your network is essential to having proper protections.  That brings us back to this: you cannot assume you have it covered.  If you realize you have any assumptions, then you must stop and evaluate that assumption.

Incident response is all about planning

The Dark Reading online seminar (When Hackers Attack) was really good stuff.  There were folks in the big consulting firms who have managed thousands of data breach incidents.  There were several sessions but in the end, the messages were consistent about a few things.

Use multifactor authentication everywhere you can.  Account credential theft is rampant.  While not all 2FA is perfect, it is better than nothing.  Again, you just have to be faster than the other guy, not the bear.

Plan, plan, plan, test, test, test, train, train, train.  Planning for the problem is the only hope you have to manage the damage.  “Train like you fight.  Fight like you train.”

Your plan defines how you will manage the crisis and protect the business when the inevitable occurs.  Make sure you watch the news and evaluate whether you have a plan for the things happening to others.  Today everyone should have a BEC (business email compromise) plan for someone taking over an email account.  If there is something you decide you don’t need to worry about, refer to the assumptions message above.

A very good point was that the plan should include cyber elements, yes, but it MUST include the non-cyber elements like the legal, privacy, regulatory, etc.  BUT, and this is an important but, your plan shouldn’t be 200 pages.  It should clearly define roles and responsibilities so that people know who is handling each area.  If you aren’t in that area then you don’t handle it unless you are asked to be involved.  Make sure there are 3 or 4 leaders of the team that can be called in at a moment’s notice.  This week, with everyone on vacation, who would get the call and manage the issues at your office?