
5 Takeaways From The 19th New York State Cyber Security Conference

By: Erin Dayton

1. “When, Not If”

If you've attended your fair share of cyber security conferences in the past, it's almost guaranteed that you've heard the long-standing joke “You don’t have to outrun the bear, you just have to outrun your brother.” Although this joke is still prevalent and ensures a good chuckle from the audience, it's becoming less applicable as the forest has become home to more than just one bear.

The “when, not if” timeframe suggests that organizations can no longer rely on planning based on “if” they will be compromised or breached, but “when”. Organizations should operate on the assumption that the bad guys are already in their systems, and should devote effort to finding attackers and to knowing what to do once they've been located. Cyber security efforts should strive toward an advanced model which includes education, prevention, protection, mitigation, response, and recovery. This holistic approach to security provides a potential safety net when facing the perfect storm of the vulnerable technological ecosystem (mobile devices, social media, Internet of Things, etc.).

2. Think Like The Attacker

Prioritizing and focusing on risk management continues to rank highly among security professionals and the individuals they report to. However, practitioners recommend that entities change their perspective as it relates to risk. What do they suggest? Remove internal bias and think like the attacker. Instead of fixating and internally debating over what your organization finds most valuable and important, view your assets from the cyber criminal’s perspective. What would the attacker want access to? What would he or she find valuable? What are the organization’s “crown jewels” that the attacker would see as lucrative? Altering your point of view to incorporate the attacker’s perspective will better allow your organization to appropriately prioritize risk and have a well-defined focus on what to protect.

3. Back to Basics

How often do you assume that the more expensive solution or brand is undoubtedly the best of the group? Experts remind those working in cyber security that this is not always the case. No matter how much budget is allocated and expensed to implement the latest and greatest technologies to combat cyber risks, the basics of security remain critical, if not the most critical, preventative measure out there.

Like the urge to play with a new toy right away, it has become common practice to neglect the basic methodology of cyber security and abandon existing projects to focus on ensuring the newest project is flawlessly secure. So what do experts recommend?

Be sure to keep tabs on the security of preexisting, new and emerging projects in your environment.
Get back to basics and practice general cyber hygiene. This could include maintaining a patch cycle, changing default passwords, limiting administrative access, managing identities, privilege authentication, implementing scheduled employee password changes and measuring compliance.

4. Attacker Maturity

The maturity of cyber criminals has drastically changed over the years. The world of the attacker has developed into sophisticated models that follow a business plan, capture revenue streams, and assign individuals specialized professions based upon their expertise and skill set. Groups will essentially build out departments (much like the organizations they target), allowing individuals to showcase their specific talent and sector. One individual may focus only on money laundering or research while other hackers will direct their skills at certain specialized sectors such as industrial controls, agriculture, or government. This business model returns high rewards as attackers are able to find their niche and continue to mature and perfect their craft.

Cyber criminals have been able to achieve and excel with these business models because of their willingness to bypass rules and regulations and get the job done no matter the cost or consequence. This ruthlessness is often the driving force that puts attackers at the front of the race, as the good guys have to lag behind following the rules and facing potentially siloed collaboration efforts and time and budget constraints. Attackers are beginning to successfully break down barriers and coordinate to help one another prosper while still profiting themselves. Attackers sell and rent items such as rootkits in order to generate revenue while supplying one another with the newest and most promising tools.

5. Security as an Enabler

Unfortunately, security seems to have been cast as the bad cop of technology. Cyber security experts are making it clear that this can no longer be tolerated or accepted as the status quo. Rather than using potential security risks as an excuse to shy away from new technologies, organizations must learn to adapt and prepare for the future. Tim Brown, Dell Fellow and CTO, says that CISOs can no longer simply say “No” to technological advancements in order to lock down security. Instead, they must drive the “Yes” and embrace new developments in technology, allowing security to act as an enabler and the vehicle for growth, automation, and advancement.