Cyber security is a very dynamic field: the threat landscape keeps growing and getting more sophisticated, while defensive measures keep improving and emerging technologies are adopted to fight the attackers. A very interesting field indeed.
Despite all the glamour, there are some old clichés that the industry and its players must do away with. I was at a cyber security conference and listened to a speaker stressing a point that I felt was outdated; it made sense probably 10 years ago but not today. The presenter's sentiments made me think of the clichés we have accepted as an industry without really putting much thought into them. Let's jump into some of them:
Compliance equals security
Compliance with a regulatory standard does not equate to security. Regulatory standards prescribe recommendations for protecting data and improving security management in the organization. Compliance indicates that the organization has met the baseline expected by the law or the regulator. The downside of compliance is that it gives a feeling of security that is far from reality: a compliant organization can still be breached through the gaps the standard never asked about. Compliance is a useful metric for security maturity but should NEVER be confused with your organization's security posture.
Security is both a feeling and a reality; and they are different. – Bruce Schneier
Change passwords periodically
The world changes, but humans will always be humans. Asking users to change passwords so often leads them to create patterns, which is counterproductive for security. The authors of that password policy believed that changing passwords regularly was a good control in case an account had been compromised or a breach had leaked the password. What they forgot is that humans love patterns: users will change the password but follow a pattern, tweaking the old password so that it is easier to remember (Nairobi2018 becomes Nairobi2019). Current NIST guidance (SP 800-63B, 2017) no longer recommends periodic changes at all; a password should be changed when there is evidence it has been compromised.
New school knowledge: opt for other methods of authentication – Multi-Factor Authentication (MFA), One-Time Passwords (OTP).
Complex passwords are strong passwords
Password policies recommend that we set complex passwords with a minimum number of characters and a mix of upper- and lower-case letters, digits and symbols. Of course a complex password is harder, or takes longer, for an adversary to crack. The downside is that our brains can only process so much, and having to remember many complex passwords leads people to write them down in notebooks or on sticky notes, or to save them on their phones. Users also satisfy complexity rules predictably (a capital first letter, a trailing digit or "!"), and cracking tools' rule sets already try exactly those substitutions.
Plenty of people even save their phone PIN on the same phone!
A long passphrase is easier to remember than a complex password the user cannot recall. Bill Burr, the former NIST official who wrote the 2003 guidance behind those complexity and rotation rules, acknowledged as much a few years back. Longer phrases are easier for the owner to remember and, from a security perspective, harder to brute-force, since the search space grows exponentially with length.
How secure is your password?
Test an 8-character password (H@r&2!xk) against a 19-character phrase (Nairobisalivelycity) on https://howsecureismypassword.net . Note the disclaimer at the bottom of the page: such estimators assume a blind brute-force attack, so a passphrase built from common dictionary words is weaker against a real cracking tool than the number shown.
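As an added example (this is not code from the original post), the following Python check implements the two password points above: it estimates the brute-force search space of the two passwords from the exercise, and it applies a NIST SP 800-63B style rule set (minimum length and a breach blocklist instead of composition rules and forced rotation) while rejecting the "tweak the old password" pattern that rotation produces. The blocklist contents, the length thresholds and the trailing-character regex are my own assumptions, not the author's.

```python
import math
import re
from typing import List, Optional

# Constructed stand-in for a breach corpus such as the Have I Been Pwned password
# list. A real check uses the full corpus (hundreds of millions of entries).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2018"}

MIN_LEN, MAX_LEN = 8, 64  # NIST SP 800-63B: at least 8, allow at least 64


def charset_size(pw: str) -> int:
    """Size of the character set an attacker must assume, judging from the
    character classes actually present in the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace for a blind brute-force attack: length * log2(charset).
    This is an upper bound; dictionary words and predictable patterns shrink the
    real guessing cost considerably."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def normalise(pw: str) -> str:
    """Strip the trailing digits/symbols people append at each forced rotation
    (assumed pattern) and fold case, so Nairobi2018! and nairobi2019!! compare equal."""
    return re.sub(r"[0-9!@#$%^&*.]+$", "", pw).casefold()


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """NIST SP 800-63B style acceptance check: length bounds and a breach
    blocklist instead of composition rules, plus rejection of a candidate that
    is only a trivial tweak of the previous password. Returns the problems
    found; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(candidate) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if candidate.casefold() in BREACHED:
        problems.append("appears in breach list")
    # An all-digit/all-symbol password normalises to "", so skip the tweak test for it.
    if previous is not None and normalise(candidate) and normalise(candidate) == normalise(previous):
        problems.append("only a trivial tweak of the previous password")
    return problems


if __name__ == "__main__":
    for pw in ("H@r&2!xk", "Nairobisalivelycity"):
        print(f"{pw:22} {brute_force_bits(pw):6.1f} bits of brute-force search")
    print(check_password("Nairobi2019!!", previous="Nairobi2018!"))
    print(check_password("Summer2018"))
    print(check_password("Nairobisalivelycity"))
```

The arithmetic comes out at roughly 52.6 bits for H@r&2!xk and 108.3 bits for Nairobisalivelycity, which is the page's point about length. The caveat is in the second check: Nairobisalivelycity is four common words, so a combinator or passphrase attack needs far fewer than 2^108 guesses, which is why the blocklist matters more than the bit count. In production, replace the constructed set with the Have I Been Pwned k-anonymity range API or an offline copy of its list.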
Buy a market leader and you are secure
Organizations invest heavily in market-leading solutions, then sit back and believe they are secure because they are using a product ranked as a leader in the Gartner Magic Quadrant. The product may be a great defensive tool, but wrongly configured it becomes a liability: a default credential left in place, an overly permissive rule or logging that was never switched on gives an attacker a way in regardless of the vendor's ranking. Organizations should understand their risk appetite and their security maturity programme before investing in cyber security solutions.
Secondly, technology controls are only part of the cyber resilience equation. The people and processes in place are as important as the technology adopted to defend the organization against cyber attacks.
Security is expensive
Small and medium-sized businesses believe that security is an expensive affair and a cost that can wait. Unfortunately, the loss from a cyber attack can cripple some of these businesses. Start now and start small: understand the assets that need to be protected, then put in place a plan (a cyber security strategy) for how best to secure them. A cyber risk assessment is always a good place to start, as its outcome highlights the highest-priority risks. Based on the assessment, cyber defence measures can be adopted that fit the budget and, more importantly, address the business's actual cyber risks.
So you think money is the root of all evil? Have you ever asked what's the root of all money? – Ayn Rand
Attackers are after your money
In the cyber crime industry, your data is more valuable than your money. Data is the most valuable commodity in the world today, which is no surprise given its power. Remember the 2016 US elections, Equifax, Cambridge Analytica, Liberty in South Africa; the list goes on. In none of those incidents was money taken directly, yet the data exposed tells us a lot about the power of data.
Once your data is in the hands of an adversary it can be used, re-used, sold, re-sold or even recycled. The adversary is keener on your data because it has multiple uses and can keep paying out over a period of time: a stolen card number is cancelled once, while a stolen identity (name, national ID number, date of birth) cannot be. That doesn't mean an adversary who finds your money won't transfer it; they will, but they will be just as happy to take over your identity.
As we get more interconnected and businesses digitize their operations, we have a shared responsibility to secure cyberspace. That can only be achieved when we accept that old ways of doing things will not open new doors in cyber security.
2018 © Villbo Group Limited.