IT security officers have to monitor technical developments and business-related requirements in equal measure. A look at the strategic challenges associated with security prevention.
Text: Andreas Heer
The security experts at Risk Based Security added over 11,000 new vulnerabilities to their VulnDB vulnerability database in the first half of 2019 alone. Of course, this figure on its own says little about the current threat level. But 15% of these vulnerabilities are rated critical, and for roughly a third of them a working exploit, that is, a method of actually taking advantage of the flaw, has already been published. This shows how volatile the situation is for the security officers of companies. Latent threats and active attacks are normal occurrences, if there even is such a thing as ‘normal’ here.
Security measures taken today can already be laid to waste – or at least fall short – tomorrow. Increasing numbers of devices are being connected to networks, not only offering more convenience but also opening up new avenues for attacks. And these attacks are getting more sophisticated all the time. A small sampling of the horrors wrought by attacks and loopholes that chief information security officers (CISO) have been dealing with in recent months:
Google’s Project Zero disclosed five separate attacks on Safari on iOS that unidentified attackers had been using to gain virtually unrestricted access to iPhones. The vulnerabilities had existed for around two years and were only closed with the latest iOS update.
Emotet, a piece of malware that is used, among other things, to deliver ransomware, gets its foothold through phishing emails derived from the victims’ own earlier email correspondence, which makes them hard to recognise as fakes. Mass phishing has thus taken on a new dimension.
This past August, the Microsoft Security Response Center reported in a blog post that the APT group ‘Fancy Bear’, alias APT28, was using three specific network devices as a gateway for its attacks: a printer, a VoIP phone and a video device.
A security officer therefore not only needs to keep track of their company’s entire infrastructure, they also have to constantly assess how well existing security measures protect against newly discovered threats. How great is the risk of phishing attacks, and is the current level of protection adequate? Could DDoS attacks paralyse parts of the infrastructure, such as the online shop? And have business-critical systems really been patched against well-known vulnerabilities? As long as a CISO keeps asking these questions, their everyday work will never become routine. The answers provide the basis for adjusting the IT security strategy and the baseline protection.
Questions like ‘Is our company vulnerable to phishing?’ and ‘Are our security measures working?’ are as easy to ask as they are difficult to answer, because the CISO needs data from various sources. Perhaps the firewall log shows that a piece of malware has attempted to contact its command & control server from within the local network. But which user and which computer were behind the internal IP address at that moment can only be found in a different log, on the authentication server.
Ideally, all of this information is compiled in a central dashboard. A security information and event management system (SIEM) or a security analytics platform can help to provide a quick overview of technical incidents and find the needle in the haystack of log files. This is central both to handling security incidents and to adjusting the security measures that are already in place.
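What such a correlation looks like in practice is shown by the following added example; it is not code from the original article and does not come from any specific SIEM product. It joins a firewall log that records blocked command & control beacons with an authentication log that records which user logged on at which internal address, and attributes each beacon to the user whose session covered that address at that time. The log formats (pipe-separated fields), the log contents and the IP addresses are constructed for the example; the handling of an address that never appears in the authentication log is deliberate, because a printer or VoIP phone of the kind mentioned above never authenticates as a user.

```python
"""
Correlate firewall C2 alerts with authentication logs to find out which
user held an internal IP address at the time of each alert.

All log lines below are constructed sample data; the pipe-separated
format is an assumption for this example, not any vendor's real format.
"""
from datetime import datetime
from typing import Optional

# Constructed firewall log: timestamp | src_ip | dst_ip | action | category
FIREWALL_LOG = """\
2019-09-03T08:12:05 | 10.1.4.23 | 203.0.113.7 | deny | c2-beacon
2019-09-03T08:15:41 | 10.1.4.88 | 93.184.216.34 | allow | web-browsing
2019-09-03T09:47:19 | 10.1.4.23 | 203.0.113.7 | deny | c2-beacon
2019-09-03T10:02:33 | 10.1.7.5 | 198.51.100.9 | deny | c2-beacon
"""

# Constructed authentication log: timestamp | event | user | ip
# 10.1.4.23 changes hands: alice logs off, carol logs on shortly after.
AUTH_LOG = """\
2019-09-03T07:58:10 | logon | alice | 10.1.4.23
2019-09-03T08:01:02 | logon | bob | 10.1.4.88
2019-09-03T09:30:00 | logoff | alice | 10.1.4.23
2019-09-03T09:31:15 | logon | carol | 10.1.4.23
"""


def parse_log(text: str) -> list:
    """Split pipe-separated lines into fields, parsing the timestamp."""
    rows = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        fields[0] = datetime.fromisoformat(fields[0])
        rows.append(fields)
    return rows


def c2_events(firewall_text: str) -> list:
    """Keep only the firewall entries classified as C2 beacons."""
    return [(ts, src, dst)
            for ts, src, dst, _action, category in parse_log(firewall_text)
            if category == "c2-beacon"]


def sessions(auth_text: str) -> list:
    """Turn logon/logoff events into (user, ip, start, end) sessions.

    Sessions with no logoff yet get end=None (still open)."""
    open_sessions = {}
    result = []
    for ts, event, user, ip in parse_log(auth_text):
        key = (user, ip)
        if event == "logon":
            open_sessions[key] = ts
        elif event == "logoff" and key in open_sessions:
            result.append((user, ip, open_sessions.pop(key), ts))
    for (user, ip), start in open_sessions.items():
        result.append((user, ip, start, None))
    return result


def attribute(ts: datetime, ip: str, sess: list) -> Optional[str]:
    """Return the user whose session covered `ip` at time `ts`, else None."""
    for user, session_ip, start, end in sess:
        if session_ip == ip and start <= ts and (end is None or ts <= end):
            return user
    return None


def correlate(firewall_text: str, auth_text: str) -> list:
    """Join each C2 beacon with the user behind its source address."""
    sess = sessions(auth_text)
    findings = []
    for ts, src, dst in c2_events(firewall_text):
        findings.append({
            "time": ts.isoformat(),
            "src_ip": src,
            "dst_ip": dst,
            # None means: no user session covers this address, so the
            # device is probably not a workstation (printer, phone, IoT).
            "user": attribute(ts, src, sess),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(FIREWALL_LOG, AUTH_LOG):
        owner = finding["user"] or "UNATTRIBUTED (no user session)"
        print(f"{finding['time']}  {finding['src_ip']} -> {finding['dst_ip']}  {owner}")
```

Two details matter for real investigations and are built into the example: the lookup is time-aware, so the same address is attributed to alice for the morning beacon and to carol for the later one rather than to whoever authenticated last, and an address without any session is reported as unattributed instead of being silently dropped, which is exactly the case where an unmanaged network device deserves a closer look.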
The technical level of IT security measures is tied closely to an organisational level, which answers the question of which security measures are necessary for which systems. What are the business-critical environments and where might outages be manageable should they occur?
And if nothing else, for the sake of regulatory requirements and data protection laws, the CISO must know where certain data is saved and processed. Only when a security officer has all of this information in one place can they recommend what actions to take and give strategic recommendations in line with the corporate strategy. The IT security team has to adjust its methods to meet the needs of business operations, without interfering with people’s ability to act – a delicate balance.
At the very latest when employees start accessing cloud-based business applications while working from home, another problem then emerges: conventional perimeter protection, the protective wall around the company’s IT infrastructure, has become an obsolete concept in the age of the cloud and flexible work concepts. The CISO must have a solution ready to meet these challenges as well.
The training course to become a Certified Information Systems Security Professional (CISSP) specifies six methods for security prevention: