You Are So Hack-able
Last week, in our ongoing celebration of Cybersecurity Month, we took a look at the Cisco Security Manifesto within Cisco’s 2015 Annual Security Report. We strongly encourage everyone, not just security professionals, to read the complete Annual Security Report, as an overriding message this year is the degree to which security has become the concern of all individuals within an organization.
Because the Annual Security Report is a hefty 53-pager, though, we thought we’d get you started with this seven-minute video interview with Cisco’s Chief Security Officer John Stewart, as he discusses the highlights of the security report. Here’s the video:
Why an Organization’s Security Is Everybody’s Business
But because the message is important, I’m going to make things even easier by providing a transcript below of portions of the interview with John Stewart, conducted by Lindsay Kniffin from Cisco. As you skim this transcript or listen to the video, you will become aware of some predominant themes:
Today’s cyberattackers often go after single individuals within an organization.
There’s a widening gap between how company leadership views its level of protection and how the company’s security operations staff assesses it.
Spam, after a relative hiatus, is back again as a significant threat.
It’s important to have an “all-hands-on-deck” approach when it comes to a cyberattack versus being secretive about it—everyone needs to get involved at all ranks.
Here’s an abbreviated portion of the video transcript:
Kniffin: What were some of the most important findings from the study, and what were some of the most worrisome findings as well?
Stewart: It used to be that you [a cyberattacker] would go out and hack a system. You’d go after a server; you’d go after an application. Now the idea is, go after a single user. Try to get them to infect themselves and then become a lateral jump inside an enterprise.
Unfortunately, that means the user has a whole bunch of responsibility. All of us have to figure out what to click on and what not to click on. And, frankly, that task, in and of itself, is pretty daunting.
Kniffin: The report talks about the widening gap between perception and reality among the security professional community. What does that mean exactly?
Stewart: Greater than 50 percent of the leadership of security teams are saying, we’re on the right track, we have the right strategy, and lower than 50 percent of the security operations people are saying, yes, we’re on the right track, we have the right strategy. So, that gap has got to get closed. The separation between leadership and operations can’t stay there.
Kniffin: The report calls out that spam is actually more dangerous even though it’s less common than it used to be. Why is it more dangerous?
Stewart: Spam, for a series of years, was declining statistically. And part of it was because the various vendors were getting better and better at protecting against it and filtering it. And so it was becoming less successful.
Not last year. Last year, spam was up, and the techniques started targeting the individual user with just a couple of messages sent from a whole bunch of different computers across the globe—whereas it used to be, send hundreds of thousands of messages constantly to anybody who would listen.
And so, spam became more dangerous again, because you’re being individually targeted with just a couple of messages that will probably get through, which means that for you, the ultimate person who receives it, it’s not filtered before it gets to you—you’ve got to make the decision. That makes it more dangerous too, because, I don’t know about you, but I get so many emails that I can get into click mode so fast: “Wait, am I supposed to click? I don’t know if I’m supposed to click. ...” So, that’s where the danger starts going up—is that there’s more reliance on the user.
Kniffin: How should organizations handle an active attack?
Stewart: I think there’s this tendency that, if you’re under attack, you don’t want to let that fact out and let anybody know. And it’s got to be the exact reverse. It’s an all-hands-on-deck moment. If there’s a serious problem, then the executive community has got to know, potentially the [executive] board’s got to know, law enforcement’s got to get engaged, and other companies that can help you: “Have you seen this? Do you know what this is? Can you help us?”
Kniffin: That’s great advice. What’s the most important thing that you think our viewers should take away from this year’s report?
Stewart: The criticality of IT in every business has become so important that the idea of security as part of everybody’s thinking process has to be there. It just can’t keep going that somebody else has got it covered. I think boards have got to jump in on this. I think CEOs have got to jump in on this. I think every individual person in the business has got to jump in on this, because the people in the business are the targets—they’re being involved now, targeted to get infected. We can’t afford the outages that we used to be able to deal with and we can’t afford to ignore it.