Gavin Millard, EMEA technical director, Tenable Network Security shares 2016 predictions with IT Security Guru
The Internet was never designed to support the needs of the modern enterprise. It is too insecure, and was always intended to be so. Sir Tim Berners-Lee, inventor of the World Wide Web, designed the Internet to make computers talk to each other and share information. Sir Tim has said that, at the point he invented the World Wide Web 25 years ago, he wanted to create a platform that developers would find familiar and easy to use and that baking in security at that point might have worked against that goal.
Unsurprising then that, since the late 90s, cybersecurity experts— including Gavin Millard, a white hat hacker and EMEA technical director at Tenable Network Security—have been forewarning that there is little thought to securing digital infrastructures, even as the world has rushed to embrace the benefits of connectivity.
“What the barrage of breaches over the last year has shown us is that defensive-only technologies are no longer enough,” said Millard. “While firewalls, anti-virus software, etc. are all useful tools, they leave gaps in cyber defences and these gaps have been exploited. It’s akin to the story of the Emperor’s New Clothes—you might think you’re covered, but really you’re exposed, it’s just that no one is telling you.”
With that in mind, Millard outlined three areas where organisations must focus efforts in the coming months and years if the breaches of 2015 are to be eventually consigned to history:
The Threat Landscape: Tenable recently conducted a global study amongst IT security practitioners in which it asked them to rank the challenges facing IT security professionals today. Unsurprisingly, the ‘overwhelming cyber threat environment’ was continually cited as the biggest challenge.
“The consequences of insecurity in an age of heavy reliance on networked computers is potentially dire,” said Millard. “In many organisations, blissful ignorance is sometimes a preferred state than visibility and action. Many security teams will receive a worse grade if they audit all infrastructure and fix some of those vulnerabilities, than if they don’t audit anything and expose where weaknesses reside. Organisations must commit to both full visibility into their network as well as remediation of all threats that pose risk. Only then can they even begin to consider themselves ‘secure.’”
Vulnerability Management: On this topic, Gavin says understanding your risk is a good first step, but improving the score should always follow.
“Weekly, and sometimes even daily, major new zero day vulnerabilities are identified that pose a massive risk to organisations,” said Millard. “Identifying where your network is vulnerable is just the start of the battle. If you look back over the last few years, many organizations have vulnerabilities that remain unpatched – for example 200,000 systems are still vulnerable to Heartbleed. That’s just not acceptable.
“Security needs to evolve to a holistic, real time picture of what is happening throughout the enterprise IT environment so organisations can identify where defences have fallen and build them back up, before its too late.”
Internet of Things: Tenable’s 2016 Global Cybersecurity Assurance Report Card found that organisations already struggle to assess and mange cyber risk from mobile technology, and yet the wide scale implementation of interconnected devices continues unabated.
“Technology continues to be leveraged to improve every aspect of our lives,” said Millard. “New devices and sensors are being deployed in our homes, cars, and even on us as wearables. New cloud services are also being introduced to collect and analyse this data.
“The problem is that security for these interconnected devices is being ignored in favour of speed to market and price to the customer. And, because most existing endpoint solutions can’t be used to assess these new devices and sensors, I’m sad to say that it is just a matter of time. My bet is that in the next twelve months we will witness the first major breach as a result of accelerating IoT adoption. It’s not just about the consumer for corporates either, as IoT becomes more prevalent in heavy industry, there is a very real concern that the increased cyber attacks targeting industrial control systems that have adopted emerging technologies will lead to another major confirmed case of physical damage related to cyber attacks in 2016.”
At the end of the fable, as the Emperor paraded through the city in his “invisible” threads, everyone else played along, pretending his robes were beautiful. Until one child cried out: “The Emperor has no clothes!”
Still, the Emperor marched on, embarrassed, but too proud to admit he had been fooled.
“With the UK’s cybersecurity assurance score at a middling 73 percent, we know the country’s infosec pros are feeling overwhelmed, understaffed, and are struggling to keep pace with disruption from mobile and cloud,” said Millard. “Just as the Emperor should have listened when the child first called his bluff and should have stopped to put on some real clothes, today’s enterprise needs to admit they don’t have enough visibility into what is happening on their networks, and despite their best efforts, they really have no idea how to answer to the question ‘how do you know you’re secure?’”