Regulators have to force organizations to have independent chief security officers if this country is to make progress fighting cyber-attacks, a security consultant has told a conference of Internet service providers.
“Generally in Canada what we are missing is stronger compliance requirements,” Jacov Zaidman, head of InterLAN Consulting, told the annual Canadian ISP Summit in Toronto on Tuesday.
He pointed out that in the U.S. publicly-traded companies must have a CSO, but that’s not required here.
He also said that a corporate-wide tough attitude to IT security has to come from the board. “Unless this kind of approach comes from the top down on a wide scale, companies will continue to be breached.”
“What we’re missing is a single point of accountability and control,” he said in an interview. “Today security is split in a vague way between different executives — sometimes it’s the CFO, sometimes it’s the CIO, sometimes it’s even the CEO, and many organizations don’t even have the CSO role that would bring it all together.
“The challenge is the CSO needs to be sufficiently independent from the rest of the business in order to achieve anything in terms of security. So if he’s being pressured by other parts of the organization to deliver because they need functionality, they need performance, they need ease of use, and security goes counter to many of those things. Security slows you down… but it’s a necessary evil to protect your assets.
“The CSO needs to have enough power in the organization. That’s why the delegation (of authority) needs to come all the way from the top — from the board of directors, all the way to the CEO.”
Zaidman, who has worked for a wide range of companies including financial institutions and retailers, also had a few pointed pieces of advice for infosec pros.
While it may be impossible at the moment to stop a determined attacker from breaching a system, the goal only needs to be making it harder to get into your company than it is to get into someone else’s.
“There’s a lot of hackers out there, but there are a lot more targets and they can’t go after everybody. So at the end of the day it comes down to return on investment. They want to invest the least amount of effort and money in attacking you and come out with the most value. If they feel you’re harder to attack than the guy next to you they will give up … and move on to the next target. So you don’t necessarily have to be Fort Knox in terms of security — you need to have reasonable and proper security controls, but you don’t need to be completely air-gapped and disconnected from the Internet.”
An increasing number of companies are being blackmailed, either by ransomware or DDoS attacks. As a matter of principle, Zaidman doesn’t believe in negotiating with attackers. But he admits that if an organization has no options — because, for example, it hasn’t backed up data — it may have no choice.
Make sure your organization is tough: create a honeypot so attackers go there rather than after your valuables; don’t give application developers production data to work with; never send links to customers in email; encourage staff and customers to use unique passwords and password managers; offer multifactor authentication; limit access to sensitive information; and don’t use standard verification information such as a mother’s maiden name for password changes (be creative, he says, and ask weird recognition questions).
The company behind the Ashley Madison dating site actually did some things right before a massive hack earlier this year, including not keeping full credit card information of subscribers. But Zaidman also gave a long list of fumbles, including keeping customer IP addresses for no apparent reason, not encrypting databases, and using a weak encryption method on passwords.
He commended the company for not giving in to blackmailers who demanded it close some sites. But certain information released from the breach (for example, that most members are men) has been damaging, the company is facing a huge lawsuit, and its reputation may have been seriously harmed.
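The talk did not say which scheme Ashley Madison used for its passwords, and stored passwords are normally hashed rather than encrypted, so the following is a general added illustration of the point, not the company's code or anything presented at the summit. It contrasts a fast, unsalted digest with a salted, iterated key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library) and counts the work a dictionary attack needs against each. The wordlist and user records are constructed sample data, and the function names are this example's own.

```python
"""Why a fast unsalted hash is a weak way to store passwords.

Added illustration; the wordlist and records below are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist: the kind of short list an attacker tries first.
COMMON_PASSWORDS: List[str] = ["123456", "password", "qwerty", "letmein", "hunter2"]


def weak_hash(password: str) -> str:
    """Fast, unsalted digest. Shown only as the weak scheme to avoid."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_weak(stored_hashes: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted digests.

    Each candidate is hashed once and the table is reused against every
    stored digest, so the work is len(wordlist) no matter how many users
    leaked, and users sharing a password share a digest.
    Returns (recovered {digest: password}, number of hash computations).
    """
    table = {weak_hash(p): p for p in COMMON_PASSWORDS}
    recovered = {h: table[h] for h in stored_hashes if h in table}
    return recovered, len(COMMON_PASSWORDS)


ITERATIONS = 600_000  # OWASP (2023) figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus an iterated KDF.

    The record is self-describing so the iteration count can be raised
    later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare so a mismatch position is not leaked by timing.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_strong(stored_records: List[str]) -> Tuple[Dict[str, str], int]:
    """The same dictionary attack against salted, iterated records.

    The salt turns every record into a separate job, so the attacker pays
    len(records) * len(wordlist) KDF runs, each deliberately slow.
    Every candidate is tried for every record so the count is exact.
    Returns (recovered {record: password}, number of KDF runs).
    """
    recovered: Dict[str, str] = {}
    kdf_runs = 0
    for rec in stored_records:
        for candidate in COMMON_PASSWORDS:
            kdf_runs += 1
            if verify_password(candidate, rec):
                recovered[rec] = candidate
    return recovered, kdf_runs


if __name__ == "__main__":
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}

    weak_db = [weak_hash(p) for p in users.values()]
    found, work = crack_weak(weak_db)
    print(f"unsalted: {len(set(weak_db))} distinct digests for {len(users)} users, "
          f"{len(found)} cracked with {work} hash computations")

    strong_db = [hash_password(p) for p in users.values()]
    found, work = crack_strong(strong_db)
    print(f"salted KDF: {len(set(strong_db))} distinct records, "
          f"{len(found)} cracked with {work} slow KDF runs")
```

Running the script shows the two users who share a password get the same unsalted digest and fall together for five cheap hashes, while the salted records are all distinct and cost fifteen slow KDF runs to attack; the weak users are still recovered, which is why unique passwords and multifactor authentication, also on Zaidman's list, matter alongside correct storage.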