The past few years have not been good for cyber security, with major cyber attacks such as ransomware and DDoS attacks hitting companies like Equifax, Deloitte and Uber. It is a cat-and-mouse game between defenders and attackers, and the attackers are usually found one step ahead. Moreover, change is the only constant today.
A number of cyber security vulnerabilities stem from the fact that organizations need to keep evolving. This has a lot to do with agility. Organizations need new features and modules all the time: as their own needs grow, and more importantly as their clients' needs grow, new features and modules are requisitioned and then developed. So an application that was securely coded earlier may become unsafe after new modules are added if good coding practices are not followed. Therefore, there has to be a structured approach to cyber security.
Companies need to stick to the basics, such as patch management, and it's crucial to implement them. For example, Microsoft released a patch one month before the WannaCry attack struck. The company knew these were the vulnerable areas and therefore released the patch. However, organizations did not apply it. The very vulnerability that patch addressed was the one the attackers exploited in the WannaCry campaign.
“If you don’t implement it, then you have no right to blame the vendor after the incident has happened. It is a classic case of us failing because the patch was already there and we failed to update our security posture. Things such as these may not protect you 100% but it can give you 40-50% protection, which is a big thing in the world of cyber security,” says Mihir Joshi, Assistant Vice President & Information Security Officer, DSP Black Rock Mutual Fund. He goes on to give his multi-pronged approach to cyber security. According to him, there are eight basic things that organizations must do to detect, respond and maintain their security posture.
1) Adopt a proactive approach: Organizations have been working in a reactive mode rather than a proactive one. This has to change if the ever-evolving cyber security threats are to be combated.
2) Risk imagination: Cyber security professionals should be in a position to imagine the risk and this risk imagination should be aligned with the new technologies that are being implemented in the organizations.
3) We over-invest in prevention. Now the time has come to focus on detection and response. If you are attacked at this moment, how quickly can you bounce back? That is the important question. Therefore, invest in detection, response and planning.
4) Stick to the basics. Many patches were released in the past few years, but organizations did not implement them. The patch management process must be followed religiously. We have 48 patches on our servers.
5) CISOs need to have a clear visibility of what is happening in the organization. For example, I have this phone with me. The phone company keeps sending updates. I must keep updating the system.
6) Testing must be rigorous as sometimes bad coding practices are followed. If I am the coder, then I must use secure coding practices.
7) The mantra today should be dev (development), sec (security testing) and then ops (operations). Earlier, it used to be dev, ops and sec. Security needs to be built in at the design stage. Therefore, security needs to come right before operations so that you have a secure product. Things can get difficult if you try to incorporate this element retrospectively. Applications that were secure earlier may have become insecure, and you might end up breaking them in order to make them secure.
8) Use bug bounty programs. There are cyber security professionals looking for bugs in Microsoft, Linux and other operating systems and their applications. If they make a disclosure and tell the organization about a bug that they found, there is no need to be defensive about it. Be proactive and try to remove that vulnerability as soon as possible and develop a patch to remedy the situation.