Here are the 16 questions posed during a recent “Ask the Experts” webinar about cybersecurity challenges, and a summary of our answers. You can learn more by listening to the webinar.
On September 27th 2017 I took part in a webinar titled Your Cybersecurity Challenges in ITSM. Ask the Experts. The webinar was hosted by Oded Moshe, VP Product at SysAid and we were also joined by Ian Bugeja, Director of Product Management at GFI Software.
We asked people to send in their cybersecurity questions during the two weeks leading up to the webinar, and then answered them during the event. We also encouraged participants to add more questions during the webinar, and answered those at the end.
The questions that we answered during this webinar varied widely. Some were strategic, others more tactical; some were about people and processes, others were about technology. Overall, I think the webinar offers a great overview of the security issues that IT people are concerned about.
Here are the questions that were asked, and a summary of the answers we gave. If you want to hear more detail, then please listen to the webinar.
This was the first question that we answered, and like many of the other questions it does not have a single definitive answer. We discussed the fact that the board of management (or equivalent in public bodies) is ultimately accountable for the security of business assets, but that they will usually delegate the work to many different people in the organization.
This question gave me an opportunity to introduce the idea of Prevent, Detect and Correct. When you are thinking about security, you need to think in terms of preventing incidents from happening where you can, but you also need to be good at detecting incidents and recovering from them. For ransomware, this means that you need to:
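The Detect part of that model, as an added example that is not code from the webinar or from the original post: a small Python check that scans a directory for files that look encrypted (high byte entropy together with a renamed extension) and for ransom-note file names, then decides whether the share looks like it is under attack. The extension list, note names, entropy threshold and flag ratio are assumptions chosen for the demo, and the sample directory is constructed inside the script.

```python
"""Detect-stage ransomware check over a directory tree.
Added example with a constructed sample directory; the thresholds and
file names below are assumptions for the demo, not rules from the webinar."""
import math
import os
import tempfile
from collections import Counter

SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}            # assumed list
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover.txt"}  # assumed list
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off for "looks encrypted"
FLAG_RATIO = 0.5          # assumed share of encrypted-looking files that triggers an alert
SAMPLE_BYTES = 65536      # only the first 64 KiB of each file is measured


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root: str) -> dict:
    """Walk the tree and collect encrypted-looking files and ransom notes."""
    findings = {"encrypted_files": [], "ransom_notes": [], "total_files": 0}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            findings["total_files"] += 1
            if name.lower() in RANSOM_NOTE_NAMES:
                findings["ransom_notes"].append(path)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in SUSPECT_EXTENSIONS:
                continue                       # cheap filter before reading the file
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                findings["encrypted_files"].append(path)
    return findings


def assess(findings: dict) -> bool:
    """True when the findings look like an active ransomware incident."""
    total = findings["total_files"]
    ratio = len(findings["encrypted_files"]) / total if total else 0.0
    return bool(findings["ransom_notes"]) or ratio >= FLAG_RATIO


def build_sample_directory() -> str:
    """Constructed sample data: one random-byte file with a renamed extension,
    one ordinary text file and one ransom note."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    with open(os.path.join(root, "report.docx.locked"), "wb") as fh:
        fh.write(os.urandom(4096))             # stands in for an encrypted document
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("quarterly numbers\n" * 100)  # normal, low-entropy content
    with open(os.path.join(root, "README_TO_DECRYPT.txt"), "w") as fh:
        fh.write("your files have been encrypted\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_directory()
    result = scan_directory(sample_root)
    print(result)
    print("incident suspected:", assess(result))
```

Run on a schedule against file-server shares, or from an endpoint agent, a sudden rise in the encrypted-file ratio or the appearance of a note file is the signal that moves you from Detect to Correct: isolate the host that wrote the files and restore from the last known-good backup.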
What’s important here is to remember that while you do need to think about the risk that the patch will introduce, you also need to think about the risk from running unpatched software. It may be better to put the patch in with little or no testing than to risk being breached through a known vulnerability. There may be a small number of critical business applications that need thorough testing, but for most systems it is probably better to patch first, and fix any issues afterwards.
This question surprised me. A data diode is a network component that only allows data to flow one way, and their use is so uncommon that many IT people will not have heard of them. We talked about how data diodes might, for example, be an appropriate technical control for organizations trying to monitor an industrial control system remotely. However, they would not provide all the security required.
This question followed on from the previous one. Many people believe that malware only arrives through a direct internet connection, but that is not true. Malware can propagate across your internal network to systems that have no direct internet connection, and even via USB sticks and other removable media that involve no network connectivity at all. You need to install patches and endpoint protection on all computers.
GDPR is a huge topic, much more than we could cover in a general security webinar, or one short blog. The simple answer to this question is YES, you do need to be concerned about GDPR if you store or process any personal data about any EU citizen. You have until May 2018 to get ready, and it could take a lot of work. If you haven’t started yet, then it is now urgent.
I talked about the importance of story-telling. You need to think about your business, and what it depends on, and what could go wrong. Discuss potential failure scenarios with all the different stakeholders and think about what you could do to recover from them. Turn the results into plans, and once you have the plans in place rehearse them. During a real crisis, people will do the wrong things unless they have rehearsed often enough to do the right things automatically. That’s why most offices run regular fire drills, so that people can practice leaving the building in an emergency.
We discussed some recent attacks where Internet of Things (IoT) devices have been involved in DDoS attacks, which I summarized by saying, “Once the light bulbs and the toasters are attacking the server, you know you’re in trouble.” The short answer to the question is that if you don’t already know how to deflect DDoS then you almost certainly don’t have the capability. You have to buy a DDoS protection service from a network service provider.
Everyone on the panel agreed that cloud service providers are generally much better at providing secure infrastructure than most internal data centers. You need to select a reputable service provider, and then build up a trust relationship with them. There are still risks, but there are risks with internal data centers and staff too. We also discussed the fact that your data may not all need the same protection; you need to classify your data and think about the best way to manage each category of data you hold.
If you watch the webinar you will see that this is a very brief summary of a much longer question about VPN services and cloud service providers.
Oded answered this question, explaining how SysAid Patch Management uses policies to control the release of patches so that they can be rolled out to various categories of computers in a controlled way. Ian talked about the importance of patching applications, as well as operating systems.
This brought us back to GDPR, which requires organizations to report a significant breach within 72 hours of detection, with failure to do this attracting punitive fines. This means that you must understand what happened, who might be affected, how serious it is, and what you are doing about it; and be able to communicate this to the regulator and to any other affected people very quickly. I told a story about one organization where the head of the crisis management team was a marketing manager who understood the power of honesty and transparency. Because of this, the organization suffered very little loss after a significant data breach.
We weren’t completely sure what the person asking this question wanted to know, but Ian discussed polymorphic viruses, and how modern anti-virus software can detect and block these, even though the virus code keeps changing.
Oded talked about the specifics of the SysAid Remote Discovery Service (RDS), and described some of the many security features built into this. I talked about the SSL protocol and suggested that TLS 1.2 is much more secure than SSL, and people should migrate where they can.
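To make the SSL-versus-TLS point concrete, here is an added example (not code from the webinar, SysAid or GFI) that parses a TLS ClientHello record and reports which protocol versions the client is offering, so that captured handshakes can be audited for clients that are still willing to negotiate SSLv3, TLS 1.0 or TLS 1.1. The ClientHello bytes are constructed by the script itself rather than captured from a network; the wire layout follows the TLS record and handshake format (RFC 5246) and the supported_versions extension (RFC 8446), and the builder function is a helper written for this demo.

```python
"""Report which protocol versions a TLS ClientHello offers.
Added example with constructed sample messages; not code from the webinar."""
import struct

VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLSv1.0",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",
    0x0304: "TLSv1.3",
}
LEGACY_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}   # anything below TLS 1.2
SUPPORTED_VERSIONS_EXT = 0x002B                     # RFC 8446 extension type


def build_client_hello(client_version, supported_versions=None):
    """Construct a minimal ClientHello record (demo input, not captured traffic).
    With supported_versions the RFC 8446 extension is appended; without it the
    hello looks like a pre-TLS-1.3 client that only states its highest version."""
    body = struct.pack("!H", client_version)
    body += b"\x00" * 32                              # client random (zeros here)
    body += b"\x00"                                   # empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
    body += b"\x01\x00"                               # compression methods: null only
    extensions = b""
    if supported_versions:
        versions = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = bytes([len(versions)]) + versions
        extensions += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_data)) + ext_data
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the versions offered and whether any of them is below TLS 1.2."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                          # version and random
    pos += 1 + body[pos]                                   # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                   # compression methods
    offered = set()
    if pos + 2 <= len(body):                               # extensions are optional
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT and data:
                for i in range(1, 1 + data[0], 2):         # one-byte length, 2-byte entries
                    if i + 2 <= len(data):
                        offered.add(struct.unpack("!H", data[i:i + 2])[0])
    if not offered:
        # No supported_versions extension: the hello only states the highest
        # version, and the server may pick any lower one, so treat everything
        # below it as negotiable (an interpretation chosen for this audit).
        offered = {v for v in VERSION_NAMES if v <= client_version}
    names = {VERSION_NAMES.get(v, "0x%04x" % v) for v in offered}
    highest = max(offered)
    return {
        "highest": VERSION_NAMES.get(highest, "0x%04x" % highest),
        "versions": names,
        "accepts_legacy": bool(names & LEGACY_VERSIONS),
    }


if __name__ == "__main__":
    for label, rec in [
        ("modern client", build_client_hello(0x0303, [0x0304, 0x0303])),
        ("old client", build_client_hello(0x0301)),
    ]:
        print(label, parse_client_hello(rec))
```

Feeding real ClientHello records (for example the first handshake record of each TCP session from a capture) through parse_client_hello gives an inventory of which clients on your network still offer versions older than TLS 1.2, which is the list you need before turning those versions off on the server side.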
Ian explained that protection from DDoS requires a network service, rather than GFI software, but a good patching utility can help to ensure that patches are up to date, which limits the risk of ransomware, and a good AV solution can help to detect ransomware attacks and block them.
Office 365 is probably more secure than what you can provide out of your own data center, but that depends on the nature of your organization.
Indeed there is, and I was a bit cheeky answering this question, as I suggested that people read RESILIA™: Cyber Resilience Best Practice, for which I was the lead author.
Information security covers a huge range of topics, and people clearly need a forum where they can ask questions and get helpful answers. I was very pleased that SysAid invited me to help out on this webinar, and I think that we provided a lot of helpful information.
For me the most important thing is to maintain a balance. Don’t let information security stop you from working, but do think about the risks and how you can best manage them.
Please do listen to the webinar and see what you can learn from it, and let us know what you think in the comments section below.