Strengthen Perimeter Security, Passwords: CU InfoSecurity
Shoring up perimeter defenses and strengthening management’s credentials is necessary to defend against today’s cybercriminals, whose tactics continue to evolve. That’s what security experts explained at the CU InfoSecurity 2016 conference this week in New Orleans.
Sarena O’Donnell, director of risk management for the Alexandria, La.-based Ingalls Information Security, spoke about the Center for Internet Security and its recommended 20 Critical Security Controls for protecting computer networks.
O’Donnell described the current state of cybersecurity, the history of the CIS’ CSCs and reasons for their development.
“These controls are unique because they have been developed using actual attack data and have been practically demonstrated to be capable of stopping known attacks,” she said.
O’Donnell added, “Prevention is ideal but detection is a must.” That statement appears in the CSC literature, and she described it as a very current and valuable mindset for information security professionals.
She pointed out that credit unions’ increasing reliance on technology creates security issues.
“Technology creates a competitive advantage and is a business enabler,” she said. “But technology also has inherent vulnerabilities and this creates security risk that needs to be managed.”
O’Donnell continued, “As credit unions we operate within an intense regulatory environment; this creates a significant and evolving regulatory cybersecurity burden that needs addressing.”
She also added, “While a compliance strategy is not unreasonable, in an environment of limited resources it is difficult to realize the opportunity of having a proactive, deliberate strategy for our cybersecurity program.”
She pointed to continued cyberattacks on financial institutions, which include distributed denial of service attacks, schemes involving ATM cashouts, commercial account takeovers, targeted phishing attacks and ransomware.
“It is possible that we are investing our limited resources on controls that, while valuable, are not directly protecting our networks from current known attack patterns,” the Ingalls director said. “These controls are not theoretical controls; they have actually been practically demonstrated.”
The CIS’ CSCs provide a recommended set of actions for cyberdefenses, including specific and actionable ways to stop today's most pervasive and dangerous attacks.
O’Donnell said the specific goals of the CSCs are to protect critical assets, infrastructure and information. The controls do this by strengthening defensive posture through continuous, automated protection and monitoring of sensitive infrastructure.
In a separate presentation, David Trepp, president/CEO of the Eugene, Ore.-based Info@Risk, described credential management and practical strategies.
Trepp explained that Info@Risk personnel are not experts in password solutions but in defeating credential controls. The firm performs audit-related functions, including penetration testing, program reviews and security control audits.
“We don’t plan, build or manage any solutions,” Trepp said.
Info@Risk’s primary service for credit unions is penetration testing.
“It is a real world test on whether its information security controls work or not across every possible attack vector,” he said, noting that includes physical attacks against buildings and facilities, human attacks using social engineering, and technical attacks against external and internal information services. “The credit union gets a baseline on which controls are operating effectively and which controls are not operating as expected.”
Info@Risk penetration test scores revealed the 2014 average fell from the 2013 average, and the 2015 average fell further compared to 2014.
“It’s not because IT security suddenly fell asleep on the job. Since early 2014, numerous exploits that target credential harvesting have entered the public domain,” Trepp said.
Trepp said password policies, such as requiring a change after a specific period, strengthen credentialing. In addition, he said, periodic changes are good practice because they create additional obstacles for hackers.
Trepp explained using passphrases instead of passwords makes end users, help desk personnel and security administrators happy.
“There is no need to hit the shift key a bunch of times or hunt and peck around on the number pad; it’s just a normal sentence,” he said.
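A passphrase-friendly policy check, added here as an illustration and not code from Info@Risk or the conference. It accepts a long multi-word passphrase without demanding shifted or numeric characters, applies the character-class rule only to short passwords, and reports two strength estimates: the naive per-character keyspace and the more honest per-word estimate that applies when an attacker guesses from the same word list the user drew from. The deny-list, the length thresholds and the 7776-word dictionary size are assumptions.

```python
import math
import re

# Constructed deny-list standing in for a breached-password feed (assumption,
# not data from the presentation). Stored lower-case for case-insensitive matching.
COMMON_SECRETS = {"password", "password1", "letmein", "qwerty123", "welcome1!"}

# Assumed policy thresholds; the talk gives no numbers.
MIN_PASSWORD_LEN = 12
MIN_PASSPHRASE_LEN = 20
MIN_PASSPHRASE_WORDS = 4
DICEWARE_WORDS = 7776  # size of a typical word list used to pick passphrases


def charset_size(secret: str) -> int:
    """Size of the alphabet a per-character brute-force attacker must cover."""
    size = 0
    if re.search(r"[a-z]", secret):
        size += 26
    if re.search(r"[A-Z]", secret):
        size += 26
    if re.search(r"[0-9]", secret):
        size += 10
    if re.search(r"[^A-Za-z0-9]", secret):
        size += 33  # printable ASCII punctuation plus space
    return size


def brute_force_bits(secret: str) -> float:
    """Naive keyspace estimate: length * log2(alphabet). Flatters passphrases."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(charset_size(secret))


def passphrase_bits(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Estimate when the attacker guesses whole words rather than characters."""
    return word_count * math.log2(dictionary_size)


def is_passphrase(secret: str) -> bool:
    words = secret.split()
    return len(words) >= MIN_PASSPHRASE_WORDS and len(secret) >= MIN_PASSPHRASE_LEN


def check_secret(secret: str) -> tuple:
    """Accept a long passphrase as-is; demand mixed classes only of short passwords."""
    if secret.lower() in COMMON_SECRETS:
        return False, "rejected: on the deny-list"
    if is_passphrase(secret):
        return True, "accepted as passphrase"
    if len(secret) < MIN_PASSWORD_LEN:
        return False, f"rejected: shorter than {MIN_PASSWORD_LEN} characters"
    if charset_size(secret) < 62:
        return False, "rejected: short passwords need upper, lower and digits at least"
    return True, "accepted as password"


if __name__ == "__main__":
    for s in ["Tr0ub4dor&3", "correct horse battery staple", "Password"]:
        ok, why = check_secret(s)
        print(f"{s!r}: {why}; naive estimate {brute_force_bits(s):.1f} bits")
    print(f"4 words from a {DICEWARE_WORDS}-word list: {passphrase_bits(4):.1f} bits")
```

The two estimators deliberately disagree: the naive figure credits a four-word passphrase with well over 100 bits, while the per-word figure gives it about 52 bits, which is the number to plan around once the attacker knows a word list was used. That gap is why a passphrase policy should fix a minimum word count rather than trust character-level arithmetic.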
However, both passwords and passphrases will soon be obsolete, as cybercriminals develop password- and passphrase-cracking resources while better credentialing technology for protecting systems continues to evolve.
One credentialing process that’s in the works involves multi-factor authentication, which combines something one knows (username and password) with something one is (e.g. biometric authentication or pictures) and/or something one possesses (tokens or smartphones).
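What “something one knows” combined with “something one possesses” looks like in code, as an added example that is not part of the article or Info@Risk’s work. It assumes a time-based one-time password (TOTP, RFC 6238, the scheme behind common smartphone authenticator apps) as the possession factor and a salted PBKDF2 hash for the password factor; the PBKDF2 work factor, the drift window and the user record layout are assumptions. The constant RFC6238_TEST_SECRET is the published test key from the RFC, used so the codes can be checked against known vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000  # assumed work factor for the password hash
TOTP_STEP = 30           # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
# Base32 of the ASCII key "12345678901234567890" from the RFC 6238 test vectors.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Something you know: salted PBKDF2-HMAC-SHA256, stored as salt || digest."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """Something you possess: HOTP over the current 30-second time step."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // TOTP_STEP))


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None,
                window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    at = time.time() if at is None else at
    counter = int(at // TOTP_STEP)
    ok = False
    for delta in range(-window, window + 1):
        # Constant-time comparison, and no early return, so timing reveals nothing.
        ok |= hmac.compare_digest(hotp(secret_b32, counter + delta), code)
    return ok


def enroll(password: str, totp_secret: Optional[str] = None) -> dict:
    """Build a user record holding both factors; the TOTP secret is random unless given."""
    if totp_secret is None:
        totp_secret = base64.b32encode(secrets.token_bytes(20)).decode()
    return {"pw": hash_password(password), "totp_secret": totp_secret}


def login(record: dict, password: str, code: str, at: Optional[float] = None) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which one failed."""
    pw_ok = verify_password(password, record["pw"])
    otp_ok = verify_totp(record["totp_secret"], code, at)
    return pw_ok and otp_ok


if __name__ == "__main__":
    user = enroll("correct horse battery staple", RFC6238_TEST_SECRET)
    print("code at t=59 :", totp(RFC6238_TEST_SECRET, at=59))
    print("login ok     :", login(user, "correct horse battery staple", "287082", at=59))
    print("wrong factor :", login(user, "correct horse battery staple", "000000", at=59))
```

A real deployment would also record the last accepted counter per user so a code cannot be replayed within its step, and would rate-limit attempts, since a six-digit code has only a million possibilities.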