Published on the 14/09/2016 | Written by Beverley Head
Fully outfoxing attackers depends on ‘radical action’…
As the information security industry runs out of superlatives to describe the full horror of the threats facing mankind, new efforts to scale that linguistic challenge are nevertheless emerging – from governments, no less. Speaking at the first Sinet61 Summit in Sydney, Dawn Meyerriecks, deputy director, directorate of science and technology for the CIA said that nations faced “An existential threat we must deal with collectively.”
Sinet61 is the newly formed local chapter of a global community of interest formed to share information and insight about information security.
Meyerriecks said that in the past, the way to make a system resilient was to harden its perimeters. She acknowledged that this was no longer possible and instead said the most successful approach is to “Change your configuration management every 20 days, plus or minus 5 days, to change the attack surface.”
That, she said, was the most effective way to counter attempts at cyber-attacks, and was an approach taken by the world’s major data centres and cloud vendors. She did however acknowledge that, “Every CIO in the place gets nervous about this.”
While changing systems configuration so regularly may work for cloud computing vendors, it might prove beyond the scope of most enterprise CIOs. Meyerriecks said, however, that there were additional strategies that could help tackle the challenge, such as developing a technical and skilled workforce with experience in security and collaborating with other organisations to share information about security challenges.
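What a rotation cadence of 20 days, plus or minus 5, looks like when written down, as an added example (this is the editor's illustration, not code from the summit, the CIA or any vendor mentioned above). The configuration fields, the port pool and the dates are constructed for the example; the two points it makes are that the interval should be jittered from a CSPRNG so the next change cannot be timed by an outsider, and that each rotation must leave behind an audit record carrying the previous generation so the change can be rolled back, which is the operational concern behind the "every CIO gets nervous" remark:

```python
import secrets
from datetime import datetime, timedelta, timezone

# Window quoted in the talk: rotate every 20 days, plus or minus 5.
BASE_DAYS = 20
JITTER_DAYS = 5

# Constructed sample configuration (hypothetical field names, not from the article).
DEMO_START = datetime(2016, 9, 14, tzinfo=timezone.utc)
DEMO_CONFIG = {
    "generation": 1,
    "service_token": "0" * 64,          # placeholder; replaced on first rotation
    "mgmt_port": 8443,
    "port_pool": [8443, 9443, 10443, 11443],
}

_RNG = secrets.SystemRandom()  # CSPRNG: rotation times must not be predictable


def next_rotation(last_rotation, rng=_RNG):
    """Pick the next rotation instant uniformly within the jitter window.

    A fixed 20-day cadence would let an attacker schedule activity around
    the change; jitter drawn from a CSPRNG removes that predictability while
    keeping the interval bounded so operators can still plan for it.
    """
    days = rng.uniform(BASE_DAYS - JITTER_DAYS, BASE_DAYS + JITTER_DAYS)
    return last_rotation + timedelta(days=days)


def plan_rotations(start, count, rng=_RNG):
    """Return `count` successive rotation instants starting from `start`."""
    plan, last = [], start
    for _ in range(count):
        last = next_rotation(last, rng)
        plan.append(last)
    return plan


def rotation_due(now, scheduled):
    """True once the scheduled rotation instant has been reached."""
    return now >= scheduled


def rotate(config, rotated_at=None, rng=_RNG):
    """Build the next configuration generation without mutating the current one.

    Three things change so that whatever an intruder mapped goes stale:
    the service token is regenerated, the management port moves to a
    different member of the allowed pool, and the generation counter is
    bumped so peers can tell which generation they are talking to.
    The previous generation is kept in the audit record so the change can
    be rolled back, which is what makes the approach tolerable operationally.
    """
    new = dict(config)
    new["generation"] = config["generation"] + 1
    new["service_token"] = secrets.token_hex(32)
    new["mgmt_port"] = rng.choice(
        [p for p in config["port_pool"] if p != config["mgmt_port"]]
    )
    audit = {
        "generation": new["generation"],
        "rotated_at": (rotated_at or datetime.now(timezone.utc)).isoformat(),
        "previous": dict(config),
        "changed": sorted(k for k in new if new[k] != config[k]),
    }
    return new, audit


if __name__ == "__main__":
    for when in plan_rotations(DEMO_START, 3):
        print("rotation due", when.date())
    cfg, rec = rotate(DEMO_CONFIG, rotated_at=DEMO_START)
    print("generation", cfg["generation"], "port", cfg["mgmt_port"],
          "changed", rec["changed"])
```

The scheduler and the rotation are deliberately separate: the scheduler only decides when, and the rotation only produces a new generation plus a record of the old one, so a failed rollout can be reverted by reapplying `audit["previous"]`. Anything the rotation changes (here a token and a port) has to be distributed to every legitimate peer before the old generation is retired, which is the real cost that cloud operators absorb and most enterprises do not.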
One of the proposals of the Government’s $230 million information security action plan is to build an online threat sharing portal to facilitate exactly that sort of collaboration, and speakers at the conference said that backchannels which shared threat information within a sector were already being leveraged.
Another element of the Government’s cyber action plan is to support a more vibrant local security industry. Adrian Turner is CEO of Data 61 and joint chair of the Cyber Security Industry Growth Centre. He said that the organisation had submitted its business plan to Government and expected to formally get underway in the next few weeks with the twin goals of promoting security and creating a vibrant domestic, but globally competitive industry.
Alastair MacGibbon, special advisor to the PM on cyber security, told Summit delegates that while Australian enterprise and Government stood to benefit from sustained digital innovation, it brought with it “complex threats and complex challenges.”
MacGibbon has spent the last month examining the causes of the Census site failure and confirmed to delegates that the investigation had revealed that there had been some relatively small distributed denial of service attacks, which had led to the Bureau of Statistics deciding to close down the site.
He said that the “Impact in terms of trust and confidence will last a significant period. That comparatively small DDoS will have lasting impact on Government and there is a lot to learn (from it) for the business community.”
Personally, I don’t think we should be promoting “security”. Security has connotations with prevention, and prevention is not always possible. In fact this is one of the reasons the cyber security industry is in a mess today. It has invested all of its efforts in prevention, and when that fails, detection, response and recovery are ill conceived and bungled, costing either taxpayers (for government cyber breaches) or shareholders (for private sector cyber breaches) money.
I think we should be promoting “resilience” which is the ability to have four shots at reducing cyber risk through:
1. discovery and remediation of vulnerabilities;
2. prediction and prevention of threats;
3. detection of, and response to, attacks; and
4. confirmation of, and recovery from, breaches.
Mindset and the cultural shift that will follow is what the plan needs to revolve around.