Global State of Information Security Survey 2013

The Global State of Information
Security Survey

Every year PwC, CIO magazine, and CSO magazine publish the result of a survey of thousands of CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from a 100+ countries all over the world. It helps gathering information on the current trends, perceptions and overall state of the IT security from a top management perspective.

Attackers have become better and more aggressive: more attacks, more sophisticated, with bigger impacts, more nation-state controlled attacks... In the era of the cloud, social media, mobile and BYOD cyber security is certainly being heavily impacted. The exposure has increased and it has certainly been noted by this report as well: "The bad guys appear to be in the lead". All is not dark, there are some good news, but we must keep improving.

Assessment and culture

The report finds that good self-assessments continue: It's necessary for companies to understand and verify the risk they are taking. Also most respondents believe their organizations have instilled effective information security behaviors into organizational culture. Almost 50% of new projects see information security being taken into account either at project inception, or during the analysis and design phase. This is a good number, but more education is required, still. Finally most respondents (71%) say their information security activities are effective: This number used to be higher, this may be the result of better self-assessments which allow actual risks to be discovered.

In an post about the survey on CIO's website Colin Slater, partner at PwC says that "we still got a real lack of planning, it came up last year. It came out again this year". This is sad, because Information Security is both cheaper and more effective if it's initiated early in the project process, and supported by strong culture and leadership. “You need to have a strategy that defines what are the outcomes you want,” says Slater.

Capabilities and training

Between the economic climate, the pressure the do more with less and the pace of change of technology it's difficult to keep security on top of the agenda. 

The cloud, social media, BYOD are all trend which can have a severe impact on security. More controls would be necessary when the budget for security stagnates or is being compressed. The report is clear: The economic environment ranks first among the multiple factors shaping security budgets,with information security concerns lying far down the list.
The use of malicious code detection tools went from 83% to 71% in one year. IDS, rogue device detection, vulnerability scanning and other tools usage went done use when down by about 10% each. Sound security practices as well, with less backup, DR and BCP, review of users and access, application security, logging and monitoring, physical security. The authors draw an interesting parallel:

That’s like playing a championship game with amateur sports equipment.

Training and eduction is also being impacted. This is a worry as well as employees are still a major vector for data loss, either intentionally or not.

Seeing a diminution of the capacity to prevent cyber security breaches is a concern as we're facing both a larger exposure and more professional attackers. We could see an increase of successful attacks in the future.

Recommendations

The reports comes with some recommendations for businesses willing to lower their exposure and increase security:

1. Implement a comprehensive risk-assessment strategy and align security investments with identified risks
2. Understand their organization’s information, who wants it, and what tactics adversaries might use to get it
3. Understand that information security requirements—and, indeed, overall strategies for doing business—have reached a turning point
4. Embrace a new way of thinking in which information security is both a means to protect data and an opportunity to create value to the business

The first two are revolving around the same concept:

What gets measured gets done.

You need to know where your business is at, what are the threats, the risks, the current problems, in order to effectively and efficiently protect it. “What is important to the business? Then you can make decisions on what level of investment you need to protect it. If it is subjective, you are never going to get a clear view of your basic building blocks,” says Slater. What gets measured gets done better, should I add.

The third one reflects what I've mentioned in the introduction: Attackers are becoming more professional, sometimes with entire nation-state supporting them. The defence of company assets also needs to become even more professional.

Finally the fourth recommendation mentions the creation of value to the business. I can't see how security could create value. But security can certainly save money. Investments in security is similar to contracting an insurance: You can protect the company from the impact of daily risks. The difficulty is to decide which level of policy is right for you. You can estimate the ROI of you security, and you should.

Internal threats

 Some rights reserved
by Jordan Bracco

Threats to computer systems can come from outside or inside the corporate network. And whilst most of the measures tends to focus on external threats the behaviour of employees, intentional or not, represents a major risk as well.

Employees

Symantec recently published a study (What's Yours is Mine: How Employees are Putting Your Intellectual Property at Risk) showing that a majority of employees are copying corporate data in and out of the network, either on personal devices and cloud-based storage like Google Drive or Dropbox. The finding of the study are as follows:

• Employees are moving IP outside the company in all directions
• When employees change jobs, sensitive business documents often travel with them
• Employees are not aware they are putting themselves and their companies at risk
• They attribute ownership of IP to the person who created it
• Organizations are failing to create a culture of security

This creates many potential leakage points. 

Solutions

Symantec recommend three mitigation measures:

• Education and awareness
• Enforcement of NDAs
• Implementation of monitoring technologies

I would also add that the access to sensitive information should be on a need-to-know basis.

These are all passive solutions. I would suggest a few active solutions as well:

• Control the usage of USB ports, from company approved USB keys only, which come with a usage policy (education), to a flat-out no-USB-storage policy
• Use IRM solutions to protect confidential files 

Active solutions often come with a operational cost, and these need to be compared against the cost of a leak. They may not be worth their cost to protect not sensitive data, but may prove cheap compared fo the loss of critical IP or classified information. Some countries make it a requirement for some levels of classification.

There are more ways the data can go out of a company's network because of employees.

Operational mistakes

There has been many example in the past of administrator doing mistakes which exposed data to the outside world. Yale University recently exposed the social security numbers of 43'000 of its students when they made them accessible via an unprotected FTP server. Another example is MSD (Ministry of Social Development) in New Zealand which allowed access to the whole ministry's network via publicly accessible kiosks. Some pretty important stuff got found there, like information about Care & Protection homes, fraud investigation, debt collection and various admin password in clear text...

Solutions

Mistakes can happen. Here again education and awareness is really important, as well as the implementation of monitoring technologies. Another concept is really important here: Defence-in-depth. In MSD case above several layers of protections were missing:

• Network: Publicly accessible kiosks should not have been able to access the Ministry's network
• Shares: The Ministry's shares should not have been accessible by the user used by the kiosks
• Folders: The access to the content of such sensitive folders should be limited to specific groups only
• Files: Finally an IRM would have helped protecting these sensitive files

For the same reason we use multiple-tier architecture, forbidding direct access to databases and other data repositories to users. The database will control the user has access. The application will control have access. The network will control that the user has access. This way if one protection layer fails we always have additional measures to ensure the data is safe, 

Attackers

Attackers can try to access data in many different ways. The closer the entry point is from the information they want, the easier. The firewalls and other border network security may be strong, but an attacker can use other ways to get in: Social engineering, phishing, malware, etc. There are many 0day exploits out there, and companies are often slow to patch their systems. A smartly worded e-mail will catch a lot of people off guard. A USB key inserted in a computer on a false pretext can easily infect a network if the workstation is poorly protected.

Solutions

As for the other cases education is paramount. Companies could test their employees by sending phishing e-mails for education purposes. Someone clicking on the link would have to go through an eduction program again.

• Protect the information at the information layer, as close as possible from the data. So even if an attacker gets access to you internal network it's not a free-for-all access
• Ensure antivirus on desktops and servers in always recent and the signatures are up-to-date
• Monitor failed connection attempts, as once inside an attacker may try to brute-force his way in more protected areas
• Make sure you have IDS/IPS inside the network as well, not just at the border
• Finally review the logs! It's useless to have a fancy alarm system if you set it on silent.