Jason Mical, VP of Cyber Security, AccessData
There is no one-size-fits-all approach, says Jason Mical, VP of Cyber Security, AccessData. He also describes some of the most active threats in Asia Pacific.
How would you characterise the cyber security scenario today? What shortcomings do you see in terms of preparedness?
The biggest problem today is a lack of education on how attacks operate, which is necessary to understand the appropriate defensive posturing. Without that understanding, there's no context, and without context there's no strategy. Even today, there's an undeserved obsession with the initial infiltration vector.
Company XYZ didn't get hacked because an HR person was spear-phished. They were breached because they failed to detect the attack in progress as the attacker elevated privileges (think PW dump and pass-the-hash), moved laterally through the company intranet from system to system, stole all credentials in the Active Directory database, copied sensitive data off the network, etc. Even if the company was immune to spear phishing, the attacker would have figured that out and moved on to other infiltration vectors.
Additionally, while attackers use hacking tools and backdoors for portions of the attack lifecycle, those tools are very different from viruses, botnets, and mass malware. Lumping all software used for bad purposes under the one name of "malware" is misleading. Again, context is key. Those responsible for security need to understand that if they identify a hacking tool, backdoor, or RAT that isn't prolific in nature, they need to have a response that's very different from disinfecting a system that has a virus.
Chances are, there's a hacker behind the wheel performing lots of manual actions that need to be discovered through an investigation. Much of their activity would look like a system administrator went rogue. This is a concept that most organisations still do not grasp.
Is there a best way to approach cyber security? What could be it?
There is no one-size-fits-all approach. Generally speaking, though, organisations need to know what their assets are and make sure those assets are identified as much as possible. Apply the concept of least-privileged access and role-based access control to ensure access is limited to those that need it and only to what they need.
Next, research the known threat actors out there and figure out which ones apply. Learn as much as possible about how they operate and prioritise both preventative measures and detection systems to see what gets through. Have well-rehearsed response plans in place for likely scenarios. The goal is to make it a pain for the attacker to make progress from victim zero (initial infiltration) to the goal line, and then have eyeballs scanning hosts, network data, and log files to see them running around the field.
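The lateral-movement stage described in the first answer (pass-the-hash, hopping from system to system) and the "eyeballs on log files" advice above both come down to spotting one account fanning out across many hosts in a short window. The Python below is an added example, not code from the interview or from AccessData: it parses constructed logon records in a simplified pipe-delimited format (assumed, not a real event format) and flags network logons (type 3) from one source to four or more distinct targets within ten minutes, noting whether NTLM was used.

```python
"""Flag lateral-movement fan-out in constructed logon records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real telemetry.
# Fields: timestamp|account|source_host|target_host|logon_type|auth_package
SAMPLE_LOG = """\
2024-05-01T09:00:01|alice|WS-101|FS-01|3|Kerberos
2024-05-01T09:02:10|bob|WS-102|MAIL-01|3|Kerberos
2024-05-01T09:15:00|svc_backup|WS-117|FS-01|3|NTLM
2024-05-01T09:15:04|svc_backup|WS-117|FS-02|3|NTLM
2024-05-01T09:15:09|svc_backup|WS-117|HR-DB|3|NTLM
2024-05-01T09:15:15|svc_backup|WS-117|DC-01|3|NTLM
2024-05-01T09:16:00|svc_backup|WS-117|DC-02|3|NTLM
2024-05-01T10:30:00|alice|WS-101|FS-02|3|Kerberos
"""

def parse(text):
    """Turn the pipe-delimited records into (time, account, src, dst, type, pkg) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, acct, src, dst, ltype, pkg = line.split("|")
        rows.append((datetime.fromisoformat(ts), acct, src, dst, int(ltype), pkg))
    return rows

def find_fan_out(rows, window=timedelta(minutes=10), min_hosts=4):
    """Return {account: {source, targets, ntlm}} for accounts whose network logons
    (type 3) from a single source reach >= min_hosts distinct targets inside `window`.
    Note: a legitimate backup or patching job produces the same shape, which is exactly
    why this activity looks like an administrator; baseline known jobs before alerting."""
    by_key = defaultdict(list)
    for ts, acct, src, dst, ltype, pkg in rows:
        if ltype == 3:
            by_key[(acct, src)].append((ts, dst, pkg))
    hits = {}
    for (acct, src), events in by_key.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [(d, p) for t, d, p in events[i:] if t - start <= window]
            targets = {d for d, _ in in_window}
            if len(targets) >= min_hosts:
                hits[acct] = {"source": src, "targets": sorted(targets),
                              "ntlm": any(p == "NTLM" for _, p in in_window)}
                break  # one finding per account/source pair is enough
    return hits

if __name__ == "__main__":
    for acct, info in find_fan_out(parse(SAMPLE_LOG)).items():
        print(f"{acct} from {info['source']} -> {len(info['targets'])} hosts, NTLM={info['ntlm']}")
```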