Simple overview of why the state of security is going to get worse, why security is so hard to do well, and what you can start to do to make things better.
Everything is not awesome!
6. 82 percent of all malware it detects stays active for a mere hour, and 70 percent of all threats only surface once, as malware authors rapidly change their software to skirt detection from traditional antivirus solutions (3).
Antivirus "is dead," Brian Dye, SVP Information Security at Symantec (1). "We don't think of antivirus as a moneymaker in any way."
The problem is that we think of security all wrong. We think it's an end goal. It's not. It is a changing state. The belief that security is an end goal drives the myth that tools and techniques can stop attacks. They do not. At some point the attacker will be successful, especially when they can attack again and again and again. We need to change how we think of security.
Furthermore, we have security backwards. We tend to focus on security because we think of it as a static goal, a set of boxes on a checklist. It's not. Threats constantly change. The attack surface, the techniques, and even the goals of attackers always change.
More importantly, you, the target, have different needs, goals, and risks that cannot be accounted for by a simple checklist. Only you and your organization can decide what's important to you, not a government agency or third party. All your security goals, policies, and procedures must cascade from those business criteria and needs.
This is not just FUD. Attacks are more common and more sophisticated. They are also more likely to succeed. You need to accept this. You will be compromised, and it's worth repeating.
The latest Verizon report suggests the high end is 58 cents per record and as low as a penny for some datasets.
Even your email is worth something. Spammers and hackers will pay between a fraction of a cent and 5 to 10 cents for fully vetted, valid email addresses.
Also, knowledge is power. If you know who is talking to whom, who is investing in what, how someone will vote, what new laws are being made, and the like, then you have REAL POWER.
Your people are worth a lot. CEOs, CFOs, your lawyers, and traveling representatives are now common targets of organized crime and state security apparatus. Everyone wants to know what your CEO is thinking!
In many places it is also legal, or the risk of getting caught is very low.
1 - http://blog.erratasec.com/2014/09/the-shockingly-bad-code-of-bash.html#.VE2fPvnF_xU and also read http://blog.erratasec.com/2014/09/many-eyes-theory-conclusively-disproven.html
2 - http://www.wired.com/2013/01/uncovering-the-dangers-of-network-security-complexity/ 50+% of respondents said complexity created security issues.
3 - Engineers focus too much on one specific area of a system they touch, such as the user interface, instead of the system as a whole.
You need to think about who is likely to attack you. If you don't have a security background this might be hard. For example, if you're an NGO helping poor farmers in Africa you might think you have no security risk. Yet one of the NGOs who is a customer was compromised by a major state security group that has interests in African governments and business. Remember, not everyone is after simply money.
Your biggest threats are also your own people. Choose wisely!
Security has to be thought of as part of your business and your business model. As such, only you can determine what levels of investment you need to make to balance risk against investment. That being said, you cannot make this assessment until you have really assessed your security, your threats, and your risks.
Humans are better at identifying modern threats than computers.
People are flexible.
Humans assisted by technology are better than either technology or people alone.
Your people and employees can respond to your needs, while vendors will not always.
That being said, finding the right people is very hard.
Talk about what the right people look like and how one good person can build a great team from just decent IT folks, whereas a bunch of developers, IT folks, networking guys, and programmers rarely understand security.
2 - By risks we mean what would happen if you lost data, someone got access, and the like, not specific technology threats or issues.
3 - You can do this yourself, but it's best practice to work with a third party.
4 - Don't just follow a checklist. Think this through.
5 - As we mentioned, policy complexity leads to confusion and even security failures. Simple policies and plans also allow your team to use common sense and "on the ground" knowledge.
6 - You need to have a detailed plan, but it does not need to be complex. Your staff also needs to know when to deviate and when to follow the script. This often requires hiring good people.
7 - Put your tools in place, but make sure they are backed up by people who know how to use those tools, know when to get new tools, and know how to respond.
8 - You have to test your system, and not just with penetration tests. You have to game the whole process. This may seem complex and expensive, but it can often be done in half a day with key stakeholders and staff, and it is far cheaper than a breach.