While hosting a panel on security this week, I talked to Johnathan Nguyen. Nguyen is in charge of the Data Breach Investigation Report at Verizon. He came out of government to focus on enterprise security. One thing we discussed was the massive migration of security professionals out of the U.S. Government to high paying security jobs in the enterprise (some are promised both a significant increase over their current pay, but guaranteed 20 percent annual raises just to get and hold on to them).
Nguyen about how boards are increasingly bringing on security experts so they can be sure security exposures are fully fleshed out and mitigated by technology and insurance. And we spoke about the many firms that believe themselves secure because of the amount of money they spend on security, not on whether the stuff actually works or not.
Two things stood out for me, though. One is that if you implement a strong dual or triple-factor authentication process you can mitigate around 50 percent of your exposure (which is tied to unsecure passwords and IDs). The second is that the U.S. has implemented a kinetic response rule which is likely to be copied by other companies and massively increases the exposure for an attack.
Let’s talk about both.
Biometric multifactor authentication
Back in the 1980s, a massive study determined that passwords and IDs were inadequate. This was before the Internet and based almost entirely on mainframe users. The study showcased that it didn’t matter how much security you wrapped the system with, if users accessed it with passwords it wasn’t secure. Forty years later passwords remain the most common way we access secure information, which means the “secure” part of this sentence is a joke, and not a particularly funny one.
Just by implementing and requiring solid multifactor authentication much of the user-based exposure can be mitigated because it is largely through purloined passwords and IDs that attackers are gaining access to secure information today, according to the Verizon Study.
This suggests that it is critical you move to some form of secure multifactor authentication for all client devices as soon as you can. Doing so may increase your chances of preventing the next Sony or Target breach from landing on your desk.
Fortunately, this year everybody and their brother is bringing out systems with this technology installed. Fingerprint readers in particular have become far easier to use and far more reliable of late. But you have to use them, one of the concerns is that companies that buy PCs with biometric security technology often don’t use it and that could look pretty negligent after a breach that reaches your board.
Kinetic threat response
Johnathan shared one of the things that most concerned him and he kind of scared the crap out of me. The U.S. has approved a kinetic response to a cyberattack. This is a nice way of saying that if they find a server that is the source of a cyberattack they can task a drone with a missile or bomb to take it out.
Once one country puts in place a rule like this it isn’t unusual for other countries to copy the rule particularly after some business inside their boarders has been bombed. A third-party wanting to disrupt a country or a company now has an additional incentive to take over a server so the U.S., or some other country with this rule, can terminate with prejudice that site.
While I doubt this will happen on the continental U.S. anytime soon, foreign offices could become vulnerable and this suggests that it would be advisable not to have servers that could be compromised where a lot of employees also reside. It certainly makes cloud services substantially more attractive particularly if they are replacing vulnerable servers anywhere near your office.
Time to buy a bunker
The world is quickly becoming more dangerous. When we begin talking about the legal use of bombs to address cyberattacks, which could be targeted at your own foreign offices, the requirement to assure your cities are secure has gone up astronomically. The fact that we could reduce our exposure by implementing a readily available technology that firms commonly buy but do not implement suggests we have a big wakeup call coming. The reality that many firms appear to be waiting for a Sony-like event before they fix these problems should scare you as much as it does me.
In any case, take the time to review the report, I bet it changes some of your priorities like it changed mine. (Buying a bunker has moved up on my to-do list).
This story, "Battling cyberattacks with bombs?" was originally published by CIO.