Make cybersecurity great again!

OK I admit we can’t make cybersecurity great again, because it never was great in the first place. We can make it great though, just like we can make America great again!

Making cyber security great won’t be easy but making America great again won’t be easy either. Why? Because we each have our own agenda and understanding of things. You either support crime free neighborhoods, Great jobs and putting America first or you don’t. You either get cybersecurity or you don’t. Besides fake news and ignorance there are so many reasons we are not getting cybersecurity right. I want to share my past experience and knowledge with you to support my belief on how we can make cybersecurity great!

In my most recent article on law firms and cybersecurity, I discussed how law firms and other industries fall between the cracks on cybersecurity, for example they don’t have any required compliance model by default as healthcare has HIPAA and finance has Sarbanes Oxley, credit cards require PCI DSS, the payment card industry data security standard.

I went on to explain that any organization that processes, stores and handles healthcare data must comply with the HIPAA third-party rule. They must meet HIPAA compliance if they are handling HIPAA ePHI. That makes sense. See the issue? We don’t have a uniform minimum compliance model that’s required by law for all internet-connected businesses? Add to the issue HIPAA is a law, not a compliance framework, to implement HIPAA one must use NIST cybersecurity standards or choose from other options.

President Trump recently appointed Rudy Giuliani as cybersecurity adviser. Some reacted to this as a joke, but Giuliani has a track record as a great leader who can build great teams. He certainly turned New York City around! Giuliani stated they will be going to those in the industry for the solution.

Well me and my colleagues are in industry and we see the issues every day, we are the consultants, the IT auditors, systems administrators, security managers and network engineers. No we are not CEOs or business owners but it’s our job to educate and inform these business leaders of the risk of doing business on the internet. Sometimes they listen and too often they don’t seem to hear us.

How ironic, the same government that has pushed electronic medical records (EMR) online, (see 2014 federal mandate for healthcare) has itself suffered one of the most severe and damaging data breaches of all time: The OPM data breach. The Congressional report on the OPM data breach stated:

• The OPM data breach was preventable.
• OPM leadership failed to heed repeated recommendations from its Inspector General, failed to sufficiently respond to growing threats of sophisticated cyber-attacks, and failed to prioritize resources for cybersecurity.
• Data breaches in 2014 were likely connected and possibly coordinated to the 2015 data breach.
• OPM misled the public on the extent of the damage of the breach and made false statements to Congress.

Brian Krebs highlighted the following from the OPM Congressional report: “OPM’s adoption of two-factor authentication for remote logons in early 2015, which had long been required of federal agencies, would have precluded continued access by the intruder into the OPM network,” the panel concluded.

Several senior officials had much to say regarding the OPM breach which impacted me and my family and even the FBI Director, James Comey!

“My SF 86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So its not just my identity that’s affected. I’ve got siblings. I’ve got 5 kids. All of that is there,” Comey said.

Not long after congressional hearings began on the OPM breach, Krebs heard from a source in the U.S. intelligence community who wondered why nobody asked: If the attackers could steal all of this sensitive data and go undetected for so long, could they not also have granted security clearances to people who not only didn’t actually warrant them, but who might have been recruited in advance to work for the attackers? To this date, Krebs stated he has not heard a good answer.

Key recommendations from the Congressional Report are spot on!

Key recommendations:

• Reprioritize federal information security efforts toward zero trust.
• Ensure agency CIOs are empowered, accountable, and competent.
• Reduce use of Social Security numbers by federal agencies.
• Modernize existing legacy federal information technology assets.
• Improve federal recruitment, training, and retention of federal cybersecurity specialists.

Giuliani, if you are listening please consider the voices of IT consultants, cybersecurity professionals and IT security managers. We all have something to add to this important conversation. I’m just scratching the surface in this short article, I’m calling for a chance to be heard. Please consider talking with us as represented by The information Systems Security Association, The information Systems and Auditors and Controllers Association and The International Information Systems Security Certification Consortium, all international non-vendor professional security and audit organizations.

Just a few areas we are concerned with:

• Too many organizations are not funding cybersecurity roles within their organization.

I see this every day as I travel across Florida doing IT audits and assessments. The organizations with a security role funded do 90 percent better than those with no such funded position.

• The NIST cybersecurity framework should be the minimum required by all internet-connected businesses in the US and conducting business anywhere in the world. Remember compliance is the minimum, its legalistic, static and backward looking, while security is proactive, intelligent and forward looking. We must do 100 percent of compliance as it’s the foundation for proactive and intelligent security!

• All US businesses that are connected to the internet should have a cyber security role in place that is responsible for cybersecurity year round. All too often we see organizations relegating cyber security to the IT department. I have said this a hundred times, cybersecurity is a business problem not an IT issue. It’s not acceptable to have the IT department pretend to be involved with cybersecurity when the IT auditor shows up once a year. Cyber criminals plan and attack 100 percent of the time, therefore we need to be proactive 100 percent of the time. We need a strategic and tactical plan and it starts with the CEO and boards getting cybersecurity. (See Cyber security questions for CEOs.)

• All users need cybersecurity awareness training, this includes all K-12, colleges and all companies, and we can no longer afford to ignore this critical training for everyone that uses an internet-connected device!  We are not covering all bases and cyber criminals are taking advantage of us every day!

Finally, we must remember that the internet was not designed to be secure, As Leonard Kleinroick one of the early pioneers of the internet stated in a CNN interview in 2009.

Kleinrock: There’s a very dark side to the Internet, which we’re all familiar with. It started with a worm in 1988, and it became spam in 1994, and now we have pornography, we have denial of service [attacks], we have identity theft, we have fraud, we have things like botnets [pieces of software that cyber thieves use to remotely and secretly control your computer], which really worry me.

One of the problems of the Internet is that we didn’t install what I like to call strong user authentication or strong file authentication. We didn’t anticipate the level of the dark side we see today. The culture of the early Internet was one of trust of all the users.

I knew every user on the internet in those early days. It was an open culture. We shared everything we did. We got our gratification by putting things out there, which people could use. And there was an etiquette — net etiquette if you will, which people behaved.

In conclusion,  my colleagues and I know how to solve this problem. No we don’t have a magic bullet but we are in the trenches every day, educating senior executives, CEOs and users. We are auditing good IT security controls and responding to incidents and yes many data breaches that have become so common place that they make us all numb. We are becoming desensitized from all the noise, just like all the hateful crime in the cities. We can no longer ignore the failures of our society and how the failures have moved to the internet at lightning speed. Now is the time to Make America Great Again and while we are at it, let’s make cybersecurity great for the first time!