October 24, 2016

Ethical Hacker's Notebook, Part 2: Smart FAQs for Securing Data in the Cloud

As I mentioned in Part 1 of this two-part post, I was asked recently to weigh in on cyber-security challenges I see often in my capacity as a certified ethical hacker. Part 1 summarized security trends and prevalent dangers in the cloud. In this post, I hope to encourage enterprises to think seriously about strategies for contending effectively with an expanding threat landscape.

Where should enterprises focus their attention when developing priorities for cloud security?

Enterprises' IT teams are overworked and understaffed. At the same time, there is a shortage of qualified security specialists across the US workforce. As a result, defense in depth is becoming harder and harder to manage by relying solely on internal staff.

Gone are the days when you could just roll out a policy-based firewall at your perimeter and expect it to keep your digital assets secure. Sound layered defense now depends on preventing social engineering exploits. This is the human element that abets the hackers (knowingly or not) by, for example, introducing infected devices or software into the network through a corrupt USB drive or download. This can happen when employees click on the wrong link in an email, or they surf to a virus-infected website. These vectors can only be addressed by the company's management and technical specialists.

Preventing and mitigating intrusions through managed security services can take a huge burden off IT's shoulders for a fraction of the cost of staffing security personnel on a 24/7 basis. While companies must continue to do their part to counter attacks through sound network architectures and people management, they are increasingly seeing the value of outsourcing security. They are doing this to save money as well as time because the security service provider is constantly on the lookout.

Ask any IT professional in a medium-to-large enterprise about the time they've spent just applying patches. I've heard from some that they may have as many as 20 a day.

Is the goal of zero breaches realistic today?

Probably not. The focus in modern cyber-defense is rapid, accurate detection and appropriate action. Defense in depth is key for both detection and response. Statistics show that just about every company gets hacked at some point over time. The real question you should ask now is: "Once they're in, what do I do?" Think about how to minimize the damage, get the malware or hacker out, and plug the hole as quickly as possible. That's where internal security teams should concentrate their energy -- build the defense-in-depth strategy, implement it and run it. With a strong strategy in place, most companies then find they don't have enough people in house to manage all parts.

What security services are most enterprises starting to outsource, and why?

I'll start with the why. Cyber-attacks are getting more targeted with increasingly persistent hackers armed with a relentless drive to cash in on low-hanging fruit they can feast on anonymously. They can do this with any number of penetration-testing tools, rootkits and appliances that are inexpensive, simple to operate and easy to acquire. Enterprises can't realistically keep up with unrelenting, automated threats from an invisible enemy whose full-time, round-the-clock job is to move stolen data on the black market.

The outsourcing answer is a security service provider, a company to handle tasks that, left undone, make an enterprise attractive to hackers.

Think of a winding, wooded street in an upscale suburb. Joe Criminal is casing the neighborhood. Does Joe take on the house with the three Rottweilers, armored doors and motion detectors? Or, does he go for the house with the broken porch light, single-bolted front door and unlocked rear windows?

The attacks are often motivated by the promise of a quick and easy payday, and sometimes for ultimate impact via data easily captured for ransom. In response, more companies operating in the cloud are outsourcing roles and functions that include advice and consulting, audit, monitoring and more. Doing so frees up IT and systems security staff for company-specific tasks such as training, cloud access segmenting by responsibility type or level, and security-oriented network architectures.

Any parting thoughts?

The cloud is almost irresistible from a cost and productivity standpoint, but its popularity has also driven its risk. Companies that span industries and geographies have felt the pain of undervaluing security as they've flocked to the cloud. Some promising businesses failed following a cyber-attack: Nirvanix and Code Spaces come to mind. Small businesses should be particularly concerned: 60 percent fail within six months of a cyber-attack.[1]

So many bad outcomes could have been prevented, or handled affordably and efficiently, through readily available services. Managed security services fill the expertise gap so that businesses can handle human vulnerabilities through, among other things, training, social-engineering mediation and better authentication drill-down to limit access levels to specific teams.

Companies need to stay ahead of the curve. If they have anything of value that is accessible beyond their physical borders, someone out there is going to stalk or steal it.

Scotty Webb, XO Senior Manager, Sales Engineering, specializes in applying advanced technology to complex Intelligent WAN solutions for enterprises. A certified ethical hacker (CEH), Scotty is XO's regional expert in hosted security and unified threat management. He is passionate about all things cyber-security related.

[1] Champlain College, "Protecting Your Information in the Digital Age - Is Your Business Prepared?"
