According to WhiteHat Security’s Jessica Marie, companies need to be more proactive in their infosec strategies.
For almost all businesses, cybersecurity is a bigger priority than ever before. From multinational corporations with thousands of employees and their own cybersecurity offices, to the smallest of online stores, more and more people are concerned about how best to protect their networks, applications and data.
Off the back of a tumultuous year for information security (infosec), Siliconrepublic.com spoke to cybersecurity expert Jessica Marie of WhiteHat Security.
According to Marie, while there are a myriad of fascinating vulnerabilities being disclosed around the clock, the real root of most incidents is the known vulnerabilities. “Just look at the Equifax hack, which was an open source vulnerability and, crucially, a known vulnerability.”
Marie said these familiar bugs and attack vectors are “really the biggest problems”. While the unusual vulnerabilities do cause havoc (see Meltdown and Spectre), it is your run-of-the-mill SQL injection or third-party vulnerability that trips up most organisations.
Judging from her work at WhiteHat and discussions with others in the cybersecurity field, she believes these tried and tested attack methods “will continue to be an issue”.
Time to market affects cybersecurity
These commonly known dangers are something most IT and security admins and DevOps teams should be aware of by now, so why do they continue to crop up? Marie said it is down to several things, but the most crucial of them is time to market. “Unfortunately, what sometimes comes with that is that we tend to start overlooking some software bugs and flaws when we are releasing updates so quickly.”
In this effort to provide top-notch user experience and differentiate their product from the others, some problems slip through the cracks. Marie said firms need to find the balance between user satisfaction and ensuring the security of a digital product.
Where is the strategy?
When asked about cybersecurity strategy issues she sees the most in her work, Marie didn’t mince her words: “Number one: a lot of companies still don’t really have a security strategy.” She said that organisations often end up using a ragtag bunch of point solutions, which may not integrate that efficiently with one another.
In her view, many organisations are taking the wrong approach entirely. It’s something many cybersecurity experts have been talking about for years. Instead of creating an ongoing plan for infosec, “it becomes a much more tactical and reactive exercise”. This creates panic, while a planned infosec strategy examining “what assets they have and what they need to protect” is a far more reasonable and manageable approach.
Marie has some simple rules for good cybersecurity in any organisation. She explained that really knowing your environment and what assets are business-critical is the crucial foundation. On top of this, having a strategy to deploy when there is a major incident such as a breach should work with the environmental knowledge to help teams respond quickly and properly.
“Look at what needs to be protected at what level and why; look into what needs to be encrypted, if you need application security, network security.” Using this “sound, reasonable approach” is far more effective than hoping for the best with a scattershot defence system.
Increased public consciousness
As well as among cybersecurity professionals, Marie has noticed an uptick in awareness and interest from the public around data protection, privacy and digital security. She said although there is “still a perception that security is kind of siloed, it should be on everyone’s minds”.
While incidents such as the Equifax data breach and the Cambridge Analytica saga are obviously regrettable, the conversations they started are of great value. “Obviously these incidents were awful but I think it’s necessary to pull the wool off everyone’s eyes. Our data is out there and not just a few details.”
Marie concluded: “These events get people to realise, ‘My data isn’t always going to be safe, if ever.’” What’s needed now is continued scrutiny, coupled with legislation. “The law eventually has to catch up with these technological issues.”
Updated, 11.10am, 24 August 2018: This article was updated to clarify a reference to SQL injection, which was mistakenly referred to as sequel.