In a nutshell
Forget everything that you know about information security, as what you are doing is not working; you need to completely change your mind-set. Data breaches are going to get worse, they are going to cause more damage, and most of us simply are not aware of how little we are doing about it. “Data is the new oil,” “Because it’s just as valuable. The challenges in security we face are enormous.”
Why is data the new oil?
Because it can be monetized!
A hacker can infiltrate data, extract it, refine it, redistribute it and use it for financial and/or political gain. Data integrity attacks have the power to bring down an entire company.
And the problem is only going to get worse as the Internet of Things (IoT) – the process whereby all products and processes are linked via the internet – proliferates.
“IoT is not your traditional tech,” “It has multiple personas: the manufacturer of the device, the consumer, the cloud provider, the 3rd parties, the APIs, there are five different environments, processes – thus many security risks and attack points for the bad guys.” While you may think that we are already in the age of data, we have barely crossed the start line. The explosion in data is yet to come, driven mostly by the Internet of Things.
“We create more sensitive data than you can imagine. Every time you click on your phone you’re creating data.” “Since 2013, over 5 billion pieces of individual information have been compromised – but that’s only what has been reported. They occur on a daily basis and they are never published,” This means more data for criminals to get their hands on. Passwords could easily be mined from the web, as could encryption keys unless they are protected correctly, two of the major controls in use to prevent people accessing data. “15 years ago as an ethical hacker spending weeks to gain access to an organisation” (something at which, by the way, I was 100% successful) “are gone,” “It now takes minutes, if not seconds.”
A simple Google search allows you to gain full access to many businesses. However, there is a solution, and it lies in your own hands.
We all need to be a bit more like Jason Bourne.
Bourne, for the uninitiated, is the lead character in the eponymous series of films, who is forever eluding the authorities. He does this by always knowing and assessing what is going on around him – I call this “situational awareness”. We all need to be more like Bourne. The problem is that few understand the critical importance of knowing the impact of people, data and processes, and this is the weakness that cyber criminals are exploiting. There are those that are simply ignorant, who just aren’t looking or considering the impact of people, data and processes. And there are those that are arrogant and think they know it all, thinking that massive investment in the latest security products will stop a breach. But it is that very arrogance that makes them vulnerable. In both cases, there is a serious lack of situational awareness.
A new mindset
“These problems can all be solved overnight but we need to think differently, we have to know what the risks are that we are trying to mitigate.” “We need a new mindset, we’re still in the world of breach prevention. You’re never going to prevent a breach, there are too many elements, data in too many places.” “We need to change our attitude to one of breach acceptance. The key is knowing what it is that you are trying to protect.” “Think like a bad guy – what do they want? They want data,” “Accept that breach is going to happen, but understand what types of data you have, where it is and what the processes are, and you’ll get a head start,” “It all comes back to the same thing; situational awareness.”
“I see organisations around the world writing huge cheques for technology to solve the problem, but they don’t know what it is they are trying to protect.” “Where is that data? What type of data is it? Personal? Credit card? Trade secrets?” “You have to know where it is, what the process is, how people get to it. You have to understand what the risk is. Is it a confidentiality risk? Or an integrity risk? Depending on which, you can apply the appropriate action,”
“It’s really that simple. The world is all about data. Unless we face up to the problem and solve it, it’s only going to get worse.”
Do the basics