Thoughts on the challenges in Information Security

by Troy Cunningham

During the 2nd week of May, I had the good fortune of attending both the Global Cyber Alliance’s CyberTrends 2019 conference as well as Nimbus Ninety’s “Move to Multi-Cloud Breakfast”, and I must say I came away feeling overloaded by the pace of change in Information Security and the ever-expanding scope of security in a modern, IT-driven world. New challenges arise, seemingly on the daily, and everyone seems to be feeling the pain. It doesn’t seem to matter if you’re the government, a private sector business, or a start-up — the challenge is real.

These two sessions had completely different target audiences, but for me they show the two extremes that good Security people need to operate in. CyberTrends is targeted towards government and business, and as the name implies it involves a number of international speakers who describe the changing landscape of Information Security across the world. Some interesting themes came up, like the possible regulation of IoT standards for the future and the increasing contribution of local authorities in trying to deal with private sector breaches (the event was hosted in Mansion House by the City of London Police force, which has an active cyber crime programme called Cyber Griffin).

One of the more interesting themes that permeated the day is how vulnerable small businesses are to cyber crime. This was voiced by several of the speakers, discussed on the panels, and backed by Verizon’s 2019 Data Breach Investigations Report (hot off the press that day), which reports that small businesses made up around 43% of breaches reported during the last year. 71% of all breaches reported were financially motivated, which seems to paint the picture that the businesses who can least afford the financial damage are the ones getting hit the most. Looking at the breakdowns of the attacks, social engineering is at the top, with phishing making up over 80% of that attack type. And when it comes to hacking, you can bet your bottom dollar that attacking businesses through their websites is still the most common form.

These things are challenges for any business and can be even more so for smaller businesses that lack the resources (whether that’s funds, expertise or time) to shore themselves up. Though it’s good to know that organisations like the Global Cyber Alliance are bringing answers to the table to help all businesses, including small businesses. The following initiatives in particular were brought to light:

  • City of London Police Cyber Griffin (https://www.colp.uk/cybergriffin/): an initiative that helps businesses and individuals in the [City of London] Square Mile protect themselves from cyber crime.
  • National Cyber Security Center (https://www.ncsc.gov.uk/): UK gov portal full of information and advice on keeping everyone secure. The advice on their Cyber Essentials program (https://www.cyberessentials.ncsc.gov.uk/advice/) is a particularly good place to start for organisations trying to shape up their security basics.
  • Quad 9 (https://www.quad9.net/): A free security solution that uses DNS to protect your system against the most common cyber threats by routing your DNS queries through a secure network of servers around the globe.
  • DMARC (https://dmarc.globalcyberalliance.org/): A more recent standard for additional email authentication security. A DMARC policy allows a sender to indicate that their messages are protected, and tells a receiver what to do when the underlying authentication methods pass or fail — either deliver the message, quarantine it as junk, or reject it.
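To make the DMARC bullet concrete, here is an added example (not from the original post or from the Global Cyber Alliance) of how a receiving mail server turns a published policy into a deliver / quarantine / reject decision. The record, domains and report mailbox are constructed placeholders, and the organizational-domain logic is simplified to the last two labels.

```python
# Added example: evaluate a DMARC policy the way a receiving mail server would.
# The record below is constructed for illustration; the domain and report mailbox are placeholders.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(txt):
    """Split a DMARC TXT record into tags and fill in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to the main policy
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless stated
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass' when an aligned SPF or DKIM result exists, otherwise the policy action."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # The sp= tag governs mail from subdomains of the domain that published the record.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return tags["sp"] if is_subdomain else tags["p"]   # one of none / quarantine / reject
```

Note that a passing SPF or DKIM check on its own is not enough: the authenticated domain must also align with the visible From: domain, which is what makes the "protected" claim in the policy meaningful.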

This Stuff Is Complicated

If you clicked through the last two links, you may have thought “Cool, but how do I use this?” I think that question represents the other big problem facing the IT Security industry — technical complexity. It really hit me at Nimbus Ninety’s “Move to Multi-Cloud Breakfast,” which was obviously about going cloud. But what was clear for most participants, and what’s already clear for me in my own company, is that a move to cloud doesn’t just mean putting a server somewhere else. It’s a shift in architecture, a shift in trust, a shift in technologies, and a shift in how we deliver IT solutions and products. The true move is to be cloud native, be agile, do DevOps, build your infrastructure as code, treat your servers like cattle and not like pets, containerise, adopt microservices, etc.

This stuff represents huge technical challenges. Not every company is ready to be cloud native, and the skills to build the tooling and the architecture that supports the “new” world aren’t out there in vast amounts. I may not be the sharpest tool in the shed, but I know a thing or two about technical work — and the amount of time I’ve spent struggling with Terraform and Docker Compose for some simple servers makes me really appreciate the engineering teams who blast away and rebuild their environments on the daily.

You could understand how I would consider myself a “late bloomer” in the Cloud & DevSecOps world, but the funny thing is, at that breakfast, there were tons of folks that were way further behind. Folks with much bigger budgets, all struggling with the question “How do I Cloud?!” And that gave me pause.

I suppose, the long-winded point I’m trying to make is that security, today more than ever, is actually pretty hard. We’ve got to do the basics — the security hygiene, and that’s just half the battle. Sometimes it feels like the industry is too under-resourced to even do that. But the challenge is much harder than the basics. It’s so easy to lose sight of that with the abstracted services that are now available to us. It’s worth understanding that complexity, spending time training your people, and yourself. It’s worth accepting that part of the journey will be hard. If you’re finding that you don’t understand it all, trust me, you’re not alone! So get help! Join groups like Nimbus Ninety, Global Cyber Alliance, OWASP, or your local DevSecOps group, and siphon yourself some knowledge.