Jun 29, 2012 (04:06 AM EDT)
LinkedIn Breach: Leading CISOs Share 9 Protection Tips
Read the Original Article at InformationWeek
Who's guiding your business' information security program?
In the wake of this month's LinkedIn password breach, rumors began circulating on Twitter that the social network lacked a chief information security officer (CISO), leading many commentators to posit that the company hadn't treated its information security program with sufficient respect. LinkedIn, however, quickly clarified that while it didn't have a CISO--or synonymous chief security officer (CSO)--job title on its org chart, there was indeed a senior-level employee in charge of its information security program.
Key facts about the LinkedIn breach, including how attackers obtained password databases holding possibly 10 million or more credentials, remain unknown. But the "lacks a CISO" criticism of LinkedIn--however misguided--is a reminder that senior executives must keep close track of their organizations' security postures, and of the risk those postures pose to the business.
[ LinkedIn isn't the only company on the line for its information security practices. See FTC Sues Wyndham Hotels Over Data Security Failures. ]
Here are 9 techniques for ensuring that CISOs can best help businesses maintain highly effective information security programs:
1. Deploy CISOs In Advance
"We're not the big flak jacket that stands out in front of the organization and takes the bullet." In other words, to get the most benefit from a CISO, deploy one in advance of suffering a major breach.
2. Acknowledge How CISOs Reduce Security Costs
Why does having a CISO help reduce breach costs, at least in the United States? According to Titus, it has to do with many U.S. businesses and government agencies now having more mature information security programs in place. "Instead of everyone wondering what to do, everyone knows what to do, and it's a repeatable process that's also defendable, if you're audited or have to prove compliance," she said.
3. Allow CISOs To Help Guide New Technology Decisions
4. Make CEOs Demand Security Posture Details
Earlier this year, for example, security vendor CORE Security commissioned a survey (conducted by Research Now) that found a widespread lack of communication between CEOs and the person in charge of their businesses' information security programs. According to the 100 CEOs and 100 security chiefs surveyed, in one-third of companies CEOs never receive updates on their company's security posture from the CISO, while in about one-quarter of businesses, security communications with CEOs happen only on a "somewhat regular" basis.
5. Treat Information Security As A Risk
Jerry Johnson, CIO at Pacific Northwest National Laboratory (PNNL), said a failure to demand regular status updates was the root cause of a breach suffered by PNNL in July 2011, after one of its business partners was hit by a spear-phishing attack that allowed attackers to obtain a privileged account on shared computing resources. After the breach, "we basically did a causal analysis and the root cause was that executive management, and that includes the board, had not recognized cybersecurity as being a significant risk to the organization, and consequently they allowed the cyber program to degrade significantly," Johnson--who's also in charge of the lab's information security program--said via phone.
Accordingly, watch CISO lines of reporting. After the breach of PNNL, for example, the lab modified Johnson's role so that he reports to the lab director--the two meet every week over coffee to review the organization's security posture--which also ensures that he gets exactly what he needs. "I have the authority to do whatever I need to do to protect the information resources at the laboratory," he said.
6. Consider A Placeholder CISO
7. Identify Crown Jewels
8. Beware A False Sense Of Security
One benefit of a risk assessment is obvious: it helps businesses identify blind spots. "A company may have this false sense of security, because they've got a really high-end security architecture and implementation, but if they bought that four or five years ago, it's absolutely not safe against the threats that are out there today," said Patterson.
For example, many organizations fail to appreciate encryption nuances. "Companies feel that if they encrypt, they're safe. But the key to encryption is key length, if you salt, what level of SHA you use," he said. "A few years ago people used a SHA1 implementation, and it hadn't been broken by common thieves back then, but now it has. Now, you don't have to be a rocket scientist to break this stuff."
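The weakness Patterson describes is worth seeing concretely. Stored passwords are hashed rather than encrypted, and the practical problem with a bare SHA-1 (or any fast, unsalted hash) is not the academic collision attacks on the algorithm but that one precomputed table cracks every account that shares a guessed password, and that identical passwords produce identical hashes. The following is an added example, not code from the article or from LinkedIn: it contrasts unsalted SHA-1 with per-user salted PBKDF2-HMAC-SHA256. The account list and wordlist are constructed sample data, and the 600,000-iteration default is an assumption to be tuned to roughly 100 ms of CPU time on the deployment hardware.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample data (not from any real breach): three accounts, two sharing a password.
SAMPLE_ACCOUNTS = {
    "alice": "password",
    "bob": "password",
    "carol": "123456",
}

# Small constructed wordlist standing in for an attacker's precomputed cracking table.
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty"]

# Assumed work factor for the hardened scheme; raise it until hashing costs ~100 ms.
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Unsalted SHA-1: the fast, table-crackable scheme the passage warns about."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Build the hash->word table ONCE and crack every account with a lookup.

    With no salt, the table is reusable across all users and all breaches,
    which is why unsalted hashes of common passwords fall instantly.
    """
    table = {weak_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow KDF.

    Output format (assumed for this example): pbkdf2_sha256$<iters>$<salt hex>$<dk hex>.
    Storing the iteration count lets the work factor be raised later without
    breaking verification of older records.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def compare_schemes() -> Dict[str, object]:
    """Run both schemes over the sample accounts and summarize the difference."""
    unsalted = {u: weak_hash(p) for u, p in SAMPLE_ACCOUNTS.items()}
    salted = {u: strong_hash(p, iterations=10_000) for u, p in SAMPLE_ACCOUNTS.items()}
    return {
        "unsalted_cracked": crack_unsalted(unsalted, WORDLIST),
        # Same password -> same unsalted hash, so one crack exposes both users.
        "unsalted_alice_eq_bob": unsalted["alice"] == unsalted["bob"],
        # Same password -> different salted records; no shared table applies.
        "salted_alice_eq_bob": salted["alice"] == salted["bob"],
        "salted_verify_ok": all(verify(salted[u], p) for u, p in SAMPLE_ACCOUNTS.items()),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The point of the comparison is that salting alone only defeats shared precomputed tables; the slow KDF is what makes per-user brute force expensive. Modern memory-hard alternatives (scrypt, Argon2) serve the same role, and whichever scheme is chosen, the stored record should carry its own parameters so the work factor can be increased as hardware gets faster.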
9. Treat Advanced Threats As Common
Furthermore, APTs are fast becoming not just the province of nation states, but of criminal gangs. "We've traditionally thought that the most challenging threats are the APTs, but the criminal sector is now picking up APT techniques and applying them as well," said Johnson. "For all I know, [the LinkedIn breach] was Russian mafia or a criminal group that may be using the same type of techniques that APT groups used in the past." Just as the attack state of the art continues to evolve, so must security programs. Look to CISOs to lead the charge.