InfoSec in London

by Mark Rowe

Dr Eric Cole, one of the most prominent instructors at the upcoming SANS London 2013 InfoSec training event, warns that organisations need to build capabilities and be prepared for the inevitable information security breach.

He says: “There is a level of frustration across the world as organisations spend ever increasing amounts of money on information security technology yet still get breached. The likelihood is that you will be compromised – even with this vast amount of spending and layers of systems. Now we need to focus more on finding the attackers lurking on hijacked systems and minimising the frequency and impact of each incident.”

Dr Cole is also a SANS Fellow Instructor and author of ten books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He also holds 20 patents and is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr Cole has over twenty years’ experience in network security consulting, with clients including international banks, Fortune 500 companies, and the CIA.

Cole believes that organisations have improved their information security over the last ten years, “but if you compare it to the scope, scale and technical capability of the adversary, it is in fact a net loss of capability and we need a change of mind-set on how we deal with the reality of cyber-crime.”

He suggests that organisations can learn a lesson from the automotive industry: “airbags, seatbelts and roll cages are recognition that accidents will happen and if you look at the big trends in cyber-crime, it is the human ‘operating system’ that is often the victim or unknowing accomplice in a vast majority of successful cyber-attacks.” Cole also advocates that organisations should build IT infrastructure defensively: “This should include limiting individual user access, increasing auditing capabilities and regularly ‘going hunting’ for compromised systems and bad user behaviour.”

At SANS London this November, Cole will be teaching SEC401: Security Essentials and is the author of the follow-up SEC501: Advanced Security Essentials – Enterprise Defender. “If you look at both of these courses, they are constantly adapting to the real world threat landscape because the attackers are doing exactly the same – this game of attack, defend, adapt then repeat is constant and unfortunately never ending.”

However, Cole has seen several good changes in the last few years. “The vendors like Microsoft, Oracle, Google are taking their responsibilities more seriously which makes defence a bit easier and it seems that CEOs are starting to expect more than just a ‘tick box’ when it comes to the requirements for a Chief Information Security Officer (CISO).”

Cole has spoken to over a dozen large organisations that have quietly fired their CISO, although he looks at this as a positive step in many cases. “The board knows what failure looks like, but it still has a hard job measuring success when it comes to information security,” he says. “The main issue is that there is no 99.999% uptime equivalent for InfoSec which means that the modern CISO needs to be able to provide metrics and potentially educate the board as to what they are doing to mitigate risk and more importantly, find compromised systems and vulnerabilities and close these gaps.”

In his view, the danger of complacency can be as risky as incompetence. “When a large organisation says to me that they have never had an information security breach, an alarm bell instantly rings,” says Cole. “The modern and often state-sponsored attacker wants to get in and stay in and if successful then no alarm bell sounds even as on-going frauds are perpetrated and sensitive data stolen.

“The Advanced Persistent Threat (APT) message is not just a case of FUD and the smarter organisations start with the assumption that it is currently going on and they look for the signs instead of just assuming invulnerability – which nobody is. A quick look at Wikileaks.org will show just the visible tip of a very large iceberg,” he concludes.

For more about SANS London 2013 or to register, visit: http://www.sans.org/info/140800
