ORION has long been promoting the need for sharper cybersecurity and, with the University of Calgary’s sharing of their recent ransomware issue, there is no time like the present to engage the community in the conversation.
Where do we start when it comes to tackling network security concerns?
I think it’s important to highlight that security is not just a technology issue. Too often I see organizations trying to make this the responsibility of a technology group and, not surprisingly, it often yields mixed results. In fact, the majority of security breaches come from two non-technical vectors – the number one is through lost devices, stolen devices, laptops, and mobile devices. The second largest source comes from phishing and socially engineered scams. Talented hackers are able to create campaigns targeting unsuspecting staff or individuals on their networks, and that’s how they gain access. So it doesn’t matter what you put on your network, as far as tooling goes. Those two main breaches are going to be exploited.
Fundamentally, it comes down to developing a culture of security. It’s more of a collective awareness of the security mechanisms, and more importantly, how all of us can contribute to creating a more secure environment. The technology is only one piece of a much wider program.
In the case of University of Calgary, my heart goes out to those folks. Thanks to their brave transparency, they’re showing us how real this problem is, and we can all learn from it. If it happened to them, it can happen to any of us. It speaks of the importance of a sound and comprehensive culture of security.
What have we learned about cybercrime that applies to all Ontario institutions?
I think there’s an intellectual acceptance that our research and education institutions are potential targets. In my personal experience, I’ve observed the cybersecurity landscape change significantly. What I mean by that is, eight years ago, the majority of attacks were somewhat simplistic. Attacks primarily came from independent hackers with no real agenda or from disgruntled employees, and they were not uber sophisticated, so it wasn’t terribly difficult to anticipate them. You had to be vigilant but security was fairly manageable.
However, today’s hackers have evolved into nation states and organized crime and the level of sophistication is significantly different. Now, because of the fact that nation states and organized crime (who have deep pockets) are playing in these spaces, you’re talking about machine-level attacks, which most small organizations just aren’t equipped to deal with. And in the case of our research and education institutions, some of these institutions are phenomenal targets with respect to personal information and identity theft. The amount of staff and student personal information that exists at some of our larger institutions, for example, not including all the historical records, poses a fairly large target for those entities to go after.
How can institutions bolster their security?
Again, and I can’t stress this enough: you really have to develop a culture of security to operate at this level. Essentially, security is a risk mitigation function, so in order to develop effective end-to-end security mechanisms, it is important that top-level support is in place. There will be times when trade-offs may need to be made, so it is important to have the right governance structure to help assess the risk. Education programs and effective vulnerability assessments are also key and, of course, there is always a tooling element. That means going through and understanding where you need to have telemetry and, more importantly, how to identify the most effective tooling. However, with the rapid adoption of cloud-based solutions, there are definitely more accessible turnkey tooling options now. Just be aware that cloud solutions tend to be structured for the masses, so some options may be too generic for your specific needs. However, you definitely gain a huge advantage with regard to service velocity, as capability can be provisioned and utilized very quickly.
Long gone are the days of the “bagel defense” where you just focused on hardening the outside to keep the threats out. Now it is imperative to operate with the understanding that the threats have gotten in. So you really need to change your approach from a technology perspective: looking for tools that allow you to identify the potential risks as quickly as possible. And then ensuring that there is the complementary process in place to mitigate, stop the issues and remediate them as fast as possible.
So, at the risk of oversimplification, it’s the culture, training, awareness, and ensuring you have mechanisms and policies in place to help support it.
It’s about looking for the right tools that allow you to quickly identify risks and threats, thus plugging the gaps. Then it’s the incident triage processes that allow you to respond quickly. And more importantly, to ensure that you are removing the risk so you don’t fall victim to the same exploit.
What does it mean to develop a culture of security?
Fundamentally, it really starts with garnering the necessary support to ensure you are able to implement a comprehensive program, which includes on-going awareness and training campaigns. Internal processes and workflows need to be assessed with an eye to security-related risks. Obviously, any and all technology-related efforts also need to contain security requirements as an inherent part of the design and compliance checking processes.
Sadly, many still view investing in security like buying life insurance. The human tendency is to say, “Well, that’s not going to happen to me,” and you quickly make a decision to defer those costs. Fundamentally, security is a risk mitigation concept. You’re identifying the risks, you’re looking at the costs and efforts required to contain those risks and it’s a business decision on whether you accept the risks. And unfortunately the longer you go without incurring any pain, the less risk averse you become.
Within our own space we see many of our institutions trying to combat incredibly sophisticated cybersecurity issues with limited dollars. In the case of security, this results in a situation in which you’re forced to cut corners. You have people saying, “Okay, we need to spend money here, and I’ve got to get this project done, so do we really have to spend on security? Let’s push that to another fiscal year.” On top of that, some institutions have challenges finding the staffing necessary to deal with cybersecurity at the level of sophistication that we see today. So, if you’re in a smaller market, for example, it may be difficult to find cybersecurity experts that have lived in the front lines of dealing with organized crime or incredibly sophisticated probes.
What are the security opportunities; what’s the next step?
What I love about this space is that there is an openness to collaborate – you just don’t get that in the commercial world. Unless you have deep pockets, the cost of doing things effectively and self-sufficiently can be overwhelming for one organization to handle, especially considering the scale of modern-day attacks. But in research and education, by leveraging a community-based approach, we really have an opportunity to address the scaling aspect of this problem together. I think there is a significant amount that can be achieved by being open to community-based approaches, such as establishing federated mechanisms.
The possible outputs of a community approach could be a shared response capability, in which, like a shared services model, the sum is greater than its parts. In the case where you’ve got a lot of common goals and structures, you could pool some of those efforts together. This would produce a gain in efficiency. And because of those efficiency gains, maybe you can invest the savings into developing a more capable solution. For example, a number of institutions are trying to build out their own independent capabilities. They each will have to figure out how to lock down their network independently and do penetration testing and probing applications, and many other tasks. In this scenario of redundancy, each of those institutions can win if they work together and share solutions.
The openness and collaborative spirit of this vertical provides us with a fantastic opportunity to explore federated models – maybe it’s a collection of institutions that are taking on the incident response piece, maybe there’s another collection of institutions who are taking on the education and training piece for the greater collective, and everyone is helping to cover costs and optimizing the cost of technical solutions.
From a security mitigation perspective, you’ve built a large community, so if an institution runs into a problem, they quickly allow the rest of the collective to learn from that, identify how to mitigate those threats, and everyone benefits.
That’s what some of the more effective security companies out there are doing. They build a global cloud, identify threats, quickly develop a solution and push that out to the rest of their community. I think we have a very similar opportunity. What is really interesting is that we can truly tailor a framework that is very focused on the needs of our research, education, and innovation community.