The cyber ecosystem is changing faster than ever, creating new attack surfaces and increasing the challenge of defending against new and evolving threats. The fast-changing landscape requires new ways of thinking and approaches to protect environments that spread across on-premise and cloud infrastructures and connect IT with OT (operational technology) systems.
Just accepting that the expansion of the ecosystem – and the growing presence of technology in our lives – will increase risk isn’t good enough. This is a point (ISC)2 CEO David Shearer made clear at the kickoff of the organization’s Security Congress 2019 this week in Orlando. We cannot accept the idea that “expansion of the cloud must expose us to greater risk instead of greater opportunity,” he said. “As technology becomes more and more prevalent, so too must cybersecurity.”
Of course, developing cybersecurity tools and policies to keep up with new threats is not an easy task. But there is also opportunity in the expansion of the cyber ecosystem, said Curtis Keliiaa, Senior Network Engineer and Principal Investigator at the U.S. Department of Energy’s Sandia National Laboratories.
As new standards such as the IPv6 (Internet Protocol, version 6) specification and the 5G cellular network take hold, the opportunity arises for introducing security controls upfront, Keliiaa said. Both IPv6 and 5G will require the implementation of new hardware, applications and security. Referring specifically to IPv6 during a session on the evolving cyber landscape, he said: “Right now, we have a chance to build security like we never have. Now we know how bad the cyber problem is,” he said.
Data is the focus, he said. As data moves around widely dispersed connected systems, cybersecurity teams need to “follow the data,” Keliiaa said. Data owners are transitioning into the role of data stewards, which requires an understanding of what and where the data is in order to protect it.
The IPv6 specification is intended to replace the older IPv4, but it will be some time before that actually happens. In the meantime, both standards will be in use side by side, creating complexity and challenges in managing risk.
IPv6 needs champions who will approach the C-suite and make a case for migration, Keliaa said. When talking to executives, he advised: “Be right; don’t talk opinion. Be fast; don’t waste their time.” Executives have a lot on their plates besides managing risk; they also have to think about increasing profits and managing the entire organization efficiently.
An example of how changes in technology impact cybersecurity involves penetration testing of cloud systems. Mike Weber, CISSP, vice president of Coalfire Labs, said that moving assets to the cloud adds complexity to the process – and it’s not possible to test everything. With that in mind, he told attendees at Security Congress to put a plan together for cloud penetration tests.
The plan should include rules of engagement, a timetable and methodology. It’s essential to identify the scope, he said. “Your objective needs to be narrow enough so you don’t have to boil the ocean. If you try to test all of an organization’s cloud, then you’re going nowhere.”
Weber stressed the importance of asking permission from cloud providers before doing a test. Unfortunately, different cloud service providers have different sets of rules for testing. If the test involves two or more providers, getting approval from all of them can be time-consuming and delay projects. Thankfully, he said, the rules are starting to converge and these issues eventually will go away.