Cybersecurity threats protection: Don't forget the basics

Cybersecurity has become very complicated for businesses as new threats constantly pop up and old ones evolve. Companies have had to adapt business processes and roles to protect data against cybersecurity threats, which was a big topic at the 2014 ISSA International Conference in Orlando, Fla., in October.

In a series of video interviews from the conference, SearchCompliance editor Ben Cole discussed the state of modern cybersecurity with speakers, ISSA members and attendees. Here, former CIA chief information security officer Robert Bigman says many companies remain vulnerable because they overlook the basics when it comes to cybersecurity threat protection.

What are the biggest cybersecurity threats today, and what should companies be doing to react to them?

Robert Bigman: Frankly, the biggest threats are the same as they were five or 10 years ago. There are still threats from unauthorized access, malware attacks from code injections, phishing. Those haven't changed, and they won't change until we fix the problem, which is that computers aren't very secure. What has changed is that we've seen what is called the "democratization" of attacks. Some very sophisticated attacks which I used to see from nation states just a few years ago are now being done by hacktivists, or what I would call "front line" hackers, who really don't have a lot of skills but are using some very sophisticated code.

The problem is most companies have not configured their network architecture and IT programs to defend against these sophisticated attacks. They've been relying on commercial products, antivirus products, and now cyber-intelligence. The problem is none of it works, and is in fact completely ineffective. What they have to think about is how to engineer their systems and networks to minimize the threat of the malware even getting in. Once it gets in, if you have an Internet connection and you are a top-tier target, you are going to get hacked. That's what everyone is now learning.

Are there any universal strategies that have proven particularly effective for cybersecurity, or is it more important to remain flexible and adapt as threats evolve?

Bigman: Well, you shouldn't remain flexible and you shouldn't adapt. What you should do is be secure. It's kind of like football: We call it the "blocking and tackling" -- you've got to do the basic things right. Since I've retired I've been doing a lot of consulting, and I'll be honest with you, I haven't found almost any company that even does the basics right.

There are vendor and government standards for Windows configuration: it's step by step, do this and do that, turn this on, turn this off. I have not gone into a corporation where they even try to pay attention to those configurations. If they would do the basics, they would lessen their potential attacks. They wouldn't get rid of it, but they would greatly lessen it. However, they prefer to buy products and just pile on layers of products on a rotting foundation. They need to really work on the foundation.

What role do information security professionals play in cybersecurity?

Bigman: I've been working with many organizations, and I've seen them play a wide variety of different roles. What I worry about is two things that I see consistently across the private sector: The first thing is they don't have enough visibility and access to be effective. They are usually buried somewhere in the CIO organization, and it is the CIO who is the representative to senior management on security, not the CISO. It should never be that way, it should only ever be the CISO.

The second thing I see is that CISOs just don't get resources. They get money to buy products, but they don't get resources, funding and people to help build secure systems.

How do compliance regulations influence how companies approach cybersecurity?

Bigman: The simple answer is that it's not helping. The compliance police don't understand the complexity of information security. What they still do today, in 2014, is create a checklist. The problem is this takes up time and it doesn't get to the heart of the matter, which are the real crucial issues that I mentioned before, the blocking and tackling. The other problem I've noticed with the compliance police is that it's very issue du jour. For example, two years ago it was whitelisting. Last year, encryption was big. This year it's cyberintelligence. That doesn't help. The issues are the basic blocking and tackling, not whether they have specific tools in place.

What measures does your company take to offset modern cybersecurity threats?
Excellent article, but I noticed that specifics weren't given. So, let me give you some. In 2009, I published 14 Golden Rules of Computer Security. It covered the basics of staying safe on the Web. Here's a summary of the main points: https://itknowledgeexchange.techtarget.com/security-corner/14-golden-rules-of-computer-security/

"Well, you shouldn't remain flexible and you shouldn't adapt. What you should do is be secure."

Great on the surface, but it completely ignores the fact that attacks evolve and change. What was considered secure at one point may open up to vulnerabilities if the strategy doesn't take into account the changing nature of use and patterns of work. I don't disagree that there is certainly plenty of room to have a strong foundation, but houses are not just foundations. Also, left to their own devices, house foundations crumble in time as well. Cover the basics, absolutely (btw, Ken, very good list :) ), but realize that there is an evolution to usage and methods. Social engineering and hacking evolve to reflect this. Our solutions to counter them need to as well.

I see lots of articles on security and data breaches lately. We are getting better, but the thing I do not see enough on is in-house data breaches. We see the figures tied to this loss of data. I fear an unhappy or disgruntled employee may see this as an opportunity to make some money. What are the best methods to protect your data while still letting the employee do their day-to-day work with the same data?

Indeed, there are some people saying that the Sony break-in is due to this issue; apparently they'd had some layoffs and they think a disgruntled executive provided information to the hackers.

It's great that someone in such a highly visible position is touting the basics - the very things in IT and security that are overlooked every day, leading to security problems - both known and unknown - far and wide. So many people look for something new and shiny with security (hence the popularity of "cybersecurity") year after year, but the solutions they need are right before their eyes... If these people just went back and implemented the security basics that have been around for years, even decades, they would (finally) stand a chance against the threats they face.

There absolutely needs to be a balance between the security basics and the ability to respond to new threats. I think what B. Bigman is saying is that too often companies don't even get the basics right before moving on to more complicated threat protection. Basically, companies are putting the security cart before the security horse.

Very true, Ben... it's more fun to chase down "newer" and "sexier" solutions the vendors are pushing on us. Of course, the more time you spend on figuring things out and fighting the same fights (i.e., "I don't know why these issues keep coming up... let's blame our users - or management.") helps with job security as well... The people doing that are probably the ones you don't want to have in charge of security and/or compliance in your organization in the first place.