Fabian Libeau, EMEA VP, discusses the changing role of chief information security officers (CISOs) within businesses.
The Chief Information Security Officer’s (CISO) role is going through a period of transition. The number of security breaches over the last year is unprecedented and growing, clearly demonstrating the need for a re-evaluation of current security thinking. The required changes must be driven top-down and apply across the whole organisation, with the CISO acting as a key enabler.
As organisations move their customer and partner interactions online with unprecedented speed in their quest to remain competitive, an unfortunate result is that their digital attack surface often grows to an unmanageable size. Today’s CISOs are responsible for curbing the inevitable increase in risk for data theft, operational disruption and brand erosion, as well as employee and customer compromise.
As digital assets across web, social and mobile platforms become prime targets for cybercrime, CISOs must find ways to not only defend their digital assets residing on their own networks and endpoints but also their often overlooked digital assets residing outside the corporate network.
Today, spotting cyberthreats lurking on the Internet requires a level of visibility that most organisations lack. Successful CISOs are those investing in surveillance and reconnaissance tools that can show how their digital attack surface appears to attackers: a collection of widely dispersed digital assets that can be exploited in a variety of ways.
Beyond the firewall
For many organisations, digital channels have overtaken more traditional channels in terms of customer preference and engagement. While this brings extended reach, lower cost and, for smaller organisations, levels the playing field against bigger competitors, it also brings new security challenges.
Indeed, threat actors are undertaking reconnaissance on the digital presence of organisations; their registered domains, websites, email systems and other Internet-exposed infrastructure, looking for vulnerabilities to exploit.
In addition to direct attack, another common tactic is the impersonation of the organisation and its brands on the Internet, directing employees or customers to what look like legitimate assets.
From there cybercriminals can harvest credentials to gain access to corporate systems or capture personal information for monetary gain. Examples of these types of activities include the registration of domains that look similar to a brand’s domain (typo-squatting), driving traffic to phishing pages that look legitimate, placing fake mobile apps in the app stores and creating fake social media accounts on the major social platforms. Millions of new digital assets appear on the Internet every day, making it extremely difficult for an organisation to monitor for brand infringement and impersonation.
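The look-alike domain registration described above is something a security team can monitor for on its own side. The following is an added example, not code from the article or from RiskIQ: it generates the common look-alike variants of a brand domain (character omission, adjacent transposition, digit-for-letter homoglyphs, hyphen insertion, lure affixes and TLD swaps) and matches them against a feed of newly observed domains. The brand domain `examplebank.com`, the homoglyph table and the domain feed are all constructed for illustration.

```python
"""Brand-impersonation monitoring: match newly observed domains against
look-alike variants of a brand domain.

Added example, not part of the original article. The brand domain, the
homoglyph table and the NEW_DOMAINS feed below are constructed, not real data.
"""

# Small illustrative homoglyph table (assumption: not exhaustive; real
# monitoring tools use far larger tables including Unicode confusables).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}

# Words commonly prepended/appended to a brand name in phishing lures.
LURE_AFFIXES = ("secure", "login", "my", "account")

# Alternative TLDs that an impersonator might register the brand label under.
ALT_TLDS = ("net", "co", "org", "info")


def typosquat_variants(domain: str) -> set:
    """Return the set of look-alike domains for `domain` (label + tld)."""
    label, _, tld = domain.rpartition(".")
    labels = set()

    # 1. Character omission:        examplebank -> exmplebank
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])

    # 2. Adjacent transposition:    examplebank -> exmaplebank
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])

    # 3. Homoglyph substitution:    examplebank -> examp1ebank
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])

    # 4. Hyphen insertion:          examplebank -> example-bank
    for i in range(1, len(label)):
        labels.add(label[:i] + "-" + label[i:])

    # 5. Lure affixes:              examplebank -> examplebank-login
    for affix in LURE_AFFIXES:
        labels.update({affix + label, label + affix,
                       affix + "-" + label, label + "-" + affix})

    labels.discard(label)  # the brand's own label is not a look-alike
    variants = {f"{lbl}.{tld}" for lbl in labels}

    # 6. TLD swap:                  examplebank.com -> examplebank.co
    variants.update(f"{label}.{alt}" for alt in ALT_TLDS if alt != tld)
    return variants


def find_lookalikes(brand_domain: str, observed) -> set:
    """Return the observed domains that are look-alikes of `brand_domain`."""
    candidates = typosquat_variants(brand_domain)
    return {d.lower().rstrip(".") for d in observed} & candidates


# Constructed sample feed of newly observed domains (not real registrations).
NEW_DOMAINS = [
    "examplebank.com",          # the brand itself; must not be flagged
    "examplebank-login.com",    # lure affix
    "exampleban.com",           # omission
    "examp1ebank.com",          # homoglyph
    "exmaplebank.com",          # transposition
    "example-bank.com",         # hyphen insertion
    "examplebank.co",           # TLD swap
    "unrelated-shop.net",       # benign
]

if __name__ == "__main__":
    for hit in sorted(find_lookalikes("examplebank.com", NEW_DOMAINS)):
        print("look-alike domain observed:", hit)
```

In practice the feed would be a daily pull of newly registered or newly resolving domains, and each hit would be triaged (does it resolve, does it serve a page that copies the brand, does it have MX records) before a takedown request is raised.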
We also see new adversary tactics appear on a regular basis and, when successful, they are rapidly copied by other threat actors, giving organisations yet another threat vector to defend against.
Case study – the credit-card skimming scheme
Consider the recent breaches of Ticketmaster, British Airways and Newegg by the credit-card-skimming groups known as Magecart.
In the case of the Ticketmaster breach, RiskIQ discovered it wasn’t an isolated incident but part of a worldwide campaign, executed by compromising widely used third-party analytics trackers, that affected tens of thousands of e-commerce sites.
The affected brands had no visibility into the code running on their websites, so they were unaware and powerless to protect their customers, many of whom had their data stolen directly from the site as they entered their payment information.
British Airways and Newegg were similarly vulnerable to web-based attacks. They were victimised by targeted attacks using unique skimmers that integrated with the victim’s payment system and blended with the infrastructure, staying there as long as possible. These attacks showed that such campaigns are not limited to specific geo-locations or specific industries – any organisation that processes payments online is a target. The elements of the British Airways attack were all present in the attack on Newegg.
However, when brands understand what they look like from the outside in, they can undertake measures to harden their attack surface and take down impersonating assets.
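The lack of visibility into third-party code described in the case study can be reduced with a routine inventory of what a payment page actually loads. The following is an added example, not code from the article or from RiskIQ: it parses a checkout page, lists every script it includes, flags third-party scripts that are not pinned with Subresource Integrity (SRI) and inline scripts that cannot be pinned at all, and derives the Content-Security-Policy `script-src` allow-list that the inventory implies. The HTML, the hostnames (`shop.example`, `analytics.example.net`, `widgets.example.org`) and the `sha384-PLACEHOLDER…` integrity values are constructed placeholders.

```python
"""Inventory the scripts a checkout page loads and flag those an attacker
could modify without the site owner noticing.

Added example, not from the original article. CHECKOUT_HTML and all
hostnames and integrity hashes in it are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for external scripts and count inline ones."""

    def __init__(self):
        super().__init__()
        self.external = []   # list of (src, pinned_with_sri)
        self.inline = 0      # inline <script> blocks (cannot carry SRI)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self.inline += 1


def _host_of(src: str, page_host: str) -> str:
    """Hostname serving `src`; relative URLs resolve to the page's own host."""
    return urlparse(src).netloc or page_host   # "//host/x" parses to netloc too


def _is_third_party(host: str, page_host: str) -> bool:
    return host != page_host and not host.endswith("." + page_host)


def audit_scripts(html: str, page_host: str) -> list:
    """Return findings for scripts that are outside the site's direct control."""
    c = ScriptCollector()
    c.feed(html)
    findings = []
    for src, pinned in c.external:
        host = _host_of(src, page_host)
        if _is_third_party(host, page_host) and not pinned:
            findings.append({"src": src, "host": host,
                             "issue": "third-party script loaded without SRI"})
    if c.inline:
        findings.append({"src": "(inline)", "host": page_host,
                         "issue": f"{c.inline} inline script(s); "
                                  "cover with a CSP nonce or hash"})
    return findings


def csp_script_src(html: str, page_host: str) -> str:
    """Derive the script-src directive that matches the page's current inventory."""
    c = ScriptCollector()
    c.feed(html)
    hosts = sorted({urlparse(src).netloc for src, _ in c.external
                    if urlparse(src).netloc})
    return "script-src 'self' " + " ".join(hosts) + ";"


# Constructed sample checkout page (hostnames and hashes are placeholders).
CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/vendor/jquery.min.js"
        integrity="sha384-PLACEHOLDER1" crossorigin="anonymous"></script>
<script src="//analytics.example.net/track.js"></script>
<script src="https://widgets.example.org/chat.js"
        integrity="sha384-PLACEHOLDER2" crossorigin="anonymous"></script>
</head><body>
<form id="payment"></form>
<script>window.checkoutConfig = {currency: "GBP"};</script>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_scripts(CHECKOUT_HTML, "shop.example"):
        print(f"{f['issue']}: {f['src']} ({f['host']})")
    print(csp_script_src(CHECKOUT_HTML, "shop.example"))
```

The caveat a practitioner will recognise is that analytics trackers of the kind abused in the Ticketmaster campaign are updated by their vendor, so they cannot be SRI-pinned without breaking; for those, the controls are a tight `script-src` allow-list, keeping them off the payment page entirely, and re-running this inventory on a schedule so that a changed or newly added script is noticed rather than discovered after customer data has gone.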
The mobile movement
A prime example of the need for this approach is the mobile applications the organisation develops for customer use, as they by default sit outside the perimeter in one or more app stores. Many people aren’t aware of the exponential growth of the mobile ecosystem, both in terms of the number of apps and the number of app stores. While Google Play and Apple iTunes capture a significant segment of the market, there are hundreds of other app stores out there competing to drive traffic and increase their market share. Official apps and apps leveraging the brand are widely copied and distributed across the mobile ecosystem.
As a result, the number of mobile apps that an organisation owns, or that leverage its brand, is far higher than it suspects. For larger organisations, the proportion of apps in unofficial stores versus official stores can be more than 90%. Mobile app proliferation has a direct impact on consumers, as there is a risk of using an unsupported application or, in the worst case, a malicious one.
Finding the unknown
Most organisations lack a full view of their Internet-exposed assets. Today’s CISOs must operate on the assumption that their organisation has a far bigger digital footprint than they realise. It is common to have 30% more publicly exposed digital assets than are visible to corporate IT and security teams. Many of these ‘missing’ assets are the result of shadow IT: development activity performed by third parties, such as marketing-funded websites, or sites, apps and social media accounts created by line-of-business teams.
Agile development, in all its forms, helps the business to keep pace with customer expectations, but if the assets delivered are unknown to the corporate IT and security teams, it is unlikely that the proper security controls and governance are in place and, as a result, these unknown or forgotten assets have a higher likelihood of being compromised. They must be actively managed to reduce the low-hanging fruit available for cybercriminals to exploit.
An ever-evolving role
The traditional security strategy for the previous generation of CISOs has been a defence-in-depth approach starting at the perimeter and layering back to the assets to be protected. As outlined earlier, there are clearly disconnects between that kind of strategy and the threat landscape in which companies need to protect themselves today.
In a world of digital channels, users – customers and prospects – sit outside the perimeter, an increasing number of corporate digital assets sit outside the perimeter on third-party hosting services or are exposed on the Internet, and the majority of the malicious actors sit outside the perimeter. As such, CISOs need security strategies that encompass this change while continuing to defend the corporate network and all that sits inside it.
The good news for CISOs is that there is now much more data available, which can provide the needed Internet visibility to complement existing security tools and processes. Experienced CISOs need to be trusted to invest in security strategies that encompass this change by leveraging the vast amounts of data at their disposal and by better aligning their external threat programme with other IT security and operations teams. By understanding their exposures, expediting enterprise-wide threat investigations and monitoring their Internet attack surface, CISOs can proactively address external threats and reduce their online risks.