Security Congress 2021 kicked off its virtual conference last week with opening remarks from CEO Clar Rosso, who then introduced Chris Krebs, Founding Partner at Krebs Stamos Group LLC. The agenda was rich with educational offerings across multiple tracks, from Cutting Edge to Human Factors, Regulations, ICS/Critical Infrastructure and Pursuers & Newcomers. Though I was not chosen as a participant in Keith Barry’s Virtual Brain Hacking Experience, I did sit in on a few sessions. Here’s a brief overview of what was covered. If you missed any of it, you can catch it all on demand.
Defend Today, Secure Tomorrow
For the past year, Krebs has reportedly been traveling the country trying to get a sense of what people’s cybersecurity concerns are. Overwhelmingly, he noted, the consistent questions he hears from Advisory Board members to CISOs are: Why is it so bad? When is it going to get better? What is the government doing about it?
It’s that last inquiry that was the basis for the keynote Defend Today, Secure Tomorrow. Krebs walked through the “greatest hits” of 2016–2020 to make the point that ransomware is the number one threat model every organization should be setting up to defend against. Still, geopolitics became a prevalent theme in early 2020.
“China, Russian, Iran and North Korea are the ‘Big 4,’ but every country is developing some sort of cyber offensive capability. If you’re not trying, you’re really not in the game,” Krebs said.
Regardless of who the malicious actor is, right now, the economics of cybercrime continues to allow attackers to profit. The attack surface continues to grow, and cryptocurrencies remain largely unregulated, making it easy for cybercriminals to receive significant amounts of money outside of the purview of regulators the world over.
“It’s a profitable enterprise where there is not a lot of economic opportunity otherwise. There haven’t been a lot of consequences to date. Until consequences are meaningful and it’s not profitable, it’s going to continue. So, defenses have to improve. We need to do the basics better,” Krebs said.
How to Prepare and Secure Critical Infrastructure for the Future of Digitalization
From the several concurrent sessions following the keynote, I decided to sit in on a session with Dr. Tim Nedyalkov, Technology Information Security Officer at the Commonwealth Bank of Australia, who presented on securing critical infrastructure.
Starting with the premise that digital is the new normal, Nedyalkov walked attendees through a model for mitigating risk in OT networks. In outlining the risks of converged IT and OT environments, Nedyalkov said, “Every increasing attack surface expanded opportunities for criminals to plan and execute attacks, and there is now a growing interest of cybercriminals in industrial enterprise.”
Recognizing that cybersecurity is key to protecting critical infrastructure, he developed a model with nine specific steps accomplished in three phases: prepare, secure and protect. Nedyalkov said these three phases have helped to ensure the long-term protection of environments.
He started with a pathway for preparing to close the gap by first advising that security teams try to identify a common purpose and mandate. As a guideline, Nedyalkov said to use the three considerations every time you do something with cyber to make sure you don’t impact any parts of your environment.
While it’s important to know whether you have appropriate internal security safeguards to avoid HSSE damage, it’s equally as critical to understand contractual obligations, who your stakeholders are and how to engage with them.
“The reality is, over the past few years, regulators have improved cybersecurity environments. Make sure that we have open communication, ask for feedback and have a robust conversation. They have visibility into what is coming,” Nedyalkov said. “Regulators have been putting a lot of effort into making sure industries are involved in forums and issues around upcoming frameworks.”
Timelines and having visibility on transformational initiatives, such as knowing who is in charge of the delivery, are also critical. “Quite often, if we have internal resources when the project is finished, they will be moved to something else, but we still have the ability to work with them and have knowledge transfer,” Nedyalkov said. That’s not always the case when working with contractors.
But We’ve Never Done It That Way!” Disruptive Security Change in Times of COVID
I have to admit; the title drew me into this session with Michael D. Weisberg, CISO at Garnet River, who noted, “The theme of this presentation is based around the idea of things that I’ve found in the real world during the COVID crisis and how they’ve affected information security.”
Disruption reigned supreme, which I’m sure comes as no surprise to security professionals. What might be surprising is the idea that Weisberg, a veteran of the industry, is the one advocating for change. He said that senior members of security teams tend to sit on the sidelines, but when they propose a change, it’s often met with consternation and, “But we’ve never done it this way!” The pandemic has forced some of those changes, and now it’s time to embrace the new.
“First of all, almost everyone is working remotely now, although we have seen some motion back to work. Even now, I’m sitting in my home office. The home environment has become very important to business. Zero Trust was something that we talked about, but now people are working from home. People are working from remote locations. We’re starting to see Zero Trust really move up the scales,” Weisberg said.
Given that there’s evidence of workers being more productive working from home, there’s a strong likelihood that this could be the new normal. “In the security space,” Weisberg said, “it turns out a lot of times when we’re doing scans, or we’re doing remediation work, or even when we’re effectively just watching consoles to see what’s going on, it’s sometimes better to be able to do that in an environment where it is interrupted and somewhat less formal.”
As a result, Weisberg said he’s seen a rapid retooling of the environment, creating a situation where you can sometimes even retool into a better-quality environment. One word of advice Weisberg offered: “Take the time to plan. Set up for the future. Do not rush into this. I mean, even though it may seem as though it hurts productivity, nothing hurts productivity more than days-long outages.”