Blog

“Effective defense in depth is not just shiny overlapping technical controls,” said Director of IT and Security Kayne McGladrey. “Rather, it’s the combination of culture, documented and tested processes, policies, and technical controls. For example, an organization with a policy of least privilege, a process for approving account privileges, and a process for auditing and harvesting unused privileges does not need multiple technical controls to implement the desired outcome.” It’s best to start with policy and then enact that in culture, where feasible.

Venture capitalists will accelerate feature development via mergers and acquisitions. In recent years, VCs have funded point solution vendors for technologies like SOAR and UEBA. These are features, not stand-alone technologies, and it’s often cheaper for market leaders to buy rather than build new features. CISOs should be aware of this market reality, as buying early-stage cybersecurity from a startup carries the risk of unintentionally having a business relationship with a much larger vendor within two years, and consequently needing to either buy the larger technology solution or rip and replace after the acquisition closes.

“There’s a perception that it is all hands-on-keyboards — people sitting in a basement somewhere drinking soda,” McGladrey said. “That perception, unfortunately, drives a lot of talented individuals who would have made a lot of meaningful contributions to the field to make other career choices.”

McGladrey wants security pros to talk to their colleagues, friends and families about the field and its diversity of roles. He also urges organizations to widen their candidate pools to include those with more varied backgrounds and life experiences.

“Right now in cybersecurity, we’re doing the same thing over and over and expecting a different result — the definition of insanity,” he said.

Cloud computing will continue to grow despite the frequency of breaches due to a lack of administrative controls and unintentional configuration errors. When an administrator had access to an on-premises server, they could only administer that server; a “cloud administrator” can administer all the assets in a given cloud instance, including backing up and exfiltrating entire servers. This is like the unintentional configuration errors that have plagued so many Amazon S3 buckets in 2019, where organizations have stored PII in S3 in a default configuration, and then those data have been accessed by security researchers.

Keeping an organization secure is every employee’s job. Instead of the obligatory employee training, Director of Security & IT for Pensar Development Kayne McGladrey recommends continuous engagement with the end-user community. “Provide opportunities and instrumentation to demonstrate policy violations rather than lecture at people.” Examples include leaving a USB data stick in a break room or using phishing tools to falsify emails from known employees that seem suspicious. “This helps educate and creates healthy suspicion,” said McGladrey.

Recognizing that fact, Kayne McGladrey, director of security and information technology at Pensar Development, an engineering consultancy in Seattle, says continuously phishing end users is the best way to help them identify phishing and other potentially malicious content. “This continuous exposure [to phishing] should take a variety of forms, from email-based phishing to direct messages on social media.”

McGladrey says short, actionable, culturally relevant education initiatives on a regular schedule are recommended because “users don’t want to sleep through the mandatory ‘October is cybersecurity month,’ two-hour, PowerPoint presentations.”

Kayne sees a greater challenge educating younger generations about creating similar habits. How young is too young? “If you’re targeting high school-age students, you are probably too late. Focus on teaching healthy skepticism at middle school along with identifying phishing and the importance of updating devices with security patches.” The adage that if something is too good to be true, it probably is may not be familiar to this age group because they have not been personally impacted. “Question the benefit or reward claims made by a mobile game before it’s downloaded and installed. Be suspicious.”

Security expert Kayne McGladrey, who serves as director of security and IT at Pensar Development and is a member of the Institute of Electrical and Electronics Engineers, said companies need to add extra steps to everything.

“The company could choose to add friction, whether it’s multi-factor authentication or an email link just to put a little additional scrutiny and raise the bar so it is materially more difficult for threat actors who have obtained someone’s credentials to be able to reuse those,” he said.

“The benefit of this strategy is that it applies universally. All of the automated attacks these days around credential stuffing and credential spraying do what the Yahoo hacker had done on a much larger scale. They get compromised credentials and test them across a whole bunch of websites using a distributed botnet.”

“The explosion of connected devices also requires re-thinking the protection mechanisms to apply to those endpoints,” says Kayne McGladrey, Director of Security and IT, Pensar Development. “Similarly, the widespread adoption of cloud-based services means that there’s no single network to protect.”

Much of the media focus has been on the financial damage from supply chain breaches, the nation-state actors behind the breaches, and the ill-defined “supply chain” itself. But surprisingly, despite the overheated media coverage, most electrical engineering (EE) firms are not the targets of a bear, kitten, or panda, which are frequently cited as advanced persistent threat groups behind the attacks. Most EE firms are targeted by threat actors of opportunity because they have two necessary ingredients: people and computers. This article lays out four best practices for individual EEs to help protect their firms.