Former Twitter CISO: Biggest cybersecurity threats are old problems, not new ones
BOSTON – It’s perhaps not surprising that many cybersecurity conferences focus discussion on the newest ingenious ways hackers are launching attacks, and the equally ingenious ways security professionals must find to defend against them.
But while it's important to prepare early for the threats of the future, it’s even more important to be vigilant in protecting against long-existing threats such as phishing scams, exploitation of known vulnerabilities and brute-force credential-stuffing attacks.
"No one is going to do the hard thing to breach your organization when the easy thing is going to work every single time," said Michael Coates, CEO and cofounder of Altitude Networks, who previously served as CISO at Twitter and head of security for Mozilla.
Keynoting the opening day of the HIMSS Healthcare Privacy and Security Forum on Monday, Coates pointed out that major breaches in recent years – the Equifax breach, the Target breach – were not especially sophisticated attacks. For instance, the Target attack could have been stopped with better phishing protection strategies and by improving access management for vendors.
"Security breaches aren’t happening because attackers are outsmarting us," he said. "Attackers are simply finding the one hole in the massive surface area to defend. We must be more effective at operationalizing security at enterprise scale."
So how should security professionals plug up all those holes? Coates offered a few concrete suggestions.
One is to abandon the perimeter approach to healthcare security, and instead employ security measures at every access point inside the organization.
“A perimeter approach means attackers need one breach to get inside, and then it’s a free-for-all,” he said. “So if you can’t defend against one insider, all the outsiders are just one step away.”
An organization also has to align accountability and authority for security breaches. That is, the people who are making the decisions that can lead to breaches need to be the same people who are accountable when breaches occur.
One step Coates took at one organization was to have his security team create security report cards for the team leaders at a former company, and rank them based on their preparedness and adherence to controls.
“A person at the bottom of the list didn’t care much about the controls, but they did not like being last, so they sent an email to their team saying ‘fix this,’” Coates said. “It worked pretty well.”
At another organization, he went as far as to send an email from a disguised address to his own company’s press team, informing them of a fictitious breach and asking for a comment. He then documented how the organization responded and investigated the breach, taking notes that he then used to improve their response practices.
“I don’t believe security can be everyone’s responsibility, contrary to what we like to say,” Coates said. “But it does have to be integrated into everyone’s actions, into what they do.”