Today we publish an interview with Rishi Narang from CyberSins, “a blog on sun, sins, and security.” Rishi is a consultant, researcher, and blogger on digital security & cyber intelligence, describing himself as a tech aficionado & evangelist. We asked Rishi some questions about data protection, how to encourage people to pay attention to protecting their online information, and how to automate this process.
Curious what Rishi’s best data protection tips are? Read the interview below and don’t hesitate to leave feedback in the comments!
Data Protection Tips: an Interview with Rishi Narang from CyberSins!
How do you evaluate people’s awareness regarding the need to protect their private data?
Enterprise Security is as closely related to the systems as to the people interacting with them. This is an interesting question as we have often faced challenges during data protection training on how to evaluate with certainty that a person understood the importance of data security & is not just mugging up for the test. One such way to perform evaluations is to include surprise checks and discussions within the teams.
A team of security-aware individuals is trained and then asked to carry on the tasks of such checks.
For example, if a laptop is found logged in and unattended for long, the team confiscates it and submits it to a C-level executive (e.g., CIO or COO). As a consultant, I have also worked on an innovative solution of using such awareness questions as “the second level” check while logging into the intranet applications. And, we all are aware of phishing campaigns that management can execute on all employees and measure their receptiveness to such emails. But, it must be followed up with training on how an individual can detect such an attack, and what they can do to avoid falling prey to such scammers in the future.
We must understand that while data protection is key, all the awareness training and assessment should not cause speed bumps in a daily schedule.
These awareness checks must be performed regularly without adding too much stress for the employee. The more the effort, the more the employee would like to either bypass or avoid it. Security teams must work with the employees and support their understanding of data protection. Data protection must work as an inception of understanding security, and not a forced argument.
Do you think that an average user pays enough attention to the issue of data protection?
Data protection is an issue which can only be dealt with by a cumulative effort, and though each one of us cares about privacy, few do that collectively within an enterprise. It is key to understand that security is a culture, not a product. It needs an ongoing commitment to providing a resilient ecosystem for the enterprise. Social engineering is on the rise with phishing attacks, USB drops, fraudulent calls and messages.
An employee must understand that their casual approach towards data protection can bring the whole business to ground zero. And, the core business must be cautious when they do data identification and classification. The business must discern the scope of their application, and specify the direct/indirect risk if the data gets breached.
Data breach is not only a direct loss of information but a ripple effect leading to disclosure of the enterprise’s inner sanctum.
Now, how close are we to achieving this? Unfortunately, we are far from the point where an “average user” accepts data protection as a cornerstone of success in a world where information is the asset. Businesses consider security as a tollgate which everyone wants to bypass because they neither like riding with it, nor being assessed by it. Well-balanced data protection can be achieved when it’s not a one-time effort, but an inherent base to build our technology on. Unless we use the words “security” and “obvious” in the same line, positively, it would always be a challenge which an “average user” would try to deceive rather than achieve.
Why is the introduction of procedures for the protection of federal information systems and organizations so important?
Policies and procedures are essential for the protection of federal or local information as they harmonize security with usability. We should understand security is a long road, and when we attempt to protect data, it often has its quirks which confuse or discourage an enterprise from evolving. I have witnessed many Fortune 500 firms protecting their assets and getting absorbed in it like it’s a black hole. They invest millions of dollars and still don’t reach par with the scope & requirements. Therefore, it becomes very important to understand the needs of the business, the data it handles, and which procedures apply in their scope.
Now, specifically, procedures help keep the teams aligned in how to implement a technology or a product for the enterprise.
Team experts or SMEs usually have a telescopic vision in their domain, but a blind eye on the broader defense in depth. Their vision is tunneled by their skills, but a procedure helps them to attain a sync with the current security posture, and the projected roadmap. Also, a procedure reduces the probability of error while aligning with a holistic approach towards security. A procedure dictates what and how to do, thereby leaving very little margin of misunderstanding in implementing complex security measures.
Source: https://www.enisa.europa.eu
Are there any automated methods to test the data susceptibility to cyber-attacks, for instance, by the use of frameworks like Metasploit? How reliable are they in comparison to manual audits?
Yes, there are automated methods to perform audits, and to some extent, they are well devised to detect low-hanging fruits. In simpler terms, an automated assessment has three key phases: information gathering, tool execution to identify issues, and report review.
Security-aware companies and the ones that fall under strict regulations often integrate such tools in their development and staging environments.
This CI (continuous integration) keeps the code clean and checks for vulnerabilities and bugs on a regular basis. It also helps smooth out the errors that might have come in due to using existing code, or outdated functions. On the other side, there are tools which validate the sanity of the production environment and also perform regular checks on the infrastructure and data flows.
But, are these automated tools enough? No. They are not “smart” enough to replace manual audits. They can validate configurations & issues in the software but they can’t evolve with the threat landscape. Manual audits, on the other hand, provide a peripheral vision while verifying the ecosystem resilience. It is essential to have manual audits, and use the feedback to assess, and even further tune the tools. If you are working in a regulated and well-observed domain like finance, health or data collection, the compliance officer would always rely on manual audits for final assurance. The tools are always there to support, but remember, they are only as good as they are programmed and configured to be.
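The “report review” phase described in the answer above is the point where a CI pipeline decides whether an automated scan blocks a build, and where low-confidence tool output gets routed to a human instead of being silently trusted or silently ignored. The script below is an added illustration of such a gate; it is not code from CyberSins or the interviewee. It assumes a hypothetical scanner that emits JSON findings with `rule`, `severity`, `confidence`, `file` and `line` fields (the sample report is constructed, not the output of any real tool), and the severity names and threshold defaults are choices of this example.

```python
"""CI gate for the report-review phase of an automated security assessment.

Added example, not the blog's or interviewee's code. The scanner output
format below is hypothetical; adapt parse_report() to the tool you run.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Ordering used to compare a finding's severity against the fail threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner report (hypothetical format, made up for this example).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"rule": "sql-injection", "severity": "high", "confidence": 0.9,
         "file": "app/orders.py", "line": 42},
        {"rule": "weak-hash-md5", "severity": "medium", "confidence": 0.95,
         "file": "app/legacy/token.py", "line": 7},
        {"rule": "possible-xss", "severity": "high", "confidence": 0.4,
         "file": "app/views.py", "line": 118},
        {"rule": "debug-flag", "severity": "low", "confidence": 1.0,
         "file": "settings.py", "line": 3},
    ]
})


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    confidence: float
    file: str
    line: int


def parse_report(text: str) -> List[Finding]:
    """Parse the hypothetical JSON report; reject severities the gate does not know."""
    data = json.loads(text)
    findings: List[Finding] = []
    for item in data.get("findings", []):
        severity = str(item.get("severity", "info")).lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} in finding {item}")
        findings.append(Finding(
            rule=str(item["rule"]),
            severity=severity,
            confidence=float(item.get("confidence", 1.0)),
            file=str(item["file"]),
            line=int(item["line"]),
        ))
    return findings


def triage(findings: List[Finding], fail_at: str = "high", min_confidence: float = 0.7,
           accepted_rules: FrozenSet[str] = frozenset()) -> Dict[str, List[Finding]]:
    """Sort findings into buckets.

    blocking:      severity >= fail_at and the tool is confident -> fail the build
    manual_review: severity >= fail_at but low confidence -> a person must look
    accepted:      rule explicitly risk-accepted by the security team
    informational: below the threshold; reported, never blocks
    """
    threshold = SEVERITY_RANK[fail_at]
    buckets: Dict[str, List[Finding]] = {
        "blocking": [], "manual_review": [], "accepted": [], "informational": []
    }
    for f in findings:
        if f.rule in accepted_rules:
            buckets["accepted"].append(f)
        elif SEVERITY_RANK[f.severity] < threshold:
            buckets["informational"].append(f)
        elif f.confidence < min_confidence:
            buckets["manual_review"].append(f)
        else:
            buckets["blocking"].append(f)
    return buckets


def build_passes(buckets: Dict[str, List[Finding]]) -> bool:
    """Only confident, above-threshold findings fail the pipeline."""
    return not buckets["blocking"]


def summarize(buckets: Dict[str, List[Finding]]) -> str:
    """Human-readable summary for the CI log."""
    lines = []
    for name, items in buckets.items():
        for f in items:
            lines.append(f"[{name}] {f.severity}/{f.confidence:.2f} {f.rule} at {f.file}:{f.line}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(summarize(result))
    sys.exit(0 if build_passes(result) else 1)
```

Run on the constructed report, the gate fails the build on the confident `sql-injection` finding, sends the low-confidence `possible-xss` hit to the manual-review queue rather than dropping it, and records the rest as informational. Tightening `fail_at` to `"medium"` or adding a rule to `accepted_rules` changes the verdict without touching the scanner, which is the “tune the tools from audit feedback” loop the answer describes.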
How to present procedures preventing attacks in one’s company, e.g., to external customers who demand an adequate level of data protection?
This is a very important concern, and thanks for asking this. External clients need to “trust you” before they can share data, or plug you into their organization.
The best approach that has worked for me is an assurance on the basis of what you have, and how well are you prepared for the worst.
The cyber world is very fragile, and earlier we used to construct “if things go bad …” but now we say “when things go bad …”. This means we have accepted the fact that an attack is pertinent if we are dealing with data/information. Someone is observing to attempt a strike at the right time, especially if you are a successful firm. Now, the assurance can be achieved by demonstrating the policies you have in place for Information Security and Enterprise Risk Management. These policies must be supplemented with standards which identify the requirements, with the procedures as the how-to document on the implementation.
In most cases, if you have to assure the client on your defense in depth, the security policy, architecture and previous third-party assessment/audit suffice. In rare cases, a client may ask to perform its own assessment of your infrastructure, which is at your discretion. I would recommend making sure that your policy not only handles security but also incidents, to reflect your preparedness for the breach/attack.
On the other hand, if your end customers want an assurance, you can absolutely reflect that by being proactive on your product, blog, media, etc. on how dedicated you are in securing their data.
For example, the kind of authentication you support tells of your commitment to protecting the vault. Whether it’s mandated or not depends on the usability and UI, but supporting it shows your commitment to addressing the security-aware customers & understanding the need of the hour.
Rishi Narang, consultant, researcher, and blogger on digital security & cyber intelligence
You can contact Rishi via his website and find him on Twitter and Instagram!