Have defence in depth, says Canadian expert

IT World Canada, Howard Solomon writes:

CISOs shouldn’t sweat about the latest allegation by Wikileaks that the CIA has the ability to hack almost anything – so long as they’re prepared with defence in depth, says a Canadian international security expert.

“What they [the CIA] have? God knows,” said Richard Zaluski, CEO of the Centre for Strategic Cyberspace and Security Science. “What you can do as a CIO is get a game plan. You have to do your homework … Bring in third parties to do security tests.

“How you handle this really depends on what your resources are.  A basic plan can really save your bacon. If you have the funds do due diligence. Bring in a third party audit, pen testers.” In addition, locking down workstations so staff — or visitors — can’t plug in USB keys and copy data is vital.

He also said CISOs that allow data to be stored in the cloud have to take care of where the provider is located and what security standards are adhered to.

Similarly, Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada, said the report is “a timely reminder” that infosec pros have to look after basic security, including regular patching.

“By definition, there’s nothing you can do about zero days (exploits) until you know about them,” he said in an interview. But, he added, some the vulnerabilities the CIA allegedly can exploit that are described by WiikiLeaks are old and by now have been closed by software updates. “These are things we should all be doing anyway.”

“The main takeaway for me from this story is the basics are still important, regardless of whether you’re concerned about this story or any other form of cyber crime, espionage or hacking.”

Meanwhile security vendors have been quick to take advantage of the headlines on the WikiLeaks allegation to issue warning statements. “The real danger here is the potential for a tidal wave of Zero Day attacks aimed at enterprises, especially enterprise web applications,” said Dublin-based Waratek Inc. It advises CISOs to prioritize patches, harden applications, use a rules-based approach to security and look for and protecting against vulnerabilities in every part of your software stack.

Read the full article