Bob Flores, former CTO for the Central Intelligence Agency, answers questions around security strategy at the Next Big Thing Summit in Melbourne.
Bob Flores, former CTO with the Central Intelligence Agency (CIA) in the US, and now managing partner for Cognito Corp, has shared some key insights around data security in Australian businesses.
Speaking as part of Connect Expo’s Next Big Thing Summit in Melbourne, Flores featured a number of key facts and figures around the state of local and global enterprise security, including key resources that demonstrate the extent of the world’s security problem, while offering solutions for how to create a culture of secure cyber intelligence.
Here’s a list of the crucial security data resources that he relies on.
1. The Verizon Data Breach Incident Report
In his presentation, Flores cited numerous statistics from the latest Verizon Data Breach Incident Report, which details the confirmed breaches in just a one year time period, as well as the exact type and frequency of those breaches.
A key focus from this report was the extent to which phishing emails can threaten a company’s security, with 23 per cent of all phishing emails globally being opened by staff. A further 11 per cent have clicked on the attachments in these emails.
“Once you click on that attachment, the malware is delivered. If I send a phishing email to 100 people, 11 of them will allow me to get into their network,” he said.
“Depending on how good my malware is, I can reside inside your network for years – kind of like sleeper agent – before I rear my ugly head and start doing something – stealing data, whatever.”
To classify the level of security risk Australian businesses may face, Flores said he used the relatively new Shodan search engine to provide a “vulnerability snapshot” of Australia.
Shodan has been described as the Google for the Internet of Things, and was originally designed to provide technology companies with information about where and how their products were being used.
However, this search engine can also find routers with exposed backdoors, unsecured webcams, and industrial control systems still using default passwords – information valuable both for organisations looking to better lock down their environments or investigate potential partners, as well as hackers looking for avenues to exploit.
The service is available publicly and free of charge, but enterprise clients can also buy raw, real-time access to all the data it collects.
“Shodan looks out at all of the IP addresses connected to other IP addresses, and you can further classify those like, say I want to look at what’s happening with just traffic cameras,” said Flores.
“Last week we took a snapshot of what’s going on in Australia – it showed a tremendous number of vulnerabilities.” A large and detailed list was presented to the audience identifying servers still utilising default passwords from the main factory.
3. NTT Group’s Global Threat Intelligence Report
Perhaps even more shocking than the current global vulnerability rate was Flores citing that actually, many companies are aware of existing vulnerabilities, but do nothing to secure these. To demonstrate, he cited some key figures from the latest NTT Group Global Threat Intelligence Report around patching.
“I’m often asked by people and clients, how often should we patch? You’re probably not doing it enough.
“According to NTT Group, 74 per cent of organisations have no formal incident response program – you found the issue, so what are you going to do about? It’s important to understand that.
“Generally, organisations with no vulnerability management program take nearly 200 days to patch their systems,” he said.
According to the report, more than 99 per cent of identified vulnerabilities are still active one year after they’re discovered.
“Your people, or you, found a problem on your network in a computer somewhere and did nothing about it. In a year later, it’s still there,” Flores said.
Further, 76 per cent didn’t do anything to patch discovered vulnerabilities until after two years, and nine per cent didn’t do anything for 10+ years.
4. The Cyber Threat
In the effort to combat security risks, Flores recommended this book by Bob Gourley, director of Intelligence in the US’s first Department of Defense cyber defense organisation, and lead for cyber intelligence at Cognitio Corp.
“I encourage you to read this book, available electronically for next to nothing on Amazon – it’s really useful,” said Flores.
The book, which is also recommended by some other top players from the Cia, the US Air Force, the US Navy and the National Security Association (NSA), aims to teach technology and business executives how to enhance their business’ ability to defend against cyber-attacks. It focuses on developing ‘cyber intelligence’ as a way of making threat information actionable in support of business objectives.
“It includes lessons from historic and current operations, insights from companies under attack, and ways to enhance cyber intelligence support at strategic, operational and tactical levels,” said Flores.
As a free online resource, Flores recommended executives familiarise themselves with Threatbrief.com – a helpful online resource created by Flores’ analyst firm, Cognito, which is updated with 8-12 new articles daily.
Threatbrief’s content offers insights into the global security landscape, offers advice on how to reduce personal and business risks, and better inform readers’ strategic decision-making.
In particular, Flores’ recommended technology leaders access the featured paper discussing the five questions that executives should be asking around cyber security – “then ask yourself those,” he said.
Finally, in emphasising the need for organisations to develop their own cyber intelligence programs internally, Flores concluded by stressing how important constant user education was, including a change in attitude around users and security generally.
“Everyone in the corporation must understand that part of their job is to be a security officer – employees must know and practice security daily,” he said.
When asked ‘who is responsible for data on a day-to-day basis?’ They always say ‘no, not me, that guy over there is [the CIO], I just use the data’ – That’s the wrong answer.”
Flores suggested that moving forward, official employee evaluation methods should incorporate a review on a staff member’s knowledge and practice of security.
“Employees have to be continually educated. Educate them again and again. And again. Not just once when they enter the company, which is then long forgotten by the time they leave the company.”
Join the CIO newsletter!