SC Congress Chicago: Assessing the "threat of the hour"
That an organization's "threat of the hour" is best identified through collaboration – whether among its own members or employees, or through interactions with industry peers – was the consensus of a panel of information and IT security experts at SC Congress Chicago on Thursday.
Scott Gerlach, director of information security operations at web hosting company Go Daddy, said a sense of trust within one's industry is necessary to build awareness about critical threats – as they can run the gamut from attention-grabbing attacks led by hacktivists to stealthy malware launched by nation-states.
Sorting through the central security concerns of a business requires a network that is in touch with its operational priorities.
“It's really hard to operate effectively in a vacuum,” Gerlach told SCMagazine.com before Thursday's SC Congress Chicago show. Gerlach was one of several panelists who spoke about the latest threats.
In April, the Scottsdale, Ariz.-based company founded the online Hosting Security Forum, where hosting service providers can discuss and share critical security information that can help protect users. Gerlach said forums, and other venues that bring industry professionals together, help to scale one major hurdle: building a sense of trust among companies and organizations.
“Figuring out who is going to get this threat info and can I trust them – that's one of the hardest things to do,” he said.
Gerlach also mentioned the importance of having security incident drills that include PR and legal teams, so that a company is able to respond properly internally and with customers or the public, should an incident occur.
Go Daddy was placed in the spotlight itself in September, when the web hosting company experienced an outage that affected a significant number of the five million websites it services. The company later cited "a series of internal network events" that corrupted its router data tables as the cause, though a member of Anonymous took credit for a claimed distributed denial-of-service attack on the company's DNS servers.
Kirsten Bay, principal of The Bodkin Group, which provides risk management consulting, told SCMagazine.com that it's key for businesses to have intelligence in place to determine where they are susceptible to being targeted.
Bay, who joined Gerlach on the panel, said this week she was planning to offer advice for management to pre-empt and respond to attacks. A critical component is prioritization.
“What are the three to five things you really do as a company, and what are the threats to those key revenue drivers and priorities?” Bay said. “And how will you manage the threats to the organization?”
Mary Chaney, incident response leader for GE Capital Americas, also spoke on assessing business risk based on a company's vertical industry and the information it manages.
“In the financial industry, for instance, we are looking at a type of environment where we were historically more concerned about an internal threat,” Chaney told SCMagazine.com before the panel. “But now, with state-sponsored attacks, the threat landscape has changed. You have to look at who is after you.”
During the session, the panelists agreed that organizations are doing a better job of protecting the perimeter, but because attacks like spear phishing that use "watering hole" techniques target people directly, the brunt of the burden falls on the end user.
"The trouble is I work with a lot of companies who do a phenomenal job but your workers are out there in the world, and there's nothing you can do," Bay said.
And despite initiatives like the Open Web Application Security Project (OWASP), developers are still churning out shoddy code, Chaney said.
"You can train people to securely develop this stuff, and it's still not happening."
Executive Editor Dan Kaplan contributed to this report.