While common security measures can help companies and their employees avoid becoming victims of cybercrime, they aren’t foolproof, said Shakour A. Abuzneid, a professor of cybersecurity and networking and incoming program director at Roger Williams University.
Even the experts aren’t immune, he said. Just two months ago, global technology and networking conglomerate Cisco Systems Inc. revealed that a ransomware attack had breached its cyber defenses.
“The companies that are helping us are getting hacked,” Abuzneid said.
In today’s increasingly connected world, strategies that seek to solely prevent cybercrimes are now outdated, said Abuzneid, speaking at Providence Business News’ 10th annual Cybersecurity Summit, held on Oct. 6 at the Crowne Plaza Providence-Warwick.
When approaching cybersecurity, “we have to have an active response to attacks – proactive,” Abuzneid said. “We have to move from defense to offense. We have to attack [cybercrimes] ourselves.”
Part of the issue is that on average, it takes a company more than 200 days to identify a breach in its network, Abuzneid said, and 176 days to remedy that vulnerability.
“Even if we detect something, we can’t respond fast enough to stop that attack or breach,” Abuzneid said, “so prevention is not a solution, detection is not a solution by itself.”
And not only are there more hackers than ever, but they also have more avenues of attack.
In the past two to three decades, the rise of cloud computing and mobile devices has created an “internet of things,” where it’s not just phones that serve as hackable smart technology.
Eventually, “everything will be connected to the internet,” Abuzneid said. “Look at this room: The chairs you’re sitting on will be connected, the door, the lights. … We’ll have billions, eventually trillions of devices connected to the internet.”
Meanwhile, there aren’t enough professionals to address rising cybercrime rates, Abuzneid said, noting a global shortage of at least 1.5 million cybersecurity professionals.
When industry leaders first realized that common measures such as next-generation firewalls and antivirus software cannot broadly prevent cyberattacks, they developed a strategy known as “Defense in Depth,” which prioritizes various layers of defense. But without carefully connecting these layers, Abuzneid said, this approach still has many inadequacies.
“It’s time to declare defense in depth is not enough,” Abuzneid said. “Some people say it’s dead. I’ll say it’s not enough. So, it’s time to look at the security as holistic security, promptly.”
And security information and event management, another popular tool for managing cybersecurity, also does not suffice. SIEM technology detects less than 1% of attacks, Abuzneid said, because it was built for compliance reporting, rather than security.
Abuzneid advocates for an interconnected, holistic approach that involves measures such as identifying and protecting all devices connected to a network, a thorough understanding of security needs, creating tests and data to monitor security needs, and creating a proactive protection strategy.
Abuzneid purposefully highlighted protection, rather than prevention, and encouraged attendees to forget the word “prevention” altogether.
Also differing from the defense-in-depth approach, companies need to prioritize regular updates to their cyber defense strategy, Abuzneid said.
“It’s a continual process,” he added. “The moment we fix something, someone else will break it.”
Following Abuzneid’s opening remarks, attendees had their choice of attending one of two concurrent workshops.
One panel included Jason Albuquerque, chief operating officer at Envision Technology Advisors LLC; Doug White, professor of cybersecurity at Roger Williams University; and Linn Freedman, chair of data privacy and the cybersecurity team at Robinson & Cole LLP, and highlighted how prevention can help a company’s return on investment.
A second panel featured Eric M. Shorr, president, and Lisa A. Shorr, vice president, at Secure Future Tech Solutions in Warwick, and taught attendees how to “think like a hacker” while building their cyber defense strategies.
Panelists, including White, echoed Abuzneid’s idea that businesses need to prepare for when, not if, they fall victim to a cyberattack.
“Someone in your company is going to get phished,” White said, due to what he calls an “infinite series.”
“You essentially have an infinite number of people trying to do this,” he said. “They have an infinite number of attempts to do this.”
Eventually, that means the hacker will find a vulnerable employee, White cautioned.
Panelists also advised on how breached companies should approach ransoms.
Businesses need to carefully consider the consequences of paying a ransom, Freedman said.
“You need to understand what the risks are, and what the pros and cons are,” she said, adding that every ransomware attack she’s responded to on a client’s behalf in the past two years has involved exfiltration, meaning that companies are asked to pay a ransom not just to receive their stolen data back from hackers but also for the hackers to destroy the data.
“They don’t. They sell it to other clients,” Freedman said. “Your data is not safe even if they give you a certificate of destruction. It’s not worth the paper.”