By definition, a CIO’s responsibility is to support the computer systems, technology and data for the enterprise relying on their judgement and expertise to keep digital assets and environments secure and running smoothly. But according to an article published in National Mortgage News on April 22nd, 2015, CIOs can many times actually be doing a disservice to their responsibilities by focusing too heavily on making sure all the i’s are dotted and t’s are crossed when it comes to company policy and industry best practices, and not enough focus on getting an outsider’s perspective regularly.
Best practices and sound policies are of course instrumental to effective cyber security, but they are just playbooks, playbooks that many hackers know inside and out as well, from common defense tactics to widely used emergency response practices. What cyber security professionals from outside the organization bring to the table is a fresh look from a real-world perspective, and that’s not just instrumental, it’s crucial.
Social engineering, beating the human element
Joe Caruso, founder and CEO/CTO of Global Digital Forensics (GDF), a premier national provider of cyber security solutions headquartered in New York City, has helped businesses of all sizes navigate the ever evolving cyber threat landscape since the infancy of the Internet, and if there is one thing he has seen proven time and time again, it’s that, “cyber security does not come in a one-size-fits-all solution, and that’s a problem when security is looked at through a purely academic lens. Trust me, the real world of cyber threats is far more brutal than what you’ll learn about in the halls of academia, and when the stability and success of an entire organization rests in the balance, the stakes are just too high to not approach the problem from a real-world cyber attacker’s point of view. If there are six words that need to get pounded into the heads of CIOs responsible for cyber security as often as possible, they are social engineering, social engineering, and social engineering. That’s how even goliaths that have every resource and security technology available to them still manage to get bested and victimized, from Target, to Sony, to Anthem and beyond.”
First assess, then test
Comprehensive cyber threat assessments and penetration tests by Global Digital Forensics are designed to look at the entirety of the big cyber-security picture. On the cyber threat assessment side, GDF takes a look at all those i’s and t’s CIOs love so much, by reviewing and understanding existing policies, procedures and enforcement, looking at any specific regulatory compliance issues a client may face in their particular industry, mapping the digital architecture and addressing the whole scope of it, including the burgeoning problems related to the increasing popularity of BYOD (Bring Your Own Device) policies, understanding the intricacies of the daily data flow, making sure emergency response plans are well designed to effective and fast, and helping clients recognize and remediate any other issues that may be found.”
The right way to really test cyber security is from a hacker’s perspective
“On the penetration testing side, GDF assumes the role of a real-world attacker, launching simulated cyber attacks just like the ones they would use. The tests get customized to a client’s unique situation, which can include everything from realistic and advanced spear phishing campaigns, to devious and clever ways we’ve devised to get a “GDF-infected” USB stick inserted into a target network, and much more. We take great pride in the fact that, so far, we have a 100% success rate when it comes to infiltrating a targeted network. And there is nothing more effective than actually showing a CIO, an executive, a manager, or even an employee that we did get by them, here’s how and here’s how to fix it. It’s also not unusual for us to then get retained to give cyber security awareness seminars for the entire organization afterward, and I can tell you that all eyes are forward and paying attention when you successfully phished 60-70-80% or more of the company, or can point out how many were fooled into inserting one of our “infected” USB sticks, effectively compromising the network. And if you can raise that awareness and make it stick, you already won more than half to the battle when it comes beating cyber attacks at the source,” Caruso says. “Those are just some of the tricks in our bag, but like today’s hackers, there’s always more things we can dig out of our arsenal to get the job done right for any unique situation and identify any weak links in the chain.”
It just takes one misstep for a disaster to unfold
“If you plug the holes which can lead to that initial intrusion that hackers use as the springboard to start moving sideways across the network, make everyone aware of their responsibilities and understand the ramifications even a single lapse in judgment can have and show them how to avoid being an unknowing accomplice to a cyber attacker, for both businesses and critical infrastructure alike, everyone will be safer in the long run,” says Caruso, “including whomever is filling that monumentally important position of Chief Information Officer for an organization in today’s dangerous digital world.”
*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit our cyber security page.