From CNBC to You: Leo Taddeo Former FBI Agent Talks Cybersecurity
Former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office, Leo Taddeo, and now Chief Security Officer at Cryptzone joined Jason Garbis VP of Product to discuss webinar-attendees’ questions related to cybersecurity. Listen to the recording now or read this snapshot of what was discussed.
Achieving the balance between privacy vs. security (or Apple vs. the FBI)
Many in the media have framed the issue as Apple vs. the FBI, but it shouldn’t be framed as a contest between these two important institutions. Up until some recent technology changes i.e. the advent of increasingly secure smartphones, there was a balance between law enforcement’s need for security and people’s privacy. With the advent of new operating systems and security features, we see law enforcement locked out of certain types of phones which has created the issue.
What’s needed is a balance – a compromise between the technology companies producing these very secure phones and law enforcement agencies that have a legitimate need to access the phones to perform some very important functions.
In the US and in other countries, there is precedent to achieving the balance between giving law enforcement agencies access to people’s data in a structured way via warrants, wiretapping, etc. What’s different now is that the technology to keep law enforcement out of a phone comes as a default in some of these phones. In the past, some users with technical expertise would apply encryption to the phone. Now we have companies like Apple including security functions like encryption as a default – everyone has it. There is an ease of application of very strong encryption and an increase in the amount of people who have these phones. That is narrowing the number of phones law enforcement can access and impacting the amount of resources needed for law enforcement to access the phones, leading to an imbalance of threats vs. resource to detect threats.
We are going to see that as more of these very secure phones are purchased, more will be found at crime scenes and more of them will become the central part of these important investigations. This is just the beginning of the application of this lawsuit across the US.
Privacy vs. Security on Enterprise Managed Devices
For BYOD or corporate managed devices, there are a broad set of legitimate reasons for law enforcement to gain access. There are also a number of risks for enterprises if they allow an individual access to their systems via unmanaged devices. Employees could introduce unmitigated risk – an unmanaged device may have vulnerabilities you haven’t protected against. The other risk is that the employee might be accessing information they shouldn’t via these devices, opening the company up to risks or compliance breaches. The challenge is that employees are going outside of their responsibilities in these areas or they have access to network resources that introduce risks to the organization. IT security must mitigate this risk. What’s needed is a way to ensure employees only have access to the network resources that they need to do their jobs and that rights are granted based on granular permissions.
Enterprises need some level of management to ensure they have access to devices to review what employees are doing, validate that access policies are being met, etc. It’s a challenge though to achieve the right balance of supporting a BYOB culture, while not exposing enterprises to unnecessary risk.
It isn’t a perfect environment at the moment, we can set policies to limit what an employee SHOULD do. But from a technical point of view, it’s almost possible to limit what an employee CAN do.
Cybercrime is an Organized Industry
Cybercrime has evolved from crime of opportunity where skillful hackers could monetize information they could steal, deny service or monetize making network defenders uncomfortable. It has transitioned from a cottage industry into a full-blown money making industry. We now have specialization, hierarchy within organizations, R&D, talent acquisition, and infrastructure.
We also have many very smart and talented people in Asia and Eastern Europe who have no outlet for their skills i.e. ability to enter into a legitimate career, so they turn to cybercrime.. The result is more serious threats for enterprise organizations. The cybercrime industry has created a flexible and nimble suite of capabilities. We see types of attacks such as ransomware go from simple attacks in 2012/2013 to sophisticated campaigns in 2015/2016 because the money being made has attracted a lot of talent. In addition, there has been a lot of time spent in R&D by these cybercrime professionals, so the malware became better.
Cybercrime is not going away. Staying ahead of these hackers is essential, and needs to be done with the right level of resources, especially because cybercrime has evolved to become an organized industry.
More isn’t always better
More network security tools aren’t always better. More tools introduce complexity because your team needs to manage them to close all the gaps. That’s a challenge. In addition, you might not always have the headcount to manage a large tool set. Also, if you purchase tools without the people to manage them, you may never use them to their full capabilities. It gives you the false sense of security. With a more is better approach, you may be introducing vulnerabilities.
There is a significant shortage of security professionals. Many IT security professionals are communicating to their boards that their security posture is appropriate because they have a suite of different tools that protect their environments. The bottom line here is you need the people to manage these tools.
In the cybersecurity industry, we are also seeing significant turnover for most enterprises. It isn’t enough to have the employee, it is also important to keep that employee long enough to get the tools working properly. Employee retention is essential.
For more insights and recommendations from Leo Taddeo, listen to the recording now.