For many IT managers, being cyber aware is a hard thing to pin down. Does this mean that you (really) understand the various potential threat modes that can put your organization at risk? Or that you have some form of regularly scheduled cyber security awareness training happening? Or that you have multiple threat detection and response tools in operation to protect your endpoints? If you have been reading my columns, you know that the best answer is that there is some combination of all three of these elements.

Let’s put this in context, because it is once again time to highlight that October is Cyber Awareness month. Last year I wrote about how security awareness has to be “celebrated” every day, not just in October. Let’s look at some of my recommendations from that blog post and see how far we have come – or not.

My post mentioned four major themes to improve security awareness:

• More comprehensive adoption of multi-factor authentication (MFA) tools and methods,
• Ensuring better backups to thwart ransomware and other attacks,
• Paying more attention to cloud data server configuration, and
• Doing continuous security awareness training.

Sadly, all four of these suggestions are still needed, and many of the past year’s breaches happened because of one or more of them were neglected. There are some bright spots: MFA projects seem to be happening with greater frequency. Single sign-on tools are improving their MFA support, documentation and overall integration making it easier for corporate security developers to add these methods to their own apps. And security awareness training seems to be on the rise as well, with many companies implementing more regular assessments to motivate users to be more careful. This is good, because the bad guys are constantly upping their own game to try to trip us up and force their way into our networks.

But there are also problem areas that have arisen in the past year that bear mention. While ransomware continues to plague many companies, the way that attackers are getting to delivery their ransom attacks is troubling. The news over the past year has shown increased targeting by bad actors. This happens in several ways, including:

• Looking for customers of a single VAR (such as what happened with many local Texas governments),
• Finding those targets who are using a common software supplier (such as what happened with takeovers of disused Github projects), and
• Injecting code into scripts used in other software (such as these Magecart attacks with the ecommerce code used by college campus bookstores).

For these cases, a single exploit caused multiple attacks because of the common software used by their customers. This means that better backups aren’t enough anymore: you also must secure your software supply chain and treat any external software supplier as a potential source of a threat.

This means you need to think about whether your existing security tools can catch such exploits, and if not, what protective measures you can put into place that can. For example, do you have a subresource registry to verify the integrity of your source code? Or do you have a policy to host as many of your third-party scripts on your own servers rather than on any of your suppliers’ servers? Both are worth investigating.

Part of the problem is that attackers are getting more determined: we’ve seen evidence (such as what happened this past year at British Airways) where they have tried multiple entry points and adjusted their methods to find a way inside a targeted network. But a big part of why attackers succeed is because we have very complex technologies in place with multiple failure points. Some of these points are known and protected, but many aren’t. This is why security awareness is a constant battle. Standing still is admitting defeat. So the title of this post isn’t as rhetorical as you might think. Chances are you aren’t as aware as you think you should be, and hopefully I have given you a few ideas to improve.

Analysts predict that the multi-factor authentication (MFA) market will continue to grow, fed by the demand for more secure digital payments and rising threats, phishing attacks and massive breaches of large collections of passwords. This growth is also motivating MFA vendors to add new factor methods (such as some of the newer hardware tokens shown here) and make their products easier to integrate with custom corporate and public SaaS applications. That is the good news.

The bad news is twofold, and you can read my latest update for CSOonline on MFA trends here to find out more about how this market has evolved.

One of the things that I like about our hyperconnected world is how easy it is to virtually attend just about any tech conference. Most conferences today have streamed or recorded sessions that are well indexed and of high enough quality. Today’s post is about a session at the RSA Singapore conference in July. Before I talk about that, let me discuss why I think Singapore is so important for IT security professionals.

I have been interested in the island nation since I gave a talk there more than 20 years ago. Back then I saw the beginnings of where the country could go with playing a key role in IT. My audience had folks who spoke more than a dozen different languages and who came from almost as many nearby countries. Since then, Singapore has invested big-time in its IT development, particular with respect to smart city technologies: this is its fifth year of a series of major investments that include improving commutes, digital payments and secure identities. This year, the country will spend more than an additional US$1B in new smart city enhancements.

Part of these expenditures is in how the country has taken a page from the Israeli playbook. The nation has created various cybersecurity programs that are coming from a number of directions. For example, this summer it launched its third bug bounty program to improve its various digital services. And the government has helped to encourage startups with the incubator Innovation Cybersecurity Ecosystem@Block71, a partnership between the government, private investors and its National University. These government initiatives have encouraged others: in the past year, both BT and Cisco have opened up offices there to conduct research and support their southeast Asian customers.

Let’s turn to the RSA conference session that was led by President Rohit Ghai and covered issues on smart cities, privacy, and digital transformation by three panelists:

• Vishal Salvi, the CISO for InfoSys, a private cybersecurity consultancy based in India,
• Aswami Ariffin, Sr. Vice President of the Malaysian Cybersecurity Responsive Services Division, and
• Andrew Woodward, the Executive Dean at the School of Science at Edith Cowan University in Perth Australia

This panel is typical of the role that Singapore plays in that part of the world. It shows the diversity of nationalities and stakeholders that have to be assembled for successful cybersecurity solutions. If you watch the recorded video, you will first hear this panel express their concern about the cybersecurity toll that companies doing business in smart cities will have to deal with. Aswami Ariffin thinks that “we are opening the cyber floodgates with smart city implementations. We have to better understand the risks involved and make sure we have the right solutions.” He suggests that businesses look to partner and work collaboratively with government and communicate with the right stakeholders. Vishal Salvi pointed out that different industries have different cybersecurity implications when it comes to smart cities, both in terms of data risk and operations. “This could change conversations for their boards of directors, both in terms of basic cyber hygiene and infrastructure protection.”

When it comes to dealing with digital disruption, Andrew Woodward was concerned that many companies are still conducting business as it was done decades ago. “For many, their approach is still with a pre-digital mindset when it comes to risk management, with the justification that we have always done it a certain way.” Salvi mentioned that cybersecurity has always been behind IT innovation, particularly in the financial sector. “Now we have the sharing economy and connected cars where change happens in weeks, not months. This rate of change is putting pressure on CISOs and business owners to embed security while and where this change is happening. We have to provide agile solutions to support that transformation.” Ariffin gave his perspective for the appropriate role of government: “We don’t want to force businesses to create any white elephant projects. Our goal is to try to help private businesses over security hurdles and to educate them about other risks besides cybersecurity, such as with their operations and following regulations.” The Malaysian government has its Intelligence, Incidence and Investigation program as one of these activities.

Salvi mentions that cybersecurity should be front and center and set the foundation for any digital transformation future activities. But the price of doing nothing is also an issue. “Failing to do any digital transformation is the largest risk. You are looking at rapidly changing the foundations of your business models. We have to embed security in everything.”

Part of this challenge is when we empower users to take control over their data, it creates issues for security managers to protect this data and control appropriate access. “There is a tension between security and privacy, at some point we need a better balance,” said Salvi. “Eventually, the world will adopt better rights management and more common encryption methods.” Woodward said that this creates an “interesting tension with the drive to increase cybersecurity through regulation but we also want users to take control and be custodians of their own data.” This complicates how breach laws will be enacted and enforced, for example.

Given the dearth of qualified cybersecurity professionals worldwide, academia is rising to meeting these challenges by changing the way they are educating future cybersecurity workers. “The key is be able to work together with industry and government to address the right problems,” said Woodward. They have also reworked their curriculum and have created more online classes, even at the master’s level. “It isn’t one job for life anymore. We call them ‘conversion classes’ and they are designed for workers to become cybersecurity professionals in mid-career. Nowadays, students want on-demand classes with content-rich media and don’t want to attend lectures. It is all about reskilling and upskilling. We want our students to have hands-on experience when they graduate, so they are ready to join the workforce.” His reach goes beyond the traditional four-year degree too. “We have programs for elementary school students to get them to think about cybersecurity as a career.”

This panel could have taken place just about anywhere on the planet: cybersecurity challenges and solutions are truly universal.

Security expert Lesley Carhart tweeted last month, “If you’re a CEO, CFO, or CIO, you’re directly responsible for the caliber of cybersecurity at your company.” During the RSA conference in Singapore a few weeks ago, RSA’s CTO Zulfikar Ramzan described several different C-level executives who could have direct responsibility for some portion of your security infrastructure:  CEO, CIO, CSO (or CISO), CTO, and the Chief Data Officer. If three is a crowd, then this is a herd. Or maybe a pod, I never really learned those plural descriptors. And that is just the top management layer: for a large corporation, there could be dozens of middle managers that handle the various security components.

From the IT folks that I have interviewed over the years, this seems sadly all too typical. And that is a major problem, because it is easy to just pass the buck (or the token or packet) from one department to the next. Even something as simple as your firewalls could be an issue. You might think that they clearly are run by your network administrator. But this person could report to the CIO or the CTO or maybe there is that dreaded “dotted line” responsibility so the network admin needs to report to both of them. That can get messy.

What I am saying here is that security should be everyone’s responsibility, and not just the executives but the worker bees too. This is not a new idea. This post lists four reasons why:

• Humans are always going to be the weak link
• Tech is continually evolving, and everyone needs to stay on top of these changes
• Our hyper-connected world magnifies mistakes
• Our data privacy is under siege

But if the various execs can’t sort this out on their own, how do you expect your rank and file to get a clue?

Here is a short test to see how you have distributed your security responsibilities across your enterprise. Try to answer these questions truthfully.

1. Who owns the breach response? When a breach happens, who is in charge, meaning who directs the deployment of resources and analyzes the investigation and mitigation?
2. Taking the answer to the first question, is this the same person that owns a response to an accidental data leak? Or a leak that is done on purpose from a rogue employee? If they are two (or more) different execs, why?
3. Who owns the day-to-day security operations, whether that be a SOC, NOC, SOC-as-a-Service, or some combination of those entities?
4. If one of your C-level execs doesn’t follow best security practices, can you do something about it? What if it is the CEO who doesn’t ever change his default password?
5. If you move a server out of your data center and spin it up in some cloud service, how many executives have to approve that move? And who takes ownership of the server afterwards?
6. You probably have a few desktops that are running Windows 7 (or even older versions). Do you know how many outdated desktops you have? This isn’t completely a rhetorical question, given the research that shows that more than 800,000 XP endpoints are still unpatched and could be exploited by Bluekeep Whose budget pays for these updates? Whose budget pays for the endpoint protection software and keeps track of those PCs that haven’t been properly protected? If these are three different folks, how do they communicate in the time of a crisis, such as in the aftermath of a successful phishing attack?.
7. Speaking of phishing, let’s say you want to establish a regular phishing awareness training effort. Who picks up that tab, and who handles the problems that are uncovered?

I hope you can see a pattern emerging: Chances are, the same person might not be involved in the problem and its resolution. That is what the bad actors count on: they can drive a wedge between these departments. This is how exploits can happen, and how your company can end up in trouble.

By now, you know that I don’t just raise issues, but try to provide some solid action items and offer a few practical suggestions on how to fix things. You mission, should you decide to accept it, is to try to align responsibilities to be more effective in managing your IT security.

First, develop a clear line of authority between different departments to handle breaches, leaks and exploits. Next, have a game plan when it comes to breach response, rehearse it regularly, and make sure that you update this plan as people or equipment change to keep it current. Third, security budgeting should be a joint exercise among the desktop, network, apps, data owners, legal and server department heads. It makes no sense to favor one over another: we all have to learn to share. Finally, in this spirit, identify where your information silos have been built and start thinking about ways to tear them down, encourage cooperation and collaboration to reduce your overall risk profile. That is a lot of work, to be sure, but it is needed, and there is no time like the present to start too.

RSA recently published this eBook on three tips to secure your cloud. I like the direction the authors took but want to take things a few steps further.  Before you can protect anything, you first need to know what infrastructure you actually have running in the cloud. This means doing a cloud census. Yes, you probably know about most of your AWS and Azure instances, but probably not all of them. There are various ways to do this – for example, Google has its Cloud Deployment Manager and Azure has an instance metadata service to track your running virtual machines. Or you can employ a third-party orchestration service to manage instances across different cloud platforms.

Here are my suggestions for improving your cloud security posture.

The Domain Name System (DNS) is showing signs of strain. Attacks leveraging DNS protocols used to be fairly predictable and limited to the occasional DDoS floods. Now attackers use more than a dozen different ways to leverage DNS, including cache poisoning, tunneling and domain hijacking. DNS pioneer Paul Vixie has bemoaned the state of DNS and says that these attacks are just the tip of the iceberg. This is why you need to get more serious about protecting your DNS infrastructure and various vendors have products and services to help. You have four key options; here’s how to sort them out in a piece that I wrote for CSOonline..

I first wrote about polymorphic malware four years ago. I recall having a hard time getting an editor to approve publication of my piece because he claimed none of his readers would be interested in the concept. Yet in the time since then, polymorphism has gone from virtually unknown to standard practice by malware writers. Indeed, it has become so common that most descriptions of attacks don’t even call it out specifically. Webroot in its annual threat assessment from earlier this year reported that almost all malware it has seen had demonstrated polymorphic properties. You can think of it as a chameleon of malware.

In this post for Dark Reading, I describe how polymorphism has gotten popular with both attackers and defenders alike, the different approaches that the vendors have taken, and some suggestions on keeping it out of your infrastructure.