How and why enterprise website security fails.
David Hahn (Chief Internet Security Officer, Hearst) moderated a panel on "Malware and You: The Fallibility of Enterprise Website Security Strategies." The panelists included Ann Barron-Dicamillo (Vice President, Cyber Threat Intelligence and Incident Response, American Express), Tim Booher (Chief Information Security Officer, Colgate-Palmolive), John Felker (Director, National Cybersecurity and Communications Center (NCCIC), US Department of Homeland Security), Ondrej Krehel (Digital Forensics Lead, Chief Executive Officer and Founder, LIFARS), and James C. Foster (Chief Executive Officer, ZeroFox).
There are two trends affecting enterprise website security: the emergence of the browser as the basic tool of data access and collaboration in the workplace, and the rapid disappearance of lines between business and personal accounts.
Discussion opened with the CISOs describing their concerns about social engineering and securing the user. Barron-Dicamillo said that American Express had adopted restrictive policies with respect to use, but that they're working on technologies that would take the problem out of the hands of the users. Booher advocated strong policies around plug-in management, and described Colgate-Palmolive's interest in creating an environment around browsers to sanitize them.
Hahn turned to the two security company executives on the panel, and asked what they were seeing "from the outside in." Krehel (after suggesting that he was performing a public service by speaking with his customary accent, since "the guy who calls to tell you he's infected you with ransomware is probably gonna sound like me") answered with a question: "Should the browser be naked, and should code be rendered elsewhere?" The browser is almost surely the future of the way we access data, and more attack tools will focus on the browser. We're looking for API-based solutions, he said, but API integration never really happened in cybersecurity. And he cautioned that it's a mistake to think that, if you scan something once, it's safe. A piece that completes malicious code can show up a week later, and you'll have missed it.
Foster explained that ZeroFox had for years trained its users to be very careful about what they clicked. But about three years ago such training became very difficult. With the introduction and general adoption of URL shorteners, "There's no longer an opportunity to train people not to click on a link that looks bad." Social networks inherently tend to induce trust in their users, he added, and so we need a new security paradigm.
Felker took up the point about trust, and noted that security professionals themselves can be among the most naively trusting victims of social engineering. He is a strong advocate of swift, unclassified information sharing, and reviewed Department of Homeland Security initiatives at the NCCIC and elsewhere that are designed to accomplish this.
Foster concluded with observations about the vanishing line between the personal and the professional. "Adversaries don't distinguish corporate from personal assets. The line's blurred, and the cloud makes it blurrier."