Bruce Schneier: IT Teams Need Cyberattack Response Planning More Than Prevention
Corporate and government IT teams have been rushing to prevent the kind of large-scale cyberattack experienced recently by Sony Pictures, Blue Cross, Anthem, Target, Home Depot and the U.S. Department of the Interior, among others. In each of these cases, hackers from locations around the globe were able to gain access to computer networks housing sensitive information, accounts, and personal data, such as the social security and credit card numbers of consumers and employees. The consequences of such security breaches can be devastating.
"Everyone is hoping that they're not next," said Bruce Schneier, a security guru and internationally renowned security technologist.
But prevention is only part of the solution, Schneier says. An organization's response to a breach needs even more attention, he says. "We simply need to get better at incident response. We need to be smarter, faster, and more effective."
Schneier will give a keynote on "Attacks, Trends, and Responses" at LinuxCon, CloudOpen and ContainerCon North America in Seattle on Tuesday, Aug. 18, 2015. Here, he discusses the need for a conceptual shift on security and what organizations can do to better prepare for the inevitable cyberattack.
Schneier has authored 12 books as well as hundreds of articles and essays. He writes a popular and respected newsletter, "Crypto-Gram," and his blog, "Schneier on Security," boasts more than 250,000 readers.
Linux.com: What do you think is the biggest conceptual problem related to security in tech today?
Bruce Schneier: I think we need a major conceptual shift about how an organization relates to data. It used to be something separate, managed by the IT department. That doesn't work anymore. Data is central to every aspect of an organization, and often an organization's most important asset. This means that information security is basically corporate security. And while we've seen executive positions like CIO and CISO in response to this fact, I don't think it's really sunk in enough how much data is part of everything.
One of the things this means is that information security is not technical, although it has a technical component. It is much bigger than that. I am starting to see the conceptual shift in this direction. Conversations about resilience are part of it, because resilience is about a lot more than IT security. Resilience is an emergent property of a way to think about organizations and risk and security.
What would you say are the biggest takeaways of the recent, large-scale attacks (like Sony)?
Schneier: The most important takeaway is that we are all vulnerable to this sort of attack. Whether it's nation-state hackers (Sony), hacktivists (HBGary Federal, Hacking Team), insiders (NSA, US State Department), or who-knows-who (Saudi Arabia), stealing and publishing an organization's internal documents can be a devastating attack. We need to think more about this tactic: less how to prevent it—we're already doing that and it's not working—and more how to deal with it. Because as more people wake up and realize how devastating an attack it is, the more we're going to see it.
How is the industry addressing this now?
Schneier: Everyone is hoping that they're not next.
What is the most important way organizations can improve their security practices?
Schneier: Security is a combination of prevention, detection, and response. Right now, response is the worst of the three and the area where organizations need the most improvement. We simply need to get better at incident response. We need to be smarter, faster, and more effective. We need to integrate IT incident response into corporate crisis management. We need to be able to figure out what's happening to our organizations and what to do about it. And we need to do it in a way that makes us more resilient as an organization. I know some of this sounds fluffy, but right now it's the most important thing we need to focus on.
How can we address security issues at a global scale?
Schneier: If I knew that, I would be doing it. International issues are very difficult, and not only in cyberspace. Espionage is global. Cybercrime is global. Legal corporate surveillance is global. This is going to be a major issue in the coming years.