Vanguard Magazine

Vanguard June July 2018

Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR

Issue link: http://vanguardcanada.uberflip.com/i/1001288


www.vanguardcanada.com JUNE/JULY 2018 23

have an average of 22 online passwords, far more than most people can realistically remember. So they reuse them, using the same password for an average of four websites. Many of these passwords will be weak ones, with research based on five million leaked in 2017 suggesting that the favorite choices remain "123456" followed by "password".

Security professionals can help with more user-friendly authentication processes. NCSC backs the use of password management software for individuals, which can generate strong passwords for each service – it is more likely that users can remember a single strong master password than two dozen. For organizations, a single sign-on service provides a similar option. NCSC also discourages organizations from forcing users to change passwords regularly, on the grounds that many people will use a similar weak one as the replacement.

There are also technology-focused approaches for spotting insider threats, such as behavior analysis, a useful technique that I will discuss in a future article.

Integrating IT security into IT operations

On process, it makes sense to integrate security into day-to-day IT operations. Some organizations run separate network operations centers (NOCs) and security operations centers (SOCs). I believe that having a separate NOC and SOC is not only inefficient, insofar as it is doubling up in some ways, but it is also ineffective. It is much better to run a single NOC-SOC, both for efficiency, but also because this makes security an integral part of the process of running an organization's network. A combined NOC-SOC can be controversial, and many people believe they should be totally separate. As a practitioner, I believe that it's much more sensible to bring them together, and this is increasingly happening in the market. I'm a great believer that 'operate' and 'defend' are two sides of the same coin.
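As an added example (not code from the article, from KPMG or from NCSC), the following Python sketch shows how the password guidance summarised above can be encoded in an account-creation check: a deny-list of commonly chosen passwords that also catches trivial variants, a length floor rather than complexity rules, a password-manager-style generator, and a change rule that triggers on evidence of compromise rather than on calendar age. The deny-list contents, the minimum length of 12 and all function names are assumptions made for the illustration.

```python
"""Password checks following the NCSC-style guidance summarised in the article.

Added example; not the article's, KPMG's or NCSC's code. The deny-list is a
constructed sample (the article names only the top two entries); a real
deployment would load a full breached-password list.
"""
import secrets
import string

# Constructed sample of commonly chosen passwords.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "123456789"}

# Assumption: a length floor replaces character-class complexity rules.
MIN_LENGTH = 12

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalise(candidate: str) -> str:
    """Lower-case and undo common substitutions so 'P@ssw0rd' matches 'password'."""
    table = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                           "$": "s", "5": "s", "1": "l", "!": "i"})
    return candidate.lower().translate(table)


def password_problems(candidate: str) -> list[str]:
    """Return the reasons a candidate is unacceptable; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    # Check both the raw lower-cased value and the de-substituted form.
    if lowered in COMMON_PASSWORDS or normalise(candidate) in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    # 'password1' and 'password2018' are the usual tweaks people make when
    # forced to change; strip trailing digits and re-check the stem.
    stem = lowered.rstrip(string.digits)
    if stem and stem != lowered and stem in COMMON_PASSWORDS:
        problems.append("common password with digits appended")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a per-service password the way a password manager would (CSPRNG)."""
    if length < MIN_LENGTH:
        raise ValueError("refusing to generate a password below the policy minimum")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def must_change(days_since_change: int, known_compromised: bool) -> bool:
    """Require a change only on evidence of compromise.

    The age argument is accepted so callers can log it, but deliberately plays
    no part in the decision: there is no forced periodic expiry.
    """
    return known_compromised


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd", "password2018", generate_password()):
        print(repr(pw), password_problems(pw) or "accepted")
    print("change after 1200 days, no incident:", must_change(1200, False))
    print("change after 30 days, leaked:", must_change(30, True))
```

The trailing-digit check is there because it is the failure mode the article describes: when users are forced to rotate, the replacement is usually the old weak password with a digit or year appended.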
Good cyber hygiene is no different from good IT operations hygiene – to take another example, business continuity and disaster recovery plans aren't just a mark of good cyber security but of good IT operational practice.

IT leaders can either take a "defence in depth" approach, where they build an ecosystem that integrates products and layers from multiple vendors, or go with a single provider and accept that they are not going to have best of breed in every area. Both approaches present benefits and risks, but I recommend defence in depth.

"To help tackle this, organizations need education – not just about cyber threats such as phishing, but more broadly about how you treat any form of information sharing or access."

In my opinion, there is a wide-open market opportunity around the provision of a 'security orchestration bus' that would take the input from the various products and layers and make that data available to the others through an API to allow true 'plug and play' across the enterprise and throughout the course of business.

None of this takes away from the fact that cyber security is a very real problem, and I don't want to take people's eyes off the ball. But I do want people to concentrate on what actually is important – and that means considering culture and process at least as much as technology.

References:

1. UK National Cyber Security Centre, 'Password Guidance: Simplifying Your Approach', January 2016
2. Fortune, 'The 25 Most Common Passwords of 2017 Include 'Star Wars'', December 19, 2017
3. UK National Cyber Security Centre, 'What does the NCSC think of password managers?', January 24, 2017, and 'The problems with forcing regular password expiry'

Mike Stone is KPMG's Global Head of Technology Transformation for Infrastructure, Government and Healthcare. He served as an officer in the British Army for 28 years and has worked as Chief Digital Information Officer for the UK Ministry of Defence as well as President of Service Design and Chief Information Officer for BT Global Services.

This is the second in a series by Mike Stone on cyber defence in depth. The first part of this series was published in the December 2017/January 2018 issue of Vanguard.

Cyber Security
