As the CTO for a company that provides cloud-based directory services, my job is to be on the cutting edge of IT security – not just for us, but for a wide variety of businesses across sectors.
From my conversations with other executives and IT staff, it’s clear that they have a lot of questions about how they can prevent being hacked. While most executive teams now understand how important good security practices have become, they’re having trouble keeping up with them and establishing them company-wide.
What advice would you give to a systems admin or DevOps engineer?
Reactive protection can only take you so far. Dropping antivirus on machines means that you’re always playing catch up with the latest exploits and threats.
Closing down ports and locking down your infrastructure isn’t a panacea either, though. Sophisticated threats involve multiple tiers of attack, sometimes involving a series of exploits to get behind your firewall and into your vulnerable underbelly.
Also, there’s no security through obscurity. Pushing your keys into the toe of your shoes at the beach wouldn’t be effective against millions of thieves constantly prowling the shore. The internet is brimming with bad guys with time and resources on their side.
How about for the CEO or other people on an executive team?
Even if you have a team of engineers working to protect you, you have to be vigilant yourself. Just like the safety features in a car won’t save you from reckless driving, you can undermine your company’s security through reckless action.
Don’t click links in emails, don’t download attachments without being sure you know what they are. Don’t email passwords — this one happens ALL the time — and don’t send them over IM either.
Executive names and personal data are often easy to find online. Email addresses are trivial to spoof. A recent attack going around involves the CFO getting an email from the CEO saying to initiate an emergency money transfer or something of the sort. It can look very convincing, using the same signature block and referring to the CFO by first name. Of course it actually comes from an attacker.
The CTO or CIO (or CSO, if you have one) has a special responsibility to not only train technical staff to be security conscious, but also imbue the entire company with a security-first culture. It also means making sure the executive team takes it to heart that they will be personally targeted, and to not shy away from forcing them to act in a secure way as well.
Advice for Developers?
I had a First Sergeant in the Army who used to always say “Don’t do dumb things.” Think about how often you know that what you’re doing isn’t the ‘right’ way, but it is the expedient or easy way. Those are exactly the things that get exploited later on, and building a product quickly doesn’t matter at all if it destroys the reputation and position of your company.
Also, security isn’t something you can tack on after everything else is done. Every decision must be made with the mindset of “what would I do to break this?”
Don’t fall into the thinking of “Meh, why would they bother targeting me?” Getting a virus or keylogger into your company’s network is often just the first step in a broader attack. Clicking links, downloading attachments… these are the attack vectors most commonly used.
Also, be aware of social engineering. An unknown caller might be screaming at you on the phone, pressuring you into doing something that they can exploit. “I’m losing ten thousand dollars a minute! Change my password now or I’ll have your fucking job!” If it’s outside of your normal operational duties, push it up to someone who has the authority — and the training — to assess the risk and make the call.
Overall, this comes down to training and constant reinforcement. It’s easy to get complacent. Without security at the forefront of your mind, eventually you will make a mistake, and it doesn’t take many mistakes before you’re explaining to the press how you’ve been compromised.
Resources to Learn More about IT Information Security
Trends for 2014: The Challenge of Internet Privacy [pdf]
This thorough report covers the NSA, cyber-crime, and “The Internet of Everything.”
The Guide to Doing More Faster, Now with IT Control [ebook]
This is JumpCloud’s very own guide to navigating the opportunities and challenges that new advances in IT offer, including a chapter on DevOps.
7 Ways to Prevent Being Hacked [article]
From Globe University, this quick guide is exactly what it sounds like.
Top 15 Security Threats 2015 [List]
This run-down of the biggest security threats facing businesses in 2015 includes polymorphic malware and shadow IT.
Best VPN Services [article]
This 2015 PC Mag Article provides a chart showing the features of ten leading VPN services.
Topher Marie is co-founder and CTO of JumpCloud Inc, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. The bulk of his time is spent wrestling with the concepts and mechanisms of provable identity – SAML, IWA/Kerberos, PKI, OAuth, OpenID, and multi-factor authentication, to name a few. He has also had ample opportunity to get his hands dirty with protocol-level internet communication and to apply his skills in the area of cloud security.