Q&A with Jason Mical: Approaching cyber security

There is no one size fits all, says Jason Mical, VP of Cyber Security, AccessData. He also describes some of the most active threats in Asia Pacific.

How would you characterise the cyber security scenario today? What shortcomings do you see in terms of preparedness?

The biggest problem today is a lack of education on how attacks operate, which is necessary to understand the appropriate defensive posturing. Without that understanding, there's no context, and without context there's no strategy. Even today, there's an undeserved obsession with the initial infiltration vector.

Company XYZ didn't get hacked because an HR person was spear phished. They were breached because they failed to detect the attack in progress as the attacker elevated privileges (think PW dump and pass the hash), moved laterally through the company intranet from system to system, stole all credentials in the Active Directory database, copied sensitive data off the network, etc. Even if the company was immune to spear phishing, the attacker would have figured that out and moved on to other infiltration vectors.

Additionally, while attackers use hacking tools and backdoors for portions of the attack lifecycle, those tools are very different from viruses, botnets, and mass malware. Lumping all software used for bad under the one name of "malware" is misleading. Again, context is key. Those responsible for security need to understand that if they identify a hacking tool, backdoor, or RAT that isn't prolific in nature, they need to have a response that's very different than disinfecting a system that has a virus.

Chances are, there's a hacker behind the wheel performing lots of manual actions that need to be discovered through an investigation. Much of their activity would look like a system administrator went rogue. This is a concept that most organisations still do not grasp.
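The answer above says the intrusion should have been caught in progress and that the attacker's activity looks like an administrator gone rogue. As an added illustration (not from the interview or from AccessData), the detection below scans a constructed set of Windows-style network logon records and flags any account that authenticates to an unusually large number of distinct hosts inside a short window, which is what credential reuse and lateral movement look like in log data; the sample events, the ten-minute window and the four-host threshold are all assumptions.

```python
"""Flag accounts that fan out across many hosts in a short time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real logs):
# timestamp, account, source host, destination host, logon type.
# Logon type 3 is a network logon; type 2 is an interactive console logon.
SAMPLE_EVENTS = """\
2016-03-01T09:00:05 CORP\\jsmith WS-HR-12 WS-HR-12 2
2016-03-01T09:02:10 CORP\\svc_backup WS-HR-12 FS-01 3
2016-03-01T09:02:41 CORP\\svc_backup WS-HR-12 FS-02 3
2016-03-01T09:03:05 CORP\\svc_backup WS-HR-12 SQL-01 3
2016-03-01T09:03:30 CORP\\svc_backup WS-HR-12 DC-01 3
2016-03-01T09:04:12 CORP\\svc_backup WS-HR-12 WS-FIN-03 3
2016-03-01T09:10:00 CORP\\admin_bob WS-IT-01 DC-01 3
2016-03-01T14:10:00 CORP\\admin_bob WS-IT-01 FS-01 3
"""


def parse_events(text):
    """Parse the whitespace-separated records into typed tuples."""
    events = []
    for line in text.splitlines():
        ts, account, src, dst, ltype = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst, int(ltype)))
    return events


def find_lateral_movement(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {account: sorted destination hosts} for every account that reaches
    at least min_hosts distinct remote hosts via network logons within any
    sliding window of the given length. Thresholds are assumed values."""
    by_account = defaultdict(list)
    for ts, account, src, dst, ltype in events:
        # Only remote network logons matter; console logons to the same host do not.
        if ltype == 3 and src != dst:
            by_account[account].append((ts, dst))
    flagged = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged
```

A legitimate administrator touching two servers five hours apart stays below the threshold, while the service account sweeping five hosts in two minutes is reported.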

Is there a best way to approach cyber security? What could it be?

There is no one-size-fits-all approach. Generally speaking though, organisations need to know what their assets are and make sure those assets are identified as much as possible. Apply the concept of least-privilege access and role-based access control to ensure access is limited to those that need it and only what they need.

Next, research the known threat actors out there and figure out which ones apply. Learn as much as possible about how they operate and prioritise both preventative measures and detection systems to see what gets through. Have well-rehearsed response plans in place for likely scenarios. The goal is to make it a pain for the attacker to make progress from victim zero (initial infiltration) to the goal line, and then have eyeballs scanning hosts, network data, and log files to see them running around the field.

Have game plans in place to chase them down and kick them off the field. The most important thing is that you need to have people that can do these things. There are newer training courses geared for this from places like SANS.

What are some of the most active threats in the Asia Pacific region?

Although most threats span globally, I am aware that there's a tremendous amount of energy being spent to hack and commit fraud in online games. Much of this activity is coming from hackers in China. The attackers have even been bold enough to go after the gaming companies with the level of sophistication usually only seen with APT intrusions and targeted, large financial crimes. Speaking of APT, the Chinese state-sponsored APT groups are hacking into other AP countries: Singapore, Japan, and Australia, to name a few.

In view of the increased waves of state-sponsored attacks as well as hacktivism, should security vendors work with government agencies to tackle local and global attackers? Are they the new arms dealers?

This is already happening. It's all via unofficial communications. Because the agencies tend to classify everything as classified by default, it makes information sharing very difficult. Additionally, government entities, intelligence agencies, and law enforcement agencies will look to the private sector for expertise and support when dealing with these adversaries. Sometimes, they'll contract out work, but that's very sensitive and not discussed in public.

How would BYOD impact businesses in the Asia Pacific region? What are BYOD's implications in terms of risk management, data protection, and data management?

As far as I'm aware, there's nothing unique to the AP region on this topic. I could be wrong though. I'd say there are two very large risks to BYOD in general. The first is that an employee could accidentally lose or leak sensitive information. The second is that organisations have little to no control or visibility into employee-owned devices. The lockdown mechanisms that can be enforced are pretty generic and not very relevant to modern-day hacking.

I have observed APT attackers get kicked out of a corporate network after months of investigation and planning for remediation, only to get re-compromised because the attacker had backdoors planted on employee-owned assets.

How can local businesses change their strategy to cope with the new threats?

My advice has always been the same for SMB. Computer systems used for business operations should be separate from systems used for email, web browsing, etc. They should be segmented into two networks that either have no connectivity between them or only the bare essentials needed to conduct business.

Have the business owner talk to someone who's gone through a card data breach. Then ask them if letting employees browse Facebook from the same system they use to run their business or accept credit card payments is worth the risk. Most business owners wouldn't want to risk losing their whole business because someone clicked on a bad link.
