What we can do about cyber security in Singapore

When it comes to cyber security for enterprises large and small, we are only as strong as our weakest link, says Anthony Lim from the Cloud Security Alliance.

Singapore’s Smart Nation vision will bring all of us to the forefront of 21st century living – better lives for our citizens, more opportunities, and building stronger communities. 

With the openness and connectivity that we enjoy through technology, security becomes equally important. Cyber security and vigilance should become as much of our daily lives as technology will be.

Industry observers, academics and security solution providers have come forward to offer opinions and observations on the trends and threats of cyber security, and all of them are valid and applicable.

There are many areas that we can look into and here are areas that Singapore should pay attention to – and I would like to share the 3 key areas of concern that individuals and companies can play a larger part in being vigilant. 

Continued proliferation of cloud services

The proliferation of cloud services is in itself not necessarily a security issue, given all the cost savings, cash flow management, flexibility and scalability that cloud services promises.  

We see more data-centers (DCs) being built each day in Singapore, Taiwan and some other parts of Asia. This is a big indication that cloud services are already huge and will continue to grow.

The issue is that while more apps and services, take advantage of the cloud, consumers are not really sure what security issues to look for, or to ask of in service level agreements.

Yet, there are still security issues dogging cloud services and solution providers are working hard to tackle these areas, namely: 

• Data Breaches (unauthorised or accidental access) 
• Data Loss (backup or storage failure) 
• Account or Service Traffic Hijacking 
• Insecure APIs (trying to meet many different platforms)
• Denial of Service (system failure)
• Malicious Insiders 
• Abuse of Cloud Services (eg hijacked by hackers)
• Insufficient Due Diligence 
• Shared Technology Issues (eg. Hypervisor in a multi-tenant environment)

Application Security

Currently, application security is one of the more important areas that we have to be more vigilant of, as threats coming through apps is the most popular method used by hackers at this moment. 

Network firewalls presently are not able to protect threats coming through apps, though security for apps is developing rapidly. 

As more software gets into the mobile device environment — cloud services, mobile services, SCADA/ICS, software-defined networks — this is certainly an area we should pay attention to. 

The reasons for the weaknesses in the app security area are many. 

There is a huge demand for apps and often developers are rushed to meet very tight deadlines. Quality assurance and testing, including security, gets compromised or minimised.  

Software goes into production beset with bugs, vulnerabilities and other hacker-exploitable artefacts.

Automated QA tools do help in highlighting issues and bugs in applications — but they do not solve the problem. 

Recoding is still done manually, making it a tedious and unpopular task.  

Software development is focused on features and performance, but security? Not so much. 

Hence, hackers have been known to inject code into an app to crash a device, hijack or make it leak confidential data.

Cyber-resilience : Incident Management Strategy

Today it is best to assume that we will be attacked, or an attacker or malware is already in our systems.

Something is bound to happen: data will leak, systems or services will go down. 

So how do we react, recover, stay cyber-resilient and proceed?  

In the past, CIOs were put to task for an incident or security breaches. These days, they are questioned on how they handle or manage an incident instead.

The security industry has always focused on prevention and detection solutions. Incident response (IR) was not strategic — leaving security teams to use manual tools such as email or spreadsheets, and inefficient, inconsistent processes to deal with cyber incidents.  

What is needed today is a system or process that enables faster and more effective response through the orchestration and automation of Incident Reporting processes. 

It works seamlessly with the prevention and detection systems to create a central hub for Incident Reporting management.  

An incident is not just about a cyber-breach or network issue anymore – it transcends into and involves company policy and non-technical spaces. 

Business management executives sometimes see business operations differently from a data security executive. For example, some organisations see the loss of a laptop as a HR or management issue – rather than a data security issue. 

So how does an organisation decisively ensure quick protection and recovery action in line with business continuity, while ensuring some learning, and facilitating investigation, remediation and improvement?

One of the top takeaways from a recent Ponemon Institute 2015 report on cyber resilience is that our industry is moving beyond the “awareness” stage. 

Organizations are becoming quickly aware that cyber resilience is the new standard to strive for – now they’re asking, “How do we get there?”

Start with planning and preparation. The reports have identified many steps and strategies for increasing cyber resilience, but “planning and preparation” stood out in particular as a critical step for making a significant and immediate improvement. Incidence Reporting is now a C-level conversation. 

Security leadership needs to get executive support to make proactive response a priority – making time, developing and continually refining Incidence Reporting plans, breaking down silos and implementing Incident Reporting strategies across the organization. 

It is crucial that every single staff member —  and not just the leadership — is involved as well, because we are only as strong as our weakest link. 

This commentary was contributed by Anthony Lim, Director, Singapore, Cloud Security Alliance. The views expressed are solely the contributor's own, and does not reflect any official position of IDA.

All photos courtesy of Cloud Security Alliance.