A Robust Cyber Strategy needs firm foundations
Updated: Mar 31, 2019
Despite numerous information/cyber security frameworks, we are still seeing large corporations being subject to successful cyber-attacks, where the affected business are being significantly impacted. This could be through the negative press from large-scale data breaches, or from the inability to do business because of the critical data, systems or services not being available for them to do business (e.g. Distributed Denial of Service (DDoS), Ransomware, etc.):
The Harbinger of Doom
How is it that big corporations are included in the list of victims falling victim to cyber-attacks, surely they understand the need to keep essential services operational? Do they fail to invest enough in cyber defence or is there a lack of appreciation for the threat?
In most cases, the affected organisations are doing their very best but still the opportunist attackers manage to find a way in, e.g.
As a Participating Organisation of the Payment Card Industry @pcisecuritycouncil, surely they are demonstrating their intent to safeguard their customers payment card information.
Being that their main business function is customer related, they will have wanted to ensure that their customers had faith that they bank account details and personal information was safe.
Okay, so with this in mind, if the ‘big players’ can’t keep the bad people out, what hope is there for the smaller company?
This is a battle that has raged throughout history, where offensive entities have sought to cause disruption or gain unauthorised access to sensitive data. Technology has made this issue far more complex, where organisations need to make data/services available to their business partners and customers.
Lessons from History
There are a great deal of lessons that can be learned and applied to enhance an organisation’s cyber strategies. For example, the Romans are recognised as having invented the concept of Defence in Depth, having adapted their defensive strategies to be more effective as they expanded their Empire. Defence in Depth (DiD), is now the favoured term used by any tactician in their attempts to develop an effective strategy. However, the major flaw with DiD is that it no longer relates to the development of today’s technical environment, which supports increased data sharing, mobility and flexibility across millions of portable devices. No longer does a business environment reflect the traditional topology that of a single core. No each smart phone, laptop and has its own layered topology, which then might connected to the traditional network topology:
Throughout these systems and network layers, there is an increasing reliance on the sharing and transmission of data, in support of an organisations business operations. However, the criticality of this data does not remain equal, with some needing to be prioritised over others.
British Airways would have sought to ensure that they were PCI DSS compliant, through the outsourcing all the data processing to a PCI DSS compliant Payment Service Provider (PSP). This would have all but elimated the need for any card payment processing across the inner 3 layers (Core; Inner (Trusted & Untrusted). Consequently, they were able to reduce their compliance burden to only the controls from an SAQ A.
However, this failed to reduce their risks, as the attackers identified a vulnerability involving the injection of malicious code at the interaction between the Perimeter layer (Web Application) and the Outer Layer (3rd Party PSP). The SAQ A does not include any protective measures against such a threat. Consequently, this allowed the attackers to circumvent the cyber defences and to stealing the data from over 380,000 customers.
In the mind of your attacker
With the average dwell times (the time an attacker remains in a network undetected) being reported as being averaging upto 6 months (@ComputerWeekly) shows that today’s attacks are not just ‘Hit n Run’ style attacks, which traditional warfare would have experienced. Today’s cyber-attackers are willing to ‘chance their arm’ for greater rewards and ‘Cyber-Space’ de-personalises the effects of their actions on their victims, whilst the modern criminal has identified the ease at which they can monetarise data and how sanctioned countries (e.g. North Korea, Iran, can seek some revenge on their oppressors/enemies (State-Sponsorship).
How the advances in technology is changing the Human Psyche is has been well researched and presented in the fascinating and though-provoking book – The Cyber Effect (@DrMaryAiken) and as a consequence cyber attacks have less emotion.
Like the Trolley Problem, the use of the internet for attacks becomes like pulling the switch, it distances the attacker from the victim.
As a result, more organisations can be targeted by an assailant – be that an organised criminal gang, state-sponsored hacker, or that bored teenager. The common thing from all your enemies is that they are intent on causing maximum damage or gaining a maximal return on their efforts. Hence, no longer should any business consider themselves not to be a target of an assault.
Can you afford not to pay that Ransom, to regain your critical data or services after a ransomware or DDoS attack?
Getting the fundamental right
These facts help to focus an organisation’s mind and focus is what is needed to help ensure that you have the best approach to the development of your cyber strategy. Thus, I recommend that the following 5 areas become the foundation of any cyber defensive efforts:
1. Asset Management (inc. Secure configurations)
Not all things being equal – identify your most critical services/business operations and the associated systems for each data/communication flow, across their specific life-cycles.
You can’t protect what you don’t know.
Ensure that the network devices, systems and software is configured according to their specific roles, removing any unnecessary Services, Ports & Protocols.
2. Vulnerability Management
The increasing demand for rapid technological advancements makes for an increasingly dynamic infrastructure, which in turn, creates newly identified opportunities for an attacker to exploit. Consequently, having completed item 1, new vulnerabilities need to be identified, prioritised and remediated against in a timely manner. This timeline will be driven be the importance of the affected asset and an organisation’s risk tolerance.
16.6% of vulnerabilities in 2017 were rated as Highly Critical, and 0.3% as Extremely Critical.
3. Privileged User Management
Until systems are fully automated, there will always be a need to grant users with ‘Super Powers’ (high-level permissions), which if abused can allow an assailant to do considerable damage. Therefore, these users will need to understand the additional responsibilities that come with these higher privileges and be closely managed.
4. System & User Log Management
It is rare that an attacker will have prior knowledge of an organisation’s network and will spend considerable time trying to navigate their way around, and to identify their targets. These activities leave a trail, which if actively monitored can be used to identify unusual or malicious activity.
5. Incident Management
Be prepared. Think about how well your teams could respond in the event of an attack on your critical business operations. Could you identify an attack or intrusion and could you respond quickly, so as to cut off the attacker before they do too much damage?
Think WHEN, not IF.
The success of today’s business is heavily reliant on technology and data, so it is essential that the strategic approach is aligned to ensure that the most essential business operations have been identified and adequately protected. Having built firm foundations for your most critical business processes/services, then enables you to commence adding additional defensive layers on top (e.g. Anti-virus, user awareness training, etc.) from your chosen/favoured framework – be this for assurance (e.g. Certification) or compliance (e.g. PCI DSS).
Don’t get me wrong the layered approach, provided by DiD is still extremely effective. However, this approach needs to be tailored to align with increasingly complex network and systems topologies. This will help to ensure that the most essential parts of the business are sufficiently defended from today’s ever-present threats.
If you haven't got your foundations, how can you ensure that you focusing your efforts on protecting your most valuable parts of the business and provide senior management with the information they need to understand the risks to the business, e.g.
Key Risk Indicators (KPIs)
Key Performance Indicators (KPIs)
Penetrations Test results