I'm pleased to be a part of the publication of a substantial Cybersecurity Guide for Directors and Officers announced yesterday. I hope you will visit www.securityroundtable.org and enjoy the entire book and more.
Following is my contribution (Chapter 27):
What are they after?
A threat-based approach to cybersecurity risk management
Intercontinental Exchange & New York Stock Exchange - Jerry Perullo, CISO
Given finite resources and the ongoing threat of the “next big hack,” cybersecurity is not the place to let a thousand flowers bloom. How does a governance body that is balancing this complex topic with so many other complex risks pick the right questions to ask? The spectrum of popular guidance ranges from an end-to-end program that generates hundreds of inspection points to a kneejerk reaction to the latest headlines. Distilling the truly critical areas of focus requires a balanced approach that is well served by beginning with the end in mind and asking, “What are they really after?”
Traditional guidance has centered security program construction and audit on comprehensive standards-based frameworks. Although the popularity of specific standards has waxed and waned, the general principles have revolved around identifying assets, establishing a risk management program around those assets, and establishing preventative, detective, and corrective controls to protect them. There is nothing wrong with this recipe at the tactical level. In fact, boards should expect a continuous program cadence around this type of strategy and should expect to see third-party auditors, customers, vendors, and regulators use this approach in examination. Controls should be mapped to an established framework and any gaps or vulnerabilities identified. The challenge, however, is that this produces a massive corpus of focus areas and controls that cannot be digested in a single targeted governance session. It also does not produce a ready answer to the top board concern: “How could we be hacked?”
Likewise, reacting to headlines and rushing to establish the controls and technology cited in the latest news story will divert all resources to someone else’s vulnerability, whereas yours may be very different. Simply asking, “Could what happened last week happen to us?” may at best result in a false sense of confidence or a mad dash to address a gap that isn’t relevant to your organization. Vendors cannot be faulted for preying on this tendency, and the result is a barrage of solutions to the last headline’s problems: “You desperately need encryption.” “You need behavioral technology to baseline administrator activity and to alert on unusual access times or locations.” “You need to give up on securing everything and only focus on the critical assets.” “You need stronger passwords.” All of these solutions have their place, but if they are not responsive to the threats facing your business, they may cause more distraction than protection given your unique requirements.
Identifying a relevant and reasonable agenda for a governance session requires a targeted and balanced approach. Let us group the major cyber headlines of the last decade into several large categories. With a finite grouping of threats, we can begin to model what each threat would look like to your organization, which leads to an assessment of likelihood and impact. With this picture of viable threats, the board can home in on the specific questions that will produce the most value. By all means, all of the threats listed below should receive treatment in some capacity in any cybersecurity plan, but prioritizing which are most relevant to your organization will expose the most valuable areas to explore with limited time. Further, identifying business practices that expose you to a particular threat category may lead you to reconsider them in light of costs that were not included in previous assessments. The calculus around maintaining a lower profile or outsourcing targeted data may change when you factor in cybersecurity risk.
■ Threat category 1: Data theft
Do you manage assets that can be easily monetized? Credit card numbers and social security numbers—in bulk—are the drivers behind many newsworthy breaches. Criminals have established the proper fencing operations and can justify enormous risk and effort to capture millions of card numbers or pieces of personally identifiable information (PII) that allow identity theft. Capturing 100 or 1000 records is not, however, alluring enough. Do you have bulk card or PII data? Card processors, retail institutions, and health-care providers are clear targets for this type of penetration. If this is your world, the major breaches of the day serve as case studies. Lessons learned in these areas lead to an emphasis on the following questions:
- Do we know all the places where these sensitive data live, and have we limited them to the smallest set of systems possible (ring-fencing)?
- Is access to the systems housing this data tightly controlled, audited, and alarmed, including via asset-based controls?
- Is this data encrypted in a manner that would thwart the specific tactics observed in major breaches?
If you do not hold easily monetized data, these questions may not be the right place to start. Again, this does not mean that data theft is acceptable in any organization. Confidential email, intellectual property, customer login credentials, and trade secrets are some of the many examples of data we must protect. Close examination often shows, however, that ring-fencing, asset-focused controls, encryption, and other concentrations born of the rash of recent card and PII breaches may not be appropriate for more common and less frequently targeted data. If the data you are protecting are much more valuable to you than to an assailant, traditional controls such as company-wide access control, permission reviews, and identity management are probably the right emphasis and should not be neglected in pursuit of stopping a phantom menace.
■ Threat category 2: Activism
Is your organization the target of frequent protest or activism? Perhaps the issue is climate change. Perhaps it is labor relations. Perhaps you are caught up in the storm of anti-capitalism, anti-pharma, or anti-farming sentiment, or you are simply high profile. You may or may not know if there are groups with an ideological motivation to put a black eye on your business. Cyber opens up a whole new realm of ways for people to accomplish this, and often with anonymity. When attacks fall into this category, the most likely impact is an action that can be touted in public. This usually means one of two things: Denial of Service (DoS) or defacement. The former will attempt to demonstrate your powerlessness by rendering a component of your business unavailable to your customers or the general public. Although attacking customer access or more internalized systems may be more damaging in reality, remember that the goal is to make a splash on a big stage with minimal effort or exposure. More often than not, that means attacking your public website. The same target (plus social media accounts) is most common for defacement attacks. The only thing more satisfying to an activist than rendering your service unavailable is replacing it with a pointed message. High-profile attacks in this category include the near-incessant Distributed Denial of Service (DDoS) attacks against major banks, particularly those with names evoking western countries. Targets of defacement include the Twitter and Facebook profiles of targeted companies and government entities. If this type of threat is likely to be pointed at your organization, good questions to ask include the following:
- Can we sustain a DDoS attack on the order of magnitude recently observed in the wild?
- If we have a DDoS mitigation plan, how long would it take to activate during an attack? Is an outage for this duration acceptable, or would it be considered a failure in the public eye?
- Are we continuously scanning our primary website(s) for common vulnerabilities that may allow unauthorized changes?
- If our website were defaced, how long would it take to restore?
- Are credentials to official company social media accounts tightly controlled by a group outside marketing that is more security conscious?
If this type of threat is not applicable to your organization, focusing controls and review on mitigating such attacks may not be the best allocation of resources.
■ Threat category 3: Sabotage
Are you a provider of critical infrastructure? Do you or your key executives issue politically charged statements publicly? Would the interruption of your business further an extremist objective? Although these threats require more sophisticated tactics and more time to perpetrate, they often bring highly motivated and coordinated threat actors. Adversary objectives in this area usually go well beyond website attacks. Physical control systems, data integrity, or even the functionality of employee workstations may be the target in this type of attack. Although there are many vectors for this type of attack and several are often used in conjunction, a common theme quickly becomes targeting employees individually. Social engineering and phishing prey on common habits and assumptions to dupe people into disclosing a password, clicking a malicious web link, or opening an attachment. These attacks can be the most difficult to defend against, but their reliance on persistent access and a longer lifecycle to build towards the final goal makes detective and corrective controls more valuable and decreases reliance on absolute prevention. Additionally, the actors involved and the potential impact to national interests likely make mitigation assistance available to you if you focus on detection and have the right contacts in place. Good questions to ask if you are at risk of this category of attack include the following (where employees include contractors and vendors):
- Do individual employees recognize the importance of their role in securing the organization and what an attack may look like?
- Are employees routinely reporting suspicious activity?
- Are employees educated and incentivized to act responsibly with regard to cyber?
- Are systems detecting suspicious employee behavior that may indicate credentials under the control of an outsider?
- Has contact been established with incident response firms and law enforcement, and could they quickly be mobilized if a compromise is detected?
■ Threat category 4: Fraud
Do you operate a system that makes or processes payments? Although any pay-for-service you offer may be the target of someone looking for a free ride, nothing attracts the sophisticated criminal element like cash. If you offer the ability to move money, you should have a focus here. Although fraud is certainly not a new challenge, Internet connectivity has brought it to new levels. If this is relevant to your organization, you have likely been dealing with the ramifications long before cyber considerations were added. The following questions, however, may be helpful to ensure cybersecurity efforts are aligned with traditional fraud protections:
- Have we deployed and enforced two-factor authentication, such as text messages, mobile phone apps, or physical tokens, to require our customers to have more than a username and password to authenticate?
- Are we using adaptive authentication to identify suspicious locations, access times, or transaction patterns in addition to classic credentials?
- Are we tracking and trending the sources, frequency, and value of losses?
- Are we working closely with peer institutions and competitors to share threat intelligence and identify common patterns we should detect and/or block?
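The question above about adaptive authentication, like the earlier question under sabotage about detecting employee behavior that suggests credentials under an outsider's control, comes down to the same mechanism: build a per-user baseline of normal activity and score new events against it, stepping up to a second factor or manual review when the score is high. The following is an added example written for this page, not code from the chapter or from any named institution; the login records, the scoring weights, and the step-up threshold are all constructed for illustration.

```python
"""Added example: a minimal adaptive-authentication scorer.

Builds a per-user baseline (countries seen, login hours seen, largest amount
moved) from constructed history, then scores new events against it. The
records, weights and threshold below are hypothetical, not real data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, ISO timestamp, source country, amount moved).
HISTORY = [
    ("alice", "2016-03-01T09:12:00", "US", 250.00),
    ("alice", "2016-03-02T10:05:00", "US", 900.00),
    ("alice", "2016-03-03T08:47:00", "US", 120.00),
    ("alice", "2016-03-04T17:30:00", "US", 1500.00),
    ("bob",   "2016-03-01T22:10:00", "GB", 75.00),
    ("bob",   "2016-03-02T23:40:00", "GB", 60.00),
    ("bob",   "2016-03-03T21:55:00", "DE", 80.00),
]

# Constructed new events to score at authentication / transaction time.
NEW_EVENTS = [
    ("alice", "2016-03-05T09:30:00", "US", 400.00),   # routine
    ("alice", "2016-03-05T03:15:00", "RO", 9800.00),  # new country, odd hour, large
    ("bob",   "2016-03-05T22:20:00", "DE", 50.00),    # routine
    ("bob",   "2016-03-05T22:25:00", "US", 70.00),    # new country only
]

# Hypothetical weights; a real deployment tunes these against observed losses.
WEIGHTS = {"new_country": 3, "unusual_hour": 2, "large_amount": 3}
STEP_UP_THRESHOLD = 4  # at or above: require a second factor or manual review


def _empty_profile():
    return {"countries": set(), "hours": set(), "max_amount": 0.0}


def build_baseline(history):
    """Per-user profile: countries seen, login hours seen, largest amount moved."""
    profiles = defaultdict(_empty_profile)
    for user, ts, country, amount in history:
        p = profiles[user]
        p["countries"].add(country)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["max_amount"] = max(p["max_amount"], amount)
    return dict(profiles)


def score_event(profile, event):
    """Return (score, reasons) for one event against a user's baseline."""
    _user, ts, country, amount = event
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if country not in profile["countries"]:
        reasons.append("new_country")
    # Any hour more than one hour away from every previously seen hour is unusual.
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):
        reasons.append("unusual_hour")
    # More than double the largest amount ever moved by this user is unusual.
    if amount > 2 * profile["max_amount"]:
        reasons.append("large_amount")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(history, events, threshold=STEP_UP_THRESHOLD):
    """Score each event; return (user, timestamp, score, reasons) for those
    that should trigger step-up authentication. A user with no history gets an
    empty profile, so every one of their events is scored as anomalous."""
    profiles = build_baseline(history)
    flagged = []
    for event in events:
        profile = profiles.get(event[0], _empty_profile())
        score, reasons = score_event(profile, event)
        if score >= threshold:
            flagged.append((event[0], event[1], score, reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, score, reasons in triage(HISTORY, NEW_EVENTS):
        print(f"step-up required: {user} at {ts} (score {score}: {', '.join(reasons)})")
```

Note what the thresholds buy you: bob's login from a new country alone scores below the step-up line, so a traveling customer is not challenged for that reason by itself, while alice's combination of new country, unusual hour and outsized transfer is flagged. Tuning those weights is exactly where the question about tracking and trending losses feeds back into the controls.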
■ Threat category 5: Commoditized hacking
Although specialized threats are associated with specific targets, all organizations have exposure to the most common family of commoditized threats. These threats are opportunistic and warrant different controls than advanced threats. At a minimum, automated attacks look to procure access to your IT environment so that your computing resources can be made available for more nefarious aims. Even if you do not host critical infrastructure or easily monetized data, commodity threats look to compromise your computers so that they can be used as agents of more sophisticated attacks. Malware looks to enlist your computing, storage, and bandwidth to help criminals blast out junk email, store pirated media, or contribute to a Denial of Service attack. Attackers in this category do not care (and often do not know) whether your computers belong to a financial services firm, manufacturer, university, home network, or hospital. Protecting your organization from these common attacks requires being less exposed than the next target. Ask yourself:
- Have we identified a role in our organization that is responsible for cybersecurity?
- Are only absolutely required services exposed to the Internet?
- Are PCs and email servers protected from common viruses and malware in an automated fashion?
- Does our corporate email employ controls to filter out the most common virus and spam campaigns?
- Does our corporate Internet access incorporate controls to block access to malicious websites?
One special form of opportunistic attack involves ransom. Some malware encrypts the content of infected computers so that it becomes unavailable until a payment is made. This type of attack can be crippling. In addition to the preventative controls outlined above, you should ask the following:
- Are our file servers backed up and tested regularly, and could we recover quickly if all current data were unavailable?
- Have we, via policy and practice, established the principle that PCs and laptops are disposable, that data on these devices should not be relied upon, and that network storage should be used to house any critical data?
Although cybersecurity is a relatively new field, it has already grown into an expansive area requiring monitoring and controls around mission critical infrastructure and data. Attention to governance has ramped up dramatically in a short period, and it can be difficult to sift through the advice of experts. Investing time in analyzing threats and identifying what assets adversaries are truly after is a critical first step in establishing an effective governance policy around cybersecurity.