[BreachExchange] The principles of cyber risk management: What does good security look like?
Destry Winant
destry at riskbasedsecurity.com
Mon Apr 15 08:53:49 EDT 2019
https://www.propertycasualty360.com/2019/04/15/the-principles-of-cyber-risk-management-what-does-good-security-look-like-414-152996/?slreturn=20190315082103
In the world of cyber risk, we are dealing with unprecedented events.
Apart from headline-grabbing attacks such as the global malware
incident that impacted Mondelēz’s business and the Russian
military-run global cyber-attack, NotPetya, we are now seeing an
epidemic of cyber attacks.
Concern has shifted from dealing with data being stolen and sold on
the dark web to handling serious ransomware and destructive attacks,
where attackers are looking for immediate monetary output. This is the
new threat.
Malware such as TrickBot can infect an entire corporate network,
allowing hackers to surreptitiously gain access to systems, embed
nefarious files and clean up after themselves, leaving no trace. The
source of the attack is not, however, dealt with — allowing hackers
time to monitor what is valuable to an organization and prepare a more
sinister attack.
At a later date, entire networks are encrypted, and companies are
brought to their knees, unable to access email, payment systems, and
operational systems. Everything goes down, including email, calendars,
Skype and VoIP, leaving a company unable to operate or communicate.
What remains is a ransom note demanding payment, usually in
cryptocurrency, to regain the keys that unlock the systems. These
attacks can cost companies from $100,000 to over $1 million, and
specialist services are required to negotiate with the hackers.
We have seen companies with their entire information technology
infrastructure brought down across multiple countries, leaving them
completely crippled. Added to that, companies face fines for data
breaches, breached contracts with their customers due to an inability
to perform services, the consequences of being unable to pay invoices,
and of course damage to their overall reputation.
Why are companies getting it wrong?
It has become much harder to protect a company’s digital assets
because the digital landscape is shifting rapidly under our feet,
catching many mature businesses off guard. Businesses need to
determine which components of their business rely on technology and
digital assets, exactly where those assets are (being less tangible
than hard assets like real estate or cash), and how to protect them
and the data flowing through them.
Often new systems are deployed, and the data being processed is not
fully understood, classified or safeguarded appropriately.
The old “protecting the center” model of the last decade is no longer
enough to keep companies secure. The old model involved protecting
your network and protecting a company at its perimeter. Now with data
being commonly housed in cloud applications with third parties and
mobile devices, a new approach is needed.
Many companies now have legacy systems that cannot simply be replaced
given the associated cost. These systems are not “safe by design” like
some of the newer systems, and many lack even basic security
mechanisms and still rely on weak, non-complex passwords, which an
attacker can easily overcome.
Protection methodologies have also gone out of date, including the
“air gapping” of environments designed to isolate systems from each
other and protect sensitive data. The old “people and process”
security model has evolved, and we now rely on “people, process, and
technology.”
Before the technology boom, security was a manual process — people had
to monitor systems or processes looking for threats. Technology is now
able to help automate threat monitoring.
What does good security today look like?
Firstly, it’s important to note that “good” is not a static state and
what is needed for security should be dynamic and agile. Second, one
can never totally eradicate risk, but can only reduce it to a level
that any particular organization finds to be commercially acceptable.
“Good” is no longer having the highest walls or the deepest moats to
stop the bad guys getting into a company’s systems. In a controlled
environment “good” means:
- Having increased visibility of potential threats, which tells you
how and where to protect your systems.
- Understanding how current threats could impact your organization and
its information.
- Understanding your key business processes and data.
- Knowing how your data is regulated in each region and appreciating
other risks relating to your business data, such as commercial risk.
- Understanding where your business is underpinned by technology.
- Understanding the degree of control you exercise over that
technology, for example whether it is a legacy system with out-of-date
security or is controlled by a third party.
- Understanding the skill of your workforce and the effectiveness of
your governance structure.
- Quantifying the cost spent on cybersecurity versus the value that
protected technology brings to the business.
Technically this means having visibility of the people and processes
in your business that interact with your technology and data so that
you can identify risks. It also means having visibility of attacks
through advanced threat detection and containment technology. You also
need to be aware of times of heightened risk when the threat of cyber
attack may be higher, for example, when a patent is being granted or
when an M&A deal is announced.
Controls that respond to your business environment?
What is needed now are dynamic controls — controls that respond to
your business environment or to the threats around you. A major
utility company with an aggressive business strategy to develop
software-based service offerings may find that its security posture is
not dynamic and almost entirely built around a physical security
strategy (protecting physical assets) — and therefore ineffective.
Businesses often have on-premises security tools to protect their
businesses and then realize they have purchased cloud-based platforms
that are entirely unprotected. Big banks in the UK, for example, have
invested heavily in security over the years.
After the Financial Conduct Authority clarified its stance on the use
of public cloud services through the publication of FG 16/5, none of
this capability was effective in any of the public cloud offerings
they developed. This has given challenger banks a clear advantage.
In other situations, major companies in the energy sector have made
exorbitant investments in advanced threat intelligence but have been
unable to change their controls to respond to the intelligence
gleaned. For one company, the threat increased or decreased
week-to-week, but the control landscape could not respond or adapt to
the changing threat, rendering the investment ineffective. The result
was that the controls bore no resemblance to the threat level.
Why is agility so important?
Agility is crucial when it comes to reducing cyber risk and requires
companies to understand their business and model their security
strategy on current and future business strategy. Referring again to
the big banks and oil and gas companies, many have offshored all their
IT and processing centers, but not kept enough internal knowledge or
skilled staff to manage third-party suppliers. This means they do not
understand their environment and therefore cannot respond quickly to
changing threats.
Agility in a control environment also means adapting to security
threats. This could be allowing users greater degrees of functionality
and freedom through the deployment of advanced threat detection tools
instead of locking users down.
We have seen small organizations save themselves from significant
impact by pulling the Internet cables during an active cyber attack.
This approach is now being used in critical infrastructure
organizations. By designing “red button” processes, they can shut
down an entire gas compressor or a segment of the control network, for
example, if it poses a risk to the entire grid.
In the old world, a plant operator would simply not be able to obtain
the required executive authority to shut a plant down (given that it
would cause millions in damages) within the time required to defend
against an active cyber attack. Crisis plans need updating to consider
and embed rapid responses to cyber specific threats.
What do best practices look like?
The approach to security that we advocate is risk-based. Risk-based in
this context means evaluating the business’s desires and goals, and
underpinning and assuring the elements that are most reliant on
technology. It also means that the level of investment in security
should be linked to the value of the asset being protected within the
specific commercial landscape.
A company can examine the types of threats it is exposed to and select
where to deploy controls that reduce the risk to an acceptable level,
but not at an untenable cost to the business. This might involve
deployment of some enhanced detection controls, network segregation,
and system recovery controls to a manufacturing environment to detect
and contain threats and, if needed, rebuild parts of the environment.
Contrast this to a full redesign of the factory before it naturally
becomes obsolete, bearing in mind a typical 30-year lifecycle of such
assets.
Integrating controls and layering defenses so that they fit into one
another is also important. Buying all the latest tools will not
protect your business. Coherent security is an end-to-end integrated
system of people, processes and technologies coming together to
protect business value.
We often see customers deploy Office 365 because they have been told
that it is secure, but then neglect to deploy multi-factor
authentication (MFA) and the other advanced controls available to
protect it, due to the perceived impact on users and usability. This
is akin to refusing to wear a seatbelt and then claiming that the car
is unsafe.
In 2017 and 2018, Ankura dealt with approximately 1,000 data breaches
— over half of which were due to business email being compromised, and
90% of which were due to a lack of MFA or other basic Office 365
security controls.
How do you weigh risk and cost?
Risk-based security is inherently business focused. If IT and security
departments are not business focused, they will be viewed as cost
centers rather than business partners. When practiced correctly,
security should understand and advise the business but not seek to
block it.
As such, security also needs to be cost appropriate. A security
investment plan should always consider the value at risk and underpin
that value with appropriate controls up to a percentage of that value,
and should never seek to deploy security for security’s or
compliance’s sake.
Being able to articulate the business proposition of security is
essential. Failure to do so is currently resulting in an
underinvestment in technology evidenced by the significant number of
breaches being reported in the media daily.
On the positive side, efficient cybersecurity can be a huge
differentiator, for example when used to pursue opportunities in
heavily regulated markets. Cybersecurity strategies can be leveraged
to de-risk technology during mergers and acquisitions, and investments
in emerging technology such as the cloud, the Internet of Things and
artificial intelligence, giving a business a competitive edge.