[BreachExchange] Agencies need cyber risk strategies for modern adversaries

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 5 19:22:04 EDT 2016


http://www.federaltimes.com/story/government/solutions-ideas/2016/06/24/cyber-risk-strategy/86182084/

Government leaders spend a great deal of their time pondering this
question: How can we prevent the thousands of data breaches that happen
every year from happening to me?

But what they should ask themselves is this: Can we develop a cyber risk
strategy that will defend us against present and future threats — while
supporting our agency/operational needs?

Why should they take this route? Because if the modern age has taught us
anything, it’s that cybersecurity alone can no longer safeguard
organizations. Cybersecurity is focused principally on the use of
protection mechanisms to shield systems from threats or damage. It is about
acquiring anti-virus, firewalls, intrusion prevention and other solutions
designed to stop attacks known at the moment. Unfortunately, the threat
landscape is constantly and unpredictably shifting, rendering traditional
defensive products/tactics as insufficient, pretty much by the time they’re
out of the box.

A cyber risk strategy, however, takes organizations to a far more mature,
holistic level. It recognizes that data protection extends to every single
facet of an agency: public affairs, finance, HR, legal, engineering,
recruiting and, ultimately, its culture. It assesses a comprehensive
breakdown of everything your agency does — how it operates, who “touches”
sensitive data, what third-party vendors are “allowed in,” etc. — to gain a
full view of your risk posture throughout all operational functions.

In other words, a cyber risk strategy drives toward a single, invaluable
quality: trust.

With this in mind, here is how an agency-wide cyber risk strategy can help
you address four key components of today’s threat environment:

The invisible threat

As indicated, cybersecurity-based methods can only counter what’s “known.”
But the 21st-century digital enemy thrives upon the polymorphic nature of
his schemes, making himself “invisible” through a wide range of evolving
ploys and disguises. This is why, in the legal world, something as
time-honored as attorney-client privilege does not apply here. If the
protected communications between an attorney and client are violated, then
the attorney sues the violator, right? But, in the aftermath of a network
incident in which proprietary information is breached, you can’t prosecute
an adversary you can’t see.

Given the invisibility cloak, you have to examine your current blacklisting
and whitelisting policies and processes, and transition to a model that
permits access on a “default deny” basis. Why? Because the invisible
adversary is growing increasingly skilled at searching for — and operating
in — spaces that are available to them, coming up with methods that
organizations aren’t aware of yet. When “deny” rules the day, you make it
that much more difficult for adversaries to slip through the cracks.

The third-party risk factor

The Target and Home Depot incidents famously shined the spotlight on
third-party risk in the corporate world. But the lesson applies to
government as well. After all, you are only as strong as the weakest link
among your suppliers, service providers and partners. But, again,
cybersecurity methodologies only consider the protections that come into
play within these relationships (such as vendors’ encryption practices, or
whether they’ve plugged an infected USB drive into one of your computers).

A cyber risk strategy scrutinizes these areas. But it also looks at the
entire trust profile of third parties, going well beyond cybersecurity
efforts. It asks “Does the vendor conduct effective background checks on
employees?” and “Does our contractor provide strong awareness training to
employees about recommended network/device usage?” These are the kinds of
questions that will enable you to effectively evaluate third-party trust.

The human element

Cybersecurity tools are not designed to account for the “people factor.”
But this can’t be ignored, not when human error has emerged as the top
cause of data incidents. Meanwhile, nine out of 10 organizations are
vulnerable to an insider attack. Whether we’re talking about malicious
employees or simply undertrained and/or gullible staffers, a cyber risk
strategy determines trust levels within the agency to assess how gaps could
lead to exposure. The social dynamics of establishing trust with people mean
government leaders are asking themselves, “Will my employees, vendors and
partners do the right thing even when no one is looking?”

The crown jewels

Clearly, this is what every bad guy seeks — the keys to the crown jewels,
i.e., your confidential, proprietary and sensitive data, whether it’s
Social Security numbers, classified materials, agency credit cards, tax
returns, etc. Again, cybersecurity merely covers the protection mechanisms,
like encryption and authentication. What is often lacking when implementing
data protection controls is a business understanding of valuable data
access, movement and change. A cyber risk strategy evaluates where every
valuable data asset is traversing: Where has it been and where is it
heading? Who touches it, and what do they do with it? How trustworthy are
they?

We know there are risks, for instance, associated with the migration of
data to a cloud provider. Yet competitive realities dictate that we can’t
“lock it all down.” Some assets have to exist on the Internet. So you must
measure how much you trust your cloud service providers against the
agency’s need.

For decades, cybersecurity defenses performed a noble purpose by attempting
to protect largely non-technical users from technical threats and avoid
making mistakes in handling data. While falling short of “catching
everything,” they did stop a lot of “bad things” from happening. But
today’s invisible digital adversaries are proficient in exposing and
exploiting the non-tech savvy audience that isn’t aware that an unencrypted
stolen laptop can burn you worse than a spilled cup of coffee … until after
it’s happened.

This is why a cyber risk strategy remains a vital part of a healthy agency
diet. You’re not just buying another firewall. You’re building a culture of
awareness which impacts the whole organization. With awareness, of course,
comes trust. And that will do far more to thwart the intentions of
attackers than any haphazard assemblage of security products.