[BreachExchange] Cybersecurity checklist is a cyber strategy tool for increasing attack cost

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 3 19:03:29 EST 2016


http://searchsecurity.techtarget.com/news/4500277953/Cybersecurity-checklist-is-a-cyber-strategy-tool-for-increasing-attack-cost

This week at RSAC 2016, two top officials of the U.S. Cyber Consequences
Unit, John Bumgarner, chief technical officer, and Scott Borg, director and
chief economist, took to the podium to unveil what they call a "new type of
cybersecurity checklist" that makes "preventing penetration only one part
of a much more comprehensive strategy, greatly expanding the defensive
options." The checklist is currently in draft form, but should be released
in a final version later this year.

The new draft checklist, organized in a matrix, works symmetrically:
Reading it in one direction provides "an attacker viewpoint," but read in
the other direction, it offers the defender's viewpoint. The new checklist
will be freely available, as was the original cybersecurity checklist.

Borg emphasized that the key to using the new cybersecurity checklist,
which includes over 1,000 items, is using it to increase costs to attackers.

"The game is not about stopping penetration," Borg said, "but making it not
worth the attacker's time and expense." The idea of the matrix is to make
it easier to see how "to increase those costs."

Bumgarner pointed out specific actions that could make potentially
devastating attacks far less so. One such action is to make attacks
reversible. Bumgarner used the ransomware attack against Hollywood
Presbyterian Medical Center as an example: Backups, if the hospital had had
them, could have been used to make the attack easily reversible.

Increasing the costs to attackers

"When an attacker steals your data, provide them false data," Bumgarner
said, suggesting the use of "honey tokens" alongside a password, because
they can be used to "set an alarm that it's being used to indicate that the
data has been stolen."
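The honey-token idea Bumgarner describes is a detection control: a decoy credential is planted alongside real ones, and any authentication attempt with it is a high-confidence signal that the store it was planted in has been copied. The following is an added example, not code from the article or from the US-CCU checklist; the decoy usernames, the log format, and the sample log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Decoy usernames planted next to real accounts. Each maps to a description of
# where it was planted, so an alert also tells you which store was exposed.
# Constructed for this example; the "planted in" paths are placeholders.
HONEYTOKEN_USERS = {
    "svc_backup_legacy": "planted in the application user table (placeholder)",
    "jsmith_admin": "planted in the exported password CSV (placeholder)",
}

# Constructed sample of application authentication log lines.
SAMPLE_AUTH_LOG = """\
2016-03-03T18:01:12Z auth user=alice result=success src=10.0.0.12
2016-03-03T18:02:45Z auth user=bob result=failure src=10.0.0.15
this line is malformed and should be ignored
2016-03-03T19:11:03Z auth user=svc_backup_legacy result=failure src=203.0.113.9
2016-03-03T19:11:07Z auth user=svc_backup_legacy result=success src=203.0.113.9
2016-03-03T19:30:00Z auth user=carol result=success src=10.0.0.20
"""

# Assumed log line shape: "<timestamp> auth user=<u> result=<r> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class HoneytokenAlert:
    timestamp: str
    user: str
    source: str
    result: str
    planted_in: str


def parse_auth_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def find_honeytoken_use(log_text, honeytokens=HONEYTOKEN_USERS):
    """Return an alert for every authentication attempt that names a decoy user.

    Failed attempts count too: no legitimate client knows the decoy exists, so
    even a wrong password against it means the credential store was read.
    """
    alerts = []
    for line in log_text.splitlines():
        fields = parse_auth_line(line)
        if fields is None or fields["user"] not in honeytokens:
            continue
        alerts.append(HoneytokenAlert(
            timestamp=fields["ts"],
            user=fields["user"],
            source=fields["src"],
            result=fields["result"],
            planted_in=honeytokens[fields["user"]],
        ))
    return alerts


def sources_by_token(alerts):
    """Group the source addresses seen per decoy, for the incident summary."""
    summary = {}
    for alert in alerts:
        summary.setdefault(alert.user, set()).add(alert.source)
    return summary


if __name__ == "__main__":
    for alert in find_honeytoken_use(SAMPLE_AUTH_LOG):
        print(f"ALERT {alert.timestamp} decoy={alert.user} src={alert.source} "
              f"result={alert.result} ({alert.planted_in})")
    print(sources_by_token(find_honeytoken_use(SAMPLE_AUTH_LOG)))
```

Run against the constructed log, the two attempts against `svc_backup_legacy` from 203.0.113.9 produce alerts and the ordinary logins do not. The decoy accounts should have no real privileges and should never be referenced by any legitimate job, otherwise the alarm loses its value as a zero-false-positive signal.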

Borg noted that there are a lot of things included on the cybersecurity
checklist, but he said that it is meant to be comprehensive, which means "a
lot of it will be security 101." However, it also includes some
controversial things that "everybody should consider."

For example, Borg suggested making a policy of changing network resource
names and addresses periodically, because that forces attackers to "remap
everything periodically." He also highlighted the possibility of using
"poisoned-bait data" to cause harm to attackers if they try to use it.

"You can use this matrix and the material in the checklist to analyze
attacker paths and attacker activities," Borg said, noting that "you can
watch cases where the attacker has to cycle through activities two or more
times."

Cybersecurity checklist will have new focus

The new checklist is offered in draft form because, Borg said, "there are
more cybersecurity countermeasures still to be discovered than we've
already found. There's a whole realm of other possibilities that open up
when you look at increasing attacker costs."

When Borg and Bumgarner introduced the first version of the US-CCU
checklist about ten years ago, they were concerned with the nightmare
scenario of attackers who, instead of stealing or disabling networks, took
over networks and systems and, in time, altered critical data so that the
systems could no longer be relied on. This was a concern echoed this week
at RSAC 2016 by a number of speakers, including Admiral Mike Rogers,
director at the National Security Agency and commander of U.S. Cyber
Command, who said that one of his three major concerns for the next few
years is attackers who manipulate data so that "we can no longer trust the
data we get."

"The big worry shouldn't be that someone's going to shut down a company's
computer system," Borg said in 2006. "If you shut down almost anything in
our economy for a couple days, the damage is minimal. We have enough
inventory to timeshift our activities so we're not badly hurt. But if the
attacker causes physical damage or makes it so the business process is
faulty, the damage can be horrendous."

The U.S. Cyber Consequences Unit (US-CCU) is an independent, non-profit
(501c3) research institute that "provides assessments of the strategic and
economic consequences of possible cyber-attacks and cyber-assisted physical
attacks."

Borg has previously predicted major shifts in cybersecurity, including a
2002 prediction that attacks would transition from being disruptive
generally to becoming the work of organized cybercriminals. He also
predicted, in 2013, that the next shift would see criminals evolve to the
point of manipulating financial markets.