I first became exposed to the concept of information warfare in 1989 when I worked for the government as a leader of a security evaluation program. We all learned that a devastating cyber attack to rival the impact of Pearl Harbor was a possibility. At this time in our cyber history, it was difficult for many people to truly understand what an “electronic Pearl Harbor” could mean. There had not yet been many significant security breaches, but we had experienced the Morris Worm, which took down what was then known as the Internet. So the premise was not that far-fetched—but not nearly as many people were familiar with the Internet then.
Now, with the passage of time, advances in technology and skills, and the massive amount of money spent on offensive security techniques by cyber criminals as well as nation-states, information warfare is a reality. Not only is it a reality, but it has been in active use for years. We have verified intelligence related to several attacks attributed to nation-state actors going back several years. We have seen a few vendor products hacked in attacks tied to the compromise of government agencies and commercial industry.
Become a Cyber Exterminator
Any company that has services actively running on the Internet is not safe. Malicious actors trawl the Internet and the Dark Net, looking for easy prey. Your organization may not be the primary target. But if you are susceptible to breach, you are likely to be leveraged to (a) assist in the development of cyberattack skills for adversaries, or (b) serve as the unknowing launching pad for an attack on another company, organization, or institution. One last fact before we move on to how we get our heads wrapped around this. Cyber attacks do not execute with shock and awe. The attackers are smart and savvy at their craft. They find a hole, compromise services inside your network, and then execute low and slow, staying under the radar, so they can maximize their impact before they are likely to get caught—like cyber termites in your network foundations.
During speaking events, I always have a few key takeaways for the audience. My top one is—become a student of threat. If you still think that your company is not big or notable enough to be attacked, you are dead wrong.
Students of Threat
If you’re concerned about a potential break-in at your home, you prepare to address that threat: an alarm system, cameras and motion sensor lights around the perimeter, upgraded locks, and of course—my favorite—a great dog. You identify the threat, and you prepare a protection, detection, and reaction strategy to address it. Why would you not, as a security risk manager or owner, take the same approach to address a very real threat to your organization, one that can and will attack you from 5,000 miles away? Subscribe to threat services and feeds, and routinely read security sites (safe ones, of course) that contain vulnerability, threat, and active attack information. Recognize that you must have a comprehensive incident response plan and the trained personnel and technology to operate this plan. Prepare for the “when,” not the “if.” You will experience a cyber attack.
Students of Risk
My second takeaway is to conduct frequent, comprehensive technical security testing of your entire ecosystem, to ensure you understand how that threat translates into direct risk to your organization. One of the most critical objectives is to establish an effective security risk testing strategy to uncover and document your risk. You also need to document a risk mitigation roadmap based on risk criticality and priority. Having a risk roadmap will allow you to focus on the most critical security risks, in priority order. This is the best way to focus limited resources and budget toward reducing the risk of breach and improving breach detection and response capabilities.
Here are a few things that you need to do:
- Regularly perform external and internal security penetration testing (fixed and wireless).
You need to know what an attacker will see and try to exploit from the outside in. And you need to know what they will be capable of doing when they are on the inside. (For example, how easy would it be for them to escalate privilege and steal sensitive data or take over a domain controller?) Invest in very experienced third-party resources to help you here—those that use the same tools and techniques as the malicious actors.
- Regularly perform social engineering testing.
Your employees are essentially a human firewall. How strong is their policy and rule set? Is it consistent across all human firewalls? Do those human firewalls that protect the most sensitive data have an enhanced rule set? Will they click malicious links or expose sensitive data over a phone call? You must test to determine these risks. Similar third-party resources can also help you here.
- Regularly perform application and Web security penetration testing.
What will the attacker be able to see and do when they target your externally facing Web services or gain access to applications from the inside? Testing Web applications is a specialized skill set, beyond that of your average penetration tester. Turn to your third-party partner for extra backup.
- Create a risk roadmap or risk register.
Frequent and comprehensive ecosystem security testing is essential for success. You must utilize a third party to do this. A group of experts who have very little understanding of your infrastructure as configured, no preconceived notions, and who target your enterprise just as a malicious actor would, will uncover the warts. Organize and prioritize the documented risk data and socialize it with your leadership so they understand how important the risk is, and what they need to do to support you in mitigating it.
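As an added illustration of the risk register and roadmap described above (example code written for this page, not the author's own tooling), the script below takes findings from the four kinds of testing listed, scores each on an assumed 1-5 likelihood and impact scale, bands the product into criticality levels (thresholds are an assumption), and orders them into a remediation roadmap. The sample findings are constructed for the example.

```python
from dataclasses import dataclass

# Criticality bands on the 1-25 likelihood x impact product (assumed thresholds).
BANDS = (("critical", 20), ("high", 12), ("medium", 6), ("low", 1))


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    source: str               # which test produced it: external, internal, social, web app
    likelihood: int           # 1 = rare ... 5 = almost certain
    impact: int               # 1 = negligible ... 5 = severe (e.g. domain takeover)
    externally_exposed: bool = False

    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.finding_id}: ratings must be 1..5")
        return self.likelihood * self.impact


def criticality(score: int) -> str:
    """Map a 1-25 score to a criticality label using BANDS."""
    for label, floor in BANDS:
        if score >= floor:
            return label
    raise ValueError("score below 1")


def build_roadmap(findings):
    """Order findings highest score first; on ties, externally reachable
    issues come before internal ones, then by id for a stable result."""
    ordered = sorted(findings,
                     key=lambda f: (-f.score(), not f.externally_exposed, f.finding_id))
    return [{"rank": i, "id": f.finding_id, "criticality": criticality(f.score()),
             "score": f.score(), "source": f.source, "title": f.title}
            for i, f in enumerate(ordered, start=1)]


# Constructed sample register (illustrative findings, not real test results).
SAMPLE = [
    Finding("F-1", "Internet-facing admin portal accepts default credentials", "external pentest", 4, 5, True),
    Finding("F-2", "Workstation-to-domain-controller privilege escalation path", "internal pentest", 4, 5),
    Finding("F-3", "Finance staff clicked simulated phishing link", "social engineering", 3, 4),
    Finding("F-4", "Verbose error pages on customer web app", "web app pentest", 3, 2, True),
    Finding("F-5", "Guest wireless reaches printer VLAN", "internal pentest", 2, 2),
]

if __name__ == "__main__":
    for r in build_roadmap(SAMPLE):
        print(f"{r['rank']:>2}. [{r['criticality']:<8}] {r['score']:>2} {r['id']} {r['title']} ({r['source']})")
```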
Prepare for the “When”
Think of how much easier it is to follow all aspects of a baseball game when you have the program. You know who the players are, what positions they play, and plenty of relevant statistics and history. Now you have context for following the game. The same is true for an information security program plan. You document it so all of the players know their roles and what level of oversight, ownership, or support they have to run the plan. The overall information security program is only as strong as the sum of all its parts. Any weak link in the chain can cause a break. One of the most important parts of any information security program is clear guidance for all on what to do when something looks suspicious, or when the breach occurs.
What should your plan cover? Here is a good outline:
- Organization of Information Security
- Authentication and Privilege Management
- Security Policy and Management
- Communication and Operations Management
- Personnel Security
- Physical Security
- Asset Management
- Identity and Access Management
- Roles and Responsibilities
- System Architecture and Integrity
- Application Security
- Data Security Management
- Systems Security Management
- Security Risk Governance
- Security Incident Management
- Disaster Recovery
- Business Continuity
- Security Education and Awareness
- Audit and Compliance Management
- Summary (This is the way)
Have a third party help you with this as necessary, but make sure you create the program. This will prepare you for the “when” and help you mitigate damage.