7 steps organizations can take to better protect data
The expression 'a chain is only as strong as its weakest link' is particularly applicable to information networks, which has numerous links of fixed and mobile devices, software, and people, any of which could be weak enough to enable a cyber attack.
Social media and the Internet of Things (IoT) are dramatically fueling expansion of these links. The number of ways that a stranger can virtually “reach out and touch you” never existed in the pre-Internet age.
Concurrently, the wide availability of automated hacking tools, crypto currencies and anonymous dark web marketplaces has both democratized and capitalized cyber crime. With very little risk, anyone can now make money from data they steal. A new dimension has been created for the traditional activities of criminals, activists and nation-states, one that offers greater targeting efficiency and less risk of getting caught.
For the rest of the world, the rampant proliferation of easy-to-use hacking tools and number of bad actors willing to deploy them means that everyone needs to “up their game” to stay safe.
But how? Reading the headlines and seeing some of the world’s largest organizations devastated by breaches, the complexity of the matter can be overwhelming. It doesn’t have to be. The right approach can simplify matters greatly.
These three principles will guide and streamline your efforts:
- Protect only what needs protection.
- Think holistically.
- Think like an attacker.
First, it’s important to understand that the goal isn’t to protect everything. This selectivity is important because there are always limited resources and we can’t absolutely secure everything. In the words of Alexander the Great: “When you defend everything, you defend nothing”. So, the goal is to first determine what an attacker wants and to then make the effort so great as to move them onto other, easier targets.
We do this by securing only the data that:
- You’re required by law or regulation.
- You can’t afford to be made public.
- Is truly critical to your continued operation.
- Can facilitate attacks against you or your clients.
Second, you need to determine what information an attacker wants and how they would take it. To do so, you must think holistically and like an attacker. Essentially, you need to know how real attackers would actually take action, and not how defenders imagine them to act.
The Holistic Approach
The cliché “the whole is greater than the sum of the parts” truly applies to cyber security. As you may have read, there is acceptance within the field that technology alone cannot address the threats we face.
This realization is driven by the growth of several complementary issues:
- The number and scope of cyber-attacks.
- The widening range of victims.
- The growing use of multiple domains by attackers.
- The use of third-party vendors as attack vectors.
- The refined use of social engineering.
- The empowered role of the insider.
Simply, attackers are using the growing number of points where you are exposed (called “threat vectors” and “attack surfaces”) to the extent that technical, physical, or human countermeasures must work together to stand a chance of success. It doesn’t help that in the rush to get new consumer products to market, device and software manufacturers are giving little attention to security.
Central to this issue is the age-old balance of security and efficiency. To make good use of the efficiency and convenience that computers and the Internet offer, we open up access to ourselves and our organizations. This greater sharing means that we’re forced to rely upon humans to exercise good judgment. As we know, judgment is one of those things that technology can help with, but cannot be solely responsible for.
So, even though we may wish to apply purely technical solutions to what we generally view as purely technical problems, we need to understand that even the best technical security tools are rendered ineffective by improper human action. There is some good news, however; good cyber hygiene enhances these same technical tools.
The question then is how to harden technology, personnel and physical defenses so they work together?
The answer is a holistic cyber security perspective.
Only by comprehensively examining the technical, human and physical cyber security vulnerabilities that could endanger you can a truly effective information security program be developed. By viewing the organization as an association of people and processes within a physical domain rather than just a series of devices on a network, you gain a far more accurate perspective of an organization’s defensive capability and resiliency. Importantly, this is exactly how an attacker sees any organization.
If you’re not quite convinced, here are more specific reasons for expanding your cyber defense beyond technology:
- Almost all attacks compromise a person at one point.
- More than half of all attacks are facilitated either by an insider, benign or malicious.
- Most technical countermeasures are undermined by poor cyber hygiene.
- Recent major attacks have exploited multiple vulnerabilities in multiple domains, i.e. the technical, human and physical.
- The firms having the greatest success in preventing attacks employ a holistic cyber defense.
The Attacker Perspective
The perfect complement to a holistic security approach is the attacker perspective. The true value of any security assessment is an accurate analysis of how real attackers would actually take action, and not how defenders imagine them to act. By thinking like an attacker, you increase the likelihood of developing truly effective security measures. This is the core concept of ‘red teaming’ and penetration testing.
Worth noting is that while it may be easy to say that you are adopting the attacker perspective, this is actually quite hard for most people, simply because they don’t have the natural capacity to think that way.
On the other hand, it is completely natural for attackers to:
- Use public data for targeting.
- Determine who has direct and indirect access to what they want.
- Know how to manipulate those persons.
- Identify, analyze and rank order security gaps.
- Know how those gaps can be used to achieve their goals.
- Find buyers for stolen information.
- Use stolen data to target, plan, and execute separate attacks.
In most cases, a malicious actor will use the easiest and safest way to mount an attack, following this general process:
- Collect & Analyze Public Data on the Target
- Use the Data to Craft an Attack Plan
- Conduct Pre-Attack Surveillance
- Execute the Attack Plan if no Roadblocks are Identified
The second point - attack planning - is what separates the amateurs from the professionals. Whether an attack upon the confidentiality, integrity, or availability of data, the most effective plan is usually also the safest one. The best way to remain safe and still accomplish the criminal goal may require them taking advantage of multiple vulnerabilities spread across the physical, technical, and human domains. This is why we’re witnessing multiple methodologies (social engineering, hacking and physical access) combined by attackers into a single attack.
As an example, the attacker point of view is critical to answering these key questions:
- What valuable information or accesses exist on the network?
- Who can access to these parts of the network?
- What is the safest and most efficient way to move against those items?
- What would cause an attacker to fail?
Making it a little more complicated is the fact that there are two broad categories of attackers, and they have different attack methodologies. These two categories are those operating from outside your organization and those operating from inside. As the outsiders are operating with limited information, their environment is called (“black box”). As the insiders have the benefit of inside information, their environment is called a (“white box”).
A “black box” perspective is derived by:
- Using only public data and personal observation.
- Knowing the full range of possible motives for outsiders.
- Knowing what sensitive data could reasonably be expected on the network.
- Using public and observed data to formulate an attack plan.
A “white box” perspective is derived by:
- Using public data, observed activity and privileged internal information.
- Knowing the full range of possible motives for insiders.
- Knowing what insiders know about their organization’s sensitive information.
- Using both inside and public data to develop an attack plan.
Hardening Yourself to Attack
Flipping from offense to defense is easy. We know what we need to protect and how it could be attacked. The next step is the creation of countermeasures specifically for that data and who has access to it. Employing a holistic approach, we strengthen our defenses across all attack surfaces to any possible way of accessing that data.
Once that is done, we develop plans to ensure that we can quickly and efficiently respond to a breach and to minimize damage when one occurs. Notice that I didn’t say “if one occurs”. Those days are over.
The following are seven areas to consider when creating countermeasures. Note that while a few may involve technology, none are purely technical in nature. More of a mindset than a guide, they provide a thought process that will help knowing when technical measures like encryption, data monitoring, segmentation and multi-factor authentication are required.
1. Define What Requires Protection
While intellectual property, trade secrets, marketing plans, and the private data of clients and employees are obviously sensitive, there are many other bits of aggregate data that are valuable to outsiders for their own use or for sale to others. It is worth taking time to get this right, as it will impact almost every decision made in your cyber defense strategy.
2. Determine Who Has Access
Once you have accurately identified your sensitive information, you need to determine who within and outside the organization has access to it. Most organizations are surprised to find this to be broader than they imagined. Access held by partners, vendors and contractors is often overlooked in the rush to streamline business processes.
Access is also the area where the physical domain intersects most predominantly with cyber security. If an attacker can steal or alter your data simply through physical means, the damage is the same as if it was accessed technically. This is particularly true if an attacker wants to deny you access to your data, which can be done by damaging or destroying servers and network infrastructure. Thus, physical access must be assessed, evaluated, and hardened just as technical and human access.
3. Define What “Right Looks Like”
The first step in hardening your defenses is creating and disseminating concise ground rules and accountability. People need to know what they should and shouldn’t be doing, and what the ramifications are for negligence or malicious action. Cyber security governance is the best way to do this. It is the defensive building block upon which all other security measures rest.
As more cyber breaches result from a user’s inadvertent action than any other single cause, the value of clear and concise policies and procedures cannot be overstated. Many organizations overlook this critical step, either being too focused on the business at hand or believing that their people inherently know the right thing to do. These are almost always inaccurate assumptions that lead to disaster.
4. Harden Your First Line of Defense
As noted, there is growing acknowledgement within the cyber security community that humans are the “Achilles heel” of most network security programs, and security safeguards are often undermined by human activity. The best way to mitigate this risk is through cyber security training that creates awareness and hardens personnel to attack.
Specifically, employees need to know the tactics and techniques used by attackers, why they could be targets themselves, and how to protect against data collection and attacks. Without this, employees are at risk of manipulation and exploitation through spear-phishing or social engineering efforts aimed at stealing network credentials.
5. Understand the Insider Threat
One of the first things to understand about the insider threat is that it can be someone acting intentionally or unintentionally. While we normally think of an insider as someone who is intending to harm an organization, the overwhelming majority of insiders unwittingly provide access to attackers.
That said, the greatest risk for maximum damage from a breach comes from a true insider that is wittingly working to harm the organization. Their ability to access the most sensitive information, to do so over long periods of time, and to cover their tracks can result in devastating damage.
Again, cyber security awareness and a positive cyber security culture are the best ways to address the insider threat. Beyond that, psychosocial events like anomalous, suspicious or concerning behavior can be monitored and analyzed as well as online activity, downloaded or transferred files, and badge records.
Of course, central to the insider threat issue is the balance between security and employee privacy. While it is generally understood that there is no expectation of privacy when using an organization’s network and devices, employee monitoring is an area that many organizations shy away from. This is an area where senior leadership support is critical, and input from the IT, HR, and General Counsel staffs invaluable.
6. Prepare for the Inevitable
The accepted mantra in today’s highly connected cyber world is “not if, but when” you will experience a cyber breach. The question then remains – how will you prepare for the inevitable?
The best way is to own the risk, educate shareholders and partners of that risk, and create a validated incident response plan. Crisis management, business continuity, and disaster recovery planning all work together to reduce the damage of an attack. Testing these plans through structured walk-throughs, tabletop and live exercises gives you the best chance of limiting damage from a breach.
7. Build a Positive Security Culture
More than any single factor, a strong organizational culture and morale helps create a positive security culture.
A common sense of pride, belonging, teamwork, collaboration, and loyalty supported by a strong cyber security education program creates an incredibly powerful security measure. Accordingly, organizational culture both creates and reinforces a security culture.
The interrelationship and interdependence of organizational and security cultures, of people and devices, and devices and physical defenses underlines the need for a holistic approach to cyber security.
As you know, the pendulum has been swinging toward accountability for those responsible for protecting information and access. HIPAA lawsuits, FTC fines and class action suits are prime examples.
One way to get clear of the pendulum swing is to be out ahead of it. While others may wait for forced compliance, you have the opportunity to do the right thing in terms of information security and become a role model in your industry.
Acting proactively will pay dividends over the long-term. Just as the impact of cyber breaches are now quantified by lost revenue, reputational damage, and unrealized potential; cyber resiliency and due care will soon be quantified by market share, reputational fortitude and seized opportunities.