Not IF but WHEN You are Hacked: Intel-Driven Incident Response Strategies
“Luck is what happens when preparation meets opportunity” -Seneca.
The count-down for when you will be hacked is always running!
Breaches and Hacks are two different concepts in cybersecurity with the latter being more difficult to manage than the former. Breaches can be mitigated through security policies enforced by security awareness training, asset inventory, hardware and software configuration best practices, and various security tools/technologies. A breach, mostly associated with accidental spill of sensitive data, is best exploited by lack of internal processes, procedures, and training. Thus, breaches result in more executive terminations than hacks do because many of them are preventable.
A lack of appropriate controls can give malicious actors or adversaries easy access to sensitive data. Department of Veteran Affairs in 2006, the U.S. National Institutes of Health (NIH) in 2008, Accretive Health in 2012, SterlingBackCheck in 2015, Western Health Screening (WHA), and Washington State University in 2017, are all examples of lost or stolen unencrypted devices that contained sensitive information. In many cases, these incidents could have been prevented, but a lapse in control resulted in data loss, steep fees, lawsuits, and resignations. Although the concept is simple, the implementation and management can be challenging.
Hacks Can Lead to Breaches
Consider the recent Equifax data breach. Hackers exploited a flaw, not in Equifax’s software, but in their implementation of best practices. Failure to patch a known web application vulnerability enabled hackers to penetrate and access up to 143 million American consumers. Because of this failure, we may witness another executive resignation this year. For a hacker to locate a vulnerability, they must be looking for a vulnerability. You can have an alarm system, locks on all doors and windows, and a roaming security guard, but if someone wants in, they’ll get in. Hackers are persistent, determined, dedicated, and in many cases, highly skilled and financially supported. Stopping them is very difficult; even with the right tools, finances, and strategies, having a strong security infrastructure may only slow them down.
Yahoo’s 2013 data breach, now recorded as the largest data breach in history, is an example of a state-sponsored entity breaching a large firm. In Yahoo’s case, the data taken contained encrypted passwords. Whether some or all passwords were encrypted or hashed is unknown, but we didn’t see resignations result from this incident (although the CISO and CEO eventually left the organization).
The graph from CNBC shows a trend over the past 10 years as breaches caused by hacks begin to rise over breaches caused by unintended disclosures, physical loss, and portable devices combined.
Let’s acknowledge that companies need to start investing in cybersecurity, as implementing best practices and adhering to compliance are only first steps – first steps that many companies are still struggling to achieve. Leverage the CISO and CSO roles by integrating them into the business and hearing their voice, not as guidelines but as warnings. Senior Security Officers need to continue asking “what if…” for any and all business endeavors. Their role is not to say ‘no’ but to make everyone think about the security implications associated with a suggested activity.
New York’s Department of Financial Services’ (DFS) new cybersecurity requirements defined within the New York Code Rules and Regulations (NYCRR) Title 23 Part 500 leads the way in pushing organizations to leverage a CISO and establishing cybersecurity programs. John P. Melville, Commissioner, New York State Division of Homeland Security and Emergency Services stated, “Cyber-attacks on individuals, businesses, and government agencies have increased exponentially in recent years, so it is vitally important that New Yorkers safeguard their personal information and remain alert to potential scammers.”
New York is recognizing that cyber-attacks are continuing to escalate and finds it necessary to implement regulatory standards to drive organizations to assess their risk profile, and implement or enhance a cybersecurity program aligned with their risk to best protect customer information. In a recent press release, Financial Services Superintendent Maria T. Vullo stated, “The data breach at Equifax demonstrates the necessity of strong state regulation like New York’s first-in-the-nation cybersecurity actions.” While New York is first in the nation, hopefully it is not the last, as it is setting the stage for other states and organizations to begin defining robust standards on securing sensitive data.
We have come a long way, but still have far to go. Companies are moving away from asking how much cybersecurity costs, and moving towards asking how much it costs not to. However, we need to remove the question all together and integrate cybersecurity into the business culture, and start asking how can we sustain security as the cyber-landscape changes.
Change is coming and is constant. Markets change, competitors change, consumers change, technologies change, and cyber threats change. It is now time for organization’s culture to change. Cyberattacks are becoming more sophisticated and costly. From WannaCry to Petya, organizations need to practice vigilance and incorporate patches, updates, and communication strategies quickly to reduce the impact of these attacks. In some cases, we can begin further reducing impact by implementing intelligence driven incident response techniques, understanding the principles of cyber resiliency, and proactively addressing trends and predictions within the cyber community.
It is said computers do what you tell them to do. If a CISO’s job was to manage computers, they would soon be out of work. Luckily, and unfortunately, this is not the case. A CISO’s job is to manage the people who interact with these machines. Integrating cybersecurity into the business culture is about integrating cybersecurity into the people of the business. Companies tend to write policies, spend thousands of dollars on tools and technologies to enforce the policies, and then discipline employees for breaking policies. This may work best in military structures, but it is not an effective approach for private organizations, especially those seeking to balance their employee retention rates.
One strategic and productive approach is to first dive into your people, processes, and technologies (PPT) already in place, gaining a deep understanding of why they do what they do. Follow this by mapping outcomes to customer or service expectations, ensuring that the PPTs are enabling quality and trust while sustaining competitive advantage within the industry. Then seek process efficiencies that leverage people and technology capabilities. It is here that policies can be applied to ensure identified processes and technology perform as defined. This promotes employee buy-in for policies and ultimately security across the organization. This also enables cultural transformation, because employees are viewing the concepts of policies and cybersecurity as something they already do rather than new regulations they must adhere to overnight (warm pot meet hot pot).
Gartner’s Six Principles of Resilience for Digital Business Risk and Security
Remember, focus on defining people, processes, and technology, while leveraging the people to gain their buy-in towards cybersecurity implementation. These are concepts being highlighted within Gartner’s Six Principles.
Principle No. 1: Stop Focusing on Check Box Compliance, and Shift to Risk-Based Decision Making
Principle No. 2: Stop Solely Protecting Infrastructure, and Begin Supporting Business Outcomes
Principle No. 3: Stop Being a Defender, and Become a Facilitator
Principle No. 4: Stop Trying to Control Information; Instead, Determine How It Flows
Principle No. 5: Accept the Limits of Technology and Become People-Centric
Principle No. 6: Stop Trying to Perfectly Protect Your Organization, and Invest in Detection and Response
Principle No. 1 “Stop focusing on check box compliance, and shift to Risk-based decision making,” implies an understanding of business risk associated with the people, processes, and technologies that enable the business to function, and not exclusively IT risk. Simply put, examine ‘what do we do and why’, identify business risk profile, then apply appropriate protections that enable the organization to meet customer expectations (product quality, company trust, service confidence, etc.).
The fourth principle, “Stop Trying to Control Information; Instead, Determine How It Flows,” asks leaders to understand how their data moves in and out of their organization (again, processes). Many organizations currently fail to know where their data is going and how it gets there, and instead focus on implementing controls to meet regulatory compliance that manages data flow “on paper.” For many, data is the business, data is commodity worth billions of dollars, and should seek to obtain cyber resilience by examining the people, processes, and technology that interact with data and undergo a digital transformation, “by identifying the strategic objectives, identifying the right technology solutions, identifying operational improvements, and driving adoption” (MSSBTI).
MSSBTI is working to guide organizations through digital transformation objectives, and will be conducting several workshops in the first quarter of 2018. One of the workshops provides an evaluation of Gartner’s ‘The Six Principles of Resilience for Digital Business Risk and Security’ resulting in the development of strategies and roadmaps for establishing cyber resiliency within your organization. Learn more about the Cyber Security Workshop here.