People and Endpoints First: New Perspectives on Enterprise Information Risk in the Age of Nation/State Cyberattacks
Explosive data growth and an expanding pool of cyber threat actors call for new perspectives on enterprise information risk and security. Recently Blackstone CISO Jay Leek and Cylance Global CISO Malcolm Harkins met to discuss emerging best practices.
"Many of the more recent nation-state attacks have evolved from being primarily cyber crime or cyber-espionage threats to threats of destruction, disruption or retaliation."
Current Threat Landscape
Over the past year or so, we have seen that attacks from new nation-state threat actors have risen to the same level of concern as, or an even greater level than, the actors we have traditionally focused on, because of the difference in their nature. Many of the more recent nation-state attacks have evolved from being primarily cyber crime or cyber-espionage threats to threats of destruction, disruption or retaliation. This fact has resonated in a serious way with our security team, senior management and the boards of the companies we work with.
If property or data is completely destroyed or your business is taken out of service for some extended period of time, it could be catastrophic. Many companies have begun to classify this risk to their business as one of the most uncontrollable risks that they face. It is not just in the category of cyber risk, but in general, particularly if a catastrophic or destructive event were to happen to critical infrastructure they depend on to conduct business. If you think about this recent threat companies are now experiencing, someone has to first identify a gap in the infrastructure or control systems, then they have to be able to get in or exploit it, find what they are looking for, and finally they have to somehow get that data out.
The motivations of the threat actors and agents may vary over time, depending on what is provoking them. We have to consider organized crime, hacktivists, and even small groups of individuals who just have a bone to pick with an organization and who might not care about the disruption they cause, as well as the potential insider risk. Cyber threats are no longer just a nation/state issue. Over the past few months, I have learned more about a new term: ransomware-as-a-service. What this means is that ransomware has been made available to anybody at a very affordable price. Anyone with even very little money can lease the ransomware infrastructure and use it to hold an organization for ransom. These organizations must then pay large sums of money to unlock all their stolen assets. So there is this repurposing of what we would traditionally think of as targeted, nation-state attack malware for lesser purposes by smaller groups or individuals that are opportunistic in nature. Things have changed. Our adversaries are all around us. I have never been a big proponent of using fear, uncertainty, and doubt (FUD) as a motivator, but the reality of what we are dealing with often sounds like FUD if you are not careful. We have done a good job of raising the awareness of cyber threats in the media and among the general public, but a side effect is that it has also planted a few seeds in the minds of new threat actors about ways that they can capitalize on larger attack methodologies and malware.
Raising the Alarm
The real challenge lies in contextualizing the risk into the appropriate enterprise risk framework so that your executive management can understand what it might mean in terms of potential extinction events if an attack were severe enough to really damage or shut down the business or damage the company's reputation. If we can separate that challenge from all the noise we hear day to day, we can do a better job of prevention.
I am a big believer in having transparency as one of the core principles of an information risk and security program. This does not mean that we can share everything throughout all the levels of the organization, but we should have some degree of transparency. Take the example of email phishing: it is helpful for employees to be aware that these things happen and that security teams have to look into alerts and incidents every day. If they are aware that they are not living in a perfect world and that security events are happening around them, it can really help to change the mindset of the individual to be more mindful of his or her actions and the impact they can have.
We run phishing tests continuously, and that is a metric that we follow at the most senior levels of the organization. We also share results with employees and have a bit of a competition on click rates, and also on "speak up" rates for reporting something suspicious. When someone reports something that looks suspicious, we can quickly determine whether someone else in the organization received something similar and may not be as aware of the risks, so we can take action to get ahead of the problem by reaching out proactively to warn the other people. This really drives better behavior and empowers individuals to make smarter decisions.
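The two workflows just described, tracking click and "speak up" rates from a phishing simulation and, when one person reports a suspicious email, finding everyone else who received something similar, are easy to automate. The following is an added illustration written for this page, not code from the article or from either firm; the simulation results, the mail log entries and the sender/URL values in it are constructed sample data, and the field names are assumptions about how such records might be laid out.

```python
import re
from urllib.parse import urlparse

# Constructed sample data: results of one internal phishing-simulation wave.
# "clicked" = followed the lure link, "reported" = used the report button.
SIMULATION_RESULTS = [
    {"user": "alice", "clicked": False, "reported": True},
    {"user": "bob",   "clicked": True,  "reported": False},
    {"user": "carol", "clicked": False, "reported": False},
    {"user": "dave",  "clicked": True,  "reported": True},
    {"user": "erin",  "clicked": False, "reported": True},
]

# Constructed sample data: a slice of the inbound mail log. m1 is the message
# alice reported; the goal is to find other recipients of the same lure.
MAIL_LOG = [
    {"id": "m1", "to": "alice@example.com", "from": "helpdesk@examp1e-support.test",
     "subject": "RE: Password expiry notice",
     "urls": ["https://examp1e-support.test/login?u=alice"]},
    {"id": "m2", "to": "bob@example.com", "from": "helpdesk@examp1e-support.test",
     "subject": "Password expiry notice",
     "urls": ["https://examp1e-support.test/login?u=bob"]},
    {"id": "m3", "to": "carol@example.com", "from": "billing@vendor.test",
     "subject": "Invoice 1042", "urls": ["https://vendor.test/inv/1042"]},
    {"id": "m4", "to": "dave@example.com", "from": "noreply@mailer.test",
     "subject": "Fwd: password expiry notice ",
     "urls": ["http://examp1e-support.test/reset"]},
]


def campaign_metrics(results):
    """Click rate and report ("speak up") rate for one simulation wave."""
    total = len(results)
    clicked = sum(1 for r in results if r["clicked"])
    reported = sum(1 for r in results if r["reported"])
    return {
        "recipients": total,
        "click_rate": round(clicked / total, 3),
        "report_rate": round(reported / total, 3),
    }


def normalize_subject(subject):
    """Strip reply/forward prefixes and whitespace noise so variants match."""
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", subject.strip(), flags=re.I)
    return re.sub(r"\s+", " ", s).lower()


def lure_fingerprint(msg):
    """Sender domain, normalized subject and the set of link hosts."""
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    hosts = {urlparse(u).hostname for u in msg["urls"]}
    return sender_domain, normalize_subject(msg["subject"]), hosts


def find_related_recipients(reported_id, mail_log):
    """Other recipients whose mail shares a sender domain, subject or link host
    with the reported message; these are the people to warn proactively."""
    reported = next(m for m in mail_log if m["id"] == reported_id)
    domain, subject, hosts = lure_fingerprint(reported)
    related = set()
    for m in mail_log:
        if m["id"] == reported_id:
            continue
        d, s, h = lure_fingerprint(m)
        if d == domain or s == subject or (hosts & h):
            related.add(m["to"])
    return sorted(related)


if __name__ == "__main__":
    print(campaign_metrics(SIMULATION_RESULTS))
    print(find_related_recipients("m1", MAIL_LOG))
```

In this sample, bob's message matches on sender domain and link host, and dave's matches only after the subject prefix is stripped and the link host compared, which is why the fingerprint uses several weak signals rather than one exact field. On real mail logs the same three checks should be fed from the reported message's headers and extracted URLs, and the output list becomes the distribution list for the proactive warning.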
Shaping the Security R&D Agenda
I think the security professional should be focused on defining what needs protection and then finding the right niche solutions that can be integrated to implement a control system that effectively protects the needs of your organization. We are working to build the "connective tissue" that brings these different technologies together to make them work as a cohesive unit. We are doing a lot of automation and orchestration, and working with disparate vendors to bring together a cohesive control system and information security risk program that is right-sized for the firm and protects our organizations.
We have to manage the outcomes to business needs, not just check the box on the deployment of technology.
The problem, however, is that we all are suffering from the people problem. It does not matter if we have the budget to hire great security people—we just cannot find enough of them.
The ease of use of these tools for the security team is also important. Many of them burden the security team with poor usability: a high degree of complexity and a high level of skill are required to administer or use them effectively.
New Anti-Terrorism Law Passed in China: Beneficial or Disadvantageous?
On the privacy question, the challenges of law enforcement following events like those in San Bernardino and Paris are vexing, but requiring companies to put back doors in their technology is not the answer. A recent piece of commentary from the Hewlett Foundation and the Berkman Center for Internet and Society at Harvard reflected on a number of things still evolving in technology that raise difficult questions. The piece said that we must carefully consider whether providing access to encrypted communications for the purposes of thwarting terrorist acts and investigating crime might actually increase our vulnerability to these things more than it reduces them. Some are saying that we are "going dark" because consumer encryption capabilities make it hard for law enforcement to intercept communications, but that view does not fully describe the future capacity of a government to access the communications of suspected terrorists and criminals.
Certainly encryption technologies can potentially impede that, but there are so many technology developments and market forces to consider, and with the Internet of Things and new network sensors, there are other means and mechanisms that continue to evolve that will allow law enforcement to do its job. Also, not every company or user will actually deploy encryption technologies that might prevent law enforcement from gaining access. It is a vexing issue with no easy answers, other than the simplest one, which is not to build back doors that may reduce the effectiveness of security technologies. That will not work.