Be threat-led, but be monumental in the real-world

Be threat-led

Allow me to offer you a piece of Cybersecurity advice: be threat-led, but be monumental in the real-world. This is purely pragmatic advice. In my interactions with peers I often encounter those who worry about threats that most likely will never affect them. This is generally an honest mistake but it can lead to some serious misdirection. Defensive security teams have limited resources and need to stay focused on threats that matter, threats that are real.

Over time we develop keen instincts that lead us to think of many angles and imagine many edge cases. But focusing on events that are unlikely to happen can lead to wasted resources and important areas left unprotected. Some of my observations and commentary below might be cynical. But when you have been in this game since the 90’s certain real world perspectives develop.

Nation State Threats

The bad news is that, yes, these are very real. The good news is that to a nation state the majority of businesses out there are probably not interesting. For example, if you are selling Pokémon cards online I doubt a nation state is targeting your online presence and/or database(s) right now.

FOSS Threats

There has been a lot of talk lately about securing Free Open Source Software (FOSS). And yes, there are security issues in that space (as with most pieces of software). But if one steps back and analyzes the sheer volume of code that exists in FOSS projects, do you really think that you, by focusing on this issue, are going to have an impact? Couple that volume with the fact that in 2022 so many developers, especially FOSS contributors, still honestly don’t care about security, and you have to ask yourself whether this is really a space worth your resources (energy, attention, etc.).

Insider Threats

I have given this area much thought throughout my career. When I worked in the federal government this was a major concern. But truth be told most mere mortals are downright scared of getting in deep trouble (prison time, etc). This puts them in a conflicted state where their level of disgruntlement takes a back seat to the fear of being taken away in handcuffs.

Now there are of course those anomalous cases where an insider (typically a malicious/disgruntled employee or contractor) does lose touch with reality and takes nefarious action. They do have a great advantage in the domain knowledge gathered throughout their employment. But, an “insider” can also be an infiltrated foreign/corporate spy. Hah, caught ya 🙂

Admittedly, if you are an important enough entity to attract the attention of a nation state this type of threat is real.

Vulnerabilities in SaaS products

There is an undeniable trend to not want the headaches of hosting anything these days. As such, cloud based solutions, in particular Software as a Service (SaaS) solutions, are very popular. But they have bugs and security weaknesses too. Should you focus on getting those fixed? Can you actually get any of them fixed? Maybe you can, if you are Netflix or Disney and you go to AWS asking them to fix/address something. But normal sized companies, especially in the SMB size range, don’t have that kind of influence and probably have limited security resources. This means SaaS security might be an area that yields very little for possibly a lot of effort. What you can control is your side of the shared-responsibility line: who has access, how it is authenticated, and what the service is allowed to reach.

Zero-Day Vulnerabilities

A zero-day vulnerability is simply one that the vendor and defenders do not yet know about, so no patch exists. It loses that status once it becomes known and a fix ships, which often happens precisely because someone noticed it being exploited. That means there is a window of time between first use and disclosure when nefarious actors can take advantage of the vulnerability in question. But these are not easy to discover, and the discovery process typically requires a very advanced skill set.

In the past many CISOs led with FUD, and zero-days fed very nicely into that horrible strategy. The exploitation of a zero-day is containable if your security program is properly thought out and has enough protective layers: the initial exploit may succeed, but the attacker’s next steps (privilege escalation, lateral movement, data exfiltration) are what least privilege, segmentation, endpoint detection and egress filtering are there to catch. The bottom line with zero-days is that they are few and far between. Frankly, there isn’t much you can directly do about them unless you have a research team hunting them down full time.

Real-world Threats

It’s March of 2022 and relatively speaking gone are the days of hacking for bragging rights; this has become organized and is now big business. Many of those script kiddies grew up and realized they could make money off this stuff. But like most businesses there are reality based rules and constraints. This means the bad guys have agendas, bosses and resource constraints just like we, the defenders, do. Phil Venables did a great write up on this exact subject, definitely worth a read.

So taking the business approach to analyzing the world of Cyber crime leads us to acknowledge that efficiency is a positive for these nefarious actors. Efficiency leads to steady money. And so, for instance, we now see frameworks providing attack technology for rent. Why write custom code when you can just rent it? Re-usability comes into play as well: if something becomes repeatable then it leads to good business.

It isn’t just about the threats. If we take emotion out of the equation it becomes pretty clear that what most organizations need is basic Cyber hygiene. They just need to get back to the basics and build from there. They need to pragmatically put controls in place that are relevant. Relevance is important here. For instance implementing a specific SIEM “because this is what mature organizations have/do” is a wrong reason for this action.

Some areas to focus on

Modern day Cybersecurity is challenging and complex in both breadth and depth. We have to cover many areas while remaining pragmatic and focused. Moreover, every organization has different needs, even if the differences are slight. The following sections are high level thoughts and they by no means represent an exhaustive list:

Ransomware and phishing

Ransomware and phishing attacks are obviously very real. They require much attention due to the evolving sophistication we are encountering. The days of the solution being “having good backups” may be behind us: many ransomware crews now steal the data before encrypting it and threaten to publish it, so a clean restore no longer ends the incident. We need to be far more proactive. End user awareness has proven to wear off over time, so we continuously have to remind users to be vigilant (amongst other things). Going back to the hygiene point, and spilling into the reactive, we also have to make sure all relevant sources of log data are being collected. And then, once centrally available, all of that log data has to become actionable intelligence via analytics.
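To make the “log data has to become actionable” point concrete, here is an added example (not code from the original post) that runs two small detections over constructed sample logs: a login success that follows a burst of failures for the same account, which is what a phished or sprayed credential often looks like in authentication logs, and a burst of file renames to ransom-note style extensions on a file share. The log format, field names, thresholds and the sample lines are all assumptions made for the example.

```python
"""Two detections over constructed sample logs: phished-credential use and a ransomware rename burst."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
FAIL_THRESHOLD = 4                      # failures before a success that we treat as suspicious
FAIL_WINDOW = timedelta(minutes=2)
RENAME_THRESHOLD = 5                    # renames to a ransom-style extension inside RENAME_WINDOW
RENAME_WINDOW = timedelta(seconds=60)
RANSOM_SUFFIXES = (".locked", ".encrypted", ".crypt")   # assumed indicators, extend per your intel

# Constructed sample log lines (not real data). Format assumed: "<utc ts> <source> k=v k=v ...".
SAMPLE_LOGS = """
2022-03-14T09:00:01Z auth user=alice src=203.0.113.5 result=fail
2022-03-14T09:00:09Z auth user=alice src=203.0.113.5 result=fail
2022-03-14T09:00:20Z auth user=alice src=203.0.113.5 result=fail
2022-03-14T09:00:31Z auth user=alice src=203.0.113.5 result=fail
2022-03-14T09:00:45Z auth user=alice src=203.0.113.5 result=success
2022-03-14T09:01:10Z auth user=dave src=198.51.100.9 result=fail
2022-03-14T09:01:30Z auth user=dave src=198.51.100.9 result=success
2022-03-14T09:02:00Z auth user=bob src=198.51.100.7 result=success
2022-03-14T09:05:10Z fileop user=bob action=rename path=/share/q1.xlsx new=/share/q1.xlsx.locked
2022-03-14T09:05:15Z fileop user=bob action=rename path=/share/q2.xlsx new=/share/q2.xlsx.locked
2022-03-14T09:05:22Z fileop user=bob action=rename path=/share/plan.docx new=/share/plan.docx.locked
2022-03-14T09:05:30Z fileop user=bob action=rename path=/share/hr.pdf new=/share/hr.pdf.locked
2022-03-14T09:05:41Z fileop user=bob action=rename path=/share/ops.pptx new=/share/ops.pptx.locked
2022-03-14T09:30:00Z fileop user=carol action=rename path=/share/a.txt new=/share/b.txt
this line is junk and must be skipped
""".strip()


def parse_line(line):
    """Parse one '<ts> <source> k=v ...' line into a dict; return None for unparsable lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], TS_FORMAT)
    except ValueError:
        return None
    event = {"ts": ts, "source": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def _trim(window, now, span):
    """Drop timestamps older than `span` from the left of a per-user sliding window."""
    while window and now - window[0] > span:
        window.popleft()


def detect_success_after_failures(events):
    """Alert when a user logs in successfully after FAIL_THRESHOLD+ failures within FAIL_WINDOW."""
    alerts, failures = [], defaultdict(deque)
    for ev in events:
        if ev["source"] != "auth":
            continue
        window = failures[ev["user"]]
        _trim(window, ev["ts"], FAIL_WINDOW)
        if ev["result"] == "fail":
            window.append(ev["ts"])
        elif ev["result"] == "success" and len(window) >= FAIL_THRESHOLD:
            alerts.append(f"{ev['ts']:%H:%M:%S} auth: {ev['user']} succeeded from {ev['src']} "
                          f"after {len(window)} failures within {FAIL_WINDOW.seconds}s")
            window.clear()
    return alerts


def detect_rename_bursts(events):
    """Alert once per user when RENAME_THRESHOLD+ renames to RANSOM_SUFFIXES land within RENAME_WINDOW."""
    alerts, renames, alerted = [], defaultdict(deque), set()
    for ev in events:
        if ev["source"] != "fileop" or ev.get("action") != "rename":
            continue
        if not ev.get("new", "").endswith(RANSOM_SUFFIXES):
            continue
        window = renames[ev["user"]]
        _trim(window, ev["ts"], RENAME_WINDOW)
        window.append(ev["ts"])
        if len(window) >= RENAME_THRESHOLD and ev["user"] not in alerted:
            alerts.append(f"{ev['ts']:%H:%M:%S} fileop: {ev['user']} renamed {len(window)} files "
                          f"to a ransom-style extension within {RENAME_WINDOW.seconds}s")
            alerted.add(ev["user"])
    return alerts


def run_detections(log_text):
    """Parse, sort by time (sources arrive out of order), and run every detection."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return detect_success_after_failures(events) + detect_rename_bursts(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOGS):
        print(alert)
```

Both detections are deliberately per-user sliding windows rather than global counters, because a single noisy account should not hide or trigger an alert for another. The thresholds are the part you tune against your own baseline; the structure (collect, normalize, sort, window, alert) is what survives a change of log source.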

Endpoint

Endpoint concerns (including the human at that endpoint in the case of laptops/desktops) are in abundance. Preventative measures against standard-fare malware are table stakes now. This just has to be in place. Limiting other attack surfaces, such as Office macros in documents that arrived from the Internet, requires some diligence but can go a long way toward a stronger posture for an organization. Another obvious control that is now becoming commonplace is multi-factor authentication (MFA).

Users

User concerns will always be around. Until an organization can go fully passwordless, and/or implement a real zero trust environment (not a trivial task, and no product X by itself can solve all of your zero trust needs), using a password manager will prove very useful.

Incident Response

There will be breaches, problems, outages, events, incidents, etc and so having a formal and documented incident response plan/program will prove invaluable. When something happens, you need a tested and repeatable way of responding irrespective of what human is at the helm.

Resilience

Resilience is an area that requires some focus. Roughly speaking, resilience is the combination of an organization’s Business Continuity Plans (BCP), Disaster Recovery (DR) plans and any proactive measures (Global Server Load Balancing (GSLB), high availability architectures, etc.) aimed at increasing the availability of its solutions. Sometimes resource constraints force a focus on just those elements that are critical, and those are often identified by a crown jewel analysis.

Proactivity

Being proactive should be a goal for every Cybersecurity and/or Information Security program to strive for. This hopefully puts you in a position such that when something happens you have a way of preventing it from escalating into an all-out breach. Techniques here range from the use of Web Application Firewalls (WAF) to implementations of Intrusion [Detection | Prevention] Systems (IDS/IPS) that help you detect and possibly block nefarious activity. Automation is another area where some investment may prove worthwhile; you just have to be strategic about it and focus on areas relevant to your organization.

Patching

The age old practice of patching is still a must and can spare you some serious heartache. And yes, patching sometimes causes problems, but a few simple steps mitigate that risk. Have non-production instances of your solutions available, so that patches are applied there first and verified by your automated regression suites, or an army of manual testers, before being pushed to production systems.

API

Irrespective of the size of your organization, at this stage in the tech game your organization most likely has a web presence (e.g. web applications, web sites, etc.) and possibly web based Application Programming Interfaces (API). Securing those areas is obviously critical and approaches range from code level reviews (i.e. shift left, SAST, etc.) to implementations of Web App Firewalls (WAF) to the use of Dynamic Application Security Testing (DAST) tools. Pay close attention to protecting your APIs, as that can get tricky.

Cloud

Cloud security. Many of the elements already covered apply to securing cloud hosted resources. In particular we can focus on securing/protecting data stored on cloud resources. Typically this is data at-rest (e.g. files stored on some cloud storage) or data stored in some data store (e.g. a relational database (DB), key/value or NoSQL DB, etc.). In the case of files let’s be explicitly clear: volume/disk encryption is NOT the same as file encryption. Volume encryption protects the data only while the disk is detached or powered off; once the volume is mounted, every process and every identity with access to that host reads plaintext, which is exactly the position a compromised instance or an over-privileged admin is in. File or application level encryption keeps the data as ciphertext to anything that does not hold the key. So when folks claim their data is secure at-rest, and the basis for this claim is volume encryption, their claim is arguable. Native file level encryption is different, and a hybrid approach (both layers, with the file-level keys held separately from the hosts) makes a lot of sense. Here is a good simple breakdown of this area.

Third Party Risk Management

Closely scrutinize your third-party vendors. Your vendor on-boarding process should be fairly thorough and followed up with periodic checks to ensure that all is still in order. Your procurement folks won’t like the delays caused by thorough checks but it is a core component of a good strategy to protect your organization.

Attack Surface Management

Having an asset / software inventory is absolutely critical in this day and age. But more important is what you do with that data.

Your asset inventory should be a critical component of your overall attack surface management strategy. The awareness you develop about your attack surface, and its continuous evolution, is super important and should be a major source of directive data in terms of where to focus some protective resources.

Your software inventory gives you a more granular perspective within those assets. If you have good threat intelligence sources, or have a dedicated team doing vulnerability management/discovery, then joining those data points with elements from your software inventory (which hosts run the affected product and version, and which of them are exposed) can again help you be strategic in terms of where to expend resources.
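Here is an added example (not code from the original post) of that join. It takes a constructed asset inventory with per-host software versions and exposure, a constructed advisory feed, and ranks the resulting findings so that an internet-exposed host running a product with an actively exploited flaw lands at the top. The advisory identifiers (HYP-2022-00x), products, versions, exposure labels and the scoring weights are all assumptions made for the example; the feed format is not any real vendor’s.

```python
"""Join a software inventory with an advisory feed and rank what to fix first (constructed data)."""
import re

# Constructed asset/software inventory. `exposure` is assumed to come from attack surface discovery.
ASSETS = [
    {"host": "web-01",  "exposure": "internet", "software": {"nginx": "1.18.0", "openssl": "1.1.1k"}},
    {"host": "db-01",   "exposure": "internal", "software": {"postgresql": "13.2"}},
    {"host": "jump-01", "exposure": "internet", "software": {"openssh": "8.4"}},
]

# Constructed advisory feed with hypothetical identifiers; `fixed_in` is the first safe version.
ADVISORIES = [
    {"id": "HYP-2022-001", "product": "nginx",      "fixed_in": "1.20.1", "severity": "high",     "exploited_in_wild": False},
    {"id": "HYP-2022-002", "product": "openssl",    "fixed_in": "1.1.1l", "severity": "critical", "exploited_in_wild": True},
    {"id": "HYP-2022-003", "product": "postgresql", "fixed_in": "13.3",   "severity": "medium",   "exploited_in_wild": False},
    {"id": "HYP-2022-004", "product": "openssh",    "fixed_in": "8.4",    "severity": "high",     "exploited_in_wild": False},
]

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}   # assumed weights
EXPOSURE_BONUS = {"internet": 2, "internal": 0}
EXPLOITED_BONUS = 3


def version_key(version):
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so dotted versions with letter suffixes compare sanely."""
    key = []
    for part in version.split("."):
        digits, suffix = re.match(r"(\d*)(.*)", part).groups()
        key.append((int(digits) if digits else 0, suffix))
    return tuple(key)


def is_affected(installed, fixed_in):
    """A host is affected when its installed version is older than the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def score(advisory, asset):
    """Higher is more urgent: severity, plus exposure of the host, plus known exploitation."""
    return (SEVERITY_WEIGHT[advisory["severity"]]
            + EXPOSURE_BONUS.get(asset["exposure"], 0)
            + (EXPLOITED_BONUS if advisory["exploited_in_wild"] else 0))


def prioritize(assets, advisories):
    """Return findings (host, advisory id, product, installed, fixed_in, score) sorted most urgent first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            installed = asset["software"].get(adv["product"])
            if installed is None or not is_affected(installed, adv["fixed_in"]):
                continue
            findings.append({
                "host": asset["host"], "advisory": adv["id"], "product": adv["product"],
                "installed": installed, "fixed_in": adv["fixed_in"], "score": score(adv, asset),
            })
    # Sort by score, then keep a stable, readable order for ties.
    findings.sort(key=lambda f: (-f["score"], f["host"], f["advisory"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(ASSETS, ADVISORIES):
        print(f"{f['score']:>2}  {f['host']:<8} {f['advisory']}  {f['product']} "
              f"{f['installed']} -> {f['fixed_in']}")
```

The point is not the particular weights but that the decision of where to spend patching and hardening effort comes out of data you already hold (what runs where, what is reachable) joined with data you buy or collect (what is vulnerable, what is being exploited), rather than out of whichever vendor emailed you last.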

Obviously, I can say much more about many of these areas. I hope to invest time in doing exactly that as things progress. Stay safe, vigilant and focus on those real threats.