By Valarie Findlay
For as much as “white-hat” technologists (the good guys) have made advancements, it has become abundantly clear that the risks remain and go beyond technological vulnerabilities and remedies. In other words, cyber-threats have become much more than surreptitious, malicious software that attack our assets; likewise fighting cyber-threats doesn’t always require a technical safeguard.
Formed decades ago, the axioms and what we have come to believe about cyber-security and the characteristics of cyber-threats persist, but these outdated notions only stand to hinder efforts, ignoring the capabilities of the new threat landscape
Naturally, security controls and risk management have been, and will remain to be, revolving themes in discussions on improving cyber-security, but at the policy level we’re still fighting these battles as we did in the 1990s. The old-school approaches, such as “shared responsibility” between stakeholders and enforcement through pseudo-regulatory measures, aren’t working and won’t – and here’s why.
Domains and Asymmetry
Cyber-threats are rooted in unbridled, malicious innovation and the results are constantly evolving technologies with increasingly complex attack vectors. Additionally, cyber-threats have become asymmetrical, designed to capitalize and exploit multiple domains – the various avenues of opportunity for information-gathering and acquisition of an asset or target. Years ago, exploits occurred through primarily network vulnerabilities, but today they can originate in one or many domains, including physical, application, device, resource (people) and policy security.
For that reason, an organization’s cyber-security framework must consider more than just technological responses to threats; it must consider design, development and implementation of practices and measures across various domains to collectively address threats. However, technological “tunnel-vision” – that the only means to counter a cyber-threat is through cyber-defence – is rampant.
We already know that often cyber-threats target “inherent-to-the-design” vulnerabilities, and also deficient maintenance practices and misidentified assets that result in a lower security posture. Like the emperor’s new clothes, a false sense of risk mitigation shields exposure and liability leading to unnecessary technological safeguards acquired under the auspices of “hardening the environment.” Eventually these fail and diminish in their returns and new safeguards are sought, further draining the IT budget.
A crucial step in moving beyond “technology as a solution” is the development and implementation of an effective, well-implemented, cross-domain cyber-security framework, as well as instituting supportive processes and accurately identifying organizational assets and their value to threat actors. If the problem is anchored in exploiting multiple domains, the solution must address the vulnerabilities of those domains.
But before all of this frame-working and planning starts, a shift in mindset should occur: we need to start thinking differently about cyber-threats.
Think Like The Criminals
In order to drive this shift in thinking, three concepts should be adopted and should lead the prevention and detection phases of cyber-security:
1 Think and plan like the “bad guys” – Face it, the “bad guys” are winning. In part because that is their full-time job and it is part of their daily practices. With technology outpacing our efforts to implement countermeasures, and legislation lagging behind, it’s time we adopt a new strategy. Foundationally, cyber-security approaches must mirror the approaches of the actors behind cyber-threats we’re trying to prevent; approaches must be cross-domain and asymmetrical, target and asset-focused, and differentiated by committed, skilled resources. This becomes more important where electronic assets – telemetry, biometrics and trace evidence records – require a higher level of integrity due to the asset’s applied value.
2 Targets are as important as assets – No one puts a lock on a door to prevent the theft of the door. Often we forget to view targets along with assets, as well as their value, but as distinctly different entities. Not unlike a property crime, for a criminal there is the thing you want to get and the stuff you have to break to get it; think of targets as the stuff that needs to be broken. By adopting this perspective, one starts to view security safeguards not as single remedies but as part of a layered approach to protect an asset.
Targets may be laptops, devices and databases (that store an information asset), device firmware (that stores configuration values), electronically-locked rooms (that store documentation, controlled substances ammunition, evidence, etc.) or network connections (that transmit asset data). Assets are the Holy Grail of your threat actors and can vary in criticality or classification and require securitization to maintain organizational integrity and reputation, availability, confidentiality and credibility of data, public safety, and investigative and judicial processes.
3 Threat actors are less important than threat scenarios – As much as profiling a threat actor is important to downstream intelligence formulation, in the earlier stages of prevention and detection (and sometimes, deterrence) the focus must be on the actual threat scenarios: theft, modification, destruction/disruption and in some instances, planning and executing (surveillance, etc.). Understanding these operational-level exploits will dictate the required countermeasures of protection, much more than understanding the modus operandi of the actors. Basically, this considers the possibility and probability of threat scenarios and the associated damages should the asset be breached; it forces the valuation of the asset from the perspective of the malicious actor.
“They Weaponized Pikachu!”
It’s true. Although a low-level means to extract credit card numbers while silently installing further viruses and recording data from unsuspecting Pokémon-Goers, the Pokémon malware has fed the coffers of who knows who. Not uncommon and often paired with ransomware, it’s still a threat, and the weaponization of technology and its introduction to secure environments remains one of the most serious advancements in recent decades.
Appropriately enough, in his book “The Art of War” Sun Tzu said, “If you know your enemies and know yourself, you can win a hundred battles without a single loss.” While lofty, it holds substantial truth – knowledge is everything and armament doesn’t hurt either. In this context, technology has augmented criminal tradecraft of the theft, modification and destruction of data, as well as key planning, espionage and surveillance activities. In the post-Snowden security climate, the civic laws of cyber-security have evolved to emphasize personal and classified data security and impacts to privacy and integrity increasing liability in these areas.
Knowing and responding to these concepts in an operational environment refines the new constructs of cyber-security. More and more, the weaponization of technology is a reflection of the sophistication of threats and their ability to leverage the various security domains: the more domains that are accessed to breach sensitive information, the more asymmetrical and more difficult to counter the threat.
Single Point (Domain) Failure
A domain failure is essentially when only the most obvious domains are secured, such as an organization’s network and connected devices meet the required security posture, but its software and device updates and patch management policy is weak or non-existent. The maintenance falls apart and the security posture collapses, allowing for unknown vulnerabilities to leak through.
Similarly, weak employee screening or access policies may allow for unauthorized, uncredentialed access to sensitive assets, relying strictly on their physical hardening to protect them. In this case, if a cross-domain, multi-layered approach is in effect, this will balance the risk-stress over several domains to close gaps and to act as a failback. Anything less amounts to leaving the lights on and doors open for the malicious actors.
Moving to cross-domain (or multiple domain) and multi-layered security approaches will increase initial resource costs, but the downstream benefits will make up for the upfront investment. Also, the higher degree of compartmentalization and isolation of security approaches is going to improve prescriptive countermeasures and increase the ease of maintenance and agility of the environment once implemented.
Here are some examples of detailed domain categories that would make up a framework, and eventual security assessment:
- Corporate security policies and procedures – documentation that makes the organization and its resources act and behave in a certain way;
- Physical security – traditional hard-wall, room and building security;
- Resource security – your people, their screening and their access to things;
- Device security – techy stuff;
- Network security – more techy stuff;
- Network and Application Development (as in OSI layers) security – really techy stuff;
- … and possibly more depending on the organization.
There Is No End Game
Behind every malicious threat is a human – for now – and cementing a proven cyber-security framework will be easier today than when the Internet of Things, machine-to-machine learning and custom cipher technology bear down on our systems, delivering unbelievably complex threats. Not unlike countering other criminalized activities, communication and collaboration remain to be effective methods to “close command and control” of an active threat.
But until we master that dialogue and the means to share information, threat mitigation and vulnerability management must become part of the daily conversation and habitus of organizations. Adopting a higher strategic view along with multi-disciplinary, short-cycle approaches and renewable cyber-security practices, organizations will evolve to continuous assessment as an ongoing activities, instead of an end-game.
Valarie Findlay is a research fellow for the Police Foundation (USA) and has two decades of senior expertise in cybersecurity and policing initiatives. She holds a Masters in Terrorism Studies from the University of St. Andrews.