General Security Reflections for 2017
2017 was an exciting and terrifying year in cybersecurity news. The digital world saw an upsurge in headlining ransomware, disclosure of large-scale data leaks of personally-identifiable information, increased media coverage of nation-state-level cyberthreat activities, as well as the discovery of closer-to-the-metal issues such as various Intel Management Engine vulnerabilities, speculative execution vulnerabilities (Spectre) and the out-of-order execution vulnerabilities.
All of the above happenings represent a selection of newsworthy discoveries that stood out against the backdrop of an ever-growing body of known vulnerabilities in every layer of the modern computing stack.
The question for many enterprises in the midst of growing information insecurity might be “How can [we] navigate this kind of cybersecurity threat landscape to preserve business continuity?” For a small information security team in a non-profit tech organisation that aims to drive sustainable improvements in global wellbeing, a strong set of principles to steer the organisation’s cybersecurity is key. Here are some we’ve identified that serve as good starting points:
1. Turn cybersecurity news into actionable information for your team
After the wave of anger, frustration, and ridicule for a security scandal subsides, internalising the learnings from the event can extend the value of this knowledge beyond the current news cycle.
A key action in the wake of a security breach is reflection. Reflecting on the root causes of high-profile breaches and security scandals can help connect those events to required improvements in one’s own organisation. For example, in light of the discovery that US-based company Equifax had used ‘admin:admin’ as the login credentials to its Argentinian database, an organisation could review the password habits of its employees, identify social or technical obstructions to good password practices, and address them in order to reduce its own risk of breaches.
2. Don’t be the low-hanging fruit
Don’t let reports of breaches using Zero-Day vulnerabilities fool you: many high-profile breaches actually occur from common vulnerabilities that require little effort and expertise to exploit. The flip side of this is that these vulnerabilities are well-studied and usually straightforward to remediate — from patching and updating software to better secret management to writing code that distrusts user input.
The OWASP Top Ten is a list of the most salient web application vulnerabilities in a given year and is actively maintained by a non-profit foundation. Combined with the regular auditing and root-cause analysis from principle 1, remediating all well-known, high-risk vulnerabilities is key to ensuring that the quick win is scored by your organisation and not by its attackers.
3. Be mindful and proactive about managing risks
It’s easy to feel like a boat thrown around by the waves of the latest security panic. However, these panics should be treated as opportunities for starting proactive dialogues within your organisation to manage risk efficiently.
Key leading questions to ask when a high-profile vulnerability is discovered: Is this vulnerability or exploit relevant to my organisation’s human or software stack? How is it exploited? What is our attack surface on the affected platform? Have we been exploited yet? This can help with determining whether your organisation should mobilise in response to the finding.
That being said, the inability to mobilise in response to a relevant threat is often the reality for many enterprises. In these scenarios, fatalism is intuitive but inappropriate. The truth is that prevention is not, and should not be, the only strategy that can help your organisation manage its security risks. When prevention is infeasible owing to operational, resource, and/or technical constraints, deeper insight into the organisational risk landscape can allow you to spend energy on building technical and legal damage-control mechanisms to attenuate immediate risk until you can remediate the core vulnerability.
4. Look beyond tech, look beyond the now
What are the effects on data law and international policy if a multi-national charitable foundation is breached, leaking millions of personal records of its beneficiaries? How might that affect the operating ability of organisations like it? What does that mean for the trust relationships between the relevant actors in this scenario?
It is important to be mindful that cybersecurity threats do not exist in a vacuum — they are deployed within, and enabled by, human sociopolitical contexts, in service of sociopolitical goals. As lawmakers scramble to produce legal frameworks to support our increasing interdependency with data and technological services, high-profile cyberattacks often occupy key narrative positions in the journey to robust cyber governance.
With this in mind, high-profile cyberattacks can serve another function besides being case studies for security readiness: they could be flags for key shifts in the operational contexts of your organisation.
The ability to recognise these shifts and align your business strategy accordingly could be key in managing possible obstructions to its growth and ensuring your organisation stays relevant. By looking beyond the immediate, technical impact of cybersecurity scandals, and observing their ripple effect on the sociopolitical contexts of your organisation, you could gain valuable insight into its path ahead and leverage this information in service of your organisation’s longevity.
All of the above principles assume that your organisation already has a robust threat intelligence strategy; one that keeps up with the latest news and developments in cybersecurity while simultaneously filtering the ‘signal’ from the ‘noise’.
As vulnerability disclosure in social media and peer-to-peer information sharing become serious competitors to traditional top-down disclosure protocols from vendors, one could reasonably expect improved visibility of cybersecurity scandals and vulnerabilities in vended hardware and software. So brace yourselves and your security management processes for more threat intelligence than ever before — 2018 is going to be a hell of a ride.