TOP 10 Cyber Security Shortfalls 2018

Acklost.net
7 min read · Oct 15, 2018

As cyber security professionals we understand how a Top 10 approach can be useful to broadcast security awareness messages and to avoid common security mistakes, for example the OWASP Top 10 or the PortSwigger Top Ten Web Hacking Techniques.

Having almost two decades of security experience, I would like to shortlist my personal Top 10 with a special focus on the most common shortfalls of a cyber security strategy. I find the Top 10 approach too focused on specific security specializations, for example web application security, so I would like to enlarge the picture to the most common MISTAKES in the overall company cyber strategy, listed below:

1. Being RISK FOCUSED, instead of being THREAT FOCUSED

Risk governance plays an important role in defining a security strategy, but a narrow risk focus can make you forget that risk is only the result of a threat and, unfortunately, threats are in continuous evolution. The success of worldwide recognized projects like MITRE ATT&CK highlights how a threat modeling approach is nowadays a must, keeping changes in risk continuously monitored. If companies don’t evaluate threats one by one, they will struggle to figure out the overall company risk and security posture. Threats are not just a sterile IT technical analysis; in fact each line of business presents different threats and attack trends. For example, consider how a retailer adds security complexity through the payment terminals in its physical stores, or faces specific attack trends like malicious JavaScript credit card skimmers, for example Magecart. If your company has a threat model, keep it continuously up to date with threat feed updates. Your company will start to have a winning strategy by adding the attacker’s view to the picture.

2. Being ASSET CENTRIC, instead of DATA CENTRIC

An asset inventory is a wise and mandatory step to start mastering the ISO 27001 framework. Having an asset inventory is a requirement, but the cloud transformation to PaaS, SaaS and FaaS is shifting attention to the real value of your company, which is DATA. Unfortunately it isn’t rare to know all the assets involved in a cyber incident but to be missing a basic data flow and data inventory to hand to a data breach manager or a forensic professional. It is important to know which assets your company owns, but at the same time ephemeral cloud environments can complicate the picture. Protecting your company’s data, together with its assets, has to be the first focus. Data Loss Prevention investments are a key element of a successful cyber strategy.

3. NOT investing in FORENSICS, instead of EMPOWERING continuous FORENSIC analysis

Security vendors have pushed hard on highlighting how visibility is vital to business success (see Threat Hunting and SOC 2.0), but still today the average time to discover an attacker within a company network is too long and remains close to the first 2015 analysis of an average of 98 days (source: Ponemon Institute research). Fileless malware and complex APT attacks, based on a multitude of exploitation techniques, should force a cyber strategy to consider how forensics supports the business in understanding, in a timely manner, how to react to a cyber incident. Pentesting and Threat Hunting are mandatory assets in a modern company’s security strategy, but continuous forensic automation is also the key to a prompt reaction to cyber incidents, with a clear direction toward understanding the overall kill chain of an attack. Considering forensic integration in a company’s security architecture road map is a responsible decision and a sure long term return on investment, which also shows valuable due diligence to regulators and customers.

4. UNDERESTIMATING the INTERNAL THREAT, instead of tailoring an INTERNAL THREAT STRATEGY

In almost 20 years of security history, the internal threat still scores high among company threats. Aggressive business outsourcing strategies, and access to marketplaces perceived as secure for selling company information, like the Dark Web, have amplified an organized crime ecosystem that abuses the weak link in a company’s security posture. Tackling the problem is complex and needs joint efforts across intelligence activities, Data Loss Prevention policies, HR management, company policies, management and law enforcement. The complexity of the topic mandates an ad-hoc strategy that considers company processes, social engineering and technology layers. Considering internal threats only as another threat to be added to the list, without evaluating the privileged access that an internal resource can have and how disruptive its exploitation can be, invalidating massive investments in your security program and strategy, is a big mistake.

5. FEAR isn’t a cyber strategy: focus on RECOGNIZING employees’ and partners’ EFFORTS to contribute to your security strategy

Simulated company phishing exercises are becoming the standard across the industry, and continuous marketing campaigns hammering on the risk of GDPR fines are establishing a constant fear of failure. If a scared employee panics at each mail received, your company’s productivity could decrease. If a simulated phishing exercise is the only tool used to analyze a difficult problem, instead of thinking about the big picture, for example with a zero trust architecture focused on how to mitigate and reduce the attacker’s technical capabilities, the security strategy will not win in the long run. Be sure to recognize the efforts of your employees, for example by thanking them for the results obtained, gamifying the phishing exercise by sending congratulations to whoever flagged the mail for further analysis, and publishing the overall results to show the positive step by step progress, avoiding a fear vibe.

6. Considering a DATA BREACH an EXCEPTIONAL event, instead of having DATA BREACH RUNBOOKS

The shortfalls of business continuity are well documented in a multitude of books. Unfortunately the same is happening with incident response failures, and even though newspapers never stop beating the drum about data breach errors, some organizations still consider a data breach an alien event to be handled on an ad-hoc basis for each cyber incident that comes in. In the same way that first responders’ training can save a life, in business terms a data breach management process can limit business damage. Just as your company schedules disaster recovery testing, it should test data breach management, considering how prompt internal and external communication to regulators and customers can contribute to success, as required by the NIS directive and the GDPR. Don’t do it only for the potential economic impact, but make it part of a solid cultural shift across the entire organization.

7. Not considering COVERT CHANNELS, instead of THINKING LIKE AN ATTACKER

Keeping your knowledge of other companies’ security incidents up to date through case studies can be a good way to maintain the big security strategy picture, but it is not always enough. Covert channels are the attacker’s simple solution to exfiltrate data and hide it, passing under the radar. There are a multitude of covert channels, and some are strictly related to the technique used to hide the data, for example steganography. It is sad to be aware of common attack patterns like DNS exfiltration and yet see so little investment against one of the most famous ways to slip past monitoring. Just checking how many pentest tools implement DNS covert channel communication should be a simple alarm bell, but unfortunately it is not always the case. As I wrote, there are many covert channels to worry about; proper threat modeling and security architecture should help to show them all. Thinking like an attacker is a mandatory skill to design an effective cyber strategy.
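A minimal defender-side check for the DNS covert channel pattern mentioned above, written as an added example for this post (it is not the author's code): it parses a few constructed resolver log lines and scores each client/domain pair on subdomain length, character entropy, subdomain uniqueness and TXT query ratio, which is how tunnelling traffic tends to stand out from ordinary lookups. The log format, the thresholds, the `c2-placeholder.test` domain and the random-looking labels under it are all assumptions made up for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not real traffic), one query per line:
# "<timestamp> <client_ip> <qname> <qtype>". The labels under
# c2-placeholder.test are random-looking strings invented for this example.
SAMPLE_LOG = """\
2018-10-15T09:00:01Z 10.1.2.3 www.example.com A
2018-10-15T09:00:02Z 10.1.2.3 mail.example.com A
2018-10-15T09:00:05Z 10.1.2.3 cdn.example.com A
2018-10-15T09:00:06Z 10.1.2.3 www.example.com A
2018-10-15T09:00:07Z 10.1.2.3 www.example.com A
2018-10-15T09:01:00Z 10.1.2.7 k3vq8zmx1pyd5tw9hcjr.c2-placeholder.test TXT
2018-10-15T09:01:01Z 10.1.2.7 n7sg2blf4uoe6ai0rzkq.c2-placeholder.test TXT
2018-10-15T09:01:02Z 10.1.2.7 w1yc9dmh3xvt5jpn8bfs.c2-placeholder.test TXT
2018-10-15T09:01:03Z 10.1.2.7 p4rz0kqa6ewl2nhu7gxm.c2-placeholder.test TXT
2018-10-15T09:01:04Z 10.1.2.7 t6ojb5ckf1qrm3svd8zy.c2-placeholder.test TXT
2018-10-15T09:01:05Z 10.1.2.7 h2uex9pgn4wa7lbv0ikc.c2-placeholder.test TXT
2018-10-15T09:02:00Z 10.1.2.9 www.example.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain, registered_domain).

    Assumes the registered domain is the last two labels; a real deployment
    would use the Public Suffix List so that names like example.co.uk are
    handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, qname, qtype); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield tuple(parts)


def detect_dns_tunnelling(text, min_queries=5, min_mean_len=16, min_entropy=3.0):
    """Score every (client, registered domain) pair and return the suspicious ones.

    Tunnelling stands out as many distinct, long, high-entropy subdomains
    to one domain, often with an unusual share of TXT queries. Thresholds
    are assumptions to be tuned against your own baseline.
    """
    stats = defaultdict(lambda: {"queries": 0, "subs": set(),
                                 "len_sum": 0, "ent_sum": 0.0, "txt": 0})
    for _ts, client, qname, qtype in parse_log(text):
        sub, dom = split_qname(qname)
        s = stats[(client, dom)]
        compact = sub.replace(".", "")  # dots carry no information for entropy
        s["queries"] += 1
        s["subs"].add(sub)
        s["len_sum"] += len(compact)
        s["ent_sum"] += shannon_entropy(compact)
        if qtype == "TXT":
            s["txt"] += 1

    findings = []
    for (client, dom), s in stats.items():
        n = s["queries"]
        if n < min_queries:
            continue  # too few lookups to judge
        mean_len = s["len_sum"] / n
        mean_ent = s["ent_sum"] / n
        unique_ratio = len(s["subs"]) / n
        if mean_len >= min_mean_len and mean_ent >= min_entropy and unique_ratio >= 0.8:
            findings.append({"client": client, "domain": dom, "queries": n,
                             "mean_len": mean_len, "mean_entropy": mean_ent,
                             "unique_ratio": unique_ratio, "txt_ratio": s["txt"] / n})
    return sorted(findings, key=lambda f: -f["mean_entropy"])


if __name__ == "__main__":
    for f in detect_dns_tunnelling(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, "
              f"entropy {f['mean_entropy']:.2f}, txt ratio {f['txt_ratio']:.2f}")
```

The benign client querying `www`, `mail` and `cdn` never reaches the length or entropy thresholds, while the six TXT lookups with 20-character random labels do. In production the same scoring would be fed from the resolver or passive DNS logs on a time window, with a per-domain allow-list for legitimate high-volume services (CDNs, anti-spam lookups) that also produce long, unique labels.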

8. DIFFERENTIATING the SECURITY STRATEGY across cloud and on-prem, instead of having a HYBRID SECURITY STRATEGY

Company data travels across networks and environments over MPLS, VPNs and WAN connections. Each type of infrastructure can present different security challenges, and we are all aware of the cloud shared responsibility model. Approaching an overall security strategy by listing exceptions for cloud environments, to quickly modify and adapt an existing company security strategy, highlights security gaps that will soon become a “lessons learnt session” in a post cyber incident discussion. Be proactive: the modern CTO road map clearly points to multi-cloud portability and a hybrid approach to the systems handling and storing company data assets. Tailoring a security strategy that is consistent across all infrastructure types owned is the responsible choice. The Cloud Security Alliance’s efforts to sponsor a Software Defined Perimeter strategy through Cloud Access Brokers should reinforce this statement.

9. Continuously ADDING NEW SECURITY SOLUTIONS, instead of aiming to REVIEW, CENTRALIZE and DIMINISH the number of security products

In security architecture terms, adding a new security control introduces a new potential asset or layer to be exploited by an attacker. In fact a new attack vector, like a bug in a security control, is added to the attacker’s long list of opportunities. Layered security is still a valid architecture principle, but it is also prone to add complexity at the same time as it adds a valid multi-layer approach to data protection. Adding Zero Trust architecture and Defense in Depth principles can challenge the overall balance against the continuous add-on of new security mitigations and controls. Make a continuous effort to periodically align the cyber strategy with new security architecture choices, continuously challenging the previous choices against modern threats. It is for sure a difficult task, but it will add enormous effectiveness to a cyber security strategy.

10. Rushing to SUPPRESS ALARM NOISE, instead of performing continuous exercises, for example during pen test sessions, to EVALUATE what is MISSED in terms of SOC VISIBILITY

In my career I have worked as a security analyst digesting pcaps and logs from various security sensors, enough to understand what a false positive is. Tuning SIEMs and threat hunting products, I understood how a shortage of people can be used as an industry alibi to suppress more alarm noise than should be suppressed. Even vendors don’t want to flood the SOC with unmanageable volumes of alarms, and Machine Learning and future AI, crunching data and performing User Behavior Analysis, will help to tune down the noise in an effective manner (at least we hope). But experience in cyber investigations, and knowing the danger of first-match SIEM rule logic, reinforce my nightmare of attackers slipping past monitoring thanks to the domesticated noise of security systems. Continuous auditing sessions of security tuning, for example through red team pentest exercises, should be part of the continuous auditing strategy and of the overall cyber security strategy.
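To make the first-match rule logic risk concrete, here is an added example (mine, not the author's) with a constructed four-event sample and a three-rule ordered policy: a broad suppression rule for a vulnerability-scanner subnet, placed first to cut noise, silently drops a high-severity lateral-movement detection coming from the same subnet. `blind_spots` compares first-match evaluation with full evaluation, which is the kind of gap a red team session can be used to surface, and `HARDENED_RULES` shows the scoped suppression that closes it. The subnet, the accounts, the event types and the rule names are all assumptions.

```python
import ipaddress

SCANNER_NET = ipaddress.ip_network("10.9.0.0/24")  # assumed vuln-scanner subnet
KNOWN_SERVICE_ACCOUNTS = {"svc-scan"}              # assumed scanner account allow-list

# Constructed events (not real logs), as the SIEM would see them after parsing.
# e1: the scanner doing its job. e2: an interactive user on a scanner-subnet
# host touching admin shares. e3: the same behaviour from a workstation subnet.
EVENTS = [
    {"id": "e1", "src": "10.9.0.5",  "type": "smb_admin_share_access", "user": "svc-scan"},
    {"id": "e2", "src": "10.9.0.44", "type": "smb_admin_share_access", "user": "jdoe"},
    {"id": "e3", "src": "10.2.3.4",  "type": "smb_admin_share_access", "user": "jdoe"},
    {"id": "e4", "src": "10.2.3.5",  "type": "dns_query",              "user": "-"},
]

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def from_scanner_net(ev):
    return ipaddress.ip_address(ev["src"]) in SCANNER_NET


def admin_share_by_non_service_user(ev):
    return ev["type"] == "smb_admin_share_access" and ev["user"] not in KNOWN_SERVICE_ACCOUNTS


# Ordered rule list: (name, severity, action, predicate). With first-match
# semantics, the first rule whose predicate is true decides the event's fate;
# a "drop" rule therefore shadows every alert rule after it.
NOISY_RULES = [
    ("suppress-scanner-noise",        "info", "drop",  from_scanner_net),
    ("lateral-movement-admin-share",  "high", "alert", admin_share_by_non_service_user),
    ("scanner-activity-audit",        "low",  "alert", from_scanner_net),
]

# Hardened variant: the suppression is scoped to the scanner account itself,
# so a different user operating from that subnet still reaches the alert rules.
HARDENED_RULES = [
    ("suppress-scanner-noise",
     "info", "drop", lambda ev: from_scanner_net(ev) and ev["user"] in KNOWN_SERVICE_ACCOUNTS),
    ("lateral-movement-admin-share",  "high", "alert", admin_share_by_non_service_user),
    ("scanner-activity-audit",        "low",  "alert", from_scanner_net),
]


def evaluate_first_match(rules, events):
    """Production-style evaluation: stop at the first matching rule per event."""
    alerts = []
    for ev in events:
        for name, severity, action, pred in rules:
            if pred(ev):
                if action == "alert":
                    alerts.append((ev["id"], name, severity))
                break  # a drop, or an earlier alert, hides all later rules
    return alerts


def evaluate_all(rules, events):
    """Audit-style evaluation: every alert rule is tested against every event."""
    return [(ev["id"], name, severity)
            for ev in events
            for name, severity, action, pred in rules
            if action == "alert" and pred(ev)]


def blind_spots(rules, events, min_severity="high"):
    """Alerts that full evaluation raises but first-match evaluation never sees,
    filtered to the severities worth escalating."""
    seen = set(evaluate_first_match(rules, events))
    return [a for a in evaluate_all(rules, events)
            if a not in seen and SEVERITY_ORDER[a[2]] >= SEVERITY_ORDER[min_severity]]


if __name__ == "__main__":
    print("first-match (noisy):", evaluate_first_match(NOISY_RULES, EVENTS))
    print("lost high-severity: ", blind_spots(NOISY_RULES, EVENTS))
    print("lost after hardening:", blind_spots(HARDENED_RULES, EVENTS))
```

With the noisy policy, e2 never produces an alert even though it is the exact pattern the lateral-movement rule exists for; the hardened policy still drops the scanner's own traffic but lets e2 through. Running `blind_spots` over the events generated during a pentest window, rather than only counting how many alarms were closed, is a cheap way to turn the exercise into a measurement of SOC visibility.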

I am willing to maintain this Top 10 of cyber security strategy shortfalls, updated each year, following attacker, technology, business and regulation trends.

Please, if you liked this blog post, share it across your preferred social network, mentioning the source, to help me broadcast a cyber security awareness message.

Thanks!

Carlo

Article subject to Creative Commons license

Type: Attribution-NonCommercial-NoDerivs

Code: CC BY-NC-ND

This article does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my own personal opinion.


Acklost.net

IT Security professional, expat around the world