There was a time when information systems security was simpler. It focused on how often to sample a one-dimensional system log that tracked events like blocked traffic, virus detections and machines taken off-line. Reporting on routine operations is a best practice, and following best practices is always… well… a good practice. Include some metrics for the percentage of your personnel trained in cyber risk avoidance and endpoint compliance and you have a nice corporate report.
But, does it really mean anything?
Clearly, the continuous barrage of media reports on breaches, data theft and cybercrime is not abating. In today’s Cray blog post, I would like to take you through a few cybersecurity “best practices” and discuss their implications.
Basic best practices are important, but they only maintain a defense against yesterday’s threats. For example, hacking telephone PBX (private branch exchange) systems has been a persistent issue since the 1970s. Fraud committed using these hacks amounts to annual losses of more than 40 billion dollars in the U.S. alone, and the FBI recently apprehended two of its ten most wanted cybercriminals in Pakistan on charges of theft via PBX hacking. The criminals’ techniques are not much different today than they were in the 1990s — or even back in the 1970s. Following a simple checklist for securing a PBX system will stop almost all of these attacks. Best practices are effective, and educating personnel about them is important.
But what about techniques that are never detected, such as telephone calls that never appear in the billing system? This is a much more difficult question: How does one detect and assess the impact of a telephone “stowaway”? To quote a January 2015 report by Senator Tom Coburn, “While patch management and cyber hygiene are clearly important, they are only basic security precautions, and are unlikely to stop a determined adversary, such as a nation state seeking to penetrate federal networks to steal sensitive information.”
The term “determined adversary” (DA) defies simple categorization and is often tangled up with descriptions like “advanced,” “commodity,” “persistent” and “opportunistic.” But what exactly is “persistent” or “opportunistic”? The DA concept doesn’t escape me, but when vague or relative terms are used to describe a determined adversary, as a security professional I know that vagueness is a very bad thing that can lead to severe failure.
Securing information on a network has more to do with things unknown than with things known, but assigning value to unknowns is a difficult problem for any organization. Expending resources to discover an unknown is a hard sell when compared to handling a known issue that was found and managed x times last month and y times this month — especially when routine metrics align so easily with absolutes such as percentage of compliance, number of systems updated and number of IP addresses blocked by a firewall.
An unknown may not even have caused any detected issue. It might be nothing more than an observed presence — a stowaway. In the most pragmatic terms, today’s cyber stowaway may become tomorrow’s intrusion vector. Much like a stowaway on a ship, its impacts are clear: More weight requires more fuel and resources, it’s sustained by low-level theft, and it exposes a vector for penetration. Catch a stowaway after the ship leaves port and the impacts — both tangible and intangible — still occur; resources are expended and reputations tarnished.
The key is to influence behavior before there is a stowaway attempt. Find that unknown behavior and then work backwards to determine what created the unknown. That is where real security starts.
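As an added illustration of the telephone-stowaway question raised earlier and of the "find the unknown behavior, then work backwards" approach, the following Python script (written for this edit, not Cray's code or anything from the original post) reconciles PBX call detail records (CDRs) against the billing system and compares each extension's current calling pattern with a baseline period. Calls present in the CDR but absent from billing are the uncharged calls the post describes; calls to destination countries an extension has never dialled, or placed outside business hours, are the behavioral deviations. The CDR and billing lines, the country-prefix table, the business-hours window and the field layout are all constructed assumptions for the example.

```python
"""Surface PBX "stowaway" calls: unbilled calls plus per-extension behavioral deviations.

All sample data below is constructed for this example; the CDR and billing
formats are assumptions, not any real PBX vendor's format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline week of CDRs: call_id,start,extension,dialled_number,duration_s
BASELINE_CDR = """\
c001,2015-01-05T09:14:00,2101,+14155550111,120
c002,2015-01-05T10:02:00,2101,+14155550122,300
c003,2015-01-06T14:30:00,2102,+442071234567,600
c004,2015-01-07T11:05:00,2102,+442071234568,240
c005,2015-01-08T16:45:00,2101,+16505550100,90
"""

# Constructed current-period CDRs, same layout.
CURRENT_CDR = """\
c101,2015-01-12T09:10:00,2101,+14155550111,180
c102,2015-01-12T23:41:00,2101,+2347010000001,1860
c103,2015-01-13T02:15:00,2101,+2347010000002,2400
c104,2015-01-13T10:20:00,2102,+442071234567,420
c105,2015-01-13T19:30:00,2102,+923001234567,60
"""

# Constructed billing export for the current period: call_id,amount.
# c102 and c103 are missing: the billing system never saw them.
CURRENT_BILLING = """\
c101,0.30
c104,1.20
c105,0.80
"""

# Assumed country-code table, ordered longest prefix first for matching.
COUNTRY_PREFIXES = ("234", "92", "44", "1")
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 local time


def parse_cdr(text):
    """Parse the constructed CDR layout into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        call_id, start, ext, dialled, duration = line.split(",")
        records.append({
            "call_id": call_id,
            "start": datetime.fromisoformat(start),
            "ext": ext,
            "dialled": dialled,
            "duration": int(duration),
        })
    return records


def country_code(number):
    """Longest-prefix match of a dialled E.164 number against the assumed table."""
    digits = number.lstrip("+")
    for prefix in COUNTRY_PREFIXES:
        if digits.startswith(prefix):
            return prefix
    return "unknown"


def unbilled_calls(cdrs, billing_text):
    """Calls the switch completed but the billing system never charged."""
    billed = {line.split(",")[0] for line in billing_text.splitlines() if line.strip()}
    return [c for c in cdrs if c["call_id"] not in billed]


def build_baseline(cdrs):
    """Per-extension set of destination countries seen during the baseline period."""
    baseline = defaultdict(set)
    for c in cdrs:
        baseline[c["ext"]].add(country_code(c["dialled"]))
    return baseline


def deviations(cdrs, baseline):
    """Map call_id -> reasons the call departs from the extension's baseline."""
    findings = {}
    for c in cdrs:
        reasons = []
        cc = country_code(c["dialled"])
        if cc not in baseline.get(c["ext"], set()):
            reasons.append(f"new destination country +{cc}")
        if c["start"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings[c["call_id"]] = reasons
    return findings


def analyse(baseline_text=BASELINE_CDR, current_text=CURRENT_CDR, billing_text=CURRENT_BILLING):
    """Run reconciliation and baseline comparison; stowaways are calls flagged by both."""
    current = parse_cdr(current_text)
    unbilled = unbilled_calls(current, billing_text)
    devs = deviations(current, build_baseline(parse_cdr(baseline_text)))
    stowaways = sorted(c["call_id"] for c in unbilled if c["call_id"] in devs)
    return {"unbilled": unbilled, "deviations": devs, "stowaways": stowaways}


if __name__ == "__main__":
    report = analyse()
    for c in report["unbilled"]:
        print(f"unbilled: {c['call_id']} ext {c['ext']} -> {c['dialled']} ({c['duration']}s)")
    for call_id, reasons in report["deviations"].items():
        print(f"deviation: {call_id}: {'; '.join(reasons)}")
    print("stowaways:", ", ".join(report["stowaways"]))
```

Note what the routine metrics would have reported here: five calls, three billed, no firewall events. The two uncharged calls only become visible when two independent sources (the switch's own records and the billing system) are reconciled, and they only look threatening when compared with what extension 2101 normally does. Working backwards from that finding, the next questions are who controls extension 2101 and why the billing system has no record of the calls.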
The goal of best practices (e.g., patch management, cyber hygiene, encryption and physical access controls) is to channel behaviors into manageable paths. But the real task of cybersecurity is to determine what behaviors look, feel and smell like threats — then head them off before they become problems.
The next blog post will relate to how we move “beyond best practices” and provide more effective cybersecurity through cyber compute.