And yet cybersecurity breaches remain at a dangerous level, with eight in ten executives saying their organisation has suffered a security breach in the last two years. Probe deeper, and business leaders admit to having low confidence levels in the organisation’s ability to deliver the fundamentals, such as routine patching and controlling user access to services.
How can organisations rebuild trust in cybersecurity measures?
Employees in large organisations fall into two categories: those who work in cybersecurity, and those who don’t.
The cybersecurity people have the job of protecting the business and enabling it to transform securely, by defining policies, processes and security controls, and by educating those who don’t work in security. All the other employees have the responsibility of making sure they don’t compromise any security controls while they do their job, whether accidentally or maliciously. They’re usually supported in this by awareness and education activity provided by their cybersecurity colleagues.
So much of what we expect people to do to keep organisations secure is based on trust. We trust people not to use passwords that are easy to guess, and not to write them down. We trust them to keep their laptops and phones secure, and we trust them to report breaches. It’s difficult to operate in any other way in large organisations, and this trust is usually balanced by adequate controls and policy that manage elements of risk and reduce the danger of cybersecurity breaches.
But what if the trust we place in our employees or our suppliers is misplaced, or has been compromised without anyone intending it? What if we think we’re doing the right thing, but it turns out to be catastrophically bad?
Take patching, for example. Keeping software up to date with the latest security (and other) fixes is critical to ensuring known vulnerabilities are not exploited by attackers. It’s part of an organisation’s continuous vulnerability management, which is number three on the list of the top twenty things a company needs to do to keep itself secure.
So, when a software supplier asks us to patch the software they’ve supplied, we implicitly trust them. We believe that the patch is essential and that it’s going to do nothing but good, and that it’ll play a crucial role in keeping our organisations secure from attack. It’s a gift. Usually, it’s something easily accepted and implemented to update our systems with protection from the latest discovered security vulnerabilities. Or is it?
Like the Trojan horse, there’s a possibility that the patch we’ve just been sent contains something malicious. If we download a patch from anywhere other than the official source, there’s a risk that it’s not genuine. That’s why it’s important to have processes and policies in place that prevent the accidental download of malicious software.
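The source-and-integrity check described above, as an added example that is not part of the original article: it accepts a downloaded patch only if it came over HTTPS from an allow-listed official host and its SHA-256 matches the hash the vendor published. The host name, file name and manifest values are constructed for this example.

```python
import hashlib
import hmac
from typing import Tuple
from urllib.parse import urlparse

# Constructed allow-list of official download hosts (assumed for this example).
OFFICIAL_HOSTS = {"downloads.example-vendor.test"}

# Constructed stand-in for the vendor's published hash manifest: file name -> SHA-256.
# The digest is computed from sample bytes here; a real manifest comes from the vendor.
PUBLISHED_HASHES = {
    "patch-1.2.3.bin": hashlib.sha256(b"genuine patch bytes").hexdigest(),
}


def from_official_source(url: str) -> bool:
    """True only for HTTPS downloads whose host is on the official allow-list."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in OFFICIAL_HOSTS


def verify_patch(url: str, filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept a patch only if its origin is official and its hash matches the manifest.

    Returns (accepted, reason) so the caller can log why a patch was refused.
    """
    if not from_official_source(url):
        return False, f"rejected: {url!r} is not an official download source"
    expected = PUBLISHED_HASHES.get(filename)
    if expected is None:
        return False, f"rejected: no published hash for {filename!r}"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison avoids leaking how much of the digest matched.
    if not hmac.compare_digest(actual, expected):
        return False, "rejected: hash mismatch (tampered or corrupted download)"
    return True, "accepted: source and hash verified"


if __name__ == "__main__":
    good_url = "https://downloads.example-vendor.test/patch-1.2.3.bin"
    print(verify_patch(good_url, "patch-1.2.3.bin", b"genuine patch bytes"))
    print(verify_patch(good_url, "patch-1.2.3.bin", b"tampered bytes"))
    print(verify_patch("https://mirror.example.test/patch-1.2.3.bin", "patch-1.2.3.bin", b"genuine patch bytes"))
```

This catches a substituted or corrupted download; it cannot catch a build that was trojanised before the vendor published its hash, which is the SolarWinds case the next paragraph describes and why the article argues for assuming breach.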
The recent SolarWinds hack is a prime example. The attackers used a supply chain attack: they compromised a supplier in order to reach its customers. By hacking into SolarWinds and modifying a patch intended for users of its Orion software, they managed to add a back door to the software systems of an estimated 18,000 companies. Because of its stealth, this distinct breach of trust went undetected for months. Some users may never know that they’ve been hacked, or the extent of the damage the hack has caused.
We believe you need to assume such highly sophisticated and stealthy attacks will occur, and then take action to assess how a business would react to such an attack. Our Assume Breach approach helps customers to understand whether they have the right policies and procedures in place to detect, respond to and recover from a cyberattack. It also helps them to identify the weak spots in their policies, procedures and estate that an attacker could exploit.
To use an analogy, the service assumes a fire will start and investigates how quickly it can be extinguished and how far it will spread.
Recently, our team worked with a large global shipping company that was worried about the harm a shore-side cyberattack could inflict on ships at sea. The team successfully travelled across the onshore network onto ships’ systems through a process of active reconnaissance. Through this, they gained access to data that meant they could escalate privileges on compromised critical systems accounts. From there, they could extract valuable data.
They discovered several weaknesses, including poor auditing of password age and compliance, no monitoring of Active Directory groups (or of the data those groups had access to), little or no security on file sharing, and insufficient network monitoring. This left the company open to data being exfiltrated undetected and to its systems being manipulated illicitly.
Trust is incredibly important in the world of cybersecurity, but can we ever fully trust what we believe to be good intentions and good practice? If we assume we’ll be breached, we can build defences against it.
Start assessing your current position by asking yourself these questions:
When it comes to next steps, I’d recommend registering for an upcoming webinar: ‘Supply chain consequences: managing a dirty network’. We’re going to look at how to evolve your strategy and response, from assuming a breach position to putting the right controls and mechanisms in place.
Plus, to find out more about consumer, employee and business leader attitudes to cybersecurity and what you should do about them, download our new whitepaper, ‘CISOs under the spotlight’.