Blog · 09 Feb 2021

How far should trust extend in cybersecurity?

In the wake of the SolarWinds hack, organisations need to assume cyber attacks will happen, and work to identify their weaknesses before a breach occurs.

Rob Partridge
Head of Commercial Development, Penetration Testing

Our latest security research reveals a confident belief within enterprises that they’re secure.

And yet cybersecurity breaches remain at a dangerous level, with eight in ten executives saying their organisation has suffered a security breach in the last two years. Probe deeper, and business leaders admit to having low confidence levels in the organisation’s ability to deliver the fundamentals, such as routine patching and controlling user access to services.

How can organisations rebuild trust in cybersecurity measures?

Two tribes, operating on trust

Employees in large organisations fall into two categories: those who work in cybersecurity, and those who don’t.

The cybersecurity people have the job of protecting and enabling the business to securely transform by defining policies, processes and security controls, and by educating those who don’t work in security. All the other employees have the responsibility of making sure they don’t compromise any security controls while they do their job, be it accidentally or maliciously. They’re usually supported in this by awareness and education activity provided by their cybersecurity colleagues.

So much of what we expect people to do to keep organisations secure is based on trust. We trust people not to use passwords that are easy to guess, and not to write them down. We trust them to keep their laptops and phones secure, and we trust them to report breaches. It’s difficult to operate in any other way in large organisations, and this is usually balanced by adequate controls and policy that manage elements of risk and reduce the danger of cybersecurity breaches.

The weaknesses of trust in cybersecurity

But what if the trust we place in our employees or our suppliers is misplaced, or has been unintentionally compromised? What if we think we’re doing the right thing, but it turns out to be catastrophically bad?

Take patching, for example. Keeping software up to date with the latest security (and other) fixes is critical to ensuring known vulnerabilities are not exploited by hackers. It’s part of an organisation’s continuous vulnerability management, which is number three on the list of the top twenty things a company needs to do to keep itself secure.

So, when a software supplier asks us to patch the software they’ve supplied, we implicitly trust them. We believe that the patch is essential, that it will do nothing but good, and that it will play a crucial role in keeping our organisation secure from attack. It’s a gift: usually something we accept and deploy without hesitation, because it protects our systems from the latest discovered security vulnerabilities. Or is it?

Like the Trojan horse, there’s a possibility that the patch we’ve just been sent contains something malicious. If we download a patch from anywhere other than the official source, there’s a risk that it isn’t genuine. That’s why it’s important to have processes and policies in place that prevent the accidental download of malicious software.
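One concrete form the "processes and policies" above can take is a pre-installation gate: refuse any patch that was not fetched from an approved origin, or whose SHA-256 does not match the vendor's published checksum manifest. The script below is an added illustration, not code from the post or from any vendor; the host allowlist, the manifest format (sha256sum style, `<hex>  <filename>`) and the patch bytes are all constructed for the example.

```python
"""Pre-installation check for a vendor patch.

Added illustration: verifies (1) the download origin is on an assumed
allowlist of official hosts and (2) the artifact's SHA-256 matches the
vendor's checksum manifest. Hosts, manifest and bytes are constructed.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed policy: the only hosts administrators may fetch patches from.
ALLOWED_HOSTS = {"downloads.vendor.example"}


def parse_manifest(text):
    """Parse a sha256sum-style manifest ("<hex>  <filename>" per line)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name.strip():
            raise ValueError("malformed manifest line: %r" % line)
        expected[name.strip()] = digest.lower()
    return expected


def origin_is_official(url):
    """Reject plain HTTP and any host not on the allowlist."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def verify_patch(name, data, url, manifest):
    """Return (ok, reason). Only ok=True artifacts should proceed to install."""
    if not origin_is_official(url):
        return False, "refused: %s is not an approved download origin" % url
    if name not in manifest:
        return False, "refused: %s has no entry in the vendor manifest" % name
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking how many leading characters matched
    if not hmac.compare_digest(actual, manifest[name]):
        return False, "refused: digest mismatch for %s (got %s...)" % (name, actual[:12])
    return True, "ok: origin and checksum verified"


# Constructed sample: a genuine artifact and the manifest that describes it.
PATCH_NAME = "vendor-patch-1.2.3.zip"
PATCH_BYTES = b"constructed patch payload 1.2.3\n"
MANIFEST = parse_manifest(
    "# vendor checksums (constructed)\n"
    + hashlib.sha256(PATCH_BYTES).hexdigest() + "  " + PATCH_NAME + "\n"
)
OFFICIAL_URL = "https://downloads.vendor.example/" + PATCH_NAME
MIRROR_URL = "http://mirror.example/" + PATCH_NAME


def main():
    cases = [
        ("genuine, official origin", PATCH_BYTES, OFFICIAL_URL),
        ("tampered bytes, official origin", PATCH_BYTES + b"\x00", OFFICIAL_URL),
        ("genuine bytes, unofficial mirror", PATCH_BYTES, MIRROR_URL),
    ]
    for label, data, url in cases:
        ok, reason = verify_patch(PATCH_NAME, data, url, MANIFEST)
        print("%-34s -> %s" % (label, reason))


if __name__ == "__main__":
    main()
```

The check catches the two failure modes the paragraph names: a modified file, and a download from somewhere other than the official source. It does not, and cannot, detect an artifact that the vendor itself built and published from a compromised pipeline, which is the SolarWinds case the next section describes; for that, detection has to come from monitoring behaviour after installation rather than from checking the download.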

What can happen when the trust in patching is breached

The recent SolarWinds hack is a prime example. The attackers used what is called a supply chain attack, in which they compromised a supplier in order to reach its customers. By breaking into SolarWinds and modifying a patch intended for users of its Orion software, they managed to add a back door to the systems of an estimated 18,000 companies. Because of its stealth, this breach of trust went undetected for months. Some users may never know that they’ve been hacked, or the extent of the damage the hack has caused.

Changing stance to assuming breaches will happen

We believe you need to assume such highly sophisticated and stealthy attacks will occur, and then take action to assess how a business would react to such an attack. Our Assume Breach approach helps customers to understand whether they have the right policies and procedures in place to detect, respond to and recover from a cyberattack. It also helps them to identify the weak spots in their policies, procedures and estate that an attacker could exploit.

To use an analogy, the service assumes a fire will start and investigates how quickly it can be extinguished and how far it will spread.

A successful use case

Recently, our team worked with a large global shipping company that was worried about the harm a shore-side cyberattack could inflict on ships at sea. The team successfully travelled across the onshore network onto ships’ systems through a process of active reconnaissance. Through this, they gained access to data that meant they could escalate privileges on compromised critical systems accounts. From there, they could extract valuable data.

They discovered several weaknesses, including poor auditing of password age and compliance, no monitoring of Active Directory groups (or the data they had access to), little or no security on file sharing, and insufficient network monitoring. This left the company open to data being exfiltrated undetected and to its systems being manipulated illicitly.
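Two of the gaps in that list, password-age auditing and unwatched Active Directory groups, are cheap to check continuously once an account and group export exists. The script below is an added example, not code from the engagement or from the author; the policy values (a 90-day maximum password age, the set of groups treated as privileged) are assumptions, and the account records and approved baseline are constructed to resemble a `pwdLastSet`/`memberOf` export rather than taken from any real directory.

```python
"""Audit checks for stale passwords and privileged-group drift.

Added illustration. The policy constants are assumptions and the account
export and baseline below are constructed; real use would read them from
a directory export and a change-approved baseline file.
"""
from datetime import datetime, timedelta, timezone

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed policy value
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}

# Constructed export (NOW fixed so the example is reproducible).
NOW = datetime(2021, 2, 9, tzinfo=timezone.utc)
ACCOUNTS = [
    {"sam": "administrator", "enabled": True,
     "pwd_last_set": NOW - timedelta(days=45),
     "groups": {"Domain Admins", "Enterprise Admins"}},
    {"sam": "svc-cargo-db", "enabled": True,
     "pwd_last_set": NOW - timedelta(days=410),      # service account, never rotated
     "groups": {"Domain Admins"}},
    {"sam": "j.smith", "enabled": True,
     "pwd_last_set": NOW - timedelta(days=30),
     "groups": {"Fleet Ops"}},
    {"sam": "old-contractor", "enabled": False,      # disabled: out of scope
     "pwd_last_set": NOW - timedelta(days=200),
     "groups": set()},
    {"sam": "helpdesk-tmp", "enabled": True,
     "pwd_last_set": NOW - timedelta(days=3),
     "groups": {"Backup Operators", "Helpdesk"}},    # not in approved baseline
]

# Constructed: the last change-approved membership of each privileged group.
BASELINE_PRIVILEGED = {
    "Domain Admins": {"administrator", "svc-cargo-db"},
    "Enterprise Admins": {"administrator"},
    "Backup Operators": set(),
}


def stale_passwords(accounts, now=NOW, max_age=MAX_PASSWORD_AGE):
    """Enabled accounts whose password is older than policy, oldest first."""
    stale = []
    for a in accounts:
        age = now - a["pwd_last_set"]
        if a["enabled"] and age > max_age:
            stale.append((a["sam"], age.days))
    return sorted(stale, key=lambda t: -t[1])


def privileged_membership(accounts):
    """Current members of each privileged group, derived from the export."""
    current = {g: set() for g in PRIVILEGED_GROUPS}
    for a in accounts:
        for g in a["groups"] & PRIVILEGED_GROUPS:
            current[g].add(a["sam"])
    return current


def privileged_drift(accounts, baseline):
    """Members added to or removed from privileged groups since the baseline."""
    current = privileged_membership(accounts)
    drift = {}
    for g in sorted(PRIVILEGED_GROUPS):
        added = current[g] - baseline.get(g, set())
        removed = baseline.get(g, set()) - current[g]
        if added or removed:
            drift[g] = {"added": sorted(added), "removed": sorted(removed)}
    return drift


def main():
    for sam, days in stale_passwords(ACCOUNTS):
        print("STALE PASSWORD  %-16s %d days old" % (sam, days))
    for group, change in privileged_drift(ACCOUNTS, BASELINE_PRIVILEGED).items():
        print("GROUP DRIFT     %-18s added=%s removed=%s"
              % (group, change["added"], change["removed"]))


if __name__ == "__main__":
    main()
```

Run on a schedule, the drift check turns "no monitoring of Active Directory groups" into a daily diff against an approved baseline, so an unexpected addition to a privileged group surfaces as a finding rather than being discovered by the attacker's use of it; the stale-password check does the same for the long-lived service-account credentials that privilege escalation tends to rely on.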

Trust, but with caution

Trust is incredibly important in the world of cybersecurity, but can we ever fully trust what we believe to be good intentions and good practice? If we assume we’ll be breached, we can build defences against it.

Start assessing your current position by asking yourself these questions:

  • How well do you know your inventory and how do you ensure routine software patching is never missed?
  • Do you take a ‘Zero Trust’ approach? Despite its name, Zero Trust means verifying any asset or user that interacts with your infrastructure before you trust them (and even then, you continually verify that the user and asset can remain on the level of trust you have assigned them).
  • Do you regularly review your security strategy and policies to ensure they align with your new boardroom priorities? The threat landscape is ever changing and architecture that was secure a year ago may now have vulnerabilities (especially in the wake of coronavirus and widespread remote working).
  • How mature is cybersecurity awareness training in your business as the first and best line of defence?
  • Where don’t you have visibility and control of cyber threats in your business?

When it comes to next steps, I’d recommend registering for an upcoming webinar: ‘Supply chain consequences: managing a dirty network’. We’re going to look at how to evolve your strategy and response, from assuming a breach position to putting the right controls and mechanisms in place.

Plus, to find out more about consumer, employee and business leader attitudes to cybersecurity and what you should do about them, download our new whitepaper, ‘CISOs under the spotlight’.