You did what?? - Cybersecurity Accidents
Accidents happen, but accidents in managing security can have serious and unexpected consequences.
This article discusses what should be basic measures for most organisations, yet some still lag way behind (aka the slow-moving gazelles - a much-loved staple of the carnivores).
During a discussion some time ago about SCUBA diving, I enquired:
Why do divers carry knives? Is it to defend against an attack by something scary?
The somewhat unsettling (joke) answer was:
no, it is to cut or disable other divers
(implying that this would result in someone else being attacked by something scary)
This illustrates some common principles (and beliefs):
Safety in numbers (perhaps I can use my fellow divers as human shields)
Survival of the fittest (perhaps I can swim faster than my fellow divers)
Being prepared to acknowledge and address the risks of the environment (perhaps I want to go diving in a swimming pool instead)
(The real [and far more politically correct] answer was to cut free from entanglements such as ropes / weed etc)
So what happens when all positions on the food chain are at risk, and the predators are automated (e.g. Terminator)?
A few things are likely to occur:
If an attacker is motivated and capable of exploiting a weakness that you have, and they have opportunity to do so, chances are they will.
If you are uninformed, unaware or rely on belief, and make no attempt to ensure your assets are protected - chances are you will become a target.
If you have a large, complex and vulnerable attack surface (e.g. your network, your data, your people, your supply chain, your systems) and are less vigilant than an attacker - chances are you will be attacked.
In much the same way as an injured tuna moving through a school of sharks is liable to become lunch, vulnerable systems on the public Internet are exposed to attack.
The critical factors involved (as above) are that there is a threat, a vulnerability and a foreseeable (and probable) consequence.
So what can we do to avoid security mishaps (credit to Sun Tzu)?
Know yourself - establish security situational awareness, and be aware of your assets
Know the enemy - understand the realistic threats and attacks you may be exposed to
In time of peace, prepare for war (response) - don't rely on prevention alone
In addition (for those of us without large armies and the backing of a nation state):
Prioritise - address the most important concerns on the basis of risk
Baseline - understand what normal looks like, so abnormal can be detected
Expanding on these concepts, effective management of security is typically based on some simple principles:
Understand your critical business processes (and objectives)
Understand the systems and information that support these critical business processes
Understand relevant threats and risks to these systems and information
Understand your internal and external obligations (e.g. compliance)
Empower business stakeholders to make informed risk decisions around security
Adopt security strategies based on the cyber kill chain and your risk appetite
Maintain a flexible and adaptive security incident response plan that has playbooks for key / common incidents.
In order to implement security controls where they are needed most, you need to know what asset(s) you are protecting, the threats and risks you consider credible, where these assets are, and what other controls you have in place.
In the physical world, these are reasonably simple things. As an example, one of your family may ride (the process) a bicycle (the asset) to work:
you are concerned about safety of the rider - so you obtain a helmet and a light.
you are concerned about theft of the bike - so you obtain a chain and padlock.
you are concerned with equipment failure - so you obtain a spare tube and pump.
Whilst your loved one could break the road rules (external compliance), you educate, inform and empower her, trusting that she will make good and informed decisions (e.g. to wear a helmet and obey traffic signals).
Key takeaways are to seek to fully understand the interactions between your attackers, your defences and your assets (i.e. the cyber kill chain), establish controls based on your risk appetite, prioritise your controls and have a flexible incident response process.
If you would like to better understand your security exposures and gaps, or confirm whether your defences are resilient to attack, contact us.
Author: Clinton Smith