Monday, July 28, 2014

Identifying Risk, or Finding a Needle in a Haystack

Newer regulations and industry standards now mandate a risk-based approach to security, forcing many organizations to move from a compliance-checkbox-driven approach to a more proactive, risk-based view of security.  Risk is made up of many factors, such as compliance posture, threats, vulnerabilities, reachability, and business criticality.  For many years, businesses have focused on achieving compliance or taking preventive measures to strengthen their security posture in response to endless data breaches.  When an organization is focused on strengthening its compliance posture to pass an audit, it usually looks at control failures and gaps and tries to mitigate them.


On the road to risk management, a variety of factors must be taken into account to derive a holistic view and to ensure that remediation resources are aligned efficiently.  Mid-sized organizations face dozens of regulations that mandate thousands of controls, and they have to deal with hundreds of pages of security findings ranging from vulnerabilities and threats to incidents.  The emerging technology of big data risk management helps not only to aggregate compliance, threat, and vulnerability data but, more importantly, to correlate those data feeds with the business risk to the organization.

Building Blocks for a Proactive CyberSecurity Strategy

Over the past six months, cyber-attacks against financial organizations, government sites and critical infrastructure have escalated.  In early spring, financial institutions such as Wells Fargo, Bank of America and JP Morgan Chase were hit hard by cyber-attacks that cost the organizations millions of dollars.  Last month, Homeland Security officials issued an ICS-CERT warning to U.S. companies about attacks on critical infrastructure, urging chemical and energy companies to take added measures to protect their systems.

Cybersecurity is now our responsibility, because these attacks not only pose severe consequences for our government but also impact many of the private organizations that own our electric and cellular networks.  Under new regulations, the chairman of the Joint Chiefs is making changes to the U.S. military’s standing rules of engagement, which dictate when, how and with what tools America will respond to an attack.

The building blocks of a robust cybersecurity strategy are to trust no one, to inspect and log all traffic, and to ensure secure access to all important assets in the data center.  Compartmentalization, or network segmentation, is the key component of Zero Trust and is important for limiting the exposure of attacks.  Internal employees tend to be the weakest link when it comes to targeted attacks, but that weak link has now expanded to the ecosystem of partners, contractors and supply chains.


The reality is that a more robust cybersecurity strategy is needed, one that takes a comprehensive approach to malware similar to the attacker’s lifecycle approach to infecting a network.  This means identifying all the traffic in which malware tends to hide and managing the unknown, in addition to virtual sandbox analysis.  The last piece of monitoring that is needed is a reporting and logging system that provides visibility into the network and enables proactive action when something suspicious is found.

Tuesday, May 13, 2014

Heartbleed Vulnerability Still Beating Strong

It has only been one month since the Heartbleed vulnerability in OpenSSL became public, and many organizations still remain vulnerable.  According to Netcraft, only 43 percent of the company sites it scanned had reissued their SSL certificates because of this bug, and many more sites are still susceptible.  Netcraft also noticed that seven percent of the reissued SSL certificates were reissued using the same private key, while fifty-seven percent of the sites took no action.

The Heartbleed vulnerability is due to certain versions of OpenSSL not properly handling Heartbeat extension packets; the end result is that remote attackers can steal sensitive information from process memory using specially crafted packets that cause a buffer over-read.  After the Heartbleed vulnerability broke, experts made it clear that the SSL keys needed to be replaced and not simply reissued.
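As an added illustration (not OpenSSL’s code and not from the original post), the simplified heartbeat handler below shows the defect the paragraph describes next to its fix: the vulnerable version trusts the sender-supplied payload length, while the hardened version rejects any record whose claimed payload, header and minimum padding do not fit inside the bytes actually received. The `hb_record` struct, the 40-byte scratch buffer and the "SECRET" bytes standing in for adjacent process memory are constructed assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH_LEN 40
#define PADDING_MIN 16   /* RFC 6520: a heartbeat message carries at least 16 bytes of padding */
/* Simplified heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding. */
struct hb_record { const uint8_t *data; size_t length; /* length = bytes actually received */ };

/* Vulnerable pattern: trusts the sender's payload_length and copies that many bytes out of the
 * record buffer even when the record is shorter. Returns bytes copied, or -1 on reject. */
static int heartbeat_vulnerable(const struct hb_record *rec, uint8_t *out, size_t out_cap) {
    if (rec->length < 3) return -1;
    uint16_t payload_len = (uint16_t)((rec->data[1] << 8) | rec->data[2]);
    if (payload_len > out_cap) return -1;          /* only guards the destination buffer */
    memcpy(out, rec->data + 3, payload_len);       /* over-reads when payload_len > length - 3 */
    return (int)payload_len;
}

/* Hardened: header + claimed payload + minimum padding must fit inside the record that was
 * actually received; otherwise the message is dropped (the shape of the OpenSSL fix). */
static int heartbeat_hardened(const struct hb_record *rec, uint8_t *out, size_t out_cap) {
    if (rec->length < 3) return -1;
    uint16_t payload_len = (uint16_t)((rec->data[1] << 8) | rec->data[2]);
    if ((size_t)1 + 2 + payload_len + PADDING_MIN > rec->length) return -1;  /* the missing check */
    if (payload_len > out_cap) return -1;
    memcpy(out, rec->data + 3, payload_len);
    return (int)payload_len;
}

/* Constructed demo buffer: a record whose header claims claimed_len payload bytes but really
 * carries the 2-byte payload "hi" plus 16 zero padding bytes; the same allocation then holds
 * stand-in "SECRET" bytes modelling data next to the record. Returns bytes actually received. */
static size_t build_demo_record(uint8_t *buf, uint16_t claimed_len) {
    memset(buf, 0, SCRATCH_LEN);
    buf[0] = 0x01;                                 /* heartbeat_request */
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    buf[3] = 'h'; buf[4] = 'i';                    /* real payload */
    memcpy(buf + 3 + 2 + PADDING_MIN, "SECRET", 6); /* adjacent memory, not part of the record */
    return 3 + 2 + PADDING_MIN;                    /* 21 bytes on the wire */
}
int main(void) {
    uint8_t scratch[SCRATCH_LEN], out[SCRATCH_LEN];
    struct hb_record rec = { scratch, build_demo_record(scratch, 32) };  /* claims 32, sends 2 */
    int n = heartbeat_vulnerable(&rec, out, sizeof out);
    printf("vulnerable: copied %d bytes, out[18..23] = %.6s\n", n, (const char *)out + 18);
    printf("hardened: %d (rejected)\n", heartbeat_hardened(&rec, out, sizeof out));
    return 0;
}
```

The over-read stays inside the demo's own 40-byte buffer so the program is memory-safe to run; in a real process the extra bytes would come from whatever the allocator placed after the record.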


Exploits have shown that private keys can be stolen from servers, and the stolen keys would allow websites to be impersonated and traffic to be decrypted.  Thousands of applications from companies such as IBM, Juniper, Cisco, Symantec, McAfee, and many more are vulnerable to Heartbleed behind their proxies and firewalls.

Thursday, February 20, 2014

Building Blocks For A Robust Cybersecurity Strategy

One of the unique considerations for cyber-attacks is identifying the avenues of attack. While internal employees tend to be the weakest link when it comes to targeted attacks, cyber-attackers are also now looking at the extended ecosystem of partners, contractors and supply chains for alternative avenues of attack. Additional effort needs to be made to secure, control and safely enable application access for these extended users.

Inspection and logging of all traffic also needs to extend to targeted, modern malware. The industry is moving toward piecemeal technologies that attempt to tackle this one attack component via virtual sandbox analysis. But, the reality is that a robust cybersecurity strategy requires a comprehensive approach to malware similar to an attacker’s lifecycle approach of infecting a network. This means identifying all traffic and how malware tends to hide (encryption, tunnels, evasive tactics), controlling risky applications and users, and managing the unknowns in addition to the virtual sandbox analysis.

In summary, the building blocks for a robust cybersecurity strategy are not uniquely different from the security requirements of a traditional enterprise. However, in most cases the attackers are more sinister and, more importantly, when there is an attack, the stakes and impact are much higher for all of us.