The SolarWinds hack and the never-ending stream of revelations about the attackers’ tools, techniques and other targets have been occupying the minds of CISOs and organizations’ cyber defenders since mid-December.
The breach announcement came as a shock to many, but Greg Touhill, President of Appgate Federal Group, says that he wasn’t surprised – just disappointed.
“When I retired from government service as the US government’s [first] Federal CISO, I was already ‘all-in’ on the zero trust security strategy and extremely concerned about the integrity of the supply chain of our products and services,” he told Help Net Security.
“I certainly wasn’t alone: in 2019, my colleagues in the Information Technology Sector Coordinating Council and I participated with the Communications Sector and the government in an Information & Communications Technology Supply Chain Risk Management Task Force that identified numerous risks to our supply chain. Many of us forecasted the risk of an adversary penetrating a supplier’s software development lifecycle and deliberately inserting a backdoor. We thought it a feasible scenario we ought to plan for as part of our enterprise risk plans.”
Best practices and the best technology
CISOs of organizations that have been hit by the attackers (whether they’ve used the compromised SolarWinds Orion platform or not) are now mulling over how to make sure that they’ve eradicated the attackers’ presence from their networks, and those with very little risk tolerance may decide to “burn down” their network and rebuild it.
Whichever decision they end up making, Touhill believes that implementing a zero trust security model across their enterprise is essential to better protect their data, their reputation, and their mission against all types of attackers.
Zero trust is a good start, but it should be followed by the implementation of the best modern security technologies, such as software defined perimeter (SDP), single packet authorization (SPA), microsegmentation, DMARC (for email), identity and access management (IDAM), and others.
SDP, for example, is an effective, efficient, and secure technology for secure remote access, which became one of the top challenges organizations have been faced with due to the COVID-19 pandemic and the massive pivot from the traditional office environment to a work-from-anywhere environment.
Virtual private network (VPN) technology, which was the initial go-to tech for secure remote access for many organizations (particularly in the public sector), is over twenty years old and, from a security standpoint, very brittle, he says. Not to mention that, in 2020, the US CERT, the NSA, the US Cyber Command, and the FBI issued well over a dozen critical vulnerability alerts about VPNs.
Another recent urgent security challenge was the BYOD risk explosion that came with the pivot from office to work-from-anywhere.
“Most organizations didn’t have the luxury of issuing fully configured enterprise-owned and managed devices to their workforce in the massive scramble to send people away from the traditional office environment under public health guidance. As a result, most people had to leverage their home systems to accomplish their work,” he explained.
That typically means older devices (and operating systems), many of which are not properly configured and updated, are also used by other family members, and are not monitored and protected by enterprise security personnel – all factors that mean organizations should not trust them implicitly or by default.
Sorting security priorities out
In his post as adjunct professor of Cybersecurity at Carnegie Mellon University, Touhill often hears from his students in the CISO certification course that they don’t know where to start when choosing security priorities for an organization.
His advice is to select a framework, identify high value assets, not be afraid to ask for help, and follow corporate governance processes.
“A framework helps you organize and orchestrate your activities. I find that using a framework to guide your activities and effectively communicate up, down, across, and out is extremely helpful…and essential. I recommend the NIST Cybersecurity Framework,” he said.
Secondly, CISOs should know what their key cyber terrain is and focus their precious resources on defending the truly important assets.
Next, to mitigate the problem of tunnel vision, they should think about bringing in an independent third party with specialized skills – such as red teams and penetration testers – to help them assess their strengths and weaknesses and to help them identify and focus on their most pressing operational needs.
He also recommends investing in cyber threat intelligence subscriptions, information sharing communities of interest, and conducting cyber exercises to help refine identification and prioritization of requirements.
Finally, CISOs should follow corporate governance processes.
“The good news is that in many organizations, the role of the CISO and the cyber defense team has graduated to the attention of the board and corporate governance process. When the CISO puts their requirements and recommended priorities in writing into the corporate governance processes, many boards and executives embrace them, fund them, and provide the ‘top cover’ needed to execute them well,” he explained.
While this comes at some cost for the CISO – mostly in the form of much more time spent on executive duties than on day-to-day security operations – this is the price of success, he notes.
Managing the ransomware threat
Nation-state attackers might not be a present danger to most companies out there, but ransomware is, as it has become increasingly easy for those with modest cyber skills to craft a ransomware attack.
Touhill is especially alarmed by reports that certain criminal groups are threatening their victims with physical violence if the ransom is not paid, and disappointed that ransomware remains an issue in many critical infrastructure sectors.
“TTPs that can reduce our risk exposure are often not properly employed, if at all. We know, for example, that zero trust can reduce the ‘blast radius’ of a ransomware attack, yet many organizations continue to keep deferring implementation. We know DMARC reduces your risk exposure from fraudulent email accounts (a favorite tactic of ransomware groups), yet many organizations continue to operate without DMARC installed and/or properly configured,” he said.
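To make the “installed and/or properly configured” distinction concrete, here is a small DMARC posture check (example code added to this article, not from Touhill or Appgate). It parses a domain’s DMARC TXT record and flags the settings that leave spoofed mail deliverable; the sample records are constructed and stand in for a DNS lookup of `_dmarc.<domain>`.

```python
from typing import Optional, Tuple, List

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag dict; {} if it is not DMARC (e.g. an SPF record)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def assess_dmarc(record: Optional[str]) -> Tuple[str, List[str]]:
    """Classify a record as 'missing', 'weak' or 'enforcing' and list the gaps to close."""
    if not record:
        return "missing", ["no DMARC record: spoofed mail is neither rejected nor reported"]
    tags = parse_dmarc(record)
    if not tags:
        return "missing", ["TXT record is not a DMARC record (v=DMARC1 missing)"]
    weak, advice = [], []  # weak: lets spoofed mail through; advice: loses visibility only
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        weak.append("p= tag missing or invalid; receivers ignore the whole record")
        policy = "none"
    elif policy == "none":
        weak.append("p=none only monitors; mail failing DMARC is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        weak.append(f"pct={pct}: policy is not applied to all failing mail")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        weak.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        advice.append("no rua= address: no aggregate reports showing who spoofs the domain")
    return ("weak" if weak else "enforcing"), weak + advice

# Constructed sample records (not any real domain's DNS); in practice they come from a TXT lookup of _dmarc.<domain>.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "half-enforced.example": "v=DMARC1; p=reject; pct=50; sp=none",
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example; adkim=s",
}

def audit(records=SAMPLE_RECORDS) -> dict:
    """Return {domain: (level, findings)} for every record in the inventory."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, (level, findings) in audit().items():
        print(f"{domain}: {level}" + "".join(f"\n  - {f}" for f in findings))
```

Only the last record is enforcing; the other three are the “installed but not properly configured” (or not installed) cases the quote refers to.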
But while many board members are beginning to understand the danger and are directing their executive teams to evaluate the risks of ransomware attacks and to conduct business case analyses of possible courses of action, some organizations have unfortunately concluded that paying a ransom is a better choice for them than rethinking their architectures and TTPs.
“I find that those types of decisions actually come with unintended consequences, as those who pay a ransom and don’t properly address the underlying causes that led to the ransomware infection almost invite subsequent attacks,” he pointed out.
Finally, the nature of those attacks may change and result in even more harmful effects for target organizations.
“Looking forward, I am alarmed by unconfirmed reports that some criminal gangs are investigating means of going beyond the standard encryption-lockout technique commonly used in ransomware. In the not-too-distant future, I anticipate attacks where the attackers actually tamper with the victim’s data, undermining the trust in its integrity,” Touhill concluded.