Eye of the Tiger

The All Powerful Breach…or threat thereof. How often do you, as a security practitioner, get asked by a colleague outside of the security team about the viability of a breach at your organization? Is a breach the meter by which security is measured?  

Many organizations’ executives and employees have this view of security and, as a result, security teams focus on preventing a breach or, at very least, mitigating the damage from one. A breach, however, is a symptom of a larger issue, an indication that something else went wrong first.

Security practitioners know and understand this, yet many in the industry continue to focus on the symptom because others do, and because it’s easier than fixing the root causes. “Every major cyber breach, when examined for its root cause, will identify that at least three safeguards critical to security were either not in place or were not fit for purpose,” says Raef Meeuwisse, Director at Cyber Simplicity Ltd. and author of the soon-to-be-released, “Cybersecurity Exposed: The Cyber House Rules.” Meeuwisse says he’s “never seen a single exception” to this rule once the details behind mega breaches had been exposed.

Rising up, back on the street

Indeed, it is lack of commitment to security fundamentals that routinely catches companies off guard, thrusting them into the “have been breached” category. Basics like attending to controlled use of administrative privileges, asset inventory, regular and timely patching, secure configuration settings, and continuous vulnerability assessments are core to any security program—and mitigating breaches—but Meeuwisse warns that organizations often leave gaps in the security program, because it’s “cheaper, easier, and less painful in the short term.” Security doesn’t need to remain broken, he says, but organizations must make a dedicated effort to get back to basics, so to speak, and tend to the administrative tasks that are less fun and less sexy than hunting for the latest 0-day or investigating the most recent ransomware campaign.

Did my time, took my chances

Following the theme of a commitment to security fundamentals, one of Meeuwisse’s Cyber House Rules is: Your information of value and where you allow it to travel defines where you need your security. This concept should be well known to security practitioners, and it is, in fact, a major topic of conversation at every major MISTI security event. How many organizations, though, still don’t encrypt or adequately encrypt sensitive information, or don’t segment their most critical data, leaving one jackpot for adversaries? We’ve watched mega breaches result from organizations missing or ignoring alerts—not necessarily hard to do when logging and monitoring tools are overwhelmed with noise. What this means, though, is that other mitigating controls must be in place to compensate for errors. Only a layered security approach is effective in today’s cyber environment. 

“Network security is now an oxymoron,” says Meeuwisse, adding that, “Networks are no longer the security layer; they are only a partially effective security detection layer that covers a mere fraction of digital territory [companies] own.” Data, applications, users, morphing endpoints, etc. are all now part of the equation, and threat actors target the gaps, not the effective defenses. Why should an attacker work through some complex exploit scheme when it’s easy enough to find vulnerabilities in basic system administration?

Went the distance now I’m back on my feet

System flaws are the gist of another of Meeuwisse’s Cyber House Rules: Don’t take reassurance on what security you do have; find out what you don’t. (The book lists ~34 rules in total.) In other words, know where your defenses are lacking and put in efforts towards hardening them. This requires regular vulnerability and penetration testing (in the best case, a combination of automated and human, internal and external) plus a commitment to remediate areas of found weakness; testing alone does not a good security program make. Knowing how many gaps your organization has in its primary defenses, says Meeuwisse, is a good measure of organizational security efficacy. Diminishing or eliminating those gaps, however, is the difference between no breach, a minor breach (to the extent that any breach can be classified as “minor”), and a mega breach (à laSony, Target, or LinkedIn).

Just a man and his will to survive

Many security teams already have the tools and skill sets in place to accomplish foundational security measures. The industry has a tendency, though, to focus on what’s missing: the latest or most expensive tools, additional security staff, hard and fast guidance guaranteed to keep attackers at bay. Of course innovation will continue and vendors will develop stronger/ better/faster products that improve practitioners’ efficacy. These things cannot and should not be discounted, but if Meeuwisse’s work—and many other industry studies and assessments—is any indication, security practitioners cannot and should not ignore critical controls and processes; they’re the difference between an effective cybersecurity program and one which leads to breaches, data loss, business disruption, brand damage, and a host of other undesirable consequences.

“Get your house in order,” seems to be the unstated message in Meeuwisse’s book. It’s a chapter security professionals have read time and again; will 2017 finally be the year the message takes hold?