Part one of this blog series discussed the tactical responses which are appropriate in the wake of the Travelex security attack. Primarily, these involve ensuring that all endpoints are fully patched and thus not vulnerable to the attack, and confirming that any external VPN access is fully secured and patched.
But these tactical responses alone don’t sufficiently enhance the security posture of an organization. There will be more attacks, and next time, you might be the first one in the line of fire.
Protecting against cyberattacks requires strategy, not just tactics. Implementing an effective strategy can look daunting. When you visit sites such as SANS and start drilling down, there are a lot of things to consider. But, as General Patton once said,
“A good plan violently executed now is better than a perfect plan executed next week.”
An effective cybersecurity strategy can be developed and deployed incrementally. You don’t need to spend months or even years analyzing and planning to get started. During that time, you remain vulnerable. Instead, start by dividing the challenge up into smaller, bite-sized chunks, and then focus on the approaches with the most ‘bang for the buck’, i.e., where the benefit accrued is substantial relative to the cost.
In part two of this blog series, we’ll discuss how to get started with an effective cybersecurity strategy. Part three will then drill down into some additional issues we need to consider when fleshing out this core strategy.
The buck stops here
Start by considering who, within your organization, is primarily responsible for security.
That ‘who’ should ultimately translate to a single individual. By default, of course, in the absence of an effective cybersecurity strategy, that individual is the CEO.
Clearly that’s a terrible strategy. Most organizations delude themselves into believing that there IS someone other than the CEO who will primarily take responsibility. But when a detailed organizational analysis is performed, it turns into a “Whose Job Is It, anyway” story. It goes like this:
“This is a story about four people named Everybody, Somebody, Anybody and Nobody. There was an important job to be done and Everybody was sure that Somebody would do it. Anybody could have done it, but Nobody did it. Somebody got angry about that, because it was Everybody’s job. Everybody thought Anybody could do it, but Nobody realized that Everybody wouldn’t do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have”.
In most of the high-profile attacks, it turns out that Nobody was primarily responsible for organizational security. But Everybody thought Somebody was, so they didn’t worry too much. Until it was too late.
Start with defining a CISO role – and fill it with the right individual
You need to start by defining a role – Chief Information Security Officer (CISO) – and an individual assigned that role, who will live, breathe, sleep and eat corporate security and – critically – be accountable in the event of a breach.
You also need a right-hand person, reporting to the CISO. They will be a sounding board for any decisions – no single individual gets it right all the time, and when it comes to security, mistakes can have catastrophic consequences.
Sure, in most organizations there will then be an additional team reporting to these two individuals. But it’s critical that power, responsibility and accountability ultimately trace back to a key pair of individuals. Without this, you will never implement an effective cybersecurity strategy.
This is a high-pressure role and ‘promoting’ an operational person into it by coercion is doomed to fail. You need to ensure that the CISO role is filled by an appropriate, motivated candidate, and be prepared to pay a salary commensurate with the criticality of the role. Think of the CISO and their right-hand person the way you would think of a highly skilled pilot and First Officer. When you get on an aircraft you put your trust in the skill and training of two individuals who work together to get you and the other passengers and crew safely to their destination. It takes two people because, apart from the obvious risk of pilot incapacitation, the two crew members delegate tasks between them and monitor each other to catch and rectify any minor error which could rapidly escalate into catastrophe if not caught promptly.
Learn from the airline industry
Although you wouldn’t think so from every newspaper report of a crash, in fact, flying in 2020 is incredibly safe. You would have to fly every day for over 6,000 years before the chance of being in an accident becomes significant. Only one ‘hull loss’ is typically experienced in nearly 10 million flights.
This is pretty amazing. But how did flying become so safe? Looking at how the airline industry manages risk is an excellent way to start mapping out your security strategy. You might think that air safety and cybersecurity are totally unrelated, but they are both risk management exercises and have much in common.
The airline industry learned lessons the hard way. As someone said once, “If you think safety’s expensive, try having an accident”. There are two key lessons that we can learn from the industry.
Lesson 1: Implement rigorous, traceable, auditable systems
All maintenance operations, as well as the parts used to assemble and repair aircrafts, are associated with meticulous audit operations, ensuring that parts can be traced and repair operations are cross-checked by multiple individuals.
In cybersecurity, this translates to having good control of your fixed assets (i.e., both fixed and mobile computer systems) and rigorous control of the software that runs on them. Additionally, it means implementing detailed logging that can capture any anomalous events and good tools to analyze these logs and highlight anomalies automatically and in real time.
It also means managing change control meticulously. Change control isn’t just about worrying whether a new release of a vendor’s software product might not work as planned. It’s about examining any known security issues and ensuring these are either patched or mitigated. You should be working with vendors to ensure that ‘Pentesting’ or penetration testing, is carried out for all third-party software you’re integrating with your systems – there should be consistent standards to which all vendors are audited. In the case of the Travelex hack, the VPN software appears to have exposed plaintext passwords – a major pentesting failure. A good audit would have picked this up long before the vulnerability was actually exploited.
Lesson 2: Learn from disasters
Every major airline disaster is analyzed by safety organizations across the world, such as the National Transportation Safety Board (NTSB) in the US.
These organizations work to determine exactly what caused the disaster and they make recommendations to airline manufacturers and operators to ensure that whatever went wrong can – hopefully – be prevented from reoccurring. For example, the worst airline disaster in US history, when American Airlines flight 191 crashed after takeoff at Chicago, was due to two primary root causes: incorrect maintenance procedures and deficiencies in the design of the DC-10 aircraft. As a result of this accident, changes were made to maintenance procedures and aircraft design to prevent a reoccurrence.
In cybersecurity, this translates to analyzing and understanding each major breach. As an organization, you need to know the details of how the attack was carried out, so that you can review your defenses and ensure that you aren’t vulnerable. This is not merely an issue of patching – it involves staff training and infrastructure management as well.
You’ve defined a CISO role and resourced it appropriately. Learning from the airline industry, you’ve implemented effective change management and monitoring processes. And, crucially, you’ve analyzed historical attacks and learned the lessons associated with them, ensuring your defenses are resilient to these attack vectors.
Now you have executed a good plan violently, it’s time to turn it into a perfect plan, knowing your defenses are as sound as they can be during this process. In part three of this blog series, we’ll discuss how you can augment the core plan to ensure your security in the long term.