From Passive to Active Cybersecurity Risk Management

This article originally appeared on Education Technology Insights.  

In December 2020, the top U.S. cybersecurity firm FireEye stumbled into an information network security incident that led them to uncover a massive data breach. The hack happened over an estimated period of 8 months and foreign perpetrators used Solarwinds, an American software company, to plant malicious code into the company's software system called “Orion”. The code created a backdoor to customer's information technology systems allowing hackers to deploy additional malware and escalate spying operations on thousands of U.S. companies and government agencies.

More than three months later, the Federal Bureau of Investigation and other cybersecurity firms still continue to uncover more malware related to the Solarwinds hack. The question at the center of this digital supply chain security fiasco is “how so many key government agencies, high profile technology corporations, and even top cybersecurity firms were blindsided for so long?” 

Indeed, cybersecurity specialists will hurry to answer this question by pointing out that this hack was a complex, deceptive spying operation supported by a top-tier cyber state actor on the U.S. adversary list. In other words: Russia. However, blaming the cyber aggressor is certainly not enough to understand what went wrong especially in the light of a brand new security incident involving Microsoft. 

In early March 2021, Microsoft reported a massive breach into its Exchange software allowing hackers to access thousands of companies and government email accounts, read messages without authorization, and install unapproved software. Again, it was another “complex, deceptive spying operation supported by a state actor in the U.S. top-tier cybersecurity adversary list”. This time China seems to be behind this second massive digital supply chain security debacle.

As the saying goes: “Fool me once, shame on you. Fool me twice, shame on me.”

These two massive cybersecurity incidents expose a new reality: compliance to cybersecurity frameworks and regulations are clearly insufficient. Checking the compliance boxes are nothing more than a passive approach to cybersecurity risk management and only protect organizations against known threat and attack vectors. Regulations, standards, and cybersecurity governance frameworks should be understood as a baseline in risk management. Cybersecurity threats and vulnerabilities are multifaceted and ever-evolving. Organizations need to move toward a more active strategy based on a holistic risk assessment. This active approach should include but not be limited to the following five components:

1.  Active Risk Communication

Communicating risk across the enterprise is a paramount feature of risk management. Organizations need to deploy continual reinforcement in their communications strategy, especially when addressing the issues of cybersecurity risk and change. CISO must use multiple communication approaches as well as tools and techniques that are appropriate for different audiences distributed across the enterprise. Finally, organizations need to plan and implement a workforce cybersecurity awareness communications campaign that allows risk communication from top-down to bottom-up. It’s important to note that, in the FireEye detection of the Solarwinds hack, it was an employee who notified his leadership about a suspicious dual authentication request which launched an internal incident investigation and the discovery of the breach.

2. Active Cyber Defense

Organizations must conduct threat intelligence and threat hunting activities. Cybersecurity professionals should profile relevant adversaries in cyberspace (hackers, organized crime, insiders, foreign states) and analyze techniques, tools, and processes they are using to perpetrate attacks against critical assets. Organizations should develop threat indicators, determine potential implications for existing information systems and exploitation systems, and formulate advice on how to neutralize threats or thwart possible attacks. Then, once the intelligence part is completed, cybersecurity professionals should gather data from diverse information system protection tools to analyze events, detect malicious activities, and recommend countermeasures. Advanced software powered by artificial intelligence is now available to monitor networks by using anomaly detection in order to alert stakeholders in case of discrepancies in data similar to events in previous cyber threats. Other AI solutions are smart antivirus that does not require virus signature updates, but over time will be learning to detect malicious programs from scratch to end.

3. Active Risk Assessment

First, cybersecurity risk assessment methodologies evolve constantly due to new attacks modus operandi. These changes, like software patches, must be integrated as soon as they evolved. For instance, National Institute of Standards and Technology offers a framework for cybersecurity testing and assessment methodologies. This type of methodology is revised and updated periodically to adjust to the threat landscape and new vulnerabilities. In terms of active risk assessment techniques, one of the best practices is the implementation of red team/blue team exercise in which the hackers try to attack an organization’s information systems (red team) and the cybersecurity specialists respond to the incidents. This type of exercise is beneficial at several levels: (1) discovery of unknown vulnerability; (2) learning new attack schemes; and (3) learning from mistakes made during the incident response without facing negative consequences.

4. Active Security in Development and Deployment Processes

An integral part of injecting security into processes is for organizations to integrate security solutions at the onset of the deployment and development cycle of new software and technology. DevSecOps was created in response to security concerns generated by the DevOps timeline in which security considerations were left until the very end of the software development cycle. The idea was to resolve security problems by addressing security at every stage of the software development cycle. However, this approach was flawed because the security solutions were left in the hands of software developers who were poorly equipped to address these issues (lack of tools and knowledge). Then a new approach was recently incepted: SecDevOps. This approach requires security to be at the forefront of every stage of the software development cycle by promoting secure coding and embedding security measures into the planning, analysis, design, and deployment stages in addition to traditional implementation and testing stages. In addition, changes in software application code are tied to security requirements related to deployment procedures. 

5.  Active Supply Chain Security

Finally, the Solarwinds and Microsoft incidents show how securing the digital supply chain is critical. Organizations must shift the security mindset from trusted partners to “trustworthy” and “zero trust” approaches. Relationships with external vendors and suppliers must be continuously reevaluated. Thorough due diligence processes must be applied periodically and no one in the supply chain network should be trusted but rather they should demonstrate their trustworthiness through a series of steps that demonstrate security requirements are achieved. For instance, the Cybersecurity Infrastructure Security Agency (CISA-DHS) provides a guide on how to establish and improve supply chain risk management across the enterprise. This document helps organizations to establish standard operating procedures on how to conduct supply chain risk management, identifies best practices to ensure security, and how to build a culture of supply chain risk management (training).

To conclude, it is also important to mention that organizations cannot just farm out their risks to external security firms. They must be an involved actor in their own cybersecurity risk management. If they don’t, they will be the ones that will suffer the dire consequences of their passiveness.