Insights

Return here often to view current news, insights and commentary.

Cybersecurity – It’s Really Not That Complicated.

03/29/2017

Effective cybersecurity is really not that complicated. I think that because so much technology is involved, most people assume the concepts are complicated; but they’re not. To illustrate this point, I’ll use home security as an analogy.

Most every homeowner uses basic security controls like locks on doors and windows. When you think about it, these basic security controls provide very little protection. They’re designed to discourage petty thieves from entering the home or cause them to make a little noise if they do decide to break in. But I don’t think anyone believes locks deter a motivated thief. Therefore, what happens next is a steady progression of a “cat and mouse” game where the homeowner enhances security based on what they know of criminal activity in their neighborhood.

If “smash and grab” thieves are kicking in doors or breaking windows, the homeowner may reinforce entry points with dead bolts, door stops or stronger windows. Reinforced entry points may slow down a thief or cause them to make more noise, but it won’t stop them; and there’s no guarantee the intrusion will be detected. Left undetected, thieves can remove a lot of value in a short amount of time. In response, the homeowner usually turns to a home security system that places intrusion detection sensors on entry points and sets off alarms. But what if no one is home to respond to the alarm? Smarter thieves do their homework and wait until they know the home is empty. So, better home security systems include a monitoring service that notifies the homeowner and law enforcement when the alarm has been triggered.

The “cat and mouse” game will continue as long as thieves are motivated. The homeowner must stay abreast of the latest tactics and techniques used by thieves if they want to keep the home secure. Motion sensors and cameras may be necessary in some situations. (I had a thief enter my home through the HVAC return!)

So how does this relate to cybersecurity?

Dynetics conducts “threat faithful” Adversarial Simulations to test organizations’ preparedness for real-world cyber criminals. In most cases, these organizations believe they are secure. To date, our Elite Ethical Hackers have never failed to breach a client’s network — usually within a few hours. After that, because organizations are not monitoring behind their perimeter defenses, it’s just a matter of time before we have access to all data, systems and functions — usually in less than two weeks! So while these organizations are successfully deterring nuisance hackers, they would not be successful stopping today’s motivated cyber criminals that have found ways around basic cybersecurity controls like firewalls, anti-virus, spam filters, etc. The proof of these statements in easily found in the steady stream of breach headlines.

I want you to stop and think for a second about the purpose of a monitored, home security system. It’s not to prevent an intrusion. Its purposes are to detect the intrusion as soon as possible, provide situational awareness, and disrupt the thief’s activities before valuables are found and removed. In essence, a home security system “assumes breach!”

But why do homeowners “assume breach?” Why don’t they just reinforce the perimeter security and make it impossible for thieves to break in? There are solutions available. You can put steel doors and shutters in place. You can put up a tall fence or wall with razor-wire. You can build a castle with a moat! Absurd I know, but you can make your home virtually impenetrable! So why not?!

The answers seem obvious, but sometimes the obvious answers cause us to overlook the underlying reasoning. In security circles, physical or cyber, you’ll hear the statement “When choosing among security, convenience and affordability, you can only have two!” While absolute home security may be achievable, it won’t be affordable and it won’t be convenient. Therefore, homeowners opt for the balance that meets their situation. And one more reason: you can’t enjoy your community if you isolate yourself. Interaction with others requires some amount of trust and risk that your trust will be abused. It’s no different in the digital world. To access the benefits of a digital economy, you must accept that at some point your trust will be abused and your network will be breached. You, too, must “assume breach!”

So, back to my opening point: “Effective cybersecurity is really not that complicated.” We simply need to apply the same reasoning that homeowners apply to home security. While homeowners may not go through a formal assessment process, they do consider two primary factors when selecting a security approach: value at risk and most likely threats. Then they determine the cost and inconvenience they’re willing to incur to achieve an acceptable level of risk. For cybersecurity, organizations should assess their value at risk (revenue generation, financial liability, mission, reputation, etc.) and their most likely threats (hackers, hacktivists, crime syndicates, nation states, etc.). Then they, too, can determine the cost and inconvenience to achieve an acceptable level of risk. And like homeowners, organizations must “assume breach” and add monitored detection capabilities to intrusion prevention systems. Only then can organizations ensure breaches are detected early enough to eradicate cyber criminals before valuable data is compromised. Finally, organizations must accept that cyber threats will continue to change in response to the latest security controls. Therefore, organizations must budget for a continuous cyber risk management program that includes assessments (value, threats and controls), implementation, operations and testing.

Cyber RiskScope® from Dynetics is a portfolio of cyber risk management solutions based on an adversarial perspective that ensures our clients are successfully defending against today’s motivated cyber threats. For information on how Dynetics can help your organization with strategic planning, assessments, implementation and operations, call 800.922.9261 ext. 5020 or email Sales@Dynetics.com


 

Today’s Cyber Risk Paradigm

01/13/2017

Cybersecurity” in today’s world is a misnomer. Our government agencies, businesses, and personal lives are irreversibly connected to a worldwide web that provides enormous opportunity and convenience. However, success in this “connected” world requires organizations sacrifice absolute security — and therein lies the problem. Because being “connected” requires some amount of insecurity, the same worldwide web that creates opportunity and convenience, also gives rise to sophisticated, dynamic and growing cyber threats motivated by financial gain, activism and state-sponsored espionage. This new business paradigm is the “Digital Frontier.

In the Digital Frontier, traditional cybersecurity approaches focused on perimeter protection are no longer effective. Firewalls that block unauthorized connections, must also allow email communications. Anti-virus tools that detect known malware, overlook the new; and intrusion detection systems that examine network traffic are blind to encrypted communications. As we rush to market with new offerings, the underlying technology often creates new vulnerabilities that are exploited by cyber criminals. And when security measures are effective, cyber criminals simply find new attack vectors. It’s a continuous match of wits between cybersecurity professionals and cyber criminals. However, the very nature of a “connected” society demands we leave some openings in our security and, consequently, makes “cyberSECURITY” in today’s world a misnomer.

In the Digital Frontier, breaches are inevitable. Therefore, resilience must be the goal. “Cybersecurity” must give way to “cyber risk management,” and organizations must recognize that cyber risk is a business risk that can no longer be managed solely by the IT staff.