When you assume, you make an ass out of ‘u’ and me, or so the saying goes, and, in many situations, making assumptions can be misguided. But, in other situations, it pays to assume. Information security is one of these situations and, by assuming the worst, you can start to plan for it and prepare to defend against it.
The recent spike of ransomware attacks has shown companies what a potential worst-case scenario looks like when it comes to information security, with companies being taken offline and critical data being lost. This wakeup call has forced many into action, but ransomware is only one potential attack vector and there are numerous routes into a company. Yes, ransomware may be hitting the headlines, but it’s not going to be everyone’s biggest risk. So, if you’re looking for solutions because of the headlines, then you may be wasting your money.
A successful attack only needs one route in, but defenders need to protect against many potential entry points. In this situation, the advantage is with the attacker and, given enough time, skills and resources, it’s a matter of ‘when’ an attack will get through, rather than ‘if’.
Risk analysis and scenario planning allows you to assume that the worst will happen, that an attacker will get through. It’s an approach that more and more companies are looking to undertake in the face of growing, and often unknown, threats. As a ‘table-top’ exercise, it’s far more cost effective than implementing a tech ‘solution’ and allows companies to look at their wider security, building a roadmap of improvements that will bring the greatest security benefits. So, how do you go about it?
Know what’s important
A company’s crown jewels aren’t just important, they’re critical, and if they were to be stolen or made unavailable, for even the shortest time, it could mean your business stops operating. But what are your company’s crown jewels? For many it’s intellectual property, the design of a new product or your product’s ‘secret recipe’; for others it could be financial data.
Maybe it’s the source code for a piece of software you’ve been developing, patient information, live production systems, servers running internal operations, your e-commerce website, the list goes on. Your crown jewels can be a combination of many things, but, whatever they are, they need to be protected. The key question you need to ask yourself is: what are the things I, or my clients, can’t afford to lose?
Identify your real-world threats
When it comes to cyber threats, sophisticated is a word that is used a lot. “We were the victims of a sophisticated cyber-attack” is the usual line when news of a breach breaks. But when the dust settles, it’s often found that the attack wasn’t sophisticated at all. Everyone likes to think they’re the target of sophisticated attacks, but most attacks are opportunistic in nature, using simple techniques to expose weak security practices, unpatched systems or take advantage of human vulnerability. By identifying your most likely real-world threats and targets, you can start to prioritise the risks, identify the techniques they would most likely use, and the potential routes they are likely to take.
Understand your full estate and how attackers could move across it
One of the fundamental IT security challenges within organisations is the shadow IT ‘visibility gap’ between assumed, or known, infrastructure and what truly exists. Whether it’s because of merger & acquisition activities, personnel changes, or infrastructure changes over time, it can be easy to lose track of your IT estate.
Obtaining an exact picture of what you have is key: if you can’t see a legitimate device on your network, how can you properly defend it? Once you have full knowledge of what you have, you then need to understand the security measures you have in place, but not just from a tech point of view; you need to look at your security processes, procedures, operating rules, and system design as well. Having this clear picture across your estate will enable you to understand where potential entry points exist and expose weaknesses which may allow an attacker to move easily across your network.
Develop your scenarios, prioritise your improvements
Once you have a full 360-degree view of your organisation, what’s important to you and your threats, you can start to develop scenarios, ones that could have an extreme effect on your company. For example, a realistic scenario could be that an organised criminal group has stolen your intellectual property, or that hacktivists have brought down your e-commerce website through a DDoS attack. With a range of realistic scenarios in hand you can then evaluate which ones bring the highest risk.
Once you’ve evaluated the risk scenarios, you can start to think about making improvements, but firstly, it’s important to understand the steps the threats may have taken to achieve their goal. This can be done by conducting an attack tree analysis, working backwards from the goal, step by step, to continually ask ‘how’ it was possible.
Now that you understand the potential steps taken to achieve the goal, you need to identify controls that would predict, prevent, detect, or respond to these actions at every stage of the attack. Some controls may already be in place, but it’s important to analyse how effective those controls are and identify where gaps exist. Where gaps do exist, you can then evaluate the associated cost, and effectiveness, of the controls needed, helping to prioritise your remediation efforts.
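The three steps above (pick a scenario, work backwards through an attack tree, then map controls to each step and rank the gaps by cost and effectiveness) can be carried out on paper, but a small model makes the prioritisation repeatable. The following Python script is an added worked example, not code from the article; it builds the ‘organised criminal group steals your intellectual property’ scenario as an AND/OR attack tree, attaches candidate controls to each step, and ranks the controls not yet in place by how much they reduce the residual likelihood of the goal per unit of cost. Every step name, control name, cost and effectiveness figure is a constructed assumption for illustration only.

```python
"""Attack-tree analysis with control-gap prioritisation (added example)."""
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Tuple


@dataclass
class Control:
    """A candidate defensive control and its assumed (constructed) figures."""
    name: str
    stage: str            # predict / prevent / detect / respond
    cost: float           # relative cost units, constructed for illustration
    effectiveness: float  # chance the control stops the step it guards (0..1)
    in_place: bool = False


@dataclass
class Step:
    """A node of the attack tree. OR: any one child suffices; AND: all are needed."""
    name: str
    gate: str = "OR"
    children: List["Step"] = field(default_factory=list)
    control_names: List[str] = field(default_factory=list)


def step_residual(step: Step, controls: Dict[str, Control]) -> float:
    """Residual likelihood the attacker gets past this step, 1.0 meaning unopposed.

    Each control in place at a step removes a fraction of the likelihood; an
    OR node inherits its weakest child, an AND node the product of its children.
    """
    residual = 1.0
    for name in step.control_names:
        ctl = controls[name]
        if ctl.in_place:
            residual *= 1.0 - ctl.effectiveness
    if step.children:
        child = [step_residual(ch, controls) for ch in step.children]
        residual *= max(child) if step.gate == "OR" else prod(child)
    return residual


def uncovered_leaves(step: Step, controls: Dict[str, Control]) -> List[str]:
    """Names of leaf steps where no control is currently in place (the gaps)."""
    if not step.children:
        covered = any(controls[n].in_place for n in step.control_names)
        return [] if covered else [step.name]
    return [n for ch in step.children for n in uncovered_leaves(ch, controls)]


def rank_control_gaps(root: Step, controls: Dict[str, Control]) -> List[dict]:
    """Rank controls not yet in place by reduction of goal likelihood per unit cost."""
    baseline = step_residual(root, controls)
    ranked = []
    for ctl in controls.values():
        if ctl.in_place:
            continue
        ctl.in_place = True                       # try the control on ...
        reduction = baseline - step_residual(root, controls)
        ctl.in_place = False                      # ... and take it off again
        ranked.append({
            "control": ctl.name, "stage": ctl.stage, "cost": ctl.cost,
            "reduction": round(reduction, 4),
            "reduction_per_cost": round(reduction / ctl.cost, 4),
        })
    ranked.sort(key=lambda r: r["reduction_per_cost"], reverse=True)
    return ranked


def build_ip_theft_scenario() -> Tuple[Step, Dict[str, Control]]:
    """Constructed scenario: an organised criminal group steals design files."""
    controls = {c.name: c for c in [
        Control("security_awareness_training", "prevent", cost=1, effectiveness=0.4, in_place=True),
        Control("mfa_on_remote_access", "prevent", cost=3, effectiveness=0.9),
        Control("patch_management", "prevent", cost=4, effectiveness=0.8, in_place=True),
        Control("external_vuln_scanning", "predict", cost=2, effectiveness=0.5),
        Control("network_segmentation", "prevent", cost=6, effectiveness=0.7),
        Control("endpoint_detection", "detect", cost=5, effectiveness=0.6),
        Control("egress_monitoring", "detect", cost=4, effectiveness=0.5),
    ]}
    root = Step("Design files stolen", gate="AND", children=[
        Step("Gain a foothold", gate="OR", children=[
            Step("Staff member gives credentials to a phishing email",
                 control_names=["security_awareness_training", "mfa_on_remote_access"]),
            Step("Unpatched internet-facing system exploited",
                 control_names=["patch_management", "external_vuln_scanning"]),
        ]),
        Step("Move from foothold to the file server",
             control_names=["network_segmentation", "endpoint_detection"]),
        Step("Copy design files out of the network",
             control_names=["egress_monitoring"]),
    ])
    return root, controls


if __name__ == "__main__":
    root, controls = build_ip_theft_scenario()
    print(f"goal residual likelihood: {step_residual(root, controls):.2f}")
    print("uncovered steps:", uncovered_leaves(root, controls))
    for row in rank_control_gaps(root, controls):
        print(row)
```

Two things the figures show that the prose alone does not: an OR node is only as strong as its weakest branch, so adding external vulnerability scanning to the already well-patched branch buys nothing for this scenario while the phishing branch stays open; and a cheap, highly effective control on the weakest branch (MFA here) outranks more expensive controls deeper in the tree, even though the deeper steps currently have no control at all.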
Put your improvement efforts to the test
The more effective defensive measures you put in place, the more difficult you make it for would-be attackers. But how do you know if your defences are truly effective? You need to test them. Having your work tested can seem like a daunting prospect and it can be easy to think that it’s going to belittle or ridicule your security efforts. But that’s not the case. Testing is designed to support your efforts, ensuring that your business is as protected as possible from the primary risk scenarios you have identified.
Penetration testing and red teaming are good options for evaluating your defensive measures: testers simulate the actions of an attacker, potentially uncovering further vulnerabilities, supporting remediation and providing you with assurance that your efforts have been truly effective.
Make sure information security is an ongoing process, not just a one-off
Information security can sometimes be seen as a tick-box exercise: once it’s complete, you’re protected. But that isn’t the case. What’s considered safe today may be vulnerable to attack tomorrow. Attackers are always looking for new attack routes, new techniques and new vulnerabilities, and no company, or technology, is ‘unhackable’.
Security improvement efforts, such as risk analysis and scenario planning, need to be ongoing, helping keep your company one step ahead of any malicious threats.
First published in Computing Security Magazine