Cybersecurity Assurance: Learning from the Past

Cris Ewell, CISO, UW Medicine

Cris Ewell, CISO, UW Medicine

The exploitation of information security vulnerabilities by our adversaries is inevitable, and the economic and reputational damage from these attacks can negatively impact the organization. Our adversaries are highly motivated, organized, and often well-funded, which gives them an advantage over current information security controls and methods. The primary mandate for information security programs is the protection of enterprise information and information systems from unauthorized access. It is challenging to safeguard the data assets of an enterprise in today's complex IT environment. Not only do information security personnel need to implement administrative, physical, and technical controls, they need to be mindful of all of the potential attacks that might compromise their systems. 

It would be easy to say that the unauthorized access to our data and systems is only due to the sophistication of our adversaries (including nation-states and organized crime) as well as the advanced tactics, techniques, and procedures (TTP) used by these adversaries. While there is evidence of advanced TTPs used in attacks, our adversaries often do not need to use these methods due to the inadequate security strategies as well as the ineffectiveness of the traditional security controls which are disproportionately technical and not always maintained. Proof of conventional security approaches failing is in the news almost every day.

"Understanding how the adversaries target assets is an essential step in determining what controls are necessary or at least have the best chance of protecting the asset against compromise"

In 2017, the world experienced what happens when a combination of poor information security practices combined with a capable adversary exploits a system. The EternalBlue tool was used to weaponize the WannaCry attack against vulnerable systems which were unsupported (such as Windows XP) or not patched. The scale, speed, and impact of the successful attack were frightening.  Over 150 countries and hundreds of thousands of computers were impacted in the first few hours, causing billions of dollars of damage.

While some of the blame can be put on the software development and loss of the application by the government as well as the distribution of the tool by the cybercriminals, the organizations that were successfully attacked have to accept responsibility. Unless we change our practices, we will continue to see these types of attacks because organizations often use unsupported or deprecated systems as part of their business practice without adequate mitigating controls, do not routinely patch all firmware, operating systems, and applications, and do not adequately educate their workforce.

Understanding how the adversaries target assets is an essential step in determining what controls are necessary or at least have the best chance of protecting the asset against compromise. Many information security programs are not adequately funded or have the proper resources to protect the organization's environment. To maximize the resources, we have to determine which organizational information security risks will be prioritized for mitigation.  It is essential to understand how the adversary thinks to help with this prioritization and not have any pre-conceived ideas or assumptions regarding the threat or attack. It is easy to miss an essential element that can be exploited if all the attack approaches are not evaluated.

Over the past 15 years, I have reviewed information security literature, data breach reports, legal cases, and had discussions with information security professionals and developed the following list of attack methods most commonly seen.
• Authorized account misuse - authorized accounts are used to gain unauthorized access to data; 
• Implied trust exploitation - involves employees, trusted partners, or other third parties that have trusted access to the assets or data; 
• Denial of Service - disrupting access to specific resources; 
• Physical - exploiting vulnerabilities in the physical realm utilizing various techniques against physical entities and properties; 
• Supply chain compromise - manipulation of computer system hardware or software that disrupts the supply chain lifecycle; 
• Social engineering - interpersonal manipulation to gain access to systems or data; 
• Malicious software - occur using software such as viruses, worms, Trojans, and spyware designed to infiltrate a computer system without the owner's informed consent; 
• Misjudgment or error - related to mistakes made by authorized individuals allowing data or systems to be compromised; 
• Cryptographic and password attacks - bypasses the security of a cryptographic system by finding a weakness in code, cipher, cryptographic protocol or key management scheme; 
• Data interception - monitoring the data streams to or from a target to gather information occurs; and 
• Operating system and application - deliberately causing a fault in the asset's operating system or application. 

As each attack method is reviewed, evaluation of the attack from the perspective of an external user (no trust or system privilege), partner (implied trust and system privilege), and internal user (full trust and privilege) is necessary. The next step is to assess the exploitability, prevalence, and potential controls that can help mitigate the successful attack. From this evaluation, an organization can at least prioritize the controls that have the most significant impact in reducing the overall risk while maximizing the use of resources. It is interesting to note that often the adversary will combine multiple attack methods to gain access to the organization's assets after they complete their reconnaissance of the infrastructure and systems.

Information security professionals must learn from past events and understand the applicable attack methods so they can help their organization implement controls and practices that make sense and are agile enough to stay ahead of the evolving threats. Many good organizations have implemented basic administrative, physical, and technical controls and maintain mature information security practices. Even with this maturity level, the organizations are still at risk of being successfully attacked. Unfortunately, this level of maturity seen in some organizations is not uniformly implemented across all organizations that are protecting our confidential data, which is a contributing factor in the potential breaches. It seems that we expect different results without changing any of our actions – not something any information security professional wants or should accept. It is essential that we continue our fight for good practices and educate our leaders as to the risk of the status quo or inaction.


Read Also

Intentionality Is The Key To Increasing Diversity In Information Technology

Intentionality Is The Key To Increasing Diversity In Information...

Rosemarie Lee, Vice President and Chief Information Security Officer at BlueCross BlueShield of Tennessee
Dear CIO, You Must Support The CISO: It's For Your Own Good

Dear CIO, You Must Support The CISO: It's For Your Own Good

Christos Syngelakis, Group CISO, MOTOR OIL [MOH: GA]
Ensuring Cyber Security through Cloud technologies

Ensuring Cyber Security through Cloud technologies

Eric McKinney, Enterprise Infrastructure Director, G & J Pepsi-Cola Bottlers