Patch Management vs. Zero Day

Cyber security is a very fragmented market – there are a huge number of cyber security startups, usually focused on a technology niche, rather than a market. This fragmentation is driven by two psychological forces:

1.     People naturally worry about unusual disasters and large downsides more than they do mundane dangers. Stories about super sophisticated cyber-attacks are much more interesting than “we forgot to patch our servers” (ala Equifax).

2.    Folks have tendency to overestimate how good they are at something. When it comes to cyber security most IT organizations are sure they have the basics down pat – even though they may be failing at the most basic foundations of cyber security (e.g.  the first 5 CIS cyber controls).

These two natural human tendencies drive the cyber security market to gravitate towards ever more sophisticated (aka complex) solutions to solve “sexy” esoteric attacks. It’s not that organizations can’t be attacked through complex, well-orchestrated sophisticated zero-day attacks – it just that the over whelming majority aren’t.  If we lived in a world of unlimited resources this misplaced focus wouldn’t a problem, but in the real world cyber security resources are extremely constrained and increased attention in one area means less for in another.

As quick example – let’s look at a pressing cyber security issue – What are the most dangerous animals in North America? First, in order to answer that we need to define both “animal and “dangerous”, so let’s define animal as the entire animal kingdom except humans and dangerous as animals that cause the most human deaths. Turns out when you define it that way it isn’t scary snakes and bears you need to worry about, but rather the mundane, “innocuous” deer. This “scary” vs. “mundane” holds for cyber security as well – the overwhelming majority of damaging attacks are mundane.

The only way to adjust for our natural biases is through measurement and analytics -i.e. focus on real world cyber-attacks not scary “what ifs”. The resounding result from looking at actual attacks are most are usually “mundane” attacks that could have been easily mitigated by a focus on the basics.Once you have basic cyber defense down pat you can start looking at more esoteric protection – if you really need it and it is cost effective.

A platform approach is really useful in this regard – by basing cyber defense on actual data from a wide range of customers, it can help focus a company on the basics as well as democratize access to more esoteric defenses when warranted.

Cyber OODA

The OODA (Observe, Orient, Decide, Act) loop is a popular way to describe the benefits of using AI in cyber defense. The OODA loop was originally developed by Colonel John Boyd. Its popularized interpretation is that success in battle depends on the ability to out-pace and out-think the opponent, or put differently, on the ability to go through the OODA cycle more rapidly than your opponent. This description focuses on an introspective process in which faster completion of the loop is the key to victory. The thinking goes that since AI increases the ability to quickly detect and respond to cyber attacks it thereby increases security – maybe even to the point that detect+respond can take the place of identify+protect. So maybe AI is the long sought after silver bullet of cyber defense?

The problem is that OODA is not about the type of introspection provided by AI, it is about using knowledge of the environment to manipulate it and disrupt an adversary’s OODA loop. Success depends on generating friction in the attacker’s OODA loop and increasing the speed of your own OODA feedback loop. So cyber defense must first focus on increasing adversary friction and only then focus on speeding response.

Appropriately most independent cyber defense recommendations focus first on increasing adversary friction. The NSA “Methodology for Adversary Obstruction” provides 4 technology principles to increase adversary friction:

-Reduce the attack surface to reduce external attack vectors into the network

-Harden devices to reduce internal and external attack vectors into the network

-Implement Credential Protections to degrade the adversaries’ ability to maneuver on the network

-Segregate networks and functions to contain damage when an intrusion occurs

Similarly, 4 out of the 5 CIS (Center for Internet Security) Controls also focus on increasing adversary friction:

CSC 1: Inventory of Authorized & Unauthorized Devices

CSC 2: Inventory of Authorized and Unauthorized Software

CSC 3: Secure Configurations for Hardware and Software

CSC 5: Controlled Use of Administrative Privileges

Friction makes harder for cyber attackers to succeed – causing them to try their luck somewhere else. A valuable byproduct of increased friction is that causes “heat” which can be sensed and used by a cyber defense platform to dynamically increase protection.

The 5 Laws of Human Stupidity and Cyber Security

Carlo M. Cipolla a professor of economic history at the University of California, Berkeley published in 1976 an essay outlining the 5 fundamental laws of human stupidity:

1. Always and inevitably everyone underestimates the number of stupid individuals in circulation.
2. The probability that a certain person be stupid is independent of any other characteristic of that person.
3. A stupid person is a person who causes losses to another person or to a group of persons while himself deriving no gain and even possibly incurring losses.
4. Non-stupid people always underestimate the damaging power of stupid individuals. In particular non-stupid people constantly forget that at all times and places and under any circumstances to deal and/or associate with stupid people always turns out to be a costly mistake.
5. A stupid person is the most dangerous type of person, even more dangerous than a bandit.

So what does this mean for cyber security? It means that in order to keep itself safe, any system needs to work hard to provide invisible guardrails and processes to mitigate user stupidity. They need to be “invisible” because users will try to circumvent anything that they perceive gets in their way – even if they end up harming themselves. Even better when security systems are perceived as helping users, instead of hindering them.

Training has only very limited value since many users cannot be trusted to “do the right thing” and trying to scare them into compliance won’t work. This goes for all types of users – from sophisticated admins to naive (from a cyber perspective) executives.

PS. Not to belabour the point but cyber security is not immune to human stupidity:

1. How many times have you been forced to create a password with inane password rules that we now know do not increase security?
2. Most organizations don’t even have metrics to understand how the effectiveness of their cyber security program and how to plan an effective security budget
3. Most organizations don’t have explicit, enforceable cyber security policies.
4. Even companies that specialize in risk management (i.e. insurance companies) don’t ask the right questions in order to correctly analyze cyber security risks for companies they insure.

CIA triad: Warranty vs. Utility

The security CIA triad (confidentiality, integrity, availability) is a guide for information security policies within an organization. Confidentiality is a described as a set of rules that limits access to information (i.e. read access control), integrity is the assurance that information is trustworthy and accurate (i.e. write access control), and availability is a guarantee of reliable access to information by authorized people.

The problem is the CIA triad describes the warranties expected from a security policy (aka making it fit for purpose) but not the expected utility (fitness for use). Utility and Warranty are ITIL terms to describe the value of a service. Technical folk tend to focus on warranty when they define requirements – they don’t consider the broader ramifications of utility. That paradigm is rampant in cyber security solutions and causes a huge chasm between what the CISO knows should be done from a security perspective and what employees actually do everyday.

Just look at 20 year old password requirements we have all come to hate. Their creator focused on what he thought were rules that would ensure password warranty and ended up creating rules that are unfit for regular users (The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time). Even worse the requirements are actually UNfit-for-purpose (take a look at the current NIST recommendations for passwords) since they make it relatively easy for modern attackers to break passwords.

Information\cyber security is NOT only a technical endeavour. It is much more complex and needs to take into account human and organizational psychology as well usability to be successful. A real world example of the problem is described by Keith Swenson here.

How Much IT Security Spending is Enough?

IT budgets are a limited resource and money spent on (a) isn’t available for (b), so IT needs decide how to allocate its budget. For most existing IT departments most of their budget is to keep the lights on and manage legacy systems. Of the rest extremely limited budget some needs to be spent on enhancing security instead of other IT initiatives (including growing the business), so the question how much budget is enough for IT security?

Security’s job is to limit and mitigate risk. So a simple answer would be to quantify the risk and decide on what percentage of expected loss the business is willing to spend on IT security to protect against that loss.

A simple budgeting process would be something like:

· Make a list of all risks and their cost of occurrence.

· Decide on a probability of occurrence for each risk during the upcoming budget year given the organization’s security posture.

· Multiply those two numbers for each risk and add the results, which results in the maximal loss expected for the coming budget year if nothing is done,

·  Decide on a percentage of loss (say 25%-37%*) you are willing to spend to mitigate those uncovered risks,

·  Add that to your base IT security costs (keeping the lights on) and you now have your security budget for the budget year

That is far from an optimal process, but it is better than none. It also points out the importance of visibility – if you don’t know your current security posture there is no way to know what to spend to safeguard your assets.

*Taken from a 2002 paper “The Economics of Information Security Investment” by Lawrence A. Gordon and Martin P. Loeb of the University of Maryland.

Cyber Insurance is Broken

In 2016 cyber insurance gross written premiums were at over $3 billion and are expected to double by 2020 for a CAGR of 23% a year – quite a nice growth rate.

Insurance companies have a vested interest in a common language for cyber defense (in order to gather standardized data) to enable them evaluate risk more effectively. For example, in the US and UK ACORD defines the standard forms and data models for the insurance market. Also, insurance companies take a business risk oriented view of security – not a techie view which seems to pervade the cyber security industry. So I thought they could provide insight into how the cyber security market is evolving.

Since robust implementation of first 5 CSC (critical security controls) as defined by CIS (Center for Internet Security) reduces the risk of a cyber breach by 85% – I expected cyber insurance proposal forms to mostly have interesting questions on those 5 controls, and some insights about the importance of other controls.

What I found left me flabbergasted (always wanted to use that word in blog :). An analysis (see 1 below) of different cyber insurance proposal forms shows there are 4 CSC Controls with NO corresponding questions in proposal forms:

• CSC1: Inventory of Authorized and Unauthorized Devices – 16 other controls depend on this control
• CSC2: Inventory of Authorized and Unauthorized Software – 14 other controls depend on this control
• CSC 5: Controlled Use of Administrative Privileges
• CSC7: Email and Web Browser Protections

The 4 controls most mentioned are:

• CSC8: Malware Defenses
• CSC10: Data Recovery Capability
• CSC 13: Data Protection
• CSC14: Controlled Access Based on the Need to Know.

Bottom line: cyber insurance forms don’t gather information on the most important issues (CSC1, CSC2) – the ones almost every control depends on. It is like a life insurance company not caring about tobacco or alcohol use. The implications here are earth shattering – either the technical controls are completely wrong – or insurers that issue cyber insurance don’t have a clue about cyber security. I am guessing the latter.

Insurance companies are just asking for trouble unless they link cyber insurance policies to cyber security policy and execution.

Previous post: (Security) Policy – Lost In Translation

The series starts here: Creating a $1B Company – 5 Indicators a Market is Ripe for a Platform

(1) Mapping the Coverage of Security Controls in Cyber Insurance Proposal Forms by Daniel Woods, Jason R. C. Nurse and Ioannis Agrafiotis in the August 2017 Journal of Internet Services and Applications

(Security) Policy – Lost In Translation

An explicit policy concerning cyber security is critical for any organization. Executives need to define a cyber policy as a statement of intent to be provided to the rest of the organization and then implemented through tools, processes, procedures and protocols. A cyber security policy provides a system of principles to guide decisions, achieve rational outcomes and ensure compliance. These policies are very high level (maybe not as high as “honesty is the best policy”) and need quite a lot of translation before they can be operationalized.

The organizational cyber security policy (owned by the CISO, CEO and Board) provides the requirements for security architecture, procedures, processes, protocols, services, tools and configurations. These policies are translated and refined to become operational and implementation is owned by the CIO (head of IT) and CISO (had of security) and COO (head of operations). In every organization I have met this translation doesn’t explicitly exist or at best it exists in out of date documentation. Finally, operational policies are implemented (usually by IT) and the mapping back to policy is then implicit – buried deep in implementation details with no way to make it explicit or keep it up to date.

Even worse, somehow at the technical level security policy is sometimes misconstrued as firewall policy. Not that firewall policy isn’t important – but in the 21st century it certainly doesn’t equate to security policy:

–      security policy (even at the technical level) is much broader than firewalls;

–      firewall policy is much too low a level for anyone but a network engineer to understand

Just take a glance at the NIST firewall policy guideline. It defines a firewall policy as “how an organization’s firewalls should handle inbound and outbound network traffic for specific IP addresses and address ranges, protocols, applications, and content types based on the organization’s information security policies”. Very important stuff consideration – but far from topics of policy discussions at the level of board or CIO\CISO – and certainly not covering the needs of an organization’s cyber defense.

Actual firewall policies are even lower level requiring familiarity with terms like ingress filtering, egress filtering, stateful inspection, deep packet inspection, proxy servers. As an example a firewall policy is: “traffic with an invalid source address for incoming traffic or destination address for outgoing traffic (an invalid “external” address) should be blocked at the network perimeter. The most common type of invalid external addresses is an IPv4 address within the ranges in RFC 1918, Address Allocation for Private Internets, that are reserved for private networks” which then gets translated to firewall configuration.

Whew. I am sure your CIO (or CISO) is dying to dive into this level of detail – NOT.

This disconnect between security policy at the executive level and the actual implementation (firewall policy, as complicated as it is, is really only a small part of technical cyber security policy implementation) is the same gap between business requirements and IT implementation. For applications this gap causes about 2/3 thirds of issues and problems – my guess is that for cyber the number is similar.

The only way to meet the needs of 21st century cyber security and compliance is to bridge this policy translation divide.

6 + 1 Cyber Assets at Risk

The first step for any cyber security initiative is to be sure you know what you need to protect (aka visibility). A one-time effort is not enough, visibility must be ongoing and continuous process – assets at risk change constantly. Visibility (aka Identification) is an essential prerequisite to control – otherwise controls can lead to chaos.

There are the 6+1 main categories of cyber assets that need visibility:

1. Network – this is one that is clear to everyone, and to date is probably one of the best understood cyber security needs – everyone needs a firewall (and AV). The problem is that since the advent of the Firewalls the network threat has changed – it moved from needing only a perimeter threat to “perimeter and data in motion” threat. From a completely “logical” perspective the network can be thought of as the network infrastructure devices and their interconnect with other devices, but since network is so ingrained with cyber security I thought it made sense to add it as a separate category. That is why I consider it 6+1 instead of 7.
2. Devices – computational devices that connect to company infrastructure or are used by your employees for company business. It doesn’t matter whether a company actually owns the assets (on-premise vs. cloud and BYOD) or that the devices connect to infrastructure indirectly (e.g. USB or Bluetooth). Devices include everything from IoT devices to servers – Network Infrastructure (e.g. routers), Application Infrastructure (e.g. Servers), PCs and Laptops, Mobile devices (e.g. cell phones and smart watches), USB devices (e.g. Keyboards) and IoT devices (e.g. TVs and Thermostats). Things are changing so quickly here that this is usually where companies have lost control over visibility.
3. People – users that can access company applications, infrastructure or data. At one time these were only employees, now the list also includes vendors, customers and visitors.
4. Apps – Applications and application components used by the business. Used to be that this was a small set of on premise applications used by employees and accessed via a user interface (or GUI). Now the number of applications and application components has greatly expanded, and access is by employees, customers, visitors and vendors through GUIs and APIs (and don’t forget developers and QA if you have any bespoke development). Applications and application components reside on premise and in the cloud, and can belong directly to the business or to vendors. Open source is another large provider of application components and must be accounted for as well.
5. IP – unstructured proprietary data that is owned and used by the business (e.g. catalogues, emails, patents). Many companies don’t even have a good handle on what this data includes, or where it is located.
6. Data – structured data used by the business. For the most part organizations know where this data resides at rest (though it probably exists in transient form in unexpected places like caches). This is proprietary data that resides in organizational databases used to run and manage the business (e.g. employees data, customer data). It includes data that is often subject to compliance via PCI, GDPR and other regulations.
7. Reputation – the social opinion about your company. Most companies don’t have much quantitative information on their reputation except for accounting purposes (measured through brand value and goodwill). Reputation isn’t only a cyber asset – but cyber reputation has become a large part of a company’s overall reputation (e.g. reputation on Facebook). An attack on cyber reputation can harm a firm almost as much as an attack on tangible assets.

For mature companies this list is in order of precedence, mainly because most already have in place some basic controls. For example, most mature companies have a least a minimum handle on users (through credentials) and on their structured data – otherwise the order might change.

If you get the first right (network, devices and users) – you are a long ways ahead of the pack in your cyber security efforts. In any case, a cyber security platform must identification and protection of all cyber assets-at-risk.

Cyber Controls can Lead to Chaos

The British Cyber Essentials scheme was developed as a set of basic technical security controls for organizations to mitigate the ‘bottom 80%’ of remote cyber-threats (aka commodity cyber threats). These controls are applicable to businesses of all sizes as a base level of protection against cyber-attacks.

Out the known vulnerabilities these controls are considered to mitigate 69% and partially mitigate 30% of those vulnerabilities. Some vulnerabilities were only partial mitigated because mitigation was dependent on vendors releasing patches to combat those vulnerabilities.

So it seems logical that if you implement these 5 controls your company is protected against most cyber-attacks (similar to claims of the CIS 5). That is not true – and not just for companies under targeted attack.

The problem is that just implementing controls is not enough. Controls need to be linked via monitoring and feedback loops to visibility, analytics and policy. You need to implement a cyber defense PDCA (plan-do-check-act) cycle relevant to your company’s context. Just ask the former CEO of Equifax about how miscategorizing complicated problems as simple can lead to chaos.

As long as you are aware that controls alone aren’t enough, cyber essentials is a good list of basic controls:

·     Prevent unauthorized access to or from private networks,

·     Ensure systems are configured in the most secure way for the needs of the organization;

·     Ensure only those who should have access to systems actually have access and only at the appropriate level;

·     Ensure virus and malware protection is installed and up to date;

·     Ensure the latest supported version of applications is used and all necessary patches have been applied.

Just make sure that your implementation doesn’t focus only on controls but also addresses asset-at-risk visibility, analytics and policy.

Cyber Security Effectiveness

Insurance data is a good source of information regarding all sorts of risk. Insurance companies have a vested interest in collecting as much data as possible concerning risk, since that data is what drives their profitability. They fill cars with sensors, go and smash them just to get data on accident injury risk. I thought it would be interesting to see what the insurance industry knows about cyber risk.

I used the ACORD form for Cyber and Privacy coverage to understand industry best practice on the data needed to issue a cyber risk policy. I looked at a few reports, especially the Allianz Risk Barometer – a survey of more than 1,200 risk experts by Allianz Group on the top corporate perils. The risk barometer report has a section of cyber risk and ranks it as a top 3 business risk worldwide!

What I found drove home to me how little we understand systemic cyber risk. The problem is that no company (at least none that I have met) can actually link assets at risk, vulnerabilities, policies, controls and actual results. That means there is no way to measure cyber security spend effectiveness, i.e. whether company cyber defenses are actually minimizing the costs of:

·    business interruption,

·    reputational loss,

·    liability claims,

·    recovery and repair

In other words, most companies have no idea whether they are spending their cyber defense budgets effectively – or the level of protection afforded by those defenses.