Security Technology Executive

SEP-OCT 2018

Issue link:

Contents of this Issue


Page 42 of 59

www. • September/October 2018 • SECURIT Y TECHNOLOGY E XECUTIVE 43 Addressing these pitfalls early helps build an effective security program. 1. Understanding Inherent Risk A starting point for managing security risk is under- standing business complexity, and how an organiza- tion's business model aligns to threat actor capabilities and intent. In other words, security programs must fac- tor the changing nature of inherent risk – i.e. adaptations in business strategy, technology architecture, threat, cus- tomer expectations and regulatory mandates – into their programs on a recurrent basis. • Business & Technology Complexity. New product offerings, entry into new markets as well as merger and acquisition activity all entail risk implications for security programs, as do changes in founda- tional mechanisms for conducting business (e.g., evolving payments mechanisms). It is vital that businesses have a process in place to assess risks associated with any major technology adaptation or change – such as cloud adoption. In fact, the Uber breach disclosed last year highlights this risk. In 2016, external intruders obtained unauthor- ized access to personal information for 57 million Uber customers around the world, but they did so without ever breaching Uber's corporate systems or infrastructure. Rather, they found a credential "contained within code on a private repository for Uber engineers on GitHub" (a cloud-site that allows people to collaborate on code) and used that credential to "obtain access to certain archived cop- ies of Uber databases and files located on Uber's private cloud data storage environment on Amazon Web Services" (another cloud site). 6 • Threat. Likewise, threat assessment is a founda- tional aspect of risk management – i.e. how to categorize business assets from the perspective of target attractiveness to an adversary. As part of this analysis, organizations must increasingly consider not just their own critical data and processes, but also related technologies (e.g., websites, email, soft- ware code) that an adversary could use as a step- ping stone to the organization's customers. Indeed, a key focus area for the Department of Homeland Security's new National Risk Management Center will be to focus attention on underlying systems on which many sectors rely. For example, U.S. government reporting has highlight- ed how state actors are targeting "multiple U.S. critical infrastructure sectors, including the energy, nuclear, com- mercial facilities, water, aviation, and critical manufac- turing sectors" by first compromising staging targets (i.e. peripheral organizations such as trusted third-party sup- pliers with less secure networks). The threat actors used the staging targets' networks "as pivot points and malware repositories when targeting their final intended victims." 7 As seen during the 2017 notPetya attacks, adver- saries are using third-party software as a viable entry vector to deploy malware on targeted systems because security controls can be bypassed through the subver- sion of trusted third-party software. Malicious actors were able to infiltrate at the source of a supply chain, compromise the third-party software in question, and then leverage this compromise to inject malware into victim computer systems (via a built-in auto-update process), which then spread laterally through those systems. It is thus critical that organizations achieve strong visibility and management over software being developed, used and shared inside their IT environ- ments and with customers. Changing customer and regulatory drivers (e.g., European Union General Data Protection Regulation breach reporting timelines) also merit careful and continuous consideration. 2. Planning Process Even where inherent risk is identified, programs may not succeed in prioritizing risk reduction capabilities appropriately. Ineffective implementation sequenc- ing can result in missed opportunities and meager security returns. 8 • Threat Pathways Analysis. Best practice for security planning depends in part on the implementation of a "threat pathways" planning approach. Using this approach, organizations can map out the life- cycle of an attack and align countermeasures to detect and block as early on in the lifecycle as pos- sible. This approach was embodied in a "kill chain" approach articulated by Lockheed Martin a decade ago. 9 More recently, the MITRE Corporation has significantly built out this approach through the MITRE ATT&CK model. 10 • Insider Risk. Ideally, security planning should not just reflect threats from external actors but Public, private and government sectors face a race against time in ensuring the critical infrastructure of the nation's technolog y, business and energ y assets are secure. Photo Courtesy of

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - SEP-OCT 2018