In recent years, the cybersecurity focus and activities by both industry and government have been reactive to whatever is the latest threat or breach. As a result, mitigating the threats was difficult because, from the outset, cyber-defenders were always at least one step behind.
The reactive mindset has been changing due to a series of wake-up calls that have included a major series of intrusions by sophisticated threat actors against many high-profile targets (including SolarWinds, Colonial Pipeline, OPM, Anthem, Yahoo, and many others) that exposed a flawed approach to defending data and operating with a passive preparedness.
As our reliance on the interconnectivity of cyber devices, enterprises, and applications on the cyber landscape has grown, so have the cyber intrusions and threats from malware and hackers. The growing and sophisticated cyber threat actors include various criminal enterprises, loosely affiliated hackers, and adversarial nation-states. The firm Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025. Cybercrime To Cost the World $10.5 Trillion Annually By 2025 (cybersecurityventures.com)
Also, a change in the cyber risk environment resulting from a transition to remote work coinciding with a heightened need for procurement of innovative technologies and services has created a new paradigm for cybersecurity.
With the growing realization of just how important IT is to business, and as a result of the dramatic increase in breaches, there is growing recognition that protection against them should be considered more than a business cost item: it is a necessity to ensure business continuity and reputation. Proactive cybersecurity is a posture that industry and government have increasingly adopted.
Proactive Cybersecurity = Risk Management
Being proactive in the evolving digital ecosystem is not just about procuring technologies and hiring people. It also means adopting a cybersecurity framework that would include tactical measures, encryption, authentication, biometrics, analytics, and continuous testing, diagnostics, and mitigation, as they may apply to specific circumstances. Concisely, proactive cybersecurity means helping ensure business continuity.
In a core sense, a successful strategy for dealing with the consequences of cyber threats is really about risk mitigation and incident response to maintain business continuity. It is critical to be aware of the morphing threat landscape and to plan contingencies for all potential scenarios. A risk management strategy requires stepping up situational awareness, information sharing, and especially resilience planning.
Foundational to a commitment to proactive cybersecurity is a cyber vulnerability risk assessment. That action item is a critical first step in cybersecurity best practices. A risk assessment can quickly identify and prioritize cyber vulnerabilities so that you can immediately deploy solutions to protect critical assets from malicious cyber actors while immediately improving overall operational cybersecurity.
A comprehensive risk management approach should include cyber-hygiene best practices, education/training, use policies and permissions, configuring network access, testing of code, security controls, applications, device management, application controls, and regular network audits.
Three strategies are most commonly being used today to bolster risk management in cybersecurity. They include Security by Design, Defense in Depth, and Zero Trust. Security by design monitors, manages, and maintains the security process. Defense in depth enables layers of redundant protective security measures to help deter data breaches. And zero trust focuses on protecting resources (assets, services, workflows, network accounts) through strict identity and access management enforced by authentication and proper authorization. Combining Three Pillars of Cybersecurity (forbes.com)
The specifics of a security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic capabilities for critical communications in cases of emergency. These guidelines are represented in the U.S. government’s National Institute of Standards and Technology (NIST) mantra for industry and government: “Identify, Protect, Detect, Respond, Recover.”
First Steps: Testing of Code & Applications
Testing software code is a critical function of information technology product validation. If the process of testing is not followed, the end-use product may be defective and potentially put a business or organization at risk. Detecting and fixing bugs in software development is a way to ensure the end quality of products.
That assessment needs to begin with application security testing to identify vulnerabilities that can be exploited in code or misconfigurations, or the discovery of malware already existing in programs and applications. Prevention and preparedness begin with discovering the knowns and unknowns in the code that is the backbone of the array of applications and operating networks that will determine our digital future.
New code, especially third-party software, needs to be thoroughly identified, assessed, and validated before it is installed on the network. Third-party advisory websites such as US-CERT and BugTraq are important for your cybersecurity team to monitor for newly disclosed vulnerabilities.
While new code is a threat, many applications and programs may already be operating on legacy systems that include flaws and access points that can lead to breaches. Therefore, legacy code needs to be reviewed for patches along with any new code as part of a vulnerability assessment. Every application begins with source code, and coding standards are needed to optimize it and to discover vulnerabilities. This can be done by visibility scanning and penetration testing, which includes verification/validation of the source code that could be exploited. The testing and validation process is all about finding issues before they reach production and contaminate networks and devices.
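The risk assessment described above (identify and prioritize vulnerabilities so that critical assets are protected first) and the legacy-code patch review just described come down to the same mechanical step: cross-reference what is installed against what advisories say is affected, then rank the results by how much the business depends on each asset. The script below is an added example written for this article, not code from the article or from any vendor or advisory service it names. The advisory ids (ADV-0001 and so on), component names, versions and asset inventory are all constructed placeholders; a real run would pull advisories from a feed such as the ones the article mentions and the inventory from a CMDB or software bill of materials.

```python
"""Vulnerability assessment prioritizer (added example, not from the article).

Matches an asset inventory against an advisory feed and ranks the resulting
findings by severity and asset criticality so the highest-risk patches are
handled first. All advisory ids, component names and versions below are
constructed placeholders; they are not real CVEs or products.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str         # placeholder id; a real feed would carry CVE ids
    component: str
    fixed_in: Optional[str]  # None means no fix exists (e.g. end-of-life component)
    severity: float          # 0.0-10.0, CVSS-style base score


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int                          # 1 (low) .. 5 (business critical), from the risk assessment
    components: Tuple[Tuple[str, str], ...]   # (component, installed version)


@dataclass(frozen=True)
class Finding:
    asset: str
    component: str
    installed: str
    advisory_id: str
    risk_score: float
    action: str


def is_affected(installed: str, fixed_in: Optional[str]) -> bool:
    """An install is affected if no fix exists or it is older than the fixed version."""
    if fixed_in is None:
        return True
    return parse_version(installed) < parse_version(fixed_in)


def assess(assets: List[Asset], advisories: List[Advisory]) -> List[Finding]:
    """Cross-reference inventory with advisories; return findings, highest risk first."""
    findings = []
    for asset in assets:
        for component, installed in asset.components:
            for adv in advisories:
                if adv.component != component or not is_affected(installed, adv.fixed_in):
                    continue
                # Risk = technical severity weighted by how much the business depends on the asset.
                score = round(adv.severity * asset.criticality, 1)
                action = (f"upgrade to {adv.fixed_in}" if adv.fixed_in
                          else "no fix available: isolate or replace component")
                findings.append(Finding(asset.name, component, installed,
                                        adv.advisory_id, score, action))
    return sorted(findings, key=lambda f: f.risk_score, reverse=True)


# Constructed advisory feed (placeholder ids, fictional components).
ADVISORIES = [
    Advisory("ADV-0001", "logging-lib", fixed_in="2.17.0", severity=10.0),
    Advisory("ADV-0002", "web-framework", fixed_in="4.2.0", severity=7.5),
    Advisory("ADV-0003", "legacy-ftp-daemon", fixed_in=None, severity=9.8),
]

# Constructed asset inventory: name, criticality, installed components.
ASSETS = [
    Asset("payments-api", 5, (("logging-lib", "2.14.1"), ("web-framework", "4.2.0"))),
    Asset("intranet-wiki", 2, (("web-framework", "4.1.3"),)),
    Asset("file-transfer-host", 4, (("legacy-ftp-daemon", "1.0.9"),)),
]

if __name__ == "__main__":
    for f in assess(ASSETS, ADVISORIES):
        print(f"{f.risk_score:5.1f}  {f.asset:20} {f.component:18} "
              f"{f.installed:8} {f.advisory_id}  {f.action}")
```

Two details matter in practice. Versions are compared as integer tuples, because string comparison would rank "2.9.0" above "2.17.0" and silently hide an unpatched install. And an advisory with no fixed version is not dropped: the legacy daemon in the sample inventory scores second despite a lower criticality than the payments API, which is exactly the legacy-system exposure the paragraph above warns about.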
What is known can be tangible, but a big challenge for software testing, assessment, and validation is being able to anticipate the unknown threats common in cybersecurity breaches. These unknowns may include hidden malware that is undetectable by sandboxes, signature-based detection, and other behavioral identification products.
For most companies, software testing is used for quality assurance purposes that bring value to the users. Testing is a reputational enabler that helps ensure that products are of good quality and that any troubling issues are fixed before they are brought to the marketplace. The testing checks the alignment, user interface, and functionality of the products, which translates to customer satisfaction. If you are planning to launch an application, it is necessary to check its compatibility and performance across a wide array of operating systems and devices.
Testing also is a budget-related issue because it is cost-effective. It allows for planning and saves money in the software development process where bugs and misconfigurations can be caught and fixed in the initial stages of the software development lifecycle.
Security is another significant factor in the need for software testing. If security capabilities are built into the products in development, it builds trust for the users. Product security is a fundamental requirement for both industry and government, especially with the heightened sophistication of cyber threat actors.
The Need for Continuous Simulation Validation Testing
The sober reality is that cyber-breaches are not a static threat, and criminal hackers are always evolving in tactics and capabilities. Cyber-criminals are now using stronger evasion techniques, including malware that stops running if it detects that it is in a sandbox or that other malware detection capabilities are present. Exploit kits inject code and manipulate memory space once they reach the target system. Often these criminals use stolen certificates that are sold underground or on the Dark Web to bypass anti-malware detection and get around machine-learning-based detection. Industry and government must do more to meet and contain cyber-threat challenges.
Because of the sophisticated and growing attack surface being exploited by hackers, testing needs to go beyond traditional vulnerability scanners and manual penetration testing. It also needs to be automated to keep up with the pace of change in the evolving cyber landscape. Anticipating what criminal hackers might do in likely scenarios and practicing how to defend against it is a prudent measure to improve cybersecurity. That is what is done via continuous simulation validation testing.
Continuous simulation validation testing helps fill that discovery and protection gap. Through simulations, results can be immediate, can be performed frequently, and do not rely on the skill level of the tester, which can be a weak point that leads to vulnerabilities.
Continuous simulation validation testing combined with penetration testing is a good avenue to consider, since new payloads and attacks show up in the wild every day. There are currently several vendors providing continuous security validation solutions with different approaches. According to one of those vendors, Cymulate, the top threats that impacted companies in 2021 included LockBit, Conti and Dharma ransomware, HAFNIUM, TeamTNT, and APT29 with Log4j abuse. Cymulate’s simulation validation approach employs an Immediate Threat Intelligence module to enable companies to assess and optimize their Email Gateway, Web Gateway, and End Point security controls with out-of-the-box test scenarios that simulate potential new threats. Cymulate research reveals unique threats in the wild rose by over 35% in 2021 – Cymulate
Simulated attacks are useful because they also enable security blue teams to assess and fine-tune their detect, alert, and response capabilities through integrations with existing security programs and systems including vulnerability management, EDRs, SIEM, SOAR and GRC systems.
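The point of continuous validation, as the preceding paragraphs describe it, is that the same catalogue of test scenarios is run on a schedule against the email gateway, web gateway and endpoint controls, and the SIEM is checked each time for the alert each scenario should produce, so coverage is measured consistently rather than depending on an individual tester. The harness below is an added example written for this article; it is not Cymulate's code, nor code from the article or any other vendor. The scenario ids, control names, SIEM rule names, log lines and baseline are all constructed. Scenarios here are only records of when a benign test action was executed and which alert it should trigger; the benign actions themselves are out of scope. The harness reports detection latency per scenario, per-control coverage, and regressions (scenarios that were detected on the previous run and are missed now), which is the signal a blue team uses to fine-tune its detect, alert and respond integrations.

```python
"""Continuous security control validation harness (added example, not from the
article or any vendor). Checks whether each benign test scenario produced the
expected SIEM alert within a time window, computes per-control coverage and flags
regressions against the previous run. All names and log lines are constructed.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    scenario_id: str
    control: str          # which control should catch the benign test action
    expected_rule: str    # SIEM rule name that should fire
    fired_at: datetime    # when the harness executed the test action


@dataclass(frozen=True)
class Result:
    scenario_id: str
    control: str
    detected: bool
    latency_s: Optional[float]   # seconds from test action to alert, None if missed
    regression: bool             # detected on the previous run but missed now


def parse_siem_line(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value' SIEM line; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def validate(scenarios: List[Scenario], siem_lines: List[str],
             baseline: Dict[str, bool],
             window: timedelta = timedelta(minutes=5)) -> List[Result]:
    """Match every scenario to an alert with the expected rule name inside the window."""
    events = [parse_siem_line(l) for l in siem_lines if l.strip()]
    results = []
    for sc in scenarios:
        hit = None
        for ev in events:
            if ev.get("rule") != sc.expected_rule:
                continue
            ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            # Only an alert raised after the action and within the window counts;
            # an alert hours later is a coverage gap, not a detection.
            if sc.fired_at <= ts <= sc.fired_at + window:
                hit = ts
                break
        detected = hit is not None
        latency = (hit - sc.fired_at).total_seconds() if detected else None
        regression = baseline.get(sc.scenario_id, False) and not detected
        results.append(Result(sc.scenario_id, sc.control, detected, latency, regression))
    return results


def coverage_by_control(results: List[Result]) -> Dict[str, Tuple[int, int]]:
    """Map control name -> (scenarios detected, scenarios run)."""
    cov: Dict[str, Tuple[int, int]] = {}
    for r in results:
        detected, total = cov.get(r.control, (0, 0))
        cov[r.control] = (detected + int(r.detected), total + 1)
    return cov


T0 = datetime(2024, 3, 1, 10, 0, 0)  # constructed run start

# Constructed scenario catalogue: same list on every run.
SCENARIOS = [
    Scenario("EMAIL-01", "email-gateway", "Email gateway: test attachment quarantined", T0),
    Scenario("EP-01", "endpoint", "Endpoint: test file quarantined", T0 + timedelta(minutes=1)),
    Scenario("WEB-01", "web-gateway", "Web gateway: test URL blocked", T0 + timedelta(minutes=2)),
    Scenario("EP-02", "endpoint", "Endpoint: test script execution blocked", T0 + timedelta(minutes=3)),
]

# Outcome of the previous run, used to spot regressions (constructed).
BASELINE = {"EMAIL-01": True, "EP-01": True, "WEB-01": True, "EP-02": False}

# Constructed SIEM export: WEB-01 never alerts; EP-02 alerts far outside the window.
SIEM_LOG = """\
ts=2024-03-01T10:00:04Z rule="Email gateway: test attachment quarantined" src=mailgw01
ts=2024-03-01T10:01:02Z rule="Endpoint: test file quarantined" src=edr-agent host=ws-117
ts=2024-03-01T10:05:00Z rule="Auth: interactive logon" src=dc01 user=jdoe
ts=2024-03-01T10:20:00Z rule="Endpoint: test script execution blocked" src=edr-agent host=ws-117
"""

if __name__ == "__main__":
    results = validate(SCENARIOS, SIEM_LOG.splitlines(), BASELINE)
    for r in results:
        state = f"detected in {r.latency_s:.0f}s" if r.detected else "MISSED"
        print(f"{r.scenario_id:9} {r.control:14} {state}{'  REGRESSION' if r.regression else ''}")
    for control, (d, n) in coverage_by_control(results).items():
        print(f"{control:14} coverage {d}/{n}")
```

In the constructed run the web gateway scenario that was detected last time is now missed, which is reported as a regression and is the kind of change (a rule disabled, a proxy bypass added) a blue team wants to see the day it happens rather than at the next annual penetration test. The endpoint script scenario is also missed, but it was a known gap in the baseline, so it is tracked as coverage to build rather than as a regression.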
Cyber-Resilience and Business Continuity
Cyber-resilience and business continuity after an intrusion is an area that must be continuously developed for optimizing response protocols, training of information security personnel, and deployment of automated detection and backup technologies.
Cyber-resilience, business continuity, innovation, and collaboration between government and industry stakeholders is a proven model that makes good sense. Together, government and the private sector can identify products and align flexible product paths, evaluate technology gaps, and help design, evaluate, and simulate scalable architectures that will lead to more efficiencies, and fiscal accountability.
Information sharing is also a key cog in the resilience and business continuity equation, as it helps both industry and government keep abreast of the latest viruses, malware, phishing threats, ransomware, insider threats, and especially denial of service attacks. Information sharing also establishes working protocols for lessons learned and resilience that are critical for the success of commerce and for enforcement against cyber-crimes. DHS CISA has expanded its programs in information sharing with industry in the past couple of years, especially with companies involved in operating critical infrastructure.
Cybersecurity at the leadership level requires effective communication with the board and management team. The CISO, CTO, CIO, and executive management must align strategies, collaborate, and regularly assess their information security programs, controls, and safety of networks. Reputation management is often needed if the breach interferes with a company’s operations.
Remediation is important to continuity; no matter what, breaches will happen. To be most effective for resilience, industry and governments should have an incident response plan that includes mitigation, business continuity planning, and secure backup protocols in case networks and devices are compromised. Training and tabletop exercises can improve incident response plan implementation should an actual incident occur.
The incorporation of best practices and the lessons learned from the various and many breaches over the past few years is certainly valuable data for establishing components of prevention, recovery, and continuity in a plan. Unfortunately, many businesses are still negligent in their preparation and analyses. A recent study by Wakefield Research found that a third of mid-sized organizations still do not have a cyber-incident response plan in place! A third of mid-sized organizations don’t have a cyber-incident response plan (betanews.com)
The Challenge of Emerging Technologies
Emerging technologies are both tools for cyber-defenders and threat actors. The current cyber-threat landscape now includes artificial intelligence, machine intelligence, IoT, 5G, virtual and augmented realities, and quantum computing.
Automation, combined with artificial and machine intelligence, is an emerging and future cybersecurity pathway. Artificial intelligence (AI) is really going to be a big catalyst for cybersecurity. It will enable real-time threat detection and real-time analysis. Companies will be able to monitor what is in their system, and who may be doing things that are anomalies.
AI can also be used as a tool for nefarious purposes by criminal hackers to find vulnerabilities and automate phishing attacks, so not deploying or understanding the implications of such usage will undermine resiliency and continuity. AI and these other emerging technologies will all have a disruptive impact on security and operating models for the near future. Addressing new and more sophisticated threats will be fundamental to cyber-resilience and business continuity in the next decade.
In today’s sophisticated threat environment, cybersecurity can no longer be viewed as an afterthought if businesses are going to survive and thrive. Being proactive rather than reactive makes sense for anyone operating in the digital landscape. There are a variety of established paths to follow in cyber risk management to fill gaps and bolster defenses. Complacency in the face of growing threats is not one of them.