By Chris Baldwin, System Director (CISO), Hartford Healthcare
Maya Angelou, a noted civil rights activist, once said, “hope for the best, prepare for the worst, and be unsurprised by anything in between.” This is useful thinking in support of effective cybersecurity.
The French Maginot Line
On May 10, 1940, Germany began the invasion of France through the Ardennes Forest in Southeast Belgium. The French believed an attack through this dense, rugged terrain was improbable. They had spent the past nine years and $3b francs constructing a 280-mile fortification called the Maginot Line. The French were aware the Maginot Line might be bypassed, but they did not seriously consider the Ardennes as a plausible alternative.
Many factors made the Ardennes attack successful and applicable to cybersecurity. The blitzkrieg tank tactics, the excellent command, and control and advanced radio communications in the Panzer tanks, the scouting reports of German activity in the Ardennes that was dismissed by the French. But most importantly, the Germans had the intent, resources, and creativity to dominate in a new type of warfare. It took six weeks for the defeat of France, Belgium, Luxembourg, and the Netherlands. Once the German Army penetrated France, allied forces morale quickly deteriorated, command and control broke down. The French were ill-prepared for the eventuality of a successful military penetration.
Maginot Thinking-What is cyber-Maginot thinking?
Many technical tools add great value to an effective cyber defense, which includes next-generation firewalls, advanced end-point antivirus, and state of the art email security platforms. But there is no one-and-done when it comes to cybersecurity. Any strategy predicated on building up defensive safeguards that support the “I am now secure” mindset is dangerous. This thinking assumes threat actors will not continue to adapt their tactics and try again even if they fail the first time. Federal and state security regulations are certainly extensive and important. The Health Insurance Portability and Accountability Act (HIPAA), being the most notable in healthcare, is a solid framework for driving compliance with baseline standards. But compliance is not the same as security, especially with the nefarious motivations and capability of international threat actors prevalent today.
Changing Threat Landscape
Today, it is possible for cyber-criminals and nation-state threat actors to construct effective offensive cyber capability with very modest resources. Building an effective cybersecurity defense program is more challenging. The National Institute of Standards and Technology (NIST) has done a good job in identifying and defining standards for the many elements of cybersecurity defense. The NIST Cyber Security Framework (CSF) is an excellent paradigm for thinking about a security architecture that starts with the right mindset. As defined in NIST CSF, there are five core functions to an effective defense: Identify, Protect, Detect, Respond, and Recover. The last three tacitly assume an attack will occur, and therefore: 1) the importance of early detection, 2) the need for a flexible and comprehensive incident response process, and 3) that response mitigation and recovery will eventually be needed.
In October 2020, the FBI began issuing warnings that international cybercriminals were targeting the US healthcare system. Within a few weeks, there were reports in the media of ransomware infections at hospitals and health systems around the country. In December 2020, some of the most stalwart security firms, including SolarWinds and FireEye, announced they had been compromised. These are firms corporate America relies upon to stay secure, and yet even they were vulnerable.
According to Mandiant (a division of FireEye), in their 2020 M-Trends report, the global median dwell time, defined as the duration between the start of a cyber-intrusion and it being identified, was 56 days. The more time a threat actor has inside a network, the more time they have to conduct reconnaissance, scan for vulnerabilities, seek to escalate privileges, and gain access to technical and corporate data that could represent an existential risk to almost any organization.
The requisite cyber defenses for every organization will, of course, vary depending upon all the unique characteristics of each entity’s digital footprint. Some may have moved extensive resources to the Cloud. This presents both risk and opportunity. Moving to the Cloud can improve an organization’s security posture because providers such as Amazon Web Services or Microsoft have vastly more resources to apply to cybersecurity. On the other hand, assessing the efficacy of Cloud services before making a move is critical. Not all Cloud providers are alike.
People, processes, and tools are all critically important for effective cybersecurity controls. New job roles, such as threat hunters, are becoming more commonplace. Rapid detection of an intrusion is essential in responding effectively and being able to recover with minimal impact. New skills are required for detection and other state of the art security functions.
Continuous testing is also critical. When critical weaknesses are found, any patch or remediation should always be tested again to ensure efficacy. Nothing should be taken for granted. For this type of penetration testing, outsourcing may be a viable option, especially if the staff you would rely upon internally to conduct the testing are the same individuals responsible for implementing the technical controls.
Cyber Security Governance
Cybersecurity is highly technical and complex. For many companies, it represents a significant organizational risk. One of the most important safeguards is not technical. Governance and effective risk management are foundational to an effective cybersecurity program. Some important governance questions include: How are we balancing resources with other competing funding priorities? What levels of cyber liability insurance are appropriate for the organization?
Effective governance is fundamental to technology adoption in general. Cybersecurity governance is most effective when it supports well-crafted strategies and tactics supported with capital and operating funds over a sustained period of years, along with the mindset that supports flexibility and adaptability in an ever-changing and increasingly dangerous threat landscape.
Those with ill intent have shown they have the resources and creativity to be successful. In cybersecurity, Maginot thinking — a faulty reliance on strategies that do not realistically consider the possibility of compromise, however fortified and well-conceived — is dangerous.