Recent computer / network security breaches combined with the fact that it’s an election year in the US has led to asignificant amount of focus on [information] security and technology and interesting responses from [mostly] politicians on what the appropriate solution should be. One of the solutions that I have heard tossed about in the media is a ‘top down approach to cyber security‘. I understand the idea but wanted to point out some potential hurdles for this type of approach as well as a few things that may have better results. The three specific concerns that I have with a top-down approach are that it would be too slow with too many points of failure, unclear jurisdictional authority and the fact that the primary weakness that’s being exploited is the bottom of the line, not the top. For readers who are either allergic to the ‘c-word’ (cyber) or who may be playing a drinking game with ‘cyber’ as the keyword, my apologies in advance.
The technology in use today is a massive collection of parts moving at breakneck speed and making radical changes in direction, sometimes overnight, as the next new thing hits the scene. Government, in contrast, is a massive collection of parts bound in bureaucracy and barely able to move at all without committees who appoint sub-committees who hire pollsters to confirm the potential political implications of any decision all before actually starting to work on the problem. Using the ‘top-down approach to cyber security‘ means that, by the time a government entity has identified the threat and actually started a response, the attackers have completed the attack, counted their winnings and are doing the recon / intelligence gathering on their next target(s). In addition to being too slow to be effective at combating cyber crime, each moving part is a potential point of failure for causes ranging from political correctness, incompetence or corruption. Combine the slow speed, potential points of failure and the US Governments track record on keeping it’s infrastructure secure and it’s clear that a large, slow-moving governmental body is not the tool to use to address cyber crime.
Ignoring the problems of speed and ability, the operating theater for cyber criminals is the Internet, which is global. Successfully combating cyber crime legislatively means addressing every level of the kill chain which would require an unprecedented amount of cooperation at every jurisdictional level (local, state, federal and international). A break at any point means the threat survived and now has actionable intelligence on how to defeat one more layer of security for their next attempt. One example of this is former NSA contractor Edward Snowden, who is wanted for treason by the United States but is currently enjoying asylum in Russia and avoiding extradition back to the US. Another example is the CAN-SPAM act of 2003, which was a ‘top down’ approach to curtailing unsolicited commercial email (SPAM). Between the exclusions and exceptions in the bill and the fact that it really has no jurisdiction on emails originating outside of the US, the CAN-SPAM act is largely worthless as anything more than a PR stunt for the senators who sponsored the bill. In both cases, legislative loopholes made / make prosecution all but impossible for legitimate offenders (debates on the ethics and / or morality of what Snowden is accused of are beyond the scope of this article).
Lastly, the ‘top down approach to cyber security’ largely ignores what security professionals have been preaching for years, that the weak link in cyber security isn’t a technology problem but a user / education problem. The Verizon Data Breach Report (DBIR) has highlighted Social Engineering as a sweet spot for attackers for the past two years and I expect similar results for this years report. Security professionals at every level have highlighted Social Engineering as a weakness in their target environments and we routinely find networks that, from a technical perspective (firewalls, IDS / IPS, enforcement of strong passwords, antivirus, updates, etc.) are locked down, have at least one or two users who will fall for phishing attacks, watering hole attacks, or USB drop attacks every time. There is also no shortage of well-publicized security failures where the weak link was the human including the 2015 Seagate breach and the 2016 Methodist Hospital ransomware attack. Legislative measures, regardless of their good intentions, cannot be a replacement for user training.
While I can’t agree that a top-down approach to cyber-security is the first or best way to combat cyber crime, I can certainly agree that there’s room for improvement in what we are doing now. I’ll skip over specifics in this article but a few things that come to mind as good places to start are:
- End user education. Establish and clearly communicate your organizations acceptable use policy and test it regularly with social engineering (phishing, USB drop, etc.) attacks to give your users exposure to what a phishing attack looks like as well as a real-world example of the damage that it can cause (when you clicked this email, I was able to download all of the spreadsheets that you have access to).
- Actively testing your organization (vulnerability assessments, penetration tests, etc.). Give your internal IT Department an opportunity to see what an attack looks like and test their response. It’s far better to fail during a controlled test than during an actual attack.
- Actively engage the C-Suite, share the results of the testing in terms of their business impact and risk (we had a 12% click-through rate on the last phishing campaign in accounting that could have resulted in a breach in that department exposing sensitive financial information) with recommendations on how to address it (additional training, etc.).
Misc / Erratta
- Heritage Foundation notes alarming trends in breaches and failures in US Government
- The Cyber Kill Chain
- Edward Snowden
- 2016 DBIR
- Watering Hole Attack
- USB Drop Attack
- 2015 Seagate Breach
- 2016 Methodist Hospital Ransomware
- Vulnerability assessment or penetration test, which do I need and why?