Print Issue: June 2017
Something is amiss in corporate cybersecurity. Hackers continue to get in and compromise or steal large amounts of data, often without being detected until hundreds of days later—if at all. Despite the billions of dollars spent on cybersecurity and the increasing corporate focus on cyber risk over the past several years, cybercriminals are still operating at an advantage.
“It’s the difference in the cultures. One culture is dynamic, entrepreneurial, and innovative. Unfortunately, that’s the bad guys,” says James Lewis, senior vice president at the Center for Strategic and International Studies (CSIS). “And the other culture is a little more bureaucratic. How do we address that? How do we fix that?”
Two recent reports from opposite perspectives seek to explain why this is, and how corporations can become more nimble in leveling the playing field.
Most cybersecurity reports are focused on the defenders; the report authors focus on collecting victims’ accounts about the threats they have experienced. But looking at that small fraction of the entire landscape doesn’t make sense to Chris Pogue, CISO at Nuix, an information management technology provider.
“Instead of asking the hacked what they are seeing, why don’t we ask people who are actually attacking, because we’d get a much wider perspective,” Pogue says. And thus, the idea for Nuix’s The Black Report: Decoding the Minds of Hackers was born.
To collect data for the report, Nuix held parties at the DEFCON and Blackhat conferences during the summer of 2016, inviting known hackers and penetration testers. “Literally I bought $5,000 worth of booze and I said, ‘Admission to the party is you fill out my survey,’” says Pogue, who is the report’s author.
Of those surveyed, 21 percent were professional penetration testers, 24 percent were “students of technology” who hack to learn, 1 percent were full-on hackers, and 53 percent said they were a mix of all of the above. Most of these individuals—66 percent—said that their main motivation as a hacker was that they “like the challenge,” while 32 percent said they were profit driven.
The surveyed hackers and penetration testers also said that they were usually able to break into systems and changed their tactics roughly every six months. However, only 5 percent of those surveyed said they changed their tactics because they no longer worked. Most only changed their tactics to learn new techniques.
“What was interesting was, security countermeasures that historically organizations think are effective, the hackers laugh at and blow right by,” Pogue says. “And then other things that organizations don’t want to spend money on—like employee training—the hackers are like, ‘The most difficult thing for us to get around is well trained people.’”
For instance, 52 percent of survey takers said that spending on employee education to prevent cyberattacks was “extremely important,” followed by vulnerability scanning (37 percent), and goal-oriented penetration testing (30 percent).
In contrast, hackers said the least effective place to spend a security budget was on data hygiene or information governance (42 percent), perimeter defenses (21 percent), incident response (19 percent), intrusion detection and prevention systems (13 percent), and penetration testing (4 percent).
“Clearly information governance elicits strong opinions from professional hackers,” the report explained. “On the one hand, if organizations achieved the goal of information governance, they would have all their data goodies in one area, ripe for compromise. On the other, information governance used in conjunction with other security controls can provide another layer of defense in the protective web.”
Many also had a cynical view of how boards of directors perceive cybersecurity, with 30 percent saying boards were only interested in security for compliance reasons, 15 percent saying that boards were only doing the bare minimum, and 5 percent saying boards see security as a “waste.” Instead, hackers encouraged boards to trust their security professionals and understand that it’s only a matter of time until their company is hacked.
“If it’s a foregone conclusion that an attack is imminent, organizations need to expediently and precisely figure out if an attack has indeed taken place, quickly understand the breadth and depth of the attack, and then formulate a response strategy,” the report said. “In this situation, the board needs to trust that the organization’s security professionals understand the threat landscape and are willing to work with the other groups (IT, developers, legal, HR) to limit the amount of downtime or exposure to a breach.”
While there may be misalignment between the way hackers and corporations view cybersecurity, there are other disconnects that are making companies more vulnerable to cyberattacks.
“Misaligned incentives between attackers and defenders mean that the decentralized market in which cybercriminals operate makes them adapt and innovate faster and more efficiently than defenders, whose incentives are shaped by bureaucracies and top-down decision making,” according to the recent report, Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity, by CSIS and Intel.
The report surveyed 800 respondents—executives and operators with technical responsibilities—from companies across five major industry sectors, including finance, healthcare, and the public sector.
It found that there are three levels of misaligned incentives that put defenders at a disadvantage: between the corporate bureaucracy and the free-form abilities of hackers, between strategy and implementation, and between senior executives and those with operational responsibility.
Bureaucracy. Black hat hackers are part of an underground ecosystem that’s made up of specialized freelancers with different skills and expertise.
“This loose, informal structure provides low barriers to entry, transparency and competition, and efficient allocation of resources that allows black hats to tap a wide talent pool, innovate quickly, and adapt quickly to changes in defenses and technology,” the report explains.
The business processes, risk management policies, and structured workflows that companies use for cybersecurity are at odds with the approach that hackers and penetration testers use, a misalignment that puts companies at risk.
This incentive misalignment does not come as a major surprise, says Candace Worley, vice president of Intel Security Group, who explains that companies have processes in place to address concerns that hackers do not have.
For instance, when a company becomes aware that it’s been breached, it often has to go through a process to ensure that how the breach is handled doesn’t significantly impact the business—such as shutting off the company’s ability to process payment information.
“A hacker doesn’t care; he just changes it,” Worley says. “But the network guy can’t shut down a port willy-nilly without checking in with the network team, so that slows the response process down for the corporation.”
Companies often put in place change control processes to mitigate the risk associated with any change in their IT infrastructure. To speed up their response time, Worley suggests that companies evaluate whether they need a parallel process for cyber events.
“If the house is on fire, you go through a different process of exiting the building than you would if you were just going to the grocery store,” she explains. “Cyber’s a lot like that; if we have reason to believe the corporation is under attack, we should have a different set of processes that the teams associated with responding to that attack can leverage to accelerate that response.”
Companies should also look at their other internal processes to speed them up to reduce their risk of cyberattack. One area Worley says companies should focus on is improving their patching practices.
“If we know that a vulnerability has been disclosed, especially a critical vulnerability, and 30 days later it’s not patched—well of course we should expect that someone’s going to exploit that,” Worley says. “A simple thing that companies can do to reduce their risk is patch vulnerabilities in a more accelerated fashion.”
Another area that companies can look into to speed up their processes is adopting security-as-a-service for tasks they are not capable of doing in-house.
“Greater use of outsourcing and open contracting can help reduce costs, increase competition, and facilitate the broad adoption of effective security technologies and practices,” the report says.
Strategy. Another incentive misalignment that the report found was that 90 percent of organizations have a cybersecurity strategy, but less than half of them have fully implemented those plans.
“Executives tend to view their organization’s cybersecurity strategies as more fully implemented than operators,” according to the report.
One reason for this could be a communication issue, Worley says, because oftentimes different assumptions are made by those communicating the strategy and those implementing it.
“You communicate ‘This is our strategy, we need to get this implemented,’ and there’s an assumption that it’s going to get implemented, but the reality is it takes time, money, and resources to implement a strategy,” she explains. “And depending on the capacity of your team, it may take much longer to implement that strategy than an executive would anticipate.”
Executives. Another reason for the misalignment might be the different ways that executives and implementers measure the plan’s effectiveness.
Executives are “more likely to evaluate the effectiveness of their cybersecurity strategies through the lens of broader organizational goals, including cost control and maintaining reputation, than operators who focus more on technical cybersecurity metrics,” the report finds.
Instead of focusing on cost, operators are using metrics that measure breaches, penetration testing, vulnerability scans, and cost-of-recovery analysis to determine their organization’s cybersecurity effectiveness.
Worley says this finding was particularly interesting to her because it showed that executives view cybersecurity as effective if nothing occurred to impact their company’s brand and bottom line.
“In 95 percent of organizations, they have experienced a cybersecurity breach—including disruption of operations, loss of IP, and harm to their reputation,” she says. “But only 32 percent actually indicated that they have lost revenue as a result of that. I couldn’t believe that. It blew me away because obviously if you’ve had a disruption in your operations…you have had an impact to your profit.”
To address this misalignment, Lewis says that companies should first realize that executives and operators are using different sets of metrics. They should then try to find a way to correlate the different sets, so everyone is measuring effectiveness the same way.
“I would put the two metrics next to each other, and say, ‘How well does controlling the cost correlate with successful defense?’” Lewis says. “Try and correlate cost with quantitative measures and see what you get.”
This will help companies get away from the mindset that a certain number of cyber incidents are just the cost of doing business and will help even the playing field with the hackers, who have a significant speed advantage over defenders.
Hackers are “incentivized by direct rewards for being faster, newer, and nimbler in their attacks,” the report says. “The incentives for speed and focus are not there for defenders. But incentives can be changed.”