The Importance of Practicing ‘Due Care’ in Cybersecurity

Security Industry Association (SIA)

Taking appropriate precautions can prevent security equipment from being a cyber vulnerability

Cybersecurity and physical security are becoming more and more connected. Everything from the cars people drive to the heating systems that warm their houses to the planes they fly in is increasingly controlled by interconnected computers, and as a result all of it is subject to attack.

Target sustained a major breach through network credentials stolen from its HVAC vendor, and that breach contributed to the departure of Target's CEO. Cyber-physical security is consequently on the agenda of C-level executives and boards of directors, from major corporations to small businesses.

This means that security equipment companies have a responsibility to make sure that the systems used to secure those businesses are not the vulnerability that enables a cyber attack to succeed.

Supply chain security is also an increasing concern. An employee of a small company (fewer than 200 employees) that builds customized high-tech components for major corporations recently related that his employer had been hit with a ransomware attack: all of their production systems had been encrypted, and the attackers demanded payment in exchange for the decryption key. The company had no security function at all.

Small and midsize businesses (SMBs) are the core of America’s business growth, yet they are the least likely to have the level of security expertise needed today – particularly cybersecurity expertise. Their focus is entirely on their core business. The principles of security are the same, though. Cyber is just a specific type of security expertise.

Is a given company at risk of a ransomware attack? Is there someone somewhere in the world who might like to hurt the business by hitting it with a denial-of-service attack? Do it or its employees use the Internet and receive email? Does everyone have a smartphone? Do they work from home? Does it work with companies that are likely to be attack targets? If it is supplying products to major corporations, might those corporations be concerned about the products being the source of an intrusion? For most companies, all of the above is probably true. It is part of being a company in the Information Age.

So how real is the threat to a company’s products? It is very, very real.

  • In 2015, 100,000 new pieces of malware were created every day. That is roughly one per second. Can a company’s anti-virus product keep up with that?
  • There are 80 to 90 million or more cybersecurity events per year, with close to 400 new threats every minute. Up to 70 percent of attacks go undetected.
  • Someone who does not like an organization can rent a denial-of-service attack online for $10-$20 that is capable of taking all but the most sophisticated networks down.
  • 60 percent of attacks are directed at SMBs.
  • Symantec reports that, “Cyberattackers are leapfrogging defenses in ways companies lack the insight to anticipate.”
  • As Dan Geer pointed out, “The CISO has to find and fix every vulnerability. The adversary only has to find one he/she can exploit.”
  • Many hackers create attacks, then turn them into kits that they can sell, allowing them to make millions with virtually no risk. So there are lots of unsophisticated attackers using highly sophisticated attacks.
  • Other hackers take the original attack kit and modify it, making new versions that are immune to the protections that were created to stop the original.
  • Attacks spread rapidly. The Verizon 2015 Data Breach Investigations Report found that attacks can reach dozens, even hundreds, of other companies within 24 hours.
  • And finally:

“The cyber insurance market will dramatically disrupt businesses in the next 12 months. Insurance companies will refuse to pay out for the increasing breaches that are caused by ineffective security practices, while premiums and payouts will become more aligned with the actual cost of a breach. The requirements for cyber insurance will become as significant as regulatory requirements, impacting on businesses’ existing security programs.”
– Carl Leonard,
Principal Security Analyst, Forcepoint Security Labs

Cloud computing, and security-as-a-service in particular, has had a big impact on the security industry, but manufacturers and service providers face the challenge of ensuring that their equipment and services are secure. Cybersecurity for video is a significant concern in its own right. Digital video has to be demonstrably free from tampering to meet most customers' needs, and by far the most efficient storage for digital media is in the cloud, so how does one ensure the integrity of video data held there? Encrypting it in storage protects its confidentiality, but encryption alone does not prove that nothing has been altered; that requires cryptographic hashes or signatures over the recordings, checked whenever the data is retrieved. How is the video protected from tampering in transit, or while an application is using it? There are products today that allow applications to operate on encrypted data, so the cleartext is never exposed. Who controls the encryption keys is another issue. The Snowden disclosures have made the trusted-third-party model hard to defend, and the same class of product that lets applications use encrypted data also lets the creator of the application keep control of the keys.
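
As an added illustration, not code from the SIA article or from any vendor product it mentions, here is one way to make stored video tamper-evident independently of encryption: hash each segment into a chain (so dropped, reordered or injected segments are detected, not just modified ones) and sign the resulting manifest with an HMAC key held by the application owner rather than by the storage provider. The segment contents, the key and the camera identifier are constructed for the example.

```python
"""Tamper-evident manifest for video segments held by a third party.

Added example, not from the SIA article. Encryption at rest hides content;
it does not by itself prove integrity. Here a manifest of chained per-segment
hashes is signed with a key the application owner controls, so a modified,
dropped, reordered or injected segment is detected on verification.
"""
import hashlib
import hmac
import json

# Constructed sample data: four "segments" standing in for chunks of a
# recording, and a key that would in practice live with the application
# owner (e.g. in an HSM or KMS), never with the storage provider.
SEGMENTS = [
    f"segment-{i}:".encode() + bytes((i * 37 + j) % 256 for j in range(64))
    for i in range(4)
]
KEY = b"example-key-held-by-the-application-owner"
GENESIS = "0" * 64  # chain starts from a fixed all-zero "previous hash"


def build_manifest(segments, key, camera_id="cam-01"):
    """Return (manifest_json, tag).

    Each entry hashes the segment together with the previous entry's hash,
    forming a hash chain, so the manifest binds order and count as well as
    content. The whole manifest is then authenticated with HMAC-SHA256.
    """
    prev = GENESIS
    entries = []
    for i, seg in enumerate(segments):
        h = hashlib.sha256(prev.encode() + seg).hexdigest()
        entries.append({"index": i, "length": len(seg), "sha256": h})
        prev = h
    manifest = json.dumps({"camera": camera_id, "segments": entries}, sort_keys=True)
    tag = hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()
    return manifest, tag


def verify(segments, manifest, tag, key):
    """Return [] if the segments match the signed manifest, else a list of problems.

    The manifest's own authenticity is checked first; without that, an
    attacker who can rewrite the data can rewrite the hashes to match.
    """
    expected = hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ["manifest signature invalid (wrong key or manifest altered)"]

    problems = []
    entries = json.loads(manifest)["segments"]
    if len(entries) != len(segments):
        problems.append(f"segment count {len(segments)} != manifest {len(entries)}")

    prev = GENESIS
    for entry, seg in zip(entries, segments):
        h = hashlib.sha256(prev.encode() + seg).hexdigest()
        if not hmac.compare_digest(h, entry["sha256"]):
            problems.append(f"segment {entry['index']} does not match manifest")
        # Continue the chain from the manifest's value so that one bad
        # segment is reported once rather than cascading into every later one.
        prev = entry["sha256"]
    return problems


if __name__ == "__main__":
    manifest, tag = build_manifest(SEGMENTS, KEY)
    print("clean copy:", verify(SEGMENTS, manifest, tag, KEY))

    tampered = list(SEGMENTS)
    tampered[2] = tampered[2][:10] + b"\x00" + tampered[2][11:]  # flip one byte
    print("one byte changed:", verify(tampered, manifest, tag, KEY))

    reordered = [SEGMENTS[0], SEGMENTS[2], SEGMENTS[1], SEGMENTS[3]]
    print("segments swapped:", verify(reordered, manifest, tag, KEY))

    print("last segment dropped:", verify(SEGMENTS[:-1], manifest, tag, KEY))
    print("wrong key:", verify(SEGMENTS, manifest, tag, b"not-the-key"))
```

The manifest and tag travel with the recording (or are kept by the owner), and verification is run on retrieval, after transport and before the footage is used as evidence. Because the key never leaves the application owner, a storage or transit provider that can read and rewrite the ciphertext still cannot produce a manifest that verifies.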

Almost all online security applications are accessed through a browser, and browser security is a major concern, particularly when a customer's browser has been to insecure places. There are companies today, though, that provide hardened browsers that are as simple and easy to use as what customers are used to, while protecting customers from being victimized and protecting security equipment and service providers from being blamed for a problem.

For security vendors in the traditional physical security space, it is clear that there is a significant risk that their products and services will be attacked, and that the consequences could be very detrimental, both to customers and to the company’s bottom line. So what can be done?

One must assess the company’s security posture:

  • What information and data is received, transmitted or stored as “cyber data” (on computers, networks, databases, etc.)
  • How is that data protected from cyber attack? Are anti-virus products, data integrity tools, etc. used? Are development and production systems protected by properly configured firewalls, intrusion detection and prevention products, etc.? Are operating systems, network devices and applications patched in a timely fashion to ensure protection against emerging attacks?
  • Is an effective incident response team in place that can quickly detect, contain, stop and remediate an attack without significantly damaging business operations?
  • Does the company’s crisis management plan include processes for communicating with customers if and when an attack occurs? The plan should specify who decides what gets communicated, by whom and when. Most cybersecurity professionals today will say that the question is not if a company will be breached, but when. The Verizon report noted that the vast majority of companies find out they have been breached when someone else tells them, usually a customer or partner. Companies should therefore have processes in place for the call from a customer who thinks a breach has occurred – or worse, who has been breached and thinks it came through the company.

  • Does the company retain any “sensitive” data – personally identifiable information (PII) or protected health information (PHI)? If so, it has regulatory obligations (state breach-notification laws for PII, for example), in addition to any HIPAA obligations that arise from holding healthcare information about its employees.
  • A company should have a cybersecurity review done of its products as they would actually be deployed; many cybersecurity consulting firms offer this. Based on that review, it should implement the measures necessary to protect the firm and its customers, and once that is done, commission a penetration test to find anything that was missed. The same vendor that did the review may be used, but a fresh pair of eyes is often better.

Donn Parker, the dean of information security professionals, argued years ago that you cannot know who might attack you or what their method or motivation might be, so the best that can be done is to exercise “due care” (what a reasonable and prudent person or corporation would do) and be prepared to respond when necessary. Today a company may know a great deal about who might attack it, and how and why, but it still needs to exercise due care and be ready to respond quickly and effectively.

Dave Cullinane (davidmcullinane@gmail.com) is a co-founder of TruSTAR (www.trustar.co), a member of the Cloud Security Alliance Board of Directors (www.cloudsecurityalliance.org), and a member of the SIA Cybersecurity Advisory Board.