A CEO’s Guide to Cybersecurity

Identifying and addressing vulnerabilities must be a priority

Cybersecurity responds to leadership priorities just as finances and human resources do. Computers and networks come with flaws and vulnerabilities, as with all other aspects of a business, and these vulnerabilities enable hackers to achieve their goals. The CEO mitigates risk, regardless of domain, by exhibiting leadership and delegating day-to-day responsibility for given areas to specific individuals who are held accountable for strategies and results based on the expectations of the CEO and board of directors. Within cybersecurity, the chief information security officer (CISO) is responsible for ensuring that the CEO’s priorities are implemented and advises the CEO on the strengths and vulnerabilities of current policies. A good CISO is a key player in maintaining internal network security and advising designers and engineers on the security of products and systems, as well.

Security Begins at the Top

Security has typically been an afterthought in the cyber technology market and, although the curve is bending slightly in mass market systems, it will continue to lag behind customer needs. While mass market operating systems are doing better with features such as automatic updates, industrial control systems (ICS) and the Internet of Things (IoT) will likely continue to lag, both because of the large installed base and a general reluctance to making security a key driver compared to essential functionality.

As a consequence of this continued vulnerability to hackers, it is imperative that operators of ICS and IoT systems design and operate them with critical defenses built in from the start. The essential best practices outlined below are aligned with best security practices in conventional computer networks, such as those recommended by the SANS Institute and the National Institute of Standards and Technology (NIST). They are based on the premise that the best way to defeat a hacker is to close the vulnerabilities that hackers exploit to gain entry.

The best way to defeat a hacker is to close the vulnerabilities that hackers exploit to gain entry.

Assign Responsibility

The first critical step an organization should take is to appoint a senior security officer who primarily acts as the advocate for an assessor of the critical data and process security within the organization. Critical data and processes can include financial, personnel, industrial process, video, lock systems, and whatever is critical to the continued existence of the organization. In most businesses, the senior security officer is the CISO, and this person’s responsibility should include processes and other significant technologies that use information technology. The CISO also needs to ensure that the organization has the ability to detect when it has been hacked, something that, today, is discovered by a third party in almost all cases.

Identify Critical Data and Processes

The first project for a new CISO is to determine what data streams and processes, both internal and external, are critical to the business. Companies that make or integrate security cameras might want to ensure the integrity of their products, of their financial and personnel records, and of any external dependencies such as servers and operating systems sourced from other vendors. Technology is truly a polyculture that is mutually interdependent, and a failure in one system can have widespread deleterious effects. No computer is an island.

Initiate a Culture of Security

Having figured out the products, processes, and data that are critical, the CISO needs to start building a security culture within the organization. This culture will encompass all aspects of equipment design and building, network architectures, customer interaction and staff awareness. The CISO should also designate “thought leaders” for the corporate centers of gravity where security awareness is particularly critical. C-level executives are important to annunciating and demonstrating that security is a critical value for the corporation.

Inventory the Network

There are a number of critical areas that the CISO can assess to judge the maturity of an organization’s security posture. These are all basic, but adherence to these security protocols can help prevent almost all of the intrusions directed at networks and systems. The first one is whether the organization is able to identify all systems within its own network and to define a perimeter between inside and outside. Modern networks have become very fluid, much like modern battlefields, and they frequently include personally-owned devices such as mobile phones and computers. This may not be avoidable, but CISOs and CIOs can ensure that especially important data and processes stay within specific network enclaves and can build the network for security as well as reliability. As the network is redesigned and rebuilt, they must not forget to produce and maintain adequate documentation for the network, both as-designed and as-built. This makes it possible for future engineers to understand and improve the design quickly and securely.

Update the Network

The second major criterion is whether all devices on the network have the latest software version and patches. All hardware and software need to be a version that remains supported by the manufacturer, and the CIO should have a process for ensuring that operating systems and software are patched in a timely fashion. A very high percentage of the patches made available by manufacturers fix newly discovered vulnerabilities in systems and are exploited by hackers within a week or two after being made public. Although some vulnerabilities continue to be exploited for years after patches are issued, many are time-sensitive. Failure to install patches is a critical component of breaches by hackers.

Zero-Days

Zero-day attacks are intrusions that take advantage of vulnerabilities that have been known to the manufacturer for zero days. Once a manufacturer is notified of a new vulnerability, it generally tries to keep the vulnerability secret until a patch can be released, but once the patch is made available, it does not take long for hackers to reverse engineer the fix to discover the original vulnerability and write an exploit. The shorter the interval between the disclosure of the vulnerability and the installation of the patch, the better. Unfortunately, new patches may create instabilities in dependent systems and CIOs are reluctant to introduce changes in systems that are working. This is a hard-to-win position for the CIO, and one of the jobs of the CISO is to provide cover for the CIO to increase the speed of the patch cycle in order to shorten the exposure window, even if this might cause downtime.

Improve Access Control

The final key metric that needs to be assessed is how closely employees’ access control boundaries meet their actual needs. Many highly efficient organizations assume that fewer administrators with more access equals greater efficiency, but they do not consider the increased risk that comes with a small number of people having very broad access. Staff members ideally should have no more access than they need to do their jobs, and they generally should not have any administrative access. Similarly, administrators should not be able to answer their email with administrative privileges. While this may increase salary costs, it reduces a disgruntled employee’s ability to do harm to a network. It also prevents a hacker from gaining broad access to a network by getting access to one employee’s or administrator’s login credentials. This is another area where the CISO provides cover for the CIO to ask for more staff to enable better separation of duties and reduce long-term risk to the company’s data and processes.

Password Hygiene

Having tightened the access of administrators and users alike, the CISO needs to ensure that the organization requires and enforces good password hygiene. Every year, there are reviews of the most common passwords found after hacks, and, invariably, passwords like “12345678” or “qwerty” come out on top. Each complex password may only be used for one system and must be at least 12 characters long, using each of the four character types on the keyboard – lowercase letters, uppercase letters, numbers and special characters – in a manner that does not suggest a word or phrase. Similarly, the CISO must ensure that all stored passwords are hashed to prevent prediction algorithms from solving them. The CISO should also ensure that all default passwords on devices are changed as soon as they are deployed. For users or administrators who need to have multiple accounts and passwords, password managers are an excellent tool for organizing them.

Security Metrics

It is hard, if not impossible, to generate meaningful measures of security. However, it is possible to measure and compare some critical metrics regularly. These include the number of new devices found on the network on a weekly basis, the percentage of devices that are fully patched, changes in privileged user accounts compared to changes in personnel, and other fundamentals. Many appliances generate metrics that are perfectly true but are of no use in assessing the actual security posture, so it is critical to focus on basic metrics that measure the effectiveness of security measures rather than the scans of hackers. Regular collection of security metrics makes it possible to spot trends and identify significant patterns. It also provides data about how good an organization is at doing basic security processes, which will not be better than its ability to do sophisticated security processes. Companies that provide security risk benchmarking-as-a-service will measure which vulnerabilities they can detect from outside the network.

Hackers know that the patch cycle in their targets is long enough that it only requires a limited amount of ingenuity and persistence to get in. As long as system owners persist in making security a secondary consideration this will not change.

Vulnerability Discovery

The above principles hold true for conventional computer networks, physical security networks, and all other connected devices. They are critical for both manufacturers and their products. In addition to sponsoring security advocates within the design and manufacturing chain, companies need to create simple and secure models for patching their products to enhance capabilities and security. While some of the security vulnerabilities will be discovered internally, such as the implementation of backdoors for testing or convenience, companies should create a responsible disclosure reward system in which hackers are paid for disclosing vulnerabilities in a way that gives the company time to issue patches before the vulnerability is widely known.

Security in Design Choices

At the same time, integrators of equipment from multiple vendors need to increase awareness of supplier security postures and work to define maturity models.

Very little physical security equipment does not have a cyber aspect, which promises better security management but is also associated with an increased number of potential vulnerabilities, both to subversion and to denial of service.

Various technologies offer different advantages and vulnerabilities in communications links and failure modes. It is critical to consider the entirety of the infrastructure, as vulnerabilities frequently arise in the seams between different systems. A holistic approach that fuses all aspects of the network, including physical and logical aspects, and also prevents counterfeiting of hardware and preserves the integrity of software, is critical.

Wireless Communications

Wireless connections offer freedom from running a lot of cables, saving time and money. At the same time, though, they are difficult to implement securely and are vulnerable to jamming, which may cause equipment or connectivity failure. Equipment failure may cause awareness gaps, and this requires designers to plan whether equipment should fail “open” or “closed.” A door that does not open when human safety requires it can cause deaths. Systems closing when they should be open also is not good. In either case, failure modes need to be part of the design criteria.

Cryptography

Some engineers may say that they can design and build a cryptographically-secured communications protocol. They are wrong. Many people have tried to do it with, for example, satellite TV, encrypted movies and music, and “smart” electric meters. They all used home-brewed cryptography and they all failed to withstand even modest efforts to penetrate them. Good cryptography relies on well understood, thoroughly tested protocols, such as those approved and sponsored by NIST and used on the Internet. After the installation of good crypto algorithms, attention must be paid to key length and management. History shows that cryptography typically fails because of user mistakes, not algorithm vulnerabilities, so companies must ensure that the end-to-end application is secure by having it reviewed by a capable third party.

Multi-Purpose Computers are Less Secure

Computers are good general purpose machines that can do many things simultaneously – but they rarely can do many things securely. The more things running on one machine, the higher the likelihood of interference or vulnerabilities between software packages. It is common to see ICS interfaces running on machines that also allow corporate and external email. This makes the ICS software vulnerable to email spear phishing designed to get users to click on embedded malware or links. Spear phishing is one of the most common attack vectors, and attackers are consistently ahead of antivirus defenses and defensive perimeter machines. It is much more secure to run ICS systems separately from the corporate LAN. Similarly, since hackers know that senior personnel has extensive access, they often try to spear phish them directly – which is known as whaling – forcing CEOs and others to be extra aware of the potential threats that can come from clicking on links within unusual emails.

Silver Bullets

Many companies would like to sell customers a silver bullet that protects them from all digital threats. This is an alluring proposal, but it is not one that bears out in reality.

Security is a process that begins at the design stage and continues until the last hard drive is wiped and crushed. It is a part of every decision about a network and covers everything that goes into or touches the network, such as the supply chain and insider threats. The phrase “defense in depth” is still the mantra to heed.

For more details, search for “CIS critical security controls” on the Internet.

Supply Chain

The supply chain includes technology with known and unknown flaws. Companies should never assume that any part of the supply chain delivers flawless products. Rather, they must assume that every part of the supply chain requires continuous mitigation of whatever flaws are known, and must use an architecture that is based on the assumption that vulnerabilities are present.

A company that makes a product that can receive updates should consider using cryptography to secure the updates, all the way from the software development center to the customer’s device, after exhaustive testing. Not only does this make it harder for hackers to subvert the functionality of the product, it can also protect the intellectual property that is contained in the device and the update, and ultimately protect the company’s reputation.

Again, the capability and process for secure firmware and updates usually need to be designed in from the beginning.

Insider Threats

There will always be some insider threats, whether deliberate or accidental, malicious or careless. Companies must, then, design, build and manage their networks with that assumption in mind, building in safeguards that protect the confidentiality, integrity, and availability of critical data and processes. They will not be able to detect insider threats in advance – after all, anybody who has one password for multiple systems or uses weak passwords is a risk – and many insider threats will never be detected. Insider threats that are detected are generally found by third parties, such as auditors. This reflects poor efforts at detecting insider threats in the act more than it does the quality of audits, as insiders generally are not caught quickly. The most likely avenue for detecting insider threats is to monitor how data moves within the network and to compare that to how it should move.

Hackers

There are hackers out there who cannot be stopped, but that is not the same as saying that no hackers can be stopped. The vast majority of hackers exploit vulnerabilities for which there are patches and mitigations. They know that the patch cycle in their targets is long enough that it only requires a limited amount of ingenuity and persistence to get in. As long as system owners persist in making security a secondary consideration, this will not change. As with cryptography, the technology is sound but the implementation is weak.

And that is where the C-Suite can make a difference.

No Defense is Perfect

Odds are that some attackers will get inside the network. The systems need to be able to detect abnormal behaviors by users or systems before the hackers get the critical data or processes. Good auditing of systems, looking for abnormalities in behaviors, volume, and content, is critical to understanding what is happening within the network. Following the discovery of abnormalities, the defense team needs to implement a predetermined plan to defeat the intrusion before it succeeds. No amount of planning will predict every possible attack, but a practiced set of responders who know each other well can be very effective against most hackers.

The Nutshell

The key to cybersecurity is managing vulnerabilities. Companies that focus on minimizing vulnerabilities and quickly detecting intrusions will be the most secure.

---

Hans Holmer (hholmer1@gmail.com) is the senior cyber strategist in the Technical Intelligence Center at Intelligent Decisions (www.intelligent.net). He is a member of the SIA Cybersecurity Advisory Board.