The new paradigm for utility information security: assume your security system has already been breached
By Ernie Hayden
In 1989, Stephen Covey published the very popular book The Seven Habits of Highly Effective People. With the publication of that book, I am certain, Dr. Covey introduced the term “paradigm” into the popular business lexicon, and it has been used persistently ever since.
As a reminder, a paradigm is a worldview underlying the theories and methodology of a particular subject. What does that have to do with the information security practices of enterprises and energy companies? Below you will see that the paradigm for system security is being flipped on its head.
The Old Paradigm: The Fortress
For many years the standard practice, or paradigm if you will, for enterprise and energy company security has been the “fortress” approach. This applied to physical security and cyber security alike. The fortress concept centered on a strict perimeter, usually defined by gates, guards, and firewalls.
In this approach the assumption was that all attackers were outside the perimeter, and that a strong perimeter would keep them from getting inside the walls at all. Should they get in anyway, they still could not reach the crown jewels (that is, the data), because the data was housed within further layers of security barriers: more walls, more guards, more firewalls, and perhaps a moat.
The insider threat, meaning an attacker already inside the perimeter, was viewed as very unlikely and not a “real” threat.
Under this approach, as attacks grew stronger and bolder, the captains of the fortress simply added more walls, more guards and more firewalls, along with some extra intrusion detection systems (perhaps vats of boiling oil?) and security management tools.
Frankly this was how I was trained as a security professional. But there are new ideas surfacing that turn this model upside down.
The New Paradigm: Assume Security System Breach
If you have been following the news these past few months, there have been some large cyber security hacks resulting in huge breaches of data and personal information. For example, the Sony hack shut down their gaming network for a considerable time, resulting in lost revenue and investigation and mitigation costs.
While I was writing this article, Sega announced that their gaming network had been hacked, forcing them to shut down the system for a time and reset all users' passwords. And the recent Lockheed Martin notice of a breach certainly raised many eyebrows.
Don't forget the many other hacks in the recent past, including Heartland Payment Systems, a credit card processor, where well over a hundred million credit card numbers were exposed.
All of these companies employed the fortress paradigm. They had walls, fences, gates, guards, firewalls, intrusion detection systems, two-factor authentication, and so on, and their systems were still breached, presumably by outside miscreants or nation-states.
This changes the security defense posture considerably! The security paradigm needs to be adjusted.
As I attend security conferences and read new thought leadership on enterprise security, I notice a new theme surfacing: you should assume your security systems are breached. You should assume that you can be, and will be, breached.
Who is saying this?
For instance, I heard Mr. Kris Herrin, Chief Technology Officer of Heartland Payment Systems, speak at The Source Security Conference in Seattle in June. Kris said that Heartland's new approach is to take all possible and practical steps to protect the data while assuming that the security systems and the data can be, and have been, breached.
In December 2010, Debora Plunkett, head of the U.S. National Security Agency's (NSA) Information Assurance Directorate, said that computer systems must be built on the assumption that adversaries will get in. She even stated that the most sophisticated attackers are going to go unnoticed on the NSA's networks. [1]
Under this new paradigm, the focus is on assuming that no component of the system is safe, and on adjusting practices, policies, procedures and mitigation schemes accordingly.
This same theme of assumption of breach is echoed in a PricewaterhouseCoopers white paper called “Are You Compromised But Don't Know It? A New Philosophy for Cybersecurity.” There they reinforce the new paradigm: assume you have been or will be breached, and protect your systems and data accordingly. They argue that this approach is more realistic and allows you to be more flexible in protecting your high-value assets.
Lastly, my friend and mentor Mr. Kirk Bailey, Chief Information Security Officer of the University of Washington in Seattle, has always been an advocate of assumption of breach. He has held this philosophy for as long as I have known him, and he steadfastly keeps in mind that University systems and data stores could be hacked at any time by sophisticated attackers.
Even the Verizon Data Breach Investigations Report for 2011 shows an increase in data breaches caused by external agents; in other words, outside entities that had to breach the security systems somehow to reach the information. Statistically, the report goes on to show that the breaches involved:
- some form of hacking in 50% of cases,
- some sort of malware in 49%, and
- social engineering tactics in 11%.
(The categories overlap, since a single breach often combines several methods, which is why the figures sum to more than 100%.)
What Do You Do?
With this new paradigm the fortress still remains, but you need to realize that standard “signature-based” defensive measures do not necessarily identify and stop the more sophisticated attacks. You also have to realize that even the smallest hole in your perimeter could be compromised. Don't forget: one hole is all the attacker needs.
For example, there is a barrage of targeted attacks being made on various energy companies. These attacks are not like a cloud of arrows raining on your facility; they are a “rifle shot” aimed at a specific executive in your organization.
This shot is usually a targeted (spear) phishing attack: a single email sent to the executive that looks innocent enough but carries a single URL or attachment which, when opened, exploits a vulnerability in a program such as Adobe Reader or Microsoft PowerPoint.
This lets the attacker install “back doors” in the corporate computer systems for later malware installation, network reconnaissance, and data retrieval. Hence the assumed security of the systems you rely upon is not necessarily effective enough.
A signature-based system would not stop this attack, because a document crafted for a single recipient matches no known signature, but educating the executive might.
Please recognize that this challenge to the assumption of a secure perimeter is not just a matter of employees opening phishing emails. The factors often include highly complex software, new attack methodologies, and an ever-crumbling perimeter caused in part by the constant discovery of new vulnerabilities by security researchers and organized criminals.
So, what to do? Mr. Kirk Bailey has offered some guidance on how he is approaching this problem in the field.
Kirk offers 10 key practices he is implementing under the philosophy of assumed breach. They are listed below, but please realize that they are not easily implemented, they draw pushback from traditional security professionals, and each one deserves a fuller description than this article can accommodate. That said, they include the following:
- Implement a Risk Management Framework for reporting. Have a structure that is repeatable and readily demonstrates trends.
- Conduct asset profiling and inventory. Know where your “crown jewels” of data are and separate out the data that can be lost with minimal impact.
- Prioritize assets and related risk-mitigation efforts. Focus on protecting the “crown jewels.” Continue to use and implement traditional layers of defense, while recognizing that they will not be 100% effective.
- Clearly define roles and communication plans. Know who your trusted contacts are for incident response.
- Implement aggressive risk transfer programs through detailed contracts and insurance underwriting.
- Establish and sustain active and strategic alliances to allow for effective and trusted cross-communication about threats, mitigation schemes and lessons learned.
- Implement a business intelligence (aka “warfare intelligence”) program that includes effective situational awareness features.
- Establish “advanced” incident response and management capabilities. Think outside of the normal cyber incident response practices to include incorporation of trusted contacts, stealthy communications, and attacker evidence.
- Develop an active response capability.
- Practice strategic isolation for your key executives, scientists and knowledge workers. Limit presence on social networks that can be used by attackers for targeted hacks.
Kirk has reiterated that the above is not a checklist and that each item cannot be adequately described in one or two sentences; however, he sees that the new paradigm, including assumption of breach, will require new thinking and security programs built upon a “flexible fabric.”
In any risk discussion the notion that some percentage of risk can never be eliminated is always present. You have to assume that this residual risk will always be there, and often it is due to things well beyond your control.
Examples include human misbehavior, fundamental flaws in networking protocols and in software, hidden back doors, and design flaws in third-party hardware and software that you have bought and installed. So even with a “zero risk” mentality, you still need to realize that no security system is 100% effective.
This is a real shift in security thinking, and many of my peers are still in disbelief. However, this new approach may allow you to be more effective at implementing layered security, protecting high-value data, and being flexible enough to think like a cyber criminal and stop the attacks, or at least mitigate their damage early in the theft. Basically, be ever vigilant.
Constantly monitor and inspect your security systems; inspect your “crown jewels” and look for suspicious activity or minute changes that cannot be explained; and look at your logs and egress filters for stealthy communications to and from these systems.
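As an added illustration of that last point (example code written for this article's argument, not code from the author or from any organization named above), the script below scans constructed egress-proxy log lines for one kind of stealthy communication: a high-value host contacting the same outside destination on a suspiciously regular schedule, the way an installed back door "phones home." The host names, the vendor-looking destination, the allowlist of known-good periodic peers and the thresholds are all assumptions made for the example; the log lines are constructed, not captured from a real network.

```python
"""Flag periodic "beaconing" from high-value hosts in egress logs.

Added example for this article, not code from the author or any organization
it names. Host names, destinations, the allowlist and the thresholds are
hypothetical; the log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress-proxy records: timestamp, source host, destination, bytes sent.
# The historian server "hist-db01" and the engineer workstation "eng-ws17" are
# assumed to be crown-jewel systems for this example.
SAMPLE_LOG = """\
2011-06-20T09:00:02 hist-db01 10.1.1.20:443 512
2011-06-20T09:00:05 hist-db01 updates.example-vendor.net:443 1480
2011-06-20T09:01:13 eng-ws17 www.example-regulator.org:80 3021
2011-06-20T09:02:00 hist-db01 ntp.internal:123 76
2011-06-20T09:05:05 hist-db01 updates.example-vendor.net:443 1490
2011-06-20T09:10:06 hist-db01 updates.example-vendor.net:443 1470
2011-06-20T09:15:04 hist-db01 updates.example-vendor.net:443 1500
2011-06-20T09:17:41 eng-ws17 www.example-regulator.org:80 1200
2011-06-20T09:20:05 hist-db01 updates.example-vendor.net:443 1485
2011-06-20T09:25:05 hist-db01 updates.example-vendor.net:443 1495
2011-06-20T09:32:00 hist-db01 ntp.internal:123 76
2011-06-20T09:40:09 eng-ws17 www.example-regulator.org:80 5400
2011-06-20T10:02:00 hist-db01 ntp.internal:123 76
2011-06-20T10:32:00 hist-db01 ntp.internal:123 76
2011-06-20T11:02:00 hist-db01 ntp.internal:123 76
"""

CROWN_JEWELS = {"hist-db01", "eng-ws17"}      # assumed high-value hosts
ALLOWLIST = {"ntp.internal", "10.1.1.20"}     # assumed known-good periodic peers


def parse_log(text):
    """Group records into flows keyed by (source host, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def interval_stats(events):
    """Mean gap between contacts (seconds) and its coefficient of variation.

    A CV near 0 means the contacts are evenly spaced, the hallmark of a
    scheduled callback rather than a person browsing.
    """
    times = sorted(t for t, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0, float("inf")
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def find_beacons(text, crown_jewels, allowlist, min_hits=5, max_cv=0.1):
    """Return suspected beacons from crown-jewel hosts to non-allowlisted peers.

    min_hits and max_cv are tunable assumptions; real implants add timing
    jitter, so widen max_cv (and look at byte counts) before trusting a clean
    result.
    """
    findings = []
    for (src, dst), events in parse_log(text).items():
        peer = dst.rsplit(":", 1)[0]
        if src not in crown_jewels or peer in allowlist or len(events) < min_hits:
            continue
        period, cv = interval_stats(events)
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(events),
                "period_s": period,
                "cv": round(cv, 4),
                "bytes_out": sum(n for _, n in events),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG, CROWN_JEWELS, ALLOWLIST):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} contacts every "
              f"~{f['period_s']:.0f}s (cv={f['cv']}), {f['bytes_out']} bytes out")
```

On the constructed data the historian's five-minute contacts with the vendor-looking host are reported, the engineer's irregular browsing is not, and the equally regular NTP traffic is suppressed only because it is on the allowlist; drop the allowlist and it is flagged too, which is the point: the analyst must know what the crown jewels are supposed to talk to before regularity alone means anything. A sudden, explainable-by-nothing change in that list is exactly the “minute change” worth chasing.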
[1] Reuters Canada, December 16, 2010.