Ingredients for a Successful Cybersecurity Strategy
There's no doubt that enterprises today, more than ever, need effective cybersecurity strategies. However a sound strategy is not in and of itself a guarantee of success. There are several ingredients that are necessary for a cybersecurity program to be successful. This chapter will describe what a cybersecurity strategy looks like and each of the necessary ingredients for success in detail.
Throughout this chapter, we'll cover the following topics:
- Defining the term cybersecurity strategy
- Common ways organizations become compromised, and how mitigating them is fundamental to effective cybersecurity
- Understanding the difference between an attacker's motivation and their tactics
- Additional guidance on formulating a successful cybersecurity strategy
Let's begin with a fundamental question that we'll need to answer before discussing cybersecurity strategy in any detail: what do we actually mean when we say "cybersecurity strategy"?
What is a cybersecurity strategy?
Organizations that have a super-strong security culture essentially have cybersecurity baked into them. For everyone else, there's strategy. In my experience, the terms "strategy" and "tactics" are poorly understood in the business world. One person's strategy is another person's tactics. I once worked with a Corporate Vice President who would tell me that I was talking about tactics when I was explaining our strategy. Throughout my career, I've been in meetings where people have talked past each other because one person is discussing strategies and the other is discussing tactics.
Additionally, security and compliance professionals sometimes use the term "strategy" when they are referring to frameworks, models, or standards. There are lots of these in the industry and many organizations use them. For example, ISO standards, NIST standards, OWASP Top 10, CIS Benchmarks, STRIDE, risk management frameworks, SOC 2, PCI, HIPAA, the Cloud Security Alliance Cloud Controls Matrix, the AWS Cloud Adoption Framework Security Perspective, AWS Well-Architected Security Pillar, and many more. All of these can be helpful tools for organizations seeking to improve their security postures, comply with regulations, and demonstrate that they meet industry standards.
I'm not proposing a new dictionary definition of the term "strategy," but I do want to explain what I mean when I'm discussing cybersecurity strategies in this book. In my view, there are at least two critical inputs to a cybersecurity strategy:
- Each organization's high-value assets
- The specific requirements, threats, and risks that apply to each organization, informed by the industry they are in, the place(s) in the world where they do business, and the people associated with each organization
High Value Assets (HVAs) are also known as "crown jewels." There are many definitions for these terms. But when I use them, I mean the organization will fail or be severely disrupted if the asset's confidentiality, integrity, or availability is compromised. HVAs are rarely the computers that the organization's information workers use. Yet I've seen so many organizations focus on the security of desktop systems as if they were HVAs. Given the importance of HVAs, it would be easy to focus on them to the exclusion of lower-value assets. But keep in mind that attackers often use lower-value assets as an entry point to attack HVAs. For example, those old development and test environments that were never decommissioned properly typically aren't HVAs, but they are often found to be a source of compromise.
One of the first things a CISO needs to do when they get the job is to identify the organization's HVAs. This might be more challenging than it sounds as the crown jewels might not be obvious to people that don't possess expertise specifically related to the business they are supporting. Interviewing members of the C-suite and members of the board of directors can help to identify assets that would truly cause the business to fail or be severely disrupted.
Working backward from the organization's objectives can also help identify its HVAs. As CISOs do this analysis, they should be prepared for some nuances that weren't initially obvious. For example, could the business still meet its objectives without power, water, heating, air conditioning, and life-safety systems? Depending on the business and the type of building(s) it uses, if elevators aren't available, is there any point letting employees and customers through the front door? Customers might be willing to walk up a few flights of stairs, but would they be willing to walk up 40 flights of stairs if that was necessary? Probably not.
If this disruption was sustained for days, weeks, or months, how long could the business survive? Where are the control systems for these functions? And when was the last time the security posture of these systems was assessed? Identifying an organization's HVAs doesn't mean that CISOs can ignore everything else. Understanding which assets are truly HVAs and which aren't helps CISOs prioritize their limited resources and focus on avoiding extinction events for the organization.
Once the CISO has identified their organization's crown jewels, the next step is to ensure that the C-suite and board of directors understand and agree with that list. This clarity will be very helpful when the time comes to request more resources or different resources than the organization has leveraged in the past. When the organization needs to make hard decisions about reductions in resources, clarity around HVAs will help make risk-based decisions. The time and effort spent getting the senior stakeholder community on the same page will make the CISO's life easier moving forward.
The second critical input to a cybersecurity strategy is the specific requirements, threats, and risks that apply to the organization, informed by the industry they are in, the place(s) in the world where they do business, and the people associated with it. This input helps further scope the requirements of the cybersecurity program. For example, the industry and/or location where they do business might have regulatory compliance requirements that they need to observe, or they could face stiff fines or get their business license revoked. Keep in mind that most organizations can't identify all possible threats and risks to them. That would require omniscience and is a natural limitation of a risk-based approach.
After publishing thousands of pages of threat intelligence when I worked at Microsoft (Microsoft Corporation, 2007-2016), I can tell you that there are global threats that have the potential to impact everyone, but there are also industry-specific threats and regional threats. Using credible threat intelligence to inform the strategy will help CISOs prioritize capabilities and controls, which is especially helpful if they don't have unlimited resources. Trying to protect everything as if it's of the same value to the organization is a recipe for failure. CISOs have to make trade-offs, and it's better if they do this knowing the specific threats that really apply to the industry and region of the world where they do business. This doesn't mean CISOs can ignore all other threats, but identifying the highest-risk threats to their organization's crown jewels will help them focus resources in the most important places.
I have dedicated three chapters in this book to help you understand the threat landscape and how it has evolved over the last 20 years. Chapter 2, Using Vulnerability Trends to Reduce Risk and Costs, dives deep into vulnerability management and will show you how vulnerability disclosures have trended over the past two decades. Chapter 3, The Evolution of the Threat Landscape – Malware, focuses on how malware has evolved over the last 20 years. Chapter 4, Internet-Based Threats, examines internet-based threats that every organization should seek to mitigate.
Without the two inputs I've described here, CISOs are left implementing "best practices" and industry standards that are based on someone else's threat model. Again, these can be helpful in moving organizations in the right direction, but they typically aren't based on the HVAs of individual organizations and the specific threats they care about. Using best practices and industry standards that aren't informed by these two inputs will make it more likely that there will be critical gaps.
At this point, you might be wondering what a cybersecurity strategy looks like. The following diagram represents a cybersecurity strategy. HVAs are central and are supported by the other parts of the strategy. The cybersecurity fundamentals include the foundational capabilities that support a successful security program, such as vulnerability management and identity management, among others.
Advanced cybersecurity capabilities are investments that organizations should make as they become very proficient at the fundamentals. If your organization isn't really good at the fundamentals, then don't bother investing in advanced cybersecurity capabilities, as attackers won't need to do anything "advanced" to successfully compromise the environment and subvert those advanced capabilities.
Figure 1.1: An illustrative example of a cybersecurity strategy
Now that we have a good idea of what cybersecurity strategy entails, let's examine what I consider to be a critical ingredient of cybersecurity strategies: the common ways that organizations are compromised.
How organizations get initially compromised and the cybersecurity fundamentals
The foundation of the strategy is what I call the "cybersecurity fundamentals." A solid foundation is required for a successful strategy. The cybersecurity fundamentals are based on the threat intelligence I mentioned earlier. After performing hundreds of incident response investigations and studying Microsoft's threat intelligence for over a decade, I can tell you with confidence that there are only five ways that organizations get initially compromised. After the initial compromise, there are many, many tactics, techniques, and procedures (TTPs) that attackers can use to move laterally, steal credentials, compromise infrastructure, remain persistent, steal information, and destroy data and infrastructure. Some of these have been around for decades and some are new and novel. But the initial compromise happens in one of these five ways:
- Unpatched vulnerabilities
- Security misconfigurations
- Weak, leaked, and stolen credentials
- Social engineering
- Insider threats
The cybersecurity fundamentals are the part of the strategy that focuses on mitigating the cybersecurity usual suspects. Let's look at each one of these in more detail, starting with the exploitation of unpatched vulnerabilities.
A vulnerability is a flaw in software or hardware design and/or the underlying programming code that allows an attacker to make the affected system do something that wasn't intended. The most severe vulnerabilities allow attackers to take complete control of the affected system, running arbitrary code of their choice. Less severe vulnerabilities lead to systems disclosing data in ways that weren't intended or denying service to legitimate users. In Chapter 2, Using Vulnerability Trends to Reduce Risk and Costs, I provide a deep dive into vulnerability management and some of the key vulnerability disclosure trends over the past 20 years. I'll save that in-depth discussion for the next chapter, but I will provide some more context here.
Attackers have been using vulnerabilities to compromise systems at scale since at least the days of Code Red and Nimda in 2001. In 2003, SQL Slammer and MSBlaster successfully disrupted the internet and compromised hundreds of thousands of systems worldwide by exploiting unpatched vulnerabilities in Microsoft Windows operating systems. In the years following these attacks, a cottage industry developed around the ongoing effort to help enterprise organizations, those with the most complex environments, inventory their IT systems, identify vulnerabilities in them, deploy mitigations for vulnerabilities, and patch them. At the end of 2019, there were over 122,000 vulnerabilities disclosed in software and hardware products from across the industry, on record, in the National Vulnerability Database (National Vulnerability Database, n.d.). As you'll read in Chapter 2, Using Vulnerability Trends to Reduce Risk and Costs, the number of vulnerabilities disclosed across the industry surged between 2016 and 2020, reaching levels never seen before.
An economy has evolved around the supply and demand for vulnerabilities and exploits, with a varied list of participants including vendors, attackers, defenders, various commercial entities, governments, and others. The number of participants in this economy and their relative sophistication raise the associated risks and make it harder for organizations to protect themselves from the exploitation of vulnerabilities in their IT environment. Exploiting unpatched vulnerabilities is a mainstay of attackers' toolkits.
A well-run vulnerability management program is a fundamental component and a critical requirement of a cybersecurity strategy. Without it, organizations' cybersecurity efforts will fail regardless of the other investments they make. It's important enough to reiterate this point. Unpatched vulnerabilities in operating systems, and the underlying platform components that advanced cybersecurity capabilities rely on, enable attackers to completely undermine the effectiveness of these investments. Failing to efficiently address ongoing vulnerability disclosures in the "trusted computing base" that your systems rely on renders it untrustworthy.
An accurate inventory of all IT assets is critical for a vulnerability management program. Organizations that can't perform accurate and timely inventories of all their IT assets, scan all IT assets for vulnerabilities, and efficiently mitigate and/or patch those vulnerabilities, shouldn't bother making other investments until this is addressed. If your organization falls into this category, please reread the preface section of this book and recall the submarine analogy I introduced. If the CISO and vulnerability management program managers rely on their organization's IT group or other internal partners to provide IT asset inventories, those inventories need to be complete – not just inventories of the systems those partners choose to bring into compliance.
Assets that don't show up in inventories won't get scanned or patched and will become the weak link in the security chain you are trying to create. Very often, this is at odds with the uptime objectives that IT organizations are measured against, because patching vulnerabilities increases the number of system reboots and, subsequently, decreases uptime even if everything goes smoothly. My advice in scenarios where asset inventories are provided by parties other than the vulnerability management program itself is to trust but verify. Spend the extra effort and budget to continually check asset inventories against reality. This includes those official and unofficial development and test environments that have been responsible for so many breaches in the industry over the years.
If the sources of asset inventories resist this requirement or fail to provide accurate, timely inventories, this represents the type of risk that the board of directors should be informed of. Providing them with a view of the estimated percentage of total asset inventory currently not managed by your vulnerability management program should result in the sources of asset inventories reprioritizing their work and the disruption of a dangerous status quo. I'll discuss vulnerability management in more detail in Chapter 2, Using Vulnerability Trends to Reduce Risk and Costs, of this book. I'll also discuss vulnerability management in Chapter 8, The Cloud – A Modern Approach to Security and Compliance, on cloud computing.
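The "trust but verify" check described above, as an added example that is not from the book: it reconciles an IT-provided inventory against hosts independently observed by a discovery scan and a cloud account, and computes the percentage of assets outside the vulnerability management program's reach, the figure the chapter suggests reporting to the board. All hostnames, addresses and the inventory layout are constructed for the example.

```python
"""Reconcile an IT-provided asset inventory against independently observed hosts.

Added example (not from the book). Anything observed on the network or in the
cloud but absent from the inventory will never be scanned or patched, so it is
counted as unmanaged together with inventoried assets explicitly flagged as
outside the program.
"""
from dataclasses import dataclass, field

# Constructed sample data: what the IT group says exists. "managed" marks
# whether the system is enrolled in the vulnerability management program.
IT_INVENTORY = [
    {"hostname": "web01", "ip": "10.0.1.10", "owner": "it", "managed": True},
    {"hostname": "db01", "ip": "10.0.2.20", "owner": "it", "managed": True},
    {"hostname": "fw01", "ip": "10.0.0.1", "owner": "netops", "managed": True},
    {"hostname": "mail01", "ip": "10.0.1.11", "owner": "it", "managed": False},
    {"hostname": "legacy01", "ip": "10.0.3.30", "owner": "it", "managed": True},
]

# Constructed sample data: hosts that actually answered a discovery scan, and
# instances reported by a cloud provider's API.
NETWORK_SCAN = [
    "10.0.1.10", "10.0.2.20", "10.0.0.1", "10.0.1.11",
    "10.0.9.5",  # an old test box nobody decommissioned
    "10.0.9.6",
]
CLOUD_INSTANCES = [
    {"instance_id": "i-0abc", "private_ip": "10.0.2.20", "tags": {"env": "prod"}},
    {"instance_id": "i-0def", "private_ip": "10.0.9.77", "tags": {"env": "dev"}},
]


@dataclass
class Reconciliation:
    total_assets: int                                # union of inventoried and observed
    unmanaged: list = field(default_factory=list)    # observed, but not in the inventory
    opted_out: list = field(default_factory=list)    # inventoried, but flagged managed=False
    stale: list = field(default_factory=list)        # inventoried, but never observed

    @property
    def percent_unmanaged(self) -> float:
        """Share of all known-to-exist assets that the program does not cover."""
        if self.total_assets == 0:
            return 0.0
        uncovered = len(self.unmanaged) + len(self.opted_out)
        return round(100.0 * uncovered / self.total_assets, 2)


def reconcile(inventory, scan_ips, cloud_instances) -> Reconciliation:
    """Compare the claimed inventory with what was independently observed."""
    by_ip = {h["ip"]: h for h in inventory}
    observed = set(scan_ips) | {c["private_ip"] for c in cloud_instances}
    rec = Reconciliation(total_assets=len(observed | set(by_ip)))

    # Seen on the wire or in the cloud account, but nobody told the program.
    rec.unmanaged = sorted(observed - set(by_ip))
    # Declared, but deliberately left out of scanning and patching.
    rec.opted_out = sorted(h["hostname"] for h in inventory if not h["managed"])
    # Declared, but no longer answering: possibly decommissioned, possibly moved.
    rec.stale = sorted(h["hostname"] for ip, h in by_ip.items() if ip not in observed)
    return rec


def board_summary(rec: Reconciliation) -> str:
    """One-line statement of coverage suitable for a risk report."""
    return (f"{rec.percent_unmanaged}% of {rec.total_assets} known assets are outside "
            f"vulnerability management ({len(rec.unmanaged)} unknown to inventory, "
            f"{len(rec.opted_out)} opted out, {len(rec.stale)} stale inventory entries)")


if __name__ == "__main__":
    result = reconcile(IT_INVENTORY, NETWORK_SCAN, CLOUD_INSTANCES)
    print(board_summary(result))
    for ip in result.unmanaged:
        print("  unmanaged:", ip)
```

In practice the observed set would come from more than one independent source (DHCP leases, switch tables, EDR enrollments, cloud APIs), and the check is run continuously rather than once.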
The cloud can render the old-fashioned methods of inventorying, scanning, and patching security vulnerabilities obsolete.
Of course, one challenge with the approach I just described is environments that have embraced Bring Your Own Device (BYOD) policies that allow information workers to use their personal mobile devices to access and process enterprise data. The underlying question is whether enterprise vulnerability management teams should inventory and manage personal devices. This debate is one reason why many security professionals originally dubbed BYOD as "Bring Your Own Disaster." Different organizations take different approaches when answering this question. Some organizations give employees corporate-owned and fully managed mobile devices, while others require personal devices to enroll in enterprise mobile device management programs. I've also seen a more passive management model, where users are required to have an access PIN on their devices and aren't allowed to connect to their employers' networks if the latest mobile operating system version isn't installed on their devices. Some organizations use Network Access Control (NAC) or Network Access Protection (NAP) technologies to help enforce policies related to the health of systems connecting to their network. Minimizing the number of unpatched systems allowed to connect to enterprise networks is a best practice, but can be challenging to accomplish depending on corporate cultures and mobile device policies. Collecting data that helps security teams understand the risk that mobile devices pose to their environments is very helpful for a rationalized risk-based approach.
Next, we'll consider security misconfigurations. Like unpatched vulnerabilities, security misconfigurations can potentially enable attackers to take a range of actions on a system including disrupting its operation, stealing information, lowering security settings or disabling security features, seizing control of it, and using it to attack other systems.
Security misconfigurations can be present in a system as the default setting, like a preset key or password that is the same on every system manufactured by a vendor. Security misconfigurations can also be introduced gradually as a system's configuration changes incrementally as it's managed over time.
After performing hundreds of incident response investigations while I was on the customer-facing incident response team at Microsoft, I can tell you that a significant percentage of systems get initially compromised through security misconfigurations.
This is especially true of internet-facing systems such as web servers, firewalls, and other systems found in enterprise demilitarized zones (DMZs). Once a misconfiguration enables an attacker to control a system in a DMZ or use it to send authenticated commands on the attacker's behalf (such as a server-side request forgery attack), the attacker aspires to use the system to gain access to other systems in the DMZ and ultimately get access to systems inside the internal firewall of the organization. This has been a common pattern in attackers' playbooks for 20 years or more.
Security misconfigurations have also plagued endpoint devices, such as PCs, smartphones, and Internet of Things (IoT) devices. The infrastructures that these endpoints connect to, such as wireless access points, are also frequently probed by attackers for common misconfigurations. Security misconfigurations have also been an issue in industrial control systems (ICS). For example, one scenario with ICS that has burned security teams in the past is "fall back to last known status," which can override more recent security configuration changes in favor of former, less secure settings. Hardcoded credentials and vulnerable default configurations have long haunted manufacturers of all sorts of software and hardware across the industry.
A well-run vulnerability management program typically includes identifying security misconfigurations as part of its scope. Many of the same vulnerability scanners and tools that are used to identify and patch security vulnerabilities are also capable of identifying security misconfigurations and providing guidance on how to address them. Again, organizations should forgo big investments in advanced cybersecurity capabilities if they aren't already very proficient at identifying and mitigating security misconfigurations in their environment. There's no point in spending a bunch of money and effort looking for the advanced persistent threat (APT) in an environment if attackers can use decades-old lists of hardcoded passwords, which are available on the internet, to successfully compromise and move around the environment. Even if CISOs found such attackers in their IT environment, they would be powerless to exorcise them with unmanaged common security misconfigurations present.
Some of the biggest breaches in history were a result of an initial compromise through a combination of unpatched vulnerabilities and security misconfigurations. Both can be managed through a well-run vulnerability management program. This is a non-optional discipline in any cybersecurity strategy that should be resourced accordingly. Don't forget, you can't manage what you don't measure; complete, accurate, and timely IT asset inventories are critical for vulnerability management programs. Trust but verify asset inventories, always. It's worth keeping in mind that the cloud provides several advantages over the old on-premises IT world. I'll discuss this in detail in Chapter 8, The Cloud – A Modern Approach to Security and Compliance, in this book.
Security misconfigurations can be present by default with new hardware and software, or can creep in over time. Another ongoing threat that requires constant attention is that of compromised credentials. Organizations must constantly and proactively work to mitigate this threat vector.
Weak, leaked, and stolen credentials
Compromised IT environments due to weak, leaked, or stolen credentials are common. There are several ways that credentials get leaked and stolen, including social engineering such as phishing, malware that does keystroke logging or steals credentials from operating systems and browsers, and compromised systems that cache, store, and/or process credentials. Sometimes, developers put projects on publicly available code-sharing sites that have secrets such as keys and passwords forgotten in the code. Old development and test environments that are abandoned but still running will ultimately yield credentials to attackers after not being patched over time.
Massive lists of stolen and leaked credentials have been discovered on the internet over the years. In addition to these lists, the availability of high-performance computing clusters and GPU-based password cracking tools has rendered passwords, by themselves, ineffective at protecting resources and accounts. Once passwords have been leaked or stolen, they can potentially be leveraged for unauthorized access to systems, in "reuse" attacks, and for privilege escalation. The usefulness of passwords, by themselves, to protect enterprise resources has long passed. Consequently, using multi-factor authentication (MFA) is a requirement for enterprises and consumers alike. Using MFA can mitigate stolen and leaked credentials in many, but not all, scenarios. With MFA, even if attackers possess a valid username and password for an account, they won't get access to the account if they don't also possess the other factors required for authentication. Other factors that can be used for authentication include digital certificates, one-time passwords and PINs generated on dedicated hardware or a smartphone app, a call to a preregistered landline or mobile phone, and more.
MFA isn't a silver bullet for weak, leaked, or stolen passwords, but it's super helpful in many scenarios. There have been some successful attacks on some MFA methods. For example, SIM-swapping attacks have been used to intercept PIN codes sent to preregistered mobile phones via SMS. Another real limitation of MFA is that it isn't ubiquitous in enterprise IT environments. Organizations with decades of legacy applications that use old-fashioned authentication and authorization methods are less likely to fully mitigate the risk with MFA. Even if the latest systems and cloud-based services require MFA, chances are there are more legacy applications that cannot utilize it easily.
A picture of an iceberg comes to mind here. Several CISOs that I've talked to have experienced this limitation firsthand during penetration tests that exposed the limitations of MFA in their environments. Still, MFA should be widely adopted as it successfully mitigates many attack scenarios where weak, leaked, and stolen passwords are involved. It should be required for new systems being adopted and the risks posed by the old systems without it should be carefully considered and mitigated where possible. There are several vendors that specialize in such mitigations.
When an on-premises enterprise environment is initially compromised, attackers use leaked or stolen credentials to perform reconnaissance and to look for other credentials that have been cached in the environment. They are especially on the lookout for administrator credentials that could give them unlimited access to resources in the compromised environment. Typically, within seconds of the initial compromise, attackers try to access the victim organization's user account directory service, such as Microsoft Active Directory (AD), to dump all the credentials in the directory. The more credentials they can use to move and stay persistent, the harder it will be to expel them from the environment – they can persist indefinitely. Attackers will try to steal user account databases. If attackers successfully get all the credentials from their directory service, then recovery really is aspirational.
Once attackers have stolen hashed credentials, the weakest of these credentials can be cracked in offline attacks in a matter of hours. The longer, uncommon, and truly complex passwords will get cracked last. There have been raging debates for decades about the efficacy of passwords versus passphrases, as well as appropriate character lengths, character sets, password lockout policies, password expiration policies, and the like. Guidance for passwords has changed over the years as threats and risks have changed and new data has become available. Some of the people I worked with on Microsoft's Identity Protection team published password guidance based on the data from 10 million credential attacks per day that they see on their enterprise and consumer identity systems. "Microsoft Password Guidance" (Hicock, 2016) is recommended reading.
When credentials are leaked or stolen from an organization, it doesn't take attackers long to run them through scripts that try to log in to financial institutions, e-commerce sites, social networking sites, and other sites in the hopes that the credentials were reused somewhere. Reusing passwords across accounts is a terrible practice. Simply put, credentials that provide access to more than one account have a higher ROI for attackers than those that don't. Sets of compromised credentials that can provide access to corporate resources and information, as well as social networks that can also serve as a rich source of information and potential victims, are valuable.
Using unique passwords for every account and using MFA everywhere can mitigate this risk. If you have too many accounts to assign unique passwords to, then use a password vault to make life easier. There are numerous commercially available products for consumers and enterprises.
Identity has always been the hardest part of cybersecurity. Identity governance and management deserves its own book. I offer a very incomplete list of recommendations to help manage the risk of weak, leaked, and stolen credentials:
- MFA can be very effective – use it everywhere you can. Microsoft published a great blog post about the effectiveness of MFA called "Your Pa$$word Doesn't Matter" (Weinert, 2019) that is recommended reading.
- You should know if your organization is leaking credentials and how old those leaked credentials are. Using a service that collects leaked and stolen credentials, and looks for your organization's credentials being sold and traded online, can give you a little peace of mind that you aren't missing something obvious. Getting some idea as to the age of these credentials can help decide if password resets are necessary and the number of people potentially impacted.
- Privileged Access Management solutions can detect pass-the-hash, pass-the-ticket, and Golden Ticket attacks, as well as attackers' lateral movement and reconnaissance in your infrastructure:
  - Many of these solutions also offer password vaulting, credential brokering, and specialized analytics. Some of these solutions can be noisy and prone to false positives, but still, they can help you to manage and detect weak, leaked, and stolen credentials.
- In cloud-based environments, identity and access management (IAM) controls are the most powerful controls you have. Taking advantage of all the power that IAM controls offer can help you to protect and detect resources in the cloud. But this is one control set area that can proliferate into an unmanageable mess quickly. Extra thoughtful planning around your organization's IAM strategy will pay huge security dividends.
I will discuss identity a little more in Chapter 5, Cybersecurity Strategies, of this book.
An important aspect of protecting credentials involves educating information workers within an organization to be aware of social engineering attacks in which attackers may attempt to steal credentials through methods such as phishing. This is not the only way in which social engineering is used to compromise systems, however. We'll cover social engineering in a little more detail next.
Of the cybersecurity usual suspects, social engineering is the most widely used method. Simply put, social engineering is tricking users into making poor trust decisions. Examples of poor trust decisions include lowering the security posture of a system by changing its settings without understanding the possible outcomes of doing so or installing malware on a system. Attackers rely on the naivety of their victims in social engineering attacks.
The volume of social engineering attacks is orders of magnitude larger than other types of attacks. For example, the volume of email phishing attacks Microsoft reported for July 2019 was 0.85% of the more than 470 billion email messages that flowed through Office 365 that month (Microsoft Corporation, n.d.). That's 4 billion phishing emails that all relied on social engineering, detected in a single month. Similarly, Trojans, a category of malware that relies on social engineering to be successful, have been the most prevalent category of malware in the world continuously for the last decade. I'll discuss this category of malware and many others, in detail, in Chapter 3, The Evolution of the Threat Landscape – Malware.
Given the massive volume of social engineering attacks, and their historical record of success, mitigating these attacks really isn't optional for enterprises. A fundamental component of an enterprise cybersecurity strategy is a mitigation strategy for social engineering attacks. Put another way, not including social engineering attacks in your cybersecurity strategy would mean ignoring the top way that organizations get initially compromised by volume.
Social engineering attacks are typically perpetrated by attackers external to organizations, for which users must be prepared through appropriate education and training. Another challenging threat to defend against is one from within. The final potential route of compromise, which we'll discuss next, is that of the insider threat. I think of insider threats as falling into three categories:
- Users and administrators that make mistakes or poor trust decisions that lead to bad security outcomes.
- The lone wolf insider or a very small group of individuals that use their privileged access to steal information or otherwise negatively impact the confidentiality, integrity, or availability of the organization's information technology and/or data.
- The mass conspiracy where multiple insiders work together to overcome the separation of duties that distributes the span of security control. I've found that enterprises typically bring this category up in discussions about risks in managed service provider environments and the cloud.
Mitigating insider threats is an important aspect of cybersecurity and is something that should be fundamental to any enterprise-wide strategy. Enforcing meaningful separation of duties and embracing the principle of least privilege are helpful, as are monitoring and auditing.
I became a big fan of deception technology after seeing how it can be used to mitigate insider threats. There are a few different approaches to deception technology, but the basic concept is to present attackers with a system, potentially with publicly known vulnerabilities or common security misconfigurations that, when interacted with, alerts defenders to the presence of attackers. This approach can help alert defenders to the presence of external attackers and insider threats. I've heard some security professionals refer to it as a "canary in the coal mine" for IT environments. Implementing deception technology with as few people involved as possible and keeping the program confidential can be helpful in exposing at least two of the three categories of insider threats that I have outlined.
Those are the five ways organizations get initially compromised. Defending against these five vectors of attack is fundamental to effective cybersecurity.
Focus on the cybersecurity fundamentals
To have a successful cybersecurity program, organizations need to get very good at continuously mitigating all five of these types of threats. This competency forms the foundation of a sound cybersecurity strategy. Other cybersecurity-related investments will potentially have diminishing returns if the foundation of the strategy is not solid.
After an attacker uses one or more of these five ways to initially compromise an organization, they might employ a plethora of novel and advanced TTPs. Organizations that focus on the cybersecurity fundamentals make it much harder for attackers to be successful; that is, by focusing on the middle 85% of the bell curve, where the cybersecurity fundamentals sit, instead of on the activities in the outlying 7.5% at either end of the curve, security teams will be much more successful. Unfortunately, the allure of hunting advanced persistent threats can take resources away from the less sexy, but critical, work in the middle of the curve.
Figure 1.2: A bell curve illustrating that most security teams should spend their time on the cybersecurity fundamentals
If there really are only five ways that organizations get initially compromised, why does there seem to be so much confusion in the industry on proper priorities for cybersecurity programs? I think there are a bunch of factors contributing to the confusion. One reason is that the way attacks, security incidents, and data breaches have been reported in popular media outlets sometimes confuses attackers' tactics with their motivations. This can lead organizations to make the wrong security prioritization decisions.
Understanding the difference between the attacker's motivations and tactics
One of the reasons I've found so many organizations lack focus and competency around the cybersecurity fundamentals is the way big data breaches have been reported in the news over the last decade. Stories that claim an attack was the "most advanced attack seen to date" or the work of "a nation state" seem to be common. But when you take a closer look at these attacks, the victim organization was always initially compromised by attackers using one or more of the five ways I outlined in this chapter.
There are attackers that operate in the open because they don't believe there are consequences for their illicit activities, based on their location and legal jurisdiction. But this is the exception to the rule that they will obfuscate their true personal identities. Claims that an attack was the work of a nation state or an APT group are typically based on circumstantial evidence. Rapidly changing networks of social media accounts and news outlets spreading false information exacerbate the challenge of attribution.
Attributing an attack to an individual or group can be extremely hard. This is because the internet is based on a suite of protocols that was developed over 35 years ago.
The engineers that developed these immensely scalable and sophisticated protocols never envisioned a future world where an entire multi-billion-dollar-a-year industry would be based on the discoveries of new security vulnerabilities, malware research, social engineering protection, and nation state actors. TCP/IP version 4, the basis of the internet, was never designed to help investigators perform attribution for attacks that leverage vast networks of compromised distributed systems around the world. Comparing code fragments from two malware samples to determine if the same attackers developed both is not a reliable way to perform attribution, especially when the attackers know this is a common technique. Finding "patient zero," where the compromise started, in large environments that have been compromised for months or years, using data from compromised systems, can't be done with complete confidence.
But still, many cybersecurity professionals use this type of data to surmise the attackers' motivations and identities. Attacker motivations include:
- Notoriety: The attacker wants to prove they are smarter than the big high-tech companies and their victims.
- Profit: As I'll discuss in Chapter 3, The Evolution of the Threat Landscape – Malware, after the successful worm attacks in 2003, malware began to evolve to support a profit motive that continues to the present day.
- Economic espionage: For example, alleged activities by groups in China to steal valuable intellectual property from western nations to give their own industries a competitive and economic advantage.
- Military espionage: A motivation as old as governments themselves, where governments want to understand the military capabilities of their adversaries.
- Hacktivism: Attacks against organizations and institutions based on disagreements on political or philosophical issues.
- Influencing elections: Using cultural manipulation and information warfare to help nations achieve foreign policy objectives.
- Many others: Watch any James Bond movie where the Special Executive for Counterintelligence, Terrorism, Revenge, and Extortion (SPECTRE) is part of the plot.
If most organizations can't really know who is attacking them, then they can't really understand what the attacker's motivation is. If CISOs don't know what's motivating the attacker, how do they know what a proportional response is? Who should help the victim organization with the response to the attack – local authorities, the military, an international coalition?
Still, I have talked to organizations whose cybersecurity strategies rely heavily on attribution. After performing hundreds of incident response investigations for Microsoft's customers, I find the assumption that timely attribution can be done with any confidence to be overly optimistic. For most organizations, relying on accurate attribution to inform their cybersecurity strategy or to help make incident response decisions is pure fantasy. But I believe you can, with 99.9% certainty, predict the tactics the attackers will use when they try to initially compromise an IT environment. This is what organizations should invest in – the cybersecurity fundamentals.
Having a cybersecurity strategy is a great step in the right direction. But by itself, it represents good intentions, not a commitment by the organization. In the next section, we'll take a look at what else needs to be done in order to successfully implement an effective cybersecurity strategy.
Other ingredients for a successful strategy
There is a bunch of management-related work that needs to be done to ensure the CISO, the security team, and the rest of the organization can effectively execute a cybersecurity strategy. This section outlines some of the ingredients that give a strategy the best chance of success.
CISOs that tell the businesses they support, "No, you can't do that," are no longer in high demand. Security teams must align with their organizations' business objectives, or they won't be successful.
Business objective alignment
I've met many CISOs that were struggling in their roles. Some of them simply weren't properly supported by their organizations. It's easy to find groups of executives that think cybersecurity threats are overblown and everything their CISO does is a tax on what they are trying to accomplish. To these folks, cybersecurity is just another initiative that should stand in line behind them for resources. After all, the company won't get to that next big revenue milestone via a cost center, right?
Working with executives that don't understand the cybersecurity threats their organization faces and really don't have the time to pay attention isn't uncommon. Most CISOs must work with other executives to get things done, even if those executives don't realize they have a shared destiny with the CISO; when the CISO fails, they all fail. But the best CISOs I've met tend to thrive in such environments.
Whether a CISO works in an environment like the one I described, or they are lucky enough to work with people that care if they are successful, to be successful, CISOs need to align with the business they support. CISOs that don't understand and embrace the objectives of the organizations they support generate friction. There is only so much friction senior leaders are willing to tolerate before they demand change. Deeply understanding the business and how it works gives enlightened CISOs the knowledge and credibility required to truly support their organizations. Put another way, "purist" CISOs that try to protect data in isolation of the people, business processes, and technologies that their organization relies on to succeed are only doing part of the job they were hired to do.
A cybersecurity strategy will only be successful if it truly supports the business. Developing a strategy that helps mitigate the risks that the security team cares most about might give the team the satisfaction that they have a buttoned-up plan that will make it difficult for attackers to be successful. But if that strategy also makes it difficult for the business to be competitive and agile, then the security team must do better.
The best way to prove to your C-suite peers that you are there to help them is to learn about the parts of the business they manage, what their priorities are, and earn their trust. None of this is going to happen in your security operations center (SOC), so you are going to have to spend time in their world, whether that's on a factory floor, in a warehouse, on a truck, or in an office. Walk a mile in their shoes and they'll have an easier time following your counsel and advocating for you when it's important.
Lastly, remember it's the CISO's job to communicate, manage, and mitigate risk to the business, not to decide what the organization's risk appetite is. The board of directors and senior management have been managing risk for the organization since it was founded. They've been managing all sorts of risks including financial risks, economic risks, HR risks, legal risks, and many others. Cybersecurity risks might be the newest type of risk they've been forced to manage, but if the CISO can learn to communicate cybersecurity risks in the same way that the other parts of the business do, the business will do the right thing for their customers and shareholders or they will pay the price – but that's the business' decision, not the CISO's.
That said, accountability, liability, and empowerment go hand-in-hand. Many CISOs face the harsh reality that they are made accountable for mitigating risks accepted by the business, but are not empowered to make the necessary changes or implement countermeasures. Simply put, a CISO's job is a hard one. This might help explain why CISO tenures are typically so short compared to those of other executives.
Having a clear and shared vision on where cybersecurity fits into an organization's wider business strategy is not only important within the upper echelons of an organization; the organization as a whole should have a clear stance on their vision, mission, and imperatives for their cybersecurity program. We'll take a look at this next.
Cybersecurity vision, mission, and imperatives
Taking the time to develop and document a vision, mission statement, and imperatives for the cybersecurity program can be helpful to CISOs. A shared vision that communicates what the future optimal state looks like for the organization from a cybersecurity perspective can be a powerful tool to develop a supportive corporate culture. It can inspire confidence in the cybersecurity team and the future of the organization. It can also generate excitement and goodwill toward the security team that will be helpful in the course of their work.
Similarly, a well-written mission statement can become a positive cultural mantra for organizations. A good mission statement can communicate what the security team is trying to accomplish while simultaneously demonstrating how the security team is aligned with the business, its customers, and shareholders. The mission statement will help communicate the security team's objectives as it meets and works with other parts of the organization.
Finally, business imperatives are the major goals that the cybersecurity team will undertake over a 2- or 3-year period. These goals should be ambitious enough that they can't be achieved in a single fiscal year. Imperatives support the strategy and are aligned with the broader business objectives. When the strategy isn't aligned with broader business objectives, this can show up as an imperative that is out of place – a square peg in a round hole. Why would the business support a big multi-year goal that isn't aligned with its objectives? This should be a message to the CISO to realign the strategy and rethink the imperatives. These multi-year goals become the basis for the projects that the cybersecurity group embarks on. An imperative might be accomplished by a single project or might require multiple projects. Remember, a project has a defined start date, end date, and budget.
Don't confuse this with a program that doesn't necessarily have an end date and could be funded perpetually. Programs can and should contribute to the group's imperatives.
Developing a vision, mission statement, and imperatives for the cybersecurity program isn't always easy or straightforward. The vision cannot be actioned without the support of stakeholders outside of the cybersecurity group, and convincing them of the value of the program can be time-consuming. The future rewards from this work, for the CISO and the cybersecurity group as a whole, typically make the effort worthwhile. We'll briefly discuss securing this support next, as one of our important ingredients to a successful cybersecurity strategy.
Senior executive and board support
Ensuring that the senior executives and the board of directors understand and support the organization's cybersecurity strategy is an important step for a successful security program. If the senior executives understand the strategy and had a hand in developing it and approved it, they should show more ownership and support it moving forward. But if they don't have a connection to the strategy, then the activities that are executed to support it will be potentially disruptive and unwelcome. They won't understand why changes are being made or why the governance model behaves the way it does.
Two of the important questions CISOs should ask when they are interviewing for a new CISO job are who the role reports to and how often the CISO will be meeting with the board of directors or the Board Audit Committee. If the CISO isn't meeting with the board quarterly or twice per year, that's a red flag. It might be that the role the CISO reports to meets with the board instead. But unless that role is steeped in the strategy and the daily operations, they should be sharing or delegating the job of meeting with the board to the CISO. This gives the CISO firsthand experience of discussing priorities with the board. It also allows board members to get their updates directly from the CISO and ask them their questions directly. I'd be very hesitant to take a CISO job where the role didn't meet directly with the board at least a couple of times per year.
This experience is important and demonstrates that the CISO is a legitimate member of the organization's C-suite. If the CISO doesn't have the opportunity to ask the board for help with their peers, including the CEO, that's one more reason their peers don't really need to support them. Adding a management layer between the CISO and board can be a tactic that senior management uses to delay, influence, or deter the CISO from making progress with their security program. It can also provide shelter to CISOs that don't have the business acumen or corporate maturity to interact directly with the board.
But if the executive management team is truly supportive of the CISO and the cybersecurity strategy, they should welcome the opportunity for the CISO to get the help they need as quickly as possible without instituting more bureaucracy. Besides, the executive team should already know what the CISO is going to tell the board if they are taking their responsibilities seriously. Of course, history has taught us that this is not always the case where cybersecurity is concerned.
If the CISO is successful at getting the board on board with the cybersecurity strategy, this will make it easier for the board to understand why the security team is doing what they are doing. It will also make it easier for the CISO to elicit help when needed and report results against the strategy. I don't claim this is an easy thing to do. The first couple of times I met with boards of directors was like meeting the characters in an Agatha Christie novel or from the game of Clue. The board members I've met have all been very accomplished professionally. Some are humble about their accomplishments, while others assert their accomplishments to influence others. There always seems to be at least one board member who claims to have cybersecurity experience, who wants to ask tough questions, and give the CISO advice on cybersecurity. But if the CISO can effectively communicate a data-driven view of results against the cybersecurity strategy, the same strategy that the board approved, these conversations can be very helpful for all stakeholders. Additionally, results from internal and external audits typically provide boards with some confidence that the CISO is doing their job effectively.
After talking with executives at literally thousands of organizations around the world about cybersecurity, I can tell you that there are real differences in how much risk organizations are willing to accept. In addition to gaining support from senior executives and the board, it is important to have a good understanding of their appetite for risk, as we'll discuss next, since this could significantly impact cybersecurity strategy.
Understand the risk appetite
Some organizations are in hypercompetitive industries where innovation, speed, and agility are top priorities; these organizations tend to be willing to accept more risk when faced with security and compliance decisions that will potentially slow them down or otherwise impede their ability to compete. For these companies, if they don't take calculated risks, they won't be in business long enough to make decisions in the future. Other organizations I've talked to are very risk-averse. That doesn't mean they necessarily move slowly, but they demand more certainty when making decisions.
They are willing to take the time to really understand factors and nuances in risk-based decisions in an effort to make the best possible decision for their organization. Of course, there are also organizations in the spectrum between these two examples.
CISOs that understand the risk appetite of the senior management in their organizations can help them make faster, better decisions. I've seen many CISOs over the years decide to play the role of "the adult in the room" and try to dictate how much risk the organization should accept. In most cases, this isn't the CISO's job. Providing context and data to help the business make informed risk-based decisions is a function CISOs should provide. Sometimes, they also have to educate executives and board members who do not understand cybersecurity risks. But I find it useful to always keep in mind that, in established organizations, executive suites were managing many types of risks for the organization long before cybersecurity risks became relevant to them. Note, this could be different for start-ups or in organizations where the CISO also has deep expertise in the business they support; in these scenarios, the CISO might be expected to make risk decisions for the organization more directly. But in all cases, understanding how much risk the organization is willing to accept in the normal course of business is important for CISOs.
The organization's appetite for risk will show up in their governance model and governance practices. In many cases, organizations that accept more risk in order to move faster will streamline their governance practices to minimize friction and blockages. Organizations that want to take a meticulous approach to decision making will typically implement more governance controls to ensure decisions travel fully through the appropriate processes. For this reason, it's important that CISOs validate their understanding of their organizations' risk appetite instead of making assumptions about it. This is where their knowledge of the business and their peers' priorities will help.
Realistic view of current cybersecurity capabilities and technical talent
Many of the CISOs I know aspire to have a world-class cybersecurity team designing, implementing, and operating sophisticated and effective controls. However, being honest with themselves about their current state of affairs is the best starting point.
The entire industry has been suffering from an acute shortage of cybersecurity talent for over a decade. This problem is getting worse as more and more organizations come to the realization that they need to take cybersecurity seriously or suffer potential non-compliance penalties and negative reputational consequences. Assessing the talent that a security team currently has helps CISOs, as well as CIOs, identify critical gaps in expertise. For example, if a security team is understaffed in a critical area such as vulnerability management or incident response, CIOs and CISOs need to know this sooner rather than later. If you have people that are untrained on some of the hardware, software, or processes that they are responsible for or are expected to use, identifying those gaps is the first step in addressing them. It also helps CIOs and CISOs identify professional growth areas for the people on the security team and spot potential future leaders. Cross-pollinating staff across teams or functions will help develop them in ways that will potentially be useful in the future.
The key is for CIOs and CISOs to be as realistic in their assessments as they can be so that they have a grounded view of the talent in the organization. Don't let aspirations of greatness paint an inaccurate picture of the talent the organization has. This will make it easier to prioritize the type of talent required and give the organization's recruiters a better chance of attracting the right new talent.
Cartography, or doing an inventory of your current cybersecurity capabilities, is another important exercise. The results will inform the development of the cybersecurity imperatives that I discussed earlier, as well as helping to identify critical gaps in capabilities. It can also help identify over-investment in capabilities. For example, it might be discovered that the organization procured three identity management systems and only one of them is actually deployed, while at the same time the organization doesn't have enough vulnerability scanners to do a competent job of scanning and patching the infrastructure in a reasonable amount of time.
In most big, complex IT environments, this won't be an easy task. It might turn out to be relatively easy to get a list of entitlements from the procurement department or a deployed software inventory from IT. But knowing that a particular appliance, piece of software, or suite of capabilities has been deployed only answers part of the question the CISO needs answered. Really understanding the maturity of the deployment and operation of those capabilities is just as important but is typically much harder to determine. Just because an identity management product is in production doesn't mean all of its capabilities have been implemented or enabled, that the product is being actively managed, or that the data it produces is being consumed by anyone.
Discovering these details can be challenging, and measuring their impact on your strategy might be too difficult to realistically contemplate. But without these details, you might not be able to accurately identify gaps in protection, detection, and response capabilities, and areas where over-investment has occurred.
If CIOs and CISOs can get an accurate view of the current cybersecurity talent and capabilities they have, it makes it much easier and less expensive for them to effectively manage cybersecurity programs for their organizations.
In my experience, there can be a lot of conflict and friction in organizations when cybersecurity teams and compliance teams do not work well together. Let's explore this dynamic next.
Compliance program and control framework alignment
I've seen cybersecurity and compliance teams conflict with one another over control frameworks and configurations. When this happens, there tends to be a disconnect between the cybersecurity strategy and the compliance strategy within the organization. For example, the CISO might decide that the cybersecurity team is going to embrace ISO as a control framework that they measure themselves against. If the compliance team is measuring compliance with NIST standards, this can result in conversation after conversation about control frameworks and configurations. Some organizations work out these differences quickly and efficiently, while other organizations struggle to harmonize these efforts.
A common area for misalignment between cybersecurity and compliance teams is when controls in an internal standard and an industry standard differ. Internal standards are typically informed by the specific risks and controls that are most applicable to each organization. But differences between an internal standard and an industry standard can happen when the internal standard is newer than the industry standard or vice versa. For example, the industry standard states that an account lockout policy must be set to a maximum of 5 incorrect password entries. But the cybersecurity team knows that this control is "security theatre" in an environment that enforces a strong password policy and especially on systems that have MFA enabled. But in order to meet the industry standard, they might be forced to turn on the account lockout policy, thus enabling attackers to lock accounts out any time they want to with a denial of service attack.
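To make the trade-off above concrete, here is an added example (not code from the book) that models the "maximum of 5 incorrect password entries" lockout control as a small policy evaluator, runs it over a constructed stream of login attempts, and includes a defender-side check for the denial-of-service side effect: one unauthenticated source tripping the lock on many accounts. Account names, addresses and the storm threshold are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 5  # the threshold the industry standard in the text prescribes


@dataclass
class Attempt:
    user: str
    source: str        # client address (constructed values, documentation ranges)
    password_ok: bool
    mfa_ok: bool


@dataclass
class LockoutState:
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_by: dict = field(default_factory=dict)  # user -> source that tripped the lock


def evaluate(attempt: Attempt, state: LockoutState) -> str:
    """Apply the lockout policy to one attempt: 'locked', 'denied' or 'allowed'."""
    if attempt.user in state.locked_by:
        return "locked"                      # even a correct password + MFA is refused
    if attempt.password_ok and attempt.mfa_ok:
        state.failures[attempt.user] = 0     # a successful sign-in resets the counter
        return "allowed"
    if attempt.password_ok and not attempt.mfa_ok:
        return "denied"                      # MFA alone stops this; only wrong passwords count
    state.failures[attempt.user] += 1
    if state.failures[attempt.user] >= MAX_FAILURES:
        state.locked_by[attempt.user] = attempt.source
    return "denied"


def run(attempts):
    """Evaluate a whole attempt stream; return per-attempt outcomes and the final state."""
    state = LockoutState()
    outcomes = [(a.user, evaluate(a, state)) for a in attempts]
    return outcomes, state


def lockout_storm(state: LockoutState, min_victims: int = 3) -> dict:
    """Defender check: sources that locked out at least min_victims distinct accounts.

    A single source tripping many locks is the denial-of-service side effect the text
    warns about, not evidence of credentials being guessed; it is the signal to review
    whether the lockout control is adding risk rather than reducing it.
    """
    victims = defaultdict(set)
    for user, source in state.locked_by.items():
        victims[source].add(user)
    return {src: len(users) for src, users in victims.items() if len(users) >= min_victims}


def sample_attempts():
    """Constructed scenario: one source sends wrong passwords at three accounts,
    then the real owners (who have MFA) try to sign in."""
    noisy = "198.51.100.7"   # constructed address
    attempts = [Attempt(u, noisy, False, False)
                for u in ("alice", "bob", "carol") for _ in range(MAX_FAILURES)]
    attempts += [
        Attempt("alice", "203.0.113.10", True, True),   # legitimate owner, now locked out
        Attempt("dave", "203.0.113.11", False, False),  # a typo ...
        Attempt("dave", "203.0.113.11", True, True),    # ... then success; counter resets
    ]
    return attempts


if __name__ == "__main__":
    outcomes, state = run(sample_attempts())
    for user, result in outcomes[-3:]:
        print(f"{user:6} -> {result}")
    print("lockout storm sources:", lockout_storm(state))
```

Running it shows alice refused despite a correct password and MFA, while the storm check attributes all three locks to the one noisy source.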
I've seen compliance professionals, who are simply trying to comply with an industry standard without considering that they are actually increasing risk for the entire organization, argue with CISOs about the efficacy of such dated control standards. I've even seen some of these compliance professionals, in the course of their work, claim that they can accept risk on behalf of the entire organization where such decisions are concerned – which is rarely, if ever, the case.
It should be recognized and acknowledged that both compliance and security are important to organizations. Compliance is driven by the regulation of liability, and security is driven by prevention, detection, and response. CISOs should foster normalization and the alignment of applied frameworks for security and compliance. Compliance professionals need to recognize that any organization that places compliance above security will eventually be compromised.
The cybersecurity group and the compliance group should work together to find ways that they can meet standards while also protecting, detecting, and responding to modern-day threats. These different, but overlapping, disciplines should be coordinated with the common goal of helping to manage risk for the organization. As I mentioned earlier, the cybersecurity strategy should be informed by the organization's high-value assets and the specific risks they care about. The compliance team is the second line of defense designed to ensure the cybersecurity team is doing their job effectively by comparing their controls against internal, industry, and/or regulated standards. But they need to be prepared to assess the efficacy of controls where there are differences or where they conflict, instead of blindly demanding a standard be adhered to.
Typically, the decision to accept more risk by meeting a dated industry standard, for example, should be made by a risk management board or broader internal stakeholder community instead of by a single individual or group. Internal and external audit teams are the third line of defense that help to keep both the cybersecurity team and the compliance team honest by auditing the results of their work. No one wins when these teams fight over control frameworks and standards, especially when the frameworks or standards in question are based on someone else's threat model, as is almost always the case with industry and regulated standards.
Some organizations try to solve this problem by making the CISO report to the compliance organization. I always feel sorry for CISOs that I meet that report to compliance or audit leadership. This isn't a criticism of compliance or audit professionals or leadership in any way. Simply put, cybersecurity and compliance are different disciplines.
Compliance focuses on demonstrating that the organization is successfully meeting internal, industry, and/or regulated standards. Cybersecurity focuses on protecting, detecting, and responding to modern-day cybersecurity threats. Together, they help the organization manage risk. I'm going to discuss "compliance as a cybersecurity strategy," in detail, in Chapter 5, Cybersecurity Strategies. Next, however, we'll talk about the importance of cybersecurity and IT maintaining a happy and productive relationship with one another.
An effective relationship between cybersecurity and IT
In my experience, CISOs that have a good working relationship with their business' IT organization are typically happier and more effective in their job. An ineffective relationship with IT can make a CISO's life miserable. It's also true that CISOs can make the jobs of CIOs and VPs of IT disciplines frustrating. I've met so many CISOs that have suboptimal working relationships with their organization's IT departments. I've seen many cybersecurity groups and IT organizations interact like oil and water, when the only way to be successful is to work together. After all, they have a shared destiny. So, what's the problem? Well, simply put, in many cases, change is hard. It is easy for CIOs to interpret the rise of CISOs as a by-product of their own shortcomings, whether this is accurate or not. CISOs represent change and many of them are change leaders.
Moreover, I think this dynamic can develop for at least a few reasons. The way that these groups are organized can be one of them. Cybersecurity groups are typically newer than the IT organizations in large, mature organizations, and the two most common ways I've seen them integrated are as follows:
- The CISO reports to IT and shares IT resources to get work done.
- The CISO reports outside of IT, to the CEO, the board of directors, legal, compliance, or the CFO. There are two flavors of this model:
  - The CISO has their own cybersecurity resources, but needs IT resources to get work done.
  - The CISO has their own cybersecurity and IT resources and can get work done independently of IT.
The scenario where the CISO reports into the IT organization has historically been very common. But this reporting line has been evolving over time. Today, I estimate that less than 50% of the CISOs I meet report into IT. One of the reasons for this change in reporting lines is that, all too often, CIOs prioritize other IT work over cybersecurity.
Cybersecurity is treated like any other IT project in that it must queue up with other IT projects and compete with them for resources to get things done. Frustrated CISOs would either succeed in convincing their boss that cybersecurity wasn't just another IT project, or be forced to escalate. There are no winners with such escalations, least of all the CISO. In many cases, the CISO is left with a CIO that resents them and sees them as a tax on the IT organization.
It took years for many CIOs to realize that every IT project has security requirements. Deprioritizing or slowing down cybersecurity initiatives means that every IT project that has a dependency on cybersecurity capabilities will either be delayed or will need an exception to sidestep these requirements. The latter tends to be much more common than the former. When CEOs and other executives began losing their jobs and directors on boards were being held accountable because of data breaches, many organizations were counseled by outside consultants to have their CISOs report to the CEO or directly to the board of directors. This way, cybersecurity would not be deprioritized without the most senior people being involved in making those risk decisions.
A new challenge is introduced in the scenario where the CISO reports outside of IT to the CEO, the board of directors, or another part of the company. Where is the CISO going to get the IT staff required to get things done? When the CISO reported into IT, it was easier to get access to IT resources, even if they had to queue up. For CISOs that sit outside the IT organization, they only have a few options. They can get resources from IT and become their customer, or they must hire their own IT resources. Becoming a customer of IT sounds like it could make things easier for CISOs, but only when they have a good relationship with IT that leads to positive results. Otherwise, it might not be sufficiently different from the model where the CISO reports into IT. As expedient as hiring their own resources sounds, there are challenges with this approach. For example, change control can become more complex because IT isn't the only group of people that can make changes in the environment. Many times, this results in IT engineers watching cybersecurity engineers making changes in their shared environment and vice versa. Using twice as many resources to ensure things get done in a timely manner is one way to approach this problem. But most organizations can find better uses for their resources.
I've seen a better approach in action. When CISOs, CIOs, and CTOs have mutual respect for each other's charter and support each other, the work is easier, and things get done more efficiently.
Instead of a relationship defined by resource contention or assertions of authority, CISOs need to have good, effective working relationships with their IT departments to ensure they can do their jobs. Building such relationships isn't always easy, or even possible, but I believe this is a critical ingredient for a successful cybersecurity strategy. Ideally, these relationships blossom into a security culture that the entire organization benefits from.
On the topic of culture, the last ingredient for a successful cybersecurity strategy is a strong security culture. This culture involves everybody in the organization understanding their role in helping to maintain a good security posture to protect the organization from compromise. Let's talk about it in a little more detail in the next and final section of this chapter.
Someone famous recently said, "Culture eats strategy for breakfast." I agree wholeheartedly. Organizations that are successful in integrating security into their corporate culture are in a much better position to protect, detect, and respond to modern-day threats. For example, when everyone in the organization understands what a social engineering attack looks like and is on the lookout for such attacks, it makes the cybersecurity team's job much easier and gives them a greater chance of success. Contrast this with work environments where employees are constantly getting successfully phished and vulnerabilities are constantly being exploited because employees are double-clicking on attachments in emails from unknown senders. In these environments, the cybersecurity team is spending a lot of their time and effort reacting to threats that have been realized. A strong security culture helps reduce exposure to threats, decrease detection and response times, and thus reduce the associated damage and costs.
Culture transcends training. It's one thing for employees to receive one-time or annual security training for compliance purposes, but is quite another thing for the concepts and calls to action that employees learn in training to be constantly sustained and reinforced by all employees and the work environment itself. This shouldn't be limited to front-line information workers. Developers, operations staff, and IT infrastructure staff all benefit from a culture where security is included. A security culture can help employees make better decisions in the absence of governance or clear guidance.
One note on the gamification of cybersecurity training: I've seen good results when organizations shift some of their cybersecurity training away from reading and videos into more interactive experiences.
I've facilitated "game days" focused on helping organizations learn about threat modeling and cloud security. To be completely honest, I was more than a little skeptical about using this approach. But I've seen many groups of executives and security teams embrace it and provide glowing feedback that now I'm a big fan of gamification for training purposes.
CISOs have a better chance of success when everyone in their organizations helps them. I encourage CISOs, with the help of other executives, to invest some of their time in fostering a security culture, as it will most certainly pay dividends.
I covered a lot of ground in this chapter. But the context I provided here will be helpful for readers throughout the rest of this book. In this chapter, I introduced the cybersecurity fundamentals, the cybersecurity usual suspects, High Value Assets (HVAs), and other concepts that I will relentlessly refer to throughout the rest of this book.
What is a cybersecurity strategy? There are at least two critical inputs to a cybersecurity strategy: your organization's HVAs, and the specific requirements, threats, and risks that apply to your organization, informed by the industry you are in, the place(s) in the world where you do business, and the people associated with the organization. If an HVA's confidentiality, integrity, or availability is compromised, the organization will fail or be severely disrupted. Therefore, identifying HVAs and prioritizing protection, detection, and response for them is critical. This does not give security teams permission to completely ignore other assets. Clarity on HVAs helps security teams prioritize and avoid extinction events.
There are only five ways that organizations get initially compromised; I call them the cybersecurity usual suspects: unpatched vulnerabilities; security misconfigurations; weak, leaked, and stolen credentials; social engineering; and insider threat. Organizations that are very proficient at managing the cybersecurity fundamentals make it much harder for attackers to be successful. After the initial compromise of an IT environment, there are many tactics, techniques, and procedures (TTPs) that attackers can use to achieve their illicit goals. Advanced cybersecurity capabilities can help security teams detect the use of TTPs and reduce response and recovery times. Don't confuse an attacker's motivations with their tactics. Since accurate attribution for attacks is so difficult to accomplish, it's unlikely most organizations will be able to determine who is attacking them and what their motivation is.
Whether the attacker is a purveyor of commodity malware or a nation state, the ways they will try to initially compromise their victims' IT environments are limited to the cybersecurity usual suspects. Being very proficient at the cybersecurity fundamentals makes it much harder for attackers, whether they are a nation state trying to steal intellectual property or an extortionist.
A cybersecurity strategy is required for success, but it is not sufficient by itself. Ingredients for a successful strategy include:
- Business objective alignment
- Cybersecurity vision, mission, and imperatives
- Senior executive and board support
- An understanding of the organization's risk appetite
- A realistic view of current cybersecurity capabilities and technical talent
- Compliance program and control framework alignment
- An effective relationship between cybersecurity and IT
- Security culture
Now that all this context has been introduced, I'll build on it in the chapters that follow. In the next few chapters, I'll explore how the threat landscape has evolved. I believe that CISOs can make better decisions when they understand how threats have changed over time. The three categories of threats that I'll dive into are the ones that CISOs have asked me about most frequently: vulnerabilities, malware, and internet-based threats like phishing and drive-by download attacks.