A Practical Strategy to Maintain Confidentiality, Integrity, and Availability (CIA)

A Practical Strategy to Maintain Confidentiality, Integrity, and Availability (CIA)

Mark Tellier, MS, SSCP

Our businesses are inundated with incidents of Ransomware, Malware, Adware, and many other intrusion variants, it’s no wonder that 90% of healthcare institutions have been affected, at a total cost of $6 billion a year according to a recent study from the Ponemon Institute¹. As we make our way through these threats, one needs to ask; if so many companies offer solutions, and institutions hire top shelf network security engineers, why are there so many breaches?

The Security Triad published in FIPS Publication 199² distinctly categorizes the security threats within the domain of Risk Identification, Monitoring, and Analysis, and defines their potential impact. FIPS Publication 200³ follows up with minimum government CIA regulations for government information systems.  On to NIST 800-53⁴for the risk management framework and guidance for security controls, and NIST 800-35⁵ describes the computer security life cycle in detail, and so well in fact that this framework should work. We know what we need to do and having a difficult time implementing it.

From a perspective of Security Operations and Administration, within the access controls domain there is a plethora of controls including SIEMS, firewalls, IDS, IPS, proxies, PKI services, and endless software programs claiming to protect our networks. If all defenses were in place and working, then why is this problem increasing exponentially? It may be, according to numerous studies that upper management may not be doing enough to protect company assets. Security is not about firewalls and advanced IT measures, it is about education and awareness of employees⁶. Senior management’s responsibility is to put safeguards into place to protect the company.

Our systems are managed by high priced security professionals yet the expectation in many cases is that it is just luck that the system has not been hit. Based on this scenario, complacency, lack of knowledge, and top down politics seem to outweigh a value proposition in mitigation of threats. Yes, threat mitigation is a value proposition with a tangible outcome that can enhance profit. It is an unexpected inverse relationship where higher profit is related to decreased threats. Upper management complacency in simply educating employees seems to be the norm.

In some cases expensive devices are purchased through capital budgets approved by C-Level directors with the assurance that the money is well spent. Complacency on the part of upper level management as they burden budget IT equipment sunk cost with the expectation that they are now secure are missing the boat. Moreover, employee engagement, training, and common sense seem to fall by the wayside when focus is on short term monetary goals rather than overall company value.  Executives sometimes hire overzealous ‘Security Experts’ who are out to impress the executive team with their knowledge rather than getting down to basics and understanding the root of the problem.  Research suggests that the majority of breaches are caused by simple social engineering tactics that could be negated up front.  

As an analogy, let’s talk about a wave of car thefts. Think about how many of those cars were left unlocked or had the keys left in the ignition; probably the majority of them that were stolen. That is just the point, the criminals exploit the easy opportunities, yet there is no need on the criminals part to even try to open one of the locked cars , just as complicated plans to infiltrate a network are usually are not needed. It is the simple things like opening a malicious email and taking advantage of untrained employees that entices criminals.  Simple human nature is being exploited without complicated strategic plans such as what would be used in robbing a bank.

In May of 2018 the European Union (EU) invoked the General Data Protection Regulation (GDPR) ⁷ which adds penalties for breaches and defines consent and data subject rights along with data standards to try to minimize breaches. Data protection officers will be responsible for data protection and fines will be levied for breaches. It is a step in the right direction and forces C-level executives to get their act together.  In a recent Ponemon⁸ security study done in the UK it was found that 86% of respondents throughout the EU felt that new security architecture was needed while 76% felt that security procedures were outdated. These are troubling statistics as the number of threats increases it seems that attacks will continue with more variants, and more exploits that take advantage of complacency. GDPR is a step in the right direction, and the jury is still out on its effectiveness. However, the financial penalties may open some eyes.

Let us put the issue in perspective in the United States, we have very good NIST documents, very good hardware and software controls, very smart network engineers, and we are losing the battle. According to Baker Hostetler’s 2016 Data Security Incident Response Report⁹, phishing and malware accounted for approximately 31 % of incidents, employee action and mistakes 24%, external theft 17%, vendors 14%, internal theft 8%, and lost or improper disposal 6%.

In the aforementioned study, if the majority of the issues could be preventable by training, engagement, and common sense, how could our experts who are failing to make the grade not rethink their methods? The current state of affairs does not work, and the bad guys know it.  Security companies are getting rich; experts are getting paid to administer their expertise in a market that the bad guys created. It is unfortunate that complacency seems to be the norm across the board, with an attitude that cybercrime is just something that we need to live with. However, if employees are simply trained, and therefore become concerned, the ‘lay’ people become part of cyber security for the greater good of the company. It just seems so simple, yet engagement is so difficult because it may just be too basic.

While researching ideas based on the stated statistics, there are numerous articles, white papers, and websites devoted to cyber security, and many state the obvious that C-Level management is responsible for company’s demise in being hacked. It makes sense that companies are dependent on these high level executives to create profit, however they seem to be missing the boat on a relatively simple risk mitigation strategy with a relatively low cost when the average cost of a forensic investigation exceeds $60,000 with the highest cost at approximately $750,000, according to the Baker-Hostetler Cyber Security Report for 2017¹⁰. In addition, the report found that a back to the basics strategy would be a prudent approach to establish baseline procedures such as training to reduce the company’s risk profile.

In addition to the basic premise of educating employees through comprehensive training, an ESG research study¹¹ suggests that over the past two years there has only been an increase of 39% in security budgets and only a 33% increase in training for cyber security, and clearly there are large gaps  as threats are increasing by orders of magnitude. Most distressing is that there was a strong conclusion that the government should be more involved and executives should lobby the government for better controls. Clearly, executives are looking for a bail out instead of just engaging the simple things.

 As threats become more commonplace and invasive, the battle is being lost due to complacency and lack of focus on the most prevalent and obvious controls. This could be the defacto reason why the bad guys are winning, as C-Level Management has created a monster. In fact, according to a CompTia study¹²only one-third of CIO’s surveyed, required cyber security training for employees and in more than one half of surveyed companies training decisions are being made at the top.  The basics are being overlooked and cyber-crime is flourishing on the lack of basic, simple, and inexpensive controls like training; criminals prefer that CIO’s just throw money at the problem with high priced detection systems with the expectation that things will be better.

In a recent CIO article¹³ regarding human liability it was stated that a company could buy the best equipment and same level of investment should be put into employee education and that rarely happens^. Along with a training solution, practical controls such as email scanners like Proofpoint¹⁴ for example that utilizes threat intelligence at a very reasonable cost, inadvertently screens selected URL’s and phishing scam’s that spark user’s curiosity. The email phishing threat vector relies on social engineering and therefore can be negated through the suggested combination of education and email scanning specifically targeted at the most relevant threats. In addition, indirect cost savings from a solution such as Proofpoint may result in indirect cost savings based on the lack based on lack of cyber security skills^15. In conjunction with a training solution an intelligent threat mitigation technology, a company could reduce their vulnerability significantly without the need for highly compensated network security engineers and a multitude of detection equipment.

Current IPS, IDS and scanning devices work to detect threats and in fact do a good job. After all when a Ransomware attack occurs at the local hospital it is detected and reported quickly. If only mitigation was prioritized instead of detection, the bad guys would be running to find another simple way to defraud the public. As threats change and become more sophisticated, the mitigation landscape must change with it as email is the most common vector, while  mobile and social engineering are increasing.  Risk mitigation through training and intelligent screening of threats could mitigate a high percentage of threat vectors that adversely affect many businesses. Executive buy-in and understanding of basic education, in conjunction with intelligent threat mitigation applications could a most effective solution as the bad guys continue to exploit complacency.

References:

1.      https://www.insurancejournal.com/news/national/2015/05/07/367165.htm

2.      http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

3.      http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf

4.      https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf

5.      http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-35.pdf

6.      https://www.zdnet.com/article/who-is-really-responsible-for-cybersecuritythe-ciso-the-cio-the-ceo-or-you-who-is-really-responsible/

7.      https://www.eugdpr.org/

8.      https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/the-need-for-a-new-it-security.pdf

9.      http://f.datasrvr.com/fr1/516/11618/BakerHostetler_2016_Data_Security_Incident_Response_Report.pdf

10.   https://www.databreaches.net/bakerhostetler-2017-data-security-incident-response-report-based-on-450-incidents/

11.   https://c.ymcdn.com/sites/www.issa.org/resource/resmgr/cscl/ESG-ISSA-Research-Report_Sta.pdf

12.   http://searchsecurity.techtarget.com/opinion/Lack-of-cybersecurity-awareness-linked-to-CIOs

13.   https://www.cio.com/article/3205305/data-protection/human-liability-in-security.html

14.   https://www.proofpoint.com/us/products/ransomware-and-targeted-attack-protection

15.   Preventing, Detecting, and Responding to Advanced Email-based Attacks, Tony Palmer, Senior Validation Analyst August 2017

Mark Tellier Bio:

Mark Tellier holds a Master’s Degree in Business Management along with a Six-Sigma/Lean Black Belt. In addition he is certified in ITIL Foundations and is Systems Security System Practioner Certified (SSCP). Mark has 25 years of experience in the health care industry and has been involved in Medical Device Manufacturing, Healthcare Interoperability, and building a Healthcare Information Exchange (HIE).