Rethinking Cybersecurity: Challenging the Commoditisation and Embracing Restorative Practices
Since I started in cybersecurity, I have observed that the field has become dominated by insincere vendors and practitioners driven solely by profit. As a cybersecurity leader, I have also noticed the increasing commoditisation of cybersecurity over the years, and it is important for us to address this issue.
Going deeper into the motives, I realised the significance of my blog’s title. Initially, I chose the name to reflect the current state of cybersecurity, where my work felt repetitive and inconsequential, like an assembly line. However, regardless of the organisation, the same recurring non-technical issues persisted.
The primary challenge lies in the way security practitioners interact with the people they are meant to protect within these organisations. Those outside the security team are often victim-shamed and blamed for their perceived ignorance as if they are at fault for not prioritising cybersecurity in their daily work.
Security organisations sometimes oppress the very people they are meant to serve. This behaviour struck me as counterproductive and degrading, particularly as I familiarised myself with nonviolent communication and other conflict-resolution techniques. I wondered whether adopting peacebuilding methods could foster collaboration and alignment among stakeholders. While only a few security practitioners initially showed interest, the transition to DevOps and shift left strategy, emphasising these attributes, attracted like-minded individuals.
Additionally, the way users are treated is like the punitive and shaming approach commonly seen in the criminal justice system. However, this approach has not reduced crime or supported victims. On the other hand, restorative justice, which focuses on repairing the harm caused by crime and restoring the community while respecting the dignity of all involved parties, has shown promise.
Evidence suggests that traditional fear-based and shaming tactics have not effectively promoted user compliance in cybersecurity. Instead, creating a supportive workplace environment has been identified as a more practical approach to encouraging voluntary security behaviours.
In the rapidly evolving landscape of cybersecurity, organisations must adapt their approaches. Rather than relying on fear, uncertainty, and doubt (FUD)-based strategies, we must acknowledge the value of users as allies and reposition cybersecurity as a collaborative effort. This involves a fundamental shift in the industry, prioritising collaboration, understanding, and support to foster a culture of proactive cybersecurity measures. By moving away from fear-based tactics and embracing a more cooperative approach, organisations will be better equipped to mitigate threats and safeguard information.
The interconnected world of billions of IoT (Internet of Things) devices has revolutionised digitalisation, creating enormous opportunities for humanity. In this post, I will be focusing on the uniqueness of the security challenges presented by these connected IoT devices and how we can respond.
We are more connected than at any point in the history of humanity. Every time we wear a device or connect one to the Internet, we extend this connectivity, increasing our ability to solve problems and be more efficient and productive. This connected world of billions of IoT devices has revolutionised digitalisation. However, such massive use of connected devices has presented a different cybersecurity challenge: one that has compelled the C-suite to develop and implement separate cybersecurity programs to respond to two competing security objectives. Where IT (Information Technology) focuses on managing confidentiality and integrity more than the system’s availability, OT (Operational Technology) focuses on the availability and integrity of the industrial control system. The convergence of the two disparate technology environments does improve efficiency and performance, but it also increases the threat surface.
What makes OT different from IT?
IT predominantly deals with data as a product that requires protection. In OT, on the other hand, data is a means to run and control a physical machine or a process. The convergence of the two environments has revolutionised our critical infrastructure, where the free exchange of data has increased efficiency and productivity. Less physical presence is required at remote sites to initiate manual changes; you can now make changes and control machines remotely. With Industry 4.0, we are witnessing the next wave of the industrial revolution: real-time interaction between the machines in a factory (OT) and external third parties such as suppliers, customers, logistics providers, etc. Real-time exchange of information from the OT environment is required for safety and process effectiveness.
Unfortunately, the convergence of IT into OT environments has exposed the OT ecosystem to more risk than ever before by extending the IT attack surface into OT. The primary security objective in IT is to protect the confidentiality and integrity of the data while ensuring the data is available as and when required. In OT, however, the safety of people and the integrity of the industrial process are of utmost importance. The following diagrams show a typical industrial process and the underlying devices in an OT environment.
As you can see, the underlying technology components are very similar to IT, and OT environments can therefore adopt IT security principles. OT environments are made up of programmable logic controllers (PLCs) and computing devices such as Windows and Linux computers. Deployment of such devices exposes the OT environment to threats similar to those in the IT world. Organisations therefore need to appreciate the subtle similarities and differences of the two environments when applying cybersecurity principles to improve the security and safety of the converged environment.
Risk profile of the converged environment
The interconnected OT and IT environments present an extended attack surface across which threats can move laterally between the two environments. However, it was not until 2010, with the appearance of Stuxnet, that the industry realised the threat. Stuxnet was the first attack on operational systems: 1000 centrifuges were destroyed in an Iranian nuclear plant to reduce the country's uranium enrichment capability. This incident brought cybersecurity threats to OT to the forefront.
Following are some of the key threats and risks inherent in a poorly managed converged environment.
* Ransomware, extortion and other financially motivated attacks
* Targeted and persistent attacks by nation-states
* Unauthorised changes to the control system, which may result in harm, including loss of life
* Disruption of services: delayed or flawed information relayed to the OT environment leads to malfunctioning control systems
* Legacy devices incapable of implementing contemporary security controls being used to launch a cyberattack
* Unauthorised interference with communication systems, directing operators to take inappropriate actions with unintended consequences
Cybersecurity Behaviours and Practices
As noted earlier in this post, the converged IT & OT environments can take inspiration from IT security to adopt tools, techniques and procedures to reduce cyberattack opportunities. Following are some strategies to help organisations set up a cybersecurity program for an interconnected environment.
Reduce complexity and attack opportunities
* Reduce the complexity of networks, applications, and operating systems to reduce the “attack surface” available to an attacker.
Better perimeter and service knowledge
* Map the interdependencies between networks, applications, and operating systems.
* Identify assets that are dealing with sensitive data.
Strengthen internal collaboration
* Avoid conflicts between business units (business owners, information technology, security departments, etc.) and improve internal communication and collaboration.
Strengthen External collaboration
* Improve and strengthen collaboration with external entities such as government agencies, vendors, customers, etc., sharing threat intelligence to improve incident response.
Know your insider threats
* Identify and assess insider threats.
* Regularly monitor such threats, including your employees, for changing social behaviours.
Increase awareness and training
* Invest in targeted employee security awareness and training to improve behaviours and attitudes towards security.
Strengthen Integration by data/traffic analysis
* Improve network traffic data collection and analysis processes to improve security intelligence, enabling informed and targeted incident response.
Build in-house security capabilities
* Build in-house security competencies, including skilled resources for continuity and enhanced incident response.
Limit BYOD (bring your own device)
* A clear BYOD policy must be defined and implemented within the IT & OT environments.
* Only approved devices may be connected to the environment, with strict authorisation and authentication controls in place.
* Monitor all user activity whilst connected to the network.
Align Cyber Program with Industry standards
* Align your cybersecurity program with well-established security standards to structure the program.
* Some of the relevant industry standards include ISO 27001–27002, RFC 6272, IEC 61850/62351, ISA-95, ISA-99, ISO/IEC 15408, ITIL, COBIT, etc.
* Ensure clear demarcation of the IT & OT environments to limit the attack surface.
* Apply virtual segmentation with zero trust, with complete isolation of control and automation environments from the supervisory layer.
* Implement tools and techniques to facilitate incident detection and response.
* Implement a zero trust model for endpoints.
Implement threat hunting
* Implement threat hunting capabilities for the converged environment focused on early detection and response.
Conclusion
The last fifteen years or so have shown us how vulnerable our technology environments are. Protection of these environments requires a multi-pronged and integrated strategy that considers not only external risks but also insider threats. A prioritised approach to mitigating these risks requires a holistic view that includes people, processes and technology. Benchmarking exercises can also help organisations identify the “state of play” among similar-sized entities. We are certainly seeing consistent investment in security efforts across the board, but we still have to work hard to respond continuously to ever-changing threat scenarios.
In the past, I have talked about zero-day vulnerabilities and the risks they pose. This post will focus on a grey market ecosystem, where zero-day exploits are bought and sold. To stay within the context, let me first define some key terms that will help us distinguish between the legality of this market.
Zero-day Vulnerability & Exploit
Zero-day vulnerabilities are flaws in system software or a device that have become known but have not yet been patched by the creator. Because the creator of the software has not yet discovered and patched the flaw, zero-day vulnerabilities pose a high risk: a cybercriminal can take advantage of them for financial gain.
A zero-day exploit is software that takes advantage of such a vulnerability. Merely creating an exploit and selling such software is not illegal. However, using such an exploit for financial gain or to cause harm is illegal.
Zero-day Brokers
Zero-day brokers operate in the grey market ecosystem where zero-day exploits are bought and sold, often secretly by governments. Governments do this to ensure that no one else knows about these vulnerabilities, including the software creators. Since governments are involved, you guessed it right, there is a level of legitimacy to this market. The concept of good or bad is subjective and depends on which side of the table you are on.
The History of the “Market”
Like any other market, buying and selling zero-day exploits is the core of the business model, and brokers (the zero-day brokers market) have existed since the beginning of cyber warfare. As the Internet revolution took hold, data famously became the “new oil” of this century, and zero-day exploits have become the most reliable way of exploiting vulnerabilities in the quest for information. Some governments and private entities buy or sell these exploits to protect national interests and, in other cases, use them to spy on an adversary. The market appears to be very small but very high value, depending upon the exploit in question.
I came across a book by New York Times cybersecurity and digital espionage journalist Nicole Perlroth; THIS IS HOW THEY TELL ME THE WORLD ENDS is an excellent account of the zero-day market. This well-researched book discusses the origins and the extent of this market. She notes in her account that it is hard to pinpoint exactly how many researchers sell these exploits, or even how few parties buy them from those researchers. Even though the major buyers in this market are law enforcement agencies worldwide, some private entities do indulge in buying.
The zero-day exploit market predominantly trades in valuable tools used to execute covert, surgical operations. Recently, various governments have tried to regulate the exploit market, but no matter what controls governments apply, we will always have a thriving black market selling zero-day exploits.
Nicole cites in her book the inability of Americans to protect against espionage attempts from Russia, China and North Korea, which prompted them to use zero-day exploits as a critical component of their response to digital/cyber warfare. The Snowden leaks confirm that US agencies were among the biggest players in this market. Nicole shares the story of two young hackers in the early days of this century who offered iDefense Research Lab, a threat intelligence company, a business model parallel to that of blackhat hackers exploiting vulnerabilities for profit and cyber warfare. Until then, whitehat hackers, with all their good intentions, were missing out on the money because the creators of the software did not acknowledge them. iDefense became the first company to buy bugs from these whitehat hackers, creating a “threat intelligence” service for companies such as banks that depended on vulnerable business software and required protection against attacks. This arrangement was a win-win proposition for iDefense Labs and the whitehat hackers.
In the early days, there was no market for iDefense. To develop this market, they started offering hackers money for a laundry list of bugs, but at first the bugs submitted were good for nothing. Even though they considered letting the hackers go, they needed to build trust. After 18 months or so, hackers from Turkey, New Zealand and Argentina produced bugs that could be exploited through antivirus software, intercept passwords and steal data. As time passed, the program gained attention, and the company started getting calls from people in government offering iDefense substantial amounts of money in exchange for the bugs. The key condition in these discussions was not to inform the creators of the software about the vulnerabilities in exchange for the money. This opened up a whole new paradigm: hackers who, a year earlier, would accept a few hundred dollars were now asking for six-figure payouts. This created a whole new ecosystem of buyers and sellers known today as “zero-day brokers”.
The future of Zero-Day Brokers
As long as we have software, we will have software vulnerabilities. Therefore, this ecosystem will persist. However, there could be some differences in the way the exploits are bought or sold, and the value of these exploits could change. The cyber arms race is becoming enormously competitive, and governments worldwide are behaving as if there were no consequence to hacking an adversary country. It is becoming increasingly evident in the cybersecurity world that countries like the US, China, North Korea, Israel, etc., are very much involved in cyber espionage and are finding new ways to stay ahead in the race. They will keep developing or buying exploits. Meanwhile, ordinary people will always be the last to know and the first ones impacted by a digital apocalypse. It sounds alarming, but what we are seeing in the cybersecurity world does not indicate anything but a potential digital catastrophe.
I did my FAIR analysis fundamentals course a few years ago and here are my thoughts on it.
FAIR stands for Factor Analysis of Information Risk, and is the only international standard quantitative model for information security and operational risk. (https://www.fairinstitute.org/)
My interest to learn more about FAIR came from two observations.
The first was that we had many definitions of what constitutes risk. We refer to “script-kiddies” as risks. Not having a security control is referred to as a risk. SQL injection is a risk. We also said things like “How much risk is there with this risk?”
The other observation was with our approach to quantifying risk. We derived the level of risk from likelihood and impact, and it was sometimes hard to get agreement on those values.
Having completed the course, one of the things I like about FAIR is its definitions: what a risk is, and what it must include. A risk should include an asset, a threat and an effect, with a method that is optional. An example of a risk is the probability of malicious internal users impacting the availability of our customer booking system via denial of service.
FAIR uses future loss as the unit of measurement rather than a rating of critical, high, medium and low. The value of future loss is expressed as a range with a most likely value, along with the confidence level of that most likely value. As such, it focuses on accuracy rather than precision. I quite like that, as it makes risk easier to understand and compare. Reporting that a risk has a 1-in-2-year probability of happening, with a loss between $20K and $50K but most likely $30K, is a lengthy statement. However, it is more tangible and makes more sense than reporting that the risk is a High Risk.
Now it sounds like I’m all for FAIR, but I have some reservations. The main one is that there isn’t always data available to determine such an empirical result. Risk according to FAIR is calculated by multiplying loss frequency (the number of times a loss event will occur in a year) by loss magnitude (the dollar range of loss from productivity, replacement, response, compliance and reputation). It will be hard to come up with a loss frequency value when there is no past data to base it on; I’ll be guessing the value rather than estimating it. FAIR suggests estimating a subgroup if there isn’t enough reliable data available, but again I see the same problem. The subgroup for loss frequency is the number of times threat actors attempt to affect the asset multiplied by the percentage of attempts that are successful. Unless you have that data, that is no easier to determine.
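To make the arithmetic in the last two paragraphs concrete, here is a small Python illustration I have added; it is not FAIR Institute tooling or code from the course. It uses the decomposition described above (risk = loss event frequency × loss magnitude, with loss event frequency = threat event frequency × the share of attempts that succeed) and carries each factor as a minimum / most likely / maximum range, combining them by Monte Carlo sampling so the output is a loss range rather than a single number. The input ranges are constructed for the booking-system example, and sampling from a triangular distribution is my simplification (FAIR tooling typically uses a PERT distribution).

```python
"""FAIR-style risk quantification: a worked illustration, not FAIR Institute code."""
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Estimate:
    """A calibrated range estimate: minimum, most likely and maximum value."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution: stays inside the estimated range and peaks at the
        # most-likely value. Assumption for illustration; FAIR tools usually use PERT.
        return rng.triangular(self.low, self.high, self.most_likely)


# Constructed inputs for the post's example risk: malicious insiders causing
# denial of service on the customer booking system.
THREAT_EVENT_FREQ = Estimate(0.5, 1.0, 2.0)          # attack attempts per year
VULNERABILITY = Estimate(0.3, 0.5, 0.7)              # fraction of attempts that succeed
LOSS_MAGNITUDE = Estimate(20_000, 30_000, 50_000)    # dollars lost per loss event


def loss_event_frequency(tef: float, vulnerability: float) -> float:
    """LEF = TEF x Vulnerability: the subgroup decomposition the post describes."""
    return tef * vulnerability


def annualised_loss(lef: float, loss_magnitude: float) -> float:
    """Risk in FAIR terms: loss event frequency x loss magnitude, per year."""
    return lef * loss_magnitude


def point_estimate(tef=THREAT_EVENT_FREQ, vuln=VULNERABILITY, lm=LOSS_MAGNITUDE) -> dict:
    """Single-value answer using only the most-likely values (ignores uncertainty)."""
    lef = loss_event_frequency(tef.most_likely, vuln.most_likely)
    return {"lef": lef, "annual_loss": annualised_loss(lef, lm.most_likely)}


def simulate(n: int = 10_000, seed: int = 1, tef=THREAT_EVENT_FREQ,
             vuln=VULNERABILITY, lm=LOSS_MAGNITUDE) -> dict:
    """Monte Carlo: propagate every input range through the model to get a loss range."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n):
        lef = loss_event_frequency(tef.sample(rng), vuln.sample(rng))
        losses.append(annualised_loss(lef, lm.sample(rng)))
    # quantiles(n=10) returns the 10%, 20%, ..., 90% cut points
    cuts = quantiles(losses, n=10)
    return {"mean": mean(losses), "p10": cuts[0], "p50": cuts[4], "p90": cuts[8]}


def risk_statement(lef: float, lm: Estimate) -> str:
    """Render the result the way the post prefers: a probability plus a loss range."""
    years_between_events = 1 / lef
    return (f"Expected about once every {years_between_events:g} years, with a loss "
            f"between ${lm.low:,.0f} and ${lm.high:,.0f}, most likely ${lm.most_likely:,.0f}.")


if __name__ == "__main__":
    pe = point_estimate()
    print("Point estimate:", pe)                       # LEF 0.5/yr, $15,000/yr
    print("Simulated range:", simulate())
    print(risk_statement(pe["lef"], LOSS_MAGNITUDE))
```

The point estimate reproduces the post's "1 in 2 years, most likely $30K" statement as an expected $15K per year, while the simulated p10/p50/p90 values show how wide that figure becomes once the uncertainty in each input is carried through; that spread is the honest answer when, as the post notes, frequency data is thin.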
Overall it still feels like a much better way of quantifying risk. I’ll end with a quote from the instructor. “Risk statements should be of probability, not of predictions or what’s possible.” It resonated with me as it is something I too often forget.