How Digitally Resilient Is Your Company?

Unlike the game Whack-a-Mole, where the object is to clobber a mole as it pops its head out of a hole, cyber threats are becoming more targeted and harder to whack, said Ray Rothrock, CEO of RedSeal, and author of the book, Digital Resilience: Is Your Company Ready for the Next Cyber Threat? on Monday’s episode 55 of Task Force 7 Radio. Rothrock was the guest of host George Rettas, the president and CEO of Task Force 7 Radio and Task Force 7 Technologies.

“The bad guys keep creating new threats all the time and come at organizations in different ways, he said. “I was a [venture capitalist] for 30 years and in the early days, I called it the ‘whack-a-mole strategy, and we had technology that would whack it. And that worked for 25 years.”

But as threats became more targeted, “it demonstrated to us that whack a mole was not exactly the perfect strategy to have anymore,” he said. “Since we don't know what that mole is going to look like, and we don't know which hole it's going to pop out of, we can't evolve technology fast enough; we've got to employ resilience strategies in our cyber process and operations.”

Resilience, he added, “means the ability to withstand an impairment of some sort and come out the other side looking like you handled the problem.” It starts with knowing what systems you have, how they are operating and how they were constructed, he said.

Cyber Security has constantly moving parts

In response to a question from Rettas about whether companies understand how to conduct a self-assessment of their cyber security system and reflect on their capabilities, Rothrock’s answer was a resounding no – unless they have been the victims of a cyber threat or narrowly avoided an attack.

Cyber security is “not a static thing,’’ but a lot of people treat it that way, he stated. Although smaller and medium-sized companies have likely deployed things like firewalls and antivirus software, “there's just not enough people and the technology is dated compared to where the threats are,’’ he observed.

Rettas said he believes companies are still putting too much energy into trying to avoid a hack instead of figuring out how to bounce back from one, and Rothrock agreed. “Your job as a system is to prevent [an attack]. But you're really going to be judged on how you respond,’’ he said.

A “large percentage” of security frameworks, including NIST, are based on prevention and detection, he maintained. “The problem is, now our systems are very porous: we have phones, we have Wi-Fi, we have clouds we have all this fabric that basically rips down the perimeter of the organization.”

Rothrock also pointed out that “unless you have a lot of capital and engineers, chances are the network you're operating on was built and designed by people that are no longer at the company. And chances are the documentation was poor -- if there is any documentation.” The two then talked about the cyber security breach retailer Target experienced in 2013, and how that was the seminal event that prompted companies to take further steps to protect themselves.

But the big mistake Target made, Rothrock noted, was electing to keep their operations up and running rather than shutting down the network to contain the malware.

That meant “they let the malware continue to operate and continue to exfiltrate this very sensitive data, 40 million customer records or something like that, and lo and behold they got in trouble,’’ said Rothrock. Several executives were subsequently fired because they did not protect their customer data. “They had lots of procedures, they had lots of technology, but at the end of the day they made a decision not to protect that data.”

Business continuity is more than backing up data

The show’s second segment began by picking up the discussion about Target. Even though that breach happened five years ago, many companies have still not deployed systems “in a more cyber resilient way,” Rothrock said. “So what happened to Target can happen to anybody.”

The two then shifted gears to talk about digital resiliency and the ability to keep systems up and running. Business continuity is not just about backups, Rothrock said.

“We also have to have cyber resiliency,’’ he emphasized. It’s not enough to just recover from a cyber attack; organizations need to have crisis management policies in place to be able to make the right decisions, he said.

Rettas asked how a business can detect these breaches earlier. Rothrock said there are companies that sell systems with “lots of detection capability agents” that look for a change in traffic patterns and will “infer a problem or a least infer an alert.”

When that occurs then those systems start to take an action, he continued. “They get an alert … [that] this IP is under attack, this device is under attack, or maybe it's under attack. You hand it to your incident response team and the incident response team investigates. And maybe it is, maybe it isn't; the first thing you want to do is isolate it or you can honey pot it, or you can do whatever your plan is -- you need to have thought that through.”

Detection, Rothrock added, “is just good old fashioned … shoe leather, where you have systems and capabilities and look for the clues.” Because cyber attack software has digital signatures, “this is very helpful in sorting out where the threats are and what kind of action you should probably take.”

Emerging threats from the IoT

In the show’s third segment, Rettas brought up Rothrock’s book, which talks about “unboxed computation environments” and asked him to explain what that is.

Rothrock said they are an “actual, virtual thing,” like the cloud, where servers can be spun up quickly. When a system is dynamic, he said it becomes harder to test.

That’s one emerging threat, Rettas pointed out. Cyber security in the age of the internet of things, is another.

These devices “were not designed with security in mind,’’ Rothrock noted. “In fact, sometimes it's not even considered in the design. It becomes a leap frog point or a transmission point … It's like a sneeze and the air that you're breathing carries the virus to the next person.”

The problem, he said, is that those systems cannot be retrofitted if a security problem is discovered. “So what you have to do is you have to design the network in which these things operate to be resilient or to be sufficiently architected to prevent a problem.”

Rettas then asked what is the best way to design resilience for networks and computer systems? Rothrock said the most popular method is segmentation.

“You have to have a router or a firewall at every junction, if you will … In a network, you want to think about the segments of activity where the data is stored, what's the important data, what's the not-so-important data. You need to think about that before you design, before you just throw things up and make them go.”

All of that gear has to be programmed and tested, he added. “You need to make sure that you've got the segmentation in place, that the firewalls and routers are doing what you want.”

But sometimes, accidents occur during the test phase, which Rothrock called “the ‘fat thumb’ problem.’’ Half of the mistakes made happen because “someone was typing too fast. They hit a two rather than a three and they didn't go back and test it. We've seen whole networks where they take them down to do maintenance and they forget to put them back.”

Then IT will wonder why an e-commerce site isn't running, he said. “I was actually in the room once when that happened, and it was an embarrassment to the operators.”

Even though “Humans are pretty darn good at designing things and we're pretty good at building things,” he said, “it’s critical to go back and check them.”

The human element

In the show’s final segment, Rettas asked Rothrock to hone in on the role users play in making networks vulnerable.

“It is the human factor, the human failing, the human frailty, that causes most of the trouble,’’ Rothrock said. People make mistakes, so they have to be continually trained about cyberthreats and how to “manage your relationship with the world on the digital front,’’ he said.

“There's a lot of talk about social engineering and the young people today aren't as concerned about privacy,’’ he added. Cyber training may be expensive for HR to implement, he noted, “but it's essential.”

Rothrock then relayed a story about one of his board directors who was staying at a “nice hotel in San Jose.” She logged on to that hotel's Wi-Fi network, like most people do and saw the name of the hotel. So she put in her room number and her name. “When she showed up at my office the next day, because her computer was known to us, she connected to the network, and all my alarm systems went off. It just went nuts,’’ Rothrock recalled. “She had been phished, not on an email, but she had been phished into logging into a fake network that looked like the hotel network, and it had deposited malware.”

The woman didn’t do anything wrong, he added, “but that's how sophisticated these attacks are, so people are in the middle of this thing.”

Even the most sophisticated cyber security person can be duped, like this woman, he said.

Rettas asked who should really take ownership of these networks and how important is it for the c-suite and the boards to be involved?

Rothrock said it's very important that boards get involved, especially CEOs.

Cyber security should no longer fall solely under the purview of IT, he said. “The network is the business of the company, so that puts it in the c-suite automatically. As we all know, culture, process, attitude, everything starts with the leadership in the organization whether it's the CEO” or someone else.

Never, he stressed, should someone log onto a company’s free public Wi-Fi and start conducting mission-critical business.

Resiliency in the cloud

Another emerging threat where resiliency is very important is the cloud, and figuring out how to keep data safe, Rettas commented.

“The cloud is probably safer than these old legacy networks in many respects,’’ Rothrock said, because it has been designed “with modern software programming techniques.” But he added that “the truth is, we don't know really what's going on out there as a user, and these clouds can go away.”

Even though cloud providers offer disaster recovery plans, “we may need to think more about it,’’ Rothrock said, and make sure you have resiliency and backups in place. One of his customers, Stanford Health Care, he said, “has 5.7 million vulnerabilities in their network, and their network's pretty big and complicated. Which ones matter? Which ones are important to them?” The healthcare system uses a lot of software to help, he said, but organizations need to prioritize what data is most important.

Then they have to determine where that data resides, if it is properly segmented and if there are firewalls and routers managing that data.

“All of that matters and so we have to have the visibility … into where that data is, how it's being moved around and who has access to it,’’ Rothrock said. That is it, really, at the end of the day.”

The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.

To listen to this and past episodes, click here.