As our reliance on digital, connected devices increases, so does our need for security. Secure systems must provide the necessary capabilities to protect assets from harm. These systems rely on an explicit definition of their security requirements to describe precisely which actions in a system are allowed and which ones are prohibited. Once security requirements are specified, it becomes possible to concentrate on the security controls by which these security requirements can be satisfied.
Tools, techniques, and methods to deploy those security controls abound, but ultimately cyber security professionals need to adopt a particular mindset to best protect their organisation's data and infrastructure. The need for staff to adapt their thinking and embrace an even more vigilant approach to cyber security is more important than ever, as many organisations have reported an increase in cyber attacks amidst the coronavirus outbreak. This article describes the principles that professionals need to adopt during this period of remote working, as well as for the future.
- Think Trade-off
“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.” said Gene Spafford. Of course, this may be your unrealistic professional ambition; however, before deploying any security control, a professional must first identify the goals and requirements of their organisation and what is needed to achieve them. On the cyber security microcredential I teach on FutureLearn, we encourage our professional learners to adopt the ‘it’s not if, but when’ mindset. We want our learners to understand that stopping an attack or finding the threat actor responsible in the short term isn’t enough; there needs to be a longer-term plan to prepare for the worst. Professionals must therefore define the organisation’s most valuable assets and the costs of protecting them. Only then can they deploy mechanisms to protect those assets.
Cybersecurity professionals must also think about optimising the resources required to deploy those mechanisms, following the Pareto principle: roughly 20% of the effort achieves 80% of the goal. For example, setting up a firewall at all is the first 20% of effort that delivers most of the improvement in security; fine-tuning every rule and parameter will improve security further, but the effort and expertise required are much greater. Some actions, such as changing default passwords, setting up a firewall, or running anti-virus software, require minimal effort but significantly reduce the likelihood of cybersecurity incidents, especially those caused by novice attackers. Other actions, such as designing a fault-tolerant architecture or encrypting large volumes of data, may have a significant cost and may not always be justified or required.
- Think cyber-physical-social
People are at the heart of all organisations, and so they should be at the heart of their cyber security solutions. As with trade-offs, usability is an important factor. A recent survey by the UK Government shows that human behaviour, such as staff not adhering to organisational policies, contributes to 42% of security incidents. However, systems often place too many obligations on their users and staff that are, to a large extent, arbitrary and cumbersome.
For example, most companies require staff to have a different password for each account, to use a mix of characters in their passwords, to re-enter them before every critical action, and to change them every 90 days, which often leads to weaker passwords. Security policies can therefore cause friction in the way users want to interact with systems. Yet the usability of systems is critical for their acceptance by users and ultimately for their effectiveness.
In other words, while many technical disciplines focus primarily on the technical infrastructure, security requires taking people, processes, and governance into account. This means that protecting the organisation’s infrastructure is not solely the task of cyber security professionals: all staff should have some understanding of the principles, challenges, threats and opportunities of security operations and of how an attack or potential cyber incident should be handled. Educating members of staff about security is essential, as is establishing processes for reporting and handling incidents.
Finally, with the prevalence of BYOD and the Internet of Things, cybersecurity professionals also have to consider the interplay between cyber and physical aspects. Attackers can exploit a digital network to gain access to, and damage, the physical equipment connected to it (e.g., the German Steel Mill attack) and, conversely, compromise large numbers of physical devices connected to the network and use them to orchestrate attacks against third-party cyber systems and services (e.g., the Mirai botnet).
- Think like an attacker
Security is not a zero-sum game: the gain of the attacker does not equal the loss of the defender. Therefore, understanding the goals, assets, and risks of the organisation is not enough. It is also important to understand the goals of potential attackers and what they stand to gain by obtaining access to the organisation’s assets. Cybersecurity professionals therefore need to define what are called anti-requirements or abuse frames, which make explicit the potential adversarial behaviour of attackers, and then design mechanisms to prevent that behaviour.
- Think Resilience
While a well-designed security system is paramount, a well-motivated, well-resourced attacker can still compromise and manipulate a secure system. Organisations are often judged on how they recover from attacks and restore their services more than on their ability to prevent attacks completely. In this context, adaptation and resilience are essential. Adaptive security systems continuously monitor, analyse, and deploy appropriate security controls. At the heart of those processes is the acquisition of knowledge. That knowledge helps to make more informed decisions about trade-offs and about which security controls work (and which do not), as well as to better understand attackers.
It is becoming a bit of a cliché to say that failure helps to strengthen security systems, but encountering failure and attacks, whether real or simulated, helps build knowledge, which in turn builds resilience. For example, Netflix has implemented The Simian Army, a set of tools aimed at building knowledge by injecting failure into production systems and evaluating how the system recovers from it.
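The two ideas above, an adaptive control that monitors, analyses and acts, and deliberately injected failure to learn how the system behaves, can be exercised together in a small harness. The Python below is an added example written for this article; it is not Netflix's Simian Army code nor code from the author. A service reads a value through a flaky dependency guarded by a circuit breaker; a fault injector takes the dependency down for a window of requests, and the experiment is run with and without the breaker so the two controls can be compared. The names (FaultInjector, CircuitBreaker, Service, run_experiment), the outage window and the breaker thresholds are all assumptions chosen for illustration, and a request counter stands in for wall-clock time.

```python
"""Failure injection against an adaptive control.

Added example (not Netflix's Simian Army, nor code from the article). A
service reads a value through a flaky dependency. A circuit breaker
monitors failures, analyses them against a threshold, and deploys a
control (serve a cached fallback, probe periodically for recovery). A
fault injector takes the dependency down for a window of requests so we
can measure how the service degrades and recovers, with and without the
breaker. All inputs are constructed; `tick` stands in for wall-clock time.
"""
from dataclasses import dataclass, field


class DependencyDown(Exception):
    """Raised by the dependency while the injected outage is active."""


@dataclass
class FaultInjector:
    """Constructed outage: the dependency fails for ticks in [start, end)."""
    start: int
    end: int

    def is_down(self, tick: int) -> bool:
        return self.start <= tick < self.end


@dataclass
class FlakyDependency:
    injector: FaultInjector
    outage_hits: int = 0  # requests that reached the dependency while it was down

    def fetch(self, key: str, tick: int) -> str:
        if self.injector.is_down(tick):
            self.outage_hits += 1
            raise DependencyDown(f"{key} unavailable at tick {tick}")
        return f"{key}@{tick}"


@dataclass
class CircuitBreaker:
    """Monitor -> analyse -> act: open after N consecutive failures, then
    let one probe request through every `probe_interval` calls."""
    failure_threshold: int = 3
    probe_interval: int = 5
    state: str = "closed"
    consecutive_failures: int = 0
    calls_while_open: int = 0
    transitions: list = field(default_factory=list)

    def allow(self) -> bool:
        if self.state == "closed":
            return True
        self.calls_while_open += 1
        return self.calls_while_open % self.probe_interval == 0

    def record_success(self) -> None:
        if self.state == "open":
            self.state = "closed"
            self.transitions.append("closed")
        self.consecutive_failures = 0
        self.calls_while_open = 0

    def record_failure(self) -> None:
        self.consecutive_failures += 1
        if self.state == "closed" and self.consecutive_failures >= self.failure_threshold:
            self.state = "open"
            self.transitions.append("open")


class NoBreaker:
    """Baseline control: every request goes straight to the dependency."""
    transitions: list = []

    def allow(self) -> bool:
        return True

    def record_success(self) -> None:
        pass

    def record_failure(self) -> None:
        pass


class Service:
    def __init__(self, dep: FlakyDependency, breaker) -> None:
        self.dep, self.breaker = dep, breaker
        self.cache: dict[str, str] = {}

    def get(self, key: str, tick: int) -> tuple[str, str]:
        """Always answers: fresh data when possible, last-known-good otherwise."""
        if self.breaker.allow():
            try:
                value = self.dep.fetch(key, tick)
            except DependencyDown:
                self.breaker.record_failure()
            else:
                self.breaker.record_success()
                self.cache[key] = value
                return ("fresh", value)
        return ("fallback", self.cache.get(key, "no-data"))


def run_experiment(use_breaker: bool, ticks: int = 40, outage=(10, 25)) -> dict:
    """Drive `ticks` requests through an injected outage and report metrics."""
    dep = FlakyDependency(FaultInjector(*outage))
    svc = Service(dep, CircuitBreaker() if use_breaker else NoBreaker())
    outcomes = [svc.get("config", t) for t in range(ticks)]
    recovered_at = next(
        (t for t, (kind, _) in enumerate(outcomes) if t >= outage[0] and kind == "fresh"),
        None,
    )
    return {
        "answered": len(outcomes),  # every request got an answer, fresh or stale
        "fresh": sum(kind == "fresh" for kind, _ in outcomes),
        "fallback": sum(kind == "fallback" for kind, _ in outcomes),
        "outage_hits": dep.outage_hits,
        "recovered_at": recovered_at,
        "transitions": list(svc.breaker.transitions),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("breaker" if flag else "no breaker", run_experiment(flag))
```

The numbers the experiment produces are the knowledge the paragraph talks about. With the constructed 15-request outage, the breaker cuts the requests that hammer the failing dependency from 15 to 5 and still answers all 40 requests, but it notices recovery two requests later than the baseline (tick 27 rather than 25) and so serves two more stale answers. Whether that trade-off is acceptable depends on the asset being protected, which is exactly the decision the earlier sections ask professionals to make explicitly.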
Ultimately, cybersecurity is not only about tools and techniques; it is also about a mindset. Understanding the goals and assets of your organisation, and the risks and impact of attacks on those assets, helps prioritise and direct resources where they maximise protection. Understanding adversarial behaviour gives insight into where to put effort. Finally, understanding the role that human processes play in security helps create more sustainable secure systems that have the buy-in of their users.