Just as a healthy body can’t dodge every bacterial infection that comes its way, a sound organization should accept that it cannot avoid getting hacked. That’s how Michael Chertoff, former secretary of the U.S. Department of Homeland Security and co-founder and executive chairman at the Chertoff Group, explains the reality of today’s threat environment to security professionals.
“Anybody telling you that you are going to avoid ever getting hacked is blowing smoke at you … because you can’t stop getting hacked, but what you can do is manage the risk of getting hacked,” Chertoff told the audience at the recent Cybertech conference in Fairfax, Va.
With the interdependence of the internet, the issue of vulnerability or attack surface is no longer restricted to an organization’s own network, Chertoff said, speaking about the trends and challenges in cybersecurity. And that vulnerability will only increase as more things become internet-enabled.
Mirai-like malware, for example, uses internet of things (IoT) devices to launch distributed denial of service attacks, he said, referring to how IoT is affecting security and privacy.
“By bringing the IoT devices into play, we have not considered the fact that it’s going to be a problem not only for those who own these devices and may find malware coming in from these devices, but for everybody else who will become a victim of these botnets,” he said.
At the same time, ransomware attacks like WannaCry prove that surface area issues are not just a question of zero-day exploits or cutting edge malware; they are often about human failure to take simple steps like installing patches on time, Chertoff said.
Dealing with these threats as a society is of paramount importance, he said, because a failure at one organization can affect multitudes. “The ability to act collectively in order to protect ourselves and our community is an important part of cybersecurity strategy.” People need to be educated on the solutions out there that can help them manage risks in today’s threat environment.
Chertoff circled back to his infection analogy: Just as the human body uses the immune system as a second line of defense, organizations should adopt an equivalent model to their cybersecurity risk management approach, he stressed. They should focus on the attack pathway when securing their networks, because the problem is not just the initial breach, he said. Once the attackers have penetrated the company’s network, they will steal credentials, identify the data that’s going to be stolen and then execute the exfiltration of that data, all resulting in systemic damage to the network – and beyond.
“At each of these stages you have an opportunity to deploy and exercise your immune system to stop and mitigate the damage and that’s when you use a whole set of tools, which I think is a more holistic approach to security,” he said.
When configuring their networks, organizations should consider security measures like identity authorization and role-based access control to determine a user’s access rights, network segmentation to supervise what’s going on within their networks, and privileged user monitoring to flag behavior that deviates from the norm, he advised.
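Two of the measures listed above, role-based access control and privileged user monitoring, are concrete enough to show working together. The following is an added example written for this article, not code from Chertoff or the Chertoff Group: it assumes a constructed role-to-permission policy and a constructed access log, learns each user's normal hours, actions and transfer sizes from the earlier days of the log, and then reviews later events, denying anything the user's role does not grant and flagging privileged-user activity that departs from that baseline.

```python
from collections import defaultdict

# Constructed RBAC policy (assumed for this example): role -> set of (resource, action) it grants.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "dba": {("customer_db", "read"), ("customer_db", "export")},
    "admin": {("customer_db", "read"), ("customer_db", "export"), ("iam", "modify")},
}
# Roles whose activity receives the extra behavioural monitoring.
PRIVILEGED_ROLES = {"dba", "admin"}
# Events dated before this day form the per-user baseline; later events are reviewed.
BASELINE_CUTOFF = "2024-01-05"
# Flag a transfer larger than this multiple of the user's largest baseline transfer.
VOLUME_FACTOR = 3

# Constructed sample access log (not real data). Columns:
# timestamp user role resource action bytes
SAMPLE_LOG = """\
2024-01-02T09:12:00 alice dba customer_db read 2048
2024-01-02T14:30:00 alice dba customer_db read 1024
2024-01-03T10:05:00 alice dba customer_db read 4096
2024-01-03T11:40:00 bob analyst reports read 512
2024-01-04T09:50:00 alice dba customer_db read 3072
2024-01-04T15:10:00 bob analyst reports read 256
2024-01-05T03:15:00 alice dba customer_db export 900000
2024-01-05T10:00:00 alice dba customer_db read 2048
2024-01-05T11:00:00 bob analyst reports read 400
2024-01-05T11:30:00 bob analyst customer_db export 700000
"""


def is_permitted(role, resource, action):
    """Role-based access check: allow only if the role explicitly grants the pair."""
    return (resource, action) in ROLE_PERMISSIONS.get(role, set())


def parse_log(text):
    """Turn the whitespace-separated log into event dicts; hour is taken from the timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, resource, action, nbytes = line.split()
        events.append({"ts": ts, "user": user, "role": role, "resource": resource,
                       "action": action, "bytes": int(nbytes), "hour": int(ts[11:13])})
    return events


def build_baseline(events):
    """Per user: the hours, actions and largest transfer seen before BASELINE_CUTOFF."""
    baseline = defaultdict(lambda: {"hours": set(), "actions": set(), "max_bytes": 0})
    for e in events:
        if e["ts"][:10] >= BASELINE_CUTOFF:
            continue
        b = baseline[e["user"]]
        b["hours"].add(e["hour"])
        b["actions"].add(e["action"])
        b["max_bytes"] = max(b["max_bytes"], e["bytes"])
    return baseline


def review_events(text):
    """Return (denied, deviations): RBAC denials and privileged-user baseline deviations."""
    events = parse_log(text)
    baseline = build_baseline(events)
    denied, deviations = [], []
    for e in events:
        if e["ts"][:10] < BASELINE_CUTOFF:
            continue  # baseline period, already learned from
        if not is_permitted(e["role"], e["resource"], e["action"]):
            denied.append(e)  # the role never granted this; no need to consult behaviour
            continue
        if e["role"] not in PRIVILEGED_ROLES:
            continue  # only privileged accounts get the behavioural review here
        b = baseline.get(e["user"])  # .get() so an unknown user does not create an empty baseline
        if b is None:
            deviations.append({"event": e, "reasons": {"no-baseline"}})
            continue
        reasons = set()
        if e["hour"] not in b["hours"]:
            reasons.add("off-hours")
        if e["action"] not in b["actions"]:
            reasons.add("new-action")
        if e["bytes"] > VOLUME_FACTOR * b["max_bytes"]:
            reasons.add("volume")
        if reasons:
            deviations.append({"event": e, "reasons": reasons})
    return denied, deviations


if __name__ == "__main__":
    denied, deviations = review_events(SAMPLE_LOG)
    for e in denied:
        print("DENIED  ", e["ts"], e["user"], e["role"], e["resource"], e["action"])
    for d in deviations:
        e = d["event"]
        print("DEVIATES", e["ts"], e["user"], e["action"], e["bytes"], sorted(d["reasons"]))
```

On the constructed log the role check stops the analyst's attempted export outright, while the DBA's 03:15 export is permitted by role but stands out on three counts at once (hour, action and volume), which is the kind of deviation the monitoring layer exists to surface. A real deployment would build the baseline over a longer window and feed the findings into alerting rather than printing them.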
“In the end what defines your strategy for securing yourself are your policies, governance … your understanding of what the key assets are and then your ability to train people and deploy them with technology to execute the plan,” he said.