Lessons in Layered Cybersecurity – Part 1
Organizations must have a layered, holistic approach to cyber resiliency
“Beyond confirming that even high-profile software vendors and well-funded organizations get hacked, the SolarWinds incident serves as an important reminder that every organization – big or small – should think critically about a holistic and layered security approach that includes addressing potential failure points among people, process, and yes, even technology.”
Rodney Turner, Director, Solution Engineering
Niki Rabren, Executive Director Cybersecurity & Professional Services
The December Breaches That Rocked Us All
As if 2020 needed any more drama, the month of December gave us two shocking reminders that even the strong can be weak when it comes to cybersecurity, and organizations cannot be secure without a layered, holistic approach to cyber resiliency.
The first example is the incident of an “ethical hacker” in the Netherlands who was able to access Donald Trump’s Twitter account by a simple password guess, “maga2020!” Fortunately, no damage was done, but it magnifies the importance of educating users on creating complex passphrases instead of passwords (e.g. “thecr0wflies@midnight!”). Otherwise, a little bit of knowledge and an educated guess could compromise even the most protected user.
But the biggest year-end event that shook the technology world was the malicious hack that occurred with the SolarWinds Orion software platform. In case you missed it, this hack exploited deficiencies in SolarWinds’ Orion platform, which then affected as many as 18,000 customers. The main targets appeared to have been many US government agencies and DoD-related organizations, including the US Treasury and Commerce departments and the Department of Homeland Security. This vulnerability may also be the same one used for the breach at FireEye and other federal and commercial organizations that occurred late in 2020.
What Does This Mean for My Program?
Beyond confirming that even high-profile software vendors and well-funded organizations get hacked, the SolarWinds incident serves as an important reminder that every organization – big or small – should think critically about a holistic and layered security approach that includes addressing potential failure points among people, process, and yes, even technology.
Today we’ll focus on people and process, and next week we’ll follow up with our perspectives on technology.
Failure-Proofing People and Process
Let’s look at the role “people” played in the SolarWinds attack. To carry out the attack, the threat actors were able to compromise a Microsoft Exchange email account at a US-based think tank. The email user knew the account had been breached and, like an exemplary security-minded user, changed the account password to prevent future breaches. That should have prevented further breaches, right? Wrong.
Unfortunately, the threat actor used existing tools in the user’s environment to gain access to a pre-shared key for its two-factor authentication software – in this case Duo MFA. Even though the account password had been reset, the user missed resetting the MFA integration’s API keys, which enabled the threat actor to stay in the environment and do further harm. This isn’t a failure of the technology, but of the people (and processes) operating the technology.
So, what can we learn from this?
Layering Your Approach to Cyber Education
Let’s talk first about people. Forgive us if this sounds like we’re stating the obvious, but human error is responsible for 90% of all breaches.
We’ve already mentioned the importance of establishing a password policy and educating users about how to create complex password phrases instead of passwords. However, this isn’t enough. It is important to implement a layered approach to cyber education across all topics, not just password policies, to keep good cyber hygiene top of mind.
It’s also not enough to rely on annual or periodic mandatory training to empower users. Organizations must continually educate users in new and creative ways to reinforce cyber awareness messages that get users’ attention and motivate behaviors that keep data safe. Using multiple formats across different media to reinforce these messages is important. Solutions like AwareForce, KnowBe4, and Proofpoint provide great out-of-the-box content to achieve this objective.
Layering Processes to Reduce Failure Points
Now let’s talk about process. While establishing a password policy is great, adding an enforcement layer to make sure people are following the policy is even better. It is also important to make sure password policies are enforced across all users – including those in IT who manage networks and systems. It may sound like we’re stating the obvious, but the Tier4 Secure team has seen a lot of breaches that resulted from poor or breached IT admin passwords. Tools like Netwrix, Thycotic, and Cyberark can help organizations manage the enforcement to lighten the burden on IT and Security resources.
But let’s go a layer deeper. While the breached email user in the SolarWinds attack changed the account password, no one changed the API keys on the MFA software. This key step was missed and the security tools in place were unintentionally mismanaged because of the oversight. As a result, the threat actors were able to continue their exploits.
Changing the MFA API key could have been triggered with an incident response (IR) plan that holistically addressed the people, processes, and technology within the think tank organization. It’s important to analyze a variety of potential breaches (e.g. email, network, etc.) and address failure points across the entire people/process/technology spectrum, establishing remediation protocols accordingly. Even though various orchestration solutions offer the promise of automating remediation, it’s important to ensure that IR processes address human actions in managing the tools in the environment. There can be no single point of failure.
Thinking through proper breach protocols for all systems and users in advance will improve the likelihood of preventing bad actors from doing greater damage. Until AI truly runs all our systems and lives, we will have people who operate the tools, and processes must account for this reality.
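The rotation gap described above (password reset, MFA integration key left alone) is easy to catch if the IR playbook works from an inventory of every secret bound to the compromised identity rather than from memory. The following Python script is an added example, not code from the original post or from Tier4 Secure: it takes a constructed credential inventory, a compromised principal and the estimated compromise time, and returns every secret that has not been rotated since, grouped by the team that owns the rotation. The inventory format, the principal names, the `ROTATION_OWNER` mapping and all timestamps are assumptions made up for the example.

```python
"""Post-compromise credential rotation check (added example; not the post's own code).

Assumption (constructed): the organization keeps an inventory of every secret
bound to an identity -- account password, MFA integration/API key, mail API
tokens, OAuth refresh tokens -- with the time each was last rotated. After an
account compromise the playbook must rotate ALL of them, not just the password.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical mapping of credential kind -> team responsible for rotating it.
ROTATION_OWNER = {
    "password": "helpdesk",
    "mfa_integration_key": "identity-team",
    "mail_api_token": "messaging-team",
    "oauth_refresh_token": "identity-team",
}


@dataclass(frozen=True)
class Credential:
    principal: str       # identity the secret is bound to
    kind: str            # one of the ROTATION_OWNER keys (or unknown)
    name: str            # human-readable label for the secret
    last_rotated: datetime


def parse_inventory(text: str) -> list[Credential]:
    """Parse a CSV inventory with columns principal,kind,name,last_rotated (ISO-8601)."""
    creds = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["last_rotated"])
        if ts.tzinfo is None:           # treat naive timestamps as UTC
            ts = ts.replace(tzinfo=timezone.utc)
        creds.append(Credential(row["principal"], row["kind"], row["name"], ts))
    return creds


def stale_credentials(inventory, principal, compromised_at):
    """Secrets bound to `principal` that were NOT rotated after the compromise.

    Anything rotated at or before `compromised_at` may have been captured by the
    intruder and is still valid, so it must be rotated.
    """
    return [c for c in inventory
            if c.principal == principal and c.last_rotated <= compromised_at]


def rotation_actions(inventory, principal, compromised_at):
    """Turn the stale list into playbook actions keyed by the responsible team."""
    actions = {}
    for c in stale_credentials(inventory, principal, compromised_at):
        owner = ROTATION_OWNER.get(c.kind, "security-operations")
        actions.setdefault(owner, []).append(f"rotate {c.kind}:{c.name}")
    return actions


# Constructed sample: the password was reset after the compromise, but the MFA
# integration key and a mailbox API token were not. A second principal shows
# that unrelated secrets are left out of the action list.
SAMPLE_INVENTORY = """\
principal,kind,name,last_rotated
analyst@thinktank.example,password,AD-account,2020-11-20T09:00:00+00:00
analyst@thinktank.example,mfa_integration_key,owa-mfa-integration,2019-06-01T00:00:00+00:00
analyst@thinktank.example,mail_api_token,ews-service-token,2020-02-10T12:00:00+00:00
other@thinktank.example,mfa_integration_key,vpn-mfa-integration,2019-06-01T00:00:00+00:00
"""
COMPROMISED_AT = datetime(2020, 11, 15, tzinfo=timezone.utc)   # constructed

if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    todo = rotation_actions(inv, "analyst@thinktank.example", COMPROMISED_AT)
    for team, items in todo.items():
        print(team)
        for item in items:
            print("  -", item)
```

Run as-is, the script lists the MFA integration key for the identity team and the mailbox API token for the messaging team, and says nothing about the password because it was already rotated. The useful design point is that the check is driven by data (the inventory and the compromise time), so the playbook does not depend on anyone remembering that an MFA integration has its own secret.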
But What About Technology?
With that said, there are plenty of technology lessons learned from these incidents that we’ll address next week. To be continued…