August 25, 2020
Why Traditional Risk Assessments May Not Prepare You for a Cyber Attack
An intriguing cybersecurity question was once posed to me by the chief information security officer (CISO) of a prestigious healthcare system. The hospital had recently completed an extensive NIST 800-53 and HIPAA cybersecurity and privacy assessment conducted by a third party. Overall, the hospital did a decent job, and although some gaps were found, they were not critical. The organization had vastly matured since the prior year’s assessment and did much better than most industry peers of similar size and complexity.
Yet, when we conducted a penetration test, the results were devastating. Our team could access critical systems, deploy malware, and exfiltrate data without their security operations center noticing and without raising any alerts. These results brought us to the question posed by the CISO: “Why is your team so successful, even though our assessment showed we were doing well from a policy, process, and practice perspective?”
Risk assessments often create a false sense of security. We will dive into the reasons why and what you can do to realize a better return on a cybersecurity assessment program.
First, why do many organizations struggle with realizing value from a cybersecurity risk assessment? In most cases, security and privacy assessments or audits are conducted by individuals who do not practice cybersecurity, using a checklist approach. They may be well-versed and certified in evaluating an organization’s adherence to a framework or standard, but they typically do not have the real-world experience to validate that standard. Unfortunately, this means they think not like an attacker but more like an auditor.
Many of the standards and frameworks relied upon are also outdated. The issue here should be apparent. If a framework or standard is outdated—and the person conducting the assessment is not a real-world practitioner who can advise you—you will have a gap on two dimensions at once. This is the difference between the effectiveness of the framework’s principles and the current threat landscape.
You may meet all the framework requirements, but that does not mean you have deployed a cybersecurity strategy that respects your enemy’s audacity. If the cybersecurity and privacy frameworks we rely on are outdated, then isn’t our entire approach also obsolete?
That brings me to the second reason why assessments may fail. In many cases, they are not informed by your enemy’s tactics. To question if a practice is relevant, you must understand your systems and capabilities and remember that the attacker has a vote. They do not care about how well you adhere to a framework or not.
The third issue with assessments is that they are often overly cumbersome. We must evolve quickly to address the current threat landscape. When an assessment requires a review of 300, 500, 700, or more line items with potentially hundreds if not thousands of gaps, it quickly becomes unmanageable.
This approach leads to misalignment between the on-the-ground IT security teams, senior management, and potentially the board of directors. Ultimately, this lack of clarity and understanding can lead to a misunderstanding of priorities, support for critical policies and procedures, and a lack of funding to adequately protect the organization. Not to mention that addressing hundreds of gaps is a significant challenge for any team that is usually understaffed or under-experienced.
We often find that many organizations make little progress, if any, year over year in addressing identified gaps. Why?
One way that organizations address the issue of being overwhelmed is what I call Compliance Island Syndrome, which occurs when the sole focus is on assuring compliance with a regulation or framework. For instance, compliance or security personnel will focus on guaranteeing that only those systems which contain personal health information (PHI) are HIPAA compliant. However, other systems on the network are not kept to the same standards required by HIPAA since they do not interact with or manage PHI. This creates an island of systems compliant in a sea of systems that are possibly insecure or not maintained to the same standard.
An example of how this plays out in the real world is corporate websites. In doing an assessment, we will hear the corporate site is managed by marketing and not part of IT, or it is hosted elsewhere and not a concern. However, regardless of whether a system contains data or is addressed explicitly by regulations such as HIPAA, you must ensure it is secured to the same standard as those under the regulatory statute.
Attackers know many organizations create compliance islands, which is why this is such a critical risk. Let us illustrate how this provides a gap that an attacker can easily exploit, and why this provides a false sense of security.
Assume a corporate website is located at a third-party hosting site. The site is managed by a consultant who reports to your marketing organization. Marketing does not come under the IT group, and your IT team has stated that since this is not on the corporate network, it is not in the scope of the assessment. Before we address all that is wrong with that last item, let’s walk through how an attacker (whom we’ll call Rei) exploits it.
Rei understands there is a high probability that someone in your organization’s marketing department will log in to that corporate website, either the production or the staging site. So Rei would find a way to exploit the website and deploy malware that waits quietly until a marketing team member accesses the site to perform a task. Now stop and think about how that team member will access the marketing site. They probably use a corporate laptop connected to the corporate network, which gives Rei a pivot into your environment. Rei is now on your system.
Let’s walk through the errors. First, the auditor did not point out that this attack was possible and that leaving the corporate website out of scope was dangerous. But how would the auditor know about this threat if they have no day-to-day experience with attacking systems? Second, the framework employed more than likely does not deem the corporate website a critical system or place it within the purview of any compliance requirement. It may also not consider things like pivot attacks because it is outdated. Last, we embraced Compliance Island Syndrome and decided that systems not required to meet compliance are not worth auditing.
Ultimately, assessments create a false sense of security because we do not employ them in a manner that reduces overall risk as it relates to the current threat landscape. That does not mean they have no value; we just need to find a way to ensure they are relevant and drive organization-wide alignment. We need to confirm they are easily repeatable so progress can be measured in a more agile manner than yearly. We also need to make sure that those conducting the assessments have current, relevant experience and can engage in discussions and debates beyond just checking the box on an evaluation.
One framework we have seen yield tremendous value is the Department of Energy Cybersecurity Capability Maturity Model or C2M2. It was designed to help rapidly determine the maturity of organizations.
The complete process can be completed in just a few days. Unlike other frameworks, C2M2 does not create massive disruption to the organization, and it is much more economical than an 800-53, CSF, or HIPAA assessment. Another considerable benefit is that it creates boardroom-to-basement alignment. Even the most non-technical individual can easily understand the output and see precisely where the organization stands from a cybersecurity maturity perspective.
C2M2 works across ten domains, each addressing a critical aspect of cybersecurity. For each domain, a maturity score is provided. Once completed, you have a valuable tool that allows you to prioritize your cybersecurity strategy, develop a specific roadmap for addressing maturity, and a practical method for organization-wide discussions regarding cybersecurity. The assessment can be repeated every quarter or every six months, to measure progress and adjust priorities and practices for the current threat landscape. Further, with the right person leading the C2M2 assessment, you can use it to evaluate, discover, debate, and discuss what you are doing and how to get better.
Aside from C2M2, one of the recommended items is ensuring you understand the primary objective for doing an assessment. Is it to satisfy a regulatory or compliance requirement, or to safeguard systems and personnel? These are not the same, and the correct answer is not both.
If your answer is to satisfy a regulatory or compliance requirement, then your assessment’s focus, depth, and outcome will be vastly different. I would argue that it may lead to a false sense of security because the emphasis is on attaining a check mark.
On the other hand, if the primary objective is to use the assessment to safeguard systems and personnel better, the evaluation criteria will be different. Chances are you will be focused on ensuring you have executive understanding and alignment. You can put the findings to work as part of a comprehensive strategy.
C2M2 can be tailored to your objectives. For example, if you want to satisfy a compliance requirement, C2M2 can work. It is also a fantastic tool for gaining an honest assessment of your maturity. Furthermore, it can engage your organization in a holistic process to safeguard your systems and personnel better.
At CloudWave, when we conduct a C2M2 Workshop, we use it not only as a means to help clients meet regulatory requirements but much more. C2M2 can help develop a clear cybersecurity roadmap and strategy, validate evidence of practice, create boardroom-to-basement alignment, identify resource and policy gaps, and provide an engagement that helps identify the organization’s ability to deal with current real-world threats.
Regardless of the approach you take, it is vital that you do the following before your next assessment:
- Ensure that your auditor has real-world cybersecurity experience. They should be able to understand the attacker’s mindset, articulate current security threats, evaluate defenses beyond the framework employed, and challenge your organization to think and evolve.
- Determine whether your framework is outdated. That does not mean you should not use it, but you should realize it will have inherent gaps that you can plan on addressing.
- Determine how to reduce identified gaps to a set the organization can address. Avoid falling into the trap of just addressing all the critical, then the high, medium, and someday low. Instead, address identified gaps based on a variety of factors, only one of which is severity.
- Determine if you are employing Compliance Island Syndrome and, if so, find a way to get off the island and deploy a holistic cybersecurity strategy.
- Determine your primary objective for doing an assessment, as this will guide you and illustrate your overall cybersecurity culture.
To see an example of how an innovative hospital used the C2M2 approach to successfully meet its objectives, read the case study, Lake Regional Achieves Cybersecurity Boardroom Alignment Using CloudWave’s Sensato Cybersecurity-as-a-Service Solution.
John Gomez is the chief security and engineering officer at CloudWave.