Mark Brown, Global Managing Director at BSI Cybersecurity and Information Resilience, shares his expertise on the best methods for building a cybersecure world and mitigating cyberattacks – from how to enhance your penetration testing regime and secure your connected systems and technologies, to overcoming the challenges of data governance.
With a presence in the US, UK and Ireland, EMEA, Japan and Australia, BSI's global expertise and services enable our clients to respond better to cyber threats and build more resilience around their critical information and IT infrastructure, protecting their information, people and reputation, and helping to construct a more cybersecure world. We enable a state of enhanced and sustainable information resilience through an integrated set of products and technical and consulting expertise in the areas of cybersecurity, security awareness and training, information management and data protection, compliance, and data risk advisory services.
Operational Technology (OT) systems
The world has faced an increase in attacks against computer systems. Daily news reports highlight incidents of breached companies, systems shut down by ransomware, and even hospitals unable to accept new patients because of a cyberattack. What is missed in most of the reporting, however, is that nearly every cyberattack also affects Operational Technology (OT) systems.
So, what are typical OT systems? OT is simply a computer or electronic system that can change the physical world. Companies use OT systems daily without thinking about them or the technological infrastructure running behind the scenes. OT systems range from the printers or large copiers in an office that report their ink levels, to the physical security systems that control door locks with employee badges, to the sprinkler systems protecting that same office from fire. Has your organisation considered the risk that comes with these OT systems?
The honest answer for most organisations is no. Security may have been thought about, but no action followed because there had never been an issue. After all, the equipment is well designed, so you should not have to think about it – right? The same thought process has played out for many OT systems. Why would a manufacturer spend money to increase cybersecurity? The production systems are running, raw goods come in and finished goods leave. The manufacturer hears news reports about cyberattacks but thinks that no one would target them. The manufacturer is making a bet, one that they are not even aware they are making. That bet is ultimately on the survival of the business and the safety of their people, and they do not realise it.
A standard model for manufacturers to measure themselves against is needed if we are ever to increase the maturity and resiliency of global manufacturing. Adapting security controls to the actual risk you pose to the supply chain allows small-scale manufacturers to enhance security without overspending on programmes that are out of proportion to the underlying risk level.
As an example of such a model, the US Department of Defense created the Cybersecurity Maturity Model Certification (CMMC). This programme defines maturity levels for organisations (Level 1-5) and establishes the certification model against which organisations are assessed. The goal is to include CMMC Level requirements in federal contracts to better protect non-classified information, or confidential unclassified information (CUI).
What is encouraging about the CMMC programme is that a contractor at any level working for the United States government can work within it. The Department of Homeland Security is currently considering adopting CMMC as its standard moving forward. The adage "you are only as strong as the weakest link in your chain" is incredibly relevant to this conversation. One insecure contractor can weaken the entire chain, which creates another layer of risk for OT systems.
Ensuring your security is sufficient
Due to the rising number of high-profile cybersecurity incidents and compromises, the need to simulate the Tactics, Techniques, and Procedures (TTPs) of real-world adversaries more accurately has become increasingly important.
One method utilised by organisations to check for exploitable vulnerabilities is a penetration test, also known as a pen test. This is a simulated cyberattack used to highlight any potential holes in a cybersecurity system.
Red team engagement
Red team engagements are not a new concept but have gained more prominence in recent years with the advent of the CBEST (Bank of England), TIBER (De Nederlandsche Bank), iCAST (Hong Kong Monetary Authority), and CREST STAR (Simulated Target Attack & Response) schemes, the last of which BSI is a member of. All these schemes are similar in nature and bring a formalised framework to offensive testing techniques that have been around for a long time.
By utilising this type of enhanced penetration testing, an organisation can gain a greater understanding and appreciation of the likelihood of a successful compromise, the types of adversary they may face, and how well they are equipped to respond to and deal with such an incident.
A typical penetration test follows a pre-defined and approved methodology during the execution of the assessment, with the end result being a report that highlights all of the security issues and vulnerabilities identified on specific assets.
To identify the vulnerabilities present on those assets, a penetration test applies offensive testing techniques against a pre-defined scope of assets. Assets can take many forms, including web applications, externally facing networks and hosts, internal networks, network devices, cloud infrastructure, mobile applications, and APIs, to name but a few.
Penetration testing has formed, and continues to form, a large element of cybersecurity efforts for many organisations. However, traditional penetration testing has its limitations. For instance, certain assets or locations can be removed from the scope of the test. It also does not address an organisation's ability to detect and respond to real-world attacks. It is therefore just one piece of the puzzle on the journey to organisational resiliency, a journey on which more advanced testing activities, such as red teaming and purple teaming, should also be performed.
How does red teaming work?
A red teaming engagement is an objective-oriented simulation of a real-world attack on the organisation, designed specifically to assess the organisation's prevention, detection, and response capabilities when it is targeted by an advanced persistent threat (APT).
In contrast to traditional or goal-based penetration tests, a red team engagement is performed from as close to a zero-knowledge perspective as possible, and the organisation as a whole is not notified ahead of the engagement. This removes its ability to prepare for the assessment and allows its current security posture in the face of a real-world attack to be measured accurately.
As in a typical war game scenario, a red team engagement consists of attack versus defence: the red team versus the blue team. The roles of both teams are explored a little more closely below.
The red team utilises the necessary TTPs and offensive techniques to establish a foothold within the organisation's network and achieve the outlined objectives of the engagement. Information such as IP addresses, URLs, and key assets would not normally be shared prior to the start of a red team engagement.
Red team versus blue team
In contrast to the red team, the blue team, which is typically resourced internally, focuses on proactively and reactively defending the organisation against attacks – in this case, those originating from the red team. The blue team would typically have zero knowledge of the assessment, which allows the exercise to emulate a real-world situation accurately. Operating this way ensures the optimum level of realism by giving the blue team no opportunity to prepare for the attack, be on the lookout for suspicious activity, or raise awareness amongst staff members, all of which could reduce the effectiveness of a red team engagement.
Red and blue – purple team
Another high-value exercise that can be done on its own or after a red team assessment is what is known as a 'purple team' exercise. This is a highly collaborative exercise in which the red and blue teams work closely together to exchange knowledge, identify gaps, and assess the organisation's current detection and response capabilities.
Prior to the commencement of a purple team exercise, a set of scenarios and TTPs that will form the basis of the exercise is agreed upon. This can be the output of threat modelling, a tabletop, or a red team exercise. Once agreed, both teams sit together to commence the exercise, during which the red team goes through the list of tactics and techniques one by one and works closely with the blue team to measure, fine-tune, and develop the organisation's detection and response capability for each technique. This also gives the blue team practical exposure to, and insight into, the operations of a red team.
The BSI Security Testing Maturity Framework (outlined below) can be used to help identify the most effective security testing level for your organisation. The framework marries the security maturity of an organisation with its appetite for risk to identify the optimal level of testing and provide the best return on investment.
Reassess your data storage
As well as thinking about the security you have in place to protect your systems and data from a cyberattack, it is also vital to consider how and where your data is stored.
One of the key challenges facing organisations as we head towards 2022 is the explosive growth in data and the risks that this entails. One of the primary risks is cost. As data moves through its lifecycle, its value changes. At creation and initial storage it has an initial value and meaning to the business, and from there you want to both use and share the data; this is where the data is of highest value to an organisation. Examples include a monthly sales report, operational utilisation numbers, pipeline figures and stock reports. As time passes, the data becomes less valuable and enters one of the latter phases of the data lifecycle: archive or destroy. Which of these phases applies depends on the organisation's data policies, such as those for data destruction and retention.
This is where the hidden risk of cost kicks in. Where is your data being stored or archived to? Is it in organisational data centres, in the Cloud, or in a hybrid of both? If it is in the Cloud, organisations typically pay per GB per month, which can add up significantly. In a data centre, it is stored on disk systems such as NAS and SAN. The same considerations also apply to the protection of these data systems, where backup versioning will be in place and, from a cost perspective, there will be tapes, licensed tape slots, software licences per device, and hardware costs. It is estimated that there are on average nine copies of each document per organisation, with data doubling in size every three years.
These quantitative costs are, in many cases, hidden on the balance sheet and usually contained within the IT budget, so they simply grow year on year in line with budget expansion. Where budgets are cut, IT leadership tend to look at elements such as software, assets, resources, outsourcing and other non-data-related costs to reduce expenditure. Combined with the ongoing explosion in data growth, this leads to another risk: data discovery.
Should your organisation be obliged to discover data for any reason, be that a regulatory one such as a freedom of information request or a data subject access request (DSAR), commercial litigation, an internal investigation or criminal proceedings, then whatever data the organisation holds is liable to be discovered, preserved, collected, reviewed and produced to the authorities. This can work both for and against an organisation, depending on the discovery request. The more data that is held, the longer the request will take to complete. Organisations do have the ability to extend the time available to fulfil, for example, a DSAR, but this simply adds to the costs involved and diverts resources away from core business operations.
The generation of data is not confined to traditional activities. As Internet of Things (IoT) devices and evolving technologies such as Artificial Intelligence (AI), Operational Technology (OT) and Machine Learning become more mainstream, organisations will need to adapt their approach and extend their controls and governance activities to manage and secure the data that is generated.
How can BSI help you?
To meet these and other data-related challenges, we at BSI advocate several best practices and provide trusted consultant advisors, in conjunction with key technology partners, to assist clients. We understand that implementing a data loss prevention programme is key, particularly in a hybrid data environment. Amongst our services, BSI can:
- Complete a data mapping exercise to understand exactly what data the organisation has, where it is stored and who the data owners are;
- Ensure you have conducted an asset discovery and data classification exercise;
- Put tried and tested data recovery procedures in place to mitigate data loss, capture recovery metrics so that the organisation understands how long data takes to recover and to what point it can be recovered, and establish data discovery procedures that meet business requirements;
- Bring both a security and privacy by design approach to operational activities;
- Maintain strong data security controls, such as data encryption, key management, data segmentation and security access controls;
- Ensure that all personnel handling data are trained and have a high level of security awareness, with clear guidance on how to report suspicious activity;
- Conduct incident response tabletop exercises specifically as they pertain to data, ensuring that senior leadership are actively involved and that everyone knows the roles and responsibilities they hold in the recovery from an incident; and
- Perform continuous monitoring and improvement activities as data, devices, user behaviour and threats do not remain static.
Please note, this article will also appear in the eighth edition of our quarterly publication.