Written by Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), CCSFP is a Member of (FBI) InfraGard & HITRUST CSF Assessor Council.
A single system or application, today, may have hundreds of thousands of vulnerabilities. The threat actor has to find a single vulnerability to exploit, while cyber defenses have to “reasonably and appropriately” implement credible capabilities to secure vital assets across the enterprise. Asymmetric attacks mandate that organizations must look to implement a cyber defense based on a credible, mature, robust framework.
The focus of this brief is to establish the current state of cyberattacks and why the HITRUST CSF framework provides a credible option upon which organizations can base their cyber strategy.
State of Cybersecurity Today: Executive Fast Facts
Key facts emerge from the exhaustive study published annually by Verizon, the 2017 Data Breach Investigations Report (DBIR). We examine some critical findings as detailed in the Verizon DBIR Report.
Who’s behind the breaches?
- 75% perpetrated by outsiders
- 25% involved internal actors
- 18% conducted by state-affiliated actors
- 3% featured multiple parties
- 2% involved partners
- 51% involved organized criminal groups
What tactics do they use?
- 62% of breaches featured hacking
- 51% of breaches included malware
- 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
- 43% were social attacks
Who are the victims?
- 24% of breaches affected financial organizations
- 15% of breaches involved healthcare organizations
What else is common with breaches?
- 66% of malware was installed via malicious email attachments
- 73% of breaches were financially motivated
- 21% of breaches were related to espionage
- 27% of breaches were discovered by third parties
Note that 61% of the data breach victims in this year’s report are businesses with under 1,000 employees. So, small businesses need to also be prepared to defend their critical digital assets.
Further, 95% of phishing attacks that led to a breach were followed by some sort of software installation. And, 80% of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords. The importance of continued, credible, end user cybersecurity training, as well as performing regular social engineering exercises must be part of any organization’s cybersecurity strategy.
Source: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/?mod=djemCybersecruityPro&tpl=cy
Cyber Attack Patterns
Table 1 provides a summary of key attack patterns that covered 88% of breaches, as detailed in the Verizon DBIR Report.
| Cyberattacks | Description |
|---|---|
| Cyber | Espionage Attacks linked to state-affiliated actors, and/or with the motive of espionage. |
| Denial of Service (DoS) | Any attack intended to compromise the availability of networks, applications and systems. |
| Insider and Privilege Misuse | Any unapproved or malicious use of organizational resources. |
| Crimeware | All instances involving malware that did not fit into a more specific pattern. Ransomware was the 22nd most common form of malware. |
| Physical Theft and Loss | Any incident where physical assets went missing—deliberately or accidentally. |
| Web Application Attacks | Any incident in which a web application was used as the means of attack. |
| Payment Card Skimmers | All incidents where a skimming device was placed on a payment card reader. |
| Point of Sale (POS) | Intrusions Remote attacks against POS terminals and controllers. |
Table 1: Top Cyber-attack Patterns.
HITRUST CSF: A Credible Enterprise Cybersecurity Framework
A cybersecurity framework enables an organization to address the dual challenge to every enterprise. First, the continual cyber-attacks on the infrastructure and core applications. Second, the rising number of federal and state compliance mandates that must be met continually. HITRUST CSF is a cybersecurity framework that addresses both areas to ensure the enterprise implements an appropriate cyber defense.
The HITRUST CSF enables an organization to formally address compliance mandates, such as HIPAA, HITECH, as well as state mandates, e.g. California, Texas, and others.
HITRUST is a prescriptive framework. What that means is that it establishes minimal, specific requirements for various aspects for an enterprise cybersecurity program. For example, in the area of access control, an organization must automatically remove or disable accounts that have been inactive for a period of sixty (60) days or more.
The HITRUST CSF establishes maturity levels relevant to evaluating an organization’s compliance and security program.
Bottom-line: Cyber Defense Strategy
2017 and 2018 will witness more, not less, of the types of massive cyberattacks we have seen in 2016 and 2017 already. These attacks are highly disruptive to business operations and finance. Think Mirai from October 21, 2016. Think WannaCry ransomware malware from May 12, 2017. Given the increasing frequency and sophistication of cyber-attacks, how does an organization improve its cyber defense?
Every organization must establish its cybersecurity strategy. One of the first key decisions is to identify the security framework that will provide the foundation for an enterprise cybersecurity program. HITRUST CSF is a robust, mature, credible framework that an organization can base its cybersecurity strategy on.
In addition, ensure the following areas are addressed credibly:
- Encrypt. Encrypt. Encrypt. Whenever and wherever possible!
- Require employees and customers to vary their passwords and seriously review use of two-factor authentication.
- Re-think security awareness training and encourage employees to report phishy emails.
- Verify you have DDoS mitigation services implemented to thwart any attacks, and ensure appropriately tested.
- Stress the importance of software updates; develop formal policy and practice for patch management.
- Enforce a formal procedure for disposing of anything that might contain sensitive data.
- Implement an automated and consolidated log file management; change management systems can give you early warning of a breach.
- Limit the amount of sensitive information stored in web-facing applications.
- Perform targeted penetration testing exercise, at least annually, on mission critical applications.
- Think supply chain security and formally develop process to review third-party vendors (business associates) and their security practices.
Get started with the HITRUST CSF!