Getting More Responsive Security by Learning From Disaster Responses
Editor’s Note: In the two previous blogs, we discussed some of the issues and dilemmas found within information security knowledge and practice domains. Those challenges arise fundamentally from the traditional approach that many organizations have adopted to address information security requirements. In this fourth installment, we look at how good preparation can improve security outcomes, as illustrated in a few case examples.
As the Dutch philosopher Erasmus once said, “prevention is better than cure.” Most organizations’ security approaches have focused primarily on erecting defensive systems to prevent attackers from compromising information and systems through exploiting security weaknesses associated with technology, process, or people in the organization.
A good analogy illustrating this is a fortress surrounding an old castle, which inherently has a weakness because it assumes the outside environment remains static. When new artillery, such as a cannon, is used as an attack weapon, the fortress’s security posture changes and cannot be easily upgraded as part of any change management process. The same is true for businesses. Even if a business remains static (which is an unrealistic assumption), security vulnerabilities in technology systems and applications will eventually be discovered and disclosed. If they are not patched or addressed through other workarounds, they could result in significant exposure for the organization. The recent Heartbleed incident that resulted from a vulnerability discovered in the OpenSSL library demonstrates this point well.
Furthermore, not all changes can be planned in advance. Like the OpenSSL issue, many of these changes are beyond the organization’s control. Even when a patch management system is in place, the required patch may not be available from the vendor to address the vulnerability promptly. Some vulnerabilities take months to patch. Meanwhile, workarounds or other measures must be implemented before perpetrators launch their attacks to exploit those vulnerabilities. Without preparation, organizations may not be able to respond appropriately, and will therefore be exposed.
Before we can design and build defensive mechanisms to prevent exposure or exploitations, further knowledge and experience about related security threats and weaknesses is needed. Such dependency, in reality, causes organizations to become very much driven by the discovery of security vulnerabilities, which is reactive in practice—even though the concept of “prevention is better than cure” appears to be proactive by design.
We see this reactive practice play out frequently, particularly in airports where new security checks are implemented in response to a suspicious activity or a direct incident to breach security barriers. In many instances, and for a variety of reasons—such as risk management decisions, resource constraints, or simply ignorance—weak security mechanisms somehow become an intrinsic component of the system. For instance, many online sites, including financial institutions, continue to use the simple password/ID authentication mechanism for online transactions, even though this has proven to be vastly vulnerable to attack and exploitation (see: http://twofactorauth.org/).
The knowledge gap, resource limitation, and dynamics of change often mean that organization information systems will retain vulnerabilities, both known and not previously known. Instead of depending solely on preventive measures, experiences from environmental incidents have shown that the impact of an incident can be greatly reduced with good preparation beforehand—and enables responders to react swiftly as an incident unfolds.
Take, for example, the tragic tsunami that spread over most of the Indian Ocean on December 26, 2004. While more than 150,000 people across 11 countries were either dead or missing (highlighting the dire consequences of inadequate early warning systems and preparedness against disasters), several lifesaving stories were reported. According to the British Broadcasting Corporation (BBC), a teenage girl vacationing in Thailand saw the waves, recalled a geography lesson about tsunamis, and alerted her family and other tourists and saved them all from disaster.
On the same day, an Indian national working in Singapore watched the early morning news of the earthquake in Indonesia and called his home in the Nallavadu village in India. His sister, who answered the call, noted seawater seeping into their home. The man realized what that meant and urged his sister to run out and warn the rest of the village. The villagers used a public address system set up to announce sea conditions to fishermen and broadcast the warning. Their vigilant and responsive actions saved more than 3,500 lives.
Recognizing a significant change event (the tide receding plus water seeping into the home), provides the requirement for what we call “risk visibility.” This translates into situation awareness that prompts the necessary actions to re-align the critical systems to the risk situation—like a soft cushion absorbing the impact of a fallen heavy object. It can effectively reduce the severity of unexpected (low probability but potentially high impact) consequences of an unknown event. These are characteristics of many incidents where responsiveness plays out positively, and where we could emulate or complement our existing approaches in managing information security risks—otherwise known as Responsive Security.
In March 2013, a well-known cloud-based note taking application, Evernote, detected an attack on its site. Although it did not find any specific compromises involving payment data and premium accounts, Evernote identified that the “individual(s) responsible were able to gain access to Evernote user information, including user names, email addresses associated with the Evernote accounts, and encrypted passwords.”
Evernote was quick to acknowledge and communicate information about the attack through its blog site and, more importantly, promptly blocked all user access until each user completed an online password reset. This mandatory password reset effectively nullified the stolen encrypted passwords for use by the perpetrators. Evernote’s user communication provided the “risk visibility” while the mandatory password change aligned the users’ actions to the incident, providing a quick stopgap to prevent further losses while the company addressed the underlying weaknesses.
As observed, a key attribute for responsive security is preparation—be ready to respond. Techniques such as scenario planning, fire drills, and tabletop exercises are all proven methods for preparing organizations for disaster recovery and business continuity. Many of these similar tools and methods are used in preparing organizations to be ready and responsive to cyber security events. Another critical attribute is risk visibility, which relates to the notion that we cannot respond to what we cannot see. Many security vendors are now providing full stack visibility, contextual awareness and threat intelligence, which form part of risk visibility needs. Risk visibility however, should not stop at watching threat intelligence and security events, but all potential failure events, including operational or human errors associated with the system itself.
To be responsive, we need to change our mindset and start thinking about the consequences and work backwards towards gaining visibility and preparing to re-align to critical situations.
BBC Online. 2005. Award for tsunami warning pupil. British Broadcasting Corporation (BBC) News, September 9, 2005. Available from http://news.bbc.co.uk/1/hi/uk/4229392.stm.
Chin, Saik Yoon. 2004. Phone call saved scores of Indian villagers from tsunami. International Development Research Center. http://firstname.lastname@example.org/msg02013.html
Evernote. 2013. Security Notice: Service-Wide Password Reset. http://evernote.com/corp/news/password_reset.php.