Former federal CISO Greg Touhill explains how to reduce an organization's exposure to breaches and subsequent liabilities.
Brig. Gen. (ret.) Gregory J. Touhill, CISSP, CISM, is the president of Cyxtera Federal Group, former federal chief information security officer, and guest author for the (ISC)² U.S. Government Advisory Council Executive Writers Bureau.
Recent headlines continue to feature reports of serious data breaches in both public and private sectors. Sadly, these reports often are met with the resigned sighs of a fatigued public growing accustomed to unacceptable cyber defeats. Lost amongst the reporting is a growing conversation about what these cyber defeats mean in terms of liability, due care and due diligence.
Cybersecurity professionals need to care about and pay attention to due care and due diligence. I define due care as “doing the right things” and due diligence as “doing the right things the right way.”
In the not-so-distant past, information technology and cybersecurity were viewed as near-magical technical realms where non-technical people dared not go. Now, with our national prosperity and national security intrinsically linked to automated, secure and trusted information technology and communications systems, the common business concepts of liability, due care and due diligence have fully arrived on the doorstep of every cybersecurity professional.
In the aftermath of a breach, boards of directors want to know, “How did they get in?” as well as, “Could this have been prevented?” Spoiler alert: Smart boards will want to bring in a trusted third party to double-check the answers the corporate team provides. Operating a modern secure infrastructure in an increasingly hostile and highly contested cyber environment demands due care and due diligence. If I can demonstrate that well-known and used practices were not followed leading up to a breach, it can be argued that due care and due diligence indeed were not followed. If that is the case, your exposure to liability penalties likely increases significantly.
The following recommendations will help cybersecurity professionals implement due diligence and due care mechanisms while helping to reduce the organization’s exposure to breaches and subsequent liability penalties.
Modern Access Controls
If, like many breaches, a compromised username and password was used for entry and a modern control like multi-factor authentication was not employed, proper due care and due diligence will be questioned. Similarly, if a SQL injection or Cross Site Scripting were the means of entry through a faulty web page and secure software procedures were not in place, it will be difficult to prove reasonable measures to exercise due care and due diligence were in place. Many entities still are using 20th-century technologies that are increasingly easy to defeat instead of employing much more effective, efficient and secure modern solutions such as software-defined perimeter technology.
Hackers covet elevated privileges and move laterally across compromised networks seeking system administrator and “super user” accounts to control. Your privileged accounts are the keys to your kingdom. Insist on MFA for all privileged user accounts. Deny remote access for privileged accounts whenever you can. (I recommend that you always deny remote access to privileged accounts.) Limit damage of hacker and insider threat by implementing “micro-segmentation” to reduce your attack surface. Not doing so may be argued to be failure to exercise due care and due diligence, as these are contemporary best practices.
Securing the Environment
There are some folks who jump to conclusions when they hear of a breach, that the victim did not immediately install a patch to an operating system or application. To them I say, “Not so fast.” Failure to immediately patch doesn’t tell the whole story.
When a manufacturer releases a patch, you need to do two things. First, assess your current environment to ensure there are sufficient compensating controls to protect the integrity of your data and systems against the flaws revealed by the patch. Compensating controls may include such things as increasing surveillance by your security operations center, changing access control rules, adding other layers of defenses, or (in some severe cases) taking a system offline. Implementing compensating controls is driven by factors such as risk appetite, budget and business operations. Secondly, test the patch in your test environment to make sure it doesn’t break anything critical.
Throughout my professional career, I’ve seen some patches arrive that caused numerous applications across our operational environments to cease working. If the cure is worse than the disease, you have a big problem. Always test before you patch the operational environment and, if the patch doesn’t work right, employ compensating controls to manage the risk of not installing the patch. Don’t forget to keep management informed as well!
Testing patches often reveals another critical due care and due diligence item: application security. When you find through testing that a patch will “break” applications, ask yourself, “Why do we have such a fragile application?”
Applications ought to be constructed using secure coding standards and architectures that reduce the impact of dependency on a single operating system version; they should be as platform-agnostic as possible. From a business perspective, having to retool your applications every time an operating system patch comes out isn’t a good value. The National Cybersecurity Risk Framework states that you need to build in resiliency to help recover from an incident. Due care and due diligence in developing secure and resilient code reduces the likelihood that a patch will cause an incident that gets your brand and reputation in the newspaper for all the wrong reasons.
For more recommendations on proving due care and due diligence, and why cybersecurity professionals should care, read part two of this article series.