The Key to Reducing Exposure to Cyber Liability, Part 1


Former federal CISO Greg Touhill explains how to reduce an organization's exposure to breaches and subsequent liabilities.

Brig. Gen. (ret.) Gregory J. Touhill, CISSP, CISM, is the president of Cyxtera Federal Group, former federal chief information security officer, and guest author for the (ISC)² U.S. Government Advisory Council Executive Writers Bureau.

Recent headlines continue to feature reports of serious data breaches in both public and private sectors. Sadly, these reports often are met with the resigned sighs of a fatigued public growing accustomed to unacceptable cyber defeats. Lost amongst the reporting is a growing conversation about what these cyber defeats mean in terms of liability, due care and due diligence.

Cybersecurity professionals need to care about and pay attention to due care and due diligence. I define due care as “doing the right things” and due diligence as “doing the right things the right way.”

In the not-so-distant past, information technology and cybersecurity were viewed as near-magical technical realms where non-technical people dared not go. Now, with our national prosperity and national security intrinsically linked to automated, secure and trusted information technology and communications systems, the common business concepts of liability, due care and due diligence have fully arrived on the doorstep of every cybersecurity professional.

In the aftermath of a breach, boards of directors want to know, “How did they get in?” as well as, “Could this have been prevented?” Spoiler alert: Smart boards will want to bring in a trusted third party to double-check the answers the corporate team provides. Operating a modern secure infrastructure in an increasingly hostile and highly contested cyber environment demands due care and due diligence. If I can demonstrate that well-known and widely used practices were not followed leading up to a breach, it can be argued that due care and due diligence indeed were not exercised. If that is the case, your exposure to liability penalties likely increases significantly.

The following recommendations will help cybersecurity professionals implement due diligence and due care mechanisms while helping to reduce the organization’s exposure to breaches and subsequent liability penalties.

Modern Access Controls

If, as in many breaches, a compromised username and password was used for entry and a modern control like multi-factor authentication (MFA) was not employed, proper due care and due diligence will be questioned. Similarly, if SQL injection or cross-site scripting was the means of entry through a faulty web page and secure software development procedures were not in place, it will be difficult to prove that reasonable measures to exercise due care and due diligence were in place. Many entities are still using 20th-century technologies that are increasingly easy to defeat instead of employing much more effective, efficient and secure modern solutions such as software-defined perimeter technology.

Hackers covet elevated privileges and move laterally across compromised networks seeking system administrator and “super user” accounts to control. Your privileged accounts are the keys to your kingdom. Insist on MFA for all privileged user accounts. Deny remote access for privileged accounts whenever you can. (I recommend that you always deny remote access to privileged accounts.) Limit the damage from hackers and insider threats by implementing “micro-segmentation” to reduce your attack surface. Not doing so may be argued to be a failure to exercise due care and due diligence, as these are contemporary best practices.
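As an added illustration of the two privileged-account rules above (this is example code, not from the original article), here is a small Python audit that runs over constructed login events and flags privileged logins made without MFA or from outside the internal network; the account list, internal address ranges and JSON event format are assumptions.

```python
"""Audit login events against two privileged-account rules:
every privileged login must use MFA, and privileged accounts
must not log in from remote (non-internal) addresses."""
import ipaddress
import json

# Assumed internal address ranges (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed: privileged accounts are enumerated explicitly, not inferred.
PRIVILEGED_ACCOUNTS = {"root", "domain-admin", "svc-backup-admin"}


def is_remote(src_ip: str) -> bool:
    """True when the source address is outside every internal range."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in INTERNAL_NETS)


def audit_event(event: dict) -> list:
    """Return the rule violations for one successful privileged login."""
    findings = []
    if event["user"] not in PRIVILEGED_ACCOUNTS or event["result"] != "success":
        return findings  # unprivileged or failed logins are out of scope here
    if not event.get("mfa", False):
        findings.append("privileged login without MFA")
    if is_remote(event["src_ip"]):
        findings.append("privileged login from a remote address")
    return findings


def audit_log(lines: list) -> dict:
    """Map event id to its findings; events with no violation are omitted."""
    report = {}
    for line in lines:
        event = json.loads(line)
        findings = audit_event(event)
        if findings:
            report[event["id"]] = findings
    return report


# Constructed JSON-lines sample; not real log data.
SAMPLE_LOG = [
    '{"id": "e1", "user": "alice", "src_ip": "203.0.113.5", "mfa": false, "result": "success"}',
    '{"id": "e2", "user": "domain-admin", "src_ip": "10.1.2.3", "mfa": true, "result": "success"}',
    '{"id": "e3", "user": "domain-admin", "src_ip": "10.1.2.3", "mfa": false, "result": "success"}',
    '{"id": "e4", "user": "root", "src_ip": "198.51.100.7", "mfa": true, "result": "success"}',
    '{"id": "e5", "user": "root", "src_ip": "198.51.100.7", "mfa": false, "result": "failure"}',
]

if __name__ == "__main__":
    for event_id, findings in audit_log(SAMPLE_LOG).items():
        print(event_id, "->", "; ".join(findings))
```

Feeding real authentication logs into `audit_log` in the same JSON-lines shape gives a quick evidence list for the due-care question of whether the MFA and no-remote-access rules were actually enforced.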

Securing the Environment

Some folks, when they hear of a breach, jump to the conclusion that the victim did not immediately install a patch to an operating system or application. To them I say, “Not so fast.” Failure to immediately patch doesn’t tell the whole story.

When a manufacturer releases a patch, you need to do two things. First, assess your current environment to ensure there are sufficient compensating controls to protect the integrity of your data and systems against the flaws revealed by the patch. Compensating controls may include such things as increasing surveillance by your security operations center, changing access control rules, adding other layers of defenses, or (in some severe cases) taking a system offline. Which compensating controls you implement is driven by factors such as risk appetite, budget and business operations. Second, test the patch in your test environment to make sure it doesn’t break anything critical.

Throughout my professional career, I’ve seen some patches arrive that caused numerous applications across our operational environments to cease working. If the cure is worse than the disease, you have a big problem. Always test before you patch the operational environment and, if the patch doesn’t work right, employ compensating controls to manage the risk of not installing the patch. Don’t forget to keep management informed as well!

Application Security

Testing patches often reveals another critical due care and due diligence item: application security. When you find through testing that a patch will “break” applications, ask yourself, “Why do we have such a fragile application?”

Applications ought to be constructed using secure coding standards and architectures that reduce the impact of dependency on a single operating system version; they should be as platform-agnostic as possible. From a business perspective, having to retool your applications every time an operating system patch comes out isn’t a good value. The National Cybersecurity Risk Framework states that you need to build in resiliency to help recover from an incident. Due care and due diligence in developing secure and resilient code reduces the likelihood that a patch will cause an incident that gets your brand and reputation in the newspaper for all the wrong reasons.

For more recommendations on proving due care and due diligence, and why cybersecurity professionals should care, read part two of this article series.
