As summarized in the first installment of our two-part blog series, President Biden recently issued a sweeping Executive Order aimed at improving the nation’s cybersecurity defense. The Order is a reaction to increased cybersecurity attacks that have severely impacted both the public and private sectors. These attacks have evolved to the point where industry solutions have much more difficulty detecting encryption and file-state changes quickly enough to prevent an actual compromise. The consequence is that new and evolving ransomware and malware attacks are now getting past even the biggest solution providers and leading scanners in the industry.
Thus, while on its face, many of the new requirements within the Order are aimed at federal agencies and government subcontractors, the ultimate goal appears to be to create a more unified national cybersecurity defense across all sectors. In this installment of our blog series, I will outline recommended steps for private sector organizations to prepare for compliance with the Order, as well as general best-practice tips for adopting a more preemptive approach to cybersecurity.
1. Conduct a Third-Party Assessment
First and foremost, organizations must understand their current cybersecurity posture. Given the severity and volume of recent cyberattacks, organizations should commission in-depth third-party or red-team assessments that cover not only the organization’s own IT assets but also its solution providers, vendors, and suppliers. Red teaming is the process of providing a fact-driven adversary perspective as an input to solving or addressing a problem. In the cybersecurity space, it has become a best practice wherein the cyber resilience of an organization is challenged from an adversary’s or threat actor’s perspective. Red-team testing is very useful for testing organizational policies, procedures, and reactions against defined, intended standards.
A third-party assessment must include a comprehensive remote network scan and a comprehensive internal scan with internal access provided or gained with the intent to detect and expose potential vulnerabilities, exploits, and attack vectors for red-team testing. Internal comprehensive discovery includes scanning and running tools with the intent to detect deeper levels of vulnerabilities and areas of compromise. Physical intrusion tests during red-team testing should be conducted on the facility, networks, and systems to test readiness, defined policies, and procedures.
The assessment will evaluate the ability to preserve the confidentiality, integrity, and availability of the information maintained and used by the organization and will test the use of security controls and procedures used to secure sensitive data.
2. Integrate Solution Providers and IT Service Companies into Plans to Address Above Executive Order Steps
To accurately assess your organization’s risk, you first have to know who your vendors, partners, and suppliers are with whom you share critical data. Many organizations rely on a complex and interconnected supply chain to provide solutions or share data. As noted above, this is exactly why the Order will eventually broadly impact the private sector. While on its face, the Order only seems to impact federal government and subcontractor entities, those entities’ data infrastructures (like most today) are interconnected environments composed of many different organizations with complex layers of outsourcing partners, diverse distribution routes, and various technologies to provide products and services – all of whom will have to live up to the Order’s cybersecurity standards. In short, the federal government is recognizing that its vendors, partners, and suppliers’ cybersecurity vulnerabilities are also its own. The sooner all organizations realize this the better.
According to recent NIST guidance, “Managing cyber supply chain risk requires ensuring the integrity, security, quality, and resilience of the supply chain and its products and services.” NIST recommends focusing on foundational practices, enterprise-wide practices, risk management processes, and critical systems. “Cost-effective supply chain risk mitigation requires organizations to identify systems and components that are most vulnerable and will cause the largest organizational impact if compromised.”
In the recent attacks, hackers inserted malicious code into Orion software, and around 18,000 SolarWinds customers, including government and corporate entities, installed the tainted update onto their systems. The compromised update has had a sweeping impact, the scale of which keeps growing as new information emerges.
Locking down your networks, systems, and data is just the beginning! Inquiring how your supply chain implements a Zero Trust strategy and secures their environment as well as your shared data is vitally important. A cyber-weak or compromised company can lead to exfiltration of data, which a bad actor can exploit or use to compromise your organization.
3. Develop Plan to Address Most Critical Vulnerabilities and Threats Right Away
Third-party assessors should deliver a comprehensive report of their findings that includes the descriptions of the vulnerabilities, risks found in the environment, and recommendations to properly secure the data center assets, which will help companies stay ahead of the Order’s mandates. The reports typically include specific data obtained from the network, any information regarding exploitation of exposures, and the attempts to gain access to sensitive data.
A superior assessment report will contain documented and detailed findings as a result of performing the service and will convey the assessor’s opinion of how best to remedy vulnerabilities. These will be prioritized for immediate action, depending upon the level of risk. Risks are often prioritized as critical, high, medium, and low risk to the environment, and a plan can be developed based upon these prioritizations for remediation.
4. Develop A Zero Trust Strategy
As outlined in Section 3 of the Order, a Zero Trust strategy is critical to addressing the above steps, and must include establishing policy, training the organization, and assigning accountability for updating the policy.
Defined by the National Security Agency (NSA)’s “Guidance on the Zero Trust Security Model”: “The Zero Trust model eliminates trust in any one element, node, or service by assuming that a breach is inevitable or has already occurred. The data-centric security model constantly limits access while also looking for anomalous or malicious activity.”
Properly implemented Zero Trust is not a set of access controls to be “checked,” but rather an assessment and implementation of security solutions that provide proper network and hardware segmentation as well as platform micro-segmentation and are implemented at all layers of the OSI (Open Systems Interconnection) model. A good position to take is that Zero Trust should be implemented using a design where all of the solutions assume they exist in a hostile environment. The solutions operate as if other layers in a company’s protections have been compromised. This allows isolation of the different layers to improve protection by combining the Zero Trust principles throughout the environment from perimeters to VPNs, remote access to Web Servers, and applications.
For a true Zero Trust enabled environment, focus on cybersecurity solution providers that qualify as “Advanced” in the NSA’s Zero Trust Maturity Model, as defined in the NSA’s cybersecurity paper “Embracing a Zero Trust Security Model.” This means that these solution providers will be able to deploy advanced protections and controls with robust analytics and orchestration.
5. Evaluate Solutions that Pre-emptively Protect Through Defense-In-Depth
In order to further modernize your organization’s cybersecurity protection, consider full integration and/or replacement of some existing cybersecurity systems with ones that understand the complete end-to-end threats across the network. How can an organization implement confidentiality and integrity for breach prevention?
Leverage automated, preemptive cybersecurity solutions, as they possess the greatest potential in thwarting attacks and rapidly identifying any security breaches to reduce time and cost.
Use a Defense-in-Depth blueprint for cybersecurity to establish outer and inner perimeters, enable a Zero Trust environment, establish proper security boundaries, provide confidentiality for proper access into the data center, and support capabilities that prevent data exfiltration inside sensitive networks.
Implement a solution to continuously scan and detect ransomware, malware, and unauthorized encryption that does NOT rely on API calls, file extensions, or signatures for data integrity.
Solutions must have built-in protections leveraging multiple automated defense techniques, deep zero-day intelligence, revolutionary honeypot sensors, and revolutionary state technologies working together to preemptively protect the environment.
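The scanning requirement above (detecting unauthorized encryption without relying on API calls, file extensions, or signatures) can be illustrated with a file-state monitor. The following Python is an added example written for this post; it is not Cyemptive’s or Lighthouse’s code and does not describe any vendor product. It takes a baseline snapshot of each file’s hash, size and byte entropy, re-snapshots later, and flags files whose content changed and whose entropy jumped toward the 8 bits/byte ceiling, which is what bulk encryption looks like regardless of the file’s name or the tool that wrote it. The file paths and contents are constructed sample data, and the thresholds are assumptions chosen for the example.

```python
"""Entropy-based file-state monitor (added example; not the post's or any vendor's code)."""
import hashlib
import math
from collections import Counter
from typing import Dict, List

Snapshot = Dict[str, Dict[str, object]]  # path -> {"sha256", "size", "entropy"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def take_snapshot(files: Dict[str, bytes]) -> Snapshot:
    """Record a content hash, size and entropy for every file in the mapping."""
    return {
        path: {
            "sha256": hashlib.sha256(content).hexdigest(),
            "size": len(content),
            "entropy": shannon_entropy(content),
        }
        for path, content in files.items()
    }


def detect_unauthorized_encryption(baseline: Snapshot, current: Snapshot,
                                   high_entropy: float = 7.0,
                                   min_jump: float = 2.0) -> List[dict]:
    """Compare two snapshots and return findings.

    A file is reported as 'possible-encryption' when its hash changed, its new
    entropy is at or above `high_entropy`, and it rose by at least `min_jump`
    bits/byte over the baseline. Requiring a jump keeps files that are already
    high-entropy by nature (archives, images, media) from being flagged on every
    ordinary edit. Files that vanished are reported as 'missing', since many
    ransomware families write an encrypted copy and delete the original.
    Thresholds are assumptions for this example, not vendor-published values.
    """
    findings: List[dict] = []
    for path, cur in current.items():
        base = baseline.get(path)
        if base is None:
            continue  # files created after the baseline are outside this example's scope
        if cur["sha256"] == base["sha256"]:
            continue  # content unchanged
        jump = cur["entropy"] - base["entropy"]
        if cur["entropy"] >= high_entropy and jump >= min_jump:
            findings.append({
                "path": path,
                "kind": "possible-encryption",
                "entropy_before": round(base["entropy"], 2),
                "entropy_after": round(cur["entropy"], 2),
            })
    for path in baseline:
        if path not in current:
            findings.append({"path": path, "kind": "missing"})
    return findings


# --- Constructed sample data (not real files) ---------------------------------
_TEXT = (b"Quarterly report: revenue up 4 percent; headcount flat. "
         b"Action items: renew vendor contracts, review access policy.\n") * 40
_CSV = b"id,name,amount\n1,alice,10\n2,bob,20\n3,carol,30\n" * 50
# Deterministic stand-in for ciphertext: every byte value appears equally often,
# giving exactly 8.0 bits/byte without needing a real cipher or random source.
_CIPHERTEXT_LIKE = bytes(range(256)) * 16

BEFORE = {
    "/srv/docs/report.txt": _TEXT,
    "/srv/docs/ledger.csv": _CSV,
    "/srv/docs/notes.md": b"# Notes\n- call vendor\n- rotate keys\n",
}
AFTER = {
    # benign edit: hash changes, entropy stays low, must NOT be flagged
    "/srv/docs/report.txt": _TEXT + b"Addendum: board meeting moved to Friday.\n",
    # overwritten in place, extension unchanged: only the entropy jump reveals it
    "/srv/docs/ledger.csv": _CIPHERTEXT_LIKE,
    # notes.md deleted
}


def run_example() -> List[dict]:
    """Baseline, rescan, and return the findings for the constructed data."""
    return detect_unauthorized_encryption(take_snapshot(BEFORE), take_snapshot(AFTER))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

In a real deployment the mapping would come from walking the monitored directories, the baseline would be persisted, and large files would be measured in chunks so a partially encrypted file is still caught. The check is a heuristic, not proof of compromise: it complements, rather than replaces, the other layers listed above, and its value is that it keys off the state of the data itself rather than on a known signature or a particular file extension.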
Cyemptive recommends the steps above as the way to take a preemptive, holistic approach to cybersecurity defense, and recommends starting the process as soon as possible – not only to comply with potential government mandates brought about by President Biden’s Executive Order, but also to ensure that organizations are better prepared for the increased cybersecurity threat activity we are seeing throughout the private sector.
Lighthouse is a global leader in eDiscovery and information governance solutions to manage the increasingly complex landscape of enterprise data for compliance and legal teams. Since our inception as a local document copy shop in 1995, Lighthouse has evolved with the legal technology landscape, anticipating the trends that shape legal practices, information management, and complex eDiscovery. Whether reacting to incidents like litigation or governmental investigations or designing programs to proactively minimize the potential for future incidents, Lighthouse partners with multinational industry leaders, top global law firms, and the world’s leading software provider as a channel partner.