The cyber threat landscape has evolved over the past decades from the direct attack-and-crash nuisance to today's sophisticated, multi-vector advanced persistent threats (APT). Unfortunately, this "evolution" does not stop. Attack vectors continue to expand in breadth and depth. In breadth, attacks now target not just IT but also the OT and IoT space. In depth, they have gone cyber-physical and now mix and match new vector dimensions, such as the prevailing situation and lesser-known vulnerabilities in people, process and technology.
The Wuhan virus related cyber-attacks that we see today are probably something we can all relate to. Such attacks ride on the epidemic situation to attract eyeballs and mouse-clicks. This, coupled with a chosen mix of socially engineered or technologically vulnerable possibilities, may create catastrophic damage and fatalities that were not achievable in the past.
One possible example is an attack on medical PACS and DICOM, the infrastructure developed more than two decades ago for the transport and storage of medical images such as X-rays, CT scans and MRIs. Taking just the DICOM aspect, the standard file format for this purpose, which was designed without any cyber protection consideration: coupled with socially engineered dark intelligence, it may be abused by cyber criminals and other ill-intentioned parties for purposes as varied as abduction, extortion and planned misinformation, simply by altering the contents of DICOM medical records such as the X-ray image and the patient information. In our opinion this is a serious vulnerability in the global medical landscape, since this unprotected standard is still not well recognised in the cyber security technology community, and the exposure exists both in transit and at rest.
For readers who wish to understand more about the vulnerability of medical DICOM, we wrote a paper on this more than a couple of years ago, available via this link. We welcome comments and sharing on this topic for the benefit of the global community.
In summary, cybercrime activities will become increasingly complex and multi-faceted. This will be fuelled primarily by the combinatorial adoption of new attack vectors, new situations and new technologies that are unheard of today. Awareness of this security challenge should not be limited to the CIO, CISO and the rest of the C-suite; it should be a multi-level awareness of the rapidly changing threat landscape, in a bid to build a total defence culture that is both self-learning and self-resilient.
It is common knowledge that an organisation's culture starts from the number one person in its structure. His or her leadership style determines the culture of the organisation. Some simple examples: if the leadership style is to manage by fear, a "window-dressing" and finger-pointing culture will develop; if the leadership style is to manage by hearsay (or in my own term, "manage by distance learning") and the leader is not close to the people, an enterprise-wide gossip culture will develop. These are examples of toxic cultures that do not bring about productive possibilities; instead they impede the development of a positive security culture.
Specifically, under a leadership that manages by fear, upward reporting is typically suppressed. This directly impacts cyber incident discovery and reporting. To make matters worse, a line-drawing and finger-pointing culture may also lead to an information-hiding and blame-transfer mindset as far as cyber security effort is concerned. Where management distances itself from the people, the organisation risks focusing on the wrong protection strategies, since the genuine subject matter experts in the organisation may not have a direct channel to feed back the gaps early enough to pre-empt avoidable incidents.
With the above in mind, what then is the right management style for nurturing a productive cyber security culture enterprise-wide?
In my opinion, a servant-leadership approach would be effective in paving the ground for a sharing culture across the different levels of the organisation. As people start to understand that a cyber incident is no longer a taboo today, and that the security posture of the organisation can only be achieved through the collective effort of all, a sharing culture will naturally develop, building strong organisational fabric and cohesion for a total defence culture.
As in any functional organisation, it is leadership 101. The buck ultimately stops with the leader. While everybody plays a part in cyber security, the C-level needs to set the stage right and pave the ground right: not just knowing the right direction to work towards, but doing things right.
I tend to see such leadership from the usual perspectives of people, process and technology.
On People leadership, it is about applying the right leadership style so that the right culture develops naturally. This aspect has been discussed rather extensively, with examples, in the earlier section.
On Process leadership, it is important to moderate the focus on certification and compliance and to balance paper audits with operational security. Is certification the be-all and end-all of protecting our enterprises from cyber-attack? Today, cyber breaches and data leaks continue to make headlines despite stringent audits and well-structured certifications. Well-complied systems are compromised not long after they pass audits with flying colours. Certification and compliance do not equate to operational security. What is needed alongside certification to truly protect our enterprises? Do paper certifications end up as an academic pursuit that gives business owners a false sense of security? It is important to lead with a well-balanced approach to security compliance and operational security.
On Technology leadership, it is important for the C-suite to look beyond product and functional innovations and keep abreast of innovations that entail radically differentiated technologies at the fundamental level.
One good example is to look beyond the detection paradigm. Most cyber technology fundamentals are still caged in the thought of "detection". Whether it is AV, multi-AV, machine learning, sandboxing or threat intelligence, most approaches today apply the most advanced technologies to detect the bad in order to remove the bad. Unfortunately, most have forgotten that we cannot detect advanced threats in the first place. Even if we are able to detect them now, we will not be able to later. It is a never-ending pursuit as long as the thinking is detection-centric. We need to move beyond that: we need to focus on eliminating the cause rather than detecting the effect. We need to focus on a detection-less paradigm, preach it to our people and start leading. For that, the thought leadership to educate people to think outside the box is paramount. People should start to think about how to apply fundamentally differentiated strategies to take care of advanced threats, rather than just managing the hygiene challenges. There are many detection-less strategies. For the convenience of this reading, I would cite Content Disarm and Reconstruction (CDR) as one such strategy. It has protected more than 350 CIIs since 2009 with zero incidents. For readers who are keen to know more, deeper information is available via this link.
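To make the detection-less idea concrete, the following is an added example written for this article; it is not code from the author, nor from any CDR product. It applies the CDR principle to the PNG image format, which is a convenient stand-in because its chunk structure is simple and public: instead of scanning the file for anything known-bad, the sanitiser parses it, keeps only the chunks needed to render the image (IHDR, IDAT, IEND), decompresses and size-checks the pixel stream against the declared dimensions, and then re-encodes everything into a fresh file with newly computed CRCs. Text chunks, unknown private chunks and any bytes stowed after IEND are discarded without ever being inspected for malice. The sample image and its extra payload are constructed inline for the demonstration; the 8-bit-only restriction is a simplification of this example, not a property of CDR.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Positive list: the only chunk types the rebuilt file may contain.
# Everything else (tEXt, tIME, private chunks, anything unknown) is discarded.
ALLOWED_CHUNKS = {b"IHDR", b"IDAT", b"IEND"}
# Bytes per pixel for 8-bit images by colour type (0 grey, 2 RGB, 4 grey+alpha, 6 RGBA).
# Palette (3) and sub-byte depths are out of scope for this example.
BYTES_PER_PIXEL = {0: 1, 2: 3, 4: 2, 6: 4}


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk with a freshly computed CRC (never copied from input)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(blob: bytes):
    """Split a PNG into (type, data) chunks up to IEND; also return any bytes after IEND."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        if len(blob) < pos + 12 + length:
            raise ValueError("truncated chunk")
        chunks.append((ctype, blob[pos + 8:pos + 8 + length]))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if not chunks or chunks[-1][0] != b"IEND":
        raise ValueError("IEND chunk missing")
    return chunks, blob[pos:]


def disarm_and_reconstruct(blob: bytes):
    """CDR for a PNG: keep only what is needed to render, rebuild the rest from scratch.

    Returns (rebuilt_png, list_of_dropped_items).
    """
    chunks, trailing = parse_chunks(blob)
    if chunks[0][0] != b"IHDR":
        raise ValueError("first chunk must be IHDR")
    ihdr = chunks[0][1]
    if len(ihdr) != 13:
        raise ValueError("bad IHDR length")
    width, height, bit_depth, colour_type = struct.unpack(">IIBB", ihdr[:10])
    if bit_depth != 8 or colour_type not in BYTES_PER_PIXEL:
        raise ValueError("image layout not supported by this example")

    # Reconstruct the pixel stream: decompress every IDAT with a hard output bound
    # (a decompression bomb cannot exceed expected + 1 bytes), then require exactly
    # one filter byte plus the pixel bytes per row and a cleanly terminated stream.
    expected = height * (1 + width * BYTES_PER_PIXEL[colour_type])
    decompressor = zlib.decompressobj()
    raw = decompressor.decompress(b"".join(d for t, d in chunks if t == b"IDAT"), expected + 1)
    if len(raw) != expected or not decompressor.eof:
        raise ValueError("pixel data does not match IHDR dimensions")

    dropped = [t for t, _ in chunks if t not in ALLOWED_CHUNKS]
    if trailing:
        dropped.append(b"<bytes after IEND>")

    # The output shares no bytes with the input except the validated IHDR fields
    # and the re-encoded pixels; compressed stream and CRCs are all regenerated.
    rebuilt = PNG_SIGNATURE
    rebuilt += build_chunk(b"IHDR", ihdr)
    rebuilt += build_chunk(b"IDAT", zlib.compress(raw, 9))
    rebuilt += build_chunk(b"IEND", b"")
    return rebuilt, dropped


def make_sample_png() -> bytes:
    """Constructed input: a 2x2 RGB image carrying a tEXt chunk and bytes stowed after IEND."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    rows = (b"\x00" + b"\xff\x00\x00" + b"\x00\xff\x00"   # row 0: filter byte + 2 pixels
            + b"\x00" + b"\x00\x00\xff" + b"\xff\xff\xff")  # row 1
    png = PNG_SIGNATURE
    png += build_chunk(b"IHDR", ihdr)
    png += build_chunk(b"tEXt", b"Comment\x00CONSTRUCTED-METADATA")
    png += build_chunk(b"IDAT", zlib.compress(rows))
    png += build_chunk(b"IEND", b"")
    png += b"CONSTRUCTED-TRAILER"  # content appended after the image proper
    return png


if __name__ == "__main__":
    clean, dropped = disarm_and_reconstruct(make_sample_png())
    print("dropped:", dropped)
    print("kept chunks:", [t for t, _ in parse_chunks(clean)[0]])
```

The point to notice is what the code does not do: there is no signature, heuristic or model anywhere in it. The metadata and trailer are removed not because they were recognised as bad, but because nothing outside the positive list survives reconstruction. That is the sense in which the approach eliminates the cause rather than detecting the effect, and it is why the same code behaves identically against an unknown variant and a known one.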
Unfortunately, there is no textbook for an effective cyber protection strategy. The cyber threat landscape is a wild jungle out there: a highly dynamic and constantly changing environment. For that reason, we advocate a practitioner's approach to dealing with the challenge effectively. A textbook-based approach typically does not work out. Some of our experience can be shared as follows:
Cyber security typically encompasses People, Process and Technology considerations. We have covered each of them in the earlier section.
These have also been addressed above in general terms. On results and KPIs, we can summarise them as follows: