8/13/21
Protective Security: Building BRIDGES
by James Seaman
“War must be, while we defend our lives against a destroyer who would devour all;
But I do not love the bright sword for its sharpness,
Nor the arrow for its swiftness,
Nor the warrior for his glory.
I love only that which they defend.”
(J.R.R. Tolkien, 2020)1
Never has a quote been more relevant than for today’s modern digital businesses and their attempts to stave off their opportunist aggressors, as depicted in the news clipping in Figure 1 (Anon).2
Figure 1: Homeland Security News
The defense of the digital business is not about the number of shiny security tools it has but, more importantly, about knowing how well those security tools and your employees work cohesively to defend your business’s valued assets.
It is almost a decade since I transitioned across from a career in the Royal Air Force Police, having spent 22 years providing Policing and Protective Security activities, in support of an establishment’s mission statements.
Since transitioning across from my military service, I have noticed a strong leaning towards the term compliance:
Compliance. Originating from the 1640s, "act of complying; disposition to yield to others." 3
Based upon my long, extensive, and rewarding military experiences (where the term compliance was not widely associated with secure operations), it seems counter-intuitive to associate protecting your business with a term of yielding to the will of others.
Surely asking whether the business is adequately protected or suitably secured (to within acceptable risk tolerances) would be more appropriate questions:
- Protective. Originating from the 1660s, “affording protection, sheltering, defensive.”4
- Security. Originating from the mid-15c., "condition of being secure".5
You only need to look at the latest headlines6 to see that something needs to change, to bring a level playing field for today’s digital business and to help reduce the opportunities for their aggressors:
- The global cost of cybercrime reached over $2 trillion in 2020. (Juniper Research, 2019).
- On average, the cost of a data breach for organizations in 2020 is only about $3.86 million. (IBM, 2020).
- The United States has the highest average cost of a data breach at about $8.64 per attack. (IBM, 2020).
- The healthcare industry suffered the most from data breaches with an average cost of $7.13 million. (IBM, 2020).
- Each ransomware attack costs up to $84,116 to pay. (Coveware, 2020).
- 51% of organizations say they are ill-equipped to respond to a cyberattack. (FireEye, 2020).
- Ransomware variants are beginning to target large companies. For example, Ryuk ransom payments reached up to $780,000. (Coveware, 2020).
- 98% of companies who paid the criminals received legitimate decryptors. (Coveware, 2020)
- However, only 97% of encrypted files are recovered on average after companies paid the criminals. (Coveware, 2020).
- Cybersecurity is only the second technological priority among companies around the world at 49%, next to digital transformations at 54%. (Flexera, 2019).
- Targeted distributed denial-of-service (DDoS) attacks are sold for as low as $10 per hour on the dark web. (Privacy Affairs, 2021).
- Small businesses lose on average $200,000 per ransomware incident due to downtime and recovery costs, with many going out of business. (CNBC, 2019).
- Unplanned downtime can cost businesses from $926/minute (low end estimate) up to $17,244/minute (high-end estimate). (phoenixNAP, 2018).
To provide a different approach, in my latest book Protective Security: Creating Military Grade Defenses for Your Digital Business7, I have sought to explain how the military approach can be leveraged by today’s digital businesses to provide proportionate defensive measures, focused and prioritized around those assets that are deemed to be the most important for the business’ continued success.
The conversion of this strategy is delivered through the BRIDGES acronym, as depicted in Figure 2:
Figure 2: BRIDGES Acronym
During the past few years, we have seen a significant increase in the number of reported ransomware attacks. Consequently, if your business has operations that could be significantly impacted by a ransomware attack, wouldn’t it be sensible to evaluate how vulnerable these business operations might be to ransomware, and to measure and report on the effectiveness of the existing defenses against such an attack?
For example, REvil ransomware attacks8:
- How vulnerable are your valued business operations to the REvil ransomware family tactics9?
- Do you understand the type of tactics, as shown in Figure 2, that are leveraged in such an attack10?
- What would be the potential impact of a REvil ransomware attack?
- What assets are the most vulnerable?
- How effective are your defenses to this style of attack?
- How quickly could you detect the ABNORMAL activities and be able to relate these to stages in the aggressor’s kill chain? Such as:
Initial Access11
“The adversary is trying to get into your network. Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spear-phishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.”
- How quickly could you bounce back from such an attack?
Figure 3: REvil Attack Surface
In Summary
To effectively defend your organization and to help prevent harm to valued business operations, you should not be focused on having the latest security tools or an army of security specialists. Rather, you should be focusing on understanding the assets that are important for the continued success of the business and on ensuring that the security tools and personnel are appropriately employed for the defense of these assets.
The military defensive ethos is focused on the assets, understanding the risks, and ensuring that the defenses are proportionate to mitigate against the perceived threats.
For a proactive approach to the defense of your modern digital business, I think you will find that there is a great deal of benefit to be gained from the lessons learned over centuries of evolutionary development in military defensive tactics.
About the Author
Jim (James) Seaman has been dedicated to the pursuit of security for his entire adult life. He served 22 years in the RAF Police, covering a number of specialist areas (physical security, aviation security, information security management, IT security management, cyber security management, security investigations, intelligence operations, incident response and disaster recovery), before successfully transitioning his skills to corporate environments (financial services, banking, retail, manufacturing, ecommerce, marketing, etc.) to help businesses enhance their cyber/InfoSec defensive measures working with various industry security standards.
_____
1 J R R Tolkien (2020). The Lord of the Rings. Boston: Mariner Books.
2 Anon, (n.d.). Intel Agencies Warn of “More Destructive and Disruptive” Cyber Attacks on Infrastructure – Homeland Security Today. [online] Available at: https://www.hstoday.us/subject-matter-areas/infrastructure-security/intel-agencies-warn-of-more-destructive-and-disruptive-cyber-attacks-against-infrastructure-supply-chains/.
3 www.etymonline.com. (n.d.). comply | Origin and meaning of comply by Online Etymology Dictionary. [online] Available at: https://www.etymonline.com/word/comply [Accessed 25 Apr. 2021].
4 www.etymonline.com. (n.d.). protective | Search Online Etymology Dictionary. [online] Available at: https://www.etymonline.com/search?q=protective [Accessed 25 Apr. 2021].
5 www.etymonline.com. (n.d.). security | Search Online Etymology Dictionary. [online] Available at: https://www.etymonline.com/search?q=security [Accessed 25 Apr. 2021].
6 Andre, L. (2019). Cybercrime or computer crime costs US companies over half a billion dollars in annual loss. In addition, data. [online] Financesonline.com. Available at: https://financesonline.com/cybercrime-statistics/.
7 Seaman, J. (2021). PROTECTIVE SECURITY : creating military-grade defenses for your digital business. S.L.: Apress.
8 Javers, E. (2021). Axis of REvil: What we know about the hacker collective taunting Apple. [online] CNBC. Available at: https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html [Accessed 25 Apr. 2021].
9 attack.mitre.org. (n.d.). REvil, Software S0496 | MITRE ATT&CK®. [online] Available at: https://attack.mitre.org/software/S0496/ [Accessed 25 Apr. 2021].
10 mitre-attack.github.io. (n.d.). ATT&CK® Navigator. [online] Available at: https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0496%2FS0496-enterprise-layer.json [Accessed 25 Apr. 2021].
11 attack.mitre.org. (n.d.). Initial Access, Tactic TA0001 - Enterprise | MITRE ATT&CK®. [online] Available at: https://attack.mitre.org/tactics/TA0001/.
This article was contributed by James Seaman, author of Protective Security: Creating Military-Grade Defenses for Your Digital Business.