As an electrical engineering student, I was envious of some of my peers – the mechanical engineers, the civil engineers, the geological engineers. They could see what they were doing; they could touch and feel their problems. They were physical. Mine were in my mind – you couldn’t touch them or smell them, but that didn’t make them any less real.
Cyber-security reminds me of that. It’s much harder to perceive what’s being done to protect so much of the information we rely on today, or what we should be doing to protect it. Physical security – safes, locks, cameras, passcards – these are well-understood by everyone. Move into the cyber domain, and it becomes much more difficult to get everyone on the same page.
As I recently explained in a speech at the Toronto Region Board of Trade (which was covered on expertIP), we see organizations caught in a difficult struggle mitigating potential cyber-security risks while earning and maintaining the trust of their customers. This requires skillful leadership, not just investments in technology. Even Symantec, one of the world’s best-known security software companies, declared the death of traditional anti-virus products, which may only catch 40 to 50 percent of the possible threats.
Hackers are also becoming more like businesses, with clandestine services that offer distributed denial of service (DDoS) and other threats in an on-demand fashion. With that in mind, perhaps the time has come for more businesses to take on the mindset of cyber-criminals in order to think through the scope of danger to their organization.
Lockheed Martin’s Cyber Kill Chain is considered the playbook used by cyber-criminals, and therefore the best method to translate your technical security posture to a business risk context. Let’s walk through the steps.
- Reconnaissance: research and analyze information about the target environment
- Weaponization: the malicious payload is ready for use against the target
- Delivery: transmission of the payload to the target
- Exploitation: takes advantage of vulnerabilities (technical, systemic/organizational, human)
- Installation: a vulnerability has been exploited and malware installed on the target
- Command & Control: outbound connection to the adversary who launched the attack
- Act on Objectives: the threat agent can take over the targeted asset (e.g. information retrieval, information manipulation, application misuse)
If you were trying to penetrate your own company’s network security, what vulnerabilities – technological or otherwise – might make working through these steps easier? Where might social engineering techniques be used to trip up your team? How far might you move down the Cyber Kill Chain before a threat or attempted attack is discovered?
This kind of thinking could help direct expenditures to those areas where your security controls are ineffective or missing. It could also kick off an important internal conversation about the value of information assets and data protection.
Even if information assets seem to be made up of nothing more than electronic files travelling invisibly over the Internet, business leaders need to educate those they work with that these items have real value. The forces trying to steal them certainly see them that way.