In 2020, companies were taught a lesson in the consequences of failing to shore up their defenses and improve their resiliency to cyber attack.
Ransomware took off, infecting companies and accounting for 81% of financially motivated cyber crimes. With the compromise of SolarWinds, government agencies, technology companies, and other organizations scrambled to assess the damage of the massive UNC2452 cyber-espionage campaign conducted by a suspected nation-state adversary. And data breaches and privacy violations continued to lead to significant fines as a variety of new privacy regulations came into force.
Companies in 2021 must work toward making their businesses more resistant to cyber attack and adverse events, specifically moving from focusing on individual systems to overall cyber resilience.
While the path to cyber resiliency is not easy, it can be successfully traversed. Here are four New Year’s resolutions your application security team should sign on to in order to improve your organization’s security maturity and reduce the risk of potential attacks.
1. Use strong credentials
Reused, weak passwords are the zombies of the cybersecurity world. Companies have repeatedly tried to eliminate them, but they always come back and—more often than not—are at the heart of major breaches.
In the latest case of massive cyber espionage, for example, an update server was reportedly protected only with the password “solarwinds123,” and brute-force password guessing could have gained easy access to the server and been the starting point for attackers. The Trump Administration learned this lesson as well, when a Dutch hacker twice determined that the password to the president’s Twitter account—his primary communication medium to his 89 million followers—was a simple one: “yourfired” and then “maga2020!”
Passwords should be dead. Companies should require strong credentials, prevent password reuse, and augment all passwords with other types of authentication. For developers, secrets—such as database passwords and private encryption keys—need automated tests to ensure that no sensitive credentials are exposed. Default entities must be removed where possible or at least disabled. Where credentials are required for services and non-personal accounts (NPAs)—such as for database access—those should not be reused outside of that particular lifecycle stage (DTAP: development, test, acceptance, or production).
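One way to implement the automated test for exposed secrets mentioned above is a scanner that runs in CI and fails the build when a source or configuration file contains a credential-shaped value. The following is an added example, not code from the original article; the pattern table, the placeholder markers, the entropy threshold and the sample configuration are all assumptions constructed for the demonstration, and none of the sample values are real credentials.

```python
import math
import re
import sys
from typing import List, Tuple

# Hypothetical secret formats for this example; extend the table for your own stack.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # key = "value" / key: "value" for common credential names; the value is group 2
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}
PLACEHOLDER_MARKERS = ("changeme", "example", "placeholder", "xxxx", "<", "${", "{{")
MIN_ENTROPY = 2.5  # bits per character; filters repeated or trivial values (assumed threshold)

def shannon_entropy(value: str) -> float:
    """Per-character Shannon entropy of a string (0.0 for empty or single-symbol input)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_placeholder(value: str) -> bool:
    """True for values that are templates or documentation stand-ins rather than secrets."""
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)

def scan_text(text: str, source: str = "<memory>") -> List[Tuple[str, int, str]]:
    """Return (source, line number, pattern name) for every likely secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "generic_assignment":
                value = match.group(2)
                # Placeholders and low-entropy strings are noise, not leaked credentials.
                if looks_like_placeholder(value) or shannon_entropy(value) < MIN_ENTROPY:
                    continue
            findings.append((source, lineno, name))
    return findings

def scan_files(paths: List[str]) -> List[Tuple[str, int, str]]:
    """Scan each file on disk and collect findings across all of them."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings

# Constructed sample input; none of these values are real credentials.
SAMPLE_CONFIG = """\
db_password = "changeme"
aws_key = AKIAQ7EXAMPLE0000001
api_key: "s3cr3tK3y-9f8e7d6c5b4a"
debug_password = "aaaaaaaaaa"
"""

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG, "sample.conf")
    for src, lineno, kind in hits:
        print(f"{src}:{lineno}: possible {kind}")
    sys.exit(1 if hits else 0)  # a non-zero exit fails the CI job
```

Run with file paths as arguments in a pre-commit hook or CI stage; with no arguments it scans the constructed sample, where only the access-key line and the high-entropy API key are reported while the placeholder and the repeated-character value are filtered out.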
Solutions do exist. For identity and attribute-based access, multi-factor authentication (MFA) is a key technology that can protect remote users. Microsoft estimates that 99.9% of account-compromise attacks rely on stolen or leaked credentials and can be blocked by MFA and “password-less” technology.
Any system that currently relies solely on passwords should either be bolstered by multi-factor authentication or have user-generated passwords eliminated. Limiting the time that security tokens are valid is important, as is setting the certificate’s expiration date not too far into the future. Validating that a certificate has not been revoked requires collaboration between business groups or between a company and its partners.
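The token-lifetime point above can be enforced at the verifier rather than trusted to the issuer: reject any token whose validity window exceeds policy, not just tokens that have already expired. The following is an added example, not code from the original article; the HMAC-signed token format, the 15-minute policy ceiling, the clock-skew allowance and the demo key are assumptions constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

MAX_TOKEN_LIFETIME = 15 * 60   # policy ceiling in seconds (assumed value for this example)
CLOCK_SKEW = 60                # tolerated clock difference between issuer and verifier
DEMO_KEY = b"constructed-demo-key-not-for-real-use"  # real keys come from a secrets store

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, lifetime: int, key: bytes = DEMO_KEY,
                now: Optional[int] = None) -> str:
    """Mint an HMAC-SHA256 signed token 'body.signature' carrying iat/exp claims."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "iat": now, "exp": now + lifetime}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(signature)}"

def validate_token(token: str, key: bytes = DEMO_KEY, now: Optional[int] = None,
                   max_lifetime: int = MAX_TOKEN_LIFETIME) -> Tuple[bool, str, Optional[dict]]:
    """Check the signature first, then the time claims. Returns (ok, reason, claims)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed", None
    body, signature = parts
    try:
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(signature)):
            return False, "bad signature", None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeError):
        return False, "malformed", None
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int) or exp <= iat:
        return False, "missing or inconsistent timestamps", None
    # Policy check: an issuer that hands out long-lived tokens is rejected even if unexpired.
    if exp - iat > max_lifetime:
        return False, "lifetime exceeds policy", None
    if iat > now + CLOCK_SKEW:
        return False, "issued in the future", None
    if now >= exp:
        return False, "expired", None
    return True, "ok", claims

if __name__ == "__main__":
    issued = int(time.time())
    short = issue_token("alice", 10 * 60, now=issued)
    long_lived = issue_token("alice", 24 * 3600, now=issued)
    print(validate_token(short)[:2])       # (True, 'ok')
    print(validate_token(long_lived)[:2])  # (False, 'lifetime exceeds policy')
```

Validating the signature before reading any claim keeps unauthenticated input from steering the checks, and making `now` a parameter lets the expiry and skew logic be tested without waiting on a wall clock.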
These are not easy steps. MFA can be expensive when you’re talking about hundreds or even thousands of accounts, and certificate management is cumbersome. Creating secrets storage and verification can be difficult. But the payoff for companies, in terms of cyber resilience, is enormous.
2. Maintain strict segregation
Segregation is a key concept in cyber defense. Companies need to segregate privileged roles from everyday users, segment networks to wall off sensitive capabilities such as finance and development, and restrict untrusted hardware and software components from accessing sensitive data. With the rise of connected devices and industrial Internet of Things (IoT) devices—such as surveillance cameras and industrial sensors—companies are increasingly susceptible to these devices’ security shortcomings, including poor upgradeability and basic errors, such as hard-coded passwords.
Understanding the purpose of established and maintained segregation and segmentation policies is key. Companies should identify their valuable assets—and take a broad view of what those are or could be—and then identify multiple interlocking layers that protect those assets. The key is to find defensive processes or technologies that can serve to protect multiple assets. The fact that the attacks on SolarWinds were able to infect the development process without raising an alert should be a warning.
Network segmentation can wall off untrusted and less secure devices from critical assets and resources, which brings us to our next lesson.
3. Maintain trusted resources and supply chains
Attacks on the supply chain are increasingly common. The SolarWinds attack focused on corrupting software updates sent out between March and June 2020. Alternatively, the use of untrusted or compromised hardware as a way to get inside a network is a common tactic of nation-state intelligence programs.
For developers, the problem is equally dire. Many development supply chains continue to mix untrusted and trusted components, leading to what commonly is called “trust-boundary violations.” About 70% of the code in modern applications is typically open-source components or libraries, but more than 91% of applications use code from projects that are either abandoned or more than four years out of date.
Yet companies cannot rely on third-party developers to become more serious about security. Overall, securing software is a low priority, according to a recent study by Harvard University and the Linux Foundation, which found that open-source developers typically spend less than 3% of their time on security.
Identifying and determining the level of trust of other supply chains, whether hardware, software, or services, should be a high priority for companies. Those that maintain their own applications should regularly check on the components used by developers to build those tools or, better yet, use automation to make the process simple and fast. External components and libraries must come from a verified source and a managed, staged repository, to validate the dependencies’ origin and increase security.
Companies need to not only know what resources are critical and which are untrusted, but also have visibility into the state of those resources. Change management, automated unit tests, and the detection of malicious behavior need to be bolstered to make such attacks on the software supply chain more difficult in the future. In addition, focusing on supply chain cleanliness and validating external software components—in terms of their origins and signature—are also important.
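Validating external components by origin and signature, as the two paragraphs above call for, can be made mechanical: pin every dependency to an exact version and a content hash in a lockfile, and refuse any artifact the build would otherwise consume that does not match. The following is an added example, not code from the original article; it uses pip's `name==version --hash=sha256:...` requirement syntax, and the package name, artifact bytes and lockfile are constructed for the demonstration.

```python
import hashlib
import re
from typing import Dict, Set, Tuple

# One lockfile line: name==version followed by one or more --hash=sha256:<hex> (pip's format).
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)

def parse_lockfile(text: str) -> Dict[str, Tuple[str, Set[str]]]:
    """Map lowercase package name -> (pinned version, allowed sha256 digests).

    Any requirement that is not pinned to an exact version with at least one hash
    is rejected outright, so a loose '>=' spec cannot slip into the build."""
    entries: Dict[str, Tuple[str, Set[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        match = LOCK_LINE.match(line)
        if not match:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", match.group("hashes")))
        if not digests:
            raise ValueError(f"no --hash given for {match.group('name')}")
        entries[match.group("name").lower()] = (match.group("version"), digests)
    return entries

def verify_artifact(name: str, version: str, data: bytes,
                    lock: Dict[str, Tuple[str, Set[str]]]) -> Tuple[bool, str]:
    """Decide whether a downloaded artifact may enter the build: known, pinned, and hash-matched."""
    entry = lock.get(name.lower())
    if entry is None:
        return False, "not in lockfile"
    pinned_version, digests = entry
    if version != pinned_version:
        return False, f"version {version} is not the pinned {pinned_version}"
    digest = hashlib.sha256(data).hexdigest()
    if digest not in digests:
        return False, "sha256 mismatch"
    return True, "ok"

# Constructed artifact and lockfile (hypothetical package name; the bytes stand in for a wheel file).
GOOD_ARTIFACT = b"examplelib-1.4.0 wheel contents (constructed)"
LOCKFILE = (
    "# constructed lockfile\n"
    f"examplelib==1.4.0 --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}\n"
)

if __name__ == "__main__":
    lock = parse_lockfile(LOCKFILE)
    print(verify_artifact("examplelib", "1.4.0", GOOD_ARTIFACT, lock))         # (True, 'ok')
    print(verify_artifact("examplelib", "1.4.0", GOOD_ARTIFACT + b"!", lock))  # (False, 'sha256 mismatch')
```

In a real pipeline the lockfile is generated once from the staged, verified repository and reviewed like code; `pip install --require-hashes -r lockfile.txt` then applies the same rule natively, and the parser above is useful for enforcing it on artifacts fetched by other tooling.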
Undetected compromises of IT processes contributed significantly to the success of the UNC2452 cyber-espionage campaign, for example, allowing attackers to insert malicious code into updates for the SolarWinds Orion network-management platform. In 2017, attackers infiltrated the network of system utilities developer Piriform, which had just been bought by security firm Avast, and pushed out malicious updates to its CCleaner utility, infecting customers. The same year, three updates published by Ukrainian firm Intellect Service, which produces accounting software known as M.E. Doc, had malicious code that resulted in the NotPetya ransomware attack.
4. Invest in monitoring and detection
Breaches happen. In 2020, 56% of companies suffered a ransomware attack, according to one survey. The average organization suffers some 22 security breaches every year, down from 30 breaches in 2019, according to business consultancy Accenture.
Failing to detect those breaches, however, can make the consequences much more damaging. Solutions do exist to detect and block lateral movement by attackers, especially when linked to behavior-anomaly detection. Define and maintain your SOC use cases to improve the quality of detection and reduce noise. Too many alerts will overwhelm investigation capabilities. You cannot detect behavioral anomalies without understanding and defining normal behavior. The malicious activities against SolarWinds could have been detected early and possibly blocked by a strict anomaly-detection system.
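The point that anomalies can only be detected against a defined "normal" is easiest to see with a concrete use case: build a per-account baseline of source networks and hours of day from a training window of successful logins, then alert only on deviations from it and on repeated failures. The following is an added example, not code from the original article; the log format, the failure threshold and all log lines are constructed for the demonstration and use documentation address ranges.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed log format: ISO timestamp, user, source IP, result.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) result=(?P<result>success|failure)$"
)
FAILURE_THRESHOLD = 5  # failures from one source against one account before alerting (assumed)

def parse_event(line: str) -> Optional[dict]:
    match = LOG_LINE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["hour"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    return event

def subnet24(ip: str) -> str:
    return ".".join(ip.split(".")[:3]) + ".0/24"

def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per user: the source /24s and hours of day seen in successful logins during the baseline window."""
    baseline: Dict[str, dict] = defaultdict(lambda: {"subnets": set(), "hours": set()})
    for line in lines:
        event = parse_event(line)
        if event and event["result"] == "success":
            baseline[event["user"]]["subnets"].add(subnet24(event["src"]))
            baseline[event["user"]]["hours"].add(event["hour"])
    return dict(baseline)

def detect(lines: List[str], baseline: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, alert name, user) for events that deviate from the baseline."""
    alerts = []
    failures = defaultdict(int)
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        user, src = event["user"], event["src"]
        if event["result"] == "failure":
            failures[(user, src)] += 1
            if failures[(user, src)] == FAILURE_THRESHOLD:  # fire once, not on every further failure
                alerts.append((event["ts"], "repeated-failures", user))
            continue
        profile = baseline.get(user)
        if profile is None:
            alerts.append((event["ts"], "no-baseline-for-user", user))
            continue
        if subnet24(src) not in profile["subnets"]:
            alerts.append((event["ts"], "new-source-subnet", user))
        if event["hour"] not in profile["hours"]:
            alerts.append((event["ts"], "unusual-hour", user))
    return alerts

# Constructed log lines (not real data); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
BASELINE_LOGS = [
    "2020-12-01T09:02:11Z user=alice src=10.1.2.17 result=success",
    "2020-12-02T10:15:40Z user=alice src=10.1.2.23 result=success",
    "2020-12-03T14:48:05Z user=alice src=10.1.2.17 result=success",
    "2020-12-03T08:30:00Z user=bob src=10.1.3.5 result=success",
]
NEW_LOGS = [
    "2021-01-04T10:05:09Z user=alice src=10.1.2.50 result=success",    # within profile: silent
    "2021-01-04T03:12:44Z user=alice src=203.0.113.7 result=success",  # new /24 and unusual hour
    "2021-01-04T11:00:01Z user=bob src=198.51.100.9 result=failure",
    "2021-01-04T11:00:02Z user=bob src=198.51.100.9 result=failure",
    "2021-01-04T11:00:03Z user=bob src=198.51.100.9 result=failure",
    "2021-01-04T11:00:04Z user=bob src=198.51.100.9 result=failure",
    "2021-01-04T11:00:05Z user=bob src=198.51.100.9 result=failure",   # fifth failure: one alert
    "2021-01-04T11:00:06Z user=bob src=198.51.100.9 result=failure",   # no second alert
    "2021-01-04T11:00:30Z user=carol src=10.1.3.5 result=success",     # account with no baseline
]

if __name__ == "__main__":
    for alert in detect(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(alert)
```

The constructed run yields four alerts from nine events: the in-profile login is silent, the out-of-hours login from a new network produces two, the sixth failure does not re-fire the threshold alert, and the account never seen in the baseline is surfaced for review. Each named alert maps to one documented SOC use case, which is what keeps the volume investigable.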
Be resolute for better resilience
Companies that focus on these four areas—and frequently rinse and repeat—will have a more resilient cyber infrastructure and a software development process that produces more secure software. Like many New Year’s resolutions, improving is often more of a journey than a destination. Tackling these challenges will not assure a resilient informational and operational posture, but it can help you to maintain good cyber hygiene and highlight deficiencies.