Why Is It Necessary to Run Cybersecurity Evaluation Exercises?
This is a guest article by IT service provider Asim Rahal
Cyber threats have been on the rise even during the pandemic. The World Health Organization (WHO) has not only been busy dealing with healthcare challenges; it has also seen a significant increase in cyber attacks. The rapidly growing volume and sophistication of attacks call for greater preparedness, especially through regular security exercises.
Here’s a question related to the field of security: Why do military organizations ceaselessly conduct combat exercises or drills? The answer is the same as the reason for running cybersecurity exercises every so often. Security validation is necessary for many compelling reasons. While cybersecurity technologies continue to improve, cybercriminals are also relentless in finding new ways to defeat security defenses.
MITRE ATT&CK® and the evolution of cybersecurity
Before discussing the benefits of cybersecurity effectiveness testing, it is worth discussing the growing prominence of MITRE ATT&CK®. This security framework has been gaining attention across different parts of the world because of its comprehensive assemblage of cyberattack techniques and tactics, from pre-exploitation to actual attack and post-attack steps.
The second word in MITRE ATT&CK® stands for Adversarial Tactics, Techniques, and Common Knowledge. MITRE is a US government-funded organization, spun out of MIT in 1958, with a substantial cybersecurity practice.
MITRE ATT&CK® represents one of the significant strides towards more effective cybersecurity practices. It serves as an extensive resource for security researchers, analysts, and incident response teams in evaluating and validating the effectiveness of their respective security defense systems.
Before the advent of MITRE ATT&CK®, organizations would have to manually run commands on a target server to determine if their defenses are working as designed. The commands are often sourced from or based on open-source tools and information banks. Another way to evaluate and verify security effectiveness is to use automated penetration testing software or red teaming resources.
Manual and automated pen-testing methods face crucial limitations, especially when it comes to simulating the full chain of an attack that involves multiple vectors. Additionally, they may not be current with the most recent threats and mitigation techniques.
MITRE ATT&CK® makes cybersecurity testing a collaborative, crowdsourced, up-to-date, and transparent process. It bolsters the efficiency and timeliness of the testing process. However, it does not change the reasons to continue regular security testing exercises; it simply makes rigorous, regular security testing easier to conduct.
What makes it compulsory to conduct cybersecurity evaluation exercises? Read on to get acquainted with these seemingly commonplace but frequently disregarded reasons.
Reason 1: Knowing if the system works
The primary reason for undertaking security testing is to know if the cybersecurity solution adopted by an organization works the way it is designed to. No matter how expensive and sophisticated a security system is, it means nothing if it does not work as expected.
This may seem relatively basic but the reality is that many organizations tend to neglect it. An ISFT Benchmark survey found that 74 percent of businesses do not conduct cyberattack simulations or exercises to test the effectiveness of their critical systems under development. For them, the process is just too time-consuming, costly, and even disruptive.
Many are under the impression that something that was planned properly and developed meticulously will work. Organizations that subscribe to this mindset do not necessarily settle for mediocrity, but they fail to see the reality that even the best systems created by the best developers do not always deliver the desired outcomes.
Adult Friend Finder, one of the biggest online companies, is expected to have a robust security system, especially because of the delicate nature of the services it offers. However, it suffered an embarrassing (for the company and more so for its users) security breach that resulted in the exposure of over 400 million accounts. The breach was attributed to a vulnerability in a module on the production servers used by the site, something which could have been easily detected and addressed if only the company had conducted regular security exercises.
Reason 2: Knowing if changes or tweaks are necessary
If the security testing routine finds zero faults or defects in the security system, then the organization would feel assured that there will be no problems that can interrupt operations or lead to losses and unwanted expenses. Otherwise, they would have to implement changes, adjustments, or a complete overhaul.
Fault correction, leak plugging, vulnerability resolution, and strategy improvements cannot take place without proper cybersecurity testing. Likewise, getting updated with the latest threats and security techniques is unlikely if security testing is not considered a necessity.
Adjustments and improvements do not always apply to security software. Sometimes, changes are needed in the protocols and the people who are using or accessing the system. A security defense solution can be highly reliable, but it may crumble when complex social engineering enters the picture.
As Accenture Managing Director Robert Kress puts it, “. . . humans are still the weakest link when it comes to an organization’s cybersecurity defenses.” Security testing, especially with the help of MITRE ATT&CK®, can help generate insights that reveal and address vulnerabilities attributable to people.
In 2014, eBay encountered a major security failure that resulted in data theft involving over 145 million user accounts. The attack involved social engineering that led to the hackers being able to use the credentials of three corporate employees. No matter how rigorous a security system is, if people fall for deceptive schemes, it will be easy for them to become instrumental in defeating their organization’s defenses.
Through security testing methods such as penetration testing, security professionals are able to determine the weaknesses in their system and introduce the necessary changes and improvements. Cybersecurity experts recommend testing at least once a year and every time there are major changes in the IT resources of an organization such as an office relocation or the replacement and purchase of new equipment.
Reason 3: Contingency planning
Even after making the adjustments or tweaks to address the weaknesses found during security testing, it is unwise to expect that foolproofing has been achieved. There are instances when the results yield confusing or ambiguous information. In some cases, organizations that are working with very limited resources are forced to make decisions in a bid for cost efficiency.
Organizations may be driven to adopt a specific low-cost solution that is considered adequate internally, but not so when external inputs are taken into account. In such cases, the security team would have to come up with contingency plans to prepare for possible adversities in case the existing strategies fail to work.
Moreover, it is possible that organizations may have the wrong security mindset. Compromises may mire the development and implementation of a cybersecurity strategy. With security testing, the security team can get useful information and insights to come up with contingency plans in anticipation of possible failures in the system.
Again, even the best planning and the presence of top security talent do not guarantee infallibility if the security system put in place is intentionally made below optimum or just on par with compliance requirements. At the very least, testing gives security teams an idea of the challenges they should expect and the alternatives they can take.
Reason 4: Ensuring operational continuity
Ultimately, cybersecurity evaluation exercises are needed to make sure that attacks do not result in unmanageable disruptions or downtimes that significantly impact business activity, profitability, and reputation. The IMF already considers cyber risk a threat to financial stability. Responsible organizations understand the need to take cyber threats seriously by not only having appropriate security solutions in place but also testing whether these solutions are sufficient.
Cyberattacks can disrupt businesses in a variety of ways. A successful DoS or DDoS attack, for example, can render a company’s website or online store inaccessible, leading to lost sales and reputational damage. Database breaches can be devastating as they force organizations to suspend operations to search for and plug the anomalies left by an attack while addressing the security defects. Viruses and other malware can create various adverse consequences that usually require companies to halt their systems until the malware is removed. Moreover, spyware can result in data losses that can also mean disruptions in business operations.
In light of the significant changes in the way businesses operate during the pandemic, security testing has only become more important. Working from home in particular is creating new cybersecurity challenges for many organizations. It creates numerous opportunities for cybercriminals to exploit.
Arguably, there is no excuse not to have thorough security testing nowadays. Enterprise and organization systems can easily adopt MITRE ATT&CK®. If they want an even easier way of evaluating and validating the effectiveness of their cybersecurity defenses, they can turn to enterprise solutions that also integrate MITRE ATT&CK®.
There are companies that offer highly simplified, wizard-based ATT&CK® solutions that work regardless of the platform they use. These tests can be undertaken across the entire kill chain and simulate the latest threats identified by the global cybersecurity community. Quick and seamless to deploy, they enable efficient security testing with remediation and mitigation guidelines to provide additional context for security professionals.
An incurable evangelist of cloud security, data protection and cyber risk awareness, Asim Rahal is a Detroit-based independent IT service provider. You can reach Asim via Twitter: https://twitter.com/asimrahal