Published March 17, 2021
WRITTEN BY MICHAEL SOLOMON
Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.
Software security isn’t a state of being, or even a single action; it is a process, and one that requires more than just hardening your software.
The year 2020 saw a dramatic rise in cyberattacks, with many attacks specifically targeting IT infrastructure. Any attack that compromises an IT environment interrupts normal operations, which can effectively interrupt critical software operations. Regardless of how secure your software is, if you can’t access critical data or services, your application won’t be available to authorized users. And since availability is one of the “big three” tenets of security, unavailable effectively means insecure.
Ensuring software security is an organic and community-driven effort. For the most effective result, focus on actions that provide benefits for your software and its surrounding environment.
The last thing you want to do is constantly put out fires. A better approach is to get ahead of the fires. Learn to anticipate attacks and take proactive measures. Here are some ways to create a balanced threat-handling environment to make your software more secure.
Responding to attacks
The first step to handling any attack is to recognize that there is an attack being carried out. That may sound simple, but in many cases it isn’t. Non-disruptive attacks like data exfiltration may go unnoticed for months. Security is challenging even under normal circumstances, and the problem of handling attacks is even worse given the pressures of today’s realities.
Organizations of all types were put under more pressure when the new realities of COVID-19 changed the way people work and interact. But few sectors were impacted more than healthcare. In addition to changes in the workforce and patient interaction protocols, COVID-19 stretched every aspect of delivering quality healthcare. IT service and security concerns were just one part of the bigger problem. And in the midst of all the additional pressure, ransomware attackers sensed an opportunity and launched an unprecedented number of attacks against the healthcare sector.
For example, in October 2020, the University of Vermont (UVM) Medical Center suffered a successful ransomware attack that ended up disabling all online systems for several weeks. At first it wasn’t evident that the interruption was an attack, but once the nature of the attack did become clear, UVM personnel searched for nearly two hours before they found a file that contained a note from the attackers. CNN picked up on the alarming statistics and published a story about the UVM Medical Center attack, and the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory warning of the increasing number of ransomware attacks on healthcare organizations.
UVM had taken some precautions to harden their systems, but the attackers were still able to succeed. While there is no guaranteed approach that leads to an impenetrable defense, there are ways to make your organization far less vulnerable.
There is a constant need to iterate over updated threat information to stay ahead of the attackers. The goal is to approach the problems of security in parallel. If all you do is respond when you receive a new attack alert, you’re always chasing the attackers.
Rather than being reactionary, a better approach to handling security threats is to attempt to get out in front of the attacks. You’ll end up using less energy and fewer resources by preventing or avoiding attacks than by fighting them.
After you’ve responded to several incidents or attacks, you should see some similarities begin to emerge. Are most of the attacks a result of users following bad links? Or do you find that remote personnel often provide the entry point into your network for attackers?
Regardless of the technical details, look at your attack response documentation for any trends. That would be a good place to start hunting for the vulnerabilities that allow the recurring attacks to happen.
Many risk management approaches to cybersecurity take a general approach to finding vulnerabilities. While a general approach has benefits, if you find yourself fighting fires on a daily basis, you need a more targeted approach. To take the analogy further, think of how to prevent fires from starting. Before any fire department can implement a fire prevention program, they must identify the main reasons fires start. The most effective approach is to identify the reasons behind the majority of fires and rank them by their severity.
The same is true for cybersecurity attacks. Use your response documentation to identify the most common attacks, and determine which of those caused the most damage. The resulting list shows you where to go next.
Once you have a prioritized list of attacks, identify the vulnerabilities that allowed each attack to succeed. In some cases, the vulnerability is obvious, such as a default password that was left unchanged. In other cases, there may have been a series of subtle vulnerabilities. Figure out why past attacks succeeded, and then do something about it.
Mitigating and preparing for threats
The easiest attacks to handle are the ones that never happen. You’ll never be able to do away with every threat, but each threat that never becomes an attack represents substantial time and resource savings. The old saying “an ounce of prevention is worth a pound of cure” is so true in cybersecurity.
The best way to prevent a threat from being realized is to engage in an iterative process: monitor and investigate, learn, harden, and repeat.
Monitor and investigate
Your initial activities will start by responding to incidents or attacks. Hopefully, you’ll get a notification early enough to engage before the attack does too much damage. You should have monitors in place to alert you when things don’t seem normal. If you’re targeting ransomware, a file integrity monitor (FIM) can tell you if critical files change and give you a clue that you could be under attack.
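To make the FIM idea concrete, here is an added, minimal file integrity monitor (example code written for this article, not a Kiuwan or CISA tool): it baselines SHA-256 hashes of a directory tree, reports modified, deleted and added files on each scan, and raises a stronger alert when many files change in one scan, which is the pattern a ransomware encryption run produces. The directory contents, file names and the 50% mass-change threshold are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed threshold: if at least this fraction of baselined files changed or
# vanished in one scan, treat it as a possible mass-encryption event.
MASS_CHANGE_RATIO = 0.5


def build_baseline(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify each path as modified, deleted or added relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def assess(diff: dict, baseline_size: int) -> str:
    """A few changes are routine; many files changing at once is the ransomware-shaped signal."""
    changed = len(diff["modified"]) + len(diff["deleted"])
    if baseline_size and changed / baseline_size >= MASS_CHANGE_RATIO:
        return "ALERT"
    if changed or diff["added"]:
        return "WARN"
    return "OK"


def demo() -> dict:
    """Constructed scenario in a temp dir: one routine edit, then a bulk rewrite."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("a.docx", "b.xlsx", "c.pdf", "d.txt"):
            (root / name).write_bytes(b"original " + name.encode())
        baseline = build_baseline(root)
        (root / "d.txt").write_bytes(b"routine edit")       # one normal change
        routine = assess(diff_baseline(baseline, build_baseline(root)), len(baseline))
        for name in ("a.docx", "b.xlsx", "c.pdf"):           # three more rewritten
            (root / name).write_bytes(b"rewritten " + name.encode())
        bulk = diff_baseline(baseline, build_baseline(root))
        return {"routine": routine, "bulk": bulk, "verdict": assess(bulk, len(baseline))}
```

In a real deployment the baseline would be stored off the monitored host and the scan run on a schedule; the single edit yields WARN while the bulk rewrite of all four files yields ALERT.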
Once you detect an attack, you respond to it. A response effort includes containing the damage, assessing the blast radius, recovering critical functionality, and investigating what happened.
Any attack investigation should result in evidence that may advance your organization’s body of knowledge. Learning from an attack may seem like a trivial recommendation, but don’t overlook it. Use every response effort as an opportunity to learn more about how to do things better in the future. Looking at evidence as a learning artifact helps to avoid a similar attack later.
The last active step is to take action based on what you’ve learned. Do something to avoid falling prey to another attack. If your investigation pointed to obvious vulnerabilities, fix them. If not, perhaps further investigation is necessary. Don’t just take action to appear productive; take action that makes your organization more secure.
It would be great if one pass would be good enough. Unfortunately, it isn’t. Security is an ongoing process, and one that you’ll iterate through continuously. The good news is that it should get easier and you’ll get better at it the longer you stick with it. You know you’re doing better when the majority of your investigations are only for minor issues.
Very little in this article is new. Although you’ve probably heard many of these recommendations before, the need is still there. If every organization embraced security and made it a part of their culture, we probably wouldn’t see such an increase in attacks.
Security isn’t easy. It costs money and it takes time. The problem is that too few organizations realize that bad security will eventually be far more expensive and time-consuming than good security.
If you’re concerned about protecting your application software from ransomware attacks, take a look at the CISA Ransomware Guide. You’ll find some valuable recommendations on implementing a defense-in-depth strategy to help you avoid interruptions from ransomware.
Would you like to know more about implementing a SAST or SCA solution in your company? Get in touch with our Kiuwan team! We love to talk about security.