Speaking in the keynote theatre at Infosecurity North America, Jim Routh, CSO at insurance behemoth Aetna, told audiences that cybersecurity control frameworks, while useful, are not sufficient in today’s threat environment to cultivate effective risk management.
In his “Managing & Mitigating Risks & Threats in the Digital Enterprise” presentation, Routh noted that while frameworks like the ISO 27001 and NIST’s Cybersecurity Framework (CSF) specify useful control methods, standards and procedures, all too often threat actors study them to uncover where the controls are in order to bypass them. Therefore, new approaches are needed.
In an example of the realities driving such tweaking and the adoption of unconventional controls, Routh outlined the No 1 threat to companies and individuals, which is phishing. Under traditional frameworks, the main mitigation technique is employee education.
“The recommendation is to spend time and money convincing employees not to trust email,” he said. “We know from history that when you extract trust, civilization breaks down. Similarly, if you extract email from the enterprise, the enterprise will fall to its knees. This is not a sustainable model, but it remains a conventional control.”
He noted that each of the main types of phishing has better, unconventional controls to consider. For instance, for spoofing, companies can implement DMARC. He said that at Aetna, DMARC implementation has had a side effect: because the email is trusted, the company has seen a 10% lift year after year in the open rate for its email communications.
Similarly, in phishing attempts that use look-alike domains (most typically they have one letter off from the legitimate site they’re attempting to impersonate), sinkholing for newly registered domains is an effective approach.
“Essentially, you can write a script that ensures the server doesn’t deliver any email from a newly registered domain for 48 hours,” Routh said. “This is effective because all phishing sites are new. They use 24- to 48-hour migrations to avoid spam filters.”
When the phishing mail is sent from a compromised account, this may be the most difficult to detect and stop. For its part, Aetna has deployed a machine-learning tool that uses behavioural analysis to determine a unique fingerprint for anyone sending mail. It also leverages the FIDO standard for multiple authentication types.
Also driving unconventional controls are several tectonic shifts in the threat landscape, he added. These shifts include the rise of drive-by browser infections in 2008.
“The bad actors realized that 75% of web servers are misconfigured,” Routh explained. “They can inject a key logger and you would never know. This was a big shift.”
In more recent days, he noted that 5 billion online credentials were harvested in 2016—and that with a brute-force tool known as Century MBA bad actors can at scale own hundreds of thousands of online accounts. “Binary authentication is becoming obsolete and it’s fundamentally changing the industry,” Routh said.
This year, in the most recent shift, increased nation-state attacks using tools like WannaCry and Petya are changing the control requirements.
“These attacks were designed to look like ransomware, but they not meant to collect money,” Routh said. “These were data destruction events with political motivations. And that puts a premium on information-sharing—an unconventional control.”
Overall, the upshot is that while conventional frameworks are an important starting point for risk mitigation, it’s necessary to be dynamic.
“At Aetna, we’re adjusting our controls based on bad actor tactics,” he said. “And that’s what you have to do if you’re risk-driven. We make on average 1.5 changes per day to our control standards or procedures. Where once this would be seen as a sign of immaturity, in today’s world such agility is an important indicator of resilience.”