Login
As the majority of the global Covid fog finally started lifting in 2022, other events – and their associated risks – started to fill the headspace of C-level execs the world over. In my role, I regularly engage with CISOs in all kinds of sectors, representatives at industry bodies, and experts at analyst houses. This gives me an invaluable macroview not only of how the last 12 months have affected organizations and what CISOs are thinking about, but also how the upcoming year is shaping up.
Using this information, last year I wrote a blog summing up the nine top of mind issues I believed will most impact CISOs as we headed into 2022. Many of them still ring true now and will continue to do so, but some new concerns have risen up the agenda. Here are the topics that I think will be top of mind in 2023, and what CISOs can do to prepare.
One aspect that has come to the fore this year is the CISO’s position as ‘guardian of customers’ private data’ in the event of a breach, and their responsibilities over the level of disclosure they later provide. And here, we are not only talking about the legal duty to inform regulators, but the implicit moral duty to inform third parties, customers, etc. From my conversations this year, this whole area is getting CISOs thinking about their own personal liability more.
As a result of this, next year we could see CISOs tightening up the disclosure decision making process, focusing on quicker and greater clarity on breach impact, and even looking to include personal liability cover in cyber insurance contracts. CISOs will also likely be pushing more tabletop exercises with the executive leadership team to ask and answer questions around what is showed, to whom, and by whom.
Cyber insurance has become a newsworthy topic over the last 24 months, mainly due to the hardening of the market, as insurance products have become less profitable for underwriters and insurers’ costs have risen. But the topic will continue to be in focus as we move into 2023, with insurers demanding greater attribution – aka the science of identifying the perpetrator of a cybercrime by comparing the evidence gathered from an attack with evidence gathered from earlier attacks that have been attributed to known perpetrators to find similarities.
The need for greater attribution stems from the news that some insurers are announcing that they are not covering nation state attacks, including major marketplace for insurance and reinsurance, Lloyd’s – a topic I covered with colleague and co-author Martin Lee, in this blog earlier in the year.
Greater preparation and crystal-clear clarity of the extent to which attribution has taken place when negotiating contracts will be an essential element for CISOs going forward. For more practical advice on this topic, I also wrote a blog on some of the challenges and opportunities within the cyber liability insurance market back in June which you can read here.
Being a CISO has never been more complex. With more sophisticated attacks, scarcity of resources, the challenges of communicating effectively with the board, and more demanding regulatory drivers like the recently approved NIS2 in the EU, which includes a requirement to flag incidents that cause a significant financial implication or operational disruption to the service or to others within 24 hours.
With so much to consider, it is vital that CISOs have a clear understanding of the core elements of what they protect. Questions like ‘where is the data?’, ‘who is accessing it?’, ‘what applications is the organization using?’, ‘where and what is in the cloud?’ will continue to be asked, with an overarching need to make management of the security function more flexible and simpler for the user. This visibility will also inevitably help ease quicker decision making and less of an operational overhead when it comes to regulatory compliance, so the benefits of asking these questions are clear.
According to Forrester, the term Zero Trust was born in 2009. Since then, it has been used liberally by different cybersecurity vendors – with various degrees of accuracy. Zero Trust implementations, while being the most secure approach a firm can take, are long journeys that take multiple years for major enterprises to carry out, so it is vital that they start as they mean to go on. But it is clear from the interactions we have had that many CISOs still don’t know where to start, as we touched on in point #3.
However, that can be easier said than done in many cases, as the principles within Zero trust fundamentally turn traditional security methods on their head, from protecting from the outside in (guarding your company’s parameter from external threats) to protecting from in the inside out (guarding individual assets from all threats, both internal and external). This is particularly challenging for large enterprises with a multitude of different silos, stakeholders and business divisions to consider.
The key to success on a zero-trust journey is to set up the right governance mode with the relevant stakeholders and communicate all changes. It is also worth taking the opportunity to update their solutions via a tech refresh which has a multitude of benefits, as explained in our most recent Security Outcomes Study (volume 2).
For more on where to start check out our eBook which explores the five phases to achieving zero trust, and if you have already embarked on the journey, read our recently published Guide to Zero Trust Maturity to help you find quick wins along the way.
As with last year, ransomware continues to be the main tactical issue and concern facing CISOs. More specifically, the uncertainty around when and how an attack could be launched against the organization is a constant threat.
Increased regulation on the payment of ransomware and declaring payments is predicted, on top of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Ransom Disclosure Act, but that doesn’t help alleviate ransomware worries, especially as this will again put the CISO in the firing line.
CISOs will continue to keep a focus on the core basics to prevent or limit the impact of an attack, and again have a closer look at how any ransomware payment may or may not be paid and who will authorize payment. For more on how executives can prepare for ransomware attacks, read this blog from Cisco Talos.
Traditionally CISOs have talked about the importance of improving security awareness which has resulted in the growth of those test phishing emails we all know and love so much. Joking aside, there is increased discussion now about the limited impact of this approach, including this in depth study from the computer science department of ETH Zurich.
The study, which was the largest both in terms of scale and length at time of publishing, revealed that ‘embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing’.
For the most effective security awareness, culture is key. This means that everyone should see themselves as part of the security team, like the approach that has been taken when approaching the issue of safety in many high-risk industries. In 2023, CISOs will now be keen to bring about a change to a security culture by making security inclusive, looking to create security champions within the business unit, and finding new methods to communicate the security message.
Last year, we talked about preparing for the ‘great resignation’ and how to prevent staff leaving as WFH became a norm rather than an exception. In the past year, the conversations I have had have altered to focus on how to ensure recruitment and retention of key staff within the business by ensuring they work in an environment that supports their role.
Overly restrictive security practices, burdensome security with too many friction points, and limitations around what resources and tools can be used may deter the best talent from joining – or indeed staying – with an organization. And CISOs don’t need that extra worry of being the reason behind that kind of ‘brain drain’. So, security will need to focus on supporting the introduction of flexibility and the ease of user experience, such as passwordless or risk-based authentication.
Just when we thought it was safe to go back into the organization with MFA protecting us, along came methods of attack that rely on push-based authentication vulnerabilities including:
There has been a lot written about this kind of technique and how it works (including guidance from Duo) due to some recent high-profile cases. So, in the forthcoming year CISOs will look to update their solutions and introduce new ways to authenticate, along with increased communications to users on the topic.
This issue was highlighted again this year driven by regulations in different sectors such as the UK Telecoms (Security) Act which went live in the UK in November 2022 and the new EU regulation on digital operational resilience for financial services firms (DORA), which the European Parliament voted to adopt, also in November 2022. Both prompt greater focus on compliance, more reporting and understanding the dependency and interaction organizations have with the supply chain and other third parties.
CISOs will focus on obtaining reassurance from third parties as to their posture and will receive a lot of requests from others about where their organization stands, so it is crucial more robust insight into third parties is gained, documented, and communicated.
When writing this blog, and comparing it to last year’s, the 2023 top nine topics fit into three categories. Some themes make a reappearance, seem to repeat themselves such as the need to improve security’s interaction with users and the need to keep up to date with digital change. Others appear as almost incremental changes to current capabilities such as an adjusted approach to MFA to cope with push fatigue. But, perhaps one of the most striking differences to previous years is the new focus on the role of the CISO in the firing line and the personal impact that may have. We will of course continue to monitor all changes over the year and lend our viewpoint to give guidance. We wish you a secure and prosperous new year!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Written by Martin Lee and Richard Archdeacon.
Lloyds of London have recently published a Market Bulletin1 addressing the wording of cyber insurance policies to exclude losses arising from:
“state backed cyber-attacks that (a) significantly impair the ability of a state to function or (b) that significantly impair the security capabilities of a state.”
The concern raised is that this sort of attack will produce losses that the market cannot absorb. Most insurance policies already include provisions that exclude the consequences of armed conflict. Applying these to potential cyber warfare is a logical step.
The bulletin includes the tenet to:
“set out a robust basis by which the parties agree on how any state backed cyber- attack will be attributed to one or more states.”
What should the CISO be thinking of when reviewing such an exclusion clause, how can we clearly define this key term and what issues may arise?
Attribution is the science of identifying the perpetrator of a crime. In cyber attacks, this is arrived at by comparing the evidence gathered from an attack with evidence gathered from previous attacks that have been attributed to known perpetrators to identify similarities.
In practice, statements of attributions are carefully phrased. Rarely is evidence clear-cut. Frequently attribution is labelled as being ‘consistent with’ a threat actor, or wrapped in words of estimative probability such as ‘highly likely’, ‘probably’, ‘possibly’ etc.
The malicious actors who conduct cyber attacks are referred to as threat actors. The cyber research community identifies and keeps track of the actions of these threat actors, publishing compendia of known actors such as those made available by MITRE2 or Malpedia3.
Rarely do threat actors identify their true identities, they may actively try to confuse or frustrate attribution. Many of the named groups may be synonyms of other groups, equally many of the chains of evidence used to attribute groups may be incorrect. The compendia of threat actors should not be considered as reaching the evidence threshold of “beyond reasonable doubt”.
Some identified threat actor groups are assumed to be criminal gangs due to the nature of their activity. Others appear to be conducting attacks solely to further the geopolitical aims of a nation state and are assumed as being state sponsored or state backed. Some of these groups have been able to be associated with specific national intelligence agencies or state apparatus.
The following are four practical factors to consider when setting out a robust basis for attribution of attacks in a contractual basis.
Step 1 – Collect forensic evidence.
No attribution of an attack can be made without forensic evidence. CISOs should ensure that they are able to gather forensic evidence from attacks to identify as much information as possible regarding how an attack was carried out, and the infrastructure used by the attacker. This requires a basic level of security telemetry gathering with the ability to secure and query this data.
This forensic capability, how evidence will be gathered and preserved, should be agreed with the insurer. However, both parties must bear in mind that attackers may destroy or tamper with evidence, and in the urgency of halting an attack, forensic evidence may be compromised or omitted.
The CISO should be prepared to discuss internally with senior executives the possibly competing priorities of stopping an attack versus collecting good forensic evidence.
Step 2 – Define how attribution will be made.
The attribution of a specific attack must be made by comparing evidence gathered from the attack with that of previous attacks. CISOs should agree the process by which forensic artifacts are used to attribute attacks and the degree of certitude necessary to declare an attack as having been carried out by a specific group.
The set of organisations trusted to assert attribution should be agreed. Attribution made by national bodies such as NCSC, CISA or ENISA may be assumed to be reliable, as may those made by major security vendors (such as Cisco) with expertise and resources that a CISO will never have inhouse. However, anyone can suggest attribution. CISOs should be certain to insist on the exclusion of assertions that have not been confirmed by a trusted entity.
This raises the question as to whether a trusted organisation would be prepared to support their attribution in a scenario where they would have to expose their intelligence sources and methodologies to examination. Attribution may be based on classified intelligence, or made according to ‘fair efforts’ that fall below the legal threshold of “on the balance of probabilities.”
Step 3 – Consider the volatility of attribution.
The gathering of evidence and intelligence is a continuing process. Information previously assumed to be fact may be subsequently identified as incorrect or a purposeful red herring. New evidence may be identified months or years after an attack that changes the estimated attribution of prior attacks.
CISOs must determine a period after which the attribution of attack (if made) will not be changed even if subsequent evidence is uncovered.
Step 4 – Define the nature of state backing.
CISOs should agree what constitutes state backing. Ideally CISOs should agree with their insurers the set of threat actor groups (and their synonyms) which are considered to be ‘state backed’.
State involvement in cyber attacks is a spectrum of activity. Criminal threat actors may be under various degrees of state tolerance or encouragement without being fully backed by a nation state. Some criminal groups may be under partial state direction, acting in a manner akin to privateers. Some state backed actors may indulge in criminal style attacks to boost their coffers.
In any case, criminal and state sponsored actors can easily be confused. They may choose to use the same tools or apply the same techniques to conduct their activities. Non-state threat actors may come into possession of state developed tools which may have been stolen or traded without permission.
Some threat actors may actively resort to influence attribution, either through choice of tooling, or through sock puppet accounts attesting attribution, to increase pressure on CISOs to pay ransoms by influencing if insurance is paid out or not.
The decision line where an attack can be referred to a ‘state backed’ is a fine one that requires consideration and agreement.
Changes bring opportunities, the need for this robust process may cause complications for CISOs. But it is an opportunity for CISOs to review the details of cyber insurance contracts and to hammer out the details of how issues of attribution will be determined.
Lloyd’s Market Association provide sample clauses for insurers4, we intend to consider these in a subsequent blog.
One thing is certain, there will be many opportunities for the legal profession.
The information provided here does not, and is not intended to, constitute legal advice. When negotiating a specific matter, readers should confer with their own legal adviser to obtain advice appropriate for a specific insurance contract issue.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
FreshRSS 