When the Cybersecurity Maturity Model Certification (CMMC) goes into effect this year, the Department of Defense will be holding its contractors to a higher standard than ever before. Whether they are ready for the change remains to be seen. In the past, DoD contractors were required to comply with standards like NIST SP 800-171, but compliance was self-attested and rarely verified, and many fell behind because of the leeway they had in implementation.
With CMMC, the DoD hopes to foster a “culture of cybersecurity” throughout its supply chain, and a big part of that is an emphasis on risk. The traditional compliance mindset works from a checklist of one-size-fits-all security controls; a risk-based mindset asks each organization to find its own weakest spots and prioritize them.
Under CMMC, bidding contractors must demonstrate the required level of security before a contract can even be awarded. CMMC provides plenty of guidance, but contractors will find its standards difficult to meet unless they take responsibility for their own unique risks. In this post, we examine what that effort entails, especially from the perspective of an organization’s adversaries.
What is Risk?
According to the Risk Management Framework (RMF) published by the National Institute of Standards and Technology (NIST), “risk” is a function of two factors:
- The likelihood that a threat will exploit a vulnerability
- The impact on the organization if it does
In some ways this matches the common-sense notion of risk, and in others it does not. For instance, by this definition a hacker is not a risk but a threat source; the risk lies in every weakness that hackers and other adversaries could use to their advantage.
It follows that whatever gives an attacker the greatest advantage is also the organization’s most serious risk. A security oversight may look minor from the organization’s side, but that misjudgment is much harder to make from the attacker’s side of the same weakness.
How Hackers See Risk
When conducting a cyber hunt, Securicon often uses red teaming to find less obvious vulnerabilities in an organization’s network. While a “blue” team works to defend the network from attack, the “red” team works to get past those defenses using a combination of techniques.
The two perspectives could not be more different. The blue team takes a hierarchical, organized view of the technology it defends; the red team is opportunistic, looking for any foothold that lets it subvert normal operations or cause disruption.
For hackers, “risk” therefore translates into “opportunity”. Individual attackers differ in their overarching goals, but all of them look for three basic opportunities:
- Access – establish an initial and persistent presence within the target organization for further activity
- Concealment – hide activity by evading detection, which means bypassing normal safeguards, disguising malicious activity as legitimate or creating a diversion elsewhere in the network
- Escalation – gain privileges and therefore greater control over a system
The greatest risks to an organization’s security center on these three goals and should be prioritized accordingly. Common examples include:
Wide Attack Surface
In a past article, we discussed the importance of minimizing the attack surface in the context of industrial control systems (ICS). The principle applies more broadly: a network becomes less secure with every new entry point, from routers to IoT devices. Upstream and downstream partners are also potential targets that hackers can use to gain a foothold.
Despite how far technology has come, hackers still rely on social engineering, both during reconnaissance and to gain initial access. Untrained personnel can be persuaded to divulge information that helps an attacker with access, concealment or escalation, or can compromise the organization by opening a phishing email or clicking a link that delivers malware.
Robbers rarely come in through the front door, and likewise the most sophisticated hackers look for an entry point that is poorly monitored or protected, so that their presence goes unnoticed. Thanks to the Internet of Things (IoT), organizations are now full of devices, from printers to coffee machines, that may carry significant vulnerabilities and need protection like any other host.
Lack of Security Controls
Missing or overlooked security controls, such as two-factor authentication (2FA), strong network passwords and encryption, mean one less obstacle for a hacker to overcome, and attackers will use such oversights to their advantage. Conversely, even a control that seems redundant can stop an attack at a crucial stage, which is the point of defense in depth.
Using a Hacker’s Mindset
The best security is proactive: it starts by finding risks and remediating them before anyone exploits them. As this risk-based approach becomes essential for meeting federal compliance standards, organizations will benefit from looking at their own systems the way an outsider would.
In 2020, consider investing in a professional risk assessment. With years of experience in a DoD context, our trained experts offer something automated tools cannot: human intelligence, creativity and a deep understanding of the way real attackers think.
Securicon is poised to support industry partners in preparing for CMMC through gap analysis and assessment of security practices and procedures. Contact us for more information.