How a Human-First Approach Helps Protect Against Cybersecurity Vulnerabilities

There is a saying that life imitates art. Sometimes life also appears to imitate cybersecurity events. According to Space.com the solar wind “is a continual stream of protons and electrons from the sun’s outermost atmosphere … When the solar wind reaches Earth it sends a flurry of charged particles into the magnetosphere and along Earth’s magnetic field lines.”

“In addition to the constant streams of solar wind, the sun sometimes expulses massive quantities of those charged particles in one go. These events, known as coronal mass ejections, can trigger geomagnetic storms in the environment around Earth, which are associated with the beautiful aurora displays, but can also wreak havoc with power grids, telecommunication networks and satellites orbiting the planet.”

The description above is rather apropos for the widespread, high-impact cyberattack nearly two years ago when SolarWinds – the company – reported that the Russian threat group Nobelium breached the build environment of their Orion network management platform and planted a backdoor, dubbed SUNBURST, that was then pushed out to the company’s customers as legitimate software updates. Some 18,000 customers received the poisoned updates, including Microsoft, Intel, and government agencies such as the Department of Energy. 

SolarWinds is now facing legal troubles and agreed to pay $26 million to settle claims in a class-action lawsuit filed against the company and some of its executives. The lawsuit claimed the company had misled investors in public statements about its cybersecurity practices. Separately, the SEC may be taking enforcement action against SolarWinds for its alleged violation of federal securities laws when making statements and disclosures about the 2019 data breach.

The SolarWinds incident demonstrated how human thinking and decisions are at the core of cybersecurity – both in setting development priorities to reduce vulnerabilities and in how a cyberattack is managed after it occurs. 

Despite the ongoing legal aftermath, being at the center of this storm has forced SolarWinds to implement multiple changes to the development and IT environments with a new secure-by-design approach that other organizations can learn from. For example, they now create resources on demand that are destroyed when the task is completed so attacks have no opportunity to establish a presence.

The case of SolarWinds illustrates just one type of vulnerability critical infrastructure and organizations face. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) are currently focused on developing partnerships and gaining feedback on protecting against the risks posed by IT and OT connectivity and legacy systems. 

NIST is currently asking for feedback on a proposed project that would pilot solutions for water and wastewater plants. Another Dark Reading article discusses a partnership between Idaho National Laboratory and NIST to develop a plan to ensure utility companies and the energy sector use cyber-informed engineering when connecting to the grid.

In addition to national security risks, ransomware is a risk to the sustainability of affected companies. The article, “Your OT Is No Longer Isolated: Act Fast to Protect It,” mentions how United Structures of American Inc., formerly valued at $100m, filed for bankruptcy largely due to losing most of its data in a ransomware attack. Cybersecurity and data protection must become a priority to an organization’s leadership.

A new Microsoft Digital Defense Report 2022 finds that nation-state groups are increasingly targeting critical infrastructure, and they are also using automation. Countries like China are also attempting to stockpile zero-day bugs using regulations demanding that vulnerabilities are submitted to their Ministry of Industry and Information Technology within two days of discovery. Evolving, advanced tactics mean that organizations must stay informed and also evolve their own defenses.

CISA Director Jen Easterly recently spoke at a forum on being optimistic that U.S. companies will embrace cooperation for the new cybersecurity performance goals released at the end of October. She also commented that, “We’re not in the business of naming or shaming or hurting anybody’s reputation or stabbing the wounded.” Easterly likened the approach to a neighborhood watch system.

The idea that cybersecurity “shame” prevents effective communication and collaboration is important because breaches often cause employees and leadership to not be honest or transparent when an event happens. Often the cause of the breach will be due to a mix of factors including lack of awareness, technology tools that are not user-friendly, overworked IT staff, or due to an organization’s culture that hinders incident response.

Zero Trust is the security strategy that acknowledges people make mistakes and starts with identifying and prioritizing what needs protection so that you can minimize exposure and create policies, supported by technology, that protect systems and data.

A November ATARC event brought together federal cybersecurity experts who explained that Zero Trust is a journey. Shane Barney, CISO at the DHS United States Citizenship and Immigration Services (USCIS) remarked that they are probably further along than other agencies and “we’ve made a lot of mistakes along the way [and] learning from those mistakes is really critical, so reach out to your federal partners.” He recommended heavily investing in automation.

Automation is important because computers can help minimize fatigue performing repetitive, data-intensive tasks and monitor tedious alerts so that organizations can leverage the strategic abilities of people assets.

We recently wrote an article on protecting critical infrastructure using CISA and NIST cybersecurity guides, soliciting creative “Gordian Knot” solutions, and the importance of risk assessment, asset inventory, and intelligent automation:

Protecting critical infrastructure with CISA and NIST cybersecurity guides, “Gordian Knot” assessment, and automation

The protection of data is a primary focus of Zero Trust. One major development in data protection and privacy is that employee Data Subject Access Requests (DSARs) are on the horizon. “Beginning on January 1, 2023 when the revised version of the CCPA officially goes into effect, employees will be entitled to the right to access, update and delete their personal data in the same way that consumers can.”

Organizations must take action now to prepare according to CPO Magazine. Research found “it takes on average 83 hours to complete a DSAR and less than 50% were able to fulfill these requests within the mandatory time limit.” Steps recommended include:

    • Establish an operational data inventory
    • Implement data discovery capabilities
    • Define a DSAR workflow
    • Invest in automation now

    Data is critical for digital transformation and data analytics insights. The U.S. Labor Department is unlocking data as its “Superpower” according to a Health IT Security article, and the Chief Data Officer, Scott Gibbons, says their data strategy focuses on the four FAIR principles: make data findable, accessible, interoperable, and reusable.

    However data sprawl creates a security dilemma if data is spread across different cloud platforms and visibility is “nearly impossible.” A Help Net Security article states “it is common for employees to collectively upload, create, share, or store data in roughly 138 different external apps in their daily work.”

    The reality is most, if not all, organizations are going to face cyberattacks, potential data breaches, and they will make mistakes. As regulation increases, the key is how is leadership and the organizational culture supporting proactive response, collaboration, transparency, and improvements?

    The well-known researcher, author, and speaker, Brené Brown, has worked with many Fortune 500 companies, and appeared in her now famous TED Talk on “The Power of Vulnerability” in 2010, and more recently, in a Netflix special in 2019 titled “The Call to Courage.” 

    Cybersecurity is a world of vulnerabilities, but Brown makes the point that the most important power we have as humans is our vulnerability. She says that to foster innovation, creativity, and connection requires us to be authentically vulnerable, including in the workplace. Her research states that there is no courage without vulnerability. In today’s world, we need brave, creative thinkers who collaborate to solve these difficult challenges.

    Security must be built around users with a human-first approach, according to a Dark Reading article, because often security tools foster a “false sense of protection, we’re fomenting risk and making them more vulnerable” due to existing cybersecurity beliefs, processing styles, and habits. 

    A few of our articles highlight the importance of assessing assumptions, bias, and conditioning. We also address inventorying assets and using intelligent automation to improve the accuracy of the risk assessment process:

     
    Cybersecurity is a journey of continual change and mistakes will happen that may be out of your control. Effective risk management and supportive automation are critical to human-first cybersecurity so that your people and processes can efficiently grow and improve. Risk management is dependent upon an accurate understanding of your assets, risks to those assets, and prioritizing threats and controls.

    Anacomp’s data discovery and intelligent document processing solutions help provide data asset visibility and automate multiple data inventory, risk assessment, digital transformation, and processing functions for cybersecurity, risk management, compliance, cloud and data migrations, and analytics projects. Conducting a DSAR is fast and easy saving IT resources hours of time.

    Data Discovery and Distillation (D3) provides a single pane view of both structured and unstructured data stores for over 950 file types with visualization of all file properties and customizable metadata. Risk filters, workflows, data tagging, and federated search help to clean data up and then keep it that way with ongoing, automated monitoring. D3 is unique in that it provides actionable visibility for a broad array of data types with data visualization down to the content-level, not just file attributes.

    High-Speed Intelligent Document Processing uses technologies like Artificial Intelligence, Machine Learning, and Natural Language Processing to process and ingest many types of data including handwriting and poor quality documents, as well as images, enabling you to incorporate more data into your projects. 

    These solutions can be combined and customized to validate and improve data quality for security, compliance, and analytics projects. 

    You can test out data discovery on your own data with a free 1 TB Test Drive of Anacomp’s D3 AI/ML Data Discovery Solution.

    This article is an updated version of a story that appeared in Anacomp’s weekly Cybersecurity & Zero Trust Newsletter. Subscribe today to stay on top of all the latest industry news including cyberthreats and breaches, security stories and statistics, data privacy and compliance regulation, Zero Trust best practices, and insights from cyber expert and Anacomp Advisory Board member Chuck Brooks.

    Anacomp has served the U.S. government, military, and Fortune 500 companies with data visibility, digital transformation, and OCR intelligent document processing projects for over 50 years