Back to School: The 80/20 Rule

We keep hearing and reading about it over and over.
80% of cybersecurity threats can by prevented by good hygiene and best practices — while the other 20% requires a bit more sophistication.
We’d all be better off if we looked in the mirror and started with ourselves.
Even the longest journey starts with a single step.
By Sara Abraham in Asia Pacific FutureGov.
Emphasis in red added by me.
Brian Wood, VP Marketing

The 80-20 rule of cyber security

80 per cent of cyber attacks are opportunistic threats which can be tackled by cyber hygiene and best practices, according to Arnold Shimo, Chief Technologist, Innovation and Technology Centers at Lockheed Martin.
The remaining 20 per cent, however, consists of Advanced Persistent Threats (APTs) – unknown, predetermined, intentional and well-equipped attacks that anti-viruses cannot mitigate. Opening their workshop at the FutureGov Summit 2013 with this insight, Shimo and Mahesh Kalva, CTO, International and Tech Transition at Lockheed Martin, raised awareness about a different type of cyber risk posed to government agencies and how their Cyber Kill Chain strategy could be used to counter it.
Drawing the participants’ attention to certain inadequacies of the The National Institute of Standards and Technology’s (NIST) incident handling process of APTs, Shimo laid out the seven stages of Lockheed Martin’s Cyber Kill Chain – a strategy designed to help defenders understand the actions, intentions, methods and tools of the attacker.
The seven stages are:

  1. Reconnaissance
  2. Weaponisation
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control
  7. Actions on Objectives

In this model, an attacker has to go through all seven stages to be successful while the defender succeeds by disrupting, degrading or denying access to the attacker anywhere in the chain.
Kalva delved into various safeguards an organisation can employ, using the Cyber Kill Chain, to protect against APTs. These included prioritising sensor alerts and better communicating risks to leadership according to their position on the Cyber Kill Chain. Shimo further elaborated on how to prioritise investment in security and risk mitigation to the extent that is practical. He also he suggested limiting one’s outbound connections or points of presence on the internet so that all traffic that goes out to the internet must pass these two proxies, ensuring greater monitoring and transparency.
Shimo explained that the idea is to make such attacks unpalatable to hackers. Since these attackers are intentional about the attack, they invest in infrastructure to carry out the attack. By detecting their delivery mechanism or weaponisation software, they are forced to reinvest in another set of tools and infrastructure to continue the attack. Repeated detection makes the attack undesirable because it becomes too expensive to invest in technology at each stage.
“This is the way we defend Lockheed Martin today”, Shimo explained. “What Mahesh’s and my job has been is to take this and bring it to our customer’s benefit.”
Bearing in mind that their customers use multiple clouds – private clouds, Community Clouds, government clouds or industry clouds – Kalva explained that they are looking to engage in cloud brokerage and allow clients to choose the cloud that best suits their needs. They want to put a cloud wrapper around a client’s existing cloud to provide the same protection as if inside one’s own private cloud.
As part of the interactive nature of the workshop, the participants were divided into four groups. Each group was asked to discuss a problem they face in their organisations and to come up with a solution together. Though many of them were concerned primarily with fixing the 80 per cent rather than the 20 per cent, as pointed out by Gerrit Bahlman, Director of Information Technology at The Hong Kong Polytechnic University, the exercise highlighted the importance of creating awareness of this 20 per cent threat and the extent of the damage it can cause.
Arthur Nastos, CIO of the Department of Culture and the Arts, Western Australia, wrapped up the small group discussions by emphasising the importance of intrusion prevention and detection. He cited the example of his organisation, which does regular penetration testing by bringing in external consultants to hack into their systems (also known as ‘White Hat Hacking’). On this note, Kalva concluded by saying that ignorance is bliss, but knowing what you don’t know is the first step to security.