If there’s one thing SolarWinds showed us, it’s that the world’s digital supply chain was clearly not ready to protect itself from a large-scale hack. Around the globe, and here in Germany too, companies have been going about their daily business without a strong security foundation beneath them, leaving them critically vulnerable to cyber terror.
Security architecture is the process by which an organization can build that strong foundation, and prepare themselves for future hacks. So why isn’t it more widespread, and how can you better secure your own network by using simple security architecture steps?
Why are many organizations so easy to hack?
To start, it’s because hacks are getting worse
If you look at the trends in cyber crime, it’s clear to see that the problem is only getting worse.
Just a few years ago, 2017, the NotPetya attack by Russian agents on Ukraine showed the globe just how vicious a large-scale hack can be. Russian military hackers infiltrated a Ukraininan company (Linkos Group) and installed a back door into their system, allowing them to inject the NotPetya malware into the network. NotPetya was designed to dish destruction and spread rapidly, and it did its job perfectly – soon spreading outside Ukraine, even back into Russia, and becoming so powerful it took down the world’s biggest shipping company, Maersk.
Now add the modern trends. It’s 2021, and last year the German Federal Office for Information Security (BSI) discovered more than 117.4 million new malware variants, an increase on the year before. Not only that, but Microsoft found that state-backed cyber terror attacks are also on the rise, targeting private sector businesses as well as public.
Read more: “Is German cyber security ready for 2021?“
Case study: SolarWinds
SolarWinds is the current example of widespread cyber terror, a hugely damaging hack that is still unfolding as we write this article.
In 2019, Russian FSB-backed cyber terrorists snuck into the SolarWinds system, testing their abilities before eventually injecting their attack malware – Sunburst – into SolarWinds’ Orion product, which delivered a patch (and the malware) to more than 18,000 customers.
Since that point, at the end of 2020, the world’s top security firms have uncovered that the Russian agents used as many as five different strains of malware in the months-long operation, and dealt untold havoc to businesses up and down the digital supply chain. Microsoft Azure was one such victim, as was FireEye, a host of other US brands, and even Duetsche Telekom here in Germany.
A lack of firm security allows this to keep happening
It would be easy to lay all the blame on cyber terrorists, who grow increasingly sophisticated (and well funded) every year.
But the reality is that organizations must share the responsibility. Security is an often-overlooked part of the business, a box to tick. There is poor awareness of security policies up and down companies outside of the IT department and low cyber culture knowledge among staff (i.e. does your receptionist understand your security policies and their responsibilities, or the board, or sales, marketing, accounting, HR?).
Yet, staff have access to the network, and that network contains sensitive information and mission-critical applications. Anyone can make a mistake, especially if they don’t know what they don’t know.
Case study revisited: SolarWinds
To use some real-world examples, it’s been discovered since December 2020 that SolarWinds had a number of vital flaws in its security perimeter.
- The password to one of its servers was ‘solarwinds123’, which was leaked online due to a misconfiguration.
- Many of the staff used out-of-date web browsers and operating systems.
- SolarWinds itself advised customers not to scan Orion with their antivirus software, as the two apps often came into conflict.
How Would Security Architecture Have Helped?
Analyzing threats and developing control strategies is a key part of security architecture’s Create and Implement & Manage phases.
- First identify threats to your business attributes and drivers.
- Next, build control strategies to meet those vulnerabilities.
- Poor passwords and end-of-life components are discovered in the Create phase.
- Had SolarWinds defined its threats, it could have closed those key gaps as easy wins.
Supply chains attacks are hard to stop, but you don’t have to make it easy
The best way to look at security strategies going forwards is to assume that a breach is definitely going to happen.
That said, supply chain attacks are very often hard to defend against. No matter how hard you work to protect your organization’s data, it can all be undone through a single vulnerability in your partners and vendors.
However there are always solutions for your organization to mitigate or minimize the likelihood of those attacks having a negative impact on your business. We will discuss some of these practicalities below.
How Security Architecture Can Help
Supply Chain Management (SCM) is a common business attribute in security architecture.
- SABSA has a predefined SCM attribute for you to start with.
- Security architecture helps define the threats and opportunities within that attribute.
- This attribute can then become a main driver for new policies concerning SCM and its risks.
Read more: “How to respond to a cyber breach“
What can leaders do right now to improve their defences?
Here we’re going to learn how to:
- Revise your security architecture fundamentals
- Write new policies
- Review your third parties
- Build awareness across the company
1. Revise your architecture fundamentals
Security architecture takes place in phases. Without going through the earlier steps, jumping ahead could mean you’re flying blind – and therefore wasting time on strategies that won’t work.
First we have to Define the different factors that are important to our organizational security, including our business objectives, drivers and attributes. In the next phase, Create, we start to model our threats and their potential impact and only then, after all of those steps have been completed, can we begin to build and implement (Manage) control strategies.
So, any process designed to secure your business with better security architecture must go back to those fundamental steps of the Define and Create phases.
More practical steps to follow
- Review and revise your business objectives and drivers – make sure you still agree with them.
- Review and revise your business attributes, with a particular focus of updating the threats to those attributes to ensure they’re still relevant.
- Review and revise your threat analysis, again to ensure it’s still relevant.
2. Now rethink those policies
Security policies are written documents outlining how to protect your organization from threats, including computer security threats, as well as how to handle them when they occur.
These documents must identify all of your company’s assets (physical and digital) as well as the potential threats to those assets. This is what we talked about when we introduced you to Matko’s Pizzeria in our article, “Behind the scenes of security architecture“. Matko’s greatest asset was his kitchen, and insects posed a threat to that kitchen – so he developed control strategies (i.e. cleaning regimens) to mitigate their likelihood of attack.
Security policies are at the heart of the Logical security architecture phase (a part of the wider Create phase), but require physical procedures, component configurations and operating instructions at the Service Management layer, too.
In addition to those policies, you need well-defined procedures containing a detailed description of how the instructions in the policies should be carried out. Then, all of the above must be reviewed regularly to remain effective.
More practical steps to follow
- Audit everything. Agreements and contracts with third-party vendors; risk management policies; software update policies; staff onboarding and training; security access levels (who can access what?); age of company hardware; security policies in the DevOps teams. Look at it all through a security lens.
- Prioritize your assets and determine how to protect your data. This will enable you to invest resources in protecting the most important assets first. Again, we discuss prioritization in our behind the scenes article.
- Know what functions make economic sense to keep or build in-house, and what to outsource. But remember, outsourcing a function does not outsource your responsibility to keep it secure.
3. Review your third parties closely
Want your organization to be as safe as possible when it comes to third-party vendors? Treat them as your own.
Compare your defined business attributes with theirs. If you don’t think their policies follow the security protocols that are important to your enterprise, you may have to reconsider the agreement and look elsewhere.
You can’t change their policies, but you have a choice of who to work with.
4. Build awareness across the company
Cyber awareness is a crucial step to cyber protection. Anyone can make mistakes when they don’t know, say, how to set a strong password, use two-factor authentication, check a USB drive is safe, which links are OK to click in their emails … and so on.
Your auditing process should have highlighted key gaps in staff knowledge across the business. Over time, it would be wise to fill them – but remember that not everyone is IT savvy, so training will need to be catered to a language people understand and can engage with.
This step is linked with the idea of building agility across your organization, which is part of developing an agile security architecture with the SAFe framework – which you can learn more about in the video below.
More practical steps to follow
- Educate each employee on their responsibilities and accountability for security in your organization.
- Train them on strong authentication – i.e. using different passwords for personal and business use. Weak passwords are a very common attack vector for hackers.
- Establish two-factor authentication across the business, and ensure employees use it.
Your best defence is the best expertise
None of these steps individually are a silver bullet for countering cyber threats, but together they can improve your security, harden your enterprise through resilience and awareness, and make it more difficult for potential hackers to access your networks.
But security architecture is a full-time discipline all of its own. Your company may not have the right expertise in house – and that’s OK. That’s why we’re here.
You know your business. We know ours. Working together, we can help you walk through the security architecture process and tailor a unique solution to your specific business needs.
Interested in learning more? Join us for a live webinar on “Transforming Business Through Security Architecture”. Or, to speak with one of our experts, book a free maturity consultation today.