Tensions continue to rise between the U.S. and China following Speaker Nancy Pelosi’s recent visit to Taiwan. As the Chinese military puts on a physical display of power, Taiwan’s presidential office and a handful of other pertinent Taiwanese websites were hit with cyberattacks.

Although these specific attacks are extremely minor compared to a cyberattack on critical infrastructure, it serves as a reminder for U.S. businesses and individuals to remain vigilant.

In part two of our cybersecurity series, AmeriVet Securities Advisory Board member and retired U.S. Air Force Colonel Brian Denman, provides recommendations on what the private sector, business owners and individuals and can do to reduce the risk of a cyberattack.

Protecting the Private Sector

While prevention of cyberattacks is obviously the most preferred course of action, complete prevention is not realistic in today’s complex threat environment.

Cybersecurity is best expressed in terms of risk exposure and risk reduction. Even with state-of-the-art security capabilities and Draconian controls, those risks cannot effectively be reduced to zero. The internet and all the networks the internet connects – including your organization’s own infrastructure – arguably represent the most complex machine, or set of machines, ever created by mankind. As machines, they are prone to the errors and flaws of their creators. Errors and flaws that can be exploited by any number of threat actors who only need to guess right once, while your security team needs must weigh every possible avenue of approach.

The best course of action in this environment is to focus on attainable goals that reduce unnecessary risk exposure for your firm, your customers and your stakeholders. These goals focus as much on mindset, prioritization and awareness, as they are concerned with specific technical actions:

• Prepare to compete. Cybersecurity isn’t a “solvable problem” that a one-time investment can mitigate for the future. The current situation looks more like an arms race that involves every individual and organization that touches the internet. As adversaries adapt and technology changes, cyber defenses must adapt and change, too. Competing means being prepared to smartly invest in people, methods and technologies to reduce cyber-related risk over time.
• Reducing risk exposure starts with knowing your organization’s risk exposure and priorities. The good general, Sun Tzu, said “if you know the enemy and know yourself, you need not fear the result of a hundred battles.” The same applies to cybersecurity. The most controllable aspect of this is knowing yourself. Like other business functions, cyber risk is a product of loss frequency and magnitude as derived from the threats to, the vulnerabilities of, and the criticality of the functions at risk. Actively link your core business processes to the technologies required for them to function.  Evaluate your risk through a balanced lens of relevant threats, unmitigated vulnerabilities, criticality to your business and criticality to others.
• Don’t confuse compliance with security or defense. Compliance standards and regulatory requirements represent a foundation that effective security or defense can be built on, but are mediocre at best, as a form of defense itself. Security is not the simple sum of implemented controls – one hundred security controls implemented in one area do not offset gaps in controls elsewhere. Good security and defenses require skilled placement of human, technical and administrative controls, enduring use of those controls, and continual active testing to ensure those controls yield effective risk reduction over time.
• Understand your inherited risks and fill the gaps. If there is one thing the COVID-19 pandemic has taught us, it is that risks to our businesses ripple to us through our supply chains. Supply chain attacks are also increasing in scope and frequency in cyberspace, as well. A risk accepted by a vendor or partner can rapidly echo to you, as was seen with the severe and highly-publicized Log4j vulnerability in December 2021 that impacted a major portion of the world’s webservers and cloud environments. Gaps in your security posture might echo further to your customers – you could be their supply chain risk. Explore software bills of materials (SBOMs) to increase your awareness of inherited risks in software. In cloud environments, take a sober review of your cloud provider’s “shared responsibility model” to clearly understand the risks you are contractually responsible for managing and build in active measures to reduce risk.  Consider third party risk support, including vendor assessments and threat intelligence.  Read your contracts carefully, analyze with supply chain risk in mind and realize that many risks in cyberspace aren’t so easily transferred to another entity (in real terms).
• Prioritize fundamental technical controls and actions over advanced ones. The most fundamental and least flashy controls still yield huge dividends. Master the basics, then augment with advanced controls. This includes:
  • Maintaining and auditing logs of security-related activities on key systems
  • Scanning and mitigating known vulnerabilities
  • Hardening access controls, including use of multi-factor authentication (MFA)
  • Turning off unnecessary services or unused accounts
  • Maintain a “least privilege” policy

For example, in the 2021 Colonial Pipeline breach, attackers exploited an unused and insufficiently monitored virtual private network (VPN) account to gain initial access in their hack, which resulted in disruption to oil distribution along the entire U.S. East Coast. Proper application of any one of the aforementioned controls, particularly MFA, log auditing and turning off unused accounts, would have likely prevented the hack. As you solidify your fundamentals, begin to add advanced and proactive measures, such as threat hunting and “purple teaming,” to validate your efforts and “lean forward” in your security posture.

• Test your controls, don’t just trust checklists – think like a bad guy. While compliance checklists are a useful tool, they do not inherently provide security. From a practical standpoint, no compliance checklist ever stopped an attacker in their tracks. Even the rare 100% compliant organization can easily fall victim to a cyber-attack any number of ways. Controls can be assessed to be “in place” but still not be configured to stop even the most common cyberattacks. Which brings us back to Sun Tzu: “know your enemy.” Use both internal and external Red Teams to assess your performance. Timing and repetition matter, too. Secure systems often don’t stay secure over time without revalidation. Assess, audit and test live.
• Migrate to zero trust architectures and resiliency. Historically, cyber defenses have evolved from a “hard outer shell with a soft center” to arrayed controls layered in depth (termed “defense in depth”). Defense in depth means that an attacker must circumvent multiple security controls to reach your sensitive assets, no matter which attack vector they come from. But today, attackers can still find thin spots or seams in security. The next evolution of defenses, “zero trust,” takes defense in depth and puts it on steroids. Zero trust architectures take an “assume you are already breached” perspective and requires both systems and users to continuously authenticate (in a frictionless way) to prevent malicious action from going unnoticed or even occurring at all. These architectures also include microsegmentation, which allows impacts to one portion of a network to be narrowly contained from other portions of a network, strongly boosting resilience. Expect to be hit – and be able to roll with the punch.
• Take a “when, not if” mentality. For most organizations, it is not if they will experience a cyberattack, but when. For others, it may even be how often. Create a comprehensive incident response plan and practice it live, if possible. The best cyber incident response plans are linked to business continuity plans – test them together. Test them at both the technical and executive levels. Creating an ad hoc response plan during an incident is a recipe for disaster. This will often prolong, and potentially increase the damage, as your incident response teams take unrehearsed actions to mitigate the effects of an attack. Be prepared for when the bad day comes.

Emphasize the human element. This is perhaps the most underappreciated aspect of this traditionally machine-centric discipline. Your biggest weakness is likely your own people…turn that into a strength. The most common cyberattack vectors today, as have been for years, are phishing and social engineering attacks. Invest in training and awareness for your workforce to combat this. Pay particular attention to “high value targets” in your organization, such as C-suite executives and users with privileged access, like system administrators. Test your people as well as your machines.  Critically, invest in your security teams, not just your toolsets. While cybersecurity tools are useful, particularly in separating the analytical “wheat from the chaff,” and preventing the predictable, it still takes skilled and empowered cyber defenders to both prevent and stop the most damaging cyberattacks. Empower and invest in that team.

Protecting Yourself and Your Business

For the average citizen, resources outside of the workplace or school are, frankly, a bit thin.   We’re relying on younger, “digital native” generations to help train older generations on how to stay out of trouble, with mixed results.

If you don’t have a local resource available to you, I recommend CISA’s Cybersecurity Awareness Program Toolkit and their “Stop. Think. Connect” campaign as a resource to get better informed.

In addition, many of the previously mentioned measures provided for businesses also can apply to individuals. Simply taking stock of what personal information and other sensitive data you keep online, as well as understanding those key online capabilities (like banking and other sites), can help you understand your personal online risk level. From that understanding, you can choose to enact technical controls, such as those recommended for businesses but on a smaller scale. Individually, we should all be:

• Using MFA where possible – especially MFA that uses a separate authenticator app or key as the second factor (avoid more easily spoofed SMS texts for authentication)
• Avoiding credential or password reuse across different sites, and using a password manager to help us become comfortable using longer and more difficult-to-guess passwords
• Keeping our home computers patched and updated
• Using tools to scan and remediate vulnerabilities – tools like anti-virus or endpoint intrusion detection/protection systems
• Avoiding downloading unnecessary software or clicking on untrusted links

For business owners, I would also recommend CISA as a resource for best practices, training guidance and useful tools.

Where they exist for an industry or critical infrastructure sector, I would highly recommend businesses join their respective Information Sharing and Analysis Centers (ISACs). ISACs are information clearinghouses (for vetted members) for cyber and physical security issues in a given sector or industry. They are focal points for cyber threat information, early warning and advisory products, vulnerability data and best practices relevant to their members.

In the U.S., they were created from an executive action in 1998 intended to protect critical infrastructure: Presidential Decision Directive-63. Today, 25 different ISACs exist.

There is an ISAC aligned to most of the federal government’s 16 critical infrastructure sectors, such as the Electricity ISAC, the Downstream Natural Gas ISAC, the Financial Services ISAC, and the Water ISAC, but they are not constrained to critical infrastructure alone.

Industry, or sector specific ISACs have also been created for election infrastructure, media and entertainment, real estate, retail, hospitality and space.

There is a Multi-State ISAC for government support below the federal government level for state, local, tribal and territorial governments.

Putting It All Together

Despite all these recommendations, there is no perfect solution for cybersecurity in existence today.  In large part this is because, despite the focus on the technology, the core of cybersecurity is about people and trust. In society and in business, we’ve integrated and trusted technology in deeply meaningful, but occasionally unreasonable, ways – technologies with all the natural flaws that we’d expect from any machine built by mankind.  As with most technologies, eventually bad actors seek to exploit that trust and that integration, elevating our risk.  Our ability to combat those bad actors and reduce our risk will be a product of human traits – forethought, preparation, persistence, commitment, education, training, teaming and collaboration – combined with smartly applied technology.

About Brian Denman 

Colonel Brian Denman retired from active duty in 2019, after a distinguished 25-year career in the U.S. Air Force as a communications and cyberspace warfare operations officer.

During his military service, he led Cyber Protection Teams for U.S. Cyber Command, the U.S. Air Force’s advanced cyber warfare and information operations schoolhouse, an enterprise network operations unit responsible for the global operation of the U.S. Air Force’s networks and an intelligence support unit.

Additionally, Colonel Denman served as a strategic planner and resource advocate on the Joint Staff, where he focused on Russia and emerging cyber threats. In this role, he also supported the creation and employment of the nation’s Cyber Mission Force, U.S. Cyber Command’s action arm to execute cyberspace operations in defense of the nation’s interests.

A native of Spokane, Washington, Colonel Denman earned his commission as a Second Lieutenant in the Air Force and his bachelor’s degree in business administration, with a focus on management information systems, from Washington State University in 1994.

He earned a master’s degree in management from Troy University and a master’s degree, with distinction, in national security and strategic studies from the U.S. Naval War College. In addition, he is a Certified Information Systems Security Professional and holds multiple cybersecurity industry certifications.

Following his military career, Colonel Denman and his wife, Amy, returned home to Spokane, where they own and manage a cybersecurity consulting and training firm, Sentient Forge, LLC.

He is devoted to educating our next generation of cyber professionals and helping organizations find success in today’s challenging security environment.