Cyber malfeasance comes in a variety of forms and is conducted by an almost equally diverse threat actor ecosphere. The news is rife with examples of big and small cyber theft of money or data; of disruptive attacks directed against public and private sector organizations; of increasing threat activity against critical infrastructures; of severe vulnerabilities that continue to emerge and need patching; and of mundane and innovative attack types and methodologies that are forever knocking on the cyber perimeter. The benefits of increasingly advanced and connected technologies are now almost on par with the dangers associated with them, a true double-edged digital sword. A quote by the French culturalist Paul Virilio captures this sentiment perfectly: “The invention of the ship was also the invention of the shipwreck.” Such is the dichotomy of cyberspace, where hostile actors race to keep pace with its rate of innovation.
The volume of cyber-related information is daunting, to say the least. The term “cyber professional” can encompass a multitude of functions and disciplines of varying technicality. Skills include but are not limited to network security, network architecture, application security, data loss prevention, forensics, vulnerability management, incident response, security auditing, encryption, and threat intelligence, to name a few. When applying a security mindset to cyberspace, it is fairly easy to get lost down a rabbit hole of malware, tools, and vulnerabilities, as well as the actors that develop them, promote and sell them, and use them. It is unsurprising that cyber security professionals are worn out from a never-ending assault of cyber threats trying to penetrate their organizations’ perimeters. Per one report, more than 90% of security professionals surveyed admitted to being stressed in their roles, with 46% disclosing that they considered leaving the industry permanently. This can happen given the volume of attacks organizations face on a daily basis, as any given attack will have action items for cyber professionals in a variety of disciplines (e.g., writing detection signatures, ensuring patch management and configuration, remediating and removing the threat, conducting forensics where necessary, threat intelligence reporting to inform leadership, etc.).
While the cyber attack kill chain focuses on the step-by-step mechanics of hostile activity, the attackers’ main goal is to abuse the trust inherent throughout the model, because trust factors in at every level of a cyber-interconnected world. Through this prism, trust is a principle that may be as extensive and multi-faceted as cyber itself, as it is the very cornerstone of securing the digital environment. The savvier attackers understand that by successfully exploiting trust, they exponentially increase the chances of their success in whatever type of attack they are executing. Consider the following attacks and how trust is targeted and manipulated in order to achieve operational success:
We are now in a world where the mantra is “trust no one,” and a prominent cybersecurity strategy circulating in the public and private sectors is the concept of “zero trust.” A zero trust model requires that all possible vectors into an organization are monitored, which can be an overwhelming task for security teams often mired in financial and human resource constraints. A 2022 IBM report found that only 41% of surveyed organizations had implemented zero trust security architecture in their environments, a low number given the cybersecurity state of affairs. Further complicating matters, trust extends beyond architecture and systems, and beyond confirming user identity, device identity, and device health.
As new security technologies emerge to address zero trust issues, organizations need to consider how trust can be targeted and manipulated for nefarious purposes outside the technical space.
For example, in the greater information sphere that leverages the cyber domain to produce, process, and disseminate data, people need to trust the sources of content and stories to help inform their decisions. Exploitation of this type of trust can have negative consequences for an organization’s brand, image, and reputation, potentially impacting public perception and affecting its bottom line. Considering the promulgation of disinformation, organizations also need to be cognizant of material being published about them or their industry and be prepared to validate what’s being spread around, and counter-message it if necessary.
One influential consultant said, “Trust is perhaps the most critical single building block underlying effectiveness.” This is especially true as we move into 2023. The CIA (confidentiality, integrity, availability) triad has been around since 1986, and has served as an important security model for organizations. But it’s also outdated, and its focus is too narrow. It needs updating to bring it up to today’s standards. Trust, Visibility, and Resilience are natural complements to the triad, as they address the areas in which organizations need vast improvement and are not confined solely to the technological space. Security concerns have expanded past perimeters, and focusing on trust will help organizations direct attention where it’s most needed. And in 2023, that’s the road organizations should take, not only for their own security but also for their own success.