The Cyber Poverty Line


I recently had the chance to participate in my third “Cyber Moonshot” session. During a brainstorming session on how to increase the cost of performing cyber attacks by 100x, Andrew Wild mentioned the concept of the “Cyber Poverty Line”. This concept made it into our final group brief to the larger session, and several Moonshot participants mentioned to me that they liked the concept, which led to this blog.
Several people also mentioned Wendy Nather’s work at Duo and 451, where the phrase “Security Poverty Line” was coined and presented at RSA 2013. A lot has happened since 2013: the wide adoption of cloud services, vendor walled gardens, SOAR, third-party risk services, the NIST Cyber Security and MITRE ATT&CK frameworks, and the emergence of red, blue and purple teams to manage cyber security.

In this blog, I present both new and updated concepts for defining what is above and below the "Cyber" poverty line, as well as for helping organizations below move towards the line, if not above it.

What is the Cyber Poverty Line?

The Cyber Poverty Line is a dividing point that signifies the difference between organizations that can and should perform cyber security functions and those that can’t and should not. If you are above the cyber poverty line, you have both the resources and the knowledge to achieve some level of cyber hygiene and cyber hunting. If you are below the cyber poverty line, you may not have the resources to achieve a reasonable amount of cyber hygiene or hunting, and may not even have the knowledge or desire to do either.

I think it is really important to define those above the Cyber Poverty Line as organizations that have the ability to perform hygiene and hunting and that determine the mix of resources for these functions themselves. With today’s catastrophic cyber attacks and penalties for data breaches, if you are not actively managing the efficacy and efficiency of your security program, you are below the line and need to take steps toward a more reasonable approach to cyber security.

How to Move More Organizations Above the Cyber Poverty Line

There are many types of recommendations that can be made for individuals, small businesses and enterprises that are struggling to get to the other side of the Cyber Poverty Line. Below is a list and brief discussion of strategies and recommendations to help organizations cross the line. The goal is to move organizations towards an ability to maintain a level of cyber hygiene and detect attacks with cyber hunting.

Making the Case for Increased Budget

A lack of budget for technology, people and other resources is often a limiter in getting above the cyber poverty line. Here is a short list of free to very inexpensive tasks you can perform that will help educate your management as to why the overall cyber security budget should be increased.

  • Third-Party Risk Companies – Most modern third-party risk companies will give you a free assessment of your organization’s cyber exposure. These may include comparisons between your organization and others in your industry. Comparing your organization to others can be a motivating factor for business leaders.
  • Perform a High-Level Gap Analysis Against NIST CSF or CIS 20 – Both the NIST CSF and CIS 20 have a set of easy-to-complete tools which identify cyber security gaps in your program. Closing these gaps has clear business-risk-reducing benefits. Knowing about specific risks in basic terms makes it easier for a business leader to choose to accept a risk or to mitigate it somehow.
  • Track Public Breach Disclosures of Comparable Organizations – As organizations in your industry report breaches, sharing this information with senior business leaders may motivate them to avoid the same mistakes as their peers. This information can be found through Internet research, from vendors who track this information, and even from MSSPs and MDR companies that focus on specific industries.
  • Attempt to Purchase Cyber Insurance – The cyber insurance industry is more than ready to help evaluate your company, likely at no cost, in the hopes of issuing some form of cyber insurance coverage. The interactions with the cyber insurance company may also identify gaps in your cyber program which business leaders may use to justify increased security spend. Marsh has introduced a free cyber risk manager which can help identify gaps in your coverage, and can even suggest vendors if you have a budget.
  • Consider the Potential Compliance Costs – Making sure your management team is aware of potential liabilities due to a breach can incentivize them to minimize the risk of a breach with larger cyber budgets. Be aware that in some cases fines may not be much of a motivator, or could be so large that they are hard to comprehend. Be sure to include all regulations your organization is obligated to comply with.
  • Conduct a Cyber Table-Top Exercise Over Lunch – A great way to raise awareness with senior management is to get them to participate in a table-top exercise. There are many companies that will do this for you as a service, but there is also plenty of content online that you can customize to your organization.
  • Conduct a Low-Cost Penetration Test – A penetration test is an age-old technique for proving that a hack can be done. Many firms can offer quick assessments at low or no cost, as they may want to bid on longer-term IT service contracts.

Minimizing IT Complexity

Reducing IT complexity is a great way to make cyber hygiene, and even hunting, an easier task. Too often we jump to hardening a cornucopia of IT systems and software against very detailed frameworks like NIST CSF or CIS and get overwhelmed with detailed recommendations. Below is a list of higher-level recommendations that can be used to minimize IT complexity.

  • Embrace Monocultures & Walled Gardens – A network of 100% Microsoft operating systems and software is much easier to manage than one that also includes Apple and Linux. The same argument can be made for 100% Apple networks. The efficiencies of this approach break down when non-standard software is added.
  • Consolidate Applications to the Cloud – Migrating older applications running on internal systems to cloud-based SaaS solutions removes the need to run and maintain the underlying operating systems yourself.
  • Replace Managed Operating Systems with Tablets – If an organization can carry out its mission without laptops and desktops running complex operating systems, consider replacing them with tablets from Apple or Google. These devices can be managed simply and patched without third-party tools.

Outsource IT and Cyber Smarter

If an organization is outsourcing IT services, ensure that the solution provider or providers are delivering the full spectrum of cyber hygiene, hunting and strategy.

  • Separate Auditing – If you are outsourcing IT, choose a different firm to audit your network. Having a single IT firm tell you that everything is great is a conflict of interest. You should insist that audit results are reported against a common open framework like the Center for Internet Security’s Critical Controls or the NIST Cyber Security Framework. This provides a basis for comparison and the start of a roadmap for improvement.
  • Ensure Hunting is Performed – In the last few years, there has been a rise in services offering managed detection and response (MDR) for both the enterprise and managed service provider markets. If your organization is only outsourcing hygiene, you will likely miss modern stealthy attacks on your network. If your IT team is performing SOAR, you should review it to ensure their correlation rules and triage strategies are in line with your business. You should also use breach simulation tools to check the reaction time of the MDR service.
  • Ensure Minimum Hygiene is Performed – You should use a vulnerability scanner or manual spot checks to ensure that the systems managed by the IT firm are being maintained to your service level agreement.
  • Consider Working with Your Peers – Depending on your industry, you may be able to share cyber monitoring with your peer organizations. Several MDRs and MSSPs work closely with various ISACs, academic networks, states and counties, and provide an umbrella of monitoring. This is very useful with MDRs if threat actors target a specific industry.
  • Audit the Security and Access of the IT Service Team – When you outsource the IT management of your company, you do not get to outsource your responsibility or reporting requirements. You are placing a great deal of trust in this provider, and they should be familiar with the regulatory and legal issues that apply to your business. You should feel comfortable with who they hire, how they vet their employees and under what conditions they will notify you of an issue. You should also feel comfortable with the access they have into your network. Can they read your email, look at your network traffic or access files on your computer? Lastly, you should expect the IT service provider not to be easily hacked themselves, and you should understand what their own cyber program looks like.

Empowering your Employees

There are many strategies organizations can adopt to raise awareness among their employees without incurring great costs or disruption.

  • Highlight Cyber Hygiene at Company Meetings – Instead of telling your employees to silence their phones, perhaps tell them to reboot their phones. The same goes for laptops. If you can’t force a reboot to apply patches through IT, tell employees to perform a full reboot before coming to meetings or going home for the weekend. Rebooting phones and laptops/desktops will apply many patches that are likely already downloaded to the system but not yet installed. If possible, engage other executives to deliver the message so that it does not always come from “the” cyber expert.
  • Highlight Specific Cyber Awareness with Employees – It would be great to have an actual cyber policy and have human resources and IT ensure everyone is aware of it, but short of that, pick the top attack vectors which can impact your company and create very focused courses of action for your employees. For example, if you are concerned about phishing and wire fraud, you can devote time in company communications and meetings to raise awareness of these threats and recognize employees who detected and prevented these attacks. Create a simple and clear way for employees to report suspicious calls and emails.
  • Leverage Free Cyber Training – There are many great resources online for cyber training. For example, Cybrary offers a variety of free courses for beginners, intermediate learners and experts. If you can incentivize employees to complete courses online, either during work hours or off hours, with bonuses or pay increases, you can increase the cyber knowledge and culture of your company.
  • Pick a Framework – If you are having a hard time starting out even with the above ideas, there are many places you can go to get help and ideas. Some of these include the Cyber Readiness Institute or the Global Cyber Alliance’s Cyber Security Toolkit for Small Business. More advanced frameworks include the Center for Internet Security’s Critical Controls or the NIST Cyber Security Framework. You can also look for industry-specific content and guidelines. For example, for election campaigns, the Belfer Center produced a playbook to enhance the cyber security of IT operations working for candidates.
  • Join an ISAC or an ISAO – There are a variety of Information Sharing and Analysis Centers for industries such as power, finance and public transit. ISACs are non-profits; joining one does take time away from work and may require sponsorship, but you will be exposed to peers in your industry facing the same problems. If you aren’t large enough to join an ISAC, there is likely an Information Sharing and Analysis Organization close to you.
  • Leverage Free Tools for People Training – Many good cyber vendors offer free tools. For example, there are many tools from KnowBe4 which can be used to run simulated phishing and other social engineering awareness exercises against your own employees.

Conclusion

If you can’t maintain some form of cyber hygiene, and you don’t have a capability to hunt stealthy attackers, you are below the Cyber Poverty Line. This blog outlined several ways organizations below the line can attempt to increase their budget, minimize their IT complexity, make better choices when outsourcing IT or cyber capabilities, and empower their employees.

If you have suggestions or feedback, please feel free to connect with me on LinkedIn. I’m happy to update this blog post with new information and suggestions.

I’d like to thank Bryson Bort (CEO, Scythe), Tony Sager (Chief Evangelist, Center for Internet Security), Michael Sutton (Founder, Stone Mill Ventures and former CISO, zScaler), Kiersten Todt (Managing Partner, Liberty Group Ventures), Errol Weiss (CSO, Health ISAC) and Andrew Wild (CISO, QTS Data Centers and former CSO, Rapid7) for their input, edits, suggestions and contributions to this blog.