Don't Wait for Official Inspections to Maintain Security
Adversaries persistently scrutinize your networks 24/7/365, so you must too.
Thirty years after the Morris Worm, networks face a long and growing list of potential attack vectors employed by an almost limitless number of threat sources, including criminals, hacktivists and nation-state actors. In response to threats, the U.S. Defense Department has taken prudent measures to shore up vulnerable systems and networks. In accordance with the well-established practice of concentric rings of security, the most sensitive department data exists on its most secure and isolated networks.
But as threats and responses have evolved, the practices for measuring the effectiveness of security programs have had to keep pace. And while Defense Department cybersecurity history is filled with a hearty alphabet soup of acronyms related to inspections, these sometimes have been maligned as mere paper-pushing exercises.
Historically, there probably is some truth to this assertion. Any process that is self-administered and internally policed is likely to be more prone to shortcuts, errors and omissions born of familiarity and ingrained assumptions. When executed by the book, an incomplete or failed inspection should result in a system or even an entire network not being authorized to operate and, as a result, actually not operating.
But this does not often happen. Safety valves such as plan of action and milestones built into these processes make it easier to take shortcuts, so not-entirely-secure networks and systems can still be authorized to function.
Government executives, including those in the Defense Department, have businesses to run and missions to execute and must always weigh risk against potential impact. The fundamental problem with self-inspections is the temptation to force the round peg that is a system’s actual security posture into the square hole of what the system’s owner would like to believe it to be.
In 2011, the Chairman of the Joint Chiefs of Staff Instruction "Information Assurance (IA) and Support to Computer Network Defense" was released, leading to the creation of the first formal external-party inspection program in the Defense Department: the Command Cyber Readiness Inspection (CCRI). Unlike previous inspection methodologies that allowed the department’s components to self-inspect, the CCRI presented a new paradigm. The Defense Information Systems Agency (DISA) sent teams of analysts to conduct cyber readiness inspections of other Defense Department components.
This approach was a major paradigm shift. During a CCRI, this external team assessed the quality of documentation and processes and the degree to which they were compliant with the required set of security controls. Team members spoke with the organization’s staff. They sent phishing emails and looked around for unattended common access cards and security tokens. They then formed an opinion and, although their assessment could be appealed and the organization could provide commentary to defend its security posture, the outcomes of the process—the results documented in the final report—were largely out of the organization’s control once the inspection began.
Later, as part of the move to demonstrate cybersecurity as an operational component rather than an administrative exercise, an enhanced inspection called the Command Cyber Operational Readiness Inspection (CCORI) was introduced. In addition, responsibility for the inspections shifted from DISA to the Joint Force Headquarters–Department of Defense Information Network (JFHQ–DODIN), which now conducts the CCORIs.
The CCORI adds a level of operational or mission focus not included in the CCRI. The team schedules the inspection with an organization and assesses the potential threats to the mission as well as the vulnerabilities in its cybersecurity defenses. It probes the organization’s defenses, attempting to exploit vulnerabilities by using tools and methods that closely mirror those that may be employed by real-world adversaries.
However, giving an organization a heads-up about an upcoming inspection can be detrimental to the inspection’s overall effectiveness. For example, one organization that underwent a CCORI passed, its capability was not restricted and the process increased its feeling of security. But this probably would not have been the result if the inspection had been conducted unannounced.
The CCORI’s true value is not only the inspection itself but also the period between when the inspection is scheduled and when it begins. During those weeks, this particular organization reviewed its Security Technical Implementation Guides twice. Documentation was reread and updated. Networks were scanned, rescanned and then scanned again. Architectures were reviewed and critiqued, and known or newly identified holes in the security capability plugged. Overall, a hypercritical, inward-looking assessment was conducted to ensure all its systems and procedures were in order.
An external inspection can be effective, but only as far as organizations choose to make it beneficial. Agencies, departments and commands should scrutinize their systems and networks regularly; however, despite good intentions, the effort is often overcome by events, priorities shift and, over time, cracks develop, cracks that represent gaps in cybersecurity defenses.
As with any service provider or external auditor, the JFHQ–DODIN teams can be viewed with a certain degree of apprehension, but the teams are not the adversary. Assessment teams want to reveal weaknesses not only to improve the CCORI experience but also—and more importantly—so organizations’ systems are consistently secure. Even if a CCORI assessment team finds only a few weaknesses, the process raises awareness about the true cyber defense posture.
Although the inspection isn’t perfect, as a point-in-time snapshot, it is light years ahead of only conducting self-assessments that all too often end as shelfware.
The true benefit of an inspection is not the inspection itself but rather the preparation. But even without a planned inspection, an organization should always be ready to defend against the bad actors who aim to bring its systems down. It must constantly prepare and never let down its guard, and the true lesson of the CCORI is proven when the organization is in a real fight.
Robert Tappan Morris was a young man with a curious mind and a novel idea. The 21-year-old Cornell University graduate student wrote a small program designed to find a home for itself on Unix-based computers almost exclusively used by researchers and scientists in higher education and the federal government.
When Morris inserted his floppy disk into a Massachusetts Institute of Technology (MIT) computer, he released what would become known as the Morris Worm, the first example of malware. The result was widespread damage because Morris’ erroneous calculation caused the worm to launch multiple processes on infected systems, triggering them to slow down or fail entirely.
As the Internet evolved and matured, so did the methods adversaries employed to steal or alter data. The Defense Department and its industry partners have developed technical, operational and management controls to address known threats and vulnerabilities that enemies seek to exploit. Firewalls, end-point security, vulnerability scanning and patching, intrusion detection systems and other current security capabilities would have foiled Morris’ denial of service attack.
Approximately 6,000 computers were connected in 1988 when Morris made the fateful decision that would result in him becoming a semifamous footnote to cybersecurity history. He paid a steep personal price at the time: He was kicked out of Cornell, convicted of violating the Computer Fraud and Abuse Act, fined more than $10,000 and sentenced to three years of probation. Ironically, he is now a tenured professor at MIT.
Today, there are more than 20 billion nodes on the Internet, each of them representing a potential threat to an organization’s mission, a more than 333 million-fold increase in potential threats in 30 years.
Cyber inspection teams are beneficial, but organizations should not wait for a CCORI to understand their own security posture. They are being inspected every single day by adversaries who are most definitely not interested in revealing their score and are counting on them to maintain a false sense of security.
Howard Bandler has provided information technology leadership, consulting and cybersecurity services in support of U.S. federal government and commercial organizations for almost two decades and has held leadership positions in professional information security organizations.