Cybersecurity checklist a strategy tool for increasing attack costs

SAN FRANCISCO — This week at RSAC 2016, two top officials of the U.S. Cyber Consequences Unit, John Bumgarner, chief technical officer, and Scott Borg, director and chief economist, took to the podium to unveil what they call a “new type of cybersecurity checklist” that makes “preventing penetration only one part of a much more comprehensive strategy, greatly expanding the defensive options.” The checklist is currently in draft form, but should be released in a final version later this year.

The new draft checklist, organized in a matrix, works symmetrically: Reading it in one direction provides “an attacker viewpoint,” but read in the other direction, it offers the defender’s viewpoint. The new checklist will be freely available, as was the original cybersecurity checklist.

Borg emphasized that the key to using the new cybersecurity checklist, which includes over 1,000 items, is using it to increase costs to attackers.

“The game is not about stopping penetration,” Borg said, “but making it not worth the attacker’s time and expense.” The idea of the matrix is to make it easier to see how “to increase those costs.”

Bumgarner pointed out specific actions that could make potentially devastating attacks far less so. One such action is to make attacks reversible. Bumgarner used the ransomware attack against Hollywood Presbyterian Medical Center as an example: Backups, if the hospital had had them, could have been used to make the attack easily reversible.

Increasing the costs to attackers

“When an attacker steals your data, provide them false data,” Bumgarner said, suggesting the use of “honey tokens” alongside a password, because they can be used to “set an alarm that it’s being used to indicate that the data has been stolen.”
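The alarm Bumgarner describes, sketched as an added example (not from the talk or the US-CCU checklist): a decoy service key is planted beside the real credentials in each data store, and any appearance of it in an access log signals that the store was copied. The key format, store labels, log layout and secret are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: the secret lives with the detector, never in the stores being seeded.
SECRET = b"constructed-demo-secret"
PLANTED = {"hrdb", "backup01"}  # hypothetical labels of stores holding a decoy

def make_honey_token(store_label: str) -> str:
    """Decoy API key; its tag is an HMAC of the store it is planted in."""
    tag = hmac.new(SECRET, store_label.encode(), hashlib.sha256).hexdigest()[:16]
    return f"svc-{store_label}-{tag}"

KEY_RE = re.compile(r"\bkey=(svc-([a-z0-9]+)-[0-9a-f]{16})(?![0-9a-f])")
SRC_RE = re.compile(r"\bsrc=(\S+)")

def scan(log_lines, planted=PLANTED):
    """Return (line_no, leaked_store, source) for every use of a planted decoy."""
    alerts = []
    for line_no, line in enumerate(log_lines, 1):
        m = KEY_RE.search(line)
        if not m:
            continue
        token, label = m.group(1), m.group(2)
        # Recompute rather than look up: no list of decoys exists to be stolen,
        # and real or look-alike keys with the same prefix never raise an alarm.
        if label in planted and hmac.compare_digest(token, make_honey_token(label)):
            src = SRC_RE.search(line)
            alerts.append((line_no, label, src.group(1) if src else "unknown"))
    return alerts

# Constructed sample access log (documentation-range addresses, made-up keys).
SAMPLE_LOG = [
    "2016-03-04T10:01:22Z src=192.0.2.10 key=svc-billing-0123456789abcdef status=200",
    f"2016-03-04T10:07:45Z src=203.0.113.9 key={make_honey_token('hrdb')} status=401",
    "2016-03-04T10:09:03Z src=198.51.100.4 key=svc-hrdb-ffffffffffffffff status=401",
]

if __name__ == "__main__":
    for line_no, store, src in scan(SAMPLE_LOG):
        print(f"ALERT line {line_no}: decoy planted in '{store}' used from {src}")
```

Because each decoy encodes the store it was planted in, an alert also tells the defender which store was copied.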

Borg noted that there are a lot of things included on the cybersecurity checklist, but he said that it is meant to be comprehensive, which means “a lot of it will be security 101.” However, it also includes some controversial things that “everybody should consider.”

For example, Borg suggested making a policy of changing network resource names and addresses periodically, because that forces attackers to “remap everything periodically.” He also highlighted the possibility of using “poisoned-bait data” to cause harm to attackers if they try to use it.

“You can use this matrix and the material in the checklist to analyze attacker paths and attacker activities,” Borg said, noting that “you can watch cases where the attacker has to cycle through activities two or more times.”

Cybersecurity checklist will have new focus

The new checklist is offered in draft form because, Borg said, “there are more cybersecurity countermeasures still to be discovered than we’ve already found. There’s a whole realm of other possibilities that open up when you look at increasing attacker costs.”

When Borg and Bumgarner introduced the first version of the US-CCU checklist about ten years ago, they were concerned with the nightmare scenario of attackers who, instead of stealing or disabling networks, took over networks and systems and, in time, altered critical data so that the systems could no longer be relied on. This was a concern echoed this week at RSAC 2016 by a number of speakers, including Admiral Mike Rogers, director at the National Security Agency and commander of U.S. Cyber Command, who said that one of his three major concerns for the next few years is attackers who manipulate data so that “we can no longer trust the data we get.”

“The big worry shouldn’t be that someone’s going to shut down a company’s computer system,” Borg said in 2006. “If you shut down almost anything in our economy for a couple days, the damage is minimal. We have enough inventory to timeshift our activities so we’re not badly hurt. But if the attacker causes physical damage or makes it so the business process is faulty, the damage can be horrendous.”

The U.S. Cyber Consequences Unit (US-CCU) is an independent, non-profit (501c3) research institute that “provides assessments of the strategic and economic consequences of possible cyber-attacks and cyber-assisted physical attacks.”

Borg has previously predicted major shifts in cybersecurity, including a 2002 prediction that attacks would transition from being disruptive generally to becoming the work of organized cybercriminals. He also predicted, in 2013, that the next shift would see criminals evolve to the point of manipulating financial markets.