Cybersecurity approach – a game theory?

A while back I came across a short but very interesting book, ‘Finite and Infinite Games’ by James Carse. I really enjoyed the read and its thesis of looking at pretty much everything in life as a game, be it, for example, business outcomes, personal targets or a career.

In a nutshell, a finite game can be defined as:
– players are known prior to the game commencement
– fixed rules
– agreed-upon objectives
– chess, football, basketball – we declare the winner and the game is over

And then, there is an infinite game:
– players can be known and unknown
– the rules and players are changeable
– and the objective is to keep the game in play to perpetuate the game

I personally really like this approach, as it can be applied to many aspects of life and can be an interesting way of looking at everything we do: what our goals are and how we are approaching them. I think this resonates particularly well with regard to a cybersecurity strategy.

Let’s take a very quick look at what’s been happening in the security industry over the recent years and what the trends have been like:

1. TalkTalk compromise
On 21 October 2015, UK telco provider TalkTalk reported a cyberattack and a possible breach of customer data. Subsequent investigation determined that a database containing customer details had been accessed via public-facing servers, with the records of approximately 157,000 customers at risk, including names, addresses, and bank account details. In addition, on the same day, several TalkTalk employees received an email with a ransom demand for payment in Bitcoins. The attackers detailed the structure of the database as apparent proof that it had been accessed.

2. Ukraine Power Grid Attack
A cyber attack on the Ukrainian electricity distribution companies Prykarpattya Oblenergo and Kyiv Oblenergo on 23 December 2015 caused a major power outage, with disruption to over 50 substations on the distribution networks. The region reportedly experienced a blackout for several hours, and many other customers and areas sustained lesser disruptions to their power supplies, affecting more than 220,000 consumers. The use of the BlackEnergy3 malware has been blamed by some for the attack after samples were identified on the network. At least six months before the attack, attackers had sent phishing emails containing malicious Microsoft Office documents to the offices of power utility companies in Ukraine.

3. Attack on Bangladesh Bank’s SWIFT system
SWIFT – the Society for Worldwide Interbank Financial Telecommunications – provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure way. In early February 2016, an attacker accessed the SWIFT payment system of the Bangladesh Bank and instructed the New York Federal Reserve Bank to transfer money from Bangladesh Bank’s account to accounts in the Philippines. The attempted fraud was US$951 million. 30 transactions, worth $850 million, were blocked by the banking system; however, five transactions worth $101 million went through.

4. WannaCry
The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware crypto-worm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. The estimated cost to the NHS (UK) was £92m with over 19,000 appointments canceled.

5. “99.9% of exploited vulnerabilities were compromised more than a year after the vulnerability was published.”
Verizon 2015 Data Breach Investigations Report

6. “We recently analyzed 115,000 Cisco devices on the Internet and across customer environments as a way to bring attention to the security risks that aging infrastructure – and lack of attention to patching vulnerabilities present… We found that 106,000 of the 115,000 devices had known vulnerabilities in the software they were running.”
Cisco 2016 Annual Security Report

7. 53,000 incidents and 2,216 confirmed data breaches in 2018.
Verizon 2018 Data Breach Investigations Report

8. Stolen credentials and phishing continue to be within the top 5 action varieties in breaches. Unlike pretexting, which is financially motivated over 95% of the time, motives for phishing are split between financial (59%) and espionage (41%).
Verizon 2018 Data Breach Investigations Report

9. Out of 40,000+ security incidents, 34 percent of all attacks involved internal actors, and 15 percent of security incidents were a result of misuse by authorized users, underscoring the importance of tightening up security policies and processes to reduce the potential for malicious and/or negligent insider action and human error wherever possible. For businesses operating contact centers that process payments, it’ll be important to leverage de-scoping and DTMF technologies to ensure that sensitive data never enters the enterprise – removing the potential for data to be stolen.
Verizon 2019 Data Breach Investigations Report

10. Ransomware attacks remain a huge threat, accounting for nearly 24 percent of incidents where malware was used.
Verizon 2019 Data Breach Investigations Report

11. C-level executives are 12x more likely to be the target of social incidents and 9x more likely to be the target of social breaches than in past years.
Verizon 2019 Data Breach Investigations Report

12. In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services.
Have I Been Pwned, Troy Hunt

13. According to the Breach Level Index, more than 14,717,618,000 data records have been lost since 2013.

The above list is by no means comprehensive; this post could have gone on for a very, very long time… As we can see, we have insecure systems exposed externally, unpatched and vulnerable software, phishing and credential theft, skilled and persistent attackers, and extremely wide attack surfaces. This makes the job of IT Managers, IT Security Managers / Officers, CISOs and various others extremely challenging.

What’s the best way to stay as secure as possible?

It all starts with the right mindset. You can never achieve 100% security, and if someone, or a vendor, tells you that their solution will give it to you, walk away. Staying secure is about getting as much understanding, visibility and control as possible. It’s about limiting the attack surface across your organisation by focusing on people, technology and processes.

If you are looking after security for your organisation, focus on the following:

1. Always start with a long-term, business-driven strategy

2. Think beyond security and focus on business enablers, such as reduction of infrastructure complexity:
– Hybrid-cloud ready or fully cloud based
– Enterprise mobility and agility
– Compliance

3. Identify your key assets and biggest risks

4. Focus on quick wins (for example MFA); often these simple things have the biggest impact on security

5. Invest in a Zero Trust architecture

6. Do not expect to achieve the goal in one step

7. Invest in people, train them in cyber security

8. Reuse and incorporate existing security, monitoring, orchestration tools – everything that can save you time and budget

When it comes to cyber security, I like to think of it as an infinite game. After all, everything can change so quickly: attackers get smarter, new vulnerabilities and zero-days are discovered, and attacks are becoming cheaper and quicker to execute. We rely on so many cloud services as well as legacy solutions. We use multiple devices and often work from different locations. As business guardians, we ought to be ready for the unknown that may come tomorrow. And most importantly, every breach of a competitor or partner should be seen as a learning opportunity and a reminder for everyone to look inward and strengthen ourselves to prevent it from happening to our business.