Cybersecurity checklist a strategy tool for increasing attack costs

The U.S. Cyber Consequences Unit rolled out a new version of its cybersecurity checklist, which it claims will help reduce attacks by increasing the costs of those attacks.

SAN FRANCISCO -- This week at RSA Conference 2016, two top officials of the U.S. Cyber Consequences Unit -- John Bumgarner, CTO, and Scott Borg, director and chief economist -- took to the podium to unveil what they called a "new type of cybersecurity checklist," which makes "preventing penetration only one part of a much more comprehensive strategy, greatly expanding the defensive options." The cybersecurity checklist is currently in draft form, but should be released in a final version later this year.

The new checklist, organized in a matrix, works symmetrically: Reading it in one direction provides "an attacker viewpoint," but read in the other direction, it offers the defender's viewpoint. The new cybersecurity checklist will be freely available, as was the original cybersecurity checklist.

Borg emphasized the key to using the new cybersecurity checklist, which includes over 1,000 items, is using it to increase costs to attackers.

"The game is not about stopping penetration, but making it not worth the attacker's time and expense," Borg said. The idea of the matrix is to make it easier to see how "to increase those costs."

Bumgarner pointed out specific actions that could make potentially devastating attacks far less so. One such action is to make attacks reversible. Bumgarner used the ransomware attack against Hollywood Presbyterian Medical Center as an example: Backups, if the hospital had had them, could have been used to make the attack easily reversible.

Increasing the costs to attackers

You can use this matrix and the material in the checklist to analyze attacker paths and attacker activities.
Scott Borgdirector and chief economist, U.S. Cyber Consequences Unit

"When an attacker steals your data, provide them false data," Bumgarner said, suggesting the use of honey tokens, alongside a password, because they can be used to "set an alarm that it's being used to indicate that the data has been stolen."

Borg noted that there are a lot of things included on the cybersecurity checklist, but he said it is meant to be comprehensive, which means "a lot of it will be Security 101." However, it also includes some controversial things that "everybody should consider."

For example, Borg suggested making a policy of changing network resource names and addresses periodically, because that forces attackers to "re-map everything periodically." He also highlighted the possibility of using "poisoned-bait data" to cause harm to attackers if they try to use it.

"You can use this matrix and the material in the checklist to analyze attacker paths and attacker activities," Borg said. "You can watch cases where the attacker has to cycle through activities two or more times."

Cybersecurity checklist will have new focus

According to Borg, the new cybersecurity checklist is offered in draft form, because "there are more cybersecurity countermeasures still to be discovered than we've already found. There's a whole realm of other possibilities that open up when you look at increasing attacker costs."

When Borg and Bumgarner introduced the first version of the U.S. Cyber Consequences Unit (US-CCU) checklist about 10 years ago, they were concerned with the nightmare scenario of attackers who, instead of stealing or disabling networks, took over networks and systems, altering critical data so the systems could no longer be relied on. This was a concern echoed this week at RSA Conference 2016 by a number of speakers, including Adm. Michael Rogers, director at the National Security Agency and commander of U.S. Cyber Command, who said one of his three major concerns for the next few years is attackers who manipulate data so "we can no longer trust the data we get."

"The big worry shouldn't be that someone's going to shut down a company's computer system," Borg said in 2006. "If you shut down almost anything in our economy for a couple days, the damage is minimal. We have enough inventory to timeshift our activities, so we're not badly hurt. But if the attacker causes physical damage, or makes it so the business process is faulty, the damage can be horrendous."

The U.S. Cyber Consequences Unit is an independent, nonprofit (501c3) research institute that "provides assessments of the strategic and economic consequences of possible cyberattacks and cyber-assisted physical attacks. It also investigates the likelihood of such attacks and examines the cost-effectiveness of possible countermeasures." US-CCU focuses on "the sort of larger-scale attacks that could be mounted by criminal organizations, terrorist groups, rogue corporations and nation states."

Borg has previously predicted major shifts in cybersecurity, including a 2002 prediction that attacks would transition from being disruptive generally to becoming the work of organized cybercriminals. He also predicted, in 2013, that the next shift would see criminals evolve to the point of manipulating financial markets.

Next Steps

According to experts, cybersecurity strategies need to be more dynamic and adaptive to be successful.

How can you get the most out of cybersecurity spending?

The lack of cybersecurity skills in the workforce has infosec pros facing challenges.

Dig Deeper on Information security policies, procedures and guidelines