Cyber Resilience Means Getting Back to the Basics

Cybersecurity practices must be solid in the face of motivated and skillful adversaries. They must be reliable and dependable in an increasingly complex cyber world.

“We are linked by a mission to take on cyberthreats that are, by nature, relentless. That are conceived by those who persistently attempt to steal our data, our wealth, and our peace of mind. We are also connected by world events that threaten the very foundation of our profession. We respond by searching ever deeper within ourselves to create solutions that can withstand and quickly recover from whatever adversity is thrown at us.”

—Excerpt from RSA Conference 2021

Increased Digital Presence Increases Exposure

The current pandemic hasn’t discouraged adversaries from launching cyberattacks. In fact, some experts believe there’s an uptick in cyberattacks around the globe given the expanded reliance on teleworking and remote presence.

This expansion forces organizations to expose their digital assets and infrastructure to support and extend business functions. By exposing more attack surfaces, organizations become more susceptible to cyberattacks—and less resilient. It undermines a fundamental design principle in cyber resiliency: reduce the attack surface.

Following the Cyber Resiliency Design Principle: Reduce Attack Surfaces

It’s essential that all software engineering and software development activities stick to the cyber resiliency design principle, reduce attack surfaces. The principle encourages the least functionality (restricting ports, protocols, and services) and calls to:

• Reduce the number of interfaces available to unauthorized users.
• Depreciate unsafe/insecure functions.
• Reduce complexity.
• Minimize sharing.
• Eliminate the least common mechanisms.

The principle is consistent with what Brian Knapp, software engineer, calls “software minimalism,” which he concludes is the hardest skill to teach in software engineering. Software minimalism emphasizes using the least amount of code and software to build systems and applications in order to reduce complexity and avoid accumulating technical debt.

The approach significantly reduces the attack surface for a given software system, minimizing the available entry points and attack vectors for cyberattacks. However, modern software development has deviated from this classic approach to software engineering and is heavily focused on onboarding more features and functionality.

Product features and functionality drive competitive advantage. They’re used to highlight the unique value proposition to differentiate from competitors. The problem is that more features mean more code.

More code means more complexity.

And more complexity means more problems—as in cyberattacks.

The Challenge With Complex, Modern Software Development Systems

The complexity of modern software development systems makes it very difficult to patch in a timely fashion and fix vulnerabilities. Both increase the window of exposure that often results in cyberattacks.

The window of exposure is a key metric in mitigating cyberattacks. However, it’s becoming difficult to pinpoint and determine due to friction in vulnerability disclosures and reporting that many researchers have complained about.

Similar issues recently occurred with Katie Moussouris, CEO of Luta Security, when she disclosed bugs discovered in Clubhouse and with Sick Codes in their discovery of security issues with John Deere APIs. These situations are reminders that the system is still broken as noted in a Threat Post article in 2018 that highlights systemic problems and ongoing friction among researchers.

The research community plays a key role in putting extra eyes on bugs to make them shallower, as well as collaborating with companies to make their products more secure. Given our current threat landscape, every day counts. These hiccups in vulnerability disclosures definitely increase the window of exposure.

While the window of exposure is increasing, it seems the time to exploit is shrinking as indicated in research conducted by FireEye. The research used a sample set of Common Vulnerability and Exposures (CVEs) tracking the time between disclosures, patch releases, and vulnerability exposures.

The research highlights that the majority of exploitation in the wild occurs during one of the following time frames:

• Before patch issuance
• Within a few days of a patch or fix becoming available
• Within one month after the patch date

This doesn’t bode well for organizations struggling to patch complex systems. Such was made evident with the Apache Struts vulnerability (CVE-2017-5638) that reportedly led to the Equifax breach where the vendor fixed the vulnerable version on March 6, 2017. Three days later the bug was under mass attack on the Internet. It wasn’t until several months later that the Equifax breach occurred.

The First Line of Defense Against Cyberattacks

Software engineering and software development play key roles in cyber resiliency. In fact, they’re the first line of defense against cyberattacks. Software systems and applications must be designed and developed to anticipate, withstand, recover, and adapt to whatever adversity arises in the cyber domain. Doing so requires adopting design and development practices like software minimalism to shrink the attack surfaces.

It’s not that we have to dig deeper within ourselves to create solutions. Instead, we have to get back to the basics. That means codify sound practices like software minimalism into modern software development to make software systems and applications more resilient—more able to withstand and quickly recover from whatever adversity is thrown at them.