TIPS #18: How Secure in Operation Builds on Secure by Design
Shane Shook
August 5, 2024
- Blog Post
- TIPS
Issue: Secure by design software enhances safety and security- but even a perfectly designed tool or service is only as secure as how it is used.
In the age of endless breaches, secure by design has long been pursued to promote more secure technologies.
The need for secure software products has never been more apparent in the wake of significant cyber events like the 3CX hack and the SolarWinds supply chain attack. Today, interconnected software supply chains and broad SaaS adoption allow a single vulnerability to impact thousands of companies and millions of consumers.
CISA’s recent Secure by Design guidance, developed in collaboration with the NSA, FBI, and over a dozen international agencies and directorates, is the latest push to strengthen software products. Secure by design positions security as a business priority for software manufacturers with secure practices built into all phases of product development, including the use of secure software components and hardware, a software bill of materials (SBOM), and memory-safe programming languages. The related concept of secure by default means software is secure out of the box with features like default multi-factor authentication (MFA) for privileged users, no default passwords, single sign-on (SSO), and high-quality audit logs-all without an additional cost.
Secure in Operation
While secure by design is a critical reframe for software production, it’s also important to consider how software is used in practice (secure in operation). Even a securely designed product is subject to misuse, human error, novel use cases, and unforeseen threats once it enters a customer’s live environment. After all, “no plan survives first contact with the enemy.”*
Think of secure in operation like seatbelt use in cars. Despite the life-saving design of the seatbelt, around 8% of people in the United States still don’t wear them, leading to thousands of additional fatalities each year.
For example, a company may continue to use default security settings without adapting a tool to their specific security needs. This occurs frequently as a software product becomes more mainstream and is used in contexts vendors hadn’t anticipated. In other cases, a business might not upgrade products in a timely fashion (despite software providers’ best efforts to encourage updates) and may continue to use outdated features. Users may not follow hardening guides, ignore product alerts, or leverage a tool in a manner the manufacturer didn’t plan for.
Impact: Software which is insecure in operation creates risks and exposes companies to greater impacts from cyber threats.
Software deployed without consideration of its use in operation creates additional risk. Improper product configurations and mismanaged alerts weaken security capabilities, as do inadequate access and authentication controls. These factors increase the likelihood of and impacts from incidents, leading to longer system downtimes, increased operational costs, more exposed consumer data, and a greater loss of trust among customers.
CitrixBleed
The 2023 CitrixBleed incident provides a case study of both secure by design and secure in operation. Hacker groups mass-exploited a critical Citrix Netscaler vulnerability, dubbed CitrixBleed, which allowed them to bypass MFA and remotely extract data from organizations including Boeing and ICBC. A patch was released on October 10 but exploitations continued for over a month as some systems remained unpatched and users did not delete active sessions. The vulnerability itself is an example of insecure by design. The lack of patching and failure to delete active sessions are examples of insecure in operation.
Change Healthcare Ransomware Incident
In late February 2024, Change Healthcare (part of UnitedHealth Group) was hit with a ransomware attack by the BlackCat ransomware gang. The hackers used stolen credentials to breach a portal that didn’t have MFA enabled. UnitedHealth Group paid a $22 million ransom to get their data back and eventually faced another ransom threat from a separate ransomware group- RansomHub (though it’s unclear whether a second ransom was paid). Sensitive patient data from millions of people, including PII and PHI, was leaked due to the breach. Pharmacies, hospitals, and other medical facilities using Change Healthcare’s billing and payment software experienced widespread disruptions. The total cost of the incident to UnitedHealth Group is estimated to be around $2.3 billion this year.
In this case, insecure operation enabled the attackers to exploit the vulnerable account (no MFA) and deploy ransomware.
Action: Secure in operation requires an understanding of use cases, built-in observability, and flexible security definitions for resource access control.
Secure software operation requires an understanding of applicable use cases and user behaviors. Companies must first identify likely use and misuse scenarios in their environments to prioritize security measures during implementation and guide their monitoring efforts. Next, they should monitor the use of supporting technologies to detect and respond to evolving attacks. Finally, they should update their security tooling and procedures based on observed attacks to prevent such activities in the future. Implementing a “learning cycle” (such as OODA) improves the security posture of software design and operations.
1) Deep Visibility and Flexible Security Posture
A comprehensive view of system activity enables effective threat detection and response. Visibility must be paired with flexible security posture controls to adapt tools to your company’s unique use cases.
NowSecure’s mobile application security testing platform uncovers vulnerabilities to mitigate risks before mobile application deployment.
Uptycs’s cloud security posture management platform (CSPM) helps your company visualize, detect, and investigate threats across its entire cloud infrastructure.
RAD Security provides Kubernetes security posture management to shine a spotlight on containerized environments and provide comprehensive threat detection and response capabilities.
Symmetry Systems’ data security posture management (DSPM) platform helps companies visualize data security risks to establish and maintain strong data policies and practices.
SPHERE helps your company find and eliminate over-permissioned identities to protect critical information.
2) Granular Identity Access Controls
Customizable access controls are essential to limit insecure application and data usage. 1Kosmos offers passwordless enterprise authentication, advanced biometric MFA, and secure employee onboarding to enforce secure access to company networks, systems, and accounts.
3) Secure Middleware
Part of the secure in operation mandate is to secure the connections and communications between your applications and microservices. Synadia’s NATS platform enables secure middleware by design, securely synchronizing disparate technologies across cloud, on-premises, hybrid, and edge environments.
4) Risk Awareness
Risk awareness is an ongoing process of proactive threat identification- a critical capability which informs more secure operations. Constella Intelligence helps companies manage identity risks with monitoring and deep intelligence around identity exposures, supply chain compromises, and customer account breaches.