What is a Secure SYSTEMS Development Lifecycle?
By: Cameron Matthews, vCISO & Sr. Security Consultant at Nth Generation
You may think every business and government outfit that creates apps practices a Secure Software Development Lifecycle (SSDLC), but you’d be wrong. Hence the tidal wave of system compromises that afflicts businesses on a daily basis.
This article concerns the other SSDLC that organizations also do not practice: the Secure SYSTEMS Development Lifecycle. This is an even greater problem than the first SSDLC: failing the tenets of this discipline affects IT, and especially OT, IoT, and ICS. When the software defenses are weak, the overall systems (including networks) need to be able to PROTECT that software, DETECT events, RESPOND to attacks, and RECOVER if all else fails.
What I call SSDLC2 is a long and complex topic, and too long for a single article. However, research the exemplar of the U.S. military and what they call SoS (System of Systems) development, a genius notion. One of the biggest failures of systems, software, and crypto engineering writ large is the failure to understand the security complexity and interdependency of the SoS as a whole. This myopia nearly dooms the system to external attacks, internal malicious actions, and non-resilience in the face of systemic stressors and challenges. Having pointed you to the military as an example, please understand that their processes and certifications are extremely lengthy and very high ceremony. They deal with national security, global threats, and warfighter lives, so use that sampling sparingly.
For 12 years, I led a team of cybersecurity engineers who validated and certified military systems for CIA, not the spy agency but Confidentiality, Integrity, and Availability – the cornerstones of cybersecurity. I’ve seen many SoS failures and application weaknesses, and my team and I did our level best to teach military programs about SSDLC1 and 2. On the military side of the house, changing the way things had been done for years was as difficult as spinning the course of a nuclear aircraft carrier battle group on a dime. On the commercial side of the house, companies were very resistant to anything that increased cost with no apparent upward trend to the bottom line. And it wasn’t until the era of ubiquitous ransomware attacks that some C-level groups and boards finally took notice and changed how they guesstimate budgets.
Let’s now turn to SSDLC2 and review some basic concepts and aspects of that pursuit. Every SoS and ecosystem is different. My best advice: build a lab, hack the solution at top speed, test often, fail early, adapt quickly. Be mean because your adversaries will be. I’ve seen excellent phishing ruses yanked out of testing rotation because they weren’t politically correct enough, which is exactly the kind of email that foreign nation states will send out. They know us, they’ve researched our cultural pain points and social foibles, and can and will do whatever it takes to perform PSYOPS (psychological operations) in order to win. Non-PC phishing emails are key to their attack strategy, so removing them from your phishing menu is tantamount to ripping a huge hole in your email protection profile.
The core programs and efforts that must be tackled in this endeavor include the following:
1. Design and create a highly secure system within which the applications will operate BEFORE you build the applications. This way you can secure the SoS while providing extra information assurance for application-specific vectors of attack, and for particular application weaknesses that can’t be avoided. For example, IoT devices often can’t host a complete security framework because they lack the requisite processor power, memory, or storage. Network-level security countermeasures, especially anomaly detection and attack prevention, are key here, from vendors such as Darktrace.
2. Business Impact Analysis, which examines and determines the relative impact of the loss of key business functions or data. Without this, you are adrift in a sea of competing budgetary needs, resource allocations, and business demands, unable to make value-based and accurate decisions.
3. BCP, BCP, BCP (Business Continuity Planning). This is your SoS resilience preparation. Without it, you either function with full capability or fail completely. Many businesses have a DR (disaster recovery) plan that should only be invoked in a catastrophic failure. There is a great deal of middle ground that must be covered and covered well. With a BCP, you can formulate decreasing levels of capability and security such that your business doesn’t go belly up at the first network, system, or software issue.
4. Supply chain secure design and ongoing risk management. Your systems depend on upstream vendors and business partners. Understand that they and their security must be managed; the onus is on you. If your systems use sensitive data (PCI, PHI, PII, GDPR, CCPA/CPRA, etc.), you are liable for any data exposure or loss even if it didn’t originate from your systems. There needs to be interplay between this concept and the BCP such that degraded performance on your end as well as on theirs can be met with a certain measure of technology and business toughness. As your business sector changes, your supply chain fluctuates accordingly. So, managing the risks represented therein is paramount to continued integrated operations. No business is an island.
5. Security identification, classification, and attendant enclave design including Defense in Depth implementation strategies. FIPS 199 and 200 are good templates to follow here. How sensitive and impactful is your data? That determines how well you must guard it. However, it is not the data itself but the systems that use it, hold it, transmit it, and through which it passes that must implement the actual security countermeasures. Plan and design accordingly.
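As an added illustration of the FIPS 199/200 categorization step (example code, not part of the original article), the Python below applies the FIPS 199 per-objective maximum and the FIPS 200 high water mark to a constructed set of information types, then shows how placing them in separate enclaves changes the impact level (and thus the SP 800-53 baseline) each enclave must meet. The information types and their ratings are assumed sample values.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() picks the higher."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed sample (assumption, not from the article): information types a
# hypothetical system handles, rated (confidentiality, integrity, availability).
INFO_TYPES = {
    "cardholder_data": (Impact.HIGH, Impact.MODERATE, Impact.MODERATE),
    "public_web_content": (Impact.LOW, Impact.MODERATE, Impact.LOW),
    "plant_telemetry": (Impact.LOW, Impact.HIGH, Impact.HIGH),
}


def categorize(info_types):
    """FIPS 199 system categorization: per objective, take the maximum impact
    across every information type the system stores, processes or transmits."""
    ratings = list(info_types.values())
    return tuple(max(r[axis] for r in ratings) for axis in range(3))


def high_water_mark(sc):
    """FIPS 200: the overall impact level is the highest of the three
    objectives; it selects the SP 800-53 baseline (low/moderate/high)."""
    return max(sc)


def categorize_enclaves(enclaves):
    """Categorize each enclave on its own. `enclaves` maps an enclave name to
    the info types placed inside it; returns {enclave: (SC tuple, high water mark)}."""
    out = {}
    for name, members in enclaves.items():
        sc = categorize({m: INFO_TYPES[m] for m in members})
        out[name] = (sc, high_water_mark(sc))
    return out


if __name__ == "__main__":
    whole = categorize(INFO_TYPES)
    print("flat system:", [x.name for x in whole], "->", high_water_mark(whole).name)
    split = categorize_enclaves({"dmz_web": ["public_web_content"],
                                 "payment": ["cardholder_data"],
                                 "ot": ["plant_telemetry"]})
    for enclave, (sc, hwm) in split.items():
        print(f"{enclave:8s}", [x.name for x in sc], "->", hwm.name)
```

Running it shows the flat design dragging everything, including the public web content, up to a HIGH baseline, while the enclave split lets the web tier be protected at MODERATE and concentrates HIGH controls where the sensitive data actually lives.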
6. External interconnections. These must be identified, secured, and monitored closely. BCP enters the equation here again: war-game what must happen if connections with an upstream or downstream partner are disrupted.
7. Personnel security management. Remember, people are part of the equation, from privilege-seeking developers, to “forward-thinking” design and marketing groups.
8. And if you’re doing globally critical things like biotech, biopharma, critical infrastructure, or farming, you need to pay attention to the global political climate, the “bad actors”/APTs (Advanced Persistent Threats), and dominant attack methodologies including PSYOPS. You can do this by employing professional threat intelligence service providers like Mandiant, Recorded Future, or RiskIQ.
In summary, design and implement your systems securely before you begin building your applications. Include in an SSDLC policy document directives to support this tenet.
If you need help in this regard, Nth has the expertise and experience necessary to build world-class, secure systems and networks. Contact us here.
If you would like to learn more about our specific services & offerings, request more info here.