On March 7, WikiLeaks released a huge cache of documents, close to 8,000 web pages, that provide a detailed glimpse into the CIA’s computer hacking capabilities. The collection of information, which WikiLeaks has named "Vault 7," appears to be the largest ever publication of confidential CIA documents.
The documents also include plans for the CIA to hack and exploit a wide range of consumer products, including iPhones, Android phones, Microsoft Windows and Samsung Smart TVs. WikiLeaks has redacted a good amount of text from the documents, but they contain enough detail that many cybersecurity professionals, including myself, attest to the legitimacy of the documents.
However, WikiLeaks has not yet released any of the actual code cited in the documents that hackers would need to manipulate consumer products. WikiLeaks founder Julian Assange has said the organization will work with technology companies to help patch their products and mount a defense against hacking before releasing the full collection of data, including all of the code, about the CIA’s hacking tools to the public.
As if the WikiLeaks dump wasn’t scary enough, FBI Director James Comey didn’t help to put any minds at ease recently at a cybersecurity conference when he said, “there is no such thing as absolute privacy in America.”
Vault 7 is absolutely worthy of our attention, but truthfully, none of it should come as a surprise. If anything, WikiLeaks' dump only confirms what cybersecurity professionals have been proselytizing for years: We must always be vigilant and aware when it comes to the security of our data.
While I believe the average American has no idea how much the government truly knows about them, we also grossly underestimate how much of our own data we put into the world through basic transactions. Thanks to such transactions, companies like Amazon and Facebook know all sorts of things about our behavior and habits that we may not realize. Remember a few years ago when, due to data mining, Target exposed a teen girl’s pregnancy?
So Vault 7 happened; what do we do now? I say rather than be reactive, let’s discuss a few ways that this incident can help us be proactive.
First, Take a Step Back
In a Scientific American article from 1989, IT security expert Gene Spafford noted: “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards–and even then I have my doubts.”
The WikiLeaks dump makes Spafford’s quote seem especially prescient, and I think Vault 7 has given companies the perfect opportunity to take a step back and re-evaluate their security postures. In my years of working with organizations to improve their security, I’ve found that the best answer isn’t always to simply “solve” a problem.
Sometimes, the best answer is to get back to the basics in order to eliminate the root of the problem altogether.
Getting Back to Basics
To build a strong cybersecurity posture, a good road map to follow is my “6 R’s of Cybersecurity”:
- Ready: What is your company doing to ready itself? Do you offer security training for your employees? Do you have appropriate controls in place at the physical and technical levels?
- Risk: Has your company conducted a risk assessment based on a commonly accepted framework, like the NIST Cybersecurity Framework?
- Remove: Evaluate and identify unnecessary risks for removal. This includes patch management, vulnerability management, and removing old and unused assets.
- Reduce: Decrease your exposure to risk by reducing employee access to devices, data and other areas deemed superfluous.
- Resilience: Build up resilience through good backups and attack prevention (including DDoS mitigation and intrusion prevention and detection systems).
- Re-evaluate: Cyberattacks get more sophisticated every day, so don’t wait too long to re-evaluate your company’s cybersecurity posture, making sure to examine enterprise risk management, information security and more.
As a cybersecurity professional, I would encourage every organization to take the following courses of action. First, review your risk management plans in light of the above road map to ensure you have properly fleshed out your company’s level of risk. Second, be sure you have a well-formulated, actionable incident response plan outlined. The last thing any organization can afford is to be caught unprepared for any type of security-related event. Knowing when and how to respond could mean the difference between maintaining customer trust and having to close your doors.
Steve Sanders is vice president of Internal Audit for CSI. In his role, he oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. Steve is a CISA, CRISC, CRMA, and CTGA, and he speaks regularly on information security, cybersecurity, IT and IT audit topics.