“The inability to predict outliers implies the inability to predict the course of history.” ― Nassim Nicholas Taleb, “The Black Swan: The Impact of the Highly Improbable”
In modern parlance, the phrase “black swan,” as popularized by Nassim Nicholas Taleb in his book “The Black Swan: The Impact of the Highly Improbable,” refers to an event that comes as a surprise, leaves a major impact and, absent cyber situational awareness, can be rationalized only with the help of hindsight.
When it comes to cybersecurity, the black swan theory holds special importance. As cyberspace grows in volume and operation, it becomes more entwined with different aspects of everyday life. Given this increased integration, a black swan event could unleash major consequences through the multiplier effect.
Hindsight Is 20/20
A black swan event is impossible to predict and can be rationalized only through the wisdom of hindsight. Nevertheless, there are certain high-impact, low-probability scenarios that could be simulated or conceptualized to prepare an incident response plan.
The high-profile Yahoo, Target and Sony breaches were not typical black swan events, since they could have been predicted and prepared for. The Target breach of 2013, which exposed 40 million debit and credit card details, occurred due to the poor security practices of a third-party HVAC vendor. Similarly, the Sony breach has been attributed to lax access control policies. Meanwhile, a 2013 attack on a dam in New York happened because an insecure cellular modem allegedly allowed threat actors to take control of critical infrastructure.
These high-impact, low-probability incidents could have been avoided had unconventional security vulnerabilities been taken into account. An effective incident response plan must consider security scenarios that are unlikely but potentially damaging.
A Gloomy Picture
In 2013, the Ponemon Institute published an interesting study titled “Efficacy of Emerging Network Security Technologies.” The report revealed that the majority of security professionals around the world agree that the threat landscape is changing and becoming more complex with each passing day. As a result, most organizations, especially in banking, finance, health care and manufacturing, are deploying the latest security solutions to prevent incidents.
Interestingly, some survey participants who reported positive results from security solutions also said they considered their organizations to be vulnerable to cybercrime. The situation painted a gloomy picture of the security landscape and suggested that many organizations are unprepared to deal with unconventional and unknown threats that could kick-start a black swan cyber event.
Organizations deploy solutions that can effectively detect and contain only known threats. Solutions such as firewalls can only prevent intrusions according to defined access control policies, and intrusion prevention systems (IPS) can only protect against threats that match the database of known threat signatures. In other words, these solutions do not cover the entire ground of the threat landscape because they fail to account for the dynamically emerging threats and provide no defense against the unknown. Until all attack pathways are insulated with security barricades, cybercriminals will continue to penetrate networks and the risk of high-impact scenarios will remain.
Embracing Cyber Situational Awareness
Extraordinary threats require extraordinary solutions. You cannot predict a black swan event, but you can estimate the probability that it will occur and its potential impact by building a security architecture that evolves as the threat landscape shifts. Organizations must look beyond conventional modes of defense to achieve a security posture that is dynamic, not static. This requires cyber situational awareness and information sharing.
As defined by Dr. Mica Endsley, former chief scientist of the U.S. Air Force, situational awareness is the perception of elements in the environment, the comprehension of their meaning and the projection of their status in the near future. The perception, comprehension and projection elements of cyber situational awareness can effectively track, analyze and provide actionable intelligence about emerging threats, threat actors, vulnerabilities and malware. This enables organizations to understand their own security preparedness and proactively take steps to mitigate risks associated with emerging threats.
Securing Human Endpoints
Situational awareness must be imparted at all hierarchical echelons of an organization, including the board members and executives, IT professionals, security analysts, human resources, finance, sales, marketing, and third-party vendors and clients. These are all human endpoints with gaps in awareness that could potentially be exploited by fraudsters.
If these gaps are closed in real time, cybercriminals will find it hard to keep raising their level of sophistication. Like a growth curve that plateaus, their novel techniques would hit a ceiling and then stagnate, giving organizations the time they need to bring awareness levels up to a common baseline. Furthermore, the actionable information generated by situational awareness needs to be shared in real time with industry peers and clients to protect the security of the industry as a whole.
Butterflies and Black Swans
It’s also important to understand an organization’s security posture through the prism of the butterfly effect, which states that every minute, localized action can have significant consequences elsewhere in a complex system. Consider the many acts of poor cyber hygiene employees carry out on a daily basis — these missteps can ultimately lead to a massive black swan event.
Since most corporate assets are connected across the organizations to which they belong, a localized action can enable malicious actors to trigger catastrophic events within a network and even throughout cyberspace at large. Therefore, individual cyber hygiene is crucial to prevent black swan events. Just like software, user education needs regular patching, which can only be delivered through cyber situational awareness.