Attacks by malicious actors are relentless, and despite compliance standards such as FISMA (Federal Information Security Management Act) and FedRAMP (Federal Risk and Authorization Management Program), breaches still occur due to technological issues and human error. At SNOK, a firm specialising in SAP and Microsoft Azure cybersecurity, we understand these challenges and work to overcome them. To address this, the “Security by Design and Default” (SbD-D) approach was developed, which radically changes the way we view cyber defence, because neglecting security now becomes an active choice rather than an unintended mistake.
Cyberattacks and human error
Microsoft research has shown that around 921 password attacks occur every second - a 74% increase year on year. But even if passwords no longer existed and everyone had phishing-resistant identities, organisations would still be at risk. Attackers are opportunistic, always seeking the easiest route into your systems. SbD-D gives organisations a powerful set of defensive tools.
Reducing vulnerability from the outset
If every new piece of technology that organisations deploy is secure from concept to implementation, IT and security teams need only focus on maintaining its security. This is the goal of Security by Design and Default, which simultaneously addresses several issues:
Testing third-party code
Third-party or open-source code, often used to speed up development or add exclusive features, must be rigorously tested at every stage of development.
Software supply chain validation
The software supply chain must be verified and documented. Recording every component and decision made during the software lifecycle, using a tool such as an open-source Software Bill of Materials (SBOM), helps identify and mitigate issues.
Zero Trust and defence-in-depth principles
The development environment should adhere to Zero Trust and defence-in-depth principles to protect against the introduction of malicious code at any stage of development.
Default security
Default security follows a similar approach. Basic security features are enabled from the outset, and are subsequently adjusted or disabled to suit the organisation’s operational needs. Security settings and practices can then continue to evolve as the threat landscape changes.
Barriers to adopting SbD-D
So why is SbD-D not yet the standard across the entire technology industry? There are three main reasons:
Culture and human nature
Convenience often takes precedence over security. Enabling default security features for all users can lead to risky workarounds and weakening of security technologies. Phased rollouts for smaller groups of users, combined with positive reinforcement, can help drive acceptance.
Prevalence of outdated technology
Many essential industrial control systems and other operational technology based on outdated components are unlikely to be modernised any time soon. These systems require additional vigilance and layers of protection.
Pace of transformation
Budget constraints, management priorities and resource limitations are just some of the obstacles to modernisation. In addition, there is a mistaken belief that “security equals a loss of freedom.” Although developing new software using secure practices may take longer, this represents only a fraction of the cost associated with cleaning up after a serious incident.
Fortunately, as more systems are updated or replaced, there will be more opportunities to introduce products built and deployed using SbD-D.
Summary
Security by Design and Default is an approach that changes the way we view cybersecurity. Rather than being something we opt into, it becomes something we can opt out of. This approach helps limit human error and empowers organisations, giving them powerful tools to defend against cyberattacks.
FAQ
- What is Security by Design and Default (SbD-D)?
Security by Design and Default is a cybersecurity approach that assumes all systems are secure from the moment of their design and implementation.
- How does SbD-D help limit human error?
SbD-D makes neglecting security an active choice rather than an unintended mistake. This means users must consciously decide to disregard security measures, which helps limit human error.
- What are the main barriers to adopting SbD-D?
The main barriers are culture and human nature, the prevalence of legacy technology, and the pace of transformation.
- Is SbD-D already a standard in the technology industry?
No, SbD-D is not yet a standard across the entire technology industry, although it is increasingly being adopted.
- Is SbD-D effective against all types of cyberattacks?
Although SbD-D is a powerful tool in the fight against cyberattacks, it is not a solution to every problem. Attackers are opportunistic and always seek the easiest route into systems. It is therefore important for organisations to remain vigilant and continue updating their defences as the threat landscape evolves.
This article is based on the following publication: https://www.govexec.com/sponsors/2023/06/security-design-and-default-limits-human-error-and-empowers-agencies/387685/