Cloud, Assurance, Forensics, Engineering

Month: May 2023

Due Care….Due Diligence…did you know and what did you do?

I’ve been in this industry for more than a few decades and many times have come across cyber professionals and organizations who do not have a clear answer to this basic question: Why do we approach security the way we do? People have varying answers from “it’s my passion”, “bad guys are bad”, “the money”, “I love technology”, and many more. Rarely do I get the answer of “Because protecting our ‘fill in the blank’ is the right thing to do.”

Many professionals I work with are in this because they see bad actors for what they truly are. Bad, not good, very low down, and sometimes outright evil actors. The adversary wants to own you, manipulate you, control you, or in the case of many nation states eventually break you. “Due Care” and “Due Diligence” are legal terms every cyber security professional should know on day one. These terms are drivers for everything we do. If we know we have an issue, then it’s important to protect and do something about it.

Most cyber security professionals do not have a legal background, so it is a good idea to brush up on these key terms so one can navigate the profession a little bit easier. These are as critical to me as confidentiality, availability, integrity, and non-repudiation, topics I will discuss in a future blog because people need to be reminded from time to time.

Cybersecurity is a critical concern for organizations across all industries, with data breaches and cyber-attacks becoming increasingly common. Let’s face facts; the bad actors are bad, and they want to take companies down for reasons ranging from fame, to simple meanness, to, in the worst case, representing a nation state that is in a digital war with another country. In this context, due care and due diligence are two concepts often discussed in relation to cybersecurity. While both are important, they are distinct and serve different purposes.

Due care refers to the level of care that a reasonable person would take to protect their own personal information and that of others. It is a legal concept that obligates organizations to take reasonable steps to protect the personal information of their customers and employees from unauthorized access, use, and disclosure. Due care involves establishing and implementing reasonable security measures to protect data, such as using firewalls, encryption, and access controls. Due care is a proactive approach that emphasizes the prevention of security breaches and data loss.

Due diligence, on the other hand, is a process of conducting a thorough investigation into a company’s security practices and assessing the risks associated with a particular transaction or activity. Due diligence involves evaluating the security posture of a company and identifying any vulnerabilities or gaps that may exist in its security infrastructure. Due diligence is often conducted before entering a business relationship with another organization or acquiring a new company.

In the context of cybersecurity, due diligence involves reviewing the security policies and procedures of a company, as well as conducting vulnerability assessments and penetration testing to identify any weaknesses in the security infrastructure. Due diligence also involves reviewing the security training and awareness programs in place for employees and evaluating the incident response and disaster recovery plans of the organization.

While due care and due diligence are distinct concepts, they are both important for maintaining effective cybersecurity practices. Due care is essential for establishing a baseline level of security and implementing best practices to prevent security breaches. Due diligence, on the other hand, is critical for identifying potential risks and vulnerabilities and developing strategies to address them. Together, these two concepts help organizations to maintain a strong security posture and minimize the risk of cyber-attacks and data breaches.

In conclusion, due care and due diligence are two critical concepts in cybersecurity that serve different purposes. Due care is a proactive approach that emphasizes the prevention of security breaches and data loss, while due diligence involves conducting a thorough investigation into a company’s security practices and assessing the risks associated with a particular transaction or activity.

Both concepts are important for maintaining effective cybersecurity practices and minimizing the risk of cyber-attacks and data breaches. Down the road I will address how these two very critical terms and corresponding activities can help leaders build out their risk posture and program.

About the author

Shawn Anderson has an extensive background in cybersecurity, beginning his career while serving in the US Marine Corps. He played a significant role as one of the original agents in the cybercrime unit of the Naval Criminal Investigative Service.

Throughout his career, Anderson has held various positions, including Security Analyst, Systems Engineer, Director of Security, Security Advisor, and twice as a Chief Information Security Officer (CISO). His CISO roles involved leading security initiatives for a large defense contractor’s intelligence business and an energy company specializing in transporting environmentally friendly materials.

Beyond his professional achievements, Anderson is recognized for his expertise in the field of cybersecurity. He is a sought-after speaker, writer, and industry expert, providing valuable insights to both C-Suite executives and boards of directors.

Currently, Anderson serves as the Chief Technology Officer (CTO) for Boston Meridian Partners. In this role, he evaluates emerging technologies, collaborates with major security providers to devise cybersecurity strategies, and delivers technology insights to the private equity and venture capital community.

Overall, Shawn Anderson’s career journey showcases a wealth of experience in cybersecurity and leadership roles, making him a respected and influential figure in the industry.

Attack Lifecycle and Building a Security Strategy

The attack lifecycle, also known as the cyber-attack lifecycle or the cyber kill chain, is a set of steps used to describe the various stages of a typical cyber-attack. It is an overview of the process, documented by Lockheed Martin some years ago[1]. Understanding the attack lifecycle can help organizations develop more effective cybersecurity strategies by identifying vulnerabilities and implementing controls to prevent or mitigate attacks at each stage of the lifecycle.

In order to mitigate the threats, think of your organization as a blueprint where you have to overlay the electrical, the plumbing, the HVAC, and the network cables so you see each system individually or all at once. In this case we want to look at the data in your organization as it sits, traverses, and moves in and out of your purview of control. This view, together with all the systems/devices working to handle this data, is what I call a data view.

You have numerous pieces of software working side by side to help with collaboration, data storage, identity management, endpoint, servers for processing, and a whole lot more. There is telemetry coming from all of this, and the adversaries as well as your own internal teams can use this data for both good and bad. It is up to you, as security professionals, to know the attack lifecycle and the cyber kill chain so you can implement solutions to protect your home, office, or organization from exposure and exploitation.

The exact stages of the attack lifecycle may vary depending on the specific model used, but generally include the following:

Reconnaissance: In this stage, the attacker gathers information about the target system or network, such as IP addresses, domain names, email addresses, and employee names. To use simpler terms this is where the adversary sits outside your house to monitor ways in, your routines, who has access, etc.

Weaponization: Here, the attacker selects the tools and techniques they will use to exploit vulnerabilities in the target system or network. This may involve creating or modifying malware or other malicious software.

Delivery: The attacker delivers the weaponized malware to the target system or network. This may be done through email phishing, social engineering, or exploiting vulnerabilities in software.

Exploitation: In this stage, the attacker uses the weaponized malware to gain access to the target system or network. This may involve exploiting known or unknown vulnerabilities in software or hardware.

Installation: Once the attacker has gained access to the target system or network, they install malware or other malicious software, which allows them to maintain persistence and control over the system.

Command and Control: The attacker establishes a command and control (C2) channel, which allows them to communicate with the malware or other malicious software installed on the target system or network.

Actions on Objectives: The final stage of the attack lifecycle involves the attacker taking actions to achieve their objectives. This may involve stealing data, altering, or destroying data, or disrupting the target system or network in some other way.

Once you understand the attack lifecycle, it is my recommendation that you use some form of data analysis to track where your data is at all times. Place all the security tools your organization has on top of the cyber kill chain. Examples would be CrowdStrike or Microsoft Defender on the endpoint, or using Okta, Ping, or AAD for identity. By doing this you will start to see where you have gaps or overlap.

Architecting in the cloud requires a renewed focus on data and the protection of the data. On premises, by contrast, networking can be accomplished by putting all your data on a standalone computer and locking it in a closet: not very productive, but somewhat secure. In the cloud your attack lifecycle can be stretched because your data can be anywhere. You must build a secure architecture to account for this.

So, you have an assignment: review the steps an adversary would use, as outlined above, then take your current security tools/capabilities and overlay them on the “attack lifecycle”. Do not try to boil the ocean, as this is an initial exercise to gain a better understanding of your company’s security posture. For more detailed analysis and effort I would recommend you look at the MITRE ATT&CK Framework[2]. The MITRE ATT&CK Framework is not the same thing as the LMCO Attack Lifecycle. The latter is higher level, whereas the MITRE framework will allow you to go into the techniques and sub-techniques one should protect against. There are other frameworks out there, such as the Center for Internet Security Benchmark[3] (CIS Benchmark; formerly the SANS top 20), over which you can likewise overlay your security capabilities. It’s not an end-all, be-all answer, but it will start to show you overlap and gaps, and provide a good start for developing a plan to improve.
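The overlay exercise described above can be kept as a small script rather than a slide. This is an added example, not the author's code: the capability names and the stages assigned to each are constructed assumptions to be replaced with your own inventory.

```python
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Constructed inventory (capability -> stages it is assumed to address).
# Replace the assumed stage assignments with what your tools actually do.
INVENTORY = {
    "endpoint EDR": ["Exploitation", "Installation", "Command and Control"],
    "endpoint antivirus": ["Installation"],
    "identity provider with MFA": ["Actions on Objectives"],
    "email filtering": ["Delivery"],
    "web proxy": ["Delivery", "Command and Control"],
}


def overlay(inventory, stages=KILL_CHAIN):
    """Return {stage: sorted list of capabilities mapped to that stage}."""
    coverage = {stage: [] for stage in stages}
    for capability, claimed in inventory.items():
        for stage in claimed:
            if stage not in coverage:
                # A misspelled stage would silently hide a gap, so fail loudly.
                raise ValueError(f"{capability}: unknown stage {stage!r}")
            coverage[stage].append(capability)
    return {stage: sorted(caps) for stage, caps in coverage.items()}


def gaps(coverage):
    """Stages with no capability mapped to them."""
    return [stage for stage, caps in coverage.items() if not caps]


def overlaps(coverage, threshold=2):
    """Stages where at least `threshold` capabilities stack up."""
    return {s: c for s, c in coverage.items() if len(c) >= threshold}


def report(coverage):
    """Render the overlay as plain-text lines, one per stage, in chain order."""
    lines = []
    for stage, caps in coverage.items():
        status = "GAP" if not caps else "OVERLAP" if len(caps) > 1 else "ok"
        lines.append(f"{stage:<22} {status:<8} {', '.join(caps) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(overlay(INVENTORY)))
```

A stage flagged as a gap is a prompt to ask whether any control, process, or telemetry source addresses it at all; an overlap is a prompt to check whether the stacked tools are redundant or complementary.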

Take the time to study what the adversaries are doing, understand and document your organization’s network, understand where the important data is, PICK A FRAMEWORK (cannot stress this enough), and start working to put security capabilities in place to mitigate risk at every stage of the framework your organization has chosen. You will still have to assume compromise, but you will be in a much better position knowing where your gaps/risks are regarding access and protecting your data.


[1] https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

[2] https://attack.mitre.org/

[3] https://www.cisecurity.org/controls/v8_pre