Asset Attack Vectors: Building Effective Vulnerability Mgt Strategies to Protect Organisations
Much like any seasoned Cyber/InfoSec professional, I continue my professional development through volunteer work with ISACA, attending conferences/lectures, reading articles and books. This helps me to refine my understanding and keep my knowledge up to date.
As you may imagine, after more than 30 years working in the security profession, I have developed considerable depth of knowledge and experience, and have built an extensive library of reference material.
Whilst travelling out to Toronto to attend a Cyber Security conference, I decided to pursue a long-term dream of authoring a book myself and set about planning the subject and type of content that I would need.
Asset Attack Vectors
Having spent 22 years in the Royal Air Force Police, I had become very accustomed to applying protective security through the lens of asset risk:
Morey and Brad present this important aspect of any cybersecurity strategy in a very informative and thought provoking manner, introducing their 3 logical groups:
This really reinforced my previous thinking and inspired me to develop it a little further into my Proactive Defense - 5 pillars model:
Often, you will find that an organisation will attempt to secure everything, or will do the bare minimum needed to meet its compliance objectives (ticking the boxes), without really understanding what is most important in terms of effective protective security.
As you will see, the core of these models is the management of assets. Therefore, it is important to understand the following two important elements:
The protection of assets from compromise. Compromise can be a breach of:
Confidentiality. The restriction of information and other valuable assets to authorized individuals (e.g. protection from espionage, eavesdropping, leaks and computer hacking).
Integrity. The maintenance of information systems of all kinds and physical assets in their complete and usable form (e.g. protection from unauthorized alteration to a computer programme).
Availability. The permitting of continuous or timely access to information systems or physical assets by authorized users (e.g. protection from sabotage, malicious damage, theft, fire and flood).
Note. In assessing integrity and availability, consideration must be given to both the direct and indirect consequences of compromise.
"Anything of value, either tangible or intangible, that is owned or used by an organization or business".
They can be documents and information; material such as buildings, equipment, valuables or cash; operating systems or personnel.
Morey and Brad really set the scene for their book by looking at vulnerability management through the eyes of an attacker (Chapter 1: The Attack Chain), before introducing the concept of Vulnerability Landscape (Chapter 2).
Next, as per the FAIR risk model, they flow down from the asset to focus on threat and vulnerability management, which then returns a risk measurement.
As we have seen from the Equifax post-breach investigation, it is extremely important for businesses to ensure that they have an effective asset management program, supported by an efficient vulnerability management process. This will help to ensure that your critical systems are identified, subject to suitable vulnerability and risk assessment, and assigned appropriately timed remediation activities.
"The Canadian credit card information of individuals who purchased certain direct-to-consumer products or fraud alerts by phone was, at the time, held by Equifax Inc. in a database that had not been included in the scope of Equifax Inc.’s annual Payment Card Industry Data Security Standard (PCI-DSS) certification.
Industry standards require that this certification cover all systems used by an organization to handle credit card information. The forensic third party hired by Equifax Inc. which conducted an analysis after the breach, found deficiencies in compliance with the PCI-DSS standard".
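To make the asset-first flow described above concrete (criticality from the CIA impact of compromise, then vulnerability and threat, returning a risk score that sets the remediation window), here is a small worked example. It is added here and is not code from the book or the original post; the scoring scale, SLA tiers, asset names and vulnerability records are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Asset:
    name: str
    confidentiality: int  # impact if compromised: 1 (low) .. 3 (high)
    integrity: int
    availability: int
    handles_card_data: bool = False
    in_pci_scope: bool = False
    vulns: list = field(default_factory=list)  # (vuln_id, cvss_base, exploited_in_wild)

def asset_criticality(asset):
    """Worst-case CIA impact rating drives the asset's criticality."""
    return max(asset.confidentiality, asset.integrity, asset.availability)

def risk_score(asset, vuln):
    """Criticality x CVSS x threat weighting (hypothetical scale; active exploitation doubles threat)."""
    _vid, cvss, exploited = vuln
    return round(asset_criticality(asset) * cvss * (2.0 if exploited else 1.0), 1)

def remediation_deadline(score, today):
    """Hypothetical SLA tiers: the higher the risk, the shorter the remediation window."""
    days = 7 if score >= 40 else 30 if score >= 20 else 90
    return today + timedelta(days=days)

def prioritise(assets, today):
    """Rows of (score, asset, vuln_id, deadline), highest risk first."""
    rows = [(risk_score(a, v), a.name, v[0], remediation_deadline(risk_score(a, v), today))
            for a in assets for v in a.vulns]
    return sorted(rows, key=lambda r: r[0], reverse=True)

def scope_gaps(assets):
    """Assets handling card data that sit outside the PCI-DSS assessment scope."""
    return [a.name for a in assets if a.handles_card_data and not a.in_pci_scope]

# Constructed sample register: the same critical vulnerability on a card database and an intranet wiki.
ASSETS = [
    Asset("card-db", 3, 3, 2, handles_card_data=True, vulns=[("VULN-A", 9.8, True)]),
    Asset("intranet-wiki", 1, 1, 2, vulns=[("VULN-B", 9.8, True), ("VULN-C", 5.3, False)]),
    Asset("payment-api", 3, 3, 3, handles_card_data=True, in_pci_scope=True,
          vulns=[("VULN-D", 7.5, False)]),
]

if __name__ == "__main__":
    for row in prioritise(ASSETS, date(2024, 1, 1)):
        print(row)
    print("card data outside PCI scope:", scope_gaps(ASSETS))
```

The same CVSS 9.8 finding lands a 7-day deadline on the card database but a 30-day one on the wiki, and the scope check surfaces the kind of gap the Equifax investigation describes: a card-data store left outside the PCI-DSS assessment.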
Consequently, if you are responsible for ensuring that an organisation's critical assets are adequately protected (and compliant), I would highly recommend that you add this book to your reading list.
Designing an effective defensive strategy can be extremely expansive, and the default approach might be to align with a recognised industry security standard or controls framework. However, unless you know which of your assets are most important and should be prioritised for remediation, you will find maintaining effective defences difficult to achieve.
Whether you are just starting out in a Cyber/InfoSec role or are a seasoned professional, you will find this read insightful, and it may well help you to prioritise your efforts - helping you to do more with less by focusing on the protection of your most critical business assets.