Cyber Security: The Sky Is Falling In!
A career in the Protective Security industry can often leave people feeling like they are living the life of 'Chicken Little'?
So many attack vectors!
So many assets!
So many regulatory requirements!
So many industry security frameworks!
So many security tools!
So many policies and procedures!
So many security controls!
The list goes on and on..........!
How do you stop yourself sounding like 'Chicken Little'?
I must confess that this is an experience that I have been through many times and when it seems that you appear to be the only one concerned about the safeguarding the business from opportunist attackers (both internal or external) it can get very frustrating for both the security professional and the business' Senior Management teams.
This is especially true for anyone that is working in the compliance environments (e.g. PCI DSS) that insist on everything being in place. However, what happens if your organisation needs to protect more than just payment card data?
You can end up looking like 'Chicken Little', running around telling all the business leaders that their 'Sky Is Failing In!'
A Fine Balancing Act
The reality is that it is extremely difficult to do everything, yet:
You need to ensure that ALL the attacker's opportunities are remediated against, within a timely manner.
The attackers only need to identify ONE!
Consequently, as part of the research for my Guide to PCI DSS, I thought it would be beneficial to identify the commonalities from all the majority of the security industry controls frameworks and to compare them against historic root causes of data breaches.
Was there some controls that were of a higher importance than others?
Is there a way to reduce the risks of 'Boiling the Ocean'?
Is there a way to focus the message, so that the key stakeholders will take notice?
When researching for this section of the book, it soon became clear that there were 5 elements that could be prioritised, to help reduce the 'Windows of Opportunity' for the attackers (external and internal):
Pillar 1 - Asset Management
In the context and scope of the business:
Do you understand the assets that are most valuable to the organisation (e.g. Sensitive data processing, Supporting critical data processes, etc.)?
Do you understand where they reside within your business (internal, perimeter, etc.) and how they are connected?
How easily can you identify an unauthorised device connecting to the corporate network?
Do you understand where the 'Weakest Links' in your Supply Chain may reside?
Could your Supply Chain be leveraged against you?
Much like the Marriott/Starwood incident, could an acquisition undermine your security posture?
Do you know the potential impact of this asset being compromised (Confidentiality, Integrity, Availability)?
Consequently, it is essential that you know what are the critical business systems, before you can start to carry out effective Risk Management:
Vulnerabilities X Threats X Impacts
This brings me swiftly onto Pillar 2.
Pillar 2 - Vulnerability Management
Having established an understanding of what is deemed valuable to an organisation and needing to be adequately protected, you can than start to look at identifying the opportunities that can be exploited by your attackers.
Remembering, that a critical business asset extends further than just the IT systems and includes Personnel, Buildings and Data, effective Risk Management will apply suitable security measures that support the 4 T's of risk and brings the levels of risk into tolerable levels:
Having a refined your pillars 1 & 2, next comes the Pillar that an attacker will look to leverage when they are prevented from exploiting the easier avenues (poor application of pillars 1 and 2).
Pillar 3 - Privileged User Management
Most of us will now that a 'Standard User' is extremely limited at what they are able to do and present limited opportunities for attackers. Consequently, attackers will look to exploit poorly managed 'Power User' (Privileged) accounts, which allow them to bypass the defensive controls that your organisation may have implemented to help reduce the risks.
As a result, it is extremely important to strictly control the use of 'Power User' accounts to ensure that they are only allocated to trusted personnel and that they are only used when they are explicitly needed.
If it is convenient to the 'Power User', it will be convenient for the attacker!
When an attacker is able to compromise a 'Power User' account, they are given almost unlimited access to your business critical assets.
Remember, An asset IS NOT limited to IT systems!
Now that you have established Pillars 1 to 3, next comes the support from Pillar 4.
Pillar 4 - System & User Monitoring
Through Pillars 1 to 3, we should have established what needs to be protected and with whom access is granted. Now we need to establish what NORMAL looks like so that we are able to efficiently identify and respond to ABNORMAL activities.
By the establishing the earlier Pillars, your monitoring efforts should be better placed to identify any suspicious or malicious activities happening within your business environments.
Early identification, enables timely intervention to help reduce the risks of a malicious or accidental act leading to significant impact on your organisation (e.g. system outage/unavailability, data breach, etc.).
Establishing the capability for early identification and timely intervention, effectively introduces the 5th Pillar.
Pillar 5 - Incident Management
Even with all of the previous Pillars having been established, your company needs to be prepared for when something goes wrong.
How effectively can your teams respond, in the event that a 'Wheel Falls Off'?
An Integrated Approach
As you can see from the descriptions of the aforementioned Pillars, for these to be effective you need to have an integrated approach which are supported by security tools that can complement each other and automate the process, where possible.
Although there does not seem to be a single tool that integrates all these 5 pillars, I did identify a handful of stand-out security solutions that I thought could really complement the 5 Pillars:
Maintaining an effective security posture can be extremely difficult to achieve and even more so if you need to demonstrate compliance against a particular industry security standard. Frequently, it is the case that there is a disparagement between the Key Stakeholders and the Protective Security/IT Operations teams:
Key Stakeholders: "Why are you 'Boiling the Ocean'?"
Protective Security/IT Operations: "I'm made to spin too many plates, with the resources that I have. The business expects me to do more with less!"
This differing disintegration, within the business, increases the chances of an opportunity being made available for an attacker to exploit.
Why not evaluate your organisation against the 5 Pillars and see how you fair and whether you might benefit from a streamlined and more integrated approach, helping you to use automation to make a better use of your resources?
The outputs from whichever security tools you choose to support the 5 Pillars should definitely be included into your monthly security metrics, so as to provide visibility to Senior Management, to answer their 'So What?' question and to reduce the 'Chicken Little' effect!
"Protective Security is seen by business as being very expensive and invisible.
That is, until it goes wrong and it becomes extremely visible and even more expensive!"