• Jim Seaman

No need for fortified defences


Introduction

Okay, so you are a small business and no criminal would be interested in breaching your defences, as you have nothing worth stealing.

Yes, in the past, you would have been mostly correct. However, in today's digitalised and data reliant world, there is a higher number of attackers looking for opportunities to exploit your vulnerabilities.

Background

In the military, identifying the potential enemy was relatively easy, as most of the attackers were happy to publicise their desire to cause harm or damage to their opponents.

Unfortunately, with an alleged 23.14 billion internet-connected devices today and 75.44 billion such devices predicted for 2025 (https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/), all transmitting and storing data, the attraction and challenge of illegally harvesting these bits of data and piecing them together into something that can make criminals money (or just allow bragging rights) is far too great.

The global population for 2025 is predicted to be just over 8 billion people (http://www.worldometers.info/world-population/world-population-projections/), meaning that there will be almost 10 internet-connected devices for every person on the planet. These devices will be a combination of both personal and company-owned devices, each needing to be maintained and the users/owners made aware of what is acceptable, and what is not.

With employees being expected to work for longer and the younger workers being increasingly tech savvy, how can businesses hope to minimise the risks associated with having such age-diverse populations?

Research shows that the highest risk of a data breach originates from your younger employees (https://www.centrify.com/about-us/news/press-releases/2018/younger-employees-identified-as-main-culprits-for-security-breaches-in-the-workplace/) and the older, less tech savvy, members of staff (http://journals.sagepub.com/doi/pdf/10.1177/1541931213601915).

A very valuable lesson I was taught, during my transition into the specialist field of Counter Intelligence & InfoSec, was to assign values to assets, so that these can be prioritised and appropriate defences applied. This lesson was further enhanced during a practical experience of applying this new-found knowledge to the real world. Often the term used for a newly trained Counter Intelligence (CI) specialist was:

"Instant Expert, Just add water"!

Armed with my trusty Defence Manual of Security (JSP 440), for reference, and the knowledge gained from the 10-week residential CI course, I set about putting this new-found knowledge into practice. With the goal of enhancing the asset management, I familiarised myself with the Unit's mission statement:

"Training the pilots of the future!"

I understood that, to complete this objective, they needed 22 operational aircraft from the fleet of 30. With this in mind, I set up a comprehensive internal communications plan, in which key personnel would inform me of any deployed aircraft (requiring risk assessments, which could present a potential impact), and which would allow me to effectively manage the 22 critical assets (listed on my critical asset register) and the eight reserves (itemised on my unit asset register). The system matured and everything was being effectively managed, allowing for escalation in the event that the operational assets may potentially breach business continuity, impacting the mission statement.

The valuable lesson learned came 6 months later, when taking the opportunity of applying Human Factor countermeasures (having a cup of tea with the ground engineers of the aircraft). During this, I proudly described my asset management programme and how this was helping to safeguard the mission statement. However, my jaw almost dislocated from its socket in shock when the engineer reached into a dirty and tattered tool bag to show me an old, battered and worn specialist socket. He went on to describe that this item was probably more critical to the mission statement, as each and every aircraft needed to have their bolts tightened, with this socket, every week. If this did not happen, all the aircraft would be grounded.

This was the only socket, and any replacements took around 8 weeks to get after ordering. As you may imagine, this led to the implementation of some frantic risk management: ordering spares, implementing storage safes, periodic rotation, and ensuring that this socket was added to the critical asset register and 2 spares were placed onto the unit asset register.

This is more than just an amusing 'War Story'; it is an example of the value of effective asset management procedures, which are likely to become increasingly difficult to achieve and maintain as businesses start to rely on more and more internet-connected technologies.

  • How well do you manage your assets?

  • Do you understand the importance of these devices and the potential impact, in the event of them being breached (Confidentiality, Integrity) or not being available, when required?

  • Do you ensure that the most critical assets are securely configured?

  • Do you know the dates when these technologies are no longer supported by the vendor (End of Life)?

  • Do you know what software is installed and is this software up to date?

  • Do you periodically scan the critical assets for new and emerging vulnerabilities?

If you are not confident as to how well you are managing your environment of internet connected devices, how are you planning to manage and maintain your ever-increasing estate (predicted to grow by over 200%, in the next 7 years)?
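
The register questions above can be checked mechanically. The following is an added example, not part of the original article: a small Python audit over a constructed asset register. The aircraft and socket counts and the 8-week lead time come from the story; the other assets, dates, lead times and the thresholds max_outage_weeks and scan_interval_days are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Asset:
    name: str
    owned: int                         # units held
    required: int                      # units the mission needs in service
    lead_time_weeks: int               # time to obtain a replacement
    networked: bool = False            # internet-connected device?
    vendor_eol: Optional[date] = None  # end of vendor support, if known
    last_scan: Optional[date] = None   # last vulnerability scan, if any

def audit(assets, today, max_outage_weeks=1, scan_interval_days=30):
    """Return (asset name, finding) pairs for a register of Asset records."""
    findings = []
    for a in assets:
        critical = a.required > 0
        spares = a.owned - a.required
        # Criticality follows mission dependency, not purchase price:
        # no spare plus a long lead time is a single point of failure.
        if critical and spares <= 0 and a.lead_time_weeks > max_outage_weeks:
            findings.append(
                (a.name, f"no spare; replacement takes {a.lead_time_weeks} weeks"))
        if a.vendor_eol is not None and a.vendor_eol <= today:
            findings.append((a.name, f"vendor support ended {a.vendor_eol}"))
        if critical and a.networked and (
                a.last_scan is None
                or (today - a.last_scan).days > scan_interval_days):
            findings.append((a.name, "vulnerability scan overdue"))
    return findings

# Constructed sample register (IT assets, dates and aircraft lead time invented).
TODAY = date(2018, 10, 1)
REGISTER = [
    Asset("training aircraft", owned=30, required=22, lead_time_weeks=26),
    Asset("specialist socket", owned=1, required=1, lead_time_weeks=8),
    Asset("office router", 1, 1, 1, networked=True,
          vendor_eol=date(2017, 6, 30), last_scan=date(2018, 9, 20)),
    Asset("file server", 2, 1, 2, networked=True,
          vendor_eol=date(2023, 1, 10), last_scan=date(2018, 5, 1)),
]

if __name__ == "__main__":
    for name, finding in audit(REGISTER, TODAY):
        print(f"{name}: {finding}")
```

Re-running the audit with the socket recorded as three units owned (one in service, two spares) clears its finding, which mirrors the fix described in the story.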


Recommendations

  • Understand the importance of asset management.

  • Do not assume that you know the importance of all your assets - Engage with your employees.

  • Budget and plan for the maintenance and replacement of your assets.

  • Maintain an inventory of all critical assets (based upon business or regulatory importance).

  • Visualise data flows to show any connected assets.

  • Train all support personnel as to the value of the assets that they are responsible for.

  • As a useful baseline: Familiarise yourself with the Asset Management (AM) controls from the Identify family of the NIST Cybersecurity Framework (https://blog.trendmicro.com/nist-cybersecurity-framework-series-part-1-identify/).

Conclusion

Without a plan, effective asset management can be very hard to achieve and maintain, and can be likened to 'herding cats'. The number to be controlled is predicted to grow significantly and will become increasingly difficult to manage, and you should plan to have to deal with some that escape.

Effective asset management is just one of the ways to reduce exploitation by opportunist attackers. Being able to identify the early signs of an uncontrolled or loose device, enabling you to swiftly respond and round up any stray or loose assets, is essential for helping to reduce the impact on your business, in light of the growing use of internet-connected devices.




©2018 by IS Centurion.