• Jim Seaman

Protective Security: Command and Control


Introduction

Looking back at some of the biggest data breaches of 2020, one contributing factor is common to all of them:

  • Ineffective Command and Control

1. 10.88 billion records were exposed when an unsecured database belonging to the adult live-streaming website CAM4.com was found accessible from the internet.

  • As a public-facing service handling sensitive consumer data, you would think that they would have understood that protecting that data was essential.


2. As a result of maintenance work carried out by a new service provider on a Keepnet Elasticsearch database, 5 billion records were exposed.

  • Given that the Elasticsearch database was public-facing and managed by a third-party supplier, periodic monitoring of it would likely have caught the exposure.


3. Researcher Jeremiah Fowler discovered an unprotected online database belonging to cosmetics giant Estée Lauder that contained 440,336,852 records, freely accessible to anyone with an internet connection.

  • Once again, as a public-facing organisation, they could have benefited from monitoring their business from the 'Badlands', that is, from the attacker's side of the perimeter.


4. Security researcher Bob Diachenko discovered an exposed cluster of databases belonging to the Voice over IP (VoIP) telecommunications vendor Broadvoice that contained the records of more than 350 million customers.

  • Another business with unprotected public-facing databases, which would have benefited from external monitoring of its digital footprint.


5. Wattpad suffered a huge data breach that exposed 268,745,495 records.

  • As an immensely popular website (ranked the 150th most visited site worldwide), you would think that this is something they would be interested in protecting.


What is Command and Control?

Within the corporate world the term 'Command and Control' is frequently used, but do organisations truly employ the structure and strategies that align with the concept of true 'Command and Control'?


Definition

The US Department of Defense's dictionary of military terms defines it as follows:

"Command and control is the exercise of authority and direction by a properly designated commander over assigned and attached forces in the accomplishment of a mission. Commanders perform command and control functions through a command and control system."

As you can see from this definition, Command and Control is far more integrated than simply having a hierarchical organisation structure: it combines designated authority, clear direction and a supporting system. In the Protective Security context, everything revolves around the effective protection of an organisation's critical assets.


What is an asset?

NIST defines an asset as being:

"Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards)."


Recommendations

Do not rely solely on compliance initiatives to safeguard your business from a compromise of a valuable asset's confidentiality, integrity or availability. Look at the potential benefits to your business of adopting a more Protective Security style approach, incorporating a military-style 'Command and Control' structure, where the focus is on the following three areas:

  1. Business Context. What business operations are the most important? What specific scenarios concern the key stakeholders the most?

  2. Risk & Resilience. What are the vulnerabilities, threats and impacts? If something goes wrong, how quickly can these operations bounce back?

  3. Identify & Isolate. What are the assets that support these important business operations? What other assets are connected that could undermine the valued assets?

Where you are considering incorporating compliance into your strategy, ensure that it aligns with and enhances the three areas above.


Ensure that any investment in mitigating security controls shows demonstrable value in reducing risk or improving resilience for your business's valued operations.


For example, your stakeholders are concerned about the risks to a customer database containing circa 1,333 records. Based on the Ponemon Institute's cost-of-a-data-breach calculations (roughly $150 per compromised record), the mean cost of a breach of that database is estimated at $200,000.


Consequently, a suitable tokenisation solution, which reduces both the probability of a breach and the loss exposure (tokens, unlike the raw records, are of little value to an attacker), can readily be shown to deliver a considerable return on investment (ROI) and would therefore be regarded as a proportionate measure.
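To make the proportionality argument above reproducible, and to show how the three recommendation areas (Business Context, Risk & Resilience, Identify & Isolate) can be captured in a risk register, here is an added worked example; it is not the author's tool or a calculation from the original post. It uses the page's 1,333-record database and the roughly $150-per-record figure that gives the $200,000 single-loss estimate; the annual breach probabilities, the residual figures after tokenisation, the control costs and the other two register entries are constructed assumptions for illustration.

```python
"""Risk register with annualised loss expectancy (ALE) and return on security
investment (ROSI). Added example; the probabilities and costs are assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Risk:
    """One risk-register entry, keyed to the three areas in the recommendations."""
    asset: str              # Identify & Isolate: the asset that supports the operation
    operation: str          # Business Context: the operation the stakeholders care about
    records: int            # exposure size used for the single-loss estimate
    cost_per_record: float  # mean loss per compromised record (assumed ~$150)
    p_annual: float         # Risk & Resilience: assumed annual probability of compromise

    def sle(self) -> float:
        """Single loss expectancy: expected cost of one compromise of this asset."""
        return self.records * self.cost_per_record

    def ale(self) -> float:
        """Annualised loss expectancy: SLE weighted by the annual probability."""
        return self.sle() * self.p_annual


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: (risk removed - control cost) / control cost.
    A value <= 0 means the control costs more than the risk it removes."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


def evaluate_control(risk: Risk, control_cost: float,
                     p_after: Optional[float] = None,
                     cost_per_record_after: Optional[float] = None) -> Dict[str, float]:
    """Quantify one proposed mitigation against one register entry.
    A control may lower the probability, the per-record loss, or both."""
    p = risk.p_annual if p_after is None else p_after
    c = risk.cost_per_record if cost_per_record_after is None else cost_per_record_after
    if not (0.0 <= p <= risk.p_annual) or not (0.0 <= c <= risk.cost_per_record):
        raise ValueError("a mitigation must not increase probability or per-record loss")
    mitigated = replace(risk, p_annual=p, cost_per_record=c)
    r = rosi(risk.ale(), mitigated.ale(), control_cost)
    return {
        "ale_before": risk.ale(),
        "ale_after": mitigated.ale(),
        "rosi": r,
        "proportionate": r > 0.0,  # only a net-positive control is proportionate
    }


def prioritise(register: List[Risk]) -> List[Risk]:
    """Order the register by ALE, highest first, so oversight starts with what matters."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


# Constructed sample register. Only the customer database's record count and
# ~$150/record basis come from the page; everything else is an assumption.
CUSTOMER_DB = Risk("customer database", "order fulfilment", 1_333, 150.0, 0.25)
PUBLIC_ES = Risk("public Elasticsearch index", "product search", 50_000, 150.0, 0.40)
LAPTOP = Risk("sales laptop", "field sales", 200, 150.0, 0.10)
REGISTER = [LAPTOP, CUSTOMER_DB, PUBLIC_ES]


def tokenisation_case() -> Dict[str, float]:
    """The page's example: tokenising the customer database. Assumed effect:
    stolen tokens are worth little, so per-record loss drops to $15 (residual
    notification and investigation cost) and probability falls to 0.20."""
    return evaluate_control(CUSTOMER_DB, control_cost=10_000.0,
                            p_after=0.20, cost_per_record_after=15.0)


def gold_plated_case() -> Dict[str, float]:
    """Same risk reduction bought at five times the price: no longer proportionate."""
    return evaluate_control(CUSTOMER_DB, control_cost=50_000.0,
                            p_after=0.20, cost_per_record_after=15.0)


if __name__ == "__main__":
    for entry in prioritise(REGISTER):
        print(f"{entry.asset:28s} SLE ${entry.sle():>12,.0f}  ALE ${entry.ale():>12,.0f}")
    for label, case in (("tokenisation", tokenisation_case()),
                        ("gold-plated", gold_plated_case())):
        print(f"{label}: ROSI {case['rosi']:.2f}, proportionate={case['proportionate']}")
```

Running the script lists the register by ALE (the exposed Elasticsearch index dominates, not the database the stakeholders happened to ask about) and then shows that the same risk reduction is proportionate at one price and disproportionate at another. The ROSI figure is only as good as the probability estimates feeding it, so the register should record where each estimate came from and be revisited when the threat picture changes.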


Conclusion

Too many organisations leave their valuable assets unprotected and exposed. The reason is that they are not prioritising what the business deems valuable and, as a result, fail to build an appropriate 'Command and Control' structure that applies sufficient oversight.


Look at your organisation and ensure that its risk registers accurately reflect the risks that matter to the business, that all the supporting assets are analysed for their associated risks, and that any risk-mitigation effort can clearly demonstrate an ROI.


Effective Protective Security requires an effective 'Command and Control' structure, so that an integrated approach ensures all stakeholders understand the risks to their business operations and the key stakeholders have a centralised view of every risk that could impact the company.