Protective Security: Hitting a Six
The wise words of Peter Drucker, educator and business management thinker, sum up many of the mistakes that are made in the security industry today:
"There is nothing so useless as doing efficiently that which should not be done at all"
During 2020, we have seen a substantial increase in the number of businesses becoming the victims of a cyber attack and having their data or systems compromised. The reason for this is not that the attackers have started using more sophisticated tactics; it is that most organisations have failed to prioritise their defensive efforts.
Consequently, to help businesses be less of an easy target, it is essential that they make the effort to prioritise their defensive efforts. The end result will be that these organisations are better prepared to defend their 'Crown Jewels'.
Prioritising the six
To effectively win the game, you need to be aiming for the six, which comprise the following priorities:
Priority 1: Asset Management
An asset is not restricted to data or IT systems but is anything that is valued by an organisation and can be best summarised by some of the NIST definitions:
"A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems."
"Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards)".
Consequently, asset management should always be priority No. 1:
Have you identified the assets that are the most valued by your organisation?
What business functions do they support?
Are they involved in the processing, storage, or transmission of sensitive information?
Do they support important business functions?
Where do they reside within your infrastructure (external-facing, internal-facing)?
Are they connected to, or have a potential to impact, critical business systems?
Do you understand their life-cycles?
Priority 2: Risk Management
Having identified the assets, do you appreciate the risks that are associated with these assets?
NIST defines Risk Management as being:
"The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes:
(i) establishing the context for risk-related activities;
(ii) assessing risk;
(iii) responding to risk once determined; and
(iv) monitoring risk over time."
Priority 3: Vulnerability Management
Harking back to the year 1767 and originating from the word 'vulnerable':
c. 1600, from Late Latin vulnerabilis "wounding," from Latin vulnerare "to wound, hurt, injure, maim," from vulnus (genitive vulneris) "wound," perhaps related to vellere "pluck, to tear" (see svelte), or from PIE *wele-nes-, from *wele- (2) "to strike, wound"
Think of vulnerability management as being like 'First Aid for your business'. In order to be an effective 'First Aider', you need to understand basic human anatomy and be able to quickly identify, confirm, respond to and triage any wounds to the body, based upon those that are most likely to cause harm.
For example, after a road traffic collision, you would expect a first responder to identify a ruptured lung and prioritise this over a graze to the skin. Both the skin and the lungs are organs of the human body; however, the lungs are considered vital organs and, therefore, damage sustained to the lungs would be more detrimental to the health of the person.
The same applies in Protective Security. You need to understand the basic business anatomy and be able to identify, confirm, respond to and triage any vulnerabilities in the business assets, based upon those that are most likely to cause harm to the business.
For IT systems, Techopedia defines Vulnerability Management as being:
"A security practice specifically designed to proactively mitigate or prevent the exploitation of IT vulnerabilities which exist in a system or organization.
The process involves the identification, classification, remedy, and mitigation of various vulnerabilities within a system.
It is an integral part of computer and network security and is practiced together with risk management as well as other security practices".
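Priorities 1 to 3 fit together: the asset questions above give each asset a criticality, and that criticality should weight how vulnerabilities are triaged, so that a 'ruptured lung' on a crown-jewel system is dealt with before a 'graze' on an isolated test box, even when the raw scanner severity says otherwise. The following is an added example of that triage, not code from the original article; the asset names, findings and scoring weights are all constructed for illustration.

```python
"""Asset-aware vulnerability triage (added example; constructed data).

Each asset is scored from the asset-management questions (business functions,
sensitive data, exposure, links to critical systems). Findings are then ranked
by raw severity multiplied by that asset criticality, rather than by severity
alone, and findings on assets missing from the inventory are surfaced as an
inventory gap rather than silently scored.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_functions: tuple        # functions it supports (hypothetical names)
    handles_sensitive_data: bool     # processes, stores or transmits sensitive information
    external_facing: bool            # where it resides in the infrastructure
    touches_critical_systems: bool   # connected to, or able to impact, critical systems


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    severity: float                  # raw scanner severity on a 0-10 scale


def asset_criticality(a: Asset) -> int:
    """Score 1-5 built from the asset questions; each 'yes' adds one point."""
    score = 1
    score += 1 if a.business_functions else 0
    score += 1 if a.handles_sensitive_data else 0
    score += 1 if a.external_facing else 0
    score += 1 if a.touches_critical_systems else 0
    return score


def triage(assets, findings):
    """Return (finding, criticality, priority) tuples, highest priority first.

    An unknown asset gets criticality None and priority 0.0: that is a signal
    that priority 1 (the inventory) is incomplete, not a reason to guess.
    """
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        a = by_name.get(f.asset)
        if a is None:
            ranked.append((f, None, 0.0))
            continue
        crit = asset_criticality(a)
        ranked.append((f, crit, round(f.severity * crit, 1)))
    return sorted(ranked, key=lambda t: t[2], reverse=True)


# Constructed inventory and findings; none of these are real systems.
ASSETS = [
    Asset("payments-api", ("card payments",), True, True, True),
    Asset("dev-test-box", (), False, False, False),
]
FINDINGS = [
    Finding("payments-api", "Outdated TLS library", 5.0),
    Finding("dev-test-box", "Remote code execution in test service", 9.0),
    Finding("unknown-host", "Default credentials", 7.0),
]

if __name__ == "__main__":
    for f, crit, score in triage(ASSETS, FINDINGS):
        print(f"{score:5}  criticality={crit}  {f.asset}: {f.title}")
```

With the constructed data, the medium-severity finding on the payments system ranks first (5.0 x 5 = 25.0), the critical finding on the isolated test box second (9.0 x 1 = 9.0), and the finding on the un-inventoried host is listed last with no criticality, which is exactly the asset-management gap that needs closing before the score means anything.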
Priority 4: Access Management
Having established an understanding of which assets are important, and ensured that the risks and vulnerabilities are being effectively managed, it is important to ensure that effective access control systems and practices are in place, so that access to these business-critical systems is strictly restricted based upon a legitimate business requirement.
The more systems and personnel that are granted access, the greater the risk of the access restrictions becoming compromised.
For IT systems, Techopedia defines Access Management (AM) as being:
"The process of identifying, tracking, controlling and managing authorized or specified users' access to a system, application or any IT instance.
It is a broad concept that encompasses all policies, processes, methodologies and tools to maintain access privileges within an IT environment".
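One practical way to apply the 'legitimate business requirement' test is a periodic access review: compare every account's actual grants against the roles each system is meant to serve, and list the grants with no justification. The following is an added example of such a review, not the article's own or any product's code; the systems, roles and users are constructed for illustration.

```python
"""Access review against business requirement (added example; constructed data).

REQUIRED_ACCESS records, per system, the roles with a legitimate business need.
Each user holds one role and a set of actual grants. Any grant the role does
not justify is 'excess' and should be revoked or formally justified; a system
that appears in a grant but not in REQUIRED_ACCESS is treated as unjustified
too, because nobody has stated who should have access to it.
"""

# Constructed role-to-system mapping (hypothetical system and role names).
REQUIRED_ACCESS = {
    "payments-db":  {"payments-engineer", "dba"},
    "hr-records":   {"hr-admin"},
    "build-server": {"payments-engineer", "dba", "hr-admin", "developer"},
}


def excess_grants(users):
    """users: {name: {"role": str, "grants": set}} -> {name: set of unjustified systems}."""
    excess = {}
    for name, u in users.items():
        for system in u["grants"]:
            allowed = REQUIRED_ACCESS.get(system, set())
            if u["role"] not in allowed:
                excess.setdefault(name, set()).add(system)
    return excess


def exposure(users, system):
    """Number of accounts that can reach a system: more accounts, larger blast radius."""
    return sum(1 for u in users.values() if system in u["grants"])


# Constructed user population; not real accounts.
USERS = {
    "alice": {"role": "payments-engineer", "grants": {"payments-db", "build-server"}},
    "bob":   {"role": "developer",         "grants": {"build-server", "payments-db"}},
    "carol": {"role": "hr-admin",          "grants": {"hr-records", "legacy-fileshare"}},
}

if __name__ == "__main__":
    for name, systems in sorted(excess_grants(USERS).items()):
        print(f"{name}: revoke or justify {sorted(systems)}")
    print("accounts with payments-db access:", exposure(USERS, "payments-db"))
```

Here bob's developer role does not justify his payments-db grant, and carol's legacy-fileshare grant points at a system with no stated owner or role list; removing bob's grant also drops the number of accounts that can reach payments-db from two to one, which is the direct risk reduction the paragraph above describes.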
Priority 5: Security Information Event Management (SIEM)
Once you have established priorities 1 to 4, you need to understand what NORMAL looks like and be able to quickly and effectively identify the ABNORMAL. Consequently, it is important to have an effective solution that is able to centrally collate various sources of information, from your various systems, to be analysed so that you can quickly identify potentially harmful activities.
Think of it like a CCTV monitoring centre, where you are able to proactively identify suspicious or negligent activities. Ideally, this will enable a response to be activated before the business valued assets have been compromised or impacted.
Additionally, any monitoring activities need to be synchronised, so that evidential material can be obtained.
For IT systems, Techopedia defines SIEM as being:
"Security incident and event management (SIEM) is the process of identifying, monitoring, recording and analyzing security events or incidents within a real-time IT environment. It provides a comprehensive and centralized view of the security scenario of an IT infrastructure."
All suspect or ABNORMAL events should be investigated to ascertain whether they should be escalated for Security Incident Management.
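The core SIEM loop described above (collate feeds centrally, establish NORMAL, flag ABNORMAL, hand suspects to incident management) can be shown on a small scale. The following is an added example, not code from the original article or from any SIEM product; the two log feeds, their formats and the working-hours baseline are constructed for illustration. It also shows why the synchronisation point matters: the two feeds stamp time differently, and only after normalising both to UTC can events from them be placed on one timeline.

```python
"""Centralised collation and NORMAL/ABNORMAL detection (added example; constructed logs).

Two constructed feeds (an authentication server stamping local time with an
offset, and a VPN gateway stamping UTC) are normalised to UTC, merged into one
ordered timeline, and compared against a per-user baseline of usual working
hours. Events outside the baseline are tagged ABNORMAL and listed for
escalation to Security Incident Management.
"""
import re
from datetime import datetime, timezone

# Constructed sample feeds in hypothetical formats; the addresses are not real hosts.
AUTH_LOG = [
    "2020-11-02T09:05:10+01:00 auth login user=alice src=10.0.0.5 result=ok",
    "2020-11-02T09:40:00+01:00 auth login user=bob src=10.0.0.7 result=ok",
    "2020-11-03T02:13:44+01:00 auth login user=alice src=10.0.0.99 result=ok",
]
VPN_LOG = [
    "2020-11-03 01:12:30Z vpn connect user=alice from=198.51.100.23",
]

AUTH_RE = re.compile(r"^(\S+) auth login user=(\w+) src=(\S+) result=(\w+)$")
VPN_RE = re.compile(r"^(\S+ \S+) vpn connect user=(\w+) from=(\S+)$")


def to_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 stamp carrying an offset or a trailing Z and convert it to UTC."""
    stamp = stamp.replace(" ", "T").replace("Z", "+00:00")
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)


def collate(auth_lines, vpn_lines):
    """Merge both feeds into a single UTC-ordered list of event dicts."""
    events = []
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": to_utc(m[1]), "source": "auth", "user": m[2], "detail": m[3]})
    for line in vpn_lines:
        m = VPN_RE.match(line)
        if m:
            events.append({"ts": to_utc(m[1]), "source": "vpn", "user": m[2], "detail": m[3]})
    return sorted(events, key=lambda e: e["ts"])


# Constructed baseline of NORMAL: the UTC hours during which each user usually works.
BASELINE_HOURS = {"alice": range(7, 19), "bob": range(7, 19)}


def classify(events):
    """Tag each event NORMAL or ABNORMAL against the user's baseline; unknown users are ABNORMAL."""
    out = []
    for e in events:
        hours = BASELINE_HOURS.get(e["user"])
        abnormal = hours is None or e["ts"].hour not in hours
        out.append({**e, "status": "ABNORMAL" if abnormal else "NORMAL"})
    return out


def escalations(events):
    """Return ABNORMAL events as 'user@UTC-time source' strings for incident management."""
    return [f'{e["user"]}@{e["ts"].isoformat()} {e["source"]}'
            for e in classify(events) if e["status"] == "ABNORMAL"]


if __name__ == "__main__":
    timeline = collate(AUTH_LOG, VPN_LOG)
    for e in classify(timeline):
        print(e["ts"].isoformat(), e["source"], e["user"], e["status"])
    print("escalate:", escalations(timeline))
```

With the constructed feeds, the daytime logins fall inside the baseline and are NORMAL, while alice's VPN connection and the login that follows it about a minute later both land at 01:xx UTC and are flagged ABNORMAL. Had the auth server's +01:00 offset been ignored, the login would have appeared an hour after the VPN session instead of a minute, and the two events would not have been recognised as one sequence.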
Priority 6: Security Incident Management
Finally, to effectively defend your organisation from attacks, you need to ensure that you have an effective incident response plan, well-rehearsed for a wide range of scenarios, so that you have developed a suitable data breach response and incident response life-cycle:
Detection and analysis.
Containment, eradication and recovery.
The Digital Guardian defines Security Incident Management as being:
"The process of identifying, managing, recording and analyzing security threats or incidents in real-time.
It seeks to give a robust and comprehensive view of any security issues within an IT infrastructure.
A security incident can be anything from an active threat to an attempted intrusion to a successful compromise or data breach.
Policy violations and unauthorized access to data such as health, financial, social security numbers, and personally identifiable records are all examples of security incidents".
A proactive approach to the defence of a business needs to be focused and prioritised on maturing the aforementioned six areas before adding any further layers of defence. Any additional layers should be built upon these strong foundations, to ensure that defensive efforts are proportionate and aligned with what is deemed to be important to the business.