
Three Parts Art, One Part Science – Connected IT Blog

As I look back on my 40 years as a cybersecurity expert, I often think that the basic principles of cybersecurity (the things we assume we have in common) need a lot of extra clarification. For example, what is a vulnerability assessment? Put five cyber experts around a table to discuss this question and you will get seven or eight answers. One would say a vulnerability assessment is nothing more than a vulnerability scan. Another says the assessment is much bigger than the scan and includes ethical hacking and internal security testing. Another would say that it is a passive review of policies and controls. Each is correct in one way or another, but the answer really depends on the requirements or criteria you are trying to meet. It also depends on the skill and experience of the risk owner, auditor, or assessor. Is your head still spinning? I know mine is! Thus, it is a “three-part art”.

The cybersecurity business is quite subjective. One auditor will look at the evidence and agree that you are in compliance. Another will tell you that you are not. If you want to protect sensitive information, do you encrypt it, obfuscate it, or partition it before giving users access, and place it behind very strict identification and access controls? Yes, all of the above. When advising your customer base, it is important to understand all of the circumstances before making risk-based decisions and recommendations.

Let’s talk about Connection’s artistic methodology. We start with a canvas that covers the key components of cybersecurity: protection, detection, and response. By addressing each of these three pillars in a comprehensive manner, we make sure that people, processes, and technology all work together, and that there is a full dialogue on how to deliver a comprehensive risk strategy.


Protect:

People
Users understand the threats and risks and know the role they play in the protection strategy. For example, if you see something, say something. Don’t let others tailgate behind you through badge checks. And don’t even think about disabling your endpoint antivirus or firewall. In today’s remote working environment, good security awareness among employees is essential, especially when it comes to phishing.

Process
Policies are established, documented, and socialized. For example, personal laptops should not be connected to the corporate network. Likewise, don’t send sensitive information to your personal email account so that you can work from home.

Technology
Some examples of barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced threat detection. Security leaders must be students of the threat landscape and deploy the right technology to protect against, detect, and respond to threats.

Detect:

The average time to identify an active incident in the network is 197 days. The average time to contain an incident is 69 days.

People
Incident response teams must be identified and trained, and all employees must be trained on the concept of “If you see something, say something.” Detection is a proactive process.

Process
What happens when an alert fires? Who sees it? What is the documented process for taking action?

Technology
What steps are you taking to detect malicious activity? Is your tooling configured to filter out noise and alert you only on real events? Will it help reduce the average detection time of 197 days?

Respond:

People
What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you run war games so that you are prepared when an incident occurs?

Process
What is the documented process for shortening the kill chain (the average time to detection and containment) from 69 days to 69 minutes? Do you have a business continuity and disaster recovery plan for responding to major cyber breaches and disasters such as pandemics, natural disasters, ransomware, and DDoS?

Technology
What cybersecurity consoles have been deployed to give you quick access to system patching, firewall rule changes, ACL adjustments, and endpoint policy settings, and to track security incidents through the triage process?

All of these are important to building a comprehensive InfoSec program. The science is the skill that helps build a layered, defense-in-depth approach. The technology is the means of assessing threats, defining and documenting risks, and creating strategies to manage the cyber risks that apply to the environment, users, systems, applications, data, customers, supply chain, third-party support partners, and business processes.

More Art – Are you a risk avoider or a risk transfer expert?

A plainer way to put it: “Do you shy away from all risk, or do you pass the risk on to someone else?” Hint: I do not believe in hedging or risk transfer.

Yes, I have skills in risk management. With the Carnegie Mellon Hazard Tool, for example, there is science as well. However, good risk owners and managers document risks, prioritize them according to their severity, turn them into risk registers or roadmap plans, make the necessary changes, and embrace what makes sense from a business and cybersecurity perspective. Oh, and by the way, the five cybersecurity experts I mentioned have 17 definitions of risk.

To close this conversation, let’s talk about the importance of choosing a risk framework. It’s a bit like going to a baseball game: having the program helps you know the players and the stats. Which framework will you choose? Do you paint with watercolor or oil? Have you adopted a framework such as the National Institute of Standards and Technology (NIST) style, the International Standards Organization (ISO) style, or the Nardone puzzle chart? I developed that chart a few years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically refined over the years to incorporate more security components, but it remains loosely coupled to the NIST 800-53 and ISO 27001 standards.

When choosing a security framework as a CISO, I prefer the NIST Cybersecurity Framework (CSF), as pictured below. The framework is comprehensive and provides a scoring model that allows risk owners to measure their current level and set a target level of risk based on their business model, threat profile, and risk tolerance. There are 5 functional focus areas. The ISO 27001 framework is also a very robust and frequently used model. Both frameworks can produce attestation certificates that demonstrate compliance with the standard, and many commercial companies undergo an annual ISO 27001 assessment for that very reason. A growing number of commercial enterprises, and especially governments, are working with the NIST CSF. Keep in mind that frameworks mature and compliance requirements change. For example, a for-profit company doing business with the federal government will soon need to comply with the new Cybersecurity Maturity Model Certification (CMMC) to continue doing business with the government.


Stephen Nardone

Stephen Nardone, CISSP, is Connection’s Director of Security Practices, with over 38 years of experience in both the government and commercial sides of the security business.
