Partner Perspectives
6/9/2015 03:50 PM
Ryan Vela
Breach Defense Playbook: Assessing Your Cybersecurity Engineering

Is your cybersecurity infrastructure robust enough to defend against future attacks?

Many organizations that thought they were safe from hackers stealing their data find themselves in a state of shock when their name ends up on the front page of newspapers with the word “breached” in the headline. In order to mitigate the threat, organizations need to first assess the current state of their cybersecurity infrastructure before any changes can be made. From this starting point, the organization can then quantify the underlying levels of risk and implement a plan to enhance their security posture in the short, medium, and long terms.

To assess the engineering of your cybersecurity infrastructure, you need a systematic, security-controls-based approach that focuses on critical data, systems, and information. This is called a Cybersecurity Engineering Assessment, or CEA. The methodology needs to take into account not only industry-accepted information security practices, but also the specific threats to your critical business processes and sensitive data. Thieves target public- and private-sector organizations for their intellectual property, and some, such as hacktivist groups, do so for the sole purpose of making that information public. Most companies have some type of intellectual property that they do not want “out in the open.”

If you are assessing your cybersecurity engineering, ensure that the organization with which you partner has a cyber-intelligence and threat research capability that maintains real-time awareness of threat actors and whom they are targeting. Knowing which types of intellectual property and other information thieves are currently pursuing lets you prioritize the protection of the data most likely to be stolen from you.

The CEA should include a gap analysis that shows where your security posture currently falls short. A common framework for analyzing gaps is the 20 Critical Controls outlined in the Consensus Audit Guidelines (CAG). The CAG provides a relevant technical baseline from which organizations can derive strategic and tactical cybersecurity planning and budgeting. It identifies specific guidelines that focus on the most critical baseline security controls, and the list was derived from guides, standards, and requirements put forth by some of the first organizations to tackle this type of problem. Organizations such as the NSA, US-CERT, DC3, Federal CIOs and CISOs, DoE, DoD, GAO, MITRE, and SANS all contributed to the creation of the CAG.

A key purpose of the CAG is to suggest ways in which network security can be maintained in the most functional and cost-effective manner. Each control area includes multiple sub-controls that specify concrete actions an organization can take to improve its cyber defenses. The control areas and their sub-controls address the technical aspects of information security, with the primary goal of helping organizations prioritize their efforts and defend against the highest technical and operational threat areas first. An NSA spokesperson at the Defense Cyber Crime Conference in 2012 stated that following the CAG in a sustainable manner would prevent 95% of the known breaches in the United States. The guidelines are periodically updated and, at the time of writing, are on Version 5.

Regardless of whether you use the CAG or some other methodology for your gap analysis, the assessment should include a documentation review, interviews of key personnel, a defense-in-depth review, and a network characterization with analysis. Together these four areas allow you to comprehensively assess the state of your security and yield actionable recommendations for improvement.

Documentation Review

When reviewing documentation, you should be able to easily collect data such as network drawings, security device configurations, security policies, planned security enhancements, and existing cybersecurity roadmaps. How well you can measure documentation gaps depends directly on the quality of the data you collect. If documentation is outdated or missing, treat it as if it does not exist: an out-of-date diagram or policy provides no assurance about the current environment. Equally, if documentation does exist but you as the analyst are not given access to it, you cannot assess it and will add no value on that point, so secure access up front. Start with your policies at the highest level and then move downward through the supporting sets of documentation (e.g., procedures, instructions, diagrams, manuals, and handbooks). Verify that each document is current, that personnel actually follow it, and that the required approval signatures are present.

Key Personnel Interviews

The next step is to interview key personnel, including security staff, IT management, and the owners of vital technologies. The interviews should paint a picture of current security practice as compared with what the policy documents say. In other words, the policy may state that passwords will not be written on sticky notes, but do people actually follow it? Another critical takeaway from interviews is an understanding of the organizational culture as it relates to security. Lastly, interviewees should be encouraged to voice their own ideas and to point out areas they think security should pay attention to; the people who run the systems usually know where the weak spots are.

Defense-in-depth Strategy Employment

Defense-in-depth is commonly defined as the application of people, process, and technology in a manner that ensures overlapping security controls across the enterprise, so that the failure of any single control does not expose critical data. When assessing defense-in-depth employment, organizations should consider the holistic security strategy for the enterprise, not just the IT silo. This should include user training, encryption policies, centralized logging, SIEM employment, data loss prevention, privacy restrictions, and other strategic security controls. It is very important that organizations understand that cybersecurity is not an IT problem; it is a risk problem that rests on the entire organization, not solely on the CISO or the IT department.

Network Characterization with Analysis

Lastly, a CEA should include a characterization and analysis of the network design from both a logical and a physical architecture perspective. The goal is an in-depth view of the network architecture that is then used to identify design gaps and potential security issues, from which best-practice network security recommendations follow. During the characterization, focus on the overall enterprise layout; the security controls and appliances in use; the hardware and software used to run and manage the network; the network design documentation and network configuration files; and the physical layout of network hardware. From this characterization, analyze the data and question your infrastructure owners, security personnel, third parties, and technology owners to understand the purpose, history, functions, and uses of the technology they manage. The question “Why?” should be asked often, and the answers should be checked against what the network actually shows rather than what the diagrams claim.
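One concrete form of the characterization step, as an added example that is not part of the original article: compare what the documentation claims exists (network drawings, asset inventory, the ports each role should expose) against what a sweep of the address space actually observes, and raise the discrepancies as the questions to put to the owners. The inventory, the scan output, the hostnames, addresses, owners and roles below are all constructed sample data for illustration; the script itself is ordinary Python with no external dependencies.

```python
"""Network characterization: documented inventory vs. observed hosts.

Added example, not code from the article or from Fidelis. Both inputs are
constructed sample data: the inventory stands in for the network diagrams and
asset register collected during the documentation review, the scan output for
a host/port sweep of the same address space.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: what the documentation says exists (hypothetical hosts).
DOCUMENTED_INVENTORY_CSV = """\
ip,hostname,owner,role,allowed_ports
10.0.1.10,web-01,app-team,web,"80,443"
10.0.1.11,web-02,app-team,web,"80,443"
10.0.2.20,db-01,dba-team,database,"5432"
10.0.3.30,jump-01,infra,bastion,"22"
"""

# Constructed sample: what the sweep observed, one "ip port,port,..." per line.
OBSERVED_SCAN = """\
10.0.1.10 80,443
10.0.1.11 80,443,22
10.0.2.20 5432,3389
10.0.2.21 445,3389
"""


@dataclass
class Asset:
    ip: str
    hostname: str
    owner: str
    role: str
    allowed_ports: Set[int]


@dataclass
class GapReport:
    # Observed on the wire but claimed by no document: unknown or unauthorized.
    unknown_hosts: Dict[str, Set[int]] = field(default_factory=dict)
    # Documented but not observed: stale drawings or a decommissioned asset.
    missing_hosts: List[str] = field(default_factory=list)
    # Documented host exposing a service its role does not account for.
    unexpected_services: Dict[str, Set[int]] = field(default_factory=dict)


def parse_ports(text: str) -> Set[int]:
    """Turn '80,443' into {80, 443}; tolerate blanks and stray whitespace."""
    return {int(p) for p in text.split(",") if p.strip()}


def parse_inventory(text: str) -> Dict[str, Asset]:
    """Read the documented inventory keyed by IP address."""
    assets: Dict[str, Asset] = {}
    for row in csv.DictReader(io.StringIO(text)):
        assets[row["ip"]] = Asset(row["ip"], row["hostname"], row["owner"],
                                  row["role"], parse_ports(row["allowed_ports"]))
    return assets


def parse_scan(text: str) -> Dict[str, Set[int]]:
    """Read the sweep output into {ip: observed open ports}."""
    observed: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, _, ports = line.strip().partition(" ")
        observed[ip] = parse_ports(ports)
    return observed


def characterize(inventory: Dict[str, Asset],
                 observed: Dict[str, Set[int]]) -> GapReport:
    """Diff documentation against observation in both directions."""
    report = GapReport()
    for ip, ports in observed.items():
        asset = inventory.get(ip)
        if asset is None:
            report.unknown_hosts[ip] = ports
            continue
        extra = ports - asset.allowed_ports
        if extra:
            report.unexpected_services[ip] = extra
    report.missing_hosts = sorted(ip for ip in inventory if ip not in observed)
    return report


def questions_for_owners(report: GapReport,
                         inventory: Dict[str, Asset]) -> List[str]:
    """Turn each gap into the 'Why?' an assessor should put to someone."""
    out: List[str] = []
    for ip, ports in sorted(report.unknown_hosts.items()):
        out.append(f"{ip}: not in any document, exposes {sorted(ports)}; who owns it?")
    for ip in report.missing_hosts:
        a = inventory[ip]
        out.append(f"{ip} ({a.hostname}, {a.owner}): documented but not observed; "
                   f"decommissioned, or is the diagram stale?")
    for ip, ports in sorted(report.unexpected_services.items()):
        a = inventory[ip]
        out.append(f"{ip} ({a.hostname}, {a.owner}): role '{a.role}' does not "
                   f"call for {sorted(ports)}; why is it listening?")
    return out


if __name__ == "__main__":
    inv = parse_inventory(DOCUMENTED_INVENTORY_CSV)
    rep = characterize(inv, parse_scan(OBSERVED_SCAN))
    print("\n".join(questions_for_owners(rep, inv)))
```

The two-way diff is the point: hosts the documents do not mention are candidates for unauthorized devices, documented hosts that are absent are evidence the drawings are out of date (and so, per the documentation review above, should be treated as nonexistent), and an unexpected listener on a known host is a finding against the host's owner rather than the network team. In a real assessment the inventory would come from the collected diagrams and CMDB export and the scan from whatever sweep tooling the engagement permits; the output is a list of questions, not a verdict, because the owner's answer to "Why?" is what determines whether each item is a gap.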

Ultimately, the CEA is meant to delve into the weeds of your engineering and architecture, then pull back to view the entire environment from a holistic perspective. Its goal and scope should be to give executives the evidence they need to justify enhancing security. Regulations, statutes, and standards place considerable pressure on organizations to exercise due care toward the confidentiality of both customer data and their own. A CEA, especially one performed by a trusted third party, goes a long way toward demonstrating that an organization is taking proper care of its data.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...