Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

12/12/2019
10:15 AM
100%
0%

Lessons from the NSA: Know Your Assets

Chris Kubic worked at the National Security Agency for the past 32 years, finishing his tenure as CISO. He talks about lessons learned during his time there and what they mean for the private sector.

Over the past decade, Chris Kubic has worked to secure the US intelligence community's information systems and environment, architected the National Security Agency's cloud infrastructure, and, for his past three years, led the agency's network-security efforts as the chief information security officer. 

His lessons for public companies? Focus on your assets. Not enough companies know what is in their environments — the first step to knowing what to protect, he says.

"Securing the NSA is not that much different to securing a large, complex environment in the commercial sector," he says. "It comes down to this: You just need to be good with the basic blocking and tackling of cybersecurity. What I mean by that is you really need to start out by gaining a very firm understanding of the environment that you are trying to secure."

Kubic, who joined Fidelis Cybersecurity in October, spent 32 years at the NSA, working his way up from a security project engineer to CISO. During that time, the National Security Agency has had many successes but quite a few high-profile information-security failures, from the massive leak of operational data and tools by contractor Edward Snowden to the overreach of a surveillance program that Congress is now calling to end. In July, NSA director General Paul Nakasone argued for the agency to refocus on cybersecurity, following years of reportedly failing to prioritize the discipline

Chris Kubic
Chris Kubic

While Kubic would not discuss the details of his time at the NSA, he did discuss his thoughts on cybersecurity strategy that could be applied to the private sector. A key component of that is situational awareness, he says.

"You need to understand all your assets that are part of the enterprise that you are securing," Kubic says. "You need to understand how those assets are configured, where they are deployed, how they are connected, how they are patched and updated — all those kinds of details are important when you are trying to secure your domain."

With nation-states continuing to develop their capabilities, assistance from the government will become increasingly important, he says. The government has a lot to offer companies, he adds.

"Coming from the government, not surprisingly, I think it is a good idea to have more government involvement to defend nations' networks," Kubic says. "It gets a little dicey when you are talking about private industry, and it's really hard to mandate government involvement in that, but I think the government has a lot to offer, and certainly can offer, to be that independent broker that helps by connecting the dots across industries."

Looking toward 2020, Kubic sees the application of machine learning and artificial intelligence to security as inexorable. With a shortage of knowledgeable workers, using analytics to sift through the massive data produced by companies and detect threats is critical, he says.

"On the cybersecurity side, the continued use of analytics, machine learning, and artificial intelligence will be important in securing our environments, but on the negative side, I think we will see a lot more adversary use of such technology to disguise their attacks, making it even harder for folks to defend their network," he says.

The majority of cybersecurity workers see machine learning and artificial intelligence as a positive benefit. A July 2018 report by the Ponemon Institute found 60% of respondents believed AI would help them enrich security information and simplify the detection and response to security threats. Only a third of respondents, however, thought the technology would reduce workload for security teams.

For companies overwhelmed with data, Kubic recommends the security team identify the truly critical data and systems and focus on making sure those are secure. 

"Not all assets are created equal," he says, "so you really need to sit down and understand what are those high-value assets that need to be protected better than the rest of the enterprise. That is either where you have your critical data stored or assets that are supporting your business' critical functions. It is not easy to map out those workflows, but without that it is hard to prioritize where you need to make investments in cybersecurity."

Most of all, companies need to do the basics right, he says. 

"In 2020, people need to stay focused on the basics of cyber hygiene," Kubic says. "It is the unpatched systems and unmitigated vulnerabilities that are the easy button for the cyber adversary. You cannot take your eye off the prize there."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Next Security Silicon Valley: Coming to a City Near You?"

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
DouglasF354
100%
0%
DouglasF354,
User Rank: Author
12/13/2019 | 12:48:28 PM
Know your assets
The 'blue collar' control that is 'asset management' doesn't get the love it needs. And that critically undermines the CISO and the security program. The 'asset management' problem to cyber security is like the 'high blood pressure' problem that leads to stroke. It's quiet, often undetected, not discussed commensurate to the risk. And it's a security killer.
  1. The ability to do 'basic cyber hygiene' is undermined when it's difficult to get a proper fix on in-scope assets. Threats will find what you didn't.
  2. Of course, it costs more to be able to understand the asset-scape better. And that has been a difficult budget pitch and win for security. It's generally easier to win budget for that cool new tech than it is for what is perceived as general maintenance.
  3. More insidious is the strategic problem of connecting with executives and the board. Having robust asset inventories is tactically critical, but strategically the pitch needs to be focused on protection of big impact/ high value business assets. That is the bullseye to gain executive buy in. If you cannot robustly connect high value business assets strongly to the asset inventories, then you cannot confidently pitch a strong protection result to executives. And that undermines CISO success and confidence.
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5527
PUBLISHED: 2020-03-30
When MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC iQ-R series (all versions), MELSEC iQ-F series (all versions), MELSEC Q series (all versions), MELSEC L series (all versions), and MELSEC F series (all versions) receives massive amount of data via unspecified vectors, resource co...
CVE-2020-5551
PUBLISHED: 2020-03-30
Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenticated attacker within Bluetooth range to cause a denial of service attack and/or execute an arbitrary command. The affected DCUs are installed in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured in the re...
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.