Many organizations that thought they were safe from hackers stealing their data find themselves in a state of shock when their name ends up on the front page of newspapers with the word “breached” in the headline. In order to mitigate the threat, organizations need to first assess the current state of their cybersecurity infrastructure before any changes can be made. From this starting point, the organization can then quantify the underlying levels of risk and implement a plan to enhance their security posture in the short, medium, and long terms.

To assess the engineering of your cybersecurity infrastructure, you need to use a security-controls-based and systematic approach, focusing on critical data systems and information. This is called a Cybersecurity Engineering Assessment, or CEA. The methodology for assessing your cybersecurity engineering needs to take into account not only industry-wide accepted information security practices, but also the threat to critical business processes and sensitive data. Thieves target public and private sector organizations for their intellectual property, and some such as hacktivist groups do so for the sole purpose of making this information public. Most companies have some type of intellectual property that they do not want “out in the open.”

If you are assessing your cybersecurity engineering, you should ensure that the organization with whom you partner has a cyber-intelligence and threat research capability to maintain real-time awareness of threat actors and whom they are targeting. This allows you to better understand the types of intellectual property and other information that thieves are targeting to better protect your information from theft.

The CEA should provide a gap analysis to understand where gaps currently exist in your security posture. A common framework for analyzing gaps is the 20 Critical Controls as outlined in the Consensus Audit Guidelines. The CAG provides a relevant technical baseline from which organizations can glean strategic and tactical cybersecurity planning and budgeting. The CAG identifies specific guidelines that focus on the most critical baseline security controls, and the list was derived from guides, standards, and requirements put forth by some of the first organizations to tackle this type of problem. Organizations such as the NSA, US-CERT, DC3, Federal CIOs and CISOs, DoE, DoD, GAO, MITRE, and SANS all contributed to the creation of the CAG.

A key component of the CAG is to provide suggestions on ways in which network security can be maintained in the most functional and cost-effective manner. Each control area includes multiple individual sub-controls that specify actions an organization can take to improve its cyber defenses. The control areas and their associated sub-controls focus on various technical aspects of information security, with the primary goal of helping organizations prioritize their efforts to improve their information security posture and defend against the highest technical and operational threat areas. An NSA spokesperson at the Defense Cyber Crime Conference in 2012 stated that the CAG will prevent 95% of the known breaches in the United States if followed in a sustainable manner. The guidelines are periodically updated and are currently on Version 5.

Regardless of whether you use the CAG or some other methodology to perform your gap analysis, you should include a documentation review, interviews of key personnel, defense-in-depth review, and a network characterization with analysis. These key areas will allow you to comprehensively assess the state of your security and ultimately yield actionable actions for improvement.

Documentation Review

When reviewing documentation, you should be able to easily collect data such as network drawings, security device configurations, security policies, planned security enhancements, and existing cybersecurity roadmaps. Successfully measuring gaps that exist in documentation is directly related to the quality of the data you collect. If your documentation is outdated or missing, then you should assume that it doesn’t exist. However, if it does exist and you simply do not have access to it as an analyst, then you are not going to provide any value to the assessment. Therefore, start with your policies at the highest level and then move downward through your sets of documentation (e.g., procedures, instructions, diagrams, manuals, and handbooks). Ensure that all documents are up to date, that personnel are following them, and that proper signatures exist.

Key Personnel Interviews

The next step is to interview key personnel, which should include security personnel, IT management, and key owners of vital technologies. The interviews should paint a picture of current security practices when compared to policy documents. In other words, just because it says you will not display passwords on sticky notes, do people really follow that policy? Another critical takeaway from interviews is to understand the organizational culture as it relates to security. Lastly, those being interviewed should be encouraged to voice ideas and areas to which they think security should pay attention.

Defense-in-depth Strategy Employment

Defense-in-depth is commonly defined as the application of people, process, and technology in a manner that ensures overlapping security controls in the enterprise. When assessing defense-in-depth employment, organizations should consider the holistic security strategy for their enterprise, not just within the IT silo. This should include user training, encryption policies, centralized logging, SIEM employment, data loss protection, privacy restrictions, and other strategic security controls. It is very important that organizations understand that cybersecurity is not an IT problem, it is a problem of risk and it rests on the entire organization, not just under the CISO or within the IT department.

Network Characterization with Analysis

Lastly, a CEA should include a characterization and analysis of network design from a logical, as well as a physical architecture, perspective. The goal is an in-depth view of the network architecture that is then used to determine design gaps and potential security issues. As a result, you should gain best-practice network security recommendations. During the characterization, organizations should focus on overall enterprise characterizations, security controls, and appliances used; hardware and software used to run and manage the network; and network design documentation and network configuration files, as well as physical layouts of network hardware. From this characterization, you then analyze the data and ask questions of your infrastructure owners, security personnel, third parties, and technology owners to understand the purpose, history, functions, and uses of the technology they manage. The question “Why?” should be asked often.

Ultimately, the CEA is meant to delve into the weeds of your engineering and architecture, then pull the focus back to view the entire environment from a holistic perspective. The goal and scope should be to empower executives to justify enhancing security. Influences such as regulations, statutes, and standards place considerable impetus on organizations to comply with due care toward the confidentiality of both customer and their own data. A CEA goes a long way, especially if done by a trusted third party, to demonstrate that an organization is taking proper due care of their data.