Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
03:50 PM
Ryan Vela
Ryan Vela
Partner Perspectives
Connect Directly

Breach Defense Playbook: Assessing Your Cybersecurity Engineering

Is your cybersecurity infrastructure robust enough to defend against future attacks?

Many organizations that thought they were safe from hackers stealing their data find themselves in a state of shock when their name ends up on the front page of newspapers with the word “breached” in the headline. In order to mitigate the threat, organizations need to first assess the current state of their cybersecurity infrastructure before any changes can be made. From this starting point, the organization can then quantify the underlying levels of risk and implement a plan to enhance their security posture in the short, medium, and long terms.

To assess the engineering of your cybersecurity infrastructure, you need to use a security-controls-based and systematic approach, focusing on critical data systems and information. This is called a Cybersecurity Engineering Assessment, or CEA. The methodology for assessing your cybersecurity engineering needs to take into account not only industry-wide accepted information security practices, but also the threat to critical business processes and sensitive data. Thieves target public and private sector organizations for their intellectual property, and some such as hacktivist groups do so for the sole purpose of making this information public. Most companies have some type of intellectual property that they do not want “out in the open.”

If you are assessing your cybersecurity engineering, you should ensure that the organization with whom you partner has a cyber-intelligence and threat research capability to maintain real-time awareness of threat actors and whom they are targeting. This allows you to better understand the types of intellectual property and other information that thieves are targeting to better protect your information from theft.

The CEA should provide a gap analysis to understand where gaps currently exist in your security posture. A common framework for analyzing gaps is the 20 Critical Controls as outlined in the Consensus Audit Guidelines. The CAG provides a relevant technical baseline from which organizations can glean strategic and tactical cybersecurity planning and budgeting. The CAG identifies specific guidelines that focus on the most critical baseline security controls, and the list was derived from guides, standards, and requirements put forth by some of the first organizations to tackle this type of problem. Organizations such as the NSA, US-CERT, DC3, Federal CIOs and CISOs, DoE, DoD, GAO, MITRE, and SANS all contributed to the creation of the CAG.

A key component of the CAG is to provide suggestions on ways in which network security can be maintained in the most functional and cost-effective manner. Each control area includes multiple individual sub-controls that specify actions an organization can take to improve its cyber defenses. The control areas and their associated sub-controls focus on various technical aspects of information security, with the primary goal of helping organizations prioritize their efforts to improve their information security posture and defend against the highest technical and operational threat areas. An NSA spokesperson at the Defense Cyber Crime Conference in 2012 stated that the CAG will prevent 95% of the known breaches in the United States if followed in a sustainable manner. The guidelines are periodically updated and are currently on Version 5.

Regardless of whether you use the CAG or some other methodology to perform your gap analysis, you should include a documentation review, interviews of key personnel, defense-in-depth review, and a network characterization with analysis. These key areas will allow you to comprehensively assess the state of your security and ultimately yield actionable actions for improvement.

Documentation Review

When reviewing documentation, you should be able to easily collect data such as network drawings, security device configurations, security policies, planned security enhancements, and existing cybersecurity roadmaps. Successfully measuring gaps that exist in documentation is directly related to the quality of the data you collect. If your documentation is outdated or missing, then you should assume that it doesn’t exist. However, if it does exist and you simply do not have access to it as an analyst, then you are not going to provide any value to the assessment. Therefore, start with your policies at the highest level and then move downward through your sets of documentation (e.g., procedures, instructions, diagrams, manuals, and handbooks). Ensure that all documents are up to date, that personnel are following them, and that proper signatures exist.

Key Personnel Interviews

The next step is to interview key personnel, which should include security personnel, IT management, and key owners of vital technologies. The interviews should paint a picture of current security practices when compared to policy documents. In other words, just because it says you will not display passwords on sticky notes, do people really follow that policy? Another critical takeaway from interviews is to understand the organizational culture as it relates to security. Lastly, those being interviewed should be encouraged to voice ideas and areas to which they think security should pay attention.

Defense-in-depth Strategy Employment

Defense-in-depth is commonly defined as the application of people, process, and technology in a manner that ensures overlapping security controls in the enterprise. When assessing defense-in-depth employment, organizations should consider the holistic security strategy for their enterprise, not just within the IT silo. This should include user training, encryption policies, centralized logging, SIEM employment, data loss protection, privacy restrictions, and other strategic security controls. It is very important that organizations understand that cybersecurity is not an IT problem, it is a problem of risk and it rests on the entire organization, not just under the CISO or within the IT department.

Network Characterization with Analysis

Lastly, a CEA should include a characterization and analysis of network design from a logical, as well as a physical architecture, perspective. The goal is an in-depth view of the network architecture that is then used to determine design gaps and potential security issues. As a result, you should gain best-practice network security recommendations. During the characterization, organizations should focus on overall enterprise characterizations, security controls, and appliances used; hardware and software used to run and manage the network; and network design documentation and network configuration files, as well as physical layouts of network hardware. From this characterization, you then analyze the data and ask questions of your infrastructure owners, security personnel, third parties, and technology owners to understand the purpose, history, functions, and uses of the technology they manage. The question “Why?” should be asked often.

Ultimately, the CEA is meant to delve into the weeds of your engineering and architecture, then pull the focus back to view the entire environment from a holistic perspective. The goal and scope should be to empower executives to justify enhancing security. Influences such as regulations, statutes, and standards place considerable impetus on organizations to comply with due care toward the confidentiality of both customer and their own data. A CEA goes a long way, especially if done by a trusted third party, to demonstrate that an organization is taking proper due care of their data.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
A Lawyer's Guide to Cyber Insurance: 4 Basic Tips
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  7/12/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-18
The set_ipv4() function in zscan_rfc1035.rl in gdnsd 3.2.0 has a stack-based buffer overflow via a long and malformed IPv4 address in zone data.
PUBLISHED: 2019-07-18
The set_ipv6() function in zscan_rfc1035.rl in gdnsd 3.2.0 has a stack-based buffer overflow via a long and malformed IPv6 address in zone data.
PUBLISHED: 2019-07-18
The Sleuth Kit 4.6.0 and earlier is affected by: Integer Overflow. The impact is: Opening crafted disk image triggers crash in tsk/fs/hfs_dent.c:237. The component is: Overflow in fls tool used on HFS image. Bug is in tsk/fs/hfs.c file in function hfs_cat_traverse() in lines: 952, 1062. The attack v...
PUBLISHED: 2019-07-18
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt (https://github.com/saltstack/salt/blob/devel...
PUBLISHED: 2019-07-18
Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically ...