Dark Reading, Partner Perspectives
By Ryan Vela
Breach Defense Playbook: Assessing Your Cybersecurity Engineering

Is your cybersecurity infrastructure robust enough to defend against future attacks?

Many organizations that thought they were safe from hackers stealing their data find themselves in a state of shock when their name ends up on the front page of newspapers with the word “breached” in the headline. To mitigate the threat, an organization first needs to assess the current state of its cybersecurity infrastructure before any changes are made. From this starting point, the organization can then quantify the underlying levels of risk and implement a plan to enhance its security posture in the short, medium, and long terms.

To assess the engineering of your cybersecurity infrastructure, you need a security-controls-based, systematic approach that focuses on critical data systems and information. This is called a Cybersecurity Engineering Assessment, or CEA. The methodology for assessing your cybersecurity engineering needs to take into account not only industry-wide accepted information security practices, but also the threat to critical business processes and sensitive data. Thieves target public and private sector organizations for their intellectual property, and some, such as hacktivist groups, do so for the sole purpose of making this information public. Most companies have some type of intellectual property that they do not want “out in the open.”

If you are assessing your cybersecurity engineering, you should ensure that the organization you partner with has a cyber-intelligence and threat research capability that maintains real-time awareness of threat actors and whom they are targeting. This lets you better understand the types of intellectual property and other information that thieves are after, and so better protect your own information from theft.

The CEA should provide a gap analysis so you understand where gaps currently exist in your security posture. A common framework for analyzing gaps is the 20 Critical Controls as outlined in the Consensus Audit Guidelines (CAG). The CAG provides a relevant technical baseline from which organizations can derive strategic and tactical cybersecurity planning and budgeting. It identifies specific guidelines that focus on the most critical baseline security controls, and the list was derived from guides, standards, and requirements put forth by some of the first organizations to tackle this type of problem. Organizations such as the NSA, US-CERT, DC3, Federal CIOs and CISOs, DoE, DoD, GAO, MITRE, and SANS all contributed to the creation of the CAG.

A key component of the CAG is its suggestions on ways in which network security can be maintained in the most functional and cost-effective manner. Each control area includes multiple individual sub-controls that specify actions an organization can take to improve its cyber defenses. The control areas and their associated sub-controls focus on various technical aspects of information security, with the primary goal of helping organizations prioritize their efforts to improve their information security posture and defend against the highest technical and operational threat areas. An NSA spokesperson at the Defense Cyber Crime Conference in 2012 stated that the CAG will prevent 95% of the known breaches in the United States if followed in a sustainable manner. The guidelines are periodically updated and are currently on Version 5.

Regardless of whether you use the CAG or some other methodology to perform your gap analysis, you should include a documentation review, interviews of key personnel, a defense-in-depth review, and a network characterization with analysis. These key areas will allow you to comprehensively assess the state of your security and ultimately yield actionable recommendations for improvement.

Documentation Review

When reviewing documentation, you should be able to easily collect data such as network drawings, security device configurations, security policies, planned security enhancements, and existing cybersecurity roadmaps. How well you can measure the gaps in your documentation depends directly on the quality of the data you collect. If your documentation is outdated or missing, you should assume that it doesn’t exist; and if it does exist but you, as the analyst, simply cannot get access to it, you will not add any value to the assessment. Therefore, start with your policies at the highest level and then move downward through your sets of documentation (e.g., procedures, instructions, diagrams, manuals, and handbooks). Ensure that all documents are up to date, that personnel are following them, and that the proper signatures exist.

Key Personnel Interviews

The next step is to interview key personnel, which should include security personnel, IT management, and the owners of vital technologies. The interviews should paint a picture of current security practices as compared with the policy documents. In other words, just because a policy says passwords will not be written on sticky notes, do people really follow it? Another critical takeaway from interviews is an understanding of the organizational culture as it relates to security. Lastly, those being interviewed should be encouraged to voice ideas and point out areas they think security should pay attention to.

Defense-in-depth Strategy Employment

Defense-in-depth is commonly defined as the application of people, process, and technology in a manner that ensures overlapping security controls across the enterprise. When assessing defense-in-depth employment, organizations should consider the holistic security strategy for the whole enterprise, not just the IT silo. This should include user training, encryption policies, centralized logging, SIEM employment, data loss protection, privacy restrictions, and other strategic security controls. It is very important that organizations understand that cybersecurity is not an IT problem; it is a problem of risk, and it rests on the entire organization, not just on the CISO or the IT department.

Network Characterization with Analysis

Lastly, a CEA should include a characterization and analysis of the network design from both a logical and a physical architecture perspective. The goal is an in-depth view of the network architecture that is then used to identify design gaps and potential security issues, and from which you should gain best-practice network security recommendations. During the characterization, organizations should focus on the overall enterprise characterization, the security controls and appliances used, the hardware and software used to run and manage the network, network design documentation and network configuration files, and the physical layout of network hardware. From this characterization, you then analyze the data and ask questions of your infrastructure owners, security personnel, third parties, and technology owners to understand the purpose, history, functions, and uses of the technology they manage. The question “Why?” should be asked often.

Ultimately, the CEA is meant to delve into the weeds of your engineering and architecture, then pull the focus back to view the entire environment from a holistic perspective. Its goal and scope should be to empower executives to justify enhancing security. Influences such as regulations, statutes, and standards place considerable impetus on organizations to exercise due care toward the confidentiality of both customer data and their own. A CEA goes a long way, especially if done by a trusted third party, toward demonstrating that an organization is taking proper due care of its data.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...