Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
03:50 PM
Ryan Vela
Ryan Vela
Partner Perspectives
Connect Directly

Breach Defense Playbook: Assessing Your Cybersecurity Engineering

Is your cybersecurity infrastructure robust enough to defend against future attacks?

Many organizations that thought they were safe from hackers stealing their data find themselves in a state of shock when their name ends up on the front page of newspapers with the word “breached” in the headline. In order to mitigate the threat, organizations need to first assess the current state of their cybersecurity infrastructure before any changes can be made. From this starting point, the organization can then quantify the underlying levels of risk and implement a plan to enhance their security posture in the short, medium, and long terms.

To assess the engineering of your cybersecurity infrastructure, you need to use a security-controls-based and systematic approach, focusing on critical data systems and information. This is called a Cybersecurity Engineering Assessment, or CEA. The methodology for assessing your cybersecurity engineering needs to take into account not only industry-wide accepted information security practices, but also the threat to critical business processes and sensitive data. Thieves target public and private sector organizations for their intellectual property, and some such as hacktivist groups do so for the sole purpose of making this information public. Most companies have some type of intellectual property that they do not want “out in the open.”

If you are assessing your cybersecurity engineering, you should ensure that the organization with whom you partner has a cyber-intelligence and threat research capability to maintain real-time awareness of threat actors and whom they are targeting. This allows you to better understand the types of intellectual property and other information that thieves are targeting to better protect your information from theft.

The CEA should provide a gap analysis to understand where gaps currently exist in your security posture. A common framework for analyzing gaps is the 20 Critical Controls as outlined in the Consensus Audit Guidelines. The CAG provides a relevant technical baseline from which organizations can glean strategic and tactical cybersecurity planning and budgeting. The CAG identifies specific guidelines that focus on the most critical baseline security controls, and the list was derived from guides, standards, and requirements put forth by some of the first organizations to tackle this type of problem. Organizations such as the NSA, US-CERT, DC3, Federal CIOs and CISOs, DoE, DoD, GAO, MITRE, and SANS all contributed to the creation of the CAG.

A key component of the CAG is to provide suggestions on ways in which network security can be maintained in the most functional and cost-effective manner. Each control area includes multiple individual sub-controls that specify actions an organization can take to improve its cyber defenses. The control areas and their associated sub-controls focus on various technical aspects of information security, with the primary goal of helping organizations prioritize their efforts to improve their information security posture and defend against the highest technical and operational threat areas. An NSA spokesperson at the Defense Cyber Crime Conference in 2012 stated that the CAG will prevent 95% of the known breaches in the United States if followed in a sustainable manner. The guidelines are periodically updated and are currently on Version 5.

Regardless of whether you use the CAG or some other methodology to perform your gap analysis, you should include a documentation review, interviews of key personnel, defense-in-depth review, and a network characterization with analysis. These key areas will allow you to comprehensively assess the state of your security and ultimately yield actionable actions for improvement.

Documentation Review

When reviewing documentation, you should be able to easily collect data such as network drawings, security device configurations, security policies, planned security enhancements, and existing cybersecurity roadmaps. Successfully measuring gaps that exist in documentation is directly related to the quality of the data you collect. If your documentation is outdated or missing, then you should assume that it doesn’t exist. However, if it does exist and you simply do not have access to it as an analyst, then you are not going to provide any value to the assessment. Therefore, start with your policies at the highest level and then move downward through your sets of documentation (e.g., procedures, instructions, diagrams, manuals, and handbooks). Ensure that all documents are up to date, that personnel are following them, and that proper signatures exist.

Key Personnel Interviews

The next step is to interview key personnel, which should include security personnel, IT management, and key owners of vital technologies. The interviews should paint a picture of current security practices when compared to policy documents. In other words, just because it says you will not display passwords on sticky notes, do people really follow that policy? Another critical takeaway from interviews is to understand the organizational culture as it relates to security. Lastly, those being interviewed should be encouraged to voice ideas and areas to which they think security should pay attention.

Defense-in-depth Strategy Employment

Defense-in-depth is commonly defined as the application of people, process, and technology in a manner that ensures overlapping security controls in the enterprise. When assessing defense-in-depth employment, organizations should consider the holistic security strategy for their enterprise, not just within the IT silo. This should include user training, encryption policies, centralized logging, SIEM employment, data loss protection, privacy restrictions, and other strategic security controls. It is very important that organizations understand that cybersecurity is not an IT problem, it is a problem of risk and it rests on the entire organization, not just under the CISO or within the IT department.

Network Characterization with Analysis

Lastly, a CEA should include a characterization and analysis of network design from a logical, as well as a physical architecture, perspective. The goal is an in-depth view of the network architecture that is then used to determine design gaps and potential security issues. As a result, you should gain best-practice network security recommendations. During the characterization, organizations should focus on overall enterprise characterizations, security controls, and appliances used; hardware and software used to run and manage the network; and network design documentation and network configuration files, as well as physical layouts of network hardware. From this characterization, you then analyze the data and ask questions of your infrastructure owners, security personnel, third parties, and technology owners to understand the purpose, history, functions, and uses of the technology they manage. The question “Why?” should be asked often.

Ultimately, the CEA is meant to delve into the weeds of your engineering and architecture, then pull the focus back to view the entire environment from a holistic perspective. The goal and scope should be to empower executives to justify enhancing security. Influences such as regulations, statutes, and standards place considerable impetus on organizations to comply with due care toward the confidentiality of both customer and their own data. A CEA goes a long way, especially if done by a trusted third party, to demonstrate that an organization is taking proper due care of their data.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...