Cyber security has reached a heightened level of attention both in the media and in the minds of U.S. citizens. When household names openly admit that they have been compromised by sophisticated adversaries, it gives the American public an uneasy sense of vulnerability. If it can happen to those large organizations, the thinking goes, it can easily happen to the average person surfing the Internet as well. Beyond awareness, the media attention has also caused a significant amount of confusion not only about what constitutes a cyber threat, but also what non-government as well as government organizations and agencies should be doing to improve and protect their cyber security systems and overall readiness.
What many citizens do not fully comprehend – this generalization also applies to many senior leaders of both public and private organizations – is the level of sophistication and complexity that already has been achieved by the nation's cyber adversaries. In fact, an attacker “supply chain” has developed that is analogous in many respects to how the illegal drug industry works: One group focuses on developing malware, another is responsible for and effective in quality assurance, yet another acts as the "trusted broker" between supplier and buyer, and the buyer specializes in developing and implementing exfiltration strategies. When large quantities of data – e.g., credit card numbers, healthcare records, and other personal-identity information – are stolen, the data is broken down into smaller units and sold to groups that use the information for illegal, larcenous, and sometimes dangerous actions against private citizens and public officials alike.
Greater in-depth understanding of the global "underground" cyber economy and its participants can be found in Fatal System Error by Joseph Menn. The bottom line is that, if an organization – whether it is a government entity providing critical citizen services or a commercial enterprise – possesses valuable information, someone, or some group, will go after that information.
Advance Planning, Total Awareness & a Meticulous Attention to Detail
Despite existing in an increasingly hostile and dangerous environment, many public as well as private organizations and agencies still lack the basic fundamentals of a sound information security program. Following are 10 common-sense mandates ["IT Rules for Knuckleheads," as one observer put it] that can and should be promptly developed, and fully implemented, in almost any type of organization to help prevent and detect threats to that organization's most critical operations.
- Accept the fact that an organization will be compromised at some time or another. This is not fear, uncertainty, and doubt, but a statement of fact – backed by industry research and public datasets. There is virtually no doubt that a security breach will happen at some point in time – which means that the appropriate detection and response systems and processes must be in place – beforehand.
- Know both the business risks and the areas where the data is stored. Before developing a security strategy, there must be a baseline of the risk posture needed, as well as conversations with management to determine what risks may be acceptable and which ones require mitigation steps. In addition, the types and amount of data on the network must be understood. Many organizations do not segment and/or compartmentalize their most sensitive information from other information that might be considered either public or at least less critical. Extra effort in this area will pay lasting dividends so that additional resources can be properly applied both to the systems themselves and to the data that matter most to the organization.
- Using a baseline risk assessment, develop both an information security policy and the operational procedures needed to implement that policy – which should be designed to cost effectively: (a) reduce risk to the organization; and (b) ensure compliance with any applicable requirements.
- Develop a complete inventory of every asset on the network, including the applications running on those systems. Unfortunately, relatively few U.S. organizations, public or private, now have effective asset inventory and management systems in place – despite the fact that it simply is not possible to prepare an effective defensive stance or response effort if the systems that could be potential openings to compromise are not recognized.
- Patch vigilantly, and implement effective configuration and change-management processes. Operations and systems depend on software functioning properly and being patched in a timely manner. A healthy patch-management program is one of several possible layers of defense that can help guard against known vulnerabilities.
- Employ effective access controls – both to restrict access to computer programs and data, and to prevent and detect unauthorized access. A workable procedure for assigning user access rights and permissions should be in place, with periodic reviews of access rights and permissions scheduled, and carried out, to ensure that individual access, which should be granted on the basis of job responsibilities, remains appropriate.
- Use "endpoint" protection technology as another layer of defense. Endpoints – e.g., desktops, laptops, and mobile devices – are typically the main entry point for attackers and malware into a network. Much if not quite all current anti-virus technology has been commoditized and is frequently ineffective. However, most organizations have moved toward policy-enforced endpoint security suites that integrate several technologies into a single system for simplicity.
- Develop a more effective network monitoring capability to give the network a memory. Many and perhaps most intrusion-detection and other signature-based approaches do not detect the most serious network attacks. To cope with today’s threat environment, the data will have to be not only recorded, but also analyzed for post-incident forensics and real-time situational awareness – as well as, not incidentally, for predicting potential future intrusion scenarios and the development of preventive countermeasures (similar to those used in business-continuity planning and disaster-recovery exercises).
- Also have in place a solid incident-response plan and capability, either in-house or through an external provider, to swiftly and efficiently: (a) remediate any cyber incident; and (b) collect forensic evidence. (This step probably does not have to be mentioned to preparedness professionals, but it does have to be reinforced.)
- Educate end-users on the risks posed by cyber threats. Also, enable them to make informed decisions when performing their jobs, and to act responsibly when using the Internet. Human error – e.g., clicking on email attachments from unknown sources, and visiting infected websites – and social engineering are quite possibly the biggest threats to an effective information security program. In ways somewhat analogous to those used in other domestic preparedness and response scenarios, users must know how to act, quickly and effectively, and react in the cyber realm.
By implementing a sound information security program, backed by an easily understood and enforceable policy, preparedness professionals and their organizations will be in a much better position to defend against cyber attacks. Armed with both factual knowledge and operational intelligence, a level of situational awareness and confidence can be achieved to answer the truly difficult security questions such as “Did we have a breach?" and "Was there any data lost?"