By M.K. Palmore, Assistant Special Agent in Charge, Cyber Branch, FBI San Francisco
As an executive and someone responsible for outreach on behalf of my organization, I do a ton of talking on information security matters. I also get to see a fair amount in the post-mortem analysis of some fairly interesting technical exploits. Time and again information security practitioners and the executives they work for want to know what they should be doing to protect their enterprises.
What are cyber threat actors trying to accomplish? They are trying to get to the data and information your agency keeps behind a “wall” of protection: data that has value to you and, therefore, can be monetized by most cyber threat actors. So, all your agency has to do is protect your enterprise from attackers, right? Yes, in the simplest answer ever given, but there is more to it than that.
Back to the basics
Start with the basics to protect your agency’s enterprise – at least as a starting point. I recognize this can be misleading, as the basics or fundamentals require steady adherence to principles, which in turn requires qualified teams taking a systematic approach to keeping an enterprise safe from would-be attackers. But if you are great at the basics or fundamentals, your agency will be in better shape than most.
In today’s market, there’s no shortage of vendor tools promising an end to your security nightmares. Some of those tools are great and will likely do some of what they promise, while others are little more than a fancy visualization of an already confusing landscape.
Understanding risk management
The problem is that some practitioners and most executives have no idea what enterprise protection looks and feels like. Let’s assume your agency just approved an increase in the InfoSec budget and the CISO has promised the implementation of several controls and solutions, and maybe even an event management tool, to protect your enterprise. That’s all you need to do, right? Most business operations have straightforward metrics, taught at every business school, that show you exactly how to calculate ROI for an investment. Information security managers have various tools and templates that show a similar value; the problem arises in communicating these results to the C-suite.
Information security is about enterprise risk management. Most organizations have hundreds, or even thousands, of security events and probably tens or hundreds of actual security incidents, all of which require some level of adherence to the incident response model (prepare, identify, contain, eradicate, recover and lessons learned). But how much effort needs to be applied depends entirely on where those risks fall on your overall enterprise risk management register.
Using proven risk methodologies, you can begin to “rack and stack” information security risks among all of your other enterprise risk issues. Your limited resources are then used to target the issues potentially causing the greatest impact and likelihood of occurrence.
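One concrete way to “rack and stack” a register is the classic quantitative method of annualized loss expectancy (ALE = single loss expectancy × annualized rate of occurrence), ranked highest first, with each candidate control scored by its return on security investment so the result can be handed to the C-suite in dollar terms. The following is an added example, not the author’s or the FBI’s own methodology; every risk, dollar figure, rate and control effectiveness in it is a constructed sample value chosen only to make the arithmetic visible.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of the risk register (constructed sample values)."""
    name: str
    sle: float  # single loss expectancy: expected cost of one occurrence, in dollars
    aro: float  # annualized rate of occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        # annualized loss expectancy: what this risk costs you in an average year
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed mitigation and the risk it addresses (constructed)."""
    name: str
    risk_name: str
    annual_cost: float
    aro_reduction: float  # fraction of the ARO the control removes, 0.0 to 1.0


def rank_risks(register: list[Risk]) -> list[Risk]:
    """Order the register by ALE, largest expected annual loss first."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def control_rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (avoided loss - control cost) / control cost."""
    residual_ale = risk.sle * risk.aro * (1.0 - control.aro_reduction)
    avoided_loss = risk.ale - residual_ale
    return (avoided_loss - control.annual_cost) / control.annual_cost


def prioritize_controls(register: list[Risk], controls: list[Control]) -> list[tuple[str, float]]:
    """Pair each control with its ROSI against the risk it targets, best first."""
    by_name = {r.name: r for r in register}
    scored = [(c.name, control_rosi(by_name[c.risk_name], c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample register. Note the flood has by far the largest single loss
# but the smallest ALE, which is exactly why ranking on impact alone misleads.
REGISTER = [
    Risk("Unpatched internet-facing web server compromised", sle=250_000, aro=0.5),
    Risk("Phished credentials reused against VPN (no 2FA)", sle=120_000, aro=1.5),
    Risk("Lost unencrypted laptop", sle=40_000, aro=2.0),
    Risk("Data center flood", sle=2_000_000, aro=0.01),
]

# Constructed candidate controls mapping to the fundamentals in this article.
CONTROLS = [
    Control("Enforce 2FA on VPN", "Phished credentials reused against VPN (no 2FA)",
            annual_cost=30_000, aro_reduction=0.9),
    Control("Full-disk encryption on laptops", "Lost unencrypted laptop",
            annual_cost=15_000, aro_reduction=0.95),
    Control("Managed patch deployment", "Unpatched internet-facing web server compromised",
            annual_cost=60_000, aro_reduction=0.8),
]


if __name__ == "__main__":
    print("Risk register ranked by ALE:")
    for r in rank_risks(REGISTER):
        print(f"  {r.ale:>12,.0f}  {r.name}")
    print("Controls ranked by ROSI:")
    for name, rosi in prioritize_controls(REGISTER, CONTROLS):
        print(f"  {rosi:>6.2f}x  {name}")
```

The point of the exercise is the ordering, not the exact numbers: the register sorts by expected annual loss rather than by headline impact, and each control is presented as a multiple of its own cost, which is the language a budget conversation is actually held in.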
Effectively communicating risk assessments
The chasm exists when security professionals are unable to communicate this delta effectively to business leaders, who then either take a blanket approach to addressing InfoSec issues (expecting absolute system integrity) or guard the business treasure with angst, exercising the least engagement necessary and hoping against hope that nothing happens on their watch. Happiness and effectiveness lie somewhere in between.
The InfoSec triad of Confidentiality – Integrity – Availability is the foundation of all instruction in the security realm. From this triad flow security frameworks, system controls and every other high-level control, approach and protocol in the security world. If you have a highly capable and mature security apparatus, you are likely following the tenets of the triad and using a viable template, like the NIST framework, to structure your approach to InfoSec. If you are winging it, you are probably doing a lot of things, some of which are helpful while others are not.
When I talk about the fundamentals, I’m speaking of these five areas which, when engaged and practiced, give you the greatest ROI (not an exhaustive list):
- Effective patch management
- Access and identity management
- Effective password management – along with the use of 2FA
- Effective use of encryption of data at rest and in transit
- Implementation and effective use of the commonly referenced SANS 20 security controls
Let’s encapsulate this in a relatively decent understanding of the cyber threat landscape and you are off to the races. If you can get to a point where these fundamentals become second nature, you will be better situated than most.
Back to the premise of this piece: I believe practitioners lose sight of the fundamentals because there’s too much noise and not enough signal on the landscape. Because of the sheer increase in our reliance on tech and all things it brings, there’s frankly just too much information coming at those expected to protect these environments. We must learn to focus on the fundamentals, because they are a darn good starting point.
About the Author
M.K. Palmore, CISSP, is a Senior Federal Law Enforcement Executive with strong leadership and mentoring skills, responsible for cybersecurity, risk management and strategic-vision creation and implementation. His competencies and areas of excellence include Cybersecurity, Enterprise Risk Management, Governance & Compliance, Information Security Program Development, Digital Forensics, InfoSec Incident Response & Management, Physical Security, Executive Protection, Crisis Response & Management, Business Continuity and Disaster Response Planning.