Many people assume critical infrastructure protection is the responsibility of a select few, such as the utilities and transportation sectors. But the truth is that critical infrastructure security is an issue for us all.
In the growing, connected world we live in, everything is open to threat penetration — from retail stores to government, and automobiles to IoT devices. Any of us can be a pivotal link in a security breach. Take the Office of Personnel Management (OPM) data breach, for example. It involved two contractors doing background checks on behalf of the agency. Another instance is the recent Chrysler Jeep vulnerability; in that case, the Sprint cellular network and Harman Kardon Uconnect devices were involved.
Early last year, the Obama administration introduced the National Institute of Standards and Technology (NIST) Cybersecurity Framework 1.0, which has been met with a lot of mixed reactions. Personally, I believe this is the best non-controversial achievement on President Obama’s watch. Developed through open, joint government-private efforts, it’s meant to be followed voluntarily. Furthermore, it advocates best approaches to managing cybersecurity risks in the face of advanced threats and evolving IT.
To understand the essence of the framework, it needs to be thought of in three levels: executive, business, and implementation/operation. What we need from executives is essentially done — they are concerned enough to spend money; and since the board is worried, there is motivation to take effective action. So, now, the heavy lifting is left to the CSO, CISO and everyone in the trenches to execute.
But how do you do that? Well, I have identified 5 key actions that need to be taken for cybersecurity implementation. These actions, although they may not cover all aspects of implementation in detail, should help a lot of practitioners get the ball rolling in the right direction.
Understand business-specific risks — This is important because all businesses are different; they have different threats and different priorities. Identifying what you need to protect is crucial. Here are some examples:
- Office of Personnel Management — personnel records;
- Healthcare — patient records;
- Financial — client records, transaction system;
- Design house — blueprints, schematics; and
- Internet service provider — customer account info.
We need to learn from where others have failed. A recurring refrain we continue to hear is that people are treating compliance as the end instead of the means to better risk management. Didn’t Target say they were PCI compliant? It’s time to deal with risk management head on.
Plan for the complete threat mitigation cycle — There are two major reasons why we need to plan for the full mitigation cycle. The first is that today’s threats are very advanced. It’s not just Grandpa’s “buffer overflow” anymore. There used to be only one security problem to solve, but now an attack can be carried out in many different ways. It can happen without buffer overflow exploits or without you seeing a malware download. The second is that there are many roads to Rome, hence the need to monitor all access paths to protected assets.
Anticipate how to deal with consequences — Focusing on consequences forces clarity of objectives. There indeed is a new defense paradigm, and it’s justifiably learned from traditional warfare, which focuses on the consequences of an attack. You need a multipronged approach. Deploy-and-forget defense does not work; you have to think about what you can realistically protect, detect, respond to and recover from.
Ask for ready-to-take mitigation options — Your plan, your choice … ask yourself which tools you are missing. Timely, relevant and specific detection provides you with prioritized, ready-to-take actions. It should be a given that a security tool telling you that you were hacked three months ago is not very useful.
Finally, prepare for worst-case recovery — It seems an obvious statement, but it pays to be prepared. I am not saying you should waste time planning for “Armageddon” or a “Singularity.” But I am saying plan for the worst you can handle.
Here are some examples:
- Privileged user gets infected by RAT malware – what do you do?
- Unauthorized access to your source repository – what do you do?
- Cryptolocker infection on file share server – what do you do?
By the way, while asking yourself these questions, do not forget to ask what you have done to avoid getting into these situations in the first place.
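The five actions above fit together as one small triage loop: decide which assets matter (action 1), map each detection to the asset it touches, discard detections that arrived too late to be a mitigation option (action 4), and attach the worst-case playbook entry (action 5). The following is an added example written for this page; it is not code from the article or from Cyphort. Every asset name, detection type, playbook entry and timestamp is constructed for illustration, and the scoring weights are an assumption, not a standard.

```python
"""
Added example: triage detections against a business-specific asset list and
a response playbook. All names, detection kinds, playbook text and times
below are constructed for illustration; the weights are arbitrary.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Action 1 (understand business-specific risks): what we protect, 1 = low, 5 = critical.
ASSET_CRITICALITY = {
    "hr-records-db": 5,       # personnel records
    "src-repo": 4,            # source repository
    "file-share-01": 4,       # shared documents
    "cafeteria-menu-web": 1,  # low-value public web page
}

# Action 5 (prepare for worst-case recovery): the ready-to-take response per detection kind,
# mirroring the three scenarios in the article's list.
PLAYBOOK = {
    "rat_beacon": "Isolate host; revoke and rotate the user's credentials; capture memory image",
    "repo_unauth_access": "Revoke the key/token used; review every push since first access; rotate repo secrets",
    "mass_encrypt": "Disconnect the share; terminate the originating session; restore from last clean snapshot",
}

# Action 4 (ready-to-take options): a detection older than this is evidence, not a mitigation option.
ACTIONABLE_WINDOW = timedelta(hours=24)


@dataclass
class Detection:
    kind: str
    asset: str
    privileged_user: bool
    observed_at: datetime


@dataclass
class Triage:
    detection: Detection
    priority: int
    actionable: bool
    action: str


def triage(detections, now):
    """Score each detection by asset criticality and user privilege, flag stale ones,
    attach the playbook action, and return the list sorted for a responder."""
    results = []
    for d in detections:
        crit = ASSET_CRITICALITY.get(d.asset, 2)   # unknown asset: middling score, never silently ignored
        priority = crit * 10 + (15 if d.privileged_user else 0)
        age = now - d.observed_at
        actionable = age <= ACTIONABLE_WINDOW
        action = PLAYBOOK.get(d.kind, "No playbook entry: escalate to incident response lead")
        if not actionable:
            # Detection arrived too late to be a mitigation; verify current state before acting on it.
            action = "Stale detection (%.0fh old): treat as forensic lead, verify current state first" % (
                age.total_seconds() / 3600)
        results.append(Triage(d, priority, actionable, action))
    # Highest priority first; among equal priority, actionable detections before stale ones.
    results.sort(key=lambda t: (-t.priority, not t.actionable))
    return results


# Constructed sample input: four detections as a monitoring tool might surface them.
NOW = datetime(2015, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DETECTIONS = [
    Detection("rat_beacon", "cafeteria-menu-web", False, NOW - timedelta(hours=2)),
    Detection("mass_encrypt", "file-share-01", False, NOW - timedelta(minutes=20)),
    Detection("repo_unauth_access", "src-repo", False, NOW - timedelta(days=90)),
    Detection("rat_beacon", "hr-records-db", True, NOW - timedelta(hours=1)),
]


def run_sample():
    return triage(SAMPLE_DETECTIONS, NOW)


if __name__ == "__main__":
    for t in run_sample():
        print(f"[{t.priority:3d}] {t.detection.kind:20s} {t.detection.asset:20s} -> {t.action}")
```

The ordering is the point: the privileged-user RAT infection on the personnel database comes out first, the Cryptolocker-style mass encryption on the file share second, and the 90-day-old repository access, although it touches a critical asset, is demoted behind the fresh detection on an equally critical asset and labelled as forensic rather than actionable, which is exactly the "hacked three months ago" case the article calls not very useful.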
Dr. Fengmin Gong is co-founder and chief strategy officer of CYPHORT.