Editor’s note: Wired for Safety is a column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer University. From 2001 to 2011 he worked in cybersecurity for NOAA. He is a doctoral student at Northeastern University with a concentration in Curriculum, Teaching, Learning, and Leadership. His other activities include “You Have A Voice,” a project to develop an electronic screening assessment to identify human trafficking victims.
“Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment.”
This week, we will look at how important knowing your own organization is when it comes to the development of policies and maintaining control over information assets. The discussion below breaks the definition above into smaller parts.
IT professionals use a variety of automated and manual tools to help maintain the information systems where they work. Security professionals use similar tools to help maintain the confidentiality, integrity and availability of the information systems they are protecting. When the tools are used together properly, they provide a unique insight into the organization. For example, a Network Intrusion Detection System (NIDS), used to look for anomalous network traffic, may alert on Social Security numbers traversing the network from a host. An investigation may uncover that the destination was the organization’s backup computer system. However, the host that sent the data shouldn’t have held the Social Security information in the first place.
The tools that are used by system/security administrators should be used in unison to better understand how the organization works and how data flows within the organization.
This type of information and insight helps to drive the development of effective cybersecurity policies. In the case of Social Security numbers (SSN), a policy could be developed that addresses the proper handling of SSNs, what types of systems can hold SSNs, or even that SSNs aren’t allowed to be stored within the organization at all. The latter may be acceptable in organizations that have distributed offices: only the main headquarters would be permitted to maintain SSNs. This type of policy leads to the implementation of technical tools, best practices, guidelines, etc., that allow the policy to be implemented and enforced. In this case, a tool, the NIDS, is being used to help understand where information is stored within the organization. This helps to fulfill one of the key items mentioned in the definition, which is understanding the “totality of transmitted and/or stored information in the cyber environment.” Further, software programs can be used to scan documents that are at rest (not being actively processed) on hosts to check for the existence of SSNs.
The primary point is that when admins use their tools together, they can provide a clearer picture of the organization, which needs to be known to develop good cybersecurity policies. Also, tools help fill in the gaps where manual assessment isn’t feasible or is too laborious. Automated tools can help discover computer devices that no one knew about. The larger the organization, the more likely it is that hosts were forgotten during upgrades.
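The at-rest scan described above, as an added example that is not part of the original column: a small Python scanner that walks a directory tree, flags text files containing SSN-shaped values, and reports only a masked form of each hit so the report itself does not become another copy of the sensitive data. It goes slightly beyond the text by applying the Social Security Administration’s structural rules (area 000, 666 and 900–999, group 00 and serial 0000 are never issued) to cut false positives. The directory and the SSN values it scans are constructed inside the script; the extension list is an assumption.

```python
"""Find SSN-shaped values in files at rest (added example, not the column's code)."""
import re
import tempfile
from pathlib import Path

# Candidate shape AAA-GG-SSSS with dashes, spaces or no separator; the digit
# look-arounds stop us matching inside longer digit runs such as build IDs.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Assumption: only these suffixes are opened as text; office/PDF formats would
# need their own extractors before the same regex could be applied.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, which removes most accidental matches."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def scan_text(text: str):
    """Return [(masked_value, offset)] for every plausible SSN in the text."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            # Keep only the last four digits in the report.
            hits.append((f"***-**-{serial}", m.start()))
    return hits


def scan_tree(root: str) -> dict:
    """Walk root and return {relative_path: hit_count} for files that contain SSNs."""
    findings = {}
    rootp = Path(root)
    for path in rootp.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = scan_text(text)
        if hits:
            findings[path.relative_to(rootp).as_posix()] = len(hits)
    return findings


def build_sample_tree() -> str:
    """Create a constructed directory of sample files; every number here is fabricated."""
    root = Path(tempfile.mkdtemp(prefix="ssn_scan_"))
    (root / "hr").mkdir()
    (root / "hr" / "onboarding.csv").write_text(
        "name,ssn\nA. Person,123-45-6789\nB. Person,321 65 4321\n")
    (root / "notes.txt").write_text(
        "Ticket 000-12-3456 is not an SSN (area 000). Phone 802-555-0100.\n")
    (root / "build.log").write_text("ok 2024-01-01 build id 123456789012\n")
    return str(root)


if __name__ == "__main__":
    for rel, count in scan_tree(build_sample_tree()).items():
        print(f"{rel}: {count} SSN-like value(s)")
```

Pointing `scan_tree` at a workstation’s home directories, a file share, or a synced copy of a cloud bucket gives the “where is this data actually stored” answer the NIDS alert only hints at; the findings, not the values, are what go into the report.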
Other ways to know the organization are to review its mission statement and purpose, and to review reports that discuss its future plans and the strategic plans for accomplishing its mission. Meet with board members to understand how the organization is growing and plans to grow in the future. As policies are being developed, knowing this information will allow them to be flexible enough to be updated based on the organization’s growth. IT professionals must make a concerted effort to understand the direction of the organization; doing so will help ensure policy developments are geared toward the needs of the organization.
Security must be understood throughout the organization. It needs to be driven from the top of the organization down — beginning with upper management. Everyone in the organization needs to understand what security is, what they should keep secure, their part in the process, and how the organization maintains the level of security it requires. It needs to be clearly communicated in order for there to be support across the board and for everyone to understand their role in maintaining a strong defensive cybersecurity posture. However, it must start at the management level. Managers are the ones that have to answer to the lawyers, customers and auditors when a compromise occurs. They have to understand the type of information that is in the organization and its value to an adversary. When they are on board, everyone else follows.
“Security Safeguards, Guidelines … Actions … Best Practices”
When security is clearly communicated, the proper tools are in place, everyone understands the need for maintaining a strong security program, and the policies are in place, then the safeguards can be put in place more effectively and efficiently. Those that will be affected by the security controls will have a better understanding of why they are necessary, and they will understand what they need to do to report any deviations or problems with those controls. Policies will help drive the safeguards needed. For example: all desktop computers shall be configured with industry-standard security best practice controls. If need be, the policy can state which guidelines and best practices to use. It may state that the CIS benchmarks, a suite of documents outlining how to secure operating systems and applications, are required for the applications and operating systems they cover, or that the NIST Security Content Automation Protocol (SCAP) checklists, another suite of documents for securing operating systems and applications, are required for the ones they cover. The policy won’t state the specific configuration, only that it has to be used. It can also dictate how often security checks will be run to ensure compliance with the baseline security configurations. This kind of policy can help with ensuring the right financial and people resources and training are available to fulfill the requirements of the policy.
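The periodic “security check against the baseline” mentioned above, as an added example that is not from the column, CIS or NIST: a Python checker that parses an OpenSSH server configuration and reports every directive that deviates from a baseline. The baseline values are a constructed illustration modelled on commonly recommended sshd hardening settings, not a reproduction of any benchmark item, and the defaults assumed for absent directives are an assumption about OpenSSH’s behaviour. The weak and hardened configurations it compares are constructed inline.

```python
"""Compare an sshd_config against a hardening baseline (added example)."""
import re

# Constructed baseline, modelled on widely recommended sshd settings.
# For MaxAuthTries the baseline is an upper bound; the rest are exact values.
BASELINE = {
    "PermitRootLogin": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Assumption: value sshd applies when the directive is absent from the file.
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}


def parse_sshd_config(text: str) -> dict:
    """Return {directive_lower: value} using sshd's first-occurrence-wins rule.

    Directive names are case-insensitive and may be written "Key value" or
    "Key=value". Parsing stops at the first Match block because settings there
    are conditional and need per-host evaluation, which is out of scope here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # a later duplicate does not override
    return settings


def check_baseline(text: str):
    """Return [(directive, expected, actual)] for every baseline deviation."""
    settings = parse_sshd_config(text)
    deviations = []
    for directive, expected in BASELINE.items():
        actual = settings.get(directive.lower(), DEFAULTS[directive])
        if directive == "MaxAuthTries":
            ok = int(actual) <= int(expected)
        else:
            ok = actual.lower() == expected.lower()
        if not ok:
            deviations.append((directive, expected, actual))
    return deviations


# Constructed sample: the weak setting beside the corrected one.
WEAK_CONFIG = """\
# constructed sample, not taken from a real host
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 10
# the following line is ignored by sshd: the first occurrence above wins
PermitRootLogin no
"""

HARDENED_CONFIG = """\
# constructed sample, not taken from a real host
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        devs = check_baseline(cfg)
        print(f"{name}: {'compliant' if not devs else ''}")
        for directive, expected, actual in devs:
            print(f"  {directive}: expected {expected}, found {actual}")
```

A scheduled run of `check_baseline` over the configuration pulled from each host is the compliance check the policy asks for; the policy names the baseline, the script encodes it, and the deviations list is the evidence that goes to whoever owns the policy. Note that the first-occurrence rule matters: appending a hardened line to the end of a file does not fix a weak one earlier in it.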
“Risk Management Approaches”
We’ll spend the next lesson discussing risk management and risk assessments, but conducting a thorough risk assessment is one of the key practices that helps determine whether policies are being followed, need to be upgraded, or need to be implemented. These should be conducted at least once a year. When we discuss configuration management, that lesson will outline how it is possible to perform continuous risk assessments.
Training must be continuous and must be geared toward the audience for whom it is intended. Annual training isn’t enough for employees who are not system administrators. An annual training followed up by periodic refreshers is best. This helps to keep the information in their minds as they go through their day. The most common attack vectors can be discussed periodically: not opening suspicious attachments, not clicking on unknown web links, etc. Also, training is expensive for admins; one training class can use up the entire IT training budget for an organization. However, there are a plethora of free training resources on the internet, such as Cybrary; it just takes some time to sift through and find them. The use of virtual machines can help with the training because it doesn’t require purchasing additional computer systems.
Training needs to be focused and applicable to the organization in order for it to be meaningful to employees. Policies can dictate how often training must occur and the training required for administrators. Once again, if the policy dictates the training, then management must find the funding to ensure it happens.
“… Assurance …”
The assurance is that the security controls that are in place adequately protect the organization. What counts as adequate will, of course, differ by the type of organization. The use of tools, risk assessments, and an understanding of the safeguards in place can help to ensure the controls are adequately protecting the organization. If you decide to use the CIS benchmark for Apache, for example, securing the Apache service does not mean the applications installed on the server are adequately protected. There are other concerns that need to be addressed with the installed applications. Installing mod_security may help protect them by blocking the most common types of web-based attacks, or the web developers may be required to use a formal and documented secure coding and security testing process prior to deploying applications. If that is not treated as a security concern by the organization, then there is little assurance that the web services cannot be used as a method of attacking the organization.
Policies on how web applications will be deployed, whether custom or commercial, and how web services will be delivered can help minimize the threat because there are documented rules on what must be done. Not only that, but the person named as responsible in the policy will ensure it is followed.
“… Technologies …”
The use of technology within an organization needs to be heavily regulated. There is a tendency to want to bring in the latest tools and technologies because they offer features that have long been desired or because they are supposed to make processes more efficient. Newly developed technology often uses the word “secure” in its description, but doesn’t provide the much-needed security in its actual functions. It’s also not clear what “secure” means for the technology: it may use SSL for data transport, but what happens when the data is received? How does the application maintain the security then? Organizational policy should dictate how to handle the introduction of new technologies into the organization, especially when it comes to mission-critical tasks and systems. While organizations should continue to keep up to date on new technologies and determine how to streamline their processes, care should be taken to ensure the technology does what it claims. Not only that, but it should allow you to continue to perform the tasks that used to be completed, only in a more timely manner. It has to be determined how the new technology will affect all factors involved in the business processes with which it interacts. Policy should dictate the process that must be followed to determine how best to integrate the new technology into the organization, and it should state that all the right people must be involved in the process. This is the high-level view of policies: a policy can’t name who those people are, but anyone reading it should be reasonably aware of how to get the right people involved. If not, they should contact the person responsible for the policy.
“Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems”
Every organization needs to understand its security boundary. The security boundary contains all information assets for which the organization holds security responsibility. If an organization doesn’t have a handle on its assets, then policies have little value and attempts to secure the organization become futile. Administrators need the right tools to uncover the assets that exist in their organization. All network-connected devices and all types of information must be accounted for in order to have a firm grasp of the scope of what needs to be protected. The requirement to document and understand the security boundary is compounded by a few factors. One is if the organization has geographically separated offices, another is if the offices are located in a foreign country, and a third is if the organization’s information is in the cloud.
The cloud introduces a complexity when attempting to address security concerns. Namely, depending on the service provided, the organization has no control over the security mechanisms of the underlying server, or even of the virtual server it is using. The concerns can be mitigated with policies such as requiring file-integrity checks, which detect whether files have been modified, and checking with the cloud provider to determine what types of security scans the organization may conduct against its assets on the provider’s servers. The level of control will depend on the type of data involved, but highly sensitive data shouldn’t be stored in the cloud. Once again, policies and proper training should dictate how sensitive information is handled. Additionally, policies can require scanning the files on cloud servers to check for sensitive data.
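The file-integrity check the policy above would require, as an added example that is not the column’s own code: a Python baseline-and-verify routine that records a SHA-256 digest for every file under a directory, and later reports which files were modified, added or removed. Digests are used rather than timestamps because modification times are trivially reset. The directory tree and the tampering it detects are constructed inside the script; in practice the baseline would be kept somewhere the monitored server cannot write to, which is exactly the property a cloud tenant cannot assume of provider-resident storage.

```python
"""Baseline-and-verify file integrity check (added example, not the column's code)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    rootp = Path(root)
    return {p.relative_to(rootp).as_posix(): sha256_of(p)
            for p in sorted(rootp.rglob("*")) if p.is_file()}


def verify(root: str, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline.

    Returns sorted lists under "modified", "added" and "removed"; an empty
    result means the tree matches the baseline exactly.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, then verify."""
    root = tempfile.mkdtemp(prefix="fim_")
    r = Path(root)
    (r / "etc").mkdir()
    (r / "etc" / "app.conf").write_text("debug = false\n")
    (r / "index.html").write_text("<h1>hello</h1>\n")

    baseline = build_baseline(root)
    # The baseline is serialisable; in practice it is written to a location the
    # monitored host cannot alter (assumption about the deployment, not shown).
    baseline = json.loads(json.dumps(baseline))

    (r / "etc" / "app.conf").write_text("debug = true\n")  # modified in place
    (r / "extra.txt").write_text("unexpected\n")           # added
    (r / "index.html").unlink()                             # removed
    return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The report is only as trustworthy as the baseline’s storage: if the stored digests live on the same server that is being checked, an attacker who can change a file can usually change its recorded digest too. Run the check on a schedule, keep the baseline off-host, and treat every unexplained entry as an incident to be investigated rather than a list to be re-baselined.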
The definition of cybersecurity by the ITU covers the various aspects of the organization that need to be known before effective cybersecurity policies can be implemented within it. The overall meaning of the definition is that the organization’s mission, assets, information, and other factors have to be known in order to develop cybersecurity policies that are relevant to the organization.