All of the highly-publicized breaches last year continue to highlight that organizations are still wrestling with how to get a handle on their cybersecurity. Breaches put the confidentiality and the integrity of your information at risk, as we recently saw with the hack into the Democratic National Committee’s email. A denial of service attack impacts your availability, as we have recently seen with the attacks against the DNS provider Dyn. In cases like these or similar, organizations were not aware of the extent of the issue until they read it in the press.
So, why are organizations usually the last to know?
- Protecting confidentiality requires surgically reducing access to information. The information needs to be available and modifiable, just not to everyone. To do this takes an understanding of the workflow. Just opening the data up to all is a fast way to get a system deployed.
- Management lacks clear metrics on the state of cyber security in their organization. Few know any real information on how effective their current protection is. For example are all the virus scanners up to date in an organization? Can people bypass the proxies? Currently, management is given useless data like number of attacks blocked at the firewall, number of spam messages stopped, or number of viruses caught by virus scanner. (Why do I call these useless? I’ll be following that up in my next post – and tell you what you should be looking for. But suffice it to say – you have the data – you just aren’t looking at it correctly.)
- The perimeter defense just isn’t working. Many organizations have firewalls, web proxies and virus scanners that protect laptops at work. However, those same laptops are then used at home, where they are not behind the web proxy or firewall.
- There are very few really good cybersecurity professionals out there, which probably contributes to #2
- The bad guys are relentless.
As management is not seeing the right picture, most then are unaware that their cybersecurity defenses are inadequate. They don’t yet see a need to invest in monitoring the technologies they’ve invested in. And, this leads to no monitoring, which re-enforces the strategy of not investing in cybersecurity.
The Cycle of Inaction
Good management means that you invest efficiently, and investing in something that is not needed is inefficient. Lacking effective information, the perception becomes that there isn’t a problem. This feeds what I call the Cycle of Inaction. This cycle is caused by believing the investment in protection is enough, and lacking additional information, must be working. This leads to complacency, when metrics are actually needed. A complacency that sometimes is broken by a press article.
This cycle of inaction can lead to spectacular failures. Of note over the past couple of years, we have the hack of the NSA toolkit, the recent release of the CIA cyber toolkit, the hack of Yahoo!’s passwords, the hack of Target, the hack of …
We know of these events because the press is the Intrusion Detection System (IDS) of default for many organizations. That IDS, however, is not easy to control, and definitely reports what we call “trailing metrics,” or a metric about a problem AFTER it has happened.
What Is Your Cybersecurity Maturity
I’ve found that the cybersecurity issue that the industry is confronting is very similar to the quality issues that the industry tackled in the 1970s and 1980s. To address and improve quality, the ultimate solution was to install a mature process within an organization. A mature process is defined as a process that is repeatable, with quality-based decisions made using meaningful metrics.
I offer that many organizations are at a maturity level of 1, if the Capability Maturity Model (CMM) metrics are used. Getting to a CMM maturity level of 2 (of which there are 5) appears to be a little bit away for cybersecurity. If the struggle is to get to CMM 2, perhaps it makes sense to sub-divide the maturity level 1 into sub levels, as in the list below.
|Level||Action||You are first to tell the story||You can investigate privately||You can prevent a large incident|
|1.1||Organization learns about cybersecurity failures via the press, where the message is uncontrolled and incident needs to be addressed.|
|1.2||Organization learns about cybersecurity failures via a third party, privately (e.g. law enforcement or a business partner) The message can be controlled, as can the response to the incident.||√|
|1.3||Organization learns about cybersecurity failures internally. This allows the organization to control the message of the incident as well as the response.||√||√|
|1.4||Organization notes indicators that an incident is about to happen. Here, the organization can take steps to mitigate an incident before it happens.||√||√||√|
To increase your cybersecurity maturity, you need to improve your ability to monitor the cybersecurity of your digital assets, by analyzing the outputs of the technologies you have invested in.
Consider, your organization currently has firewalls to protect against bad things coming from the outside. You have web proxies and even content filters to protect against bad things coming from the outside. And, you have anti-virus scanners on your desktop.
With all of those layers of defense, it seems reasonable to conclude that no virus should ever reach the desktop. Measure that. Any time that any computer’s virus scanner detects a virus, a root cause investigation should be performed to determine which security control failed. For example, if a desktop has recently been infected with ransomware, a forensic analysis should be performed to determine how the virus got on the system. At the highest level, the cause will be one of these two things:
- The user violated a security practice, such as plugging in a USB.
- An existing cybersecurity technology failed. Did it not work? Was it improperly deployed?
Collect these metrics on the root causes, and soon you will have a clearer picture of the effectiveness of the controls.
Next topic, suggestions for effect metrics, to help you increase your “sense” of cybersecurity within your organization.
 Let’s define cybersecurity as the protection of the confidentiality and integrity of information, along with ensuring that the information is available when needed to whomever needs it
 Krebs, B. (2017,January). The Download on the DNC Hack. Retrieved from https://krebsonsecurity.com/2017/01/the-download-on-the-dnc-hack/
 Newman, L. H. (2016, December). The Botnet That Broke the Internet Isn’t Going Away, retrieved from https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/