All too often, organizations do not recognize the importance of a strong cybersecurity posture. Every day, businesses are being compromised in a very real way yet they are still focusing on the fundamentals when it’s clearly time to move beyond the basics. The threat is real, the enemy is active and so our defense must be stronger than the threat.
Welcome to Cybersecurity University. The following “course outline” is a broad overview of the levels of Cybersecurity Management, taking you from the simple but necessary 101 basics through the advanced 401 strategies.
Cybersecurity 101: Fundamentals
In any university level-101 course, the focus is typically on the terminology and fundamentals of the topic. One would not expect to achieve a high level of expertise after only completing level 101. Yet in business, this is often the extent of our knowledge base. How do we wage a war with our level-101 knowledge while the attackers are operating at a level 201 or 301?
Cybersecurity 101 focuses on the minimum security an organization must have as a starting point, to be sure that it is not “giving away the store” without any protection at all. In level 101, your organization must have the following elements (using a home analogy to illustrate the importance of each component):
• Firewall: The firewall, if configured properly, acts as a fence around your property. It is meant to communicate that what is behind it belongs to you. Using an incorrectly configured firewall is like having an open gate or no fence at all.
• Passwords: Passwords represent the doors of your house. With weak passwords, the doors are closed but not necessarily locked. Strong passwords put locks on the doors but locks can be picked or broken.
• Antivirus Software: Antivirus software is similar to a burglar alarm system. Some homes have one and some homes do not. For full coverage, every entry point must be kept secure, the system must be set to notify you of an unlawful entry and it must be updated with the latest technology.
Cybersecurity 201: Identify & Protect
In Cybersecurity 201, we move beyond the basics and learn that, in order to improve our cybersecurity posture, we must first identify what is important to the business, the level of its importance and how to protect what is important. This includes the following areas (for those familiar with ITIL®, you will see many similarities as we move forward):
• Asset Management: Assets are the data, personnel, devices, systems and facilities that enable your organization to operate and meet its business objectives. In order to protect your assets, they must be identified and managed; their relative importance must be classified.
• Business Environment: The organization’s mission, objectives and stakeholders, as well as personnel roles and responsibilities, must all be identified, understood and prioritized.
• Governance: The policies, procedures and processes to manage and monitor the organization’s regulatory, legal, and operational requirements must be defined, documented and communicated.
• Risk Assessment & Risk Management: The organization must analyze and understand the risk of a cyberattack and how it would affect its data, customer base, mission, reputation, assets and resources. Once this understanding is reached, the level of importance can be adequately applied to organizational and budgetary priorities.
• Access Control: Access control limits access to assets and data to authorized users or processes. It goes beyond simple user names and passwords and moves into multi-factor authentication, where a user is required to provide more information or have a security device that must be used in combination with their user name and password.
• Awareness & Training: The majority of security incidents originate from within an organization. End users must be educated on defense methods against hacking techniques (such as phishing, clickjacking and others), on the importance of strong passwords and on how to protect them.
• Data Security: Data security is the protection and management of the organization’s data, that is, the confidentiality, integrity and availability of sensitive information. This also includes the processes and procedures, roles and responsibilities, and maintenance of company, client and partner information.
• Maintenance: Maintenance and repairs of information system components must be conducted regularly in alignment with consistent policies and procedures to limit exposure due to system and/or component failure.
• Protective Technology: Protective technology solutions must be managed to ensure the security and resilience of systems and assets, consistent with defined policies, procedures and agreements.
Cybersecurity 301: Detect
In Cybersecurity 301, we move from a reactive, defensive posture to a proactive, offensive posture. At this level, our goal is to install management applications that will continuously monitor for anomalies and automatically remediate when an incident occurs. This includes the following areas:
• Anomalies & Events: Ensure that events outside the norm are detected in a timely manner and that the impact of the anomaly can be quickly assessed.
• Continuous Monitoring: Put tools in place that are continuously monitoring information systems and assets at specified intervals to detect potential security violation events.
• Detection Process: Define processes and procedures that are maintained and tested, so that critical notifications are reliably delivered when a security violation event occurs.
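As an added illustration of the Anomalies & Events and Continuous Monitoring bullets above (example code written for this page, not from the article or from NIST), the following detector runs a sliding window over authentication log lines and raises one alert per source that produces a burst of failed logins. The log format and every line in it are constructed for the demonstration; the alert carries the impact data an analyst wants first (how many attempts, over what span, against which accounts).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample log (hypothetical format and addresses, not from a real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth OK user=alice src=10.0.0.5
2024-03-01T09:00:10 auth FAIL user=bob src=203.0.113.7
2024-03-01T09:00:12 auth FAIL user=carol src=203.0.113.7
2024-03-01T09:00:15 auth FAIL user=dave src=203.0.113.7
2024-03-01T09:00:17 auth FAIL user=erin src=203.0.113.7
2024-03-01T09:00:20 auth FAIL user=frank src=203.0.113.7
2024-03-01T09:00:22 auth FAIL user=grace src=203.0.113.7
2024-03-01T09:01:00 auth FAIL user=alice src=10.0.0.5
2024-03-01T09:01:05 auth OK user=alice src=10.0.0.5
2024-03-01T09:30:00 auth FAIL user=bob src=198.51.100.9
2024-03-01T09:45:00 auth FAIL user=bob src=198.51.100.9
2024-03-01T09:55:00 auth FAIL user=bob src=198.51.100.9
2024-03-01T10:05:00 auth FAIL user=bob src=198.51.100.9
2024-03-01T10:15:00 auth FAIL user=bob src=198.51.100.9
2024-03-01T10:25:00 auth FAIL user=bob src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into an event dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_failed_login_bursts(lines: Iterable[str], threshold: int = 5,
                               window_minutes: int = 5) -> List[Dict]:
    """Alert when one source produces at least `threshold` FAIL events within the window.
    One alert per source; the alert summarises span, count and the accounts targeted."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures still in window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events that aged out of the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            users = sorted({u for _, u in q})
            alerts.append({
                "src": ev["src"],
                "count": len(q),
                "first": q[0][0].isoformat(),
                "last": ev["ts"].isoformat(),
                "users": users,
                # Many accounts from one source reads as spraying; one account as brute force.
                "kind": "password spraying" if len(users) > 1 else "brute force",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample with the default five-minute window, the detector reports only 203.0.113.7 (five failures across five accounts in ten seconds); the slow attempts from 198.51.100.9 every ten to fifteen minutes never accumulate five failures inside the window. Widening the window to sixty minutes catches the second source as well. That trade-off between window size, threshold and false positives is what "monitoring at specified intervals" has to be tuned for, and it is why a detection process must be tested against realistic traffic rather than assumed to work.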
Cybersecurity 401: Respond & Recover
While most intruders specialize in maneuvering around level 101 and level 201 areas, most have not mastered the level 301 and 401 areas. In Cybersecurity 401, we really start to take and secure ground by protecting against, responding to, and recovering from a cyberattack. Our focus here includes the following areas:
• Response Plan: The response plan is a formal set of processes and procedures to ensure the timely response to cybersecurity events. This eliminates the confusion and panic that wastes valuable time and allows an attack to flow through the information systems and cause more chaos.
• Communications: Communications are response activities coordinated with internal and external stakeholders to be sure everyone is informed and assisting appropriately. This would also include support from law enforcement and the cybersecurity legal team.
• Analysis & Mitigation: Analysis and mitigation activities are performed to analyze the impact of the event, so the appropriate response activities can be initiated, thereby preventing the expansion of the event.
• Improvements: Improvements are the organizational responses, including Problem and Change Management, to identify root causes and institute changes, so that security violation events can be avoided in the future.
• Recovery Planning: Recovery planning includes the recovery processes and procedures that must be maintained, tested and improved upon so that when a recovery is needed, it is available for rapid restoration of service. The time to test your recovery process is not while attempting an actual recovery in the heat of battle.
Graduation from Cybersecurity University
It should now be apparent that a corporate cybersecurity posture is far more than a firewall, passwords and antivirus software. It involves thorough planning, a strong design, defined processes and procedures, and automation and notification by way of software tools. It also requires the organization’s executives to commit to, and recognize the need for, a mature cybersecurity posture.
Cybersecurity University represents the NIST (National Institute of Standards & Technology) Cybersecurity Framework. This framework is based on industry best practices and focuses on managing and reducing cyber risk. For more information, visit the NIST website at nist.gov/topics/cybersecurity or contact Mike@Solutions3LLC.com.
Thank you for your interest in Cybersecurity University. We hope to see you in classes along the way.