CHAPTER 19
Know Yourself

Before you can take any action, you must know yourself more thoroughly than any other entity. You need to know what you need to protect. You need to know the resources available to protect the organization. You need to know your people. The list can be almost infinite.

Imagine protecting a medieval castle. To protect it, you need to understand its strengths and weaknesses. Is the castle on top of a tall mountain wall, such as the Salzburg Castle? If so, it reduces the risk from one type of attack. How tall are the walls? How many gates are there? Is there a moat? Are there windows in the wall that allow people to fit through? Are there concentric walls, so that an attacker has to make it through multiple walls to breach the actual castle? Are there emergency escape routes? Is someone watching those routes for enemy incursions? Then there are logistical issues. If the castle is under siege, how long can supplies last? What type of weapons does the castle possess? Does the view from the castle allow you to see an approaching army, with sufficient time to lock the gates and take other required actions to prepare for a siege? If there is a breach, are there still additional areas where defenders can make a stand? None of these questions are simple to answer. However, unlike computer networks, many castles were designed with security as a primary concern. It is significantly easier to protect a structure that is designed with security in mind.

As you look to defend your enterprise, there are aspects of your enterprise that you need to know and understand. What follows is a basic, but not exhaustive, list of considerations. There are many aspects that are specific to your industry and to your circumstances. A seasoned security professional will be able to determine the issues that need to be considered for an organization. It is, however, better to have as many people as possible involved, because experience matters, and the more experienced people are involved, the more considerations will be taken into account.

Advanced Persistent Security, p. 209. http://dx.doi.org/10.1016/B978-0-12-809316-0.00019-1 Copyright © 2017 Elsevier Inc. All rights reserved.
IS THERE PROPER GOVERNANCE IN PLACE?
As stated in Chapter 8, proper governance should drive a security program. It should define how security is implemented. A good security program without proper governance is a complete accident. Review all policies, procedures, guidelines, and relevant standards. Ensure that the relevant standards and/or regulations are embodied properly in the created policies, procedures, and guidelines. If they are, you have your starting point for proceeding forward. If they are not, you have your first strategic task to perform. Regardless of the state of the documents, you need to ensure that they are complete and also that there is appropriate management support, along with the proper resources, to fully implement proper governance.
HOW MANY PEOPLE ARE THERE IN THE ENTERPRISE?
The number of people within an organization drives a great many concerns. Everyone represents a potential security risk, as well as a potential countermeasure. It is also important to understand where people are located and what job functions they perform. There are social and cultural norms that need to be accounted for. Some areas of the world present more risk than others, such as war zones or high-crime areas. If people are widely dispersed, it is more difficult to consistently implement and enforce policies and procedures. There might need to be more policies and procedures, or at least they might need to be modified for the different locations.
WHAT IS THE RANGE OF JOB FUNCTIONS?
Although in some ways this consideration is implicit in the previous question, the type of job functions performed has a very significant impact on security considerations. The legal staff has different considerations than the IT staff. The maintenance staff has different considerations than the executive staff. Job functions dictate security considerations. Each job has different uses for computers and information. Jobs also create different physical and operational security risks. Even if people are scattered throughout multiple locations, they will very likely have similar security concerns if they have the same job function.
WHAT INFORMATION IS INVOLVED?
Different organizations have different types of information and different uses for that information. Different types of information create different security requirements. There needs to be a firm understanding of all the information in use in an enterprise. The types of information can also create adversaries for you. If money is your information, then criminals will target money. Government information will be targeted by intelligence agencies. Prerelease movies may be targeted by organized crime to facilitate piracy, or in some cases, by foreign governments that are unhappy with the plot of the movie. Intellectual property may be targeted by competitors or governments. It is therefore critical to know the information and who might want to take advantage of its value.
WHAT INDUSTRY ARE YOU IN?
To a large extent, a great deal of your risk, vulnerabilities, information targeted, adversaries, etc., can be predicted solely based on your industry. Although there are, of course, variations from company to company, vulnerabilities within an industry are generally standard. For example, medical practices need to protect patient information. They have traditional computer systems, and frequently use the same software from one medical practice to the next. Personnel have similar job responsibilities from one practice to the next. Security practices should likewise be similar from one organization in an industry to another. Again, every organization has unique conditions and information, but there are frequently more similarities than differences.
WHAT IS YOUR TECHNOLOGY POSTURE?
We have seen that even the best technological environments can be compromised through nontechnical means. However, technology is still a very significant concern. You need to understand your technical architecture. What type of computers do you have? Are networks segmented? What are the communications links?
ARE THERE SPECIAL TECHNOLOGIES IN USE?
A general understanding of the network is critical, but there is also a need to understand special technologies. These might include industrial control systems (ICSs), which are responsible for billions of dollars of operations and might have life-and-death consequences. Anyone who gains control of an ICS can potentially cause critical damage to an organization. There can also be special-purpose devices. Special technologies present special security considerations.

ICSs are a high-priority target for attackers. They present special security concerns as well. They therefore require enhanced protection and detection capabilities. You need to put specialized reaction strategies in place in case there is a potential compromise. Special technologies might also be highly targeted, because they are a specific type of intellectual property. Communications points are critical to attackers, and if there are unusual types of communications, they can be compromised. In general, the more unique a technology is, the more likely it is to be poorly maintained and, therefore, poorly secured.
DO YOU UNDERSTAND YOUR NETWORK?
We find that in most organizations, there is not a real understanding of their network. If there is no centralized control of network implementation, it is very likely that there is little knowledge of the overall technology in use. Rogue IT is a phrase that describes people bringing in their own devices. It can also extend to employees acquiring their own Internet connections. In one company we assessed, we found that there were more than 1000 Internet connections that they were not aware of, and that was only on the 80% of the network we had visibility into. When the enterprise does not know about Internet connections, it cannot properly protect them. They provide backdoors into what otherwise would be a reasonably secure network. Frequently, an enterprise will lose control of its network after mergers and acquisitions. Very rarely is there a full understanding of the network of an acquired company before it is attached to the acquiring company's network. Then, assuming that there is a formal process for merging IT infrastructures, which is extremely rare, it can take years to bring an acquired network up to standard. We will just leave it as a simple fact that you cannot secure a network that you do not understand.
PERFORM A SECURITY ASSESSMENT
Vulnerability assessments are critical to understanding how vulnerable you are to technical attacks. Although you can assume that eventually any highly skilled attacker would get through, it is important to understand whether you can withstand basic attacks. There is a continuum of technical security, and you need to know where you fall on it before you determine how to take action. Understanding this allows you to strengthen your protection, as well as better define your detection and reaction strategies.

If you have a poor technical security posture, you clearly have a great deal of work to do. You would need to focus on implementing basic security measures. If you have a more advanced posture, you can spend time on targeting specific issues that need to be addressed, rather than on implementing a basic security program. A good security assessment, performed by highly capable people, will usually go beyond just reporting the protection levels of systems and will identify issues that were not originally in scope. Ideally, a red team assessment will also identify weaknesses, and strengths, in the detection and reaction capabilities of an organization as well.
WHAT IS YOUR PHYSICAL SECURITY POSTURE?
You need to take the same action with physical security that you did with technical security. It is easier to understand physical security, as buildings and assets are tangible. A computer should be protected against theft or being physically left vulnerable. You need to understand all the physical locations within your sphere of responsibility. You need to understand how physical assets are brought into and removed from facilities. You need to understand the surrounding environments of your facilities. As implied in our discussions of threats, you need to understand the threats that are specific to different locations. Are your facilities within hurricane zones? Are there inherent risks at different locations? Although you should carefully assess each facility, you should be aware that the information you need is usually already known to people within your organization, and especially your physical security team.
HOW IS DATA TRANSPORTED?
When we assess enterprises, we inevitably find issues with regard to how data is transported and stored, including Internet access. Many enterprises are limiting how data can be exchanged. For example, many enterprises standardize on Box or Dropbox and block access to similar services. USB ports on computers are frequently deactivated, so that people cannot copy large volumes of data from systems and networks. If data is physically transported via tapes or other mass media, is it encrypted? What are the acceptable methods of transporting large and small amounts of data? Is there data leak prevention software on Internet connections? Is there a filter on Internet connections? You need to examine egress points to understand how data can be filtered, to ensure that you are not losing intellectual property or other critical data.
WHO ARE YOUR ADVERSARIES?
Although we discuss adversaries further in Chapter 20, here it is important to at least consider who your adversaries might be. You can look through our past discussion of threats to develop an initial list. There are many default adversaries, such as random hackers and insiders, but adversaries who specifically target your organization are driven by issues such as your industry, your geographic locations, and drivers specific to your business. Considering these issues further refines which of your information is at risk. It therefore helps define where you need to focus protections, as well as where to implement detection capabilities. The nature of your adversaries can also tell you the resources that might be used to target your organization.
WHAT IS THE SECURITY POSTURE OF SIMILAR ENTERPRISES?
Although we do not necessarily believe that you should base your security program on those of other organizations, by looking at similar organizations, especially those within your industry, and hopefully in similar geographic regions, you can determine a starting point for your security program. Assuming, of course, that your peers will share information, learn about their successes and failures. For many industries, there are centers referred to as ISACs, i.e., Information Sharing and Analysis Centers. These organizations allow for sharing of information and also have resources that allow for communications between members. They share information about ongoing threats, as well as other information to assist with improving the security programs of their members. Similarly, they are good for finding peers who want to learn, share, and help. There are also many professional associations that could provide access to peers in other organizations. Frequently, these organizations and conferences hold events that are specific to CISOs. These are great venues for finding peers who are willing to share information. There are also industry associations, similar to sector-specific ISACs, such as EDUCAUSE in the higher education industry, that allow for sharing of information, as does the FBI-sponsored InfraGard organization.
SUMMARY
To create a security program, you need to take complete stock of where you are, your available resources, your vulnerabilities, etc. This sounds obvious, but frequently, people running security programs sink into operational modes and just work with the program already in place, instead of stepping back to get the big picture. No matter what the intent is, without fully assessing the situation, you cannot create an optimal security program. You need to understand what you need to secure and where you are starting from.