Raise the level of your cyber team with sound fundamentals
Michael Jordan is not usually cited as an authority on Information Security, but few will question his standing as a leading authority on team sports. As a player, Jordan was famous for spectacular dunks in which he seemed to float across the key, and for a fade-away jumper that always seemed to find the basket. There is no doubt, however, that it was his consistency with the fundamentals, and his teamwork, that put him in a position to make the spectacular plays we remember. There is also little doubt that Information Security is a team sport.
In basketball, the fundamentals are grouped into offensive, defensive and ball-handling skills. Shooting a layup or a foul shot, boxing out or blocking a shot, dribbling and passing are the skills of a winning team. In cyber security, sound execution of the fundamental skills surrounding Policies & Procedures, People and Products is the key to a winning team.
Policy and procedures
Technical people frequently mistrust and underestimate policies and procedures as effective controls, but without them even the most skilled technical team is flying blind. These documents are the foundation of any program. They set priorities and expectations, and they foster consistent, repeatable results. To be effective, policies and procedures need the participation and support of the entire team, from the top levels of management down.
Key policies for any organization should include:
· Security and Risk Management policies to define the rules.
· Acceptable Use Policies and Rules of Behavior to communicate a proper code of conduct.
· Communications policies and procedures to ensure that all team members understand how authentic information is distributed throughout the organization.
· Robust change and configuration management policies to ensure that changes and additions to a system are validated and introduced in a controlled manner, and documented in a way that allows them to be repeated at a later date.
One need look no further than your favorite news outlet to see the importance of comprehensive patch management and hardening procedures. From WannaCry to this week's congressional hearings on the Equifax breach, ineffective systems patching has been a consistent theme; in both cases a fix for the exploited flaw had been published well before the attack.
Comprehensive incident response plans detailing who needs to do what are critical in any response. Even more important, knowing your legal and regulatory obligations in an incident or data breach, as well as who needs to be notified, is essential.
When building a program, this is definitely an area where better is the enemy of good. These plans need to be living documents that adapt and grow as your organization's needs evolve. Don't wait for perfection. Use templates to ensure that key information, such as definitions of terms, roles and responsibilities, and a framework to de-conflict competing priorities, is included by every author.
People
The next family of controls focuses on people, both internal and external to your organization. There is little doubt that one of the most important concerns in this control family is "be careful who you trust". This concern extends to your partners and service providers as well. It does your organization no good to run exhaustive reference and background checks on employees if those employees then give unvetted service providers carte blanche access to their systems or data. It is equally important to take steps such as multi-factor authentication to ensure that people are who they claim to be.
Every organization has that one user who will click on anything. Training at all levels is one of the most effective preventative controls in your arsenal. Whether you are training your technical staff or instructing your user base in basic cyber awareness, training can stop an incident before it occurs.
Another important facet of training is exercises. Whether performing a system recovery exercise with your technical staff or conducting a phishing exercise with your users, don't wait for an actual incident to find out whether your incident response or system recovery procedures work. Over the years my organization has conducted everything from tabletop exercises to live recovery drills. We have improved our knowledge, systems and processes with every single one of them!
Products
Thanks to the marketing budgets of product manufacturers, the last control family is often the first many consider. The show floors of every conference, the targeted advertising accompanying every web session and the advertising in every published magazine push products offering "industry leading" solutions "guaranteed" to protect our enterprises from the myriad threats and vulnerabilities plaguing our organizations. The truth is, there are no silver bullets that will send our cyber nightmares to the netherworld.
I am not advocating for a product-free existence, but to be effective, the products in our security arsenal should support policies and procedures and provide efficiency and risk mitigation for the ever-increasing scope of our cyber programs. In his keynote speech at this year's RSA Conference in San Francisco, RSA's Chief Technology Officer, Zulfikar Ramzan, advocated that organizations consolidate and minimize the number of vendors and products used to secure their environments. This is a remarkable statement from the CTO of one of the leading providers of cyber security products, but the truth is that each product in your portfolio requires resources to administer and monitor it. As we add more and more products in the name of security, our limited resources are stretched thinner and thinner, and the dwindling attention available for any one task can easily overwhelm our ability to execute the fundamentals. As a result, our overall programs become ineffective. The Agile ethos of "minimizing work in progress" is really about allowing people to focus on the tasks that deliver value to the organization.
It’s all about the team
One defining trait of championship teams and winning players is that they never stop practicing and looking to get better at the simple things, the fundamentals. As your organization develops, make certain that it doesn't overlook them either. In this post, I presented these skill sets in a specific order for a reason: each builds on what came before. People learn and implement the policies and procedures, and products provide the efficiency needed to get the tasks done. The lessons learned by the people through exercises and experience with the products need to be brought back to the policies and procedures to update and improve them.
To paraphrase another luminary on the subject of winning teams, the key to winning is fundamentals, and the occasional three-run homer never hurts!
"The key to winning baseball games is pitching, fundamentals, and three-run homers." - Earl Weaver