This article is the starting point for your reading into the various security ventures. The key takeaways are to have the right strategic direction, with a robust plan that taps on good technology leverage and resources. It is a mindset change to achieve more positive security outcomes!
The changes ?
It is my first post and, being a security "centric" fellow, I could not think of a better starting topic than security itself to get the ball rolling, starting first with what I have perceived from the community and internalised to share with you all.
The "engine" starts now - The "fear factor" needs to be instilled at the very start, as security does not really exist or even "flourish" without knowing the threats and risks we are exposed to in such an interconnected cyber space.
One commonly known security term is the cyber kill chain, which simply means the perpetrator's agenda (trying as much as possible to do harm and malice, directly or indirectly) begins with their good (old) reconnaissance, persists through biting the bullet if the defence stubbornly "drops" their fake social engineering attempts and their long night routine (staring at the PC screen), and eventually leads to their (hopefully) successful penetration.
What changes ?
We can take one well-known example such as the Gauss infections originally publicised by Kaspersky in 2012 [1].
While it is difficult to define the exact intent of the people behind Gauss, following Kaspersky's proposed attribution of Gauss and its purported siblings (Stuxnet, Duqu and Flame) to an Israeli state entity, one can expect such a program to provide value to a state intelligence mission. The group's full agenda is unknown and their grand finale has yet to be revealed.
One thing is clear: a targeted attempt is far more advanced and prepared compared to past script-kiddie trials or opportunistic attempts. The determined perpetrator wants intelligence (and MORE than you would ever expect) and is earning big bucks from this - on a long-term basis. At this juncture, we are hoping the face-off is not with those hacktivist groups or nationalistically motivated "cyber-militias", who are far more persistent. Embracing technology is a "double-edged sword", as it inadvertently also widens the organisation's exposure.
Why the changes ?
Most have little idea of what to anticipate and what actionable intelligence can help translate into beefing up their cyber defences. Some even choose to remain at the status quo and be on the waiting end - hoping their current traditional cyber defences are "good enough" to fend off any attacks.
With users being more interconnected and driven very much towards mobility, they can indirectly become "easy targets" for the evolving threats. As the cyber guardian of your organisation, we need to reflect on and review the below.
- Will the management be assured of the due diligence in the Cyber Wall put up for the organisation?
- How reactive is this Cyber Wall stance, and how long can it last against all attack waves in each cyber kill chain phase?
- What more security solutions can be purchased to beef up the defence?
But do not start off on a wild shopping spree of security technology without knowing what the organisation needs and wants. We should stop procrastinating and gain stakeholders' support for cyber defence as an important initiative in safeguarding the running of the business.
How to change ?
Let's take a step back and identify those weak areas and what can be done BETTER.
A simple approach is to start building a security playbook revolving around People, Process and Technology. The "content page" of the playbook covers the prologue, epilogue ("*") and content scope around Paradigm shift, Strategy and Capability.
(People - THE Strategy): Becoming more "Reactive" > Growing more "Proactive"
*Build a Hard shell ("Outside-in") and Toughen the Soft inner core ("Inside-out")
- Paradigm shift - Top DOWN to get management support and buy-in first (Security ROI)
- Paradigm shift - ICT only > Business for ALL
- Strategy - Early warning signs adopting “canaries in a coal mine”
- Strategy - System centric > Information centric > People Centric security objective
- Capability - Rule Trigger > Heuristic/Behaviour > Risk and Contextual based
*Change is the ONLY Constant (an attack is real and can happen to anyone, anytime and anywhere)
(Process - THE Plan) Reducing Complexity > Increasing Simplicity
*Compliance does NOT lead to a Secure state; (however) a Secure state leads to a Compliance state
- Paradigm shift - Detect-Respond > Prevent-Detect-Respond (Continuous Monitoring)
- Paradigm shift - AIM and Shoot > Shoot and AIM
- Strategy - Perimeter defence > Critical Asset defence (Golden Goose)
- Strategy - Compliance Focus > Risk based Focus (Business attributed)
- Capability - Network aware > Application aware > Big Picture (Haystack vs Needle)
*Start Security EARLY > Share and Support the Intelligence sharing effort
(Technology - THE Leverage) Having "More" means Achieving "Less" > Having "Less" means Achieving "More"
*Security as a Process NOT as a product (Reuse, Recycle, ReBuild)
- Paradigm shift - People intensive > On demand driven (with Technology)
- Strategy - Defence in Depth > Defence by Breadth (NO Silver bullet)
- Capability - Micro > Macro (focus BIG Data = Actionable + Quality NOT Visual + Quantity)
*Security is just a Means to the END (Know the Weakest link, NOT Just the Broken Chain)
As a whole, PLAN EARLY, and START a TEAM for which you need to GATHER the LIKE-MINDED stakeholders to support. Remember, Security is to CONVINCE and not COERCE.
What is next to change ?
For the remaining few who are still reading on (while I plan out other sharing in subsequent posts), one good thing to know is the latest NSS Labs report on Cyber Resilience [2], which addresses this silver bullet fairy tale (the paper has a nice picture in it stating "it only takes a single compromised endpoint..."). In short, it highlighted that it is not the 98 percent of threats that security defences catch which we (the organisation) must be concerned about; it is the remaining percent that they miss which marks the beginning of the scary story - breach and more.
Good (and final) takeaways for consideration.
- Anticipate attacks - Assume such 'bad' things will happen, and the priority is to reduce such exposure and contain the impact
- Security controls are not a silver bullet - There is no 100 percent protection against malicious attempts; staying proactive and leading the perpetrator to play along with your playbook will give the defender the upper hand and manage the expected risks.
- Security weakening is not necessarily bad - Disabling or removing a control intentionally and forcing below-par performance can help reveal more intelligence and, indirectly, more preparation time. This can include hidden insider doings and early signs of the perpetrator's agenda.
- Stay prepared and flexible to sustain normal operation with an 80-20 and 60-40 strategy - Plan your operating capacity in terms of running services (which must include critical assets) vs 'unavailable' services due to attacks.
TAKE a STEP BACK ... Cyber Security is a means, not an end. It is no longer a matter of IF you (or your organisation) will be attacked; it is a matter of WHEN, and how ready you are for it.
In subsequent postings, we will look at other build-ups to start (or aid) one to reconcile the 5Ws, to further our security posture and defence in CYBER READINESS.