
Monday, March 30, 2015

Developing a common understanding of Cybersecurity

1.      Introduction
1.1       Semantics often get in the way of common understanding, and the cost of semantic confusion is highest when the subject is critical to business. ‘Cybersecurity’ has recently been used to mean a wide variety of things; there is not even agreement on the form of the term itself, which also appears as ‘Cyber Security’ (I have adopted Cybersecurity over Cyber Security for reasons explained in section 4 of this document). Whatever the interpretation, all concerned agree that Cybersecurity matters pose significant risks to Governments, to industry sectors and to the general public. An entire industry, valued at over $160 billion [1], has sprung up to meet the perceived need to manage these risks. There is also consensus that Cybersecurity is closely related to the domain of Information Security [2]. Hence, professionals working in Information Security need to develop a good understanding of Cybersecurity to fulfil their mandates.
 
1.2       As a practicing Information Security professional, I have faced these challenges myself and have tried to develop a clear firsthand understanding of Cybersecurity. This paper is an attempt to capture a brief summary of that understanding.

2.      Origins of ‘Cyber’
2.1       The word ‘Cyber’ has Greek roots: kybernetes roughly means one who steers a boat, a pilot or helmsman. Plato adapted the word to mean something like ‘governance’ and associated it with Government control, as Governments steer society. In the twentieth century, the American mathematician and philosopher Norbert Wiener foresaw the rise of sophisticated machines that would need intelligent controllers to govern their actions. Borrowing from the same Greek root, Wiener coined ‘cybernetics’ for the study of control and communication in machines and living things, and noted that such controllers would be difficult to design and build. Wiener thus retained the connection between technological control and governance. The speculative fiction novelist William Gibson foresaw the ‘space’ of virtual interactions and popularized the term ‘Cyberspace’, borrowing ‘Cyber’ from Wiener, in his 1984 novel ‘Neuromancer’. Many early adopters of the Internet were fans of Gibson’s work, so cyberspace became the standard name for the place you went when you were on the Internet. Gibson’s usage, however, reversed the governance connotation of the word, since the Internet is inherently not amenable to central control.
 
2.2       Meanwhile, security experts had already settled on the term ‘Information Security’ for the securing of information and digital systems, and it was considered synonymous with ‘Computer Security’ and ‘Network Security’. The British Standards Institution (BSI) published the first standard on Information Security, BS 7799 [3], in 1995; it was later incorporated into the global standards of the International Organization for Standardization (ISO), namely the ISO/IEC 27000 series. The current Information Security standards are ISO/IEC 27001 and ISO/IEC 27002 [4], revised in 2013.
 
2.3       It is interesting how ‘Cybersecurity’ gained mindshare when we already had the useful term ‘Information Security’ for the same thing. There is no clear research establishing this, but it is attributable to a combination of military influence, marketing hype and societal acceptance. As digital technology became vital to business and Governments, militaries began preparing to defend national interests in this area. Conventional military thinking revolves around the defence and attack of some kind of space (terrain, airspace, outer space), so cyberspace became a handy reference for the digital domain. Securing cyberspace thus became cybersecurity, and alongside many defensive measures it came with offensive measures as well. The term Cyber also found easier acceptance with the media and, through it, with wider society. While Information Security sounded formal and demanded a deeper understanding of technology, Cybersecurity connected with science fiction and popular imagination, and struck a chord with business leaders and industry experts in an increasingly digital global commerce. No surprise, then, that the accepted semantics quickly overflowed into other areas: cyber criminals, cyber attacks, cyber war, cyber defence, cyber diplomacy and so on.
 
2.4       Interestingly, with leading Governments increasing their Cybersecurity capabilities, designed to exert control and exercise governance over Cyberspace, the meaning of ‘Cyber’ has come full circle back to Wiener’s vision of technocratic control and Plato’s vision of Government control.

3.      Searching for a reliable definition of ‘Cybersecurity’
3.1       Having understood the origin of the term, it is essential to understand the term itself. There are quite a few close variations in the meaning and scope of Cybersecurity, and some outliers. I have summarized them in the succeeding paragraphs and, at the end, provided recommendations that Information Security professionals may like to consider.
 
3.2       Dictionary Meaning: A prominent online dictionary defines it as ‘measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack’ [5].
 
3.3       General understanding in Computer Security communities: Security has always lagged behind functionality in the world of computing. This sequence has repeated at every stage of the Information Technology revolution, be it mainframes, PCs, the Internet, cloud, mobile, social media or cyber, although the lag has narrowed with each stage. Computer Security [6] or IT Security has come to be known as the discipline applied to computing devices such as computers and smartphones, and to computer networks, private and public, including the Internet. It includes ‘all processes and tools by which digital equipment, the information they contain and services provided using them are protected from unintended or unauthorized access, change or destruction’. Computer Security has grown in importance with the increasing reliance on computer systems in most societies. It includes physical security to prevent theft of equipment, and information security to protect the data on that equipment. In recent times, ‘Cybersecurity’ has often been used synonymously with Computer Security.
 
3.4       Views from Technology Media: A few leading technology publishers have tried to define Cybersecurity:
3.4.1 TechTarget: ‘The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies Cybersecurity.’ [7]
3.4.2 Techopedia: ‘Preventative methods to protect information from being stolen, compromised or attacked in some other way. It requires an understanding of potential information threats, such as viruses and other malicious code.’ [8]
 
3.5       Definition by Industry Sectors: The International Telecommunication Union (ITU) defines Cybersecurity [9] as ‘the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment.’
 
3.6       Definition by Government: NIST [10] defines Cyberspace as ‘a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.’ A cyber attack is defined as ‘an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.’ Consequently, Cybersecurity is defined as ‘the ability to protect or defend the use of cyberspace from cyber attacks.’
 
3.7       Definition by Research Firms: In June 2013, Gartner acknowledged that there is confusion in the market over how the term should be used, and published a research paper defining ‘Cybersecurity’ [11].
3.7.1 Analysts Andrew Walls, Earl Perkins and Juergen Weiss wrote that ‘use of the term “Cybersecurity” as a synonym for information security or IT security confuses customers and security practitioners, and obscures critical differences between these disciplines.’ To set the record straight, the team defined the term: ‘Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.’
 
3.7.2 The paper clarified that ‘Cybersecurity is a superset of the practices embodied in IT security, information security, Operational Technology (OT) security and offensive security’ and provided an illustration to underline this.
 
3.7.3 Gartner advised: ‘Security leaders should use the term “Cybersecurity” to designate only security practices related to the combination of offensive and defensive actions involving or relying upon information technology and/or operational technology environments and systems.’
 
3.8       Recommendations: The Gartner definition encompasses in spirit all the preceding definitions from industry bodies, professional organizations and Government. It also clearly outlines the components of Cybersecurity and sets them in context with an illustration. However, it includes an offensive element that does not apply to entities other than Government organizations with specific authorized mandates; for anyone else, employing such measures would be an infringement of the law in most of the democratic world. So, for understanding and implementing Cybersecurity measures at the level of an enterprise or any entity other than such Government organizations, the Gartner model is very suitable, provided it is applied minus the offensive security measures. This does not alter the definition of Cybersecurity as such; rather, it limits the applicable scope of Cybersecurity for enterprises.
 
4.      Is it Cybersecurity or Cyber Security?
4.1       In addition to the multiple definitions of Cybersecurity, we also need to consider the two ways of writing the term itself, ‘Cybersecurity’ or ‘Cyber Security’ [12], which are increasingly used interchangeably. There is no recognized authority on the subject per se, but we can take guidance from the Associated Press, which still sets the standard for news copy style and says it is one word: ‘Cyberspace is a term popularized by William Gibson in the novel "Neuromancer" to refer to the digital world of computer networks. It has spawned numerous words with cyber- prefixes, but try to avoid most of these coinages. When the combining form is used, follow the general rule for prefixes and do not use a hyphen: cyberattack, cyberbullying, cybercafe, cybersecurity.’ There are some exceptions to the prefix rule, specifically around proper nouns, such as ‘US Cyber Command’. Besides the Associated Press, most of the credible sources quoted in section 3 above use the single-word form.

5.      Staying clear of the hype around Cybersecurity
5.1       A few in the research community have held out against painting everything cyber, although their ranks are thinning as Governments, industries and even the general public accept the term. Gartner VP and distinguished analyst John Girard urges enterprises to ignore the hype around Cybersecurity spending and look instead at the areas of their business that need protection [13]. He adds that many of the activities labelled Cybersecurity are not only not new but may also be dangerous practices that should not be followed. Girard suggests that executives question the use of Cybersecurity budgets before making decisions on the subject, since, according to him, a lot of security vendors and practices in Cybersecurity tend to work the same way.
 
5.2       Girard recommends that enterprises spend on core operational and procedural security rather than sinking large budgets into zero-day vulnerabilities, country watching and advanced threats. He advises enterprises to concentrate on core infrastructure security, application security and security processes.
 
6.      Conclusion
6.1       I echo Girard’s sentiments: Security Management is a function that carries expectations of very high trust, and such hype betrays that trust. I can see a connection between the hype and the offensive element in the definition of Cybersecurity. Thus, by discarding the offensive element from the definition, enterprises can avoid the associated hype as well.
 
6.2       Something is common to all enterprises: the need to understand their business, document their critical information infrastructure, and deploy multi-layered protection in the form of a tiered set of preventive, detective and corrective controls that define their Information Security and OT Security framework. A risk-based approach is an absolute must, in which residual risks, the risk mitigation road map and the risk appetite are clearly understood by security leadership and articulated to executive leadership. There is no room for hype in developing this understanding, making recommendations for risk mitigation and taking executive decisions.
 
6.3       Offensive measures are out of scope for enterprises, since they would be violations of law. However, enterprises in some critical sectors may need to establish tight partnerships with suitable Government establishments to report cyberattacks, and the concerned Government establishment may have the mandate for retaliatory or offensive measures.
 
References:

Thursday, March 19, 2015

INFORMATION SECURITY STRATEGY AND MEASURING ITS EFFECTIVENESS THROUGH SECURITY METRICS

 
Introduction:
Enterprises have learnt to give Information Security (IS) the attention it deserves. That realization has come later than it should have, but there is still the opportunity to make good the delay by adopting a proactive and holistic approach while creating, maintaining and augmenting an Enterprise Information Security (EIS) program. Key aspects of such a program are:
·         Formulating a customised EIS strategy and road map.
·         Its effective implementation in an integrated manner.
·         Measuring effectiveness through customised EIS metrics.
 
A plethora of technology platforms, voluminous processes and large numbers of people are deployed to implement security programs in enterprises, while scant attention is paid to the other two elements, strategy and metrics. This paper focuses on those two.
 
Security strategy and metrics go hand in hand, and both are very dynamic owing to changing business requirements and a changing threat landscape. Hence, there is a need to understand their interdependence and symbiotic nature, from the creation of the respective programs through their execution and continuous improvement. It is also pertinent to note that EIS metrics are a facet of EIS strategy. Thus, although it is possible to create an EIS metrics program independently, it is best practised with an eye on the big picture, as an indispensable part of a dynamic EIS strategy.
 
Why:
EIS strategy is of paramount importance in aligning the EIS program with enterprise business objectives and providing the necessary return on investment (RoI). In the absence of an EIS strategy, the program can flounder and is not positioned to deliver the results expected of it; there is also no accountability for the program, and hence no way to demonstrate its productivity.
 
There are multiple reasons for measuring EIS metrics:
·         EIS metrics are vital to demonstrate EIS program effectiveness, provide accountability, justify past investments and seek future investments, and instil stakeholder confidence/assurance.
·         Federal agencies in the US are mandated by a number of laws and regulations, such as the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), the Government Paperwork Elimination Act (GPEA) and the Federal Information Security Management Act (FISMA), to undertake IT performance measurement in general and IT security performance measurement in particular. IT security metrics are a core component of EIS metrics.
·         Similar regulatory regimes are prevalent in most developed and developing economies globally.
  
How:
EIS strategy should be simple. It should take into account the industry sector, the size or revenue of the enterprise, its risk appetite, the business model and its unique business objectives or goals.
 
EIS metrics should be practical, standardised and scalable. They should evaluate security at the system level, facilitate decision making, and aggregate all operational-level metrics to produce dashboards at the enterprise level and at the business unit and/or geographical entity level. EIS metrics should also show relevant trends over time, help track performance and direct resources to initiate performance improvement.
 
Development Process:
EIS strategy development consists of the following generic activities, which need to be customised for individual enterprises:
·         Enumeration of business objectives.
·         Identification of EIS drivers – Legal, Regulatory, Financial, Operational etc.
·         Stock taking of the current EIS program, if any.
·         Creation of a risk based and business aligned EIS program including:
o   IS Roles and responsibilities (both within IS as also outside of it)
o   IS Organization structure
o   IS Governance framework
o   IS Risk Assessment methodology and framework
o   IS Controls and Assessment framework
o   IS Architecture framework
o   IS Operations framework
o   Outline roadmap including major projects and initiatives
o   EIS Metrics framework
 
EIS metrics development consists of the following generic activities, which need to be customised for individual enterprises:
·         Definition/documentation of the current EIS program
·         Selection and development of metrics to measure implementation, efficiency, effectiveness, and impact of the EIS program
 
Detailed Considerations for EIS Strategy:
EIS strategy should be aligned to business strategy and corporate vision. It must leverage all existing strengths, tools, processes, people and frameworks of the enterprise. It should spell out the security organization structure, roles and responsibilities, the catalogue of services provided, the road map of security programs, projects and initiatives, and define customised security policies, standards and procedures. It must also work out the cross-functional collaboration framework and touch points with complementary functions, including Enterprise Risk Management, Compliance, Legal, BCP, DR, Privacy, Information Management, HR, IT Operations and Physical Security.
 
Detailed Considerations for EIS Metrics:
EIS metrics should reflect both security program maturity (the status of all programs, projects and initiatives) and security control effectiveness (compliance with policies, standards and procedures). Both data types should be processed through a customised framework aligned to the risk appetite of the organization, and the results presented through multiple dashboards configured around the needs of specific target audiences. Generally, three levels suffice; this can be reduced to two levels for smaller enterprises with fewer consumers of such dashboards, or extended to additional levels for large, complex global enterprises that need more granularity.
 
In a three-level representation, the highest level is a single overall indicator. The next level shows the component sub-domains into which security has been carved out for the enterprise, each with an appropriate weight, the weights adding up to 100%. Each sub-domain is broken down into one more level of metrics, drawn from security technology platforms or security processes, each contributing a different weight to the sub-domain it belongs to. These lowest-level metrics are real data from systems and processes; the two levels above are abstractions over this data, computed according to a framework customised for the specific company.
 
Some options for level 1 dashboard are:
·         3 colours (Red/Yellow/Green) or 5
·         % of score out of 100
·         Levels 1 to 3 (or 5)
 
Suggested components of level 2 dashboards are:
·         Governance
·         Risk
·         Compliance
·         Architecture
·         Operations
 
Suggested components of level 3 dashboard with types of operational metrics for each are:
·         Asset Management metrics
·         Communication Security Metrics
·         Perimeter Security Metrics
·         End Point Security Metrics
·         Application Security metrics
·         Identity & Access Management metrics
·         Access Control metrics
·         Vulnerability Management metrics
·         Patch Management metrics
·         Malware Management metrics
·         Change Management metrics
·         Incident Management metrics
·         Business Continuity and Disaster Recovery metrics
 
Each of the suggested operational metrics domains comprises multiple metric elements, and each applicable element needs to be customised for the specific enterprise. Also, the list above does not cover GRC metrics, which need to be configured for an enterprise based on its EIS strategy and implementation roadmap.
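As an added worked example (not part of the original post), the following Python sketch implements the three-level roll-up described above: level 3 operational metrics, each normalised to a 0-100 score and weighted within its sub-domain; level 2 sub-domain scores, using the five components suggested above and weighted toward the overall score, with the weights checked to add up to 100%; and a level 1 indicator rendered as a percentage, as a level from 1 to 5 and as a Red/Amber/Green colour. The sub-domain names follow the suggested level 2 components; the metric names, weights, scores and colour thresholds are constructed assumptions for a hypothetical enterprise, not data from any real program.

```python
"""Three-level EIS metrics roll-up (added example; all sample figures are constructed)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Metric:
    """Level 3: one operational metric, normalised to a 0-100 score."""
    name: str
    score: float   # 0..100, e.g. "% of in-scope hosts patched within SLA"
    weight: float  # share of its sub-domain; weights in a sub-domain sum to 1.0


@dataclass
class SubDomain:
    """Level 2: a security sub-domain made up of weighted level 3 metrics."""
    name: str
    weight: float  # share of the overall score; sub-domain weights sum to 1.0
    metrics: List[Metric]


def check_weights(weights: List[float], label: str) -> None:
    """Weights must add up to 100%; a silent mismatch would skew every level above."""
    total = sum(weights)
    if any(w < 0 for w in weights) or abs(total - 1.0) > 1e-9:
        raise ValueError(f"{label}: weights sum to {total:.3f}, expected 1.0 with no negatives")


def subdomain_score(sd: SubDomain) -> float:
    """Level 3 -> level 2: weighted average of the sub-domain's metrics."""
    check_weights([m.weight for m in sd.metrics], sd.name)
    return sum(m.score * m.weight for m in sd.metrics)


def overall_score(subdomains: List[SubDomain]) -> float:
    """Level 2 -> level 1: weighted average of the sub-domain scores."""
    check_weights([sd.weight for sd in subdomains], "sub-domains")
    return sum(subdomain_score(sd) * sd.weight for sd in subdomains)


def rag(score: float, amber_from: float = 60.0, green_from: float = 80.0) -> str:
    """Three-colour level 1 option; the thresholds are an assumed risk-appetite setting."""
    if score >= green_from:
        return "GREEN"
    return "AMBER" if score >= amber_from else "RED"


def maturity_level(score: float, levels: int = 5) -> int:
    """'Levels 1 to 5' level 1 option: equal-width bands over 0-100."""
    return min(levels, int(score // (100 / levels)) + 1)


def build_dashboard(subdomains: List[SubDomain]) -> Dict:
    """Return all three levels so each audience can be shown its own view."""
    total = overall_score(subdomains)
    return {
        "level1": {"score": round(total, 1), "rag": rag(total), "level": maturity_level(total)},
        "level2": {sd.name: round(subdomain_score(sd), 1) for sd in subdomains},
        "level3": {sd.name: {m.name: m.score for m in sd.metrics} for sd in subdomains},
    }


def sample_dashboard() -> List[SubDomain]:
    """Constructed figures for a hypothetical enterprise (assumptions, not real data)."""
    return [
        SubDomain("Governance", 0.15, [
            Metric("policies reviewed on schedule (%)", 100, 0.6),
            Metric("staff who completed awareness training (%)", 80, 0.4),
        ]),
        SubDomain("Risk", 0.20, [
            Metric("risk register entries with a named owner (%)", 90, 0.5),
            Metric("high risks treated by due date (%)", 50, 0.5),
        ]),
        SubDomain("Compliance", 0.20, [
            Metric("audit findings closed on time (%)", 60, 1.0),
        ]),
        SubDomain("Architecture", 0.20, [
            Metric("systems with an approved security design review (%)", 75, 1.0),
        ]),
        SubDomain("Operations", 0.25, [
            Metric("critical patches applied within SLA (%)", 70, 0.5),
            Metric("endpoints with current anti-malware (%)", 90, 0.3),
            Metric("incidents closed within SLA (%)", 80, 0.2),
        ]),
    ]


if __name__ == "__main__":
    import json
    # Overall 74.3 -> AMBER, level 4, with Risk and Compliance dragging the score down.
    print(json.dumps(build_dashboard(sample_dashboard()), indent=2))
```

The weight check is the practical safeguard in this design: as metrics are added or retired, a sub-domain's weights can drift away from 100% and every level above it is then silently skewed, so the roll-up refuses to compute rather than report a misleading score. The level 2 view also makes visible which sub-domains (here Risk and Compliance) pull the overall indicator into Amber, which is the information a security leader needs before redirecting resources.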
 
Conclusion:
The above considerations are neither sacrosanct nor sequential. Rather, they provide a framework for envisioning EIS metrics and customising them appropriately for a specific enterprise. The type of operational metrics depends on the status of enterprise processes and supporting technology platforms, as well as on the evolution of the EIS program and its stage in the maturity life cycle.