cryptographic key management – it’s good stuff. The basic thing to remember is that keys are
generated for different purposes and not all key generation methods are suitable for all
purposes. It’s complicated.

 Oh, right… Back up your data. The importance of this Control can’t be overstated. If you don’t like it when Word
crashes and loses the past hour of unsaved work, imagine how much you’ll dislike losing
the systems that run your organization’s business.

Areas for Improvement

 Make allusions explicit. Don’t make it more difficult than it already is for us in the profession.
The more complicated and ambiguous a control framework is, the less likely it is that we’re
going to get it right. Not only are we likely more vulnerable, we are also wasting valuable
resources.

 Be prescriptive only when necessary. There’s a requirement (the first one, in fact) that says you
need to ensure that each system is backed up on at least a weekly basis. That may not be true,
as per my notes on the matter. In my opinion, a prescription should be provided only when it
can be generalized well, and I don’t believe this requirement carries that property. Instead, I
would have characterized the requirement in a manner that ensures backups happen when
significant or material change occurs. Of course, this would assume that you’re forwarding daily
information (i.e. audit logs) to a central place (see what I mean about process dependency?).

 Acknowledge the extreme importance of good key management. I’m picking on this subject
primarily because I called it out as part of the second Key Take Away, but it’s an area of
improvement for this Control Framework (and others) overall. Key management is hard and
takes resources. A lot depends on key management, not just encrypted backups. Consider SSH,
HTTPS, POP-S, and the countless other protocols relying on public or private key systems. We
have keys everywhere, and mostly in places we don’t know and almost certainly under no real
management. This could be an area of Control in its own right, and would be one I’d argue
belongs in any Top 20.

 Add a Metrics section. So far, all the Controls being examined have a Metrics section. Why not
this one? At least cite measurements that would substantiate a claim that 1) you’re doing
backups appropriately, 2) they’re secured appropriately, and 3) you’re validating restoration
capability appropriately.
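The three measurements this item asks for, together with the change-driven backup trigger suggested under “Be prescriptive only when necessary”, can all be derived from the backup system’s job history, restore-drill records and the audit logs forwarded to a central place. The following Python is an added example written for this page, not code from the article or from any control framework; the log line formats, the system names, the seven-day and ninety-day thresholds and the fixed “now” are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample records (not from the article). In practice these would come
# from the backup system's job history, restore-drill records and the audit logs
# forwarded to a central collector, as the text assumes.
BACKUP_JOBS = """\
2013-08-01T02:00:00 db01 backup ok encrypted=yes
2013-08-01T02:05:00 web01 backup ok encrypted=no
2013-08-03T02:00:00 db01 backup ok encrypted=yes
2013-08-04T02:00:00 fs01 backup failed encrypted=yes
"""

RESTORE_TESTS = """\
2013-07-15T10:00:00 db01 restore-test ok
2013-05-01T10:00:00 web01 restore-test ok
"""

CHANGE_EVENTS = """\
2013-08-02T09:00:00 db01 change config-edit
2013-08-05T09:00:00 web01 change package-install
"""

SYSTEMS = ["db01", "web01", "fs01"]  # inventory the metrics are measured against
NOW = datetime(2013, 8, 6)           # fixed "now" so the figures are reproducible


def parse(text):
    """Yield (timestamp, system, remaining fields) for each non-blank line."""
    for line in text.splitlines():
        if line.strip():
            ts, system, *rest = line.split()
            yield datetime.fromisoformat(ts), system, rest


@dataclass
class BackupMetrics:
    systems: int
    backed_up: int = 0        # 1) successful backup within max_backup_age
    encrypted: int = 0        # 2) latest successful backup was encrypted
    restore_tested: int = 0   # 3) successful restore test within max_test_age
    stale: list = field(default_factory=list)
    unencrypted: list = field(default_factory=list)
    untested: list = field(default_factory=list)
    changed_since_backup: list = field(default_factory=list)

    def ratio(self, name):
        """Fraction of the inventory satisfying a metric, e.g. ratio('backed_up')."""
        return getattr(self, name) / self.systems if self.systems else 0.0


def compute_metrics(systems, backup_jobs, restore_tests, change_events, now,
                    max_backup_age=timedelta(days=7),
                    max_test_age=timedelta(days=90)):
    # Newest successful backup per system: system -> (timestamp, encrypted?)
    last_ok = {}
    for ts, system, rest in parse(backup_jobs):
        status, encrypted = rest[1], rest[2] == "encrypted=yes"
        if status == "ok" and (system not in last_ok or ts > last_ok[system][0]):
            last_ok[system] = (ts, encrypted)

    # Newest successful restore test per system
    last_test = {}
    for ts, system, rest in parse(restore_tests):
        if rest[1] == "ok":
            last_test[system] = max(ts, last_test.get(system, datetime.min))

    # Newest material change per system (from forwarded audit logs)
    last_change = {}
    for ts, system, _ in parse(change_events):
        last_change[system] = max(ts, last_change.get(system, datetime.min))

    m = BackupMetrics(systems=len(systems))
    for s in sorted(systems):
        backup = last_ok.get(s)
        if backup and now - backup[0] <= max_backup_age:
            m.backed_up += 1
        else:
            m.stale.append(s)
        if backup:
            if backup[1]:
                m.encrypted += 1
            else:
                m.unencrypted.append(s)
        if s in last_test and now - last_test[s] <= max_test_age:
            m.restore_tested += 1
        else:
            m.untested.append(s)
        # Change-driven check: a change newer than the last good backup (or with
        # no good backup at all) means the weekly cadence alone is not enough.
        if s in last_change and (backup is None or last_change[s] > backup[0]):
            m.changed_since_backup.append(s)
    return m


if __name__ == "__main__":
    m = compute_metrics(SYSTEMS, BACKUP_JOBS, RESTORE_TESTS, CHANGE_EVENTS, NOW)
    for name in ("backed_up", "encrypted", "restore_tested"):
        print(f"{name}: {getattr(m, name)}/{m.systems} ({m.ratio(name):.0%})")
    print("stale:", m.stale, "unencrypted:", m.unencrypted,
          "untested:", m.untested, "changed since backup:", m.changed_since_backup)
```

The point of measuring against an inventory rather than against the job log is that a system that never shows up in the backup log (fs01 above, whose only job failed) still counts as stale; a metric computed only from successful jobs would silently omit it. The change-driven list is what the “backup on material change” wording would be checked against, and it depends on the audit logs actually reaching the central place, which is the process dependency noted in the text.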

 For more details on this Control – including a numbered list containing each requirement, its
description, and my notes pertaining to the requirements – refer to the full analysis here.

About the Author:
Adam Montville was formerly a Security and Compliance Architect for Tripwire Inc.,
where he ensured that technical architectures and solution capabilities solved real-world
security and compliance problems.

Adam can be reached by email at [email protected] and on Twitter at @AdamMontville.



19 Cyber Warnings E-Magazine – August 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide