Page 6 - CDM-Cyber-Warnings-January-2014
Leveraging Policy and Procedure to Get the Most out of Cyber Defense Technology

Why Policy and Procedure is Critical to Effective Technology Countermeasure Deployment

by J.R. Cunningham, Regional Director, Accuvant

Technology countermeasures have come a long way since the dawn of information technology security. Just over a decade ago, IT security technology could be loosely categorized into endpoint and network security. With these broad categories one would have covered the vast majority of technology countermeasures available to mitigate risk. Fast-forward to the present: even trying to categorize certain technologies into a broad “type” such as network security is difficult, especially when we consider cutting-edge technologies centered on dealing with advanced persistent threats. Times have changed.

The complexity of cyber technology countermeasures is further complicated by how those technologies are deployed in an organization, and effective policy and procedure is an often-overlooked aspect of an effective cyber defense strategy. Mitigating risk with technology requires a balanced, risk-centric approach that is codified by an effective security policy and the appropriate procedures surrounding specific defenses.

One of my favorite examples of this concept is vulnerability management. A few years ago I was deploying a cutting-edge vulnerability management system for a client. The client asked me if we could exclude a block of IP addresses from being scanned by the vulnerability management solution. “Sure,” I said. “What do you want to exclude?” The client’s reply startled me: “The phone system. Every time we scan it for vulnerabilities, it crashes.” I asked the client, a mid-level IT security analyst, if he thought this represented a vulnerability. An attacker would certainly not exclude the phone system from a reconnaissance-gathering mission, and would therefore likely crash the phone system during a scan.
“Of course, but our department gets a lot of attention when we bring down the phone system, so let’s exclude it from being scanned.”

To me, as a cyber security professional, this represented a profound failure of policy and procedure in the risk management process. In this instance, my client had all of the components necessary for effective situational awareness regarding vulnerabilities, and yet had a phone system that was vulnerable to the most basic pre-attack activity: a vulnerability scan.

I spent some time with this client and built an effective case to demonstrate to the CISO the real and acute risk that could be effectively mitigated in a number of ways. Approaching the phone system vendor for a software update was obviously the preferred approach, but several technologies existed to help mitigate this specific risk. This particular client had an IPS system in the network core, so creating a signature to block the specific attack that exploited the phone system vulnerability was also an effective method for eliminating the vulnerability and allowing the vulnerability management system to effectively do its job. Once the CISO understood the risk of an attacker taking down the phone system with a simple reconnaissance scan, she determined the appropriate approach was to create the