Page 7 - CDM-Cyber-Warnings-January-2014
recommended IPS signature while attempting to provide a fix from the phone system vendor. In this example, technology was not the issue: every tool needed to identify and mitigate the risk was already in place. The failure, which is what created the vulnerability, was procedural. A coherent explanation of the risk to the CISO was all that was needed to enable a risk-centric decision.

Intrusion prevention is another common example of this phenomenon. My clients frequently disable the medium-severity signatures on their IPS, along with protocol anomaly detection, because their custom applications trigger "false positives." Often these "false positives" are real vulnerabilities or weaknesses in custom code that go unaddressed, not because a policy says to ignore them, but because no policy or procedure exists for handling such risks. Again, all of the technology needed to mitigate the risk exists, but these "lack of policy" decisions are made at the technical level within an organization, and the risk is never communicated in business terms to an appropriate decision maker such as the CISO or CIO.

The solution is simple to state but takes dedication and commitment at every level of the organization. Before a technology is deployed, a basic policy and procedure framework should be established as part of the requirements definition for any new cyber defense technology. In the vulnerability management example, some basic policy and procedure items would be: the scanning interval; how thorough the routine scans will be; how quickly vulnerabilities of a given severity must be patched; how discovered vulnerabilities are communicated within the organization; and how patched vulnerabilities are verified. Once that basic framework is in place and the technology deployed, further procedure work is needed to fine-tune how the organization adopts and manages the new risk-mitigation technology.
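The policy items listed above are only useful if they produce a concrete answer a risk owner can act on: which findings are past their patch window, which fixes were never verified by a rescan, and whether scans are actually running on schedule. The following is an added illustration written for this page, not code from the article or from Accuvant. The patch windows, the scan interval, the host names and the scan history are all constructed placeholders; an organization substitutes its own policy values.

```python
"""Vulnerability-management policy as code (added illustration, not from the article).

Encodes the procedure items named in the text (scan interval, patch window per
severity, verification by rescan) and applies them to a scan history so the
result can be reported to a risk owner as a concrete list of overdue items.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical policy values chosen for illustration; an organization sets its own.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SCAN_INTERVAL_DAYS = 14


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # the scanner's identifier for the check that fired
    severity: str   # one of the PATCH_WINDOW_DAYS keys


@dataclass(frozen=True)
class Scan:
    run_on: date
    findings: frozenset  # of Finding


@dataclass
class Report:
    status: str                      # open | overdue | verified | verified-late
    first_seen: date
    due: date
    verified_on: Optional[date] = None


def scan_interval_violations(scans, max_gap_days=SCAN_INTERVAL_DAYS):
    """Consecutive scans whose gap exceeded the policy interval."""
    ordered = sorted(scans, key=lambda s: s.run_on)
    violations = []
    for prev, nxt in zip(ordered, ordered[1:]):
        gap = (nxt.run_on - prev.run_on).days
        if gap > max_gap_days:
            violations.append((prev.run_on, nxt.run_on, gap))
    return violations


def evaluate(scans, today, windows=PATCH_WINDOW_DAYS):
    """Apply the patch-window and verification policy to a scan history.

    A finding is 'verified' only when a later scan no longer reports it; a
    ticket closed without a rescan never reaches that state. The clock starts
    at the first scan that reported the finding, and a reappearance does not
    reset it, which is the conservative choice for SLA reporting.
    """
    ordered = sorted(scans, key=lambda s: s.run_on)
    latest = ordered[-1].run_on
    seen = {}  # (host, check_id) -> (severity, [dates on which it was present])
    for scan in ordered:
        for f in scan.findings:
            seen.setdefault((f.host, f.check_id), (f.severity, []))[1].append(scan.run_on)

    reports = {}
    for key, (severity, dates) in seen.items():
        first_seen, last_seen = dates[0], dates[-1]
        due = first_seen + timedelta(days=windows[severity])
        if last_seen == latest:
            status = "overdue" if today > due else "open"
            reports[key] = Report(status, first_seen, due)
        else:
            # The first scan after the last sighting is the one that verified the fix.
            verified_on = next(s.run_on for s in ordered if s.run_on > last_seen)
            status = "verified-late" if verified_on > due else "verified"
            reports[key] = Report(status, first_seen, due, verified_on)
    return reports


def sample_history():
    """Constructed scan history for the example; not real scan data."""
    web_cipher = Finding("web01", "ssl-weak-cipher", "high")
    web_header = Finding("web01", "custom-app-header-overflow", "critical")
    db_creds = Finding("db01", "default-credentials", "critical")
    db_banner = Finding("db01", "version-banner", "low")
    return [
        Scan(date(2014, 1, 1), frozenset({web_cipher, web_header})),
        Scan(date(2014, 1, 15), frozenset({web_cipher, db_creds})),
        Scan(date(2014, 2, 5), frozenset({web_cipher, db_creds, db_banner})),
    ]


if __name__ == "__main__":
    history = sample_history()
    for gap in scan_interval_violations(history):
        print("scan interval exceeded: %s -> %s (%d days)" % gap)
    for (host, check), r in sorted(evaluate(history, history[-1].run_on).items()):
        print(f"{host:6} {check:28} {r.status:14} due {r.due} verified {r.verified_on}")
```

Run on the constructed history, the report shows the weak-cipher finding on web01 and the default-credentials finding on db01 as overdue, the header-overflow finding as fixed but verified only after its window had passed, and a 21-day gap between the last two scans that breaks the 14-day interval. Each of those is a policy question (who owns the fix, why the rescan slipped) that can be put to a CISO in business terms rather than left as a technical decision.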
Just as we fine-tune technical countermeasures during their lifecycle, we must also fine-tune our policy and procedures to ensure we are getting the maximum possible situational awareness and risk mitigation from the technology. Cyber defense is complex, and effective risk management is a complex relationship between technology, process, and people. Effective policy and procedure are critical components of cyber defense and should be given their due attention in any cyber defense strategy.

About The Author

J.R. Cunningham is a regional director for Accuvant. He has performed security consulting, architecture, and assessment work across the globe and across a wide variety of industries, including finance, insurance, healthcare, education, the intelligence community, the Department of Defense, and civilian government sectors. J.R. has worked with the world's largest providers of security products and services in the delivery of complex custom security solutions. Prior to his work in security and risk, J.R. directed technology operations at CBS MarketWatch, one of the world's most visited websites. J.R. can be reached online at [email protected] and at our company website http://www.accuvant.com