to quickly probe and pursue targets. CISOs need to be able to respond quickly by monitoring
their systems to detect and react to intruders in real time. Just as attackers use automated
systems to rapidly search for vulnerabilities, defenders can use automated detection systems to
determine that scanning is underway and dynamically adjust their environment to confound it. A
continuing issue is that many organizations do not establish software lifecycle programs to deal
with software that is no longer supported. Most of these systems' vulnerabilities are no longer
patched, which makes them static targets that can no longer easily maneuver and often leaves
them open to easy compromise. Because threats are so dynamic, CISOs have to be very agile
and dynamic as well.
Lesson 3: Identify the Correct Center of Gravity
The next major lesson from classical military theorists for a modern CISO is the importance of
focusing on the correct center of gravity. In cyberspace terms, this center of gravity is also often
referred to as cyberspace key terrain. There are many thousands of devices on any medium-
sized network; which ones does a CISO pay attention to first? Resources are always limited, so
prioritization is a key question for any CISO. Clausewitz identified the center of gravity as the
"hub of all power and movement," a concept that is notoriously difficult to understand and
apply to a practical situation.[20] For a CISO, the center of gravity should encompass only the
most critical business systems, and what those systems are will depend on the nature of the
business and the strategy of the firm. As a simple example, for a bank, e-mail servers are
presumably of far less importance to the survival of the bank than the systems that transfer
money. For a major manufacturing firm, the cyber key terrain might be the computer systems
controlling manufacturing.
There are several key characteristics of cyber key terrain that are worth exploring. One factor is
that cyber key terrain can change very quickly. Gregory Rattray identified that the geography of
cyberspace is extremely mutable and that the cyberspace equivalents of mountains and oceans
can be shifted, deleted, or inserted with the flick of a switch.[21] However, cyberspace is not
endlessly mutable, as it is tied to the physical world. The physical devices that create cyberspace
matter, and defending them is a critical element of an effective defense in depth.[22] Many a
CISO has learned this the hard way when an attacker gains physical access to inadequately
protected hardware or someone with a backhoe digging a trench accidentally takes down a
critical data center.
Both the physical and virtual portions of cyberspace matter and should be mapped to a
comprehensive enterprise architecture if it is going to be defended properly. A good enterprise
architecture is the first step, but if a CISO is going to identify what is truly critical, they will have
to also do a mission analysis of what elements are most important to the organization.
Numerous methodologies for this type of analysis are available from numerous organizations.
Sorting through them is hard work, but it is absolutely imperative if a CISO is going to
understand their center of gravity and cyber key terrain.
Lesson 4: Use an Indirect Approach
73 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide