In Part 1 of this two-part series, we examined the rise of cyberwarfare, its characteristics, and expectations of government involvement. In this final installment, we look at what it takes to protect private and public organizations from the effects of state- or group-sponsored warfare.
Defending networks isn't a new concept. We've known how to implement prevention, detection, and response controls for years. This isn't the problem. The challenge we face is the lack of will to do what's required to deal with the increasing threats from nations, terrorists, and others. Relying on the Federal government to protect us is simply finger pointing. The fingers need to come down while organizations start assuming responsibility for their own defense.
Cyberattacks related to warfare differ little from those associated with criminal activity. The main difference is in the effort expended. Cybercriminals tend to walk away when the cost of reaching their objectives exceeds expected revenue. Cyberwarriors take a different approach. Using advanced persistent threats (APTs), cyberwarriors use any means necessary (including time) to achieve political or social objectives. However, the basic defense for both financial and sociopolitical attacks is the same.
- Management acceptance of defense as a cost of doing business. Once C-level management accepts security in general, and cyberwarfare defense in particular, as a necessary part of doing business, an organization's culture begins to change. As executive management approves and supports security policies and their expected outcomes, all levels of management tend to integrate information-safe business practices into their employees' day-to-day processes.
- Development of a security program/framework. Security programs contain policies, standards, and guidelines required for consistent compliance with management expectations of risk. In addition to program- and issue-level policies that provide general guidance, system-level policies should exist for probable cyberwarfare targets.
Security frameworks are typically based on a standard of best practice adopted by the organization. Standards of best practice, such as COBIT 5 and ISO 27002, provide the foundation for understanding potential gaps in policies and controls.
- Risk management. Risk management processes identify gaps between management's expectations and reality. In general, a risk assessment provides a roadmap to achieving a reasonable and appropriate defense by identifying
- Critical systems, including targets of interest to cyberwarriors
- Intellectual property
- National defense technology
- Critical national public services delivery components
- System interdependence
- Impact if critical systems or data are compromised
- Overall risk associated with each identified probable target
- Change management. Although in danger of beating the proverbial dead horse, I have to say it again; SECURITY IS A PROCESS. Every time an organization changes an application, adds a system, or makes an adjustment to a network device, the potential for increased risk exists. A solid change management program helps prevent acceptable residual risk from crossing the line to high risk.
Risk management supports change management by requiring risk assessments as part of the software/system development lifecycle (SDLC). Integrating security into every facet of IT projects is a necessary component in cyberwarfare defense.
- Monitoring. The most basic monitoring controls are alerts from various devices if something questionable occurs. However, this approach requires time to track down the cause and delays response. Understanding how the reported event fits into the overall state of the network requires time and effort: time used by an attacker to accomplish additional steps leading to the target.
A better approach is a comprehensive log management solution. Commonly known as security information and event management (SIEM), this type of solution gathers information from across the network. Once information is aggregated, a correlation engine looks for patterns. When a pattern falls outside what is expected for an organization's unique network/device operations, the SIEM sends an alert. At this point, responders have a clear picture of the overall activities involved in a possible attack.
- Incident response. It's unrealistic to believe an organization will never be successfully attacked at some level. Monitoring helps detect unwanted behavior, and it's supported by quick and effective response to probable attacks. Incident response requires policy, processes, and team training to be effective. The quality of any response directly affects the impact of an attack.
Controls implemented and managed due to the above processes must include prevention, detection, and response elements. Within each of these, controls related to physical, logical, and administrative security are necessary. For more information on control types and related controls, see Enterprise Security: A practitioner's guide - Chapter 1.
The final word
No organization is truly immune from cyberwarfare activities. If attacking a network provides sociopolitical value, that network is a probable target. Relying on government intervention or cooperation to protect private and public industry infrastructure is unreasonable. It's up to each of us to take steps to secure our information resources and the processes they support.
We don't have to look far to find guidance for achieving reasonable and appropriate protection. Mature standards of best practice already exist. It simply takes a shift in perspective at the management level to begin integrating security into every facet of business operations. The perspective needed is one of accepting cyberwarfare as a growing reality and defense as a cost of doing business.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.