Proactive Security

It’s true that anything that could possibly go wrong will definitely go wrong, no question about that. This is from experience! In engineering fields, there’s a saying that, “When everything is working just fine, that’s normal. But our existence is recognized when something goes wrong!” I totally agree with that, I mean that’s why we work every day, to make sure that everything works well. In a digitally connected world, things will always go wrong. Most of the time! There are people out there working hard just to find a little mistake and breach the security put in place. In fact, the question is not whether the security will be compromised, but when it is going to happen. But are we supposed to just sit and wait for the “when” so that we can act? Definitely not. Security is a continuous process and a collective responsibility. It involves having effective policies in place, putting strategic security measures in place and training the employees and end-users. We call this proactive security.

So how exactly do we achieve all this to secure the infrastructure? Well, that’s what this article is all about: to shed some light on how to attain a secure environment for the organization’s assets. It’s important to understand that each company or organization has its own unique security design requirements, based on its needs. NIST (National Institute of Standards and Technology) has a framework that acts as a blueprint for the security design. And again, this is just a blueprint. Remember that each organization has its own security needs, which can be built on this framework. The framework breaks the security layout down into five stages:

1.    Identify

I know this is kind of weird, but we just can’t protect what we don’t know. So, what exactly are we supposed to identify? You guessed it right! As a security engineer, security analyst or whatever title you have, you first need to identify the organization’s assets. What are the assets that need to be protected? These could be the organization’s data, systems and anything else that is of great value to the organization’s operations. Identifying the assets is the first step in laying down a secure environment. Next, we need to identify the threats that these assets should be protected from. We call this threat analysis. We need to identify and know the vulnerabilities that could be exploited to compromise the security in place. There’s an easier method I prefer in threat analysis. I usually use the Johari Window to categorize the threats.

[Image: Johari Window diagram with the four categories of vulnerabilities]

The Johari Window works with the notion of 'us' against 'them'. It’s based on what we know and what they (the attackers) know. Once we know what is known to us and to them, we can then decide which security strategies to deploy. As can be seen in the diagram above, the Johari Window has four rectangles: Known Knowns, Unknown Knowns, Known Unknowns and Unknown Unknowns.

Known Knowns: these are the vulnerabilities which are known to both the organization and the attackers. Most of these vulnerabilities are easy to protect against because, being known, they have patches. Successful attacks on these vulnerabilities are usually due to security officers who don’t take their work seriously, I would say that. The thing is, it’s easy to protect the organization from vulnerabilities which are known to both us and the attackers. Period!

Known Unknowns: these are the vulnerabilities that the organization is aware of, but the attackers are not yet aware of. These are the easiest to fix and they don’t pose a great threat as long as the attacker is still in the dark. Once identified by the organization, they should be fixed immediately to ensure that the assets are secured.

Unknown Knowns: this is the category of vulnerabilities that poses the greatest threat to organizations. We call them “Zero-Day” vulnerabilities because the attackers have identified them before the security experts have. They have no patches or fixes in place, and the attackers can exploit them without notice. They require a stronger and more strategic security layout to protect the assets from them.

Unknown Unknowns: this category of vulnerabilities still poses a big threat to the organization, but not as much as the previous category. The threat depends on who identifies the vulnerability first, and the organization still needs to put stronger security measures in place.

Identifying the assets to be protected and the threats to those assets is the first stage of good security. At least we now know what we are dealing with and what could possibly go wrong.

2.    Protect

So, what do we do with the identified assets and the threats that could compromise their security? Nothing special, we just protect the assets from the identified threats. As easy as that. But it’s never as easy as it sounds; this is the toughest job of a security officer (or whoever is mandated with this task). The first step of protection is having a well-defined security policy in place. A security policy outlines the “what”, “who”, “when”, “why” and “how”. The policy states how the security should be implemented, who is responsible for the implementation and the procedure followed for each step of implementation. A good security policy plays a fundamental role when it is followed.

Protection also involves the deployment of security devices such as firewalls, intrusion detection systems and intrusion prevention systems to protect the company’s assets. Selecting the devices to deploy requires skilled personnel with an understanding of all the security risks, the organization’s operations and the functionality of the selected devices. Protection also involves training the end-users on best security practices. Remember that security is a collective responsibility; a single mistake by an unaware user could jeopardize all the security layers in place. The Protect function offers the ability to limit the attack surface and to contain the impact of a possible security breach.

3.    Detect

Sometimes the security measures in place can still be breached and the organization’s security compromised. This happens for many reasons, but the main one is that attackers are smart people, with a lot of dedication and commitment, and sometimes they have powerful resources at their disposal. And don’t forget, they drink coffee too! So, if they find a single loophole, they will take advantage of it. For this reason, there should be measures in place to detect any breach of the organization’s assets. Again, this can be achieved in different ways depending on the organization’s security design. You need to be able to spot suspicious network activity, sudden changes to critical infrastructure and anything out of the normal. I use the phrase, “see something, say something!” The Detect function provides the ability to discover cybersecurity events in time.

4.    Respond

By now, we should all know that once a cybersecurity event has been detected, the next move is to respond immediately, to avoid massive damage. This function is essential for the development and implementation of appropriate actions to stop and mitigate the detected cybersecurity incidents. At this stage, our main goal should be containing the impact of the potential security breach. A successful incident response depends on several factors, like having a response plan in place, the way communication flows in the organization, threat analysis and mitigations. A good security policy will provide the response procedure: what should be done, how it should be done and who should do it. The main goal of security response is to contain the situation and restore normalcy in business operations. This is where backups and redundancy come in handy. The response could mean completely disconnecting infected and breached systems from the network to prevent further infection.

5.    Recover

We need to have the capability to return to normal operations even after a breach. Life happens, and so does death. We need to move on and ensure that everything is working as it should; that’s our job. Recovery involves the development and implementation of appropriate activities for maintaining resiliency plans and restoring data and services after a cyber-attack. Again, the security policy should define the recovery plans for the organization. Communication also plays a major role in ensuring a successful recovery.

It's now clear to most of us that being recognized isn't the deal: the more we do our job well, the lower a profile we keep. But keeping a low profile comes with a lot of responsibilities: showing up early and sometimes leaving late, just to keep that damn low profile. Communication plays a bigger role here and you don't want to forget about that. Be proactive, and always prepare for the worst: it's the rule of the game. And don't you ever allow someone to remind you about your COFFEE. Never!
