#287 – DO YOU REALLY KNOW WHAT YOU’RE PROTECTING? – DAN SHOEMAKER PH.D.

I have talked in earlier posts about holistic solutions to cybersecurity problems. But the term “holistic” is actually an empty word. Especially when you couple it with the king of all empty words, “cyber security”. So, let me start this with a couple of necessary definitions. Cyber security is a concatenated term, “cyber,” in essence, of or related to computers, and “security,” protection from threat.”

As in all concatenated terms, the last word is the actual purpose. So, “national security,” “home security,” and even “investment security,” are all types of protection. Hence, when you practice investment security you are not doing any actual investing. You are protecting the investment.  In the case of cyber security, you are seeking to ensure that computers and computerized information are comprehensively protected from any viable threat.

Comprehensive protection requires a holistic approach. That is because legitimate threats to computers and the information that they process and store can originate from a wide variety of human, physical, and electronic sources. So, a complex and typically tailored set of  security controls is deployed as the intentional mechanism for protecting a defined set of computer and information assets.

The key term here is “defined”. And I am here to challenge anybody who tells you that they know exactly what assets they are protecting when they deploy a cybersecurity response. That simply isn’t true. I WILL concede that they CAN tell you about threats to the assets that’ve been identified and that somebody has decided are important. And they can probably even target the electronic repositories those items are kept in. What they CANNOT tell you is whether critical assets were overlooked, and they cannot guarantee that interdependencies and linkages do NOT exist that will permit backdoor entry into protected space. I know this is the case because EVERY zero knowledge exploit in the hacker’s playbook starts with those two assumptions.

In fact, because of the time and cost involved in getting a basic understanding of the assets that actually fall within a cybersecurity protection scheme, the practical, money-saving approach of most organizations is to simply fire shots in the dark. And you don’t have to be Sun Tzu to recognize that not knowing exactly what your protecting is seldom good strategy. That’s because important things can be left out of the protection scheme, or tunnels into your critical information can be missed and that opens your organization to a wide range of threats.

I believe it was Clausewitz who first said that if you want to defend the ground you have to walk it. So, if you truly want to protect your information you have to take the time to painstakingly identify and manage what you plan to protect, along with all of the interdependencies. Thus, the first step in the development of any effective cybersecurity response is to always do a comprehensive inventory and valuation of each meaningful piece of information that the organization holds.

In effect, all of the information in all physical and virtual repositories has to be identified and assessed. That identification and assessment has to document the status of every information item, in every one of its forms. And the ensuing documentation has to be managed as a proxy for the asset. That proxy is THEN placed under strict configuration management, which ensures that the exact status of the asset that you plan to protect is always known.

Ensuring the known state of the protection target requires a disciplined process of identification and change control. It is relatively easy to keep track of a TANGIBLE inventory. That’s because you can see it. Nevertheless, unlike tangible things, information is invisible and dynamic. Meaning it is far too easy to alter. So, some form of strict organizational control is necessary to prevent an operational unit from inadvertently creating holes in the protection scheme by making a change to the asset that isn’t accounted for by the security function.

For instance, a business component could make the decision to add “social security number” to one of its forms. If that happened, the overall protection requirements would change, perhaps radically. Yet, the necessary safeguards would not be put in place because the cybersecurity function wouldn’t know that the sensitivity of an item had just changed.

That is the reason why nearly every best practice standard, the Risk Management Framework, or NIST 800-161, or the CSF for instance, are initiated by a thorough, inventory, classification, labeling and baselining of all items that are to be secured against threat. What I am suggesting involves hard work, and it is resource intensive. But it is not exactly new, nor is it rocket science. For instance, financial managers know to the penny what all of their current balances are, the same with materials managers. Whereas, it would never cross the mind of managers of an equally valuable INTANGIBLE asset, like information, to know what’s actually in the vault, or stockroom.

There is an old vaudeville joke about a guy standing on a street corner snapping his fingers. A passerby asks him what he’s doing, and he says, “I’m protecting us from tigers.” The passerby looks around and says, “I don’t see any tigers?” and the guy says, “See, it works!” As far as I’m concerned THAT sums up the cybersecurity profession’s current approach to asset security. Holistic security starts with knowing what you are protecting. And you are just snapping your fingers if you don’t know what you have.

Bio:

In addition to my own teaching, research and publication program, I am accountable for developing innovative research programs in cybersecurity. I am also responsible for leadership in all aspects of curriculum design and development for a National Center of Excellence in Information Assurance Education (CAE/IAE). Courses taught include:

 Graduate Secure Software Management
 Graduate Software Assurance
 Graduate Information Assurance Principles

Leave a Reply

Your email address will not be published. Required fields are marked *