Arming the Fortress: Principles for Securing Your Enterprise
by Dan Shoemaker
We as a nation -- and each CEO as the individual custodian of a business enterprise -- are going to have to rethink how we define "secure." On most planets there is no way anybody would consider himself or herself safe if the average evil-doer could penetrate a defense simply by walking around it. Nevertheless, that is precisely the situation when it comes to cybersecurity.
This lapse is directly attributable to the apparent fact that people running the world's corporations don't recognize that cybersecurity is not just an IT, or even an electronic, problem. The truth is that whatever money a corporation is dumping into securing networks is not going to provide sufficient protection, which is why human-centered exploits took up three of the top four spots in the Computer Security Institute (CSI) annual survey. The success rate of nonelectronic exploits also contributes to the fact that the US annualized corporate losses to cybercrime now hover consistently in the range of US $500 million a year.
Of course, two-thirds of those losses did come from the exploits of folks in organized crime. Based on the CSI's figures, about a third of the loss is attributable to the fact that companies do not deploy a highly coordinated set of physical security safeguards against human-centered violations. Such safeguards address violations such as theft of the machine itself, phishing and other social engineering scams (through awareness and training), and employee misbehavior (through management controls).
Moreover, companies that are serious about protecting their data are essentially just rearranging the deck chairs on the Titanic if they lack an integrated set of security governance controls. So, what should you do to ensure that you are actually protecting all four sides of your fortress? Here is a set of principles that you might find useful:
- Inventory your information. Most corporations don't actually know what records they keep and, thanks to dependencies, that lack of knowledge can open the door to exploitation from a seemingly infinite number of sources. Therefore, companies need to identify for certain what to secure. And the only way to find that out is to describe and baseline any information of value. That information baseline is then kept current and ensured by configuration management. Then companies should:
- Know the risks and prioritize. Nobody has the resources to protect all of the information they keep. There are items of information that have to be protected at all costs and there are things that are too trivial to care about. The art lies in deciding which is which. That requires formulation of a defense in depth that is based on a realistic prioritization of risk versus value. Prioritization is a political process as much as it is an empirical one. However, once a priority is established it can be used to guide the creation of a coherent and comprehensive set of:
- Policies, procedures, and strategic plans. These are needed to create and manage a proper array of countermeasures. This array should be comprehensive and coherent for the problem. It should embody a realistic understanding of the human factors involved in carrying out the security process. In practical terms, the organization needs to ensure that whatever security measures are deployed correspond to the culture and capabilities of the people who will be asked to execute them. If this is done correctly, then an explicit set of accountabilities can be associated with each procedure that will ensure effective execution of:
- A full spectrum of managerial and technical countermeasures. There are five potential areas where managerial countermeasures might be required and three areas of technical protection. The managerial areas are legal and regulatory compliance, business continuity, physical security, personnel security, and software assurance. The technical areas are communication and network security, application and system software security, and cryptography. All of these have to be considered in the design process. Taken together, these countermeasures represent a complete set of practical areas of protection. Consequently, the deployment of specific controls in these areas has to provably align with the policy and planning specifications developed in the prior stage. If those policies and procedures address priority risks, then it can be assumed that the protection is proper and complete.
I welcome your comments about this Advisor and encourage you to send your insights on the market in general to comments@cutter.com.
-- Dan Shoemaker