Rock Silo Cyber Security Platform by Jarvis Labs - Firewalled Appliances with an Artificial Intelligence Engine

Cyber security starts here - the Security Management Process


A technically minor attack, like a defaced web page, may or may not be as devastating as a backend server breach.  What about a multi-vector DDoS (distributed denial of service) attack?  The security management process helps your organization get a better understanding of its attack surface, i.e., its exposure to risk.  It is important for your organization to perform its own risk analysis to determine how costly a data breach or an offline system would be.

An incident response plan detailing what to do in the event of a cyber breach is key to helping your organization recover.  Technology, vendors, and people change around your cyber landscape, so it is important to keep your incident response plan up to date and relevant.  For many organizations this is a perpetual process.

The first part of your organization’s solution is to gather your management team and ensure that IT security is an included and thorough part of your risk management plan.  Healthcare, education, government, and financial organizations are required to include information security, and many industry-specific templates or programs can be leveraged.

Security risk management is an important business and financial undertaking.  It includes identifying the assets that are important to an organization and helps to determine the value or emphasis that should be placed on protecting those assets.  These assets can be information (data), facilities, people, products, or systems.  A complete risk management program is not only required for many organizations but imperative to their survival and financial well-being.

The security management process is outlined here.  Your organization can use this as a guide to determine risk assessment probabilities and impacts.  This process helps to determine the proper administrative, physical, and technical safeguards to implement in order to best manage the risks involved with your organizational mission.

It is important to note that not all risks can be eliminated, and that protecting against some risks might leave your organization unable to perform its mission.  Risks should be ranked based on your organization’s financial capability, operational ability, and willingness to assume risk and apply the corresponding mitigation measures.

The security management process consists of risk assessment, risk management, sanctions, and auditing.  Risk analysis should be thorough and complete; it helps to identify critical assets and the potential risks to them.  Risk management is the set of administrative, physical, and technical safeguards that your organization puts into place to manage the risks identified by your risk assessment.  It is important to develop sanction policies in order to identify the repercussions for those who violate the policies and procedures that you put into place in your organization.  Your security management process should be audited.  Processes can be put into place to audit and manage system logs, access control, and any other security incidents that are detected.

A thorough risk analysis helps to identify critical assets and the value that they have to the organization.  This procedure helps to determine the expense and effort involved with either mitigation or remediation of the loss of an asset.  As you work your way through the risk analysis process you begin to see a better inventory of your information assets and their exposure to risk.  Each organization is different and has its own priorities regarding the security and safeguarding of its information assets.

During risk analysis you begin to build a matrix with risk assessment probabilities.  These probabilities are the likelihood and frequency that an event is expected to occur.  The index values we use here for this probability are Frequent, Probable, Occasional, Remote, and Improbable. 

Frequent probability events are expected to occur, and often.  Probable events are likely to occur.  An occasional probability level is known to occur from time to time.  The remote probability ranking is used to rate events that are known to occur on rare occasions.  An improbable event is not likely to occur but cannot be ruled out, and is therefore included in the risk assessment matrix.  Descriptions of these probabilities are included in Table 1 below.

TABLE 1:  Frequency - Risk Assessment Probabilities - Likelihood and frequency of occurrence

  Probability   Description
  Frequent      Expected to occur and often
  Probable      Likely to occur
  Occasional    Known to occur from time to time
  Remote        Known to occur on rare occasions
  Improbable    Not likely to occur but cannot be ruled out

Once you have identified your risk assessment probabilities, you must determine the associated risk assessment impact of your events.  The risk assessment impact helps you to identify the level to which an event’s occurrence affects your organization.  The index values we use for the impact level are Catastrophic, Critical, Moderate, Marginal, and Negligible.

A catastrophic event would have severe repercussions including but not limited to death, health consequences, and severe economic impact.  A critical impact event would cause substantial damage or economic loss, and affects the organization’s mission and ability to operate.  At the moderate impact severity level some damage to the organization’s mission or operations occurs, and material economic loss can be realized.  A marginal impact event would cause minor economic loss, with no damage to the organization’s mission or ability to operate.  Negligible impact events are those that have minimal impact and are not worth considering.  A description of each risk assessment impact level is provided in Table 2 below.

TABLE 2:  Severity - Risk Assessment Impact - The level to which event occurrence affects the organization

  Impact         Description
  Catastrophic   Severe repercussions, death, health consequences, severe economic impact
  Critical       Substantial damage or economic loss, affects organization’s mission and ability to operate
  Moderate       Some damage to organization’s mission and operations, material economic loss
  Marginal       Minor economic loss, no damage to organization’s mission or ability to operate
  Negligible     Minimal impact, not worth considering

Your risk analysis process then consists of determining the risk rankings for your identified events.  Your organization’s risk ranking will help you identify which risks you should avoid, assume, reserve, or transfer.  The index values we use for risk rankings are Unacceptable, Undesirable, Acceptable, and Minimal.

An unacceptable risk should be avoided.  Undesirable risks should be reduced and reserved or transferred.  An acceptable risk can be assumed and reserved or transferred.  Risks with a minimal ranking can simply be assumed.  These rankings are detailed in Table 3 below.

TABLE 3:  Risk Rankings

  Ranking        Treatment
  Unacceptable   Avoid risk
  Undesirable    Reduce risk and reserve or transfer
  Acceptable     Assume risk and reserve or transfer
  Minimal        Assume risk

Now you are able to build your risk level matrix.  This matrix is built from the risk probabilities, risk impacts, and risk rankings outlined above.  Table 4 below illustrates how these risk assessment factors come together in the matrix.

TABLE 4:  Risk Level Matrix (rows: Frequency; columns: Severity)

  Frequency    Negligible   Marginal     Moderate       Critical       Catastrophic
  Frequent     MINIMAL      ACCEPTABLE   UNACCEPTABLE   UNACCEPTABLE   UNACCEPTABLE
  Probable     MINIMAL      ACCEPTABLE   UNDESIRABLE    UNACCEPTABLE   UNACCEPTABLE
  Occasional   MINIMAL      ACCEPTABLE   UNDESIRABLE    UNDESIRABLE    UNACCEPTABLE
  Remote       MINIMAL      MINIMAL      UNDESIRABLE    UNDESIRABLE    UNDESIRABLE
  Improbable   MINIMAL      MINIMAL      ACCEPTABLE     ACCEPTABLE     ACCEPTABLE

Using this matrix we are able to get a picture of our risk exposure.  As you can see, an improbable event that has negligible severity corresponds to a minimal risk level matrix value.  On the other hand, a frequently occurring catastrophic event is unacceptable according to the risk level matrix.
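The matrix of Tables 1 to 4, as an added Python example (not code from the page or from Jarvis Labs): the rankings are encoded as data, a monotonicity check confirms the transcription is consistent (raising frequency or severity never lowers the ranking), and constructed sample events are turned into a register ordered by ranking with the Table 3 treatment attached.

```python
# Added example, not from the page: Tables 1-4 as data plus a small risk register.
from enum import IntEnum

class Frequency(IntEnum):   # Table 1, least to most likely
    IMPROBABLE, REMOTE, OCCASIONAL, PROBABLE, FREQUENT = range(5)

class Severity(IntEnum):    # Table 2, least to most damaging
    NEGLIGIBLE, MARGINAL, MODERATE, CRITICAL, CATASTROPHIC = range(5)

class Ranking(IntEnum):     # Table 3, least to most serious
    MINIMAL, ACCEPTABLE, UNDESIRABLE, UNACCEPTABLE = range(4)

M, A, D, U = Ranking        # short aliases, in definition order

# Table 4 as transcribed from the page: one row per Frequency, columns in
# Severity order Negligible, Marginal, Moderate, Critical, Catastrophic.
RISK_MATRIX = {
    Frequency.FREQUENT:   (M, A, U, U, U),
    Frequency.PROBABLE:   (M, A, D, U, U),
    Frequency.OCCASIONAL: (M, A, D, D, U),
    Frequency.REMOTE:     (M, M, D, D, D),
    Frequency.IMPROBABLE: (M, M, A, A, A),
}

TREATMENT = {               # Table 3: what each ranking calls for
    U: "avoid risk",
    D: "reduce risk and reserve or transfer",
    A: "assume risk and reserve or transfer",
    M: "assume risk",
}

def rank(frequency: Frequency, severity: Severity) -> Ranking:
    """Look up one event's risk level in Table 4."""
    return RISK_MATRIX[frequency][severity]

def matrix_is_monotonic() -> bool:
    """Sanity check: raising frequency or severity never lowers the ranking."""
    rows = [RISK_MATRIX[f] for f in sorted(Frequency)]   # improbable .. frequent
    by_row = all(r[i] <= r[i + 1] for r in rows for i in range(4))
    by_col = all(rows[j][i] <= rows[j + 1][i] for j in range(4) for i in range(5))
    return by_row and by_col

def build_register(events):
    """events: (name, Frequency, Severity) tuples.
    Returns (name, ranking, treatment) rows, most serious first."""
    rows = [(name, rank(f, s).name, TREATMENT[rank(f, s)]) for name, f, s in events]
    return sorted(rows, key=lambda row: Ranking[row[1]], reverse=True)

# Constructed sample events (illustrative, not from the page).
SAMPLE_EVENTS = [
    ("Web page defacement", Frequency.PROBABLE, Severity.MARGINAL),
    ("Backend server breach", Frequency.OCCASIONAL, Severity.CRITICAL),
    ("Multi-vector DDoS", Frequency.REMOTE, Severity.MODERATE),
    ("Lost laptop with encrypted disk", Frequency.FREQUENT, Severity.NEGLIGIBLE),
]

if __name__ == "__main__":
    assert matrix_is_monotonic()
    for row in build_register(SAMPLE_EVENTS):
        print("%-32s %-13s %s" % row)
```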

The risk management process includes identifying and implementing safeguards to help protect your organization and mitigate security events that occur.  Risk management involves detailing the administrative and management safeguards that are put into place to manage your risk exposure.  Physical and technical safeguards can then be put into place to enforce your security initiatives.  The events that you place into your risk level matrix help you to determine your risk management plan. 

Many organizations have created a CISO (Chief Information Security Officer) or a compliance leader to oversee the risk management implementation.  Operations and finance departments are just as important to the security management process as the IT staff and this CISO position needs to be able to work with the entire organization.  This position is the assigned and named security role.

Workforce security is an administrative safeguard that includes identifying and defining your authorization and supervision procedures.  Often this means identifying key HR roles and responsibilities as well as your workforce supervisor roles.  You also address your organization’s workforce clearance procedures as well as termination procedures.

Information access management involves identifying your organization’s protected systems and data as an administrative safeguard.  As you detail your protected information assets you define access authorization policies.  For instance, you may determine that custodial or grounds workers don’t need access to customer data and backend financial systems.  The information access management process helps determine your access control policy so that your IT department can help ensure that users are given access only to what they need once they are authorized.

Security awareness and training is often the most important component of your administrative safeguards.  Organizations often put too much emphasis on firewalls or password policies and neglect informing and educating end users.  Your organization should have regular reminders, for instance, “don’t click on links or attachments from people you don’t know”.  Spear phishing attacks are one of the most common ways that an attacker gets into an organization’s network.  These reminders need to include best practices for social media and conference travel as well.  Your organization should inform users of account policies and enforcement procedures.  A login banner is a good place to remind users of your security awareness practices each time they log into the network.

Security incident procedures involve responding to and reporting security violations and/or findings within your organization.  A compromised system, data breach, or compromised user needs to be proactively and expediently remedied based on your incident procedures.  Your organization should detail specific responses and remedies for all of the security events that you identify in your risk assessment findings.

A contingency plan is an important administrative safeguard that is included in the security management process.  Your contingency plan should include a thorough data backup plan, disaster recovery plan, and emergency mode operation plan.  An applications and data criticality analysis is also important to help determine what needs to be brought back online for your organization to operate successfully.  Your contingency plan should be tested and revised based on findings. 

Another important component of your organization’s administrative safeguards is business associate and 3rd party agreements.  Many organizations today use 3rd party cloud hosting platforms for mainline business applications.  It is important to have a service agreement for your 3rd party platforms.  Internet service providers and telecom voice providers are examples of critical 3rd parties that need to be documented and maintained.  Also, contractors that are working for your organization need to be informed and aware of your security policies and procedures.  Contractors that require user accounts on your systems should be monitored, and their accounts should be set to expire once the contract work is finished.

Table 5 below illustrates administrative safeguards.

TABLE 5:  Administrative and Management Safeguards

  Topic/Need                        Implementation
  Security Management Process       Risk Analysis
                                    Risk Management
                                    Sanction Policy
                                    Information System Activity Review
  Assigned/Named Security Role      Identified Security Officer or Manager
  Workforce Security                Authorization and Supervision
                                    Workforce clearance procedure
                                    Termination Procedures
  Information Access Management     Identifying Protected systems and data
                                    Access Authorization
                                    Access establishment and modification / Access control policy
  Security Awareness and Training   Security Reminders
                                    Log-In monitoring
                                    Password management
  Security Incident Procedures      Incident response and reporting
  Contingency Planning              Data backup plan
                                    Disaster Recovery plan
                                    Emergency mode operation plan
                                    Testing and revisions
                                    Application and Data criticality analysis
  3rd party and vendors             Contracts, non-disclosures, and associate agreements

Physical measures and safeguards are developed to help your organization protect its information assets.  Facility access control is meant to help ensure that only authorized people are allowed into controlled areas of your facility.  Your organization may require vendors and contractors to check in with the front desk or security desk.  Facility access control should include a contingency plan for violations as well as facility emergencies, like fire.  Your facility security plan should identify key areas of your facility.  Maintenance records and door access logs should be kept and monitored.

Server systems and other critical network components should be physically secured and protected from the elements.  Physical access to server systems should be limited to only those who are authorized.  Adequate power and HVAC are important considerations for your server systems.

Physical security for workstations also needs to be considered.  Employees that use laptops or other mobile platforms should be required to adhere to your organization’s policies regarding stolen or misplaced items.  Employees need to report lost or stolen assets and may be subject to the applicable sanctions.

Another important measure for physical safeguards is to define and implement device and media controls.  Your organization should adopt a policy regarding the disposal of data assets.  The disposal of workstations, laptops, or mobile devices needs to include data wiping procedures.  If your organization is required to keep archives, then these archives need to also be protected and safeguarded.  Data backup media and offline data storage policies should be defined and enforced.

Table 6 below illustrates physical measures and safeguards.

TABLE 6:  Physical Measures and Safeguards

  Topic/Need                  Implementation
  Facility Access Control     Contingency operations
                              Facility Security Plan
                              Access control and validation procedures
                              Maintenance records
  Server Systems Security     -
  Workstation Security        -
  Device and Media Controls   Disposal, Media re-use, accountability, Data backup and storage

Technical measures and safeguards are used to help enforce your organization’s policies regarding identified information assets.  Access control is the basis for implementing secure multi-user network environments.  Each user should use a unique login account.  Users should be dissuaded from sharing user accounts with co-workers and sanctioned if they do.  Technical measures should be put into place to control user login times, automatic log off, and workstation locking.  An emergency access procedure should be developed; it determines what happens if a key supervisor or manager is out, or if someone needs access to a system outside of their normal job duties.  Temporary access can be given and should be audited when invoked.  Access to server systems and between servers should use encryption.  Remote users should access systems securely via encrypted SSL/TLS or VPN sessions.

Audit controls are a necessary technical safeguard.  Access to systems should be logged and monitored.  User logins, successful or not, should be logged.  Successful and denied access attempts to system resources can help determine where a security problem starts.  You can find compromised users or workstations just by looking at your log files if auditing and permissions are implemented robustly.

System, data, and authentication integrity is a technical safeguard that should be implemented.  Multifactor authentication along with encrypting all data between end points can help ensure data integrity.  Some online systems now send text messages to the account owner’s cell phone to add an authentication factor to logins.  For this type of added factor, a user is given a username and chooses a password, but upon login they also have to enter a PIN that is sent directly to them.  Smart cards, RSA keys, biometrics, and other authentication methods can be implemented to add authentication factors and increase integrity.

Table 7 outlines technical measures and safeguards.

TABLE 7:  Technical Measures and Safeguards

  Topic/Need                       Implementation
  Access control                   Unique user accounts
                                   Emergency access procedure
                                   Automatic log off
                                   Encryption and Decryption
  Audit Controls                   System logging auditing
  Integrity                        Mechanism to Authenticate and validate
  Person or Entity Authentication  Multi-factor authentication, biometrics
  Transmission Security            Integrity controls and encryption

Now that you have your risk management plan put together with detailed safeguards, a sanction policy is helpful to enforce it.  Sanction policies also help increase user awareness around security issues.  Sanctions include repercussions for those who violate a policy.  Technically implemented safeguards can complement administrative sanctions.  For instance, if a user forgets their password then the system will lock them out.  An administrative sanction could include employee termination and legal proceedings against them if needed.

The only way to measure the performance of a risk management program is to perform audits.  Audits help to inform you of whether or not your administrative, physical, or technical safeguards are working and properly in place.  If a security incident uncovers a new gap in your security management plan then your team must account for this new gap or vulnerability.

Your cyber security plan should consider compromised users and ways to mitigate and trap such users.  It’s all in the log files.  Log file correlation and automation is a good practice to adopt, and getting problems to the human awareness and response level is ultimately what your organization needs to successfully mitigate a cyber event. 
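The audit-control and log-correlation points above (logging successful and denied logins, then automating the search for compromised users) as an added Python example that is not code from the page or from Jarvis Labs. The line format is a constructed, hypothetical one, and the sample log is made up; the pass flags a successful login that follows a burst of failures for the same account within a short window.

```python
# Added example, not from the page: correlate login records to surface suspect accounts.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed line format (hypothetical, not any real product's):
# "<ISO timestamp> login <user> from <host> <SUCCESS|FAILURE>"
LINE_RE = re.compile(r"^(\S+) login (\S+) from (\S+) (SUCCESS|FAILURE)$")

def parse(lines):
    """Yield (timestamp, user, host, ok) for well-formed lines, skipping others."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue        # malformed or unrelated line: ignore rather than crash
        ts, user, host, result = m.groups()
        yield datetime.fromisoformat(ts), user, host, result == "SUCCESS"

def suspicious_logins(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {user: [(success time, failures before it, distinct hosts)]} for
    successful logins preceded by at least `threshold` failures within `window`."""
    failures = defaultdict(list)    # user -> [(ts, host)] of recent failures
    findings = defaultdict(list)
    for ts, user, host, ok in sorted(parse(lines)):
        # forget failures that fall outside the correlation window
        failures[user] = [(t, h) for t, h in failures[user] if ts - t <= window]
        if not ok:
            failures[user].append((ts, host))
            continue
        if len(failures[user]) >= threshold:
            hosts = {h for _, h in failures[user]} | {host}
            findings[user].append((ts, len(failures[user]), len(hosts)))
        failures[user] = []         # a success closes the burst
    return dict(findings)

# Constructed sample log (not real data); the last line is deliberately malformed.
SAMPLE_LOG = """
2024-03-01T08:00:01 login alice from 10.0.0.5 SUCCESS
2024-03-01T08:02:10 login bob from 10.0.0.9 FAILURE
2024-03-01T08:02:12 login bob from 10.0.0.9 FAILURE
2024-03-01T08:02:15 login bob from 10.0.0.9 FAILURE
2024-03-01T08:02:19 login bob from 10.0.0.9 FAILURE
2024-03-01T08:02:22 login bob from 10.0.0.9 FAILURE
2024-03-01T08:02:30 login bob from 10.0.0.9 SUCCESS
2024-03-01T08:05:00 login carol from 10.0.0.7 FAILURE
2024-03-01T08:05:20 login carol from 10.0.0.7 SUCCESS
this line is garbage and must be skipped
""".strip().splitlines()

if __name__ == "__main__":
    for user, hits in suspicious_logins(SAMPLE_LOG).items():
        for when, fails, hosts in hits:
            print(f"{user}: success at {when} after {fails} failures from {hosts} host(s)")
```

With the defaults only bob is reported; carol's single failure before success is normal behaviour, which is the kind of distinction an automated pass must make before a finding reaches a human.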

Successful attacks take time to implement and realize.  Almost all major cyber incidents, like those at the retail chain Target or Sony’s PlayStation Network, go unnoticed for weeks or even months.  Recent attacks in the news show that organizations are often lazy about log file auditing or simply don’t know what they are looking at.
