CS Operational Management
Security management involves operational planning (e.g. an Information System Security Plan) and decisions on security personnel (e.g. hiring hackers, in-house sourcing vs. an MSSP).
Planning an Information Systems Security Plan (ISSP)
An Information Systems Security Plan (ISSP) guides managers, system owners, and security personnel in carrying out the system security process effectively. The ISSP outlines the controls needed for an information system and describes acceptable use of those systems. The intention of the ISSP includes outlining clear responsibilities from the CEO down to the user base, and defining communication lines and processes to deal with the range of issues affecting the network.
The ISSP starts in the development phase by identifying the information system environment and the threats and vulnerabilities in the network. It may begin with penetration testing, vulnerability scanning, and compliance audits. Here, managers come to understand the security and performance trade-offs. This may involve identifying the critical areas that need improvement. For example, a sales or customer service department, where open communication is vital, has the highest risk of social engineering attempts. To mitigate this, the ISSP should outline how that department's network segment will be segregated from other corporate data (e.g. accounting).
By understanding the common performance vs. security trade-offs, the ISSP has a higher chance of success during implementation. See the document below for a paper on these trade-offs:
In addition to understanding the business environment, the procedures to implement and execute cyber security plans are equally important. The procedures to implement an ISSP must be consistent with the security policy to support the enterprise plans and objectives for three main control areas: management, operational, and technical. For management controls, system training and awareness requirements must be identified in the document. This should include the type of training and topic areas, frequency of training, the personnel required to take it, and the manager responsible for training record maintenance. For operational controls, the ISSP should require both the technical and management activities associated with the technical controls. When implementing technical controls embedded in the computer system, the system should be tested at appropriate intervals to make sure the automation is working as defined in the ISSP.
For federal and non-federal systems, the ISSP can mirror controls from NIST SP 800-53 (Security Controls) to obtain a comprehensive framework and benchmarks for management to work towards.
Touhill, G.J., Touhill, J.T. (2014). Cybersecurity for Executives: A Practical Guide. Hoboken, NJ: John Wiley & Sons, Inc.
FAA.Gov. (2016, November 21). Develop Preliminary ISSP (Including Basic Security Policy) (c). Retrieved from https://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/operations/isse/items/c%20-%20Prelim%20ISSP.cfm
What to Include in a Corporate ISSP?
Here are important items for consideration:
- Standard Operating Procedures (SOPs): Unusual Events and Backup/Restoration Procedures
- Company Paid Training Before Key Staff Uses New Technology
- Effective Training Against Social Engineering (Not Basic)
- Forensic Capability: Logs and staff to investigate those logs
We all know how frustrating it is to deal with new tools, processes, and procedures without documentation. What I would include is greater emphasis on specific departments or workers having well-defined SOPs (Standard Operating Procedures) for common, sudden, and unusual issues. Organizations should have employees come in on weekends as needed so that writing them doesn't interfere with usual business activities; make that weekend fun as needed to increase attendance. Self-written SOPs for a job function can give the employee a sense of responsibility to carry out their job specification as written, and provide a window for management (the CISO) to verify the correctness of procedures and identify any gaps in security. If SOPs already exist, the employee should improve them and note any changes.
This has two impacts on the business: efficiency and security. An example of the impact on efficiency is when the knowledge base does NOT need to be recreated by a new employee (which often takes months) because both company and employee provide comprehensive documents to deal with issues in a time-efficient and secure manner. Another example is when ransomware hits a machine and the staff never researched the database backup location or failed to document what to do in such an event. An SOP may reduce downtime for many different events affecting confidentiality, integrity, or availability.
The SOP has several impacts on security, for good and bad. On one hand, a well-summarized SOP may save an employee from falling victim to a social engineering attempt after the HVAC system was hacked; on the other, an SOP may include the very details an insider threat needs to carry out further spying and attacks. SOP document transmission should include rules on "need to know" authority, file permissions, and encryption in storage, which may be overlooked by a new incoming CISO. To add a layer of offensive security, one can include directories and files of SOP decoy documents, written in different languages, to trigger security alerts. This may provide hints of who is targeting the organization and what they are looking for. I believe the most important SOP is for travelling employees with mobile devices. Leaving devices in a rental car, a hotel, or some customers' facilities poses a risk to the intellectual property of the visiting organization. Imaging technology, and what contacts, pictures, and information may be stored on those devices, should be written out.
The second issue is that the company should provide comprehensive training to staff before they use cloud and database technologies. What I believe most organizations do is assume that 30 years' experience with technology somehow automatically makes people experts on any new technology that comes along. Next thing you know, the same person is talking to someone in tech support with 2 months' experience to resolve the issue. Security best practices for the new technology should be learned by key staff before deployment. For example, maintenance tools and analysis for the cloud are completely different from those for an ordinary server. This can leave staff stranded for weeks if IT doesn't know what could be causing a slowdown. It's no secret that many of today's vulnerabilities are in the configuration and deployment of new systems.
“The most effective way to implement cyber-security measures is to include them as part of the original system or service deployment, instead of retrospectively. Including security requirements and factoring in measures at the beginning makes systems more robust. Cyber-security requirements should also include how the system is operated to reduce the risk of unauthorized access or system misuse” (paconsulting.com, 2018).
Third, the ISSP should have comprehensive training on how social engineering really works. I don't believe it's enough to say "if you didn't expect the email, don't click on the link". I think that for certain industries, nation-state level attacks are a real concern, and the staff should not have their heads stuck in the sand when it comes to vishing, smishing, watering hole, and social media attacks.
Fourth, a company should have the ability to investigate events in a time-efficient manner if an employee suspects there are unusual events going on with their devices. This would be important to have an SOP for as well. It means administrators should know the location of logs, be able to tell whether the logs were tampered with, and be able to use company-owned forensic tools to investigate incidents in detail.
"The log data you collect from your systems and devices may seem pretty mundane. However, it could contain the precise evidence needed to investigate and successfully prosecute a crime. In order for log data to stand up in court as admissible evidence, you must take care in how you collect, handle and store the data. Read on for experts' best practices for using log data to support a forensic investigation." (Musthaler & Musthaler, 2009).
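One way to make tampering with collected logs detectable, as an added example that is not part of the original page: each record is chained to the previous one with an HMAC, so an edit, deletion or truncation breaks the chain from that point on. The sample log lines and the sealing key below are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed sample log lines for the demonstration (not from a real host).
SAMPLE_LOG = [
    "2018-04-02T08:01:12Z host1 sshd: Accepted publickey for alice from 10.0.0.5",
    "2018-04-02T08:03:40Z host1 sudo: alice : COMMAND=/bin/systemctl restart httpd",
    "2018-04-02T08:05:02Z host1 sshd: Failed password for root from 203.0.113.9",
    "2018-04-02T08:05:03Z host1 sshd: Failed password for root from 203.0.113.9",
]
# Hypothetical sealing key; in practice it is held by the log collector,
# not by the host whose logs it protects, so an intruder on the host
# cannot recompute the chain after editing the local copy.
KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = b"\x00" * 32


def seal_log(lines: List[str], key: bytes) -> List[Tuple[str, str]]:
    """Return (line, tag) records; tag_i = HMAC-SHA256(key, tag_{i-1} || line_i).
    Because every tag depends on all earlier tags, editing, inserting or
    deleting a record invalidates everything after it."""
    prev = GENESIS
    sealed = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed


def chain_head(sealed: List[Tuple[str, str]]) -> str:
    """Tag of the last record. Store it off-host (e.g. in the collector's own
    log) so that truncation from the end of the file is also detectable."""
    return sealed[-1][1] if sealed else GENESIS.hex()


def verify_log(sealed: List[Tuple[str, str]], key: bytes,
               expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact. Otherwise return the index of the
    first record whose tag does not verify; if every record verifies but the
    head differs from expected_head, return len(sealed) (records cut from the end)."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return len(sealed)
    return None


def demo() -> dict:
    """Seal the sample log, then show what each tampering pattern looks like
    to the verifier. Returns the verification result keyed by scenario."""
    sealed = seal_log(SAMPLE_LOG, KEY)
    head = chain_head(sealed)
    # An intruder rewrites a failed root login as a success, leaving the tag as-is.
    edited = list(sealed)
    edited[2] = (edited[2][0].replace("Failed password", "Accepted password"), edited[2][1])
    # A record is removed from the middle of the file.
    deleted = sealed[:1] + sealed[2:]
    # The newest record is cut off the end of the file.
    truncated = sealed[:-1]
    return {
        "intact": verify_log(sealed, KEY, head),        # None
        "edited": verify_log(edited, KEY, head),        # 2
        "deleted": verify_log(deleted, KEY, head),      # 1
        "truncated": verify_log(truncated, KEY, head),  # 3
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        status = "chain intact" if result is None else f"break at record {result}"
        print(f"{scenario:10s}: {status}")
```

The chain only proves that records were not altered after sealing, so sealing has to happen as close to collection time as possible, with the key and head kept where the monitored host cannot reach them.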
Musthaler, L., Musthaler, B. (2009, May 15). Using computer log data to support a forensic investigation. Networkworld.com. Retrieved from https://www.networkworld.com/article/2254368/infrastructure-management/using-computer-log-data-to-support-a-forensic-investigation.html
Paconsulting.com. (2018, April). Overcome the Silent Threat: Building Cyber Resilience in Airports. Paconsulting.com. Retrieved from http://www2.paconsulting.com/rs/526-HZE-833/images/PA_Airport%20Cyber%20Security%20Report.pdf
Ethical Crossroads: Hiring Hackers
The reason we are discussing this subject is that the line between "good" and "bad" hackers can be thin. As one should know, hackers can be professional burglars. These were the same thoughts about the infamous hacker Max Butler, whom most thought was a "reformed" hacker. He started a company named Max Vision Network Security that specialized in penetration testing, attempting to break into corporate networks to prove that their security wasn't as good as it could be. Max ended up going to jail for creating a modified worm intended to patch the holes created by another worm. The only problem was that the worm he created contained a backdoor exclusive to him, while it locked the other hackers out of the original worm's holes (Delio, 2001).
The above example is the worst-case scenario for a security engagement: the hacker uses vulnerability information to infiltrate for their own ends, which can be for several reasons without monetary motivation.
On the flip side, hacker teams are essential for finding vulnerable systems that cannot be identified by ordinary audit teams. The difference between the two kinds of auditors lies within the individual and the team. Ira Winkler, speaking at DEF CON 7, mentioned a scientific study of chess grandmasters and chess masters. The main difference was that chess grandmasters had more passion for the game than chess masters. The same explanation can be applied to the difference in skill level between regular auditors and hackers.
Take the case of Leon Johnson, a penetration tester who works at Rapid7. Johnson tests mobile applications, attempts to bypass physical building security, tests social engineering exploits using phishing and vishing, and attempts to break into websites externally or internally (MacMillan, 2017). The knowledge gained from these tests sheds light on the security needed not only in the organization, but for the industry and country.
Johnson shares his experience:
“The hours vary as well because sometimes the client makes me stop. They only want testing between these hours and these hours. If the client does not make me stop, my girlfriend will have to make me stop, because I will go until late. Most people who do what I do tend to love it. We don’t know for sure if there’s a way to break into whatever we’re breaking into; but once we do, it’s hard to put it down. What happens, inevitably, is you start making way, and the next thing you know it’s 2 in the morning” (MacMillan, 2017).
“Sometimes, it makes you nervous because you’re doing something that’s somewhat illegal. Your heart starts racing. I’ve hacked a major sports league, and a Fortune 500 company that caused me to lead a team of guys that went to ten different countries. I hacked a major credit bureau, and police departments. I’ve hacked cities and created scenarios to essentially simulate a terrorist attack. I hacked an airport after they just had a security assessment that told them they were unhackable. I’ve done assessments for banks before. I’ve done nuclear power plants” (MacMillan, 2017).
Personality Difference of Hackers at Work
Scott Blake gave a presentation at Defcon in 2000 titled “The Pros and Cons of Hiring Hackers”. Shown below are his pros and cons.
Cons:
- Difficult to focus them on the manager's goals
- The youngsters require supervision
- Some have poor communication skills
- Tend to see things in black and white: "good and bad business moves are quickly judged"
- May pursue dead-end directions too long
- Political motivations: "strong libertarian tendencies"
- Smelling snake oil from their employer: "low tolerance for their company's software that doesn't do what the marketing says it does"
Pros:
- Bright, creative people
- Many are not motivated by money
- Highly motivated to learn
- In touch with the latest trends
- Require little guidance for research
- Comfortable during technical operations
- Can impress customers during consultations
Need for Hackers in the Workforce
In 2014, the RAND Corporation's National Security Research Division made the following recommendation in its analysis of the cyber security labor market:
"More active waiving of civil service rules that impede hiring talented cybersecurity professionals, maintaining government hiring of cybersecurity professionals even through adverse events such as sequestrations, funding software licenses and related equipment and educational programs, refining tests to identify candidates likely to succeed in cybersecurity careers, and, in the longer run, developing methods to attract women into the cyber security profession" (Libicki et al., 2014).
Despite the early criminal records and unruly behavior of young hackers, journalists like Misha Glenny believe hackers need their energy directed in positive directions:
“we need to engage and find ways of offering guidance to these young people because they are a remarkable breed, and if we rely as we do at the moment solely on the criminal justice system and the threat of punitive sentences, we will be nurturing a monster we cannot tame” (Glenny, 2011).
So now that we see what these hackers are learning about vulnerabilities, from small businesses to critical infrastructure, what should be done about such engagements? Here's a list from personal experience:
1. Be Prepared to Patch Fast or Utilize Team to Establish Workarounds
The worst thing to do after the engagement is to leave the vulnerabilities lingering. The hacker's or hacking team's own network security is unknown, along with how they gain 0-day information. Someone unauthorized may find working papers, databases, and reports discussing vulnerable systems. Current or former employees may explore those vulnerabilities at a later date, unsupervised.
2. Price of Patching Up and Fixes
Another consideration before the engagement is to establish the cost of having the team patch software and networks. Ira Winkler spoke at DEF CON 7 on the subject of "The Myths Associated with Hiring Hackers". While working as a security entrepreneur, he spoke of clients that couldn't pay the high price of patching the systems. This essentially turns into a mild form of legal extortion, where the danger lingers because the fix is too expensive for the organization.
3. Secure Communication of Vulnerability Reporting
You probably don't want to email the vulnerability findings, or discuss them with a group of people unrelated to the team that will fix the vulnerabilities.
4. Limit Number of Individuals to Know About Findings
Keeping vulnerability findings on a "need to know" basis is the best strategy. Details regarding the report (possibly providing a summary in vague language versus detailed vulnerabilities and CVE numbers)
5. Follow Guidance from NIST
NIST provides detailed guidance according to low-, moderate-, and high-risk categories. Example guidance is shown below:
Imagine if the hacker performing the pen tests had social links to your competitors, or disagreed with your political and social decisions. Having a team with an objective mindset is important.
6. Is Your Pen Testing Team Hidden in the Fog
If I were a nation-state actor… would I stay up night after night looking for vulnerabilities in the companies that make up US infrastructure, or set up a satcom link to a compromised pen tester's laptop? Just saying, the pen testing companies doing the heavy lifting might be the most targeted. Therefore, they need pseudonyms and cover agendas to stay off the nation-state radar.
Blake, S. [Blackhat]. (2000, July 26). The Pros and Cons of Hiring Hackers [Video File]. Retrieved from https://www.youtube.com/watch?v=ARQ3eHowW40
Delio, M. (2001, May 22). A ‘White Hat’ Goes to Jail. Wired.com. Retrieved from https://www.wired.com/2001/05/a-white-hat-goes-to-jail/
Glenny, M. [TedTalks Global ]. (2011, July). Hire the Hackers [Video File]. Retrieved from https://www.ted.com/talks/misha_glenny_hire_the_hackers#t-1168522
Libicki, M.C., Senty, D., Pollak, J. (2014). H4cker5 Wanted: An Examination of the Cybersecurity Labor Market. Santa Monica, CA: RAND Corporation.
MacMillan, T. (2017, March 28). The Penetration Tester Who Your Boss Hires to Hack Your Email. Nymag.com. Retrieved from http://nymag.com/thejob/2017/03/penetration-tester-cybersecurity-interview.html
NIST. (2013, April). NIST Special Publication 800-53 (Rev. 4). Retrieved from https://nvd.nist.gov/800-53/Rev4/control/CA-8
Shinder, D. (2010, August 10). Hiring hackers: The good, the bad and the ugly. Techrepublic.com. Retrieved from https://www.techrepublic.com/blog/it-security/hiring-hackers-the-good-the-bad-and-the-ugly/
Winkler, I. [TalksDump]. (1999, July 9). The Myth of Hiring Hackers [Video File]. Retrieved from https://www.youtube.com/watch?v=R5oseI_MX7M
Aligning Information Security with NIST
For a CEO, time for security would be hard to find. There are yachts to inspect, celebrities to schmooze, meetings with the NSA about software backdoor plans, private jet conventions to attend, employee and customer complaints to ignore, and forums to troll. If they can't hand off the task to an executive to develop cyber solutions, they should use NIST SP 800-18 as one of many foundational documents for the company's Information System Security Plan (ISSP).
The goal of NIST documents is to define federal information security standards (e.g. for FISMA, DOE, OMB) (EM, 2015). Specifically, NIST SP 800-18 is designed to help meet:
- Appendix III, "Security of Federal Automated Information Resources," of OMB Circular A-130
- Title III of the E-Government Act, the Federal Information Security Management Act (FISMA)
While NIST is designated for federal classified and unclassified systems, private and public organizations can use NIST Pub 800-18 as a “starting point”, for personnel roles and responsibilities, information system security planning, and information assurance.
Sections 1.7.1 through 1.7.6 describe the responsibilities of six roles involved in securing information systems. Since the organization has 500+ personnel, I would establish the roles of CIO, CISO (i.e. SAISO), system/database administrator (i.e. information system owner), and compliance manager (i.e. authorizing official) to make sure all aspects of information security are covered. The responsibilities listed as bullet points can be used as a checklist to ensure all processes and procedures are carried out and/or assigned to a responsible person. A meeting would take place to evaluate the feasibility of the assigned tasks, to make sure the workload is evenly distributed and no single security person is overwhelmed.
Some of the tasks would be consolidated in a small to midsize agency. For example, the "Authorizing Official" who approves security plans can be the CIO if they are accredited with compliance knowledge. The document allows the consolidation of roles, as it states: "Recognizing that agencies have widely varying missions and organizational structures, there may be differences in naming conventions for security planning-related roles and how the associated responsibilities are allocated among agency personnel (e.g., multiple individuals filling a single role or one individual filling multiple roles)". Section 1.9, "Security Plan Approval", specifies that plans are approved prior to implementation by an official who is independent from the system owner. I suspect this can be done by a compliance officer, to ensure new security plans fall into alignment with existing regulations and audit needs.
Second, section 1.8 of the document would be used as a starting point for developing the "Rules of Behavior" to comply with OMB Circular A-130, Appendix III. The document provides an outline of topics (Figure 2) to be addressed (e.g. consequences of behavior, restoration priorities, and use of copyrighted work). As CEO, I would make sure the Rules of Behavior are reasonable, the procedures are comprehensive and appropriate to the business, and the consequences are not draconian. I would place particular importance on the delivery of the content and its comprehension by employees, and would probably investigate the best communication mediums and utilize the Ten Commandments of Information Security Awareness.
The corporation can use the recommendations of section 1.5, "Major Applications, General Support Systems, and Minor Applications", to categorize major applications and general support systems. This is also discussed in section 3.8, "Information System Type". A description and purpose of each system is created along with a list of user organizations (specifying whether internal or external).
Section 1.6 provides additional resources for the security manager to implement security controls for the information system:
1. NIST SP 800-53, Recommended Security Controls for Federal Information Systems
2. FIPS 200, Minimum Security Requirements for Federal Information and Information System
3. NIST SP 800-30, Risk Management Guide for Information Technology Systems
4. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
Following section 3.10, the CIO or CISO can provide a 1-3 paragraph description of the system environment. In this case, it would be a "Managed or Enterprise" system for 500+ users. We would specify any specialized security, functionality, or legacy systems.
The bulk of the work would be from section 3.11, "System Interconnection/Information Sharing". For organizations with a deep supply chain, this would be a large list to compile. The section requires the following description for each interconnection:
- Name of the system
- Type of connection
- Authorization for interconnection (MOU/MOA, ISA)
- Date of agreement
- FIPS 199 category
- Certification and accreditation status of the system
- Name and title of the authorizing official
Section 3.1 “System Name and Identifier” states each system should be identified with a unique identifier. This allows the corporation to easily identify each system and trace security related metrics during implementation and operation: “This identifier should remain the same throughout the life of the system and be retained in audit logs related to system use.” Naturally, to keep account of company assets and expenses, this would have been already completed by the company.
Another process that should already be completed by the compliance manager is in Section 3.12: “Laws, Regulations, and Policies Affecting the System”. The organization is to make a comprehensive list of all laws, regulations and policies affecting the level of confidentiality, integrity, and availability of the system. This makes sure the security plan and architecture support the laws and regulations in the host nation (e.g. GDPR).
Next, these systems are mapped to FIPS 199 categories as described in section 3.2. Using Table 1, "FIPS 199 Categorization", the company can assign Low, Moderate, or High impact levels to each system's confidentiality, integrity, and availability. Section 3.13, "Security Control Selection", applies security controls according to the control baseline (low-, moderate-, or high-impact information system). I would refer to SP 800-53 to identify management, operational, and technical controls.
The matrix that classifies these systems can be used as a valuable map of where to place important security measures and implement regular internal audits. I would pay special attention to section 3.14, "Minimum Security Controls". In this section the selected controls are described with the following:
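To show how the categorization step and the section 3.11 interconnection list fit together, here is an added example that is not part of the original page or of NIST's publications. It computes each system's FIPS 199 security category, takes the high-water mark of the three impact levels to select the SP 800-53 baseline, and flags interconnection records that are still missing required fields; the inventory is constructed for a hypothetical 500+ user company.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# FIPS 199 impact levels in high-water-mark order.
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}

# Fields SP 800-18 section 3.11 asks for per interconnection (see the list above).
INTERCONNECTION_FIELDS = (
    "system_name", "connection_type", "authorization", "agreement_date",
    "fips199_category", "ca_status", "authorizing_official",
)


@dataclass
class InformationSystem:
    identifier: str        # unique id per section 3.1, kept for the life of the system
    name: str
    confidentiality: str   # "low" | "moderate" | "high"
    integrity: str
    availability: str
    interconnections: List[Dict[str, str]] = field(default_factory=list)

    def __post_init__(self):
        # Normalise and validate the three impact levels up front.
        for objective in ("confidentiality", "integrity", "availability"):
            level = getattr(self, objective).lower()
            if level not in IMPACT_RANK:
                raise ValueError(f"{self.identifier}: bad {objective} impact {level!r}")
            setattr(self, objective, level)


def security_category(system: InformationSystem) -> str:
    """Render the FIPS 199 security category in its standard notation."""
    return (f"SC {system.name} = {{(confidentiality, {system.confidentiality}), "
            f"(integrity, {system.integrity}), (availability, {system.availability})}}")


def overall_impact(system: InformationSystem) -> str:
    """High-water mark over the three objectives (FIPS 200); this level selects
    the low/moderate/high SP 800-53 control baseline used in section 3.13."""
    return max((system.confidentiality, system.integrity, system.availability),
               key=IMPACT_RANK.__getitem__)


def missing_interconnection_fields(system: InformationSystem) -> Dict[str, List[str]]:
    """Map each interconnection (by partner name, or index if unnamed) to the
    section 3.11 fields it still lacks, so gaps surface before plan approval."""
    gaps = {}
    for idx, record in enumerate(system.interconnections):
        missing = [f for f in INTERCONNECTION_FIELDS if not record.get(f)]
        if missing:
            gaps[record.get("system_name") or f"interconnection[{idx}]"] = missing
    return gaps


def plan_summary(systems: List[InformationSystem]) -> List[dict]:
    """One row per system (category, baseline, incomplete interconnections),
    highest-impact systems first so they get attention first."""
    rows = [{"id": s.identifier, "category": security_category(s),
             "baseline": overall_impact(s),
             "gaps": missing_interconnection_fields(s)} for s in systems]
    return sorted(rows, key=lambda r: -IMPACT_RANK[r["baseline"]])


# Constructed inventory for a hypothetical company; names and levels are made up.
INVENTORY = [
    InformationSystem("SYS-0001", "Accounting ERP", "moderate", "high", "moderate",
                      interconnections=[{
                          "system_name": "Payroll provider portal",
                          "connection_type": "SFTP batch transfer",
                          "authorization": "ISA",
                          "agreement_date": "",        # agreement not yet signed
                          "fips199_category": "moderate",
                          "ca_status": "authorized",
                          "authorizing_official": "",  # nobody assigned yet
                      }]),
    InformationSystem("SYS-0002", "Sales CRM", "moderate", "moderate", "low"),
    InformationSystem("SYS-0003", "Intranet wiki", "low", "low", "low"),
]

if __name__ == "__main__":
    for row in plan_summary(INVENTORY):
        print(row["id"], row["baseline"].upper(), row["category"])
        for partner, fields in row["gaps"].items():
            print("   missing for", partner + ":", ", ".join(fields))
```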
1. The security control title
2. How the security control is implemented
3. Any scoping guidance that has been applied and what type of consideration
4. Indicate if it is a common control and who is responsible for its implementation
With the above written out, it can be used by internal audit, or the compliance manager, to make sure each control is up to date, that the current and appropriate staff are responsible for the control, and that the scope of the control is reasonable.
To ensure certification of the security system, the CIO and CISO would have to be able to monitor and record changes to the security plan as described in section 3.16:
- Changes in personnel (e.g. information system owner, information security representative)
- Changes in architecture (e.g. system status: operational, under development, major modification; additions or deletions of interconnections)
- Changes in certification and accreditation status
The “spirit” of NIST appears to revolve around the categorization of systems, personnel, and interconnections; the level of impact of those systems; prioritizing minimum controls for those systems, and a process to track changes to all aspects of the security plan to maintain accountability.
NIST. (2006, February). NIST Special Publication 800-18 Revision 1: Guide for Developing Security Plans for Federal Information Systems. Retrieved from https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-18r1.pdf
EM. (2015, September 9). The Authorizing Official (AO): DOE EM Role Based Training. Retrieved from https://www.emcbc.doe.gov/SEB/EM_HQ_IT_Services/Documents/Document%20Library/The%20Authorizing%20Official%20(AO)%20DOE%20EM%20Role%20Based%20Training%20-%20Sample.pdf
Ending the MSSP vs. In-House Sourcing Debate
In the security world there is a debate over whether to use a managed security service provider (MSSP) or in-house resources. The debate is put to rest by three factors:
1. Maturity of the organization's cyber security department
2. Services needed from the MSSP
3. A 24/7 coverage requirement
The matrix below is a very simplified overview of an organization’s reliance on an MSSP.
Low: Organizations in the low maturity category can learn a lot from an MSSP to help get up to speed. They will need time to find personnel to fill cyber roles and have executives increase a budget for a cyber department.
Medium: As the organization enters medium maturity territory, the organization can take over more and more of the day-to-day duties and reduce reliance on the MSSP.
Medium-High: The organization is maturing, but not quite filled with experts yet. They will still need consultation and coverage in some areas.
High: The organization has experienced personnel that could cover alerts 24/7 and innovate their work in their respective roles. They will improve mostly from offensive security lessons or bi-annual review from pen testers on their controls to check for gaps in coverage in relation to the latest threats.
Each level of the organization's maturity is an opportunity to revisit the contract and renegotiate terms for reduced costs. This is essential: as cyber budgets may be fixed for an organization, they will need to free up costs somewhere to make room for new employees, or for employees expanding their operational duties previously managed by the MSSP.
Advantages of an MSSP:
- Overnight 24/7 support (incident response). For an organization that performs critical functions, this is a requirement.
- Extra time for the security team to focus on internal requests and engineering. An MSSP can deal with the monotonous alerts to avoid disrupting engineers.
- Alert creation and review for new threats. Leveraging the expertise of the MSSP can obtain the important alerts needed for the SOC.
- Access to expertise on a wide variety of cyber security topics.
- The MSSP may have an eye on other organizations experiencing heightened cyber issues, since it uses analysts to cover multiple entities.
Disadvantages of an MSSP:
- It may not have access to all internal resources to assess risk. Example: one tool may show a possible compromise while the internal tool, accessible only by employees, shows a block. The MSSP's incident response is delayed by its need to reach back to the internal employee at the organization; response time may be better with the internal department being paged directly.
- Alerts start off as "one size fits all" and often need constant review to reduce false positives.
- An MSSP holds intimate information about the inner workings of the organization, so third-party risk expands.
- MSSPs suffer from the unattainable triangle when assessed on the qualities of fast, good, and cheap. The differences are similar to comparing fine dining, casual dining, and fast food.