Physical object security and cybersecurity defense have many similarities, such as:
- Defense in depth
- Intelligent adversaries
- The need for awareness
- Structure of response activities
There is one thing, however, that is taught to everyone responsible for providing physical security: your main focus is to protect the “vital objects”. These can be a power substation, decision makers (like a prime minister), a munitions storage site, or almost anything you can imagine. But if a military unit, private security guards, or the police are told to secure such an object, they will know exactly what the “vital object” is.
Jump to the world of cybersecurity in businesses. Here the main focus is on “vulnerabilities”. Obviously, that is a key part of the security equation – without vulnerabilities to exploit (human or technical), there is no way to access the target assets. The problem is, when people start with the “hunt for vulnerabilities”, they tend to forget what their vital object is. In fact, in many cases there has been no criticality analysis at all. This is why the step “risk and vulnerability assessment” must be taken seriously. So here’s a suggested approach to narrow down the scope for the teams responsible for providing security:
- List all your assets and perform a criticality assessment. What will be the consequence to the overall goal of the owner organization, its partners and customers, if you should experience the following:
  - Confidentiality breach: adversaries get access to the asset’s core information
  - Integrity breach: adversaries can manipulate the asset’s core information
  - Availability breach: adversaries can deny legitimate users access to the asset
- Perform a risk assessment based on known adversaries and available intelligence. Determine if it is likely or unlikely that the asset can be breached.
- Narrow down your asset list to “assets” and “vital assets”.
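The three steps above can be made repeatable with a small scoring script. The following is an added example, not code from the original post: it rates each asset's confidentiality, integrity and availability impact, records the likelihood judgement from the risk assessment, and narrows the inventory down to “assets” and “vital assets”. The scoring scale, the rule for what counts as vital (a SEVERE worst case is always vital; a MODERATE worst case is vital only when a breach is judged likely) and the sample inventory are all assumptions made for the example; adjust them to your own organization's consequence definitions.

```python
"""Asset criticality and risk classification (added example, not from the post).

Assumed model: each asset gets a CIA impact rating and a likelihood judgement.
Its criticality is the worst of the three impacts, and it is "vital" when that
worst case is SEVERE, or MODERATE combined with a LIKELY breach.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Consequence to the owner organization, its partners and customers (assumed scale)."""
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    SEVERE = 4


class Likelihood(IntEnum):
    """Outcome of the risk assessment against known adversaries (assumed scale)."""
    UNLIKELY = 1
    LIKELY = 2


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: Impact   # adversary gets access to the asset's core information
    integrity: Impact         # adversary can manipulate the asset's core information
    availability: Impact      # adversary can deny legitimate users access to the asset
    likelihood: Likelihood


def criticality(asset: Asset) -> Impact:
    """Worst-case consequence across the three breach types."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def risk_score(asset: Asset) -> int:
    """Consequence times likelihood; used only to order the report (assumed model)."""
    return int(criticality(asset)) * int(asset.likelihood)


def classify(asset: Asset) -> str:
    """Assumed rule: SEVERE worst case is always vital; MODERATE is vital only if likely."""
    worst = criticality(asset)
    if worst == Impact.SEVERE:
        return "vital asset"
    if worst == Impact.MODERATE and asset.likelihood == Likelihood.LIKELY:
        return "vital asset"
    return "asset"


def narrow_down(inventory):
    """Split the inventory into (vital, normal), each ordered by descending risk score."""
    vital = [a for a in inventory if classify(a) == "vital asset"]
    normal = [a for a in inventory if classify(a) == "asset"]
    by_risk = lambda a: -risk_score(a)   # sorted() is stable, so ties keep inventory order
    return sorted(vital, key=by_risk), sorted(normal, key=by_risk)


# Constructed sample inventory for the example; these are not real systems.
INVENTORY = [
    Asset("cardholder database", Impact.SEVERE, Impact.SEVERE, Impact.MODERATE, Likelihood.LIKELY),
    Asset("public marketing site", Impact.NEGLIGIBLE, Impact.MINOR, Impact.MINOR, Likelihood.LIKELY),
    Asset("customer support ticketing", Impact.MODERATE, Impact.MINOR, Impact.MODERATE, Likelihood.LIKELY),
    Asset("internal wiki", Impact.MINOR, Impact.MINOR, Impact.MINOR, Likelihood.LIKELY),
    Asset("backup archive", Impact.SEVERE, Impact.MODERATE, Impact.MODERATE, Likelihood.UNLIKELY),
]

if __name__ == "__main__":
    vital, normal = narrow_down(INVENTORY)
    for label, group in (("VITAL ASSETS", vital), ("ASSETS", normal)):
        print(label)
        for a in group:
            print(f"  {a.name:28s} criticality={criticality(a).name:10s} risk={risk_score(a)}")
```

Note that the backup archive lands in the vital group even though a breach of it is judged unlikely: criticality is driven by consequence, and likelihood only orders the report within each group. That mirrors the physical-security view that a vital object stays vital whether or not anyone is currently expected to attack it.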
Now, you have your priorities set. It is time to plan your security strategy. You should apply baseline security measures to all assets. The minimum baseline would be:
- Network segregation: at least keep vital and non-vital assets on separate network segments with firewalls between them
- Keep things patched and up-to-date
- Harden both software and hardware as appropriate for “normal assets”
- Apply monitoring as suited. Create red flags for suspicious activity (e.g. from an intrusion detection system).
- Ensure your automated backup system is working and that you are able to restore when needed
- Teach people what they need to know to reduce the likelihood of breaches, and what to do when one is suspected (usually call support).
For your non-vital objects this would typically be enough. For vital objects (a database containing credit card information for example) you need to base your defense on the risk exposure and your available resources.
- Limit access as much as possible
- Monitor and log more aggressively, and be prepared to refine the mesh on higher threat levels
- Design sufficient capacity for fail-overs if possible
- Apply stricter hardening policies
- Apply backups as suited for this asset.
- Be ready to act fast (train for it, and have sufficient resources available)
The last point cannot be stressed enough. In physical security you would typically have a team in place to provide deterrence and monitoring, and a quick reaction force to act fast when necessary. In many IT organizations the sysadmin on duty will be expected to fill both these roles with little training or backing to do so. That does not work.
- Assign roles and responsibilities for responders
- Pay them enough to make the extra vigilance feel worth it
- Give them the resources needed to train, and focus 1/3 on baseline defense breaches and 2/3 on vital object breaches
Cyberinsurance cannot play the role of a great and well-prepared response team. If your vital data is breached it may easily be the IT equivalent of a nuke to your head office – your customers will lose trust in you – especially if you fail to respond fast and in a structured way to limit the damage as much as you can.
Don’t apply the same defense strategy to everything. Establish a baseline, and then focus on your vital assets.