It is time to rethink the notion of an audit from something that happens periodically to something that can be continuously analyzed at will, in real time. It is unacceptable that an organization wouldn't have complete visibility into activities associated with all users, hosts, and applications within its network infrastructure. This becomes minimal acceptable hygiene, a starting point, inclusive of threat intelligence...
1. Addressing Cyber Fundamentals
How do we move from inconsistent security/privacy protection control approaches to solid fundamentals that address most basic risks faced by agencies?
Inconsistent security controls are often a result of human error. A move to "Orchestration", or an approach that automates control implementations, can lead to more effective and relevant utilization of controls. Benefits include:
• Enabling the Software Defined Data Center
• Centrally define security policy
• Security policies move with VMs
• Reduce security as a choke point; accelerate business agility and responsiveness by...
The evolution of the cyber attacker's techniques, skills and tools has far exceeded the pace of the cyber defender's. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they've been given to do the job aren't fast enough in detecting...
We could take a human-centered or human factors approach to answering the question, "Why don't we do what we're supposed to do, and what can we do differently to get a better outcome?" We'd have to drive the conversation to the point where the rubber meets the road, by which I mean an action or behavior, performed by a person, which creates a particular harm. Assuming we could categorize the harms in a way useful for analysis...
1. Establish “white hat” teams that test employees through phishing and spear-phishing intrusion testing.
2. Change enterprise email policy to only allow plain text, preventing unintentional click-through threats.
3. Similar to the “Cybersecurity Tip of the Day” concept, establish a “Cybersecurity Blunder of the Day” program.
Situation:
• Cyber-attackers have no fear of retaliation, risk or viable legal proceedings.
• There is no U.S. Government legal doctrine to counter cyber-attacks on U.S. industries, governments and citizens.
• The U.S. Government does not have the cyber capacity to protect U.S. industries.
Proposal: The U.S. Congress should create newly crafted Cyber-Castle Doctrine legislation as a legal framework for U.S. industries...
The NIST Cybersecurity Framework (CSF) did a great job describing what is needed to have a good cyber security posture, but it leaves you hanging on how you do it: what are good practices, and how do you measure it? To help assess the operational cyber defense posture of Department of Defense (DoD) systems, the Office of the Secretary of Defense (OSD), Director Operational Test and Evaluation (DOT&E) developed metrics using the...
Adding additional cyber requirements from the OMB / DHS without allocating funds implies that existing funds have to be spread ever thinner, or monies have to be diverted from the Department/Agency mission. Perhaps an alternative is providing prioritization for allocation of existing funds (this mandate is #1, then this exec order, etc.). With the "public" availability of such a list, audits should become more effective...
Use Cyber Investment Management Boards (DOD example) where cyber projects are presented, defended, and measured against outcome-based performance measures for funding. This helps make cybersecurity accountability a shared responsibility across the senior leadership of the organization and helps leadership understand costs and risk benefits.
Cyber Tips of the Day – the first thing to pop up on the intranet logon screen would be a cyber awareness question (with the ability to quickly check against the answer). These would be focused on knowledge leveling, increasing awareness of vulnerabilities created by SPAM/phishing attacks, etc.
Create a self-audit checklist that agencies could use on a regular basis to assess themselves on fundamental security capabilities. It would be risk-profile based for each agency. This addresses the problem of having this done only by auditors (GAO/IG) or consultants, and keeps the attention and resources needed to close weaknesses and vulnerabilities.
Note: FCC is an example.
1) How do we move from inconsistent security/privacy protection control approaches to solid fundamentals that address most basic risks faced by agencies?
This is the difference between thinking tactically and thinking strategically. If you are thinking tactically, your to-do list is endless. There is always one more control to install, one more security practice to implement. There is no way to prioritize the workload or to measure your improvement. Security practitioners sprint from task to task putting out fires, never taking the time to build a program that can absorb...
Security/Privacy Protection Controls consistency is critical to mitigating organizational risk. Risk mitigation begins at the highest level of an organization. It is a combination of three key things—governance, accountability, and culture. Implementing an organizational governance process will bring myriad benefits, including lower costs, greater control, and overall increased efficiency and effectiveness. A benchmarked...
Leverage the self-audit capability of the SEC as guidance for other agencies.