Digital Conflict

By Kevin Coleman


False sense of cybersecurity

Cybersecurity has now moved front and center in the government and private sector alike. This is due to a number of factors, including the frequency of cyberattacks, the sophistication of those attacks and, most importantly, their implications. Why do you think Russian government agencies have reportedly gone back to typewriters to keep sensitive documents off networks that could be compromised? That speaks volumes about the state of cyber insecurity.

Organizations routinely use standards and regulations such as the Federal Information Security Management Act (FISMA) as the foundation of their enterprise security strategy. NIST guidance on FISMA lists the following among the things an effective information security program must include:

“Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually.”

Cyberwar gaming has become a hot topic of late. It is being used to evaluate the effectiveness of the cybersecurity programs organizations have put in place, but the way an organization runs the exercise largely determines its value. Many organizations staff both the red team (attackers) and the blue team (defenders) from inside the organization. That has a number of shortcomings, not least of which is the bias of those selecting the team members. An internal red team also tends to share the defenders' assumptions about the environment and to know which controls are actually monitored, so it exercises exactly the paths the blue team already expects. In one instance, those designing the evaluation exercise actually stated, “We want our security team (blue defenders) to win. We want to build their confidence.” That is dangerous: an exercise arranged so the defenders win gives a false sense of cybersecurity and does not meet the intent of the NIST/FISMA requirement quoted above.

At a recent cybersecurity event, one participant went as far as to suggest applying to FISMA the same approach the Payment Card Industry uses for its security compliance requirements: an independent assessment of an organization’s cybersecurity program. At a minimum, every organization should be using outside, objective red teams, with the engagement scoped and scored by people who have no stake in the defenders winning. That gives a far better evaluation of whether the cybersecurity measures put in place actually work. Cybersecurity is too important to shortcut the evaluation of cybersecurity measures.

Posted by Kevin Coleman on Jul 18, 2013 at 6:07 AM

Reader Comments

Mon, Jul 22, 2013 Don O'Neill

The state of Cyber Security is best illustrated by two things: the Defense Science Board report that the Cyber threat is serious and the President's Executive Order directing NIST effort to produce a Cyber Security Framework. The January 2013 Department of Defense Defense Science Board Task Force report on Resilient Military Systems and the Advanced Cyber Threat is a critical self-assessment that paints a sobering picture of a dysfunctional Cyber culture. It acknowledges a Cyber threat that is serious and insidious, current DOD actions that are fragmented, U.S. networks that are built on inherently insecure architectures, present capabilities and technologies that are unable to defend with confidence against those Cyber attacks labeled most sophisticated, and an expectation that it will take years to build an effective response. In such an environment, how can an organization safeguard its proprietary information? The NIST effort has just completed its third working group meeting and has found itself with more questions than answers. The most contentious question revolves around whether the framework is voluntary or subject to regulation. Here the issue of trust in government is at the heart of the matter.

Thu, Jul 18, 2013 Don Gray Pittsburgh PA

One thing I think doesn't get enough attention is the mitigation of an attack through the execution of the Incident Response plan. Everyone focuses on detecting the attack, and while that is extremely important, you can't stop there. You need to ensure that not just the security team is prepared, but that they can work efficiently and effectively with third parties, the IT organization, and the business units to effectively contain and mitigate the attack. Seconds count when executing Incident Response, and those who fail to plan and train should expect to spend more money and endure more impact from an attack.
