7 Steps to Improve Cybersecurity Operations

Some arrows going a lock to represent cyber security.

By Jason A. Minto

Network Intrusion Analysis 

All Federal Agencies have a responsibility to improve their critical infrastructure's Cybersecurity as outlined in Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity”[1].  This directive helps agencies become more responsive and enables accelerated, improved reaction for Information Assurance Management with the most effective, sustainable technology. Many agencies are making strides to mature and improve their overall Information Security Program and seek to employ the Risk Management and Cybersecurity Framework[2], as published by the National Institute of Standards and Technology (NIST) and depicted in Figure 1: NIST Cybersecurity Framework. This is actually a much-needed development in national strategy, but how exactly does an agency go about supporting and improving their infrastructure? 

Figure 1: NIST Cybersecurity Framework

NIST provides clear direction on how to improve Cybersecurity capabilities in their “Framework for Improving Critical Infrastructure Cybersecurity.”  It is a comprehensive seven-step sequential process from Prioritizing and Scoping to Implementing and Action Plan.  This process takes place in the context of framework implementation tiers.  Management may use these tiers to direct organizations toward a target profile.  Subordinate managers may also adapt the framework to assess their own business unit. 

Step 1: Prioritize and Scope

Identify business objectives, mission objectives and strategic organizational priorities.  This information should  already be available.  Typically, a definition has already been identified by leadership and through the SDLC.   For example, a security control like Network Intrusion Detection (NID) devices may be old and in need of upgrade or replacement.  This is a strategic priority.  The organization would suffer considerable risk with this needed defense.  Priorities must not be limited to strategic ones; they should also include organizational priorities.  A very secure firewall could block important public communications for a public affairs agency that focuses on external communication.   

The listed priorities next need to be aligned with supporting systems and assets.  This identifies the scope of the assessment.  All of the systems and assets must have clear functional traceability to everything on the list.  A lack of traceability should reveal excess resources that may be applied elsewhere.  This complete matrix of priorities and scope is the basis for all that is to follow. 

Step 2: Orient

Threats and vulnerabilities for the priority and scope are identified next.  This involves the analysis of everything in the matrix as well as considering regulatory requirements and guidance. 

It is important of personnel familiar with Cybersecurity risk management to identify threats and vulnerabilities.  All too often, “experts” in risk management have no knowledge of technical underpinnings.  It is important to have a certified Cybersecurity professional to help in this stage.  Without such expertise, “new risks” will significantly increase cost during the later risk assessment. 

Regulatory requirements may not be ignored in this step.  Not following regulatory requirements is a material weakness.  Each requirement must be addressed or the organization is liable to penalization, lawsuits, or other punitive actions that would cause a significant burden – regardless of practical security considerations. 

Organizing the orientation may be completed with a multi-dimensional matrix or a detailed list of security controls with traceability back to the priority and scope matrix.  The important thing is to enumerate the threats and vulnerabilities of systems and assets. 

Step 3: Create a Current Profile

A profile is created at this point using the priority, scope, and orientation.  NIST makes this super easy by offering a template with their Cybersecurity Framework.  This template features the function and a number of different sub-categories.  This template or some other mechanism may be used to identify the current capabilities of the organization. 

The NIST template uses the five functional areas of the framework with multiple categories.  Each category has at least one subcategory.  Creating the current profile is as easy as documenting and filling out the organizations capabilities for each of the 98 categories.  Each category may have multiple capabilities.  NIST’s documentation includes references for every category to help. 

Figure 2: NIST Cybersecurity Framework Categories

The point of this exercise is to identify exactly what the organization has now when it comes to Cybersecurity.  This is not a projection of what you want the organization to do.  Fortune telling at this stage of the game will only hurt the process.  Planned projects and projects currently underway manifest themselves in the target profile step – not in this step. 

Step 4: Conduct a Risk Assessment

This is a process where the operational environment is analyzed to discern the likelihood of a Cybersecurity event and the impact it would have.  This activity may have already taken place.  The assessment should follow the NIST categories for the framework. 

Other assessments may be used to realize this overarching assessment.  Many organizations periodically utilize risk assessments for systems and their networks.  Using those assessments to address these questions is a responsible usage of resources and helps accelerate the gap analysis process.  While these assessments may not be comprehensive, it is essential to understand the risk for all of the categories. 

Each category should receive a rating of High, Medium, or Low.  This category indicates the completeness of security protection for that particular category.  A category with no security controls would receive a High risk rating.  A category with comprehensive and significant security controls would receive a low rating.  This risk assessment identifies the weaknesses within in the organization.  In a cybersecurity dashboard application for the organization, this may be used to illustrate the efficacy of the organization to senior leaders. 

Step 5: Create a Target Profile

The target profile is an understanding of all the activities needed to mitigate the risks identified during the assessment.  The target profile is a depiction of what would change in the current profile to improve the security posture.  This target profile is an ideal portrayal and may involve unique categories not found elsewhere. 

At the very least, the target profile must account for the high-risk deficiencies identified in the risk assessment.  The target profile is a summary of mitigating actions to be conducted that will reduce high-level risk to a lower level risk.  The team should also focus on medium level risks to understand how they may be reduced to a low risk.  The target profile should present a residual risk value after the new controls are identified. 

Most organizations are different and unique; as such, different unique categories may best represent their needs.  For example, “Payment Card Industry” requirements are not always applicable to a Federal agency.  However, a credit card company must account for those requirements and would use their own categories unique to the industry. These unique categories would satisfy not only regulatory security requirements, but also requirements identified by customers, business partners, or shareholders.   

Step 6: Determine, Analyze and Prioritize Gaps

A comparison between the current and target profiles reveals gaps that need to be addressed – this is not an absolute statement.  Not all gaps are equal, and the risk assessment helps identify which are the most pressing.  That alone, however, is not the end-all be-all.  Fiduciary responsibility must be addressed with all seriousness.  This responsibility must not stop the active defense of the organization, but it most certainly can never be ignored. 

A cost and benefit analysis must be undertaken to understand how the outcomes affect the organization.  One investment may mitigate multiple gaps in the risk analysis.  It is important to responsibly identify solutions that adequately reduce risk optimally across the current profile.  The analysis must not be limited to technological security widgets and gadgets.  It is imperative to consider the human element and what simple controls that may be implemented to reduce risk with simple changes in the day-to-day process.  Both tools and tactics must be presented. 

The organization then needs to review the analysis of available tools and tactics so informed decisions can be made from all of the options.  The options will reveal resources for consideration that address the gaps.  The profiles used at this step helps identify cost-effective, targeted improvements.  The end result of this review is a prioritized list of activities that will effectively reduce the overall risk with the organization. 

Step 7: Implement Action Plan

Now that there is a prioritized list of action to take; everyone needs to get moving to make it happen.  Prudent oversight monitors these developments while high-impact low-cost controls are established to help mitigate risk until the plan is in place.  All of these steps must be implemented with the standards, guidelines, and practices for the organization. 

Oversight needs to make certain that the action plan hits all of the milestones.  People are not perfect and in some cases a lot of these actions will have the devil in the details.  It is important that someone not close to the problem reviews the various steps in the action plan.  This will help make certain that all of the actions are implemented as expected and found deficiencies are reconciled before hackers are able to find them. 

This whole process should be the start of a feedback loop as the current profile is updated (see Figure 3 -- Cybersecurity Infrastructure Feedback Loop).  Doing so will reduce the level of effort used in this process.  The current profile will change as new actions are completed.  Sometimes an action will improve the risk posture more or less than expected.  When this happens, the team needs to understand the impact and how that affects the rest of the profile.

Figure 3: Cybersecurity Infrastrcutre Feedback Loop

Conclusion

Following all seven steps of NIST’s gap analysis process makes certain your organization has taken all the steps necessary to responsibly update and maintain their Cybersecurity posture.  It identifies the current state of the network.  It identifies any risks within that profile.  It creates a target profile to reduce the risk.  Finally, an action plan is implemented to mitigate all of the identified risks.  This is a feedback loop operation that will change over time.  New security controls will reduce risk.  New functionality will create risk exposure.  The Information Assurance (IA) team needs to be vigilant to understand the evolving challenges of a network and react accordingly. 

NIST makes it easy with guidance on the Cybersecurity Framework.  Read it if you haven’t already.  It is very helpful, especially when it comes to presenting Cybersecurity holistically. 

 

[1] Executive Order no. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12, 2013. http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf 

[2] National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, February 14, 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214...