Imagine this. You've been hired to run a company's cybersecurity team and discover that your team is under-resourced. Not only that, but you're facing a major corporate event where your threat profile escalates and have a management team that doesn't see the risks in the same way.
That's the scenario described by security consultant Ashley Deuble during AusCERT 2019. Leaning on his experience as a cybersecurity professional. Deuble led the audience through a scenario where each step was determined through audience participation.
On arrival at his fictitious new employer, Deuble asked the audience which of three things he ought to focus on first; policies and frameworks, incident response frameworks, or tools and technologies. The crowd chose to go with boosting the tools and tech he would have at his disposal. This is the sort of decision most CSOs need to make. With budgets and personnel often constrained, choices have to be made about where to best spend resources.
With that decision made, Deuble's next challenge was to navigate a new potential threat - a major corporate event. However, the management at Deuble's 'employer' didn't perceive this event as changing the company's risk profile and refused to support more security controls being put in place. Fortunately, the next chapter in this adventure didn't result in a breach or detectable attack. However, the crowd determined that the next chapter in this story required that Deuble and his team remained vigilant.
This was fortunate as a series of smaller breaches, followed by more significant attempts to exfiltrate data were detected.
The 'Choose your own Adventure' story ended here, with Deuble moving to the lessons that can be learned from this sort of desktop exercise in threat planning.
Deuble highlighted that no matter what we do when it comes to choosing where to focus resources or how vigilant we are, we can never be ready for every possible attack. But we can mitigate the risks of the next chapter in our own stories by taking some specific steps.
One tool that offers a set of useful controls and a framework for creating a cybersecurity and risk dashboard that can be easily understood by all levels of management comes from NIST. The five main areas of the NIST Cybersecurity Framework are:
The framework provides a set of controls that can be used to assess your maturity and readiness for each area. It also means you can create a dashboard that makes it easy for everyone to understand where the business stands in each of those areas.
Another tool recommended by Deuble is the CIS Controls, formerly known as the SANS 20 Critical Controls. And there are also the ASD Essential Eight and CERT New Zealand's Critical 10.
Although adherence to these frameworks doesn't guarantee 100% resilience against all possible threat actors, following them mitigates the risk of an attack occurring and limiting the damage if an attacker is able to bypass your edge controls.
Along with these controls comes another important consideration. Deuble stressed the importance of helping users determine the difference between good and bad and empowering them to easily report potential security issues. Simple actions, such as adding a 'Report phishing' button into email clients takes the friction away and makes it easy for users to share information with security teams.
It's also critical to practice incident response. Deuble's 'Choose your own Adventure' exercise showed how different decisions could impact what happens next, even in a relatively simple desktop exercise. It was also critical to involve external service providers in those exercises so they understood their role during incident response.
CSO and AWSN brings to you the first Women in Security Awards in Australia
In September 2019, CSO & AWSN will partner together to bring the IT security industry together to keep in line with International Women in Cyber Day, to celebrate the women of IT Security, along with delivering a series of Awards that recognise and honour the accomplishments , value and contributions of women within the wider world of security.
We have a series of awards that you can nominate for ranging from "The One To Watch" to "Male Champion of Change" to "the Best Place for Women in Security to work". There are also sponsorship options available if you would like to support the nominees, for all enquiries email firstname.lastname@example.org .
To nominate click here
To register for the event click here