A number of strategies exist for controlling risk, including defense, transferal, mitigation, acceptance and termination (Whitman & Mattord, 2014). The first seeks to put in place safeguards to eliminate or reduce risk. Transferal seeks to shift risk outside of the organization, such as with outsourcing or insurance. Mitigation is the application of controls to reduce the impact to organization resources during an attack. Acceptance occurs when an organization chooses to leave a certain amount of risk in the system(s). This typically occurs for two reasons: risk cannot be eliminated fully under any reasonable circumstance, and funds are scarce. Termination seeks to remove systems from the organization, such as the Federal government did with Windows XP systems, or at least tried to do, after Microsoft support ended.
Another term that is often mentioned when addressing risk is defense-in-depth. This strategy is in line with the strategies listed above and seeks to ensure security mechanisms exist throughout the system architecture so that an attack is less likely to be successful. There are several areas in an organization that can be addressed. The National Institute of Standards and Technology lists 18 separate families of InfoSec controls that seek to address all areas of the information system architecture (National Institute of Standards and Technology, 2013). When implementing these controls, an organization will be able to address defense-in-depth within its systems.
An example of the benefits of these strategies can be seen in a typical attack taking place across an Internet connection. The first thing that must be available is an attack vector to a target system. The second is that the target system must generally have a vulnerability that can be exploited. Last, the attack needs a path for exfiltration of data or for any malware installed on the victim system to communicate back. The strategy of defense could prevent all three of these factors. A mitigation strategy would ensure backups are available for the data as well as for rebuilding the victimized system. Transferal could also aid via insurance payments or by offloading responsibility to a third-party provider. Several families of the NIST controls would play into these protections, including access control, audit and accountability, awareness and training, configuration management, incident response, system and services acquisition, system and communications protection, and system and information integrity.
How well these strategies and controls get implemented is another story. One has to consider funding as well as the vast size of the federal government, including the diversity of its many branches and organizations. Included in this should be an understanding of the differences between a headquarters office at the Department of Homeland Security and a very small remote office with limited staff. There is likely to be a wide range of capability differences between two such offices, and organizations must be aware of this in planning InfoSec strategies. Mandating controls that a small site does not understand or have the capabilities to manage will not aid in securing systems, no matter how well the “training” family of controls is implemented.
Funding is also a serious concern. With the OPM data breach (see previous post), there was adequate warning of security issues and also a significant lapse in time before the breach was discovered and reported. This is likely to be at least partially attributable to a lack of funding in IT and security staff and resources. If intrusion detection systems are deployed, that certainly would meet one of the controls, but it serves no purpose if there is not enough staff to actually monitor the systems. Likewise, when staff resources are stretched and then pressed between keeping a system up and running or patching vulnerabilities, typically the mission will win out and the vulnerabilities will remain. This does not absolve any organization of responsibility for breaches, but decision makers should be aware that a lack of investment in both IT and security has consequences and may in fact accelerate those consequences.
Works Cited

National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved July 24, 2015, from nvlpubs.nist.gov: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security. Stamford: Cengage Learning.