Call For Practice Of Assumption Of Breach
Today’s organizations depend on information technology and on the ability to deliver information to their customers and partners. Compromises that affect the confidentiality, integrity, or availability of information are serious events and can cause real damage to the organization. The exploitation of information security vulnerabilities by adversaries is inevitable. These adversaries are highly motivated, organized, and often well-funded, which gives them an advantage over current information security controls and methods. The financial and reputational damage caused by these adversaries has negatively impacted many organizations over the last decade.
The primary mandate for information security programs is the protection of institutional information and information systems from unauthorized access. The struggle to protect the organization’s assets continues despite significant financial investments in resources and controls. This struggle, and the failure to protect the assets, is due to the inadequate security strategies we currently use. Traditional information security strategies and standards have diminished effectiveness, are disproportionately technical, and do not adequately address the rapidly evolving and dynamic threat landscape. The standards we typically use are based on the basic principle of perimeter protection and provide only a necessary but minimum level of protection. Proof that traditional security approaches are failing is in the news almost every day. Examples include Stuxnet (2010), Sony PlayStation (2011), RSA (2011), the KT Corporation hack (2012), and Adobe Systems (2013). Many of these attacks were well planned, carefully targeted, and carefully executed. Besides the damage to the reputation of the organizations involved, the attacks also have lasting repercussions for the information security industry. The perpetrators of these attacks signaled that the cyber-security industry faces serious risk from a new level of threat. They demonstrated that the technical security infrastructure and protection methods currently used are unreliable.
If organizations want to decrease their risk, they must learn from the previous failures and change their information security practices. An organization can no longer say, “It will never happen to us.” Successful organizations are beginning to understand that they can no longer fully protect their networks and information assets from persistent adversaries who are dedicated to compromising those assets. All organizations need to adopt critical new practices that are nimble enough to stay ahead of the evolving threats.
One possible approach is the practice of “Assumption of Breach”. This practice provides a reasonable approach to the protection of all of the organization’s assets. It requires several key practices to be developed and implemented, and those practices must be based on the actual conditions, business objectives, and risk tolerance levels specific to the organization.
One of the most fundamental practices of the Assumption of Breach approach is the implementation of a risk management process. Many of our beliefs about risk management need to be challenged, and a shift in how we assess real threats is required if we want to have any impact on reducing risk in the future. When determining information security risks, knowledgeable and credentialed security professionals, along with business owners, should be engaged frequently to evaluate the information security risk to the organization and to ensure that the process is in line with the mission of the organization.
Without a practical and easy-to-use process, most organizations will tend to postpone the risk process, take a reactive posture, or apply the process incorrectly, all of which can negatively impact the organization. To ensure that the information security program assesses risk from a holistic, organization-wide perspective, the risk management process must include objectives and threats in the following thirteen areas: organization and authority; policy; audit and compliance; risk management; privacy; incident management; education and awareness; intelligence, reporting, and monitoring; operational management; technical security and access control; physical and environmental security; asset identification and classification; and account and identity management.
The assessment of risk in each area is integral to the information security program; it helps to identify protection efforts across the entire organization and helps the organization be nimble enough to adapt to new threats. One of the necessary concepts to adopt in the risk management process is the identification, documentation, and clear understanding of the assets that are critical to, or have significant value for, the organization and its mission. This practice is not intended to create just a simple inventory listing. Besides the obvious and traditional assets such as data, databases, intellectual property, applications, systems, and other critical technology services, the assets considered need to include key services, business partners, and key individuals.
While shifting to this broader asset perspective is challenging, the effort is required to understand the comprehensive nature of information security risk to the organization, and it significantly enhances the organization’s awareness and decision-making capabilities regarding its information security objectives. Once we understand the assets of the organization, we can then apply a more advanced and comprehensive understanding of risk and determine factors such as the Attack Vector potential (the exploitability of the attack, the prevalence of the attack, and the maturity of the controls implemented within the organization), the Target potential (the business type, the mission or activity of the organization, and the data types targeted), the Asset Threat potential (the motivation of the attacker, the asset types available, and the maturity of the controls implemented within the organization), and finally the Information Security Program potential (the maturity of the controls implemented within the organization and the ease of exploitation of the identified threats). Operating in today’s environment requires constant attention to the issues that affect business risk. To fight the adversary, it is essential that the organization select an assumption of breach practice that includes risk management. Properly designed, the risk management process can provide extraordinarily useful reports for executives, operational decisions, work prioritization, and budget planning. Even with limited resources and budgets, risk management is one information security tool that can be used effectively to adapt to new threats and attacks.
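To make the four factors concrete, here is an added example (not from the original page) of a small Python risk-ranking model over an asset inventory that includes the broader asset kinds the text calls for (data, systems, services, partners, individuals). The 1-to-5 rating scale, the equal weighting of the sub-elements within each factor, the factor weights, the sample inventory, and the asset and factor names are all assumptions of this example. Factors that have not yet been assessed are scored as worst case, so unknowns surface at the top of the ranking instead of being hidden; control maturity lowers exposure in every factor that the text says depends on it.

```python
"""Constructed example: rank assets by the four risk factors described above.
The scale, weights, factor names and sample inventory are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

RATING_MIN, RATING_MAX = 1, 5  # assumed 1 (low) .. 5 (high) scale


@dataclass
class Asset:
    name: str
    kind: str  # "data", "system", "service", "partner", "individual"
    # Attack Vector potential: exploitability, prevalence, control maturity
    exploitability: Optional[int] = None
    prevalence: Optional[int] = None
    # Target potential: business type, mission, data types targeted (one rating)
    target_attractiveness: Optional[int] = None
    # Asset Threat potential: attacker motivation, asset types, control maturity
    attacker_motivation: Optional[int] = None
    # Control maturity is shared by three of the four factors; 5 = mature
    control_maturity: Optional[int] = None
    # Information Security Program potential: control maturity, ease of exploitation
    ease_of_exploitation: Optional[int] = None


FACTOR_FIELDS = ("exploitability", "prevalence", "target_attractiveness",
                 "attacker_motivation", "control_maturity", "ease_of_exploitation")

# Assumed factor weights; they must sum to 1.0.
WEIGHTS = {"attack_vector": 0.3, "target": 0.2, "asset_threat": 0.3, "program": 0.2}


def _rating(value: Optional[int], conservative_default: int = RATING_MAX) -> int:
    """Validate a rating; an unassessed (None) rating is scored as worst case."""
    if value is None:
        return conservative_default
    if not RATING_MIN <= value <= RATING_MAX:
        raise ValueError(f"rating {value} outside {RATING_MIN}..{RATING_MAX}")
    return value


def factor_scores(asset: Asset) -> dict:
    """Score the four factors from the text; each is the mean of its sub-elements."""
    # Unknown maturity is treated as immature (1), which means maximum exposure.
    maturity = _rating(asset.control_maturity, conservative_default=RATING_MIN)
    exposure = RATING_MAX + 1 - maturity  # mature controls reduce exposure
    return {
        "attack_vector": (_rating(asset.exploitability)
                          + _rating(asset.prevalence) + exposure) / 3,
        "target": _rating(asset.target_attractiveness),
        "asset_threat": (_rating(asset.attacker_motivation) + exposure) / 2,
        "program": (exposure + _rating(asset.ease_of_exploitation)) / 2,
    }


def risk_score(asset: Asset) -> float:
    """Weighted composite on the same 1..5 scale, rounded for reporting."""
    scores = factor_scores(asset)
    return round(sum(WEIGHTS[k] * scores[k] for k in WEIGHTS), 2)


def unassessed_factors(asset: Asset) -> List[str]:
    """Which ratings are still missing, so the report can flag them for follow-up."""
    return [f for f in FACTOR_FIELDS if getattr(asset, f) is None]


def rank_assets(assets: List[Asset]) -> List[Asset]:
    """Highest risk first; ties broken by name for a stable report."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def report(assets: List[Asset]) -> List[str]:
    """One line per asset for an executive or prioritization report."""
    lines = []
    for a in rank_assets(assets):
        missing = unassessed_factors(a)
        flag = f"  UNASSESSED: {', '.join(missing)}" if missing else ""
        lines.append(f"{risk_score(a):4.2f}  {a.kind:<10} {a.name}{flag}")
    return lines


# Constructed sample inventory; names and ratings are illustrative only.
SAMPLE_INVENTORY = [
    Asset("customer-db", "data", exploitability=4, prevalence=4, target_attractiveness=5,
          attacker_motivation=5, control_maturity=4, ease_of_exploitation=2),
    Asset("payroll-provider", "partner", exploitability=3, prevalence=3,
          target_attractiveness=4, attacker_motivation=4, control_maturity=2,
          ease_of_exploitation=4),
    Asset("cfo-mailbox", "individual", exploitability=4, prevalence=5,
          target_attractiveness=5, attacker_motivation=5),  # not yet assessed for controls
    Asset("intranet-wiki", "system", exploitability=2, prevalence=2, target_attractiveness=2,
          attacker_motivation=2, control_maturity=4, ease_of_exploitation=2),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INVENTORY)))
```

Running the block prints the inventory ordered by composite score, with the partially assessed individual ranked first and flagged; a key person or external partner with immature or unknown controls outranks a well-protected database even though the database holds the more sensitive data, which is the point of extending the asset view beyond systems and data.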