Cybersecurity readiness is a state that every enterprise should strive to achieve. In part one of this series on cybersecurity readiness, a set of fundamental cybersecurity objectives was presented that must be accomplished for an organization to consider itself cybersecurity ready. That article presented seven elements that enterprises need in order to achieve that state of readiness. This article discusses the first element on that list: a cybersecurity plan.
Cybersecurity plan objectives
To achieve any goal or objective, a plan that provides guidance toward those goals and objectives is essential. Cybersecurity is no different than any other kind of endeavor in that regard. In this context, cybersecurity readiness is the goal and a cybersecurity plan is the first of several objectives.
A cybersecurity plan should clearly describe what an organization wants to achieve relative to cybersecurity. If we take a look at the kinds of computer and network security problems being reported every day, there are some obvious security planning topics to pick from. Examples of cybersecurity planning objectives that support cybersecurity readiness might be:
- Protect intellectual property that represents the core value and market differentiation of an organization from theft by threat actors located either inside or outside of the network.
- Protect customers' and employees' personally identifiable information and protected health information from theft by threat actors located either inside or outside of the network.
- The ability to see and understand the security context of every packet that enters and leaves the corporate network: to monitor and understand what information is flowing in, out and through the network, and to know whether that flow of information is wanted or unwanted and appropriate or inappropriate.
- An email system that keeps messages completely confidential regardless of where they are stored or transmitted, whether inside the local network or out on the internet. The email system should provide a high degree of confidentiality even if the mail is stolen.
Each one of these four cybersecurity action plan objectives could and should be treated as a project with a timetable, milestones, measures and metrics. The first and second objectives will likely share many of the same controls and security practices. The third objective will be discussed in depth in an upcoming article on security architecture and network monitoring.
This article discusses achieving a confidential email system as an example of a cybersecurity plan objective, including some of the obstacles involved and examples of measures and metrics that can be used to track progress toward the objective.
The objective of confidential email is achievable through email encryption, a technology that has been around for decades. Why, then, are stolen emails from large corporations, government agencies and political parties regularly disclosed on WikiLeaks and similar sites? Encryption seems like a get-out-of-jail-free card: if the lost or stolen email was encrypted, the organization may not even have to report the loss or theft. So why not use it?
Encryption, particularly public key infrastructure (PKI) cryptography, is not well understood by the average system administrator; it can be tough to implement correctly, it can carry a very high administrative burden and it can be costly. If an encryption system is poorly managed, large amounts of information can be lost, for example when the keys needed to decrypt it are lost. These are some of the arguments against employing encryption. One particular concern with PKI is that everyone who needs to receive encrypted email must have their own PKI key pair; anyone without one cannot participate in a secure email conversation. For large organizations where the majority of email is exchanged between members of the organization, as well as in government, military and intelligence agencies, the costs associated with PKI may well be worth it. For these organizations, automatically encrypting, decrypting and securely storing every email message is a distinct advantage.
There are other products and tools that are less costly and easier to manage, especially if not every email message needs to be encrypted. These options are essentially web mail services: the recipient of an encrypted email may need to go to a secure email portal to read it. Recipients may need to register with the portal and set up authentication credentials, typically a username and password, but no PKI-style key pairs are required. Issues with secure web mail include ensuring that mail is encrypted while at rest on the server, not just in transit; whether or not the encrypted email provider can itself decrypt your email; the complexity of introducing a second email system just for secure email; and the fact that users are left to decide which email messages need to be secured and which do not.
There are email gateway systems that scan unencrypted email before it is sent, looking for keywords and patterns -- such as Social Security numbers and credit card numbers -- and forward any email matching their content filter rules to a secure web portal, where recipients log in and download it. Such a system has the advantage of working with any email system, but it requires the administrative overhead of creating and maintaining the keyword lists and content filter rules. Only email flagged by the content filter is secured, and there is no assurance that every email that should be secured will be identified by the filter.
There are also simpler email encryption systems that use email client plug-ins and symmetric shared-secret keys, where the same key is used for decrypting as for encrypting. Again, the user must decide which email messages are to be encrypted, and there is also the problem of exchanging and maintaining the shared secret key. Exchanging secret keys was one of the problems that public key cryptography was originally meant to solve. These days, it may be just as easy to share a secret key by SMS text message as by any other method.
Measures and metrics
Once a suitable email security system is selected and built, a way of understanding how effective the product or service is must be determined. Effectiveness cannot be measured by how much information was "not lost" thanks to the email security system, but there are simple ways to show progress against the cybersecurity objective of "confidential email."
A simple measure might be the total number of email messages sent per day, week or month. A metric that shows progress toward the cybersecurity objective would then be how much of that email is encrypted, as a percentage of all email sent.
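To make the gateway content filter described earlier and the percentage-encrypted metric above concrete, here is an added example (not code from the article or from any email gateway product) with a hypothetical two-rule filter run over constructed sample messages; the regexes, labels and routing names are assumptions, and the last sample shows the kind of message such rules miss.

```python
import re

# Hypothetical gateway rule set (added example, not any product's rules): formatted
# US Social Security numbers and Luhn-valid 13-19 digit payment card numbers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number`; cuts false positives on long digit runs."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(number) if c.isdigit()):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(body: str) -> set[str]:
    """Labels the content filter attaches to an outbound message body."""
    labels = set()
    if SSN_RE.search(body):
        labels.add("ssn")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(body)):
        labels.add("card")
    return labels

def route(body: str) -> str:
    """Flagged mail is diverted to the secure portal; the rest is delivered in the clear."""
    return "secure-portal" if classify(body) else "deliver"

def encrypted_share(routes: list[str]) -> float:
    """Metric from the article: secured messages as a percentage of all messages sent."""
    return 100.0 * routes.count("secure-portal") / len(routes) if routes else 0.0

# Constructed sample traffic; the last message shows the gap the article warns about:
# an SSN written without dashes matches no rule and leaves the network unencrypted.
SAMPLES = [
    "Quarterly numbers attached, see you Monday.",
    "Employee SSN is 123-45-6789, please update payroll.",
    "Card on file: 4111 1111 1111 1111, exp 12/27.",
    "Order ref 1234 5678 9012 3456, ship when ready.",  # 16 digits but fails Luhn
    "SSN 123456789 (no dashes) for the new hire.",
]

if __name__ == "__main__":
    routes = [route(b) for b in SAMPLES]
    print(f"{encrypted_share(routes):.1f}% of sent mail secured")
```

On the constructed samples the filter secures two of five messages (40%), and the undashed SSN passes through, which is exactly why the metric measures coverage of the filter rather than completeness of protection.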
Editor's note: Stay tuned for more in this series on enterprise cybersecurity readiness.