As I look back on the past year, there are two interesting trends that occurred: First, the amount of money, energy, effort and focus I saw organizations direct toward security increased exponentially; second, the number of attacks, the amount of compromises and the amount of damage occurring to organizations also increased exponentially.
While this may seem puzzling to many -- after all, one would expect to see a decrease in breaches with the increased focus on security -- there are two reasons why this was not the case.
First, attacks continue to be more focused, stealthy and data-motivated. Therefore, if an organization is still using traditional security measures that look for traditional attacks (i.e., attacks that are visible and opportunistic, and go after low-hanging fruit), it will not catch advanced attacks. As a result, organizations that have been under attack did not realize it because they were not focusing their security efforts on the correct areas. Only when an organization focuses on the correct areas will it see the attacks it previously missed.
Second, while organizations are spending a lot of money on security, they are not always spending on the correct areas, which is what I will address in this column. For the past 30 years, organizations have been looking for the security "magic bullet" -- the single technology they believe will provide 100% security. But a simple exercise can help enterprises adopt a more effective, risk-based approach and make better use of those security investments.
Identifying critical assets
When I conduct post-incident follow-up with my clients, it's often discovered that, while the investment in security that these organizations made was a good investment that will help them over the next several years, they are not always targeting the areas necessary to stop the most dangerous threats. The trick to aligning security spending with security needs is to use a risk-based approach. It is important to remember that everything an organization does with security has to be aligned with its critical assets.
Concentrating on an organization's critical data will ensure that it addresses the proper areas of security. As seen in the diagram above, an organization must identify its critical assets and put measures into place to protect them. Once the critical information has been identified, the business processes (or applications) that support and utilize the information must be identified; then the proper security controls can be implemented.
Data and business processes reside on servers. The critical servers that house information should be identified and the proper security should be implemented to fix high-priority vulnerabilities. Finally, the networks these servers reside on must be identified.
Another way to look at this problem is to perform a mini risk assessment. The easiest way to do this is to take a piece of paper and draw three columns on it, as seen in the figure below.
In the first column, identify your highest-priority assets and the business processes that support them. In the second column, identify the threats that have the greatest likelihood of causing harm to these highest-priority assets. In the third column, identify the vulnerabilities that would allow these threats to have the greatest likelihood of causing harm. Items in the third column, labeled vulnerabilities, are the highest-priority items that need to be fixed. If those items are not listed on a security roadmap, the security roadmap is not aligned with the most serious risk.
For example, with a hospital, the highest-priority assets would be PHI (patient health care information), treatments and payment information. The threats that have the greatest likelihood of causing harm would be both internal and external. Internal threats would be individuals who have access and could use it to steal prescription drugs. An external threat would be someone who could use the patient Web interface to alter or modify records or treatments. Vulnerabilities would be older operating systems or unpatched servers that cannot be fixed because of legacy applications.
For this mini risk assessment to work, use only one piece of paper. This will force your organization to prioritize, since there can only be five items per column. This is a straightforward yet very effective way to validate a security approach and make sure that your organization is focused on the correct areas. While this might seem simple, this exercise has been one of the biggest game-changers for our customers because it helps them visualize their high-risk areas and focus on the ones that really matter.
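The three-column worksheet and the roadmap check described above can also be run against an exported roadmap. The following is an added example, not part of the original column: it uses the hospital worksheet from the text, while the roadmap entries, their budgets and the `addresses` field are constructed assumptions.

```python
from dataclasses import dataclass

MAX_ITEMS = 5  # one page: at most five entries per column


@dataclass
class Worksheet:
    assets: list[str]
    threats: list[str]
    vulnerabilities: list[str]

    def validate(self) -> None:
        for column in ("assets", "threats", "vulnerabilities"):
            n = len(getattr(self, column))
            if not 1 <= n <= MAX_ITEMS:
                raise ValueError(f"{column}: {n} items, expected 1 to {MAX_ITEMS}")


def check_alignment(sheet: Worksheet, roadmap: list[dict]) -> dict:
    """Compare a roadmap against column three of the worksheet."""
    sheet.validate()
    wanted = {v.strip().lower(): v for v in sheet.vulnerabilities}
    covered, unaligned, aligned_budget, total = set(), [], 0, 0
    for item in roadmap:
        hits = {a.strip().lower() for a in item["addresses"]}.intersection(wanted)
        total += item["budget"]
        if hits:
            covered |= hits
            aligned_budget += item["budget"]
        else:
            unaligned.append(item["name"])  # spend that maps to no listed vulnerability
    return {
        "uncovered": [v for k, v in wanted.items() if k not in covered],
        "unaligned": unaligned,
        "aligned_budget_share": aligned_budget / total if total else 0.0,
    }


# Worksheet from the hospital example in the text.
HOSPITAL = Worksheet(
    assets=["PHI", "treatments", "payment information"],
    threats=["insider using access to steal prescription drugs",
             "outsider altering records through the patient Web interface"],
    vulnerabilities=["older operating systems",
                     "unpatched servers tied to legacy applications"],
)

# Constructed roadmap: names, budgets and the 'addresses' field are hypothetical.
ROADMAP = [
    {"name": "Perimeter firewall refresh", "budget": 400, "addresses": []},
    {"name": "Segment legacy servers", "budget": 150,
     "addresses": ["Unpatched servers tied to legacy applications"]},
    {"name": "Awareness posters", "budget": 50, "addresses": []},
]

if __name__ == "__main__":
    print(check_alignment(HOSPITAL, ROADMAP))
```

Anything reported under `uncovered` is a column-three item missing from the roadmap; anything under `unaligned` is spending that does not trace back to the worksheet.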
Saying that security is all about risk is easy, but very few organizations are actually practicing what they preach. Performing this three-column assessment will help validate whether your organization's security efforts are properly aligned. In summary, a quick way to always verify and validate whether your organization is focusing on the right areas of security is to ask three questions before you spend any time or budget dollars on security:
- What is the risk?
- Is it the highest-priority risk?
- Is the solution the most cost-effective way to reduce the risk?
Always asking these three questions will keep your security program on track and ensure that your organization is focusing on the areas that really matter.
If there is an article that you would like written or a problem you are looking to solve, please contact Eric Cole at firstname.lastname@example.org.
About the author:
Eric Cole is an industry-recognized security expert with more than 25 years of hands-on experience. He is the founder of, and an executive leader at, Secure Anchor Consulting, where he provides leading-edge cybersecurity consulting services and expert-witness work, and leads research and development initiatives to advance state-of-the-art information systems security. He was the lone inductee into the Infosecurity Europe Hall of Fame in 2014. He is actively involved with the SANS Technology Institute and is a SANS faculty senior fellow and course author who works with students, teaches, and develops and maintains courseware.