False sense of cybersecurity

Testing your own defenses is important -- and too many organizations are doing it incorrectly.

Cybersecurity has now moved front and center in the government and private sector alike. This is due to a number of factors including the frequency of cyberattacks, the sophistication of those attacks and, most importantly, their implications. Why do you think Russia has moved to typewriters in order to stop the flow of compromised information? That speaks volumes about the state of cyber insecurity.

Organizations routinely leverage standards and regulations like the Federal Information Security Management Act as the foundation of the enterprise security strategy. In a National Institute of Standards and Technology document addressing FISMA, the following section was included under the topic of what an effective information security program should include:

“Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually.”

The cyberwar gaming component has become a hot topic as of late. It is being used to evaluate the effectiveness of cybersecurity efforts and programs that have been implemented by organizations. However, the way an organization addresses the cyberwar game scenario significantly impacts the value of the exercise. Many organizations are staffing both the red (attackers) and blue (defenders) from inside the organization. That has a number of shortcomings, least of which is bias of those selecting the team members. In one instance those designing the evaluation exercise actually stated, “We want our security team (blue defenders) to win. We want to build their confidence.” That is a dangerous as it gives a false sense of cybersecurity and does not meet the intent of the NIST/FISMA section identified above.

At a recent cybersecurity event, one individual went as far as to suggest taking the same approach as was used in the Payment Card Industry security compliance requirements for FISMA. That would mean an independent evaluation of an organization’s cybersecurity program. At a minimum all organizations should be using outside objective red teams. That would give a much better evaluation of the effectiveness of the cybersecurity measures that were put in place. Cybersecurity is too important to shortcut the evaluation of cybersecurity measures.