Two of the most fundamental and perhaps difficult questions to answer in relation to information protection are:
- 1.How do I know what to protect?
- 2.How do I go about protecting it?
The answers to these questions should form the basis of your information protection measures as without this, you may be wasting effort by protecting the wrong things or not protecting them well enough.
Having answered these questions a few times already, I thought I should share my views with the rest of the information security community.
Let’s start with the first question. The simple answer to this is your most valuable information assets. However, what constitutes a ‘valuable information asset’ will vary between businesses. The easiest way to answer this is to identify your systems, the information they process or handle and list these down. Then talk to the business (people that use the various systems) and try and understand what the loss of those systems and their data would mean to them. Typically systems that directly support the core function of the business are most critical. An example would be the SCADA system in a utility company.
Plot the results on a grid similar to the one below and focus on protecting the systems to the top right first:
You will notice that I have paid particular attention to availability requirements as this is often the neglected part of the Confidentiality, Integrity and Availability matrix.
Now you are ready to answer the second question.
Once you have identified the information assets and associated systems to protect, critically evaluate your ability to predict, prevent, detect and respond to threats to your critical information assets. These four things are defined as follows:
- Predict – systems, tools, policies and procedures that help detect vulnerabilities in systems and predict potential avenues of attack
- Prevent – systems, tools, policies and procedures that prevent threats affecting your systems. An example would be the corporate firewall
- Detect – systems, tools, policies and procedures that give you the ability to detect threats that may be affecting your system. An example here would be an Intrusion Detection System
- Respond – systems, tools, policies and procedures that allow you to respond to threats and contain / eradicate them. A policy example would be the corporate Incident Response Plan and associated tools
It is extremely important to ensure that ALL of the above items are addressed and available to protect your critical information assets. Having just one is not enough. Unfortunately, usually the ‘prevent’ component is addressed and limited focus is given to the ‘predict’, ‘detect’ and respond’ components. As an example, having a firewall is not enough. With the threat landscape forever increasing, having the ability to predict (regular vulnerability scanning), detect (an intrusion prevention system for example) and respond (people, tools and policy) to detected threats is very important. Let’s not forget that your firewall is always open, as everyone allows web traffic (HTTP / HTTPS) through and attackers are increasing taking advantage of this fact.
The above strategy can perhaps best be illustrated by looking at the protection we apply in our homes. Our family is what we try and protect as that is what we value most. We will survey our homes to detect points of weaknesses so that we can predict avenues of attack and vulnerabilities and control these. We have doors and locks to prevent intruders from entering our homes. Most of us will have installed an alarm system to detect intrusions while we are away or asleep. And increasingly people are acquiring automated response capability from security companies when alarms get triggered. Even the simple act of having a guard dog allows us to have this response capability when required. A similar philosophy should be applied when protecting our information assets to ensure complete coverage.
You must also ensure that the ‘predict, prevent, detect and respond’ measures you come up with address all three basic controls types to ensure full coverage. These control types are as follows:
- Administrative – security policies and procedures that provide guidance on how to protect critical information assets e.g. IT Security Policy
- Physical – locks, keys, etc. that prevent intruders from gaining physical access to systems processing or holding critical information assets
- Technical – technology e.g. firewall utilised to stop intruders from gaining logical unauthorised access to critical information assets
Drawing up a simple grid like the one below for each critical information asset and the related system can allow you to perform this assessment:
Please note that the above is an illustrative example and is not meant to be an exhaustive listing of all controls expected to be applied. The take away from this point is that you should NOT have any blocks empty and if you do, then you need to address that immediately.
Due to resource constraints it can be difficult to address all areas particularly the ‘detect and response’ areas on a 24x7 basis. 24x7 capability is important with businesses that operate on this basis or have critical information or infrastructure to protect. In such cases, outsourcing some of these responsibilities to a specialist managed security provider can be advisable as a quick and cost effective solution.
Within this article I have tried to highlight what needs protecting and how to go about protecting it. It certainly is not easy doing this, but as the saying goes ‘the pain of discipline is far less than the pain of regret’.