What do we do about Cybersecurity? Part 2

Data center - where is your critical data located?

Do you know where your critical data is?

You can’t protect your crown jewels if you don’t know what you need to protect, where it is located, have a good strategy for protecting it, and have good execution of your strategy.

In part 1 of the blog series “What do we do about Cybersecurity?“, I identified the best way to get started with improvement is to perform a cybersecurity risk assessment of your organization using the NIST Cybersecurity Framework (CSF), along with several key problems with implementing it.

I found this nice overview for small & medium sized businesses cybersecurity overview (not tied to any framework), “The SMB Cyber Security Survival Guide” at the We Live Security blog.

In this part of the blog series, let’s look at how to identify and prioritize your assets and threats, the first two steps in the CFS process.

Identify (part 2)

Step 1, Data Classification

There are only 2 kinds of data:

  1. What somebody wants to steal
  2. Everything else

Attackers are after the data you have.  Most organizations have not thought much about what data is critical to their business or sensitive to their customers, thus, data is strewn across the entirety of the organization’s computer systems: email, file shares, laptops, mobile devices, databases, etc.  This is equivalent to a bank having their employees store all of the bank’s money in their desk drawers and filing cabinets.

Microsoft just published a very good blog post “Protect your highly sensitive information”.

You can’t protect your crown jewels if you don’t know what you need to protect, where it is located, have a good strategy for protecting it, and have good execution of your strategy.

Best practice recommends only 3 data classifications, unless required by regulation.  The terminology may vary from organization to organization:

Radio Active, Toxic, and Unclassified data classification values

Sensitivity Model 1 Model 2 Model 3
High Radio Active Confidential Restricted
Moderate Toxic For Internal Use Only Sensitive
Low Unclassified Public Unrestricted

A few resources for data classification are:

The kinds of information that you need to protect for your business survival:

  • Intellectual Property. What would you lose if your competition obtained your trade secret, proprietary process, key personnel, product plans, etc?  How much worse would it be for a foreign competitor, with lower labor rates, to easily reach parity with you, or surpass you?
  • Organizational operations including mission, functions, image, reputation / brand, personnel, contractors, organizational assets.
  • Customer data including identity, location, financial, medical, history, and trends.
  • Other organizations, contractors, working relationships, non-disclosure information, etc.

Remember that “60% of small businesses close within six months of experiencing a data breach”. Your Brand is your company.  Lose customer trust in your brand, you may lose your company.

Next, identify your critical systems by data classification level:

  • Applications that process each classification type. Is it encrypted in transit?
  • Data storage location (system and location).  Is it encrypted?
  • Credentials allowed access, and access type.
  • Access Path(s) to the storage and processing systems.

By limiting the number of systems and access paths to those systems processing or storing critical data, you can prioritize the security focus, protections, and effort towards the most important assets.

Step 3, Threats

Identifying and prioritizing threats and vulnerabilities is a process whereby you analyze the possible actors and their motivations, and your vulnerabilities that would lead them to interfere with what you have.

If the level of value a threat actor would receive from a successful attack is greater than the cost (including effort and negative repercussions) of performing the attack, then there is motivation to proceed.  The greater the net value is, the more motivated and persistent the threat actor will be in executing the attack.

The threats are various: Malicious actors, Criminals, Economic Adversaries, Nation state adversaries, disgruntled organization personnel, disgruntled nation state, etc.  There are many known and unknown reasons someone may attack you.  Don’t forget about the natural threats including natural disasters, civil disruptions, and other non-IT specific threats.  Threats should include all possibilities so that their associated risk may be determined.

The most common motivations for a cyber attack you might consider are:

  • Financial gain (direct, or indirect), such as Identity Theft, or tamper with financial transactions
  • Obtain proprietary / internal information (Intellectual Property)
  • Disrupt or disable targets capability
  • Ransom / Terrorism against a person, organization or state
  • Revenge (sense of revenge, righting a wrong, etc.)
  • Hijacking your infrastructure for their own purposes
  • Because they can – joy or prestige associated with overcoming a challenge, i.e., they break in and leave their mark to show they’ve been there

The value to the threat actor for some of these motivations are easier to quantify than others.  If someone wants to attack you because of revenge, how do you estimate the threat actor’s motivation level?  Doing so is highly dependent upon your organizations specific ever-changing business and threat environments.

Then analyze your weaknesses, which may include the lack of technical people, lack of budget, lack of processes, infrastructure configuration, tools, technology, etc.  It is important to evaluate this analysis regarding your business environment and agree on a risk tolerance level, as depicted in the following diagram.

Risk Profile Heat Map, indicating threat probability versus impact.

A couple of resources for risk management are:

In next part of this blog series, I’ll go through the creation of a current CSF profile and conducting a Risk Assessment.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s