What’s in YOUR Profile?

Part 3 of the series “What do we do about Cybersecurity?”

In part 1 of the blog series “What do we do about Cybersecurity?”, I identified that the best way to get started with improvement is to perform a cybersecurity risk assessment of your organization using the NIST Cybersecurity Framework (CSF), and noted several key problems with implementing it. In part 2, I provided some considerations for identifying your critical assets, data categorization, and threat identification.

In this part, I am asking “What’s in YOUR Profile?”

Please answer in the comments to this post, because I really would like to know! My Google, Bing, Yahoo and DuckDuckGo searches for a sample of, or recommended data elements for, a NIST Cybersecurity Framework Profile have all returned nothing other than references to paid content, so I’ll be the creator of a profile template that we are integrating into our Enterprise Cybersecurity Risk Management solution, Rofori.

The next step in the CSF process is to create a “current” profile that:

“… represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories.”

The CSF guidance for profile content is:

“This Framework document does not prescribe Profile templates, allowing for flexibility in implementation.”

Flexibility is great, but some suggestions or a sample or two would be nice. With no samples, or suggested content other than that described in the CSF core document, we need to figure out how to represent a CSF profile. The framework suggests the following for developing a profile:

“To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important; they can add Categories and Subcategories as needed to address the organization’s risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation.”

“The Current Profile indicates the cybersecurity outcomes that are currently being achieved.”

My objective is to ultimately compute a Cybersecurity Posture value based upon the actual results of an organization operating its CSF Profile. Since we will be performing risk-based analysis, we need to identify and prioritize the CSF Subcategories currently being performed and then provide an outcome effectiveness value. By doing this, we can compute an overall effectiveness value and produce a heat map (risk profile map) for cybersecurity outcomes in a manner analogous to threats in a threat matrix.

As a starting place for my current CSF Profile, I am taking the CSF Core spreadsheet (…review all of the Categories and Subcategories …) and adding 2 columns:

  1. Subcategory Priority (…determine which are most important …)
  2. Outcome Effectiveness (“The Current Profile indicates the cybersecurity outcomes that are currently being achieved”)

A subcategory that has a priority value (I like using 1 to 10, with 10 being the highest priority) is a subcategory that is included in the profile. I then enter an effectiveness score (again, 1 to 10), derived from a self-assessment or a recent cybersecurity audit, for each subcategory that is in the current profile:

As you can see in my sample Current CSF Profile above, we are currently performing 8 of the 98 CSF subcategories with varying degrees of outcome effectiveness. I have computed the overall score, which is not robust enough to be a posture assessment, by calculating a scaled weighted average: for each subcategory, multiply the Priority and Outcome Effectiveness values, add the products up across the 8 subcategories, divide by the number of subcategories, and scale the result to lie between 1 and 10. This results in an overall score of 4.94 over 8 subcategories.

But, the score of 4.94 needs to be put into perspective of the number of subcategories employed. We next compute the normalized score by scaling the result by the percentage of subcategories in the profile (i.e., 4.94 x 8 / 98 = 0.40). This enables a more direct raw score comparison, but I believe that it is critical to know the number of subcategories along with the score. Thus I propose reporting scores in the form of “score|subcategories” (0.40 | 8).
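The scoring just described, written out as an added example (my own code, not part of the original post or of Rofori): priority times effectiveness per subcategory, averaged, scaled to 1..10, normalized by the share of the 98 subcategories in the profile, and reported as “score|subcategories”. The sample profile values are constructed, and the “scale to 1..10” step is assumed to be a division of the 1..100 average by 10; the weakest_outcomes helper is my addition for picking the cells a heat map of outcomes would colour red.

```python
# Added example (not from the original post): scoring a Current CSF Profile
# the way the post describes: priority x outcome effectiveness per subcategory,
# averaged, scaled to 1..10, then normalized by the share of the 98 CSF
# subcategories that are in the profile, and reported as "score|subcategories".
from dataclasses import dataclass

TOTAL_SUBCATEGORIES = 98  # CSF 1.0 core, as counted in the post


@dataclass(frozen=True)
class ProfileEntry:
    subcategory: str       # CSF subcategory identifier, e.g. "PR.PT-3"
    priority: int          # 1..10, 10 = highest business priority
    effectiveness: int     # 1..10 outcome effectiveness from self-assessment/audit


def _check(entry: ProfileEntry) -> None:
    for name in ("priority", "effectiveness"):
        value = getattr(entry, name)
        if not 1 <= value <= 10:
            raise ValueError(f"{entry.subcategory}: {name} must be 1..10, got {value}")


def raw_score(profile: list[ProfileEntry]) -> float:
    """Scaled weighted average, as in the post.

    Assumption: "scale to 1..10" is done by dividing the average of the
    priority*effectiveness products (each 1..100) by 10.
    """
    if not profile:
        raise ValueError("an empty profile has no score")
    for entry in profile:
        _check(entry)
    total = sum(e.priority * e.effectiveness for e in profile)
    return total / len(profile) / 10


def normalized_score(profile: list[ProfileEntry]) -> float:
    """Raw score scaled by the fraction of all CSF subcategories in the profile."""
    return raw_score(profile) * len(profile) / TOTAL_SUBCATEGORIES


def report(profile: list[ProfileEntry]) -> str:
    """The post's 'score|subcategories' form, e.g. '0.40|8'."""
    return f"{normalized_score(profile):.2f}|{len(profile)}"


def weakest_outcomes(profile: list[ProfileEntry], limit: int = 3) -> list[str]:
    """Subcategories where high priority meets low effectiveness: the cells a
    heat map of outcomes would colour red. Gap = priority * (10 - effectiveness)."""
    ranked = sorted(profile, key=lambda e: e.priority * (10 - e.effectiveness), reverse=True)
    return [e.subcategory for e in ranked[:limit]]


# Constructed sample profile: 8 of 98 subcategories, values invented for the example.
SAMPLE_PROFILE = [
    ProfileEntry("ID.AM-1", 9, 6),
    ProfileEntry("ID.AM-2", 8, 5),
    ProfileEntry("PR.AC-1", 10, 7),
    ProfileEntry("PR.DS-1", 7, 4),
    ProfileEntry("PR.PT-3", 9, 2),   # the admin-account habit the post mentions
    ProfileEntry("DE.CM-1", 8, 5),
    ProfileEntry("RS.RP-1", 7, 3),
    ProfileEntry("PR.AT-1", 5, 6),
]

if __name__ == "__main__":
    print("raw:", round(raw_score(SAMPLE_PROFILE), 2))
    print("report:", report(SAMPLE_PROFILE))
    print("weakest:", weakest_outcomes(SAMPLE_PROFILE))
```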

The best approach is to be honest: it is better to identify a weakness than to ignore it. By identifying the accurate outcome effectiveness, you can make better informed risk-based business decisions. Notice subcategory PR.PT-3. We all know that we should operate our computers as a “user”, but it sure is convenient to log into an Administrator account 😉

Risk Assessment

In part 2 of this blog series, in addition to identifying and prioritizing your threats and weaknesses, I gave a preview of risk assessment results.

Step 4, Risk assessment – analyze your operational environment to discern likelihood and impact of cybersecurity events. Take your prioritized list of threats and weaknesses and for each one, add a score value (1 to 10) of the Probability of the event taking place, and then a score for the Impact of the event. You can create a heat map (risk profile map) that plots the events and identifies the threats and weaknesses where you need to take proactive action to prevent or mitigate threats.

In the next part of this blog series, I’ll go through the creation of the Target CSF profile, identifying gaps, and implementing an action plan.

As always, your feedback and comments are welcomed,


What do we do about Cybersecurity? Part 2

Data center - where is your critical data located?

Do you know where your critical data is?

You can’t protect your crown jewels if you don’t know what you need to protect, where it is located, have a good strategy for protecting it, and have good execution of your strategy.

In part 1 of the blog series “What do we do about Cybersecurity?“, I identified that the best way to get started with improvement is to perform a cybersecurity risk assessment of your organization using the NIST Cybersecurity Framework (CSF), and noted several key problems with implementing it.

I found a nice cybersecurity overview for small and medium-sized businesses (not tied to any framework), “The SMB Cyber Security Survival Guide”, at the We Live Security blog.

In this part of the blog series, let’s look at how to identify and prioritize your assets and threats, the first two steps in the CSF process.

Identify (part 2)

Step 1, Data Classification

There are only 2 kinds of data:

  1. What somebody wants to steal
  2. Everything else

Attackers are after the data you have.  Most organizations have not thought much about what data is critical to their business or sensitive to their customers, thus, data is strewn across the entirety of the organization’s computer systems: email, file shares, laptops, mobile devices, databases, etc.  This is equivalent to a bank having their employees store all of the bank’s money in their desk drawers and filing cabinets.

Microsoft just published a very good blog post “Protect your highly sensitive information”.

Best practice recommends only 3 data classifications, unless required by regulation.  The terminology may vary from organization to organization:

Radio Active, Toxic, and Unclassified data classification values

Sensitivity   Model 1        Model 2                 Model 3
High          Radio Active   Confidential            Restricted
Moderate      Toxic          For Internal Use Only   Sensitive
Low           Unclassified   Public                  Unrestricted

A few resources for data classification are:

The kinds of information that you need to protect for your business survival:

  • Intellectual Property. What would you lose if your competition obtained your trade secret, proprietary process, key personnel, product plans, etc?  How much worse would it be for a foreign competitor, with lower labor rates, to easily reach parity with you, or surpass you?
  • Organizational operations including mission, functions, image, reputation / brand, personnel, contractors, organizational assets.
  • Customer data including identity, location, financial, medical, history, and trends.
  • Other organizations, contractors, working relationships, non-disclosure information, etc.

Remember that “60% of small businesses close within six months of experiencing a data breach”. Your Brand is your company.  Lose customer trust in your brand, you may lose your company.

Next, identify your critical systems by data classification level:

  • Applications that process each classification type. Is it encrypted in transit?
  • Data storage location (system and location).  Is it encrypted?
  • Credentials allowed access, and access type.
  • Access Path(s) to the storage and processing systems.

By limiting the number of systems and access paths to those systems processing or storing critical data, you can prioritize the security focus, protections, and effort towards the most important assets.
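A way to capture the four items above as a checkable inventory, added here as an example (my own code, not the post’s or Rofori’s): each critical system is recorded with its classification, storage location, encryption status, credentials and access paths, and systems are ranked by classification with their gaps. The classification names follow the post’s Model 1; the inventory entries, the “more than two read-write principals” and “more than one access path” thresholds are constructed assumptions for the example.

```python
# Added example (not from the original post): a minimal critical-systems
# inventory keyed by data classification, with the checks the post's list
# asks for (encryption in transit, encryption at rest, who may access, how).
from dataclasses import dataclass, field

# Sensitivity levels use the post's Model 1 names; the numbers give an ordering.
LEVELS = {"Unclassified": 0, "Toxic": 1, "Radio Active": 2}


@dataclass
class CriticalSystem:
    name: str
    classification: str          # one of LEVELS
    storage_location: str        # system and physical location (constructed values)
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    credentials: dict[str, str] = field(default_factory=dict)  # principal -> access type
    access_paths: list[str] = field(default_factory=list)      # network paths in


def findings(system: CriticalSystem) -> list[str]:
    """Return the gaps for one system; an empty list means no obvious gap."""
    if system.classification not in LEVELS:
        raise ValueError(f"{system.name}: unknown classification {system.classification!r}")
    level = LEVELS[system.classification]
    out = []
    if level >= 1 and not system.encrypted_in_transit:
        out.append("not encrypted in transit")
    if level >= 1 and not system.encrypted_at_rest:
        out.append("not encrypted at rest")
    if level == 2:
        writers = [p for p, a in system.credentials.items() if a == "read-write"]
        if len(writers) > 2:   # assumed threshold: keep write access to a handful of principals
            out.append(f"{len(writers)} principals with read-write access")
        if len(system.access_paths) > 1:   # assumed: one path is easier to defend than several
            out.append(f"{len(system.access_paths)} access paths; consolidate to one")
    if not system.credentials:
        out.append("no access list recorded")
    return out


def prioritize(inventory: list[CriticalSystem]) -> list[tuple[str, list[str]]]:
    """Systems with gaps, highest classification first, so effort goes to the crown jewels."""
    ranked = sorted(inventory, key=lambda s: LEVELS[s.classification], reverse=True)
    return [(s.name, findings(s)) for s in ranked if findings(s)]


# Constructed inventory for the example.
INVENTORY = [
    CriticalSystem("customer-db", "Radio Active", "db01 / HQ server room",
                   encrypted_in_transit=True, encrypted_at_rest=False,
                   credentials={"app-svc": "read-write", "dba": "read-write",
                                "reporting": "read-only", "backup": "read-write"},
                   access_paths=["app tier", "office VPN", "vendor VPN"]),
    CriticalSystem("hr-fileshare", "Toxic", "fs02 / HQ server room",
                   encrypted_in_transit=False, encrypted_at_rest=True,
                   credentials={"hr-staff": "read-write"},
                   access_paths=["office LAN"]),
    CriticalSystem("marketing-site", "Unclassified", "cloud web host",
                   encrypted_in_transit=True, encrypted_at_rest=False,
                   credentials={"web-admin": "read-write"},
                   access_paths=["internet"]),
]

if __name__ == "__main__":
    for name, gaps in prioritize(INVENTORY):
        print(name, "->", "; ".join(gaps))
```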

Step 3, Threats

Identifying and prioritizing threats and vulnerabilities is a process whereby you analyze the possible actors and their motivations, and the vulnerabilities of yours that would let them interfere with what you have.

If the level of value a threat actor would receive from a successful attack is greater than the cost (including effort and negative repercussions) of performing the attack, then there is motivation to proceed.  The greater the net value is, the more motivated and persistent the threat actor will be in executing the attack.

The threats are various: Malicious actors, Criminals, Economic Adversaries, Nation state adversaries, disgruntled organization personnel, disgruntled nation state, etc.  There are many known and unknown reasons someone may attack you.  Don’t forget about the natural threats including natural disasters, civil disruptions, and other non-IT specific threats.  Threats should include all possibilities so that their associated risk may be determined.

The most common motivations for a cyber attack you might consider are:

  • Financial gain (direct or indirect), such as identity theft or tampering with financial transactions
  • Obtain proprietary / internal information (Intellectual Property)
  • Disrupt or disable the target’s capability
  • Ransom / Terrorism against a person, organization or state
  • Revenge (sense of revenge, righting a wrong, etc.)
  • Hijacking your infrastructure for their own purposes
  • Because they can – joy or prestige associated with overcoming a challenge, i.e., they break in and leave their mark to show they’ve been there

The value to the threat actor for some of these motivations is easier to quantify than for others.  If someone wants to attack you out of revenge, how do you estimate the threat actor’s motivation level?  Doing so is highly dependent upon your organization’s specific, ever-changing business and threat environments.

Then analyze your weaknesses, which may include the lack of technical people, lack of budget, lack of processes, infrastructure configuration, tools, technology, etc.  It is important to evaluate this analysis regarding your business environment and agree on a risk tolerance level, as depicted in the following diagram.

Risk Profile Heat Map, indicating threat probability versus impact.
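The heat map described here and in the Step 4 risk assessment in part 3, as an added example (my own code, not the post’s or Rofori’s): each prioritized threat or weakness gets a probability and impact score from 1 to 10, events are binned into a 3x3 probability-versus-impact grid, and those whose probability times impact exceeds the agreed risk tolerance are listed worst first. The band cut-offs (1-3 low, 4-7 medium, 8-10 high), the tolerance value and the sample events are constructed assumptions.

```python
# Added example (not from the original post): plotting prioritized threats and
# weaknesses on a probability x impact grid (the post's risk profile heat map)
# and picking out the ones above an agreed risk tolerance.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    name: str
    probability: int   # 1..10 likelihood the event happens
    impact: int        # 1..10 damage if it does


def _band(value: int) -> str:
    """Collapse a 1..10 score into the three bands a heat map colours (assumed cut-offs)."""
    if not 1 <= value <= 10:
        raise ValueError(f"score must be 1..10, got {value}")
    return "low" if value <= 3 else "medium" if value <= 7 else "high"


def risk_score(event: RiskEvent) -> int:
    """Probability x impact, 1..100."""
    return event.probability * event.impact


def heat_map(events: list[RiskEvent]) -> dict[tuple[str, str], list[str]]:
    """Group events by (impact band, probability band) cell, like the 3x3 chart."""
    cells: dict[tuple[str, str], list[str]] = {}
    for e in events:
        cells.setdefault((_band(e.impact), _band(e.probability)), []).append(e.name)
    return cells


def above_tolerance(events: list[RiskEvent], tolerance: int) -> list[str]:
    """Events whose score exceeds the agreed tolerance, worst first: these are the
    ones needing proactive prevention or mitigation."""
    hot = [e for e in events if risk_score(e) > tolerance]
    return [e.name for e in sorted(hot, key=risk_score, reverse=True)]


def render(events: list[RiskEvent]) -> str:
    """Text rendering of the grid, high impact at the top, high probability at the right."""
    cells = heat_map(events)
    bands = ["low", "medium", "high"]
    lines = []
    for impact in reversed(bands):
        row = [", ".join(cells.get((impact, prob), [])) or "-" for prob in bands]
        lines.append(f"impact {impact:>6} | " + " | ".join(f"{c:<28}" for c in row))
    lines.append("probability:   " + " | ".join(f"{b:<28}" for b in bands))
    return "\n".join(lines)


# Constructed sample events drawn from the threat and weakness types the post lists.
SAMPLE_EVENTS = [
    RiskEvent("phishing leads to credential theft", 8, 7),
    RiskEvent("ransomware on file shares", 6, 9),
    RiskEvent("insider leaks customer data", 3, 8),
    RiskEvent("laptop lost with unencrypted data", 5, 6),
    RiskEvent("web defacement", 4, 2),
    RiskEvent("flood in server room", 1, 9),
]

if __name__ == "__main__":
    print(render(SAMPLE_EVENTS))
    print("above tolerance 30:", above_tolerance(SAMPLE_EVENTS, 30))
```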

A couple of resources for risk management are:

In the next part of this blog series, I’ll go through the creation of a current CSF profile and conducting a Risk Assessment.


What do we do about Cybersecurity?

An illustration of the Target credit card data breach

We all know that our computer systems are not really secure, especially when connected to the Internet.  So much is being written about the need to improve, and there are many guides to get started (e.g., DHS, FCC, SBA, Stop Think Connect, etc.).  Most of these programs inform you of what needs to be done, but not how to do it.

What I want to do is to identify some specific steps and considerations for “how to do it”.  Since the “how to’s” for cybersecurity improvement can’t be condensed down into a single blog post, it looks like this will become a series.  The best thing to do is to get started!

Start (part 1)

The use of a Risk Management approach is an excellent way to measure and manage cybersecurity risk in harmony with your other business risks.  The place to start is the NIST Cybersecurity Framework (CSF); here is the link to the PDF.  I used the Cybersecurity Framework when it was first published in February 2014 to start a discussion with our CEO and Board of Directors. It was the first time that they understood, more than superficially, why cybersecurity is important to our company and what it meant to provide cybersecurity protection.  In fact, the ensuing discussion about what our critical assets (data) were, what the threats were, and what our strategy should be for protecting our critical information transformed our approach to business.  The following is a nice summary video, “NIST Cybersecurity Framework Explained”, from Rapid7.

The NIST Cybersecurity Framework suggests the following steps to create or improve a cybersecurity program:

  1. Identify and prioritize your critical assets (data), and the systems that process it.
  2. Identify and prioritize threats to your critical assets and systems.
  3. Create a current Framework Profile – which Category and Subcategory outcomes are currently being achieved.
  4. Risk assessment – analyze operational environment to discern likelihood and impact of cybersecurity events.
  5. Create Target Framework Profile – describing the organization’s desired cybersecurity outcomes.
  6. Determine, Analyze, and Prioritize Gaps.
  7. Implement Action Plan.

While these steps sound easy, there are challenges with differing terminology, definitions, value assessment, expectations, and lack of measures and metrics that are identified in trying to create your CSF Profile.  We have found that as discussions proceed, clarity and consistency improvements spread through the organization.  This clarification activity alone will contribute to improved cybersecurity posture.

Once this baseline is established, part of the implementation should be the definition and collection of metrics that the organization will use to re-assess its cybersecurity risk by repeating the steps with updated metrics and changing business and threat environment information.

There are several key problems in actually implementing the Framework:

  1. Most organizations have not identified and prioritized their critical assets, thus the data is strewn across the organization’s infrastructure.  This is like a bank whose employees store all of the bank’s money in their desk drawers and filing cabinets. It’s distributed, but not very accessible or secure, and you have to secure everything at a high level, which is not cost effective.
  2. Most small and medium sized businesses think they are too small, or don’t have anything of interest.  Wrong – every organization is a target to someone.
  3. Risk assessments may not be typically expressed in terms of dollars.
    • What are the costs to your business if the threats were successful in obtaining your critical assets?  Could you stay in business?
    • How much is the business willing to spend to prevent the Cybersecurity Risks?  In other words, how much are you willing to spend in prevention, or risk transfer, while retaining a viable business model?  This may set the upper limit for your cybersecurity budget, including cybersecurity insurance.
  4. How do you measure the effectiveness of the cybersecurity program or outcomes (steps 3 and 5)?
    • If you can’t measure, how do you know if you improve or not?
    • How do you know if you are measuring the right things?
    • Who knows of any consensus standard metrics?
  5. How do you respond to all of the alerts and indicators you receive from the array of security tools that have been deployed in your organization?  For almost every breach documented, there were indicators that the organization missed.

In the next few posts, I’ll share some “how to’s” for identifying and prioritizing your assets and threats, creation of your current profile and risk assessment, creation of your target profile, gap assessment, and action plan.  I’ll conclude this series with how to tie all of this up into an integrated operational process, with automated support solutions, and how to take the subsequent steps towards continuous cybersecurity improvement.

In a preview of the solution, Rofori is a real-time collaborative continuous Situational Awareness (SA) process management system for cybersecurity. Rofori provides real-time continuous management and assessment against the NIST Cybersecurity Framework, thus providing organizations insight into their cybersecurity posture based on continuous monitoring activity across time and in turn, measure cybersecurity improvement.

Rofori Brings  Process Control to Continuous Monitoring within the NIST Cybersecurity Framework


3 Reasons we’re not ready for the Internet of Things

The Internet of Things (IoT) will be great: I’ll be able to tell my refrigerator to defrost those steaks I want for dinner before I leave the office. I’ll be able to have my house warm before I get home from working overtime on a cold day (hello Nest). According to McKinsey Global Institute, the Internet of Things has the potential to create an economic impact of $2.7 trillion to $6.2 trillion annually by 2025 (McKinsey Global Institute, Disruptive technologies: Advances that will transform life, business, and the global economy, May 2013). From Microsoft’s White Paper on IoT for business:

The term “the Internet of Things” isn’t new. It was actually coined nearly 20 years ago by professors at MIT to describe a world where “things,” which can be devices or sensors, are both smart and connected, with the ability to collect and share data. Data coming from those devices and/or sensors is endless, and when combined and analyzed with other types of data, it can uncover insights that were out of reach in the past.

There is a statement in the Wired article Why Tech’s Best Minds Are Very Worried About the Internet of Things which declares the importance of IoT: “Everyone will be affected by this collision of hardware and software, by the merging of the virtual and real”. This Wired article is a very good summary of my view on IoT, but I would like to expand 3 reasons we are not ready for the Internet of Things.

1. Increasing Complexity

“The web will be embedded in everything from your car to your sneakers. We will live in a world where many things won’t work and nobody will know how to fix them”. How many people can set the clock on their DVR? How many people can fix their PC, tablet, or smart phone application problem?

How are users expected to set up, configure, manage, and update everything? Download the app to your smartphone to connect to the device, and make sure everything is connected to the same network? Or are the device manufacturers going to ask users to remove WiFi passwords, or use some other approach that reduces the consumer’s security posture to make the devices work? Are vendors going to deploy WiFi cracking or security bypassing techniques to make it easier for users to set up and use?

Tomasz Tunguz goes into more detail in his article What’s Wrong with the Internet of Things.

2. Loss of privacy (or anonymity)

Also in the Wired article was the statement “By 2025, we will have long ago given up our privacy. The Internet of Things will demand–and we will give willingly–our souls.” In my view, most people have already given up their privacy in 2014. There is also an ethical dimension to this.

Pay attention to that last point in the opening quote from Microsoft: “uncover insights that were out of reach in the past“. Why do you think that large corporations such as Google, Microsoft, Yahoo, Facebook, and others are so interested in IoT? They already collect so much tracking and personal data about us that in many ways we have already lost our privacy and practical anonymity.

I think user “jose_e” put it poignantly in his comment to the Wired article:

“The crucial thing to consider about the I.o.T. is its integration with Big Data, which wasn’t mentioned in this article. If every ‘thing’ around us is keeping track of some aspect of our use of it, over time that information will coalesce into recognizable patterns, to the degree that our preferences and behaviors — thought and action — will become so predictable and ‘easy to use’ that the inconveniences of free will and self-responsibility could easily become ‘outdated’. I think that’s the real fear when people say stuff like “reduction of people into numbers: the dark side of the quantified self” and “The Internet of Things will demand–and we will give willingly–our souls”. I don’t think it’s as much about privacy (which sounds kind of vague) as it is about a condition of diminished human agency.”

IoT further increases the potential for misbehavior: ID theft. Stalking. Custody disputes. Freedom of speech (inhibiting the feeling of being able to speak without reprisal). And more….

3. The Internet of Broken (insecure) Things

“Most of the devices exposed on the internet will be vulnerable”. Most? How about ALL of those devices will have vulnerabilities, some of which may be exploited. Perfectly secure software cannot be produced. And, as complexity increases, the chance for bugs, exploits, and security gaps increases exponentially.

Look, people can’t update and protect their current computer equipment even when it runs automatically, and the government and industry can’t secure their computing infrastructure.

Cyber-attack is the number one threat to the United States. IoT is going to make the current state of insecurity pale in comparison, just look at what is already happening:


Until the Information Technology industry begins with security design and secure programming from the very beginning (i.e., 101 course level), we will never begin the process needed to secure our devices. A good place to start is to teach and ingrain into our developers and processes the prevention of the SANS Institute TOP 25 Most Dangerous Software Errors. These 25 coding errors account for the vast majority of all software vulnerabilities. In fact, the Heartbleed vulnerability was a basic mistake of not validating the input and performing the function as eloquently shown in the following cartoon:
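The input-validation mistake behind Heartbleed, shown as an added example (my own code, not the post’s and not OpenSSL’s): a TLS heartbeat message carries a one-byte type, a two-byte declared payload length, the payload and at least 16 bytes of padding, and the bug was echoing back as many bytes as the sender declared without checking that they were actually received. The unchecked parser is kept beside the checked one so the missing comparison is visible; the heartbeat messages are constructed test inputs.

```python
# Added example (not from the original post): parsing a TLS heartbeat message
# (RFC 6520: 1-byte type, 2-byte payload_length, payload, >=16 bytes padding)
# with the length check whose absence was Heartbleed. The vulnerable form
# trusts payload_length; the fixed form checks it against the bytes received.
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def parse_heartbeat_unchecked(record: bytes) -> bytes:
    """The mistake: believe the sender's payload_length. In C this read past
    the received data into adjacent memory; here Python just silently returns
    a short slice, which is why the length check, not the language, is the
    real control."""
    kind, payload_length = struct.unpack("!BH", record[:3])
    return record[3:3 + payload_length]


def parse_heartbeat(record: bytes) -> bytes:
    """Return the payload only if the declared length fits the record.
    RFC 6520 says a message whose length does not fit must be discarded."""
    if len(record) < 3 + MIN_PADDING:
        raise ValueError("record too short for a heartbeat message")
    kind, payload_length = struct.unpack("!BH", record[:3])
    if kind != HEARTBEAT_REQUEST:
        raise ValueError(f"not a heartbeat request: type {kind}")
    # The check Heartbleed lacked: 1 + 2 + payload_length + 16 must fit.
    if 3 + payload_length + MIN_PADDING > len(record):
        raise ValueError(
            f"declared payload {payload_length} bytes, only "
            f"{len(record) - 3 - MIN_PADDING} available")
    return record[3:3 + payload_length]


def build_heartbeat(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Constructed test input. declared_length lets a test lie about the size."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def heartbeat_response(record: bytes) -> bytes:
    """Echo the payload back the correct way: from the validated parse."""
    payload = parse_heartbeat(record)
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + b"\x00" * MIN_PADDING
```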

Finally, “They [IoT devices] will also be prone to unintended consequences: they will do things nobody designed for beforehand, most of which will be undesirable.” Exactly. Take Nest recalling its smart smoke detector because if it detects waving arms or other movement it won’t sound the alarm or it will shut off – a design feature (wave) to make it easy to turn off the alarm when there really isn’t an emergency. There is no way we can possibly understand all of the use cases (and misuse cases) the IoT devices will be subject to, let alone the interactions among an infinite number of them.

I’m not saying we shouldn’t work towards the Internet-of-Things, but our industry has a lot of maturing and work to do before we become ready for it.