Friday, November 8, 2013

What is cyber security?

Once again I'm ranting again about things that I thought should have already been settled long ago.  And in some ways, they have… but on the ground, I see nothing but confusion. So today is: what is this thing that we do?

I purposely chose the blandest and overused term "cyber security", because I see it thrown around by the folks who seem the most clueless about it.   This simple thing of what is expected of a cyber security professional gets to be particularly problematic when an organization goes to staff up and build their first cyber security program.  You're hiring your first security professionals, what should they know?  You're reorging your IT group, where does the security department fit in?  Who does your head of security report to?   What should the dedicated cyber security team be responsible for and more importantly, be not allowed to do?  I've seen a wide variety of expectations across industries and organizations.  In some cases, the role is defined by regulation but when it's not, it tends to be squishy and inefficient. 

As previously alluded to,  old school cyber security equated IT security entirely with info security.  A tactical place to start but definitely not a mature or effective model to thrive in a DevOps meets APT world.  And in the most ineffective and inefficient cases, you'd see normal IT and development stuff going on with the security team coming in afterwards to "make things secure".    

First off, let me say that I don't know exactly what cyber security should definitively encompass.  In this post, I'm only going to discuss my own thoughts and experience.  A bit of background, I'm an IT ops guy (first 10 years of my career) who grew into IT security (next 5 to 7 years) and now does information assurance (last 10 to 12 years).   I think the best way to break this down in this first cut is to roll thru the ISC2's CBK.  It ain't perfect and it's kinda old, but it's a general shape matches what we're supposed to be doing in cyber security. 

Access Control
I see this is as split between the security group and the IT operations group.  The security group should definitely consult, design and assess against The big picture stuff, like models, techniques, and threats around access control.  The IT ops group should deal with the specific mechanisms.  You will not see me tinkering with AD permission groups or managing two-factor tokens.  But I will provide guidance on how these things should done to match the risk and business requirements of the organization.

Telecommunications and Network Security
Same as access control.  I grew up as a firewall guy but I haven't configured a firewall for years.   The IT network engineering team is best to do this.  Especially since they understand all the nuances and implications of opening this port over that port, splitting a particular VLAN or how the VPN links should be laid out.  I absolutely consult and oversee the design and configurations to make sure they meet our requirements.  I still keep up on latest DDOS techniques and research new perimeter controls and make sure the infrastructure team gets the highlights regularly as well.

InfoSec Governance and Risk Management
Pretty much entirely the security department to drives this.  That doesn't mean that everyone else doesn't understand and follow the policies to the best of their abilities.  Hopefully, the message that security is everyone's job applies here.    I often spend a bulk of my time translating and interpreting the organizations policies for individuals and departments wanting to accomplish some business thing in accordance with policy (well, actually they want to make sure they flag the attention of the auditors, but that's mostly because I've trained that way).

Software Development Security

Realistically, this is it's own thing looking like network security but for programmers.  A group of security consultants and assessors doing the big picture stuff embedded with the developers doing the actual implementing of the more secure code.  I can think of no better concrete example of how to organize this than Microsoft Trustworthy Computing.  I'd even slice web security off as it's own specialty here as well, but still following the same model.

Beyond the specialized discipline, the security team would know the concepts, the algorithms and the pitfalls as to advise the various IT and developer teams on implementation of specific controls.  

Security Architecture and Design
This is something that consumes a lot of my time… and something I enjoy doing.  This is definitely where I would expect a "cyber security professional" to know things deep and wide.   Lots of advising and assessing both up and down the organization chart on how and why some designs are better than others.  And yes, lots of research and upkeep to keep abreast of new threats and technologies.

Operations Security
Ideally, I think this should be something designed with direction from the security team but run at the edges or even outside of the security team's domain.  Realistically, it's often part of the day-to-day duties of the security group.   Vulnerability management should really be part of the IT groups daily grind.  Incident response is led by security but should pull from all groups, tho forensics is it's own thing and usually owned by security or legal (see below)

Legal and Compliance
Security should definitely understand a lot here, especially because in some organizations, the legal department can be often lack cyberlaw knowledge.  The minimum expected of any security professional should be to able to translate compliance requirements into technical standards.  If the security team is lucky, they've got a technically savvy legal team that collaborates on cyber security matters. I haven't been lucky.   Cyber forensics and investigations should also live in the legal department, with some assist from security.

Business Continuity
Again, I think this should be it's own group but often security owns most if not all of this function.  It's a deep and wide discipline and affects everyone in the organization which demands a lot of resources.  Because of this, when it's own solely by security, it's often not done very effectively.  The security team is often so busy they rarely have time (or interest or skills) to do a great job here.

Physical and Environmental Security
In large organizations, this is a separate group standing parallel to cyber security.  In most, the security team owns it as well.  Typically, the security group does the design and sets the standards, then works with either facilities and/or the IT team to make sure things are enforced.  Things definitely get strained when a physical security event occurs and three different groups come to the table and try to figure what the heck happened and where the fingers should be pointed.  Since I'm in a medium/small organization with high assurance requirements, it means that I own most of this and have to know a bit about alarms, door locks, and building materials. 

Okay, that's it. Rant off.  What's your experience?  What is it do you think we should be doing?

Extra credit: does infosec require an IT background or can you be a pure infosec professional with minimal engineering training?