In previous articles on understanding big data, the need for AI, using encryption and tokenization (including the drawbacks of encryption), and the series on human vulnerabilities, we laid down just some of the building blocks necessary to create a robust cybersecurity strategy. Yet there is a larger problem we often experience: losing the trees for the forest. All the tips we have mentioned thus far are great, but only if you are situationally aware of your own challenges. If you have legal or regulatory compliance obligations, such as the European Union’s General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), you have no choice but to follow them. However, neither of us is a big fan of standards and certifications, for the simple reason that they rarely meet your specific needs and are a costly undertaking in both time and money. This is why we are fans of frameworks such as the NIST Cybersecurity Framework (updated in January 2017): a framework allows you to meet your own needs.

Humorous (scary?) aside: in our encryption and tokenization article, we mentioned the benefits of HTTPS (which Tripwire uses). Yet the official European Union Law Access Portal (which we link to above for GDPR) does not use HTTPS. C’mon, girls and boys. Time to step up your game, especially since you’re trying to regulate an entire continent and want the world to follow!

Let’s get back to dealing with your own challenges. A prerequisite for cybersecurity decision-making is something amazingly simple but, in our experience, poorly done: being aware of your surroundings. Without that awareness, at the best of times you will be flying by the seat of your pants at the speed of light, and at the worst of times, tripping over falling “logs” and hoping not to break your legs. Let’s get back to basics, and we will do so by asking the following question: what do you pack when you go on vacation?
We’re willing to bet a bright shiny penny that you are about to ask: well, it depends… where am I going? By asking that simple question, you just took the first step to being situationally aware (with much more on that topic, self-quiz and all, courtesy of the US Coast Guard). Much like you would not pack a winter parka on a summer trip to Florida “just in case” there is some freak cold spell, you really should not be investing heavily in technologies and techniques that you have little likelihood of using. For example, it may look great that you are ABC:12345 certified, but you may also have spent valuable resources on a whole bunch of things you are never going to use, leaving some of your most critical vulnerabilities unaddressed or underfunded.

Back to the “what to pack” question. There are some things you will almost certainly take on all of your vacations, such as a toothbrush, a piece of ID and local currency. In “cyber-speak,” the equivalent “must-have” travel items are encryption, reviewing your privacy/access settings and having backups. Spoiler alert: chances are you use a toothbrush, a piece of ID and local currency not only on vacation but also in your daily life at home, wherever your home happens to be. So, why aren’t you using encryption, reviewing your privacy/access settings and creating regular backups?

Encryption may be widely used by the generic user when it is implemented for them end-to-end, as in iMessage or WhatsApp, but otherwise only 20% of the US population has encrypted a phone call or e-mail. Reviewing privacy/access settings should be standard practice for everybody. (C’mon, be honest: you’ve NEVER scrolled down to the bottom of something and clicked “I Accept” in all of your web/computer experiences?) Understandably, most people do not, because doing so easily becomes a head-spinning exercise, with privacy policies taking at least 10 minutes to read. But is that really a good enough excuse?
Even a step-by-step process on how to make your Facebook profile private is not necessarily an easy or time-efficient task.

And did you know that March 31st is World Backup Day? If you did, that’s impressive. More impressive would be if you actually backed up your data! While the results of this 2017 survey are encouraging, namely that 42% of respondents say they back up their data daily and 67% were able to restore virtually all their data after a loss, we remain skeptical about how widespread data backup is and how well it is practiced. The survey does note that many backups are unencrypted (oops, forgot my toothbrush!), and a sample of 1,000 respondents from North America, Europe and Australia, with no profile of who those respondents are, still leaves us believing that most people do not make regular backups of their data. Another red flag for us in this survey is that most backup activity is cloud-based. That is all fine and dandy if you have a plan for when you cannot access your cloud. (Also, would it be untimely to ask if you read your cloud provider’s privacy agreement?)

All these little pieces of information add to your situational awareness, and when applied correctly, they make a world of difference. To prove our point, we have curated just a few small pieces of information, with no alteration from the USCG text, that apply wonderfully to a cybersecurity environment:

To ensure a Shared Mental Model of the situation, team members must share their knowledge relative to:
- The task and team goals.
- Their individual tasks.
- Team member roles and responsibilities.
The loss of Situational Awareness usually occurs over a period of time and will leave a trail of clues. Be alert for the following clues that will warn of lost or diminished Situational Awareness:
- Confusion or gut feeling.
- No one watching or looking for hazards.
- Use of improper procedures.
- Departure from regulations.
- Failure to meet planned targets.
- Unresolved discrepancies.
- Ambiguity.
- Fixation or preoccupation.
Maintenance of situational awareness occurs through effective communications and a combination of the following actions.
- Recognize and make others aware when the team deviates from standard procedures.
- Monitor the performance of other team members.
- Provide information in advance.
- Identify potential or existing problems (i.e. equipment-related or operational).
- Demonstrate awareness of task performance.
- Communicate a course of action to follow as needed.
- Demonstrate ongoing awareness of mission status.
- Continually assess and reassess the situation in relation to the mission goal(s).
- Clarifying expectations of all team members eliminates doubt.
Chains of human error are normal and should be expected. There are three levels of human error.
- Slips.
- Mistakes.
- Errors.
Did anything seem familiar to you or perhaps ring a bell? Did the first series of points look like something you would look at during a vulnerability assessment? Did the second series look like a bunch of compensating controls? They sure looked like that to us, and they tie in very nicely with the NIST Cybersecurity Framework. One of the main reasons we support the framework is that it is adaptable to your situation. Imagine how well your cybersecurity strategy would work if you were situationally aware. Imagine how well it would work if all the members of your team were situationally aware! Every single point listed above applies to a cybersecurity environment, and we challenge anybody to prove otherwise.

So, for all the solutions out there, make sure you are packing the right material for you, because you only have a finite amount of resources. This is what it means to be situationally aware. The exercise also helps you prioritize what data you value most. Industry-changing technologies will be developed and will hopefully make widespread adoption of cybersecurity techniques more prevalent. Some, such as AI and machine learning, will almost certainly change the cybersecurity business forever. But until these technologies are fully deployed, we still need to make do with what we have at our disposal: encryption, tokenization, two-factor authentication, and educating yourself and your staff. Also, take advantage of knowledge bases that help prepare you for things that may impact you, like GDPR, and employ quick (and easy) tips that help jump-start your efforts on the cheap. And just as we said in our earlier articles, the cybersecurity problem is really a combination of problems making up one issue: network security + information security = data security. If you are situationally aware of what is happening on your network and what is going on with your information, you’ll be ahead of all others.
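A practical postscript to the backup point above (many backups unencrypted, only 67% of survey respondents able to restore after a loss, no plan for when the cloud is unreachable): the question a practitioner can actually answer is whether you can restore, and whether you would notice if the backup had been corrupted. The following Python script is an added example and is not part of the original article. It builds a local tarball of a directory, records a SHA-256 manifest of every file plus a hash of the archive itself, then performs a restore test into a scratch directory and compares what came back against the manifest. The directory contents, file names and the single flipped byte used to simulate corruption are constructed for the demo; encrypting the resulting archive at rest (with gpg, age or your backup tool’s own encryption) is assumed to happen as a separate step on the archive file and is not shown here.

```python
"""Local backup with an integrity manifest and a restore test (stdlib only).
Added example; encrypting the archive at rest is a separate step not shown."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, archive):
    """Write a gzip tarball of src plus a JSON manifest beside it; return the manifest."""
    src, archive = Path(src), Path(archive)
    files = build_manifest(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")
    # Hash of the archive itself catches silent corruption before any restore.
    record = {"archive_sha256": sha256_file(archive), "files": files}
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(record, indent=2))
    return record


def _extract(tar, dest):
    # The "data" filter (3.12+, backported to patched 3.8-3.11) refuses path
    # traversal and other hostile members; older interpreters lack the argument.
    try:
        tar.extractall(dest, filter="data")
    except TypeError:
        tar.extractall(dest)


def verify_restore(archive, record):
    """Restore into a scratch directory and return a list of problems (empty means OK)."""
    problems = []
    if sha256_file(archive) != record["archive_sha256"]:
        problems.append("archive hash mismatch (corrupted or tampered)")
        return problems  # do not trust anything extracted from a bad archive
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            _extract(tar, scratch)
        restored = build_manifest(scratch)
        for rel, digest in record["files"].items():
            if rel not in restored:
                problems.append("missing after restore: " + rel)
            elif restored[rel] != digest:
                problems.append("content differs after restore: " + rel)
        for rel in restored:
            if rel not in record["files"]:
                problems.append("unexpected file after restore: " + rel)
    return problems


def demo():
    """Constructed sample data: two files, a clean restore, then a corrupted archive."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "docs").mkdir(parents=True)
        (src / "notes.txt").write_text("pack the toothbrush\n")
        (src / "docs" / "policy.txt").write_text("review access settings\n")
        archive = work / "backup.tar.gz"

        record = create_backup(src, archive)
        clean = verify_restore(archive, record)

        # Simulate bit rot or tampering: flip one byte of the archive on disk.
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF
        archive.write_bytes(bytes(data))
        corrupted = verify_restore(archive, record)
        return len(record["files"]), clean, corrupted


if __name__ == "__main__":
    n, clean, corrupted = demo()
    print(n, "files backed up; clean restore problems:", clean)
    print("after corruption:", corrupted)
```

The point of the script is the second half, not the first: creating the archive is what most people already do, while restoring it into a scratch directory and comparing hashes is the test that turns “I have a backup” from a hypothesis into a fact. Run it on a schedule against the copy you keep outside your cloud provider, and keep the manifest somewhere the archive is not, so that a corrupted or swapped archive cannot bring its own matching manifest with it.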
About the Authors: Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He is also part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues and assists clients with governance, disclosure and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them.

George Platsis has worked in the United States, Canada, Asia and Europe as a consultant and an educator, and is a current member of the SDI Cyber Team (www.sdicyber.com). For over 15 years, he has worked with the private, public and non-profit sectors to address their strategic, operational and training needs in the fields of business development, risk/crisis management and cultural relations. His current professional efforts focus on human factor vulnerabilities related to cybersecurity, information security and data security by separating the network and information risk areas.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.