Vanguard Magazine

Vanguard AprMay 2017

Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR

Issue link: http://vanguardcanada.uberflip.com/i/822642


APRIL/MAY 2017 www.vanguardcanada.com CYBERSECURITY

Targets may be laptops, devices and databases (that store an information asset), device firmware (that stores configuration values), electronically-locked rooms (that store documentation, controlled substances, ammunition, evidence, etc.) or network connections (that transmit asset data). Assets are the Holy Grail of your threat actors. They vary in criticality or classification and must be secured to maintain organizational integrity and reputation; the availability, confidentiality and credibility of data; public safety; and investigative and judicial processes.

3. Threat actors are less important than threat scenarios – As much as profiling a threat actor is important to downstream intelligence formulation, in the earlier stages of prevention and detection (and sometimes, deterrence) the focus must be on the actual threat scenarios: theft, modification, destruction/disruption and, in some instances, planning and executing (surveillance, etc.). Understanding these operational-level exploits will dictate the required countermeasures of protection, much more than understanding the modus operandi of the actors. Basically, this considers the possibility and probability of threat scenarios and the associated damages should the asset be breached; it forces the valuation of the asset from the perspective of the malicious actor.

"They weaponized Pikachu!"

It's true. Although a low-level means to extract credit card numbers while silently installing further viruses and recording data from unsuspecting Pokémon-Goers, the Pokémon malware has fed the coffers of who knows who. Not uncommon and often paired with ransomware, it's still a threat, and the weaponization of technology and its introduction to secure environments remains one of the most serious advancements in recent decades.
Appropriately enough, in his book "The Art of War" Sun Tzu said, "If you know your enemies and know yourself, you can win a hundred battles without a single loss." While lofty, it holds substantial truth – knowledge is everything and armament doesn't hurt either. In this context, technology has augmented the criminal tradecraft of theft, modification and destruction of data, as well as key planning, espionage and surveillance activities. In the post-Snowden security climate, the civic laws of cyber-security have evolved to emphasize personal and classified data security and impacts to privacy and integrity, increasing liability in these areas. Knowing and responding to these concepts in an operational environment refines the new constructs of cyber-security. More and more, the weaponization of technology is a reflection of the sophistication of threats and their ability to leverage the various security domains: the more domains that are accessed to breach sensitive information, the more asymmetrical and difficult to counter the threat becomes.

Single Point (Domain) Failure

A domain failure is essentially when only the most obvious domains are secured, such as when an organization's network and connected devices meet the required security posture but its software and device update and patch management policy is weak or non-existent. The maintenance falls apart and the security posture collapses, allowing unknown vulnerabilities to leak through. Similarly, weak employee screening or access policies may allow unauthorized, uncredentialed access to sensitive assets, leaving only their physical hardening to protect them. In this case, a cross-domain, multi-layered approach will balance the risk-stress over several domains to close gaps and act as a fallback. Anything less amounts to leaving the lights on and doors open for the malicious actors.
Moving to cross-domain (or multiple domain) and multi-layered security approaches will increase initial resource costs, but the downstream benefits will make up for the upfront investment. Also, the higher degree of compartmentalization and isolation of security approaches will improve prescriptive countermeasures and increase the ease of maintenance and agility of the environment once implemented. Here are some examples of detailed domain categories that would make up a framework, and an eventual security assessment:

• Corporate security policies and procedures – documentation that makes the organization and its resources act and behave in a certain way;
• Physical security – traditional hard-wall, room and building security;
• Resource security – your people, their screening and their access to things;
• Device security – techy stuff;
• Network security – more techy stuff;
• Network and Application Development (as in OSI layers) security – really techy stuff;
• ... and possibly more depending on the organization.

There Is No End Game

Behind every malicious threat is a human – for now – and cementing a proven cyber-security framework will be easier today than when the Internet of Things, machine-to-machine learning and custom cipher technology bear down on our systems, delivering unbelievably complex threats. Not unlike countering other criminalized activities, communication and collaboration remain effective methods to "close command and control" of an active threat.

But until we master that dialogue and the means to share information, threat mitigation and vulnerability management must become part of the daily conversation and habitus of organizations. By adopting a higher strategic view along with multi-disciplinary, short-cycle approaches and renewable cyber-security practices, organizations will evolve to continuous assessment as an ongoing activity, instead of an end-game.
Valarie Findlay is a research fellow for the Police Foundation (USA) and has two decades of senior expertise in cybersecurity and policing initiatives. She holds a Master's in Terrorism Studies from the University of St. Andrews.
