Cybersecurity Playbook: Critical Services
With no CISO/CSO, how can you make cybersecurity a core part of your culture and business strategy, and maybe even a competitive advantage? Here’s a roadmap to get you going until you can hire one. This is the second article in the cybersecurity playbook series. The first article is an overview of the series, What to do when there is no CSO.
Your highest priority piece of work is to ensure that you have fully identified, documented and mitigated the risks of your critical business services. Your overarching goal is to increase the operational resilience of your organization by increasing cyber resilience.
The inventory is not a simple list of systems; it must be created from a business perspective, and must be an enterprise-wide exercise. For each critical service, you must identify and document the people, technology, data, facilities and vendors that are needed to keep the service running, and keep this inventory up-to-date.
Do not make the mistake of assuming that you know everything that the business needs to keep running and their dependencies. Involving business stakeholders also demonstrates that you value their contribution and it makes them responsible partners in security.
Once you have identified even one critical service and its dependencies, the cyber security team (CS) must begin to document the baseline controls in place for the dependent systems. The team must also begin a vulnerability, threat and risk assessment for each of the critical systems so that you can: a) understand the impact if a critical system suffers degradation of confidentiality, integrity or availability (CIA), and b) provide recommendations that will mitigate risk while still providing functionality, usability and availability.
• Who and what are the threats and vulnerabilities?
• What are the implications if CIA is degraded due to an incident?
• What are the various impacts to the organization?
• What are the risks (risk = probability x impact)? Alternatively, choose one of five different techniques for risk quantification.
• What can be done right now to minimize exposure?
Answering these questions will help you to achieve the overarching goal of cyber resilience.
Filling in the security control gaps
By now, you should also have chosen your cybersecurity framework. I have suggested three frameworks (two, really): SANS, NIST and ISO/IEC 27001. Please see the notes below for more information and links to the various framework documents you’ll want to read.
Your choice of a cybersecurity framework is vital as it will be used to perform a security control gap analysis. Once you have completed the gap analysis, then it’s just a matter of documenting the controls that need to be put in place, prioritizing the work and getting your plan approved and resourced. Easy!
Don’t forget to do it all again in six months. The threat landscape is evolving faster than you can imagine.
What’s the hard part? Determining who and what the threats and vulnerabilities are.
This may be the most difficult part of the whole process for a number of reasons. While you’re going about the enterprise-wide exercise to identify the critical services and their dependencies, nobody tells you about a particular spreadsheet that is actually vital to one part of the business. It turns out that your organization can’t go more than about four hours without this spreadsheet. So, one fine day, this spreadsheet is accidentally deleted or corrupted, and it will take more than a day to restore from the backup. This was an insider threat that nobody thought of. Insider threats don’t have to be malicious to result in loss.
By 2021, 50% of enterprises will unknowingly and mistakenly have some cloud storage services, network segments, applications or APIs directly exposed to the public internet, up from 25% at year-end 2018.
Through 2023, at least 95% of cloud security failures will be the customer’s fault.
Oops!
Performing the threat and vulnerability assessment successfully requires that you not only know about all of the critical services’ dependencies, you also need to have a solid foundation in threats (malicious and otherwise) and vulnerabilities. This means you have to know how your systems work. For instance, if you have a site that relies on federated login, and the 3rd party provider of the login has an incident, then your users can’t log in. How will you mitigate this risk? Maybe you just have to accept the risk?
Example: API threats and vulnerabilities
The whole world is going crazy putting APIs online, but have you put in place adequate controls to detect and respond to an API DoS attack? No, not a DDoS attack against your APIs; API-DoS attacks are much more subtle. Depending on your APIs, it may be possible to make a request that sends JSON as input, and this JSON can be crafted to have so many nodes that your hardware resources quickly become consumed while the JSON parser tries to build a valid JSON object. The JSON input doesn’t even have to be particularly large, and the attacker doesn’t need to make a high volume of these kinds of requests. Your log files won’t necessarily show a sudden spike in requests, but your servers will slowly grind to a halt. How would you know what’s actually happening? I’ll discuss this at length in an upcoming article.
That’s just one vulnerability/threat.
So, you can see that you really need to be well-versed in your particular technologies and systems, and understand the likely threats and vulnerabilities before you can complete the risk assessment.
One final note: in addition to appropriate security controls, cyber resilience requires a solid foundation of visibility to tell you that your systems are working correctly, and to tell you WHY they aren’t working correctly. Basic logging wouldn’t catch the API DoS attack example above. In order to detect an incident you must know what the indicators of compromise are and make sure that those indicators are visible and that they draw the attention of your SIEM or operations team or alert system or whoever is minding the store.
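The API-DoS example and the visibility note above, as an added example that is not part of the original article: a pre-parse guard that measures nesting depth and node count of a request body in one linear pass, rejects it before the JSON parser ever tries to build the object, and emits a structured event so the rejection is visible to monitoring rather than silent. The limits, event fields and sample bodies are assumptions for illustration.

```python
import json

MAX_DEPTH = 32       # assumed limit on nesting of {} and []
MAX_NODES = 10_000   # assumed limit on containers, keys and scalar values

def measure_json(body: str) -> tuple[int, int]:
    """Return (max_depth, node_count) for a JSON text without building it.
    Single linear pass; brackets inside string literals are not counted."""
    depth = max_depth = nodes = 0
    in_string = escaped = False
    last = ","  # last significant char; ',' ':' '[' mean a value may start next
    for ch in body:
        if in_string:
            if escaped or ch == "\\":   # consume an escaped char, or start an escape
                escaped = not escaped
            elif ch == '"':
                in_string = False
            continue
        if ch in " \t\r\n":
            continue
        if ch == '"':            # start of a key or string value
            in_string = True
            nodes += 1
        elif ch in "{[":         # container opens: one level deeper
            depth += 1
            max_depth = max(max_depth, depth)
            nodes += 1
        elif ch in "}]":
            depth -= 1
        elif ch not in ",:" and last in ",:[":
            nodes += 1           # first char of a number, true, false or null
        last = ch
    return max_depth, nodes

def parse_request_json(body: str) -> tuple[bool, object, dict]:
    """Parse only bodies within budget. Returns (accepted, value, event); the
    event is a structured record for the SIEM so a rejection is never silent."""
    depth, nodes = measure_json(body)
    event = {"event": "json_guard", "bytes": len(body), "depth": depth, "nodes": nodes}
    if depth > MAX_DEPTH or nodes > MAX_NODES:
        event["action"] = "rejected"
        return False, None, event
    event["action"] = "accepted"
    return True, json.loads(body), event

if __name__ == "__main__":
    # Constructed bodies: an ordinary request, an 80-byte body 40 levels deep,
    # and a flat array of 20,000 scalars (about 40 KB). Only the first is parsed.
    for body in ['{"user": "alice", "tags": ["a", "b"]}',
                 "[" * 40 + "]" * 40, "[" + ",".join(["0"] * 20000) + "]"]:
        print(parse_request_json(body)[2])
```

The emitted events give a request-rate-independent indicator (rejections, depth and node counts per client) that a volume-based dashboard would miss.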
Next up: Cybersecurity strategy. I look forward to positive comments and questions!
Cybersecurity Frameworks
SANS has An Overview of Threat and Risk Assessment and an overview of cybersecurity tools. SANS/CIS 20 (Center for Internet Security) has three versions, a small business no budget implementation, a version for small and medium enterprises (SMEs), and the full set of security controls, and there is the CIS Risk Assessment Method.
For an overview of the NIST risk management framework, please see Risk Management Projects/Programs or NIST Risk Management Framework Overview.
NIST has a much larger set of resources: Cybersecurity framework (CSF); Risk Framework; and Security Controls. NIST is appropriate for organizations of any size, but they do have a Small Business Cybersecurity Corner.
SANS/CIS has 20 controls, while NIST has over 900 controls in 18 control families. There’s no reason you can’t start with SANS and migrate to NIST. SANS has an awesome poster with an overview of the CIS controls and Five keys for building a cybersecurity program.
ISO/IEC 27001 is an international standard on how to manage information security. It’s less technical than SANS or NIST, focusing more on information risk management. It really requires a high degree of organizational maturity and capability, as well as a serious commitment to making the standards a core part of your operating model.
The third article in the series, Cybersecurity playbook: Strategy is online now.
A high-res version of the full roadmap can be found here.
The master roadmap
Immediately:
- Begin the process of improving cyber resilience of your critical business services (CBS)
- Begin documenting current security controls, tools and practices
- Begin to identify gaps in security controls for CBS
- Understand the threat landscape
- Begin threat and risk assessment for CBS
- Identify all the people responsible for confidentiality, integrity, availability, compliance.
Within three months:
- Document compliance requirements
- Complete the CS strategy
- Decide on a CS framework
- Complete threat and risk assessment for CBS
- Identify all the gaps in security controls for CBS
- Fill high risk gaps
- Begin documenting all your CS capabilities
- Begin planning basic CS training.
Within six months:
- Complete filling gaps in CBS controls
- Complete your capability assessment
- Begin to develop future state and long-term roadmap
- Begin to develop long-term implementation plan and commitment.
- Begin basic CS training.
Within one year:
- Complete future state road map and plan
- Complete basic CS training.
Git a move on!