Security Controls – Tools for Your Gameplan

FOOTBALL
In football (and other sports) the gameplan is an important part of success. How well the gameplan is implemented on the field will determine the final score, but with a flawed gameplan, performance may become irrelevant. Football organizations may use groups of scouts and coaches and spend weeks performing an analysis of their upcoming competition in order to be fully prepared with attack and defense strategies and well thought out contingency plans.

The attack and defense strategies usually take the form of “down and distance” charts that show the tendencies found in the analysis. For any given down, distance, position on the field, time point in the game, and tactical balance, both the offensive and defensive play callers would like to know what their opponent is thinking and planning. The analysis of their tendencies helps to reveal this and forms the framework for the gameplan. If you know your opponent is more likely to be running or passing in any given down and distance scenario, you can shift your defense to stop the play. Gameplan analysts also look for “keys”, telltale clues such as the way a player plants his feet differently on different plays or how a blocking scheme develops or what plays the opponent can run from which formations.

Once a gameplan is developed, maintaining situational awareness becomes important for enabling the plan to be carried out on the field. The coaching process transfers the analysis and gameplan to the players and they must study it and then rehearse it in implementation drills and practice. Contingency plans offer decision branching to allow for adjustments to game situations.

CYBERSECURITY
In cybersecurity, we also develop gameplans, often called System Security Plans (SSPs). An SSP contains the risk assessment, contingency plan, selected security controls, configuration management plan, monitoring scheme, incident response plan and more.

Security controls offer the basic toolkit for “play calling” in information security gameplan development. Once the analysis (risk assessment) is complete, the assortment of plays that will be used (security controls) is selected from a catalog and the gameplan (SSP) is assembled.

Some of the opponent's strategy (attack methodology) is known and can be anticipated. They will begin with some form of reconnaissance, then attempt to penetrate the perimeter of the defense; once inside, they will work to entrench their position in the network (persistence), set up command and control communication channels, exfiltrate any valuable information gained and possibly disrupt normal network activity.

Depending on the value of the systems and information in the network being defended and the assessed vulnerability to known threats, security controls are selected to thwart each phase of the attack and protect the network. Monitoring controls are employed to detect reconnaissance efforts, which from the network's side typically look like one source probing many ports on a host or the same port across many hosts in a short time. Boundary defense controls, configuration management controls and patching are used to protect the perimeter. Monitoring, intrusion detection, malware protection, integrity checking, configuration management, access control, auditing and other groups of controls are employed to harden the interior and detect any unauthorized access or tampering.
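As an added example of a monitoring control aimed at the reconnaissance phase (this is illustrative code written for this page, not code from the original post or from any particular product), the script below parses firewall deny logs and flags a source that touches many ports on one host (vertical scan) or one port on many hosts (horizontal scan) within a sliding time window. The one-line log format, the sample traffic, the 60-second window and the threshold of 10 are all assumptions chosen for illustration; adapt the regular expression to your own firewall's log format.

```python
"""Flag port-scan style reconnaissance in firewall deny logs.

Added example, not part of the original page. The log line format
("<ISO timestamp> DENY|ALLOW <src> -> <dst>:<port>"), the thresholds and the
sample traffic are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)


def build_sample_log():
    """Constructed sample log (not real traffic).

    10.0.0.5 probes 12 ports on one host within seconds (vertical scan),
    10.0.0.9 probes port 445 on 12 different hosts (horizontal scan),
    10.0.0.7 is benign: a few denies spread over an hour plus an allow.
    """
    base = datetime(2024, 1, 15, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(12):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:{fmt}} DENY 10.0.0.5 -> 192.168.1.10:{20 + i}")
    for i in range(12):
        ts = base + timedelta(seconds=30 + i)
        lines.append(f"{ts:{fmt}} DENY 10.0.0.9 -> 192.168.1.{10 + i}:445")
    for i in range(5):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts:{fmt}} DENY 10.0.0.7 -> 192.168.1.50:{80 + i}")
    lines.append(f"{base:{fmt}} ALLOW 10.0.0.7 -> 192.168.1.50:443")
    return "\n".join(lines)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
    }


def detect_recon(log_text, window=timedelta(seconds=60), threshold=10):
    """Return one alert per (source, scan kind, target) that crosses threshold.

    Only DENY events count: a legitimate client rarely accumulates many
    distinct denied ports or hosts inside a short window, a scanner does.
    """
    events = [e for e in map(parse_line, log_text.splitlines())
              if e is not None and e["action"] == "DENY"]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        reported = set()   # (kind, target) pairs already alerted for this src
        start = 0
        for end, cur in enumerate(evs):
            # advance the window start so it spans at most `window` of time
            while cur["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for e in win:
                ports_per_host[e["dst"]].add(e["port"])
                hosts_per_port[e["port"]].add(e["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= threshold and ("vertical", dst) not in reported:
                    reported.add(("vertical", dst))
                    alerts.append({"src": src, "kind": "vertical", "target": dst,
                                   "count": len(ports), "first_seen": win[0]["ts"]})
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= threshold and ("horizontal", port) not in reported:
                    reported.add(("horizontal", port))
                    alerts.append({"src": src, "kind": "horizontal", "target": port,
                                   "count": len(hosts), "first_seen": win[0]["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_recon(build_sample_log()):
        print(f"{a['first_seen']:%H:%M:%S} {a['src']} {a['kind']} scan "
              f"-> {a['target']} ({a['count']} distinct)")
```

Run stand-alone it reports the two scanning sources and stays silent on 10.0.0.7, whose five denies are spread too thinly for any 60-second window. The sliding window is what keeps this usable on real logs: a long-running slow scan (one probe every few minutes) will slip under it, which is exactly the trade-off a monitoring control has to make between false positives and stealthy reconnaissance, and is why the window and threshold should be tuned against your own baseline traffic.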

A complete security gameplan begins when an organization is first being set up. In order to have an organization that uses an information system that needs protection, the organization must have a mission, some planning, basic infrastructure and people. There are preliminary security controls involved with all of this. Before an office is leased, or a desk and phone system are acquired, the mission definition or business purpose starts laying out the foundational requirements of security. As soon as assets and people start to accumulate, security controls pertaining to acquisitions, personnel, physical security and contingency planning (power outages, backups, and more) are needed.

As elements of the information system are assembled, security controls for access control, configuration management, risk assessment, communications and integrity of the system and information become necessary. And then operational issues like training, auditing, assessment, incident response, maintenance and media control come into play. Here are some of those control areas:

Access Control

  • Account management
  • Information flow
  • Least privilege
  • Session lock
  • Remote access
  • Wireless access

Contingency Planning

  • Impact assessment
  • Contingency plan
  • Alternate sites
  • Backup procedures
  • Recovery procedures
  • Testing the plan and training on it

Risk Assessment

  • Threat identification
  • Vulnerability identification
  • Risk analysis (balancing threats and vulnerabilities)

System Integrity

  • Patching
  • Anti-malware
  • Network monitoring

Incident Response

  • Incident handling
  • Incident reporting
  • Testing the plan and training on it

KEY POINTS
There is a need for a security gameplan
There is a need to understand attacker methodology
There is a need for security policy to guide our actions
There is a need for “play calling” security controls

[for references to security controls and how they are used in the defense plan, follow the links below]

SEE ALSO:
Attack Methodology
Security Control Matrix
Attack vs Defense on an Organizational Scale
Agile Defense With NIST Controls
OODA Loops
