ISACA CISM – Domain 04 – Information Security Incident Management Part 7

39. Management Metrics and Monitoring Part1

Managing also means we have to have measurements that we can respond to and make decisions about, right? I said it before, you can’t manage what you can’t measure. And so part of managing, again, is the metrics and monitoring. And now, I know we’ve talked about this many times, but just as a reminder, the metrics can be categorized as strategic, which you might think of as navigational. The metrics can be management based, which is you’re checking of compliance or risk and operational that might be based on the technical types of metrics. Now, there are many types of quantitative metrics that could be useful, and there’s a lot of activities that we could utilize those quantitative metrics for.

Things like the compatibility maturity model or I should say the capability maturity model to know where we are as far as the level of maturity on your key goal indicators. On your key performance indicators. If we have basically some checkpoints that we want to be able to get to, that means we have to have some sort of quantitative measurement that we can compare to, say, yeah, we hit that key goal or we hit that key performance balanced scorecards. Another example are the Six Sigma quality indicators, the ISO 9001 indicators, right? They all have outlines of things that we can use. That quantitative metrics can be useful for us to be able to monitor where we are, where we should be, how we’re proceeding to our goals, are we operating, as we keep saying, within compliance and many other issues that are important for us in the management world.

40. Management Metrics and Monitoring Part2

The information security manager should develop a consistent and reliable method of monitoring the effectiveness of their security program. Now, things that they need to look at and I realize it sounds like a lot of work, sometimes it sounds like a repeat work. But that is the goal of security is to constantly be assessing to see if you are as secure as you were the day before and if you’re still going on. That right. Objective. Objective. To meet those minimum risk requirements. That means we have to have ongoing risk assessments. Now, what else can we do? Well, again, testing the assumptions of security is important. So we offer things like the vulnerability assessments, scanning or penetration testing. And when we are doing these things, we’re trying to gather information that we can use for this evaluation to be able to really see are we being effective in our security program, where we really at.

And one description we give of these metrics are that they should be smart, meaning specific, measurable attainable, repeatable and time dependent. And again, we’ve always said that they need to be metrics that are meaningful. So if they’re meaningful, hopefully it’s because they’re smart metrics. Your business applications also need to be monitored. Now, most of those business applications are running 24/7.That means that they need to be monitored. Twenty four seven. Now, I realize that that doesn’t mean that you always have the staff available through the entire set of days, every day of the week. But there are ways to automate a lot of the monitoring. So with business applications, usually you want to have continuous monitoring of things like intrusion detection systems or other security devices to help give you real time information. And remember that there are as I said before, there are many sims out there that can gather this information and help with the alerting process by adding some automation into the analysis of what’s being gathered.

Now, we also should look at how successful we are with the investments of information security. It’s a part of our managing and what we can measure. The security manager should, of course, be able to evaluate the effectiveness of their investment into security. This can be done through often the key performance indicators. The use of the metrics and monitoring can also help us to verify these key performance indicators to show that we have effective security, that we’ve have effective control, and that our performance is hitting the expectations. Or if it’s not, then it shows that too. But that’s part of managing. Because if we’re not hitting our metrics that we think the key performance indicators are, then that’s our indication in management that we need to work towards getting to those goals.

41. Other Security Monitoring Efforts

Now, there are some other things that we can monitor, some other efforts we can take. Number one, your controls themselves should go through a regular monitoring and testing just to make sure that they’re working fine at Status Quo or if they need some modifications. Now, again, remember, there may be some regular change control things that we have to go through. Most every device that I know, especially on the countermeasure side, it’s a targeted control run software. And every device I’ve ever seen at some point has an upgrade. The only devices that I don’t ever see with the upgrades to the software is because the company has gone out of business, but you still have the equipment. So that means that there’s regular maintenance windows, regular change controls that we have to go through.

And as we make those changes, that means that we should have ongoing monitoring and testing to make sure that it’s still functioning as we need or if there’s any modifications. Now, of course, if there are modifications needed, whether you found them from testing or just because it’s a maintenance plan, these are still things that should go through the proper change controls procedures that we have that are in place. Now, we also need to make sure we’re looking at the outsourced service providers. Now, it’s not uncommon for us to outsource some of the services. Often we do outsourcing usually because of financial constraints. Sometimes it’s just cheaper in the long run for us to bring somebody in on a part time or contractual basis to handle some of the security issues.

But we still need to have overview and oversight into what their actions are. Now, there are some issues we have to deal with. Number one is by bringing somebody in, we might be bringing them in just because of financial issues or maybe just because we’ve lost the skill set. We may have had somebody we depended on who had the skills that we needed that are gone. But we also realized that if I’m bringing people in and outsourcing them, I may permanently have the loss of those skills within my resources, directly within the organization, because now we have them on the outside. What else? Well, hey, you know what? Those people coming in, they might be, in a way, working for me because I’m their customer, but they report to different management. That means that I have a lack of management viability or visibility into that outsource provider. And I do, because, again, it’s a separate organization.

All right, bringing somebody in does introduce new risks, especially when we determine how it is that they’re getting entry. Now, I know I’ve been around with a lot of the large vendors out there, cisco and Juniper as an example, and I’ve assisted a lot of different companies where they are using what we call resident engineers. Technically, a resident engineer is a person who works for the Cisco or the Juniper, but goes to work every day at one of their customers offices and they kind of report like they’re a part of the staff to provide the skill sets. But in a way, they are still a third party. Now, I’m not saying there’s anything wrong with it. This is a very common production methodology that we see out there. But let’s consider if it was somebody working remotely. I know that I have certainly made remote connections to different devices for customers of mine during maintenance windows because I don’t like to travel all that much.

If I can stay home, I’ll do that. But anyway, this introduces new risks because now you have other access people coming in whose loyalties aren’t necessarily with your company, they’re with the one who’s hired them. And we have to worry about the dissemination of information, about what can we release to them, about how they’re making the connection into the network if it’s a remote access. And of course, it really can add to the complexity of the response management. That’s something we’ll talk about in the domain that really kind of deals with that. But these are options or things that we have to monitor and look at with third parties. And of course, it’s also have to realize there may be a difference of culture and ethics between what our companies do or how they operate. So all of these are what we have to consider when we are doing reviews of outsourced service providers.

42. Lesson 7: Current State of Incident Response Capability

All right, so now what we’re going to do is talk about the current state of incident response capability. And what we’re going to do is talk about that as it deals with threats and vulnerabilities.

43. Threats

So when we think about the current state most of the organizations are going to have some sort of incident response, maybe the IRT or incident management as we’ve talked about. And the problem is though is that some of them may not have formalized plans and kind of go in an ad hoc fashion towards their approach of taking care of the different types of events. And that’s not necessarily the best state that we want to go through. We’ve talked already about when we look at the current state and I’m just going to take some notes before we deal with how we should respond to threats. When we think about current state, one of the things that we often think about is that we have kind of, I guess you could say some sort of organization.

That organization has gone through the work of dealing with senior management, business managers, all of the different roles that we talked about through a selfassessment type of setup perhaps or having conducted a self assessment against different criteria so they know what their capabilities are and maybe even through an external or an internal audit. Okay, so what we want to do is say no to the ad hoc. What our hope is, is that we actually have a formal method of dealing with these different types of events. And of course here we’ve kind of classified the first part of these events as threats and that is, as it says, any event that can cause harm to organizations, asset operations or personnel. And I’m going to kind of keep this as an overview because we’ve talked a lot about this already.

We’ve certainly talked about environmental threats. Again, natural disasters which could be over time. How do you deal with those? I know one company that was a restaurant company, management company that had several different chains across the country who have operations in Florida and what they’ve done is they said they came up with a remote site in case of a hurricane. Now the problem with this remote site is if you think about site one being in this part of the country and site two being in the other part of the country and it is what we called a hot site which meant that there really weren’t personnel but the equipment was there. The question was how did they get there? And what they did as a part of their response to the threat was that they used their charter jet to fly their personnel over there as well as their families.

People usually wouldn’t leave a hurricane, leave their spouse and children behind and then they would be set up and ready to continue moving on with business. So that’s kind of an example I guess you could say, for planning for natural disasters and that’s just one of many different types of natural disasters on the technical side of the threats. Well there’s, I guess a couple of different ways we could look at it it could be fire related and by technical you’re probably thinking that sounds physical. Well, it could be electrical failure, fire, HVAC problems which is the heating, ventilating and air conditioning, if you’re not familiar with all the acronyms. But it could also be software. I mean, we did say that, right? Besides all of those, it could still be software related. I would normally put malware in that category but again, it’s malware.

Well, let’s call that kind of a technical but I do understand that it is man made as well disgruntled employees certainly are another issue that may be involved in stealing information, damaging, destroying like I said, it could be espionage, right? There could be a spy. But in any event, these are all different areas here that, as we said, could cause harm to the organization’s assets, operations or personnel. And so that’s a part of what we should be looking at when we are talking about the incident response and our capabilities. Not every company has this private airplane. I shouldn’t have even tried to draw the airplane here to fly the employees over to another hot site, as I was talking about before. But it is a part of our study, at least to look and know what our capabilities are.

44. Vulnerabilities

Now, vulnerabilities, okay? Vulnerabilities exist whether you like them to be there or not. We define it as a weakness. And as a weakness, it could be, as I said, a weakness in the system. All right? So a system, again, could be, even if we wanted to go back to the word power, weakness in the power system. So outside of where I live is a small little town called Jackpot, Nevada. And they’re only known for being a mile off the border of my state. And that’s where everybody goes to gamble. And somebody decided to place a bomb at the power relay station just on the other side of the border, blew it up, and suddenly that city was without power for almost, I think, a week, week and a half. It was many years ago. But I guess you could say in some aspect they found a weakness in the system.

I guess explosives were a weakness and probably one that they didn’t plan on. Well, actually, one of the casinos did. They had a generator that kept them open and in business all that time. But again, maybe that’s a little too extreme for an example. But that’s just one that at least is not something that you’ve heard me talk about a couple of times already. Obviously, technology, we know that there’s all sorts of malware and other types of attacks could be a weakness in a process. There’s a number of different processes. Let’s take a process of a web application. Maybe not exactly the same type of process you had in mind, but what was the process here? Years ago, you’d be sitting here on your laptop connecting out through the Internet, going to a store, online store that sells flowers, and this truly did happen.

The process was that you connect to the server, it sends you the web page, and then it stored all of your data about your shopping cart on what we called a cookie. And some hackers found out that if they were to adjust the prices of those flowers on the cookie and then reconnect to the store, that that information on the cookie was what was sent to the store for the prices. And suddenly they were able to order dozens of roses for a penny instead of however much it was supposed to be. I mean, you could think of that as a process. You could consider that might be even part of a technical aspect. But the idea is that to get something done, we have to go through several steps. And one of the steps might not be as strong as you would like.

And of course, on controls. I think of controls a lot of times as a hardware solution, but it could also be a software solution. Firewall software, applying permissions to a file, whatever the case may be, we’re trying to control or even use, often, depending on where you go. In the realm of security, sometimes the control is also known as a countermeasure. And certainly none of those are perfect either. So what you need to do as far as incident management is you need to proactively look for those vulnerabilities. As an example, if you think that your Windows server is completely patched, you might be making an assumption. Microsoft has what they call a baseline security analyzer tool called MBSA that will run against your servers.

It’ll use your administrative privileges to do a vulnerability assessment and tell you if it’s up to date, if it’s patched correctly or not. Internally, there’s a security, I think, called a Security Control Wizard that will give you a list of best practices for how to harden these servers. And so if you’re being proactive and you’re doing those scans from the outside and from the inside, then you’re going to hopefully make a more secure type of environment here. And those are just things you can do. Proactively you should educate yourself on vulnerabilities. By monitoring vulnerabilities. We’re not suggesting that if you find them, you don’t fix them.

In some cases, there might not be a fix, but maybe by education, by keeping up to date on the current vulnerabilities, then you know what’s out there and what you should be aware of as well as patch vulnerabilities. All right, so I already talked about zero days once, and the problem with the zero day is we often don’t have a patch, sometimes don’t even know they exist. So I’m going to keep them out of the discussion. But many years ago, one of the directors of security for Microsoft in a conference had said that from the time they put out a security patch to the time there was a weaponized method of taking advantage and exploiting that vulnerability was 30 minutes from the time they announced the patch or made it available for download.

And that was at least seven years ago that that statement was made. So we do have vulnerabilities there. I mean, one of the issues with patches is often we want to test a patch before we roll it out because that’s part of our change control. And it’s not a bad idea, by the way, to test out those patches because sometimes a patch doesn’t work or can kill another application that is a third party. And so that means we’re talking time before it’s deployed and rolled out and over time, that means if it’s going to take these people 30 minutes to exploit it, that we are just giving them more opportunities. But again, that’s just kind of your way. Basically, all of this was done just to say, again, remember, the topic is how to determine what your current state is and how you can proactively look at dealing with that current state. Bye.

• Category: Uncategorized