360 Degree Cyber Security, LLC

Tag Archive: critical security controls

Critical Security Controls for Truly Small Businesses – Identify

I listen to a number of podcasts weekly.  One of my favorites is Down the Security Rabbit Hole (#dtsr).  Frequently I hear the hosts talk about focused measures and that basically one size does not fit all.  Look at the Critical Security Controls, initially published by SANS and the Council on Cyber Security and now promulgated by the Center for Internet Security.
The controls fall into the broad categories defined by the U.S. Government's National Institute of Standards and Technology (NIST) Cyber Security Framework.  The framework breaks the controls down into five areas.  This blog post will cover the first, Identify.
The controls are written with larger small businesses (20+ endpoints) in mind.  Let's take a look at ways that smaller businesses with fewer endpoints can make this happen without going broke, breaking the controls down into items that can easily be completed by the business's IT person or a consultant.  For a small business, the place to start is the "quick wins".

The Critical Security Controls list seven Quick Wins.  Some are not so easy to implement and may require purchasing additional software and hardware to manage.  But what it comes down to is really knowing what you own.

For example, a local accounting firm may only have five or six computers, a server, a couple of printers, and basic networking devices.  For simplicity's sake, let's say 10 endpoints.
Why did I choose an accounting firm?  Typically these firms process a considerable amount of personally identifiable information (PII), and additionally there is quite a bit of financial information about their personal and business clients.  This can make them a juicy target for cyber criminals.
So of the seven Quick Wins, really only two are initially necessary.  I say initially only because the others can be addressed later as the business is able to.  The same goes for the other items under the Identify framework category.
1.2 – Deploy automated asset inventory.  Well, maybe not automated: a hand-developed list with manufacturer, model number, serial number, location, and assigned IP addresses is enough.  Maintain and update the list as things change within the business.  Identify those pieces of hardware that process or store information critical to the business.  In the case of an accountant, it might be the server and the workstations that store client information.  If you utilize a managed service provider, have them provide this list to you.  To go with this, draw out a map showing how the network is connected.


2.3 – Deploy software inventory tools.  Again, like the hardware, a hand-developed list of software is all that is really necessary; it should contain the developer, the version number, and the last time it was updated.  A typical list can be derived by looking at the Add/Remove Programs console.  Not everything installed will necessarily appear in that list, but it will contain your major applications and add-ons (Adobe Acrobat, Flash, etc.).
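One way to produce both the 1.2 hardware list and the 2.3 software list on each Windows machine, as an added example that is not part of the original post: the script below reads the hardware facts from CIM/WMI and the same software entries that Add/Remove Programs displays from the registry uninstall keys, and writes each to a CSV file that can be kept and updated as things change.  The output folder and the hand-filled Location/Critical columns are assumptions.

```powershell
# Added example (not from the original post): collect the 1.2 hardware facts and
# the 2.3 software facts from the local Windows machine into two CSV files.
# Run it on each workstation and server; the output folder is an assumption.
$Stamp  = Get-Date -Format 'yyyyMMdd'
$OutDir = 'C:\Inventory'                      # assumption: where the lists are kept
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- 1.2 hardware: manufacturer, model, serial number, assigned IP addresses
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$ips  = (Get-NetIPAddress -AddressFamily IPv4 |
         Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
         Select-Object -ExpandProperty IPAddress) -join ';'
[PSCustomObject]@{
    Hostname     = $env:COMPUTERNAME
    Manufacturer = $cs.Manufacturer
    Model        = $cs.Model
    SerialNumber = $bios.SerialNumber
    IPAddresses  = $ips
    Location     = ''      # fill in by hand: which office, closet, desk
    Critical     = ''      # fill in by hand: stores or processes client data? (Yes/No)
    Collected    = $Stamp
} | Export-Csv -Path (Join-Path $OutDir "hardware-$env:COMPUTERNAME-$Stamp.csv") -NoTypeInformation

# --- 2.3 software: the entries Add/Remove Programs shows, read from the
# uninstall keys (64-bit view, 32-bit view, and per-user installs)
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |             # skip entries with no visible name
    Select-Object @{n='Hostname';e={$env:COMPUTERNAME}},
                  DisplayName, Publisher, DisplayVersion,
                  InstallDate,                    # yyyyMMdd when the installer recorded it
                  @{n='Collected';e={$Stamp}} |
    Sort-Object DisplayName |
    Export-Csv -Path (Join-Path $OutDir "software-$env:COMPUTERNAME-$Stamp.csv") -NoTypeInformation
```

Keeping the dated CSVs lets you compare this month's list against last month's and spot hardware or software that appeared or disappeared without anyone updating the inventory.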
By completing these two items, a small business can meet the intent of the Identify category.  If you require assistance, please contact us.  We will be glad to assist your small business.

Incident Response – Not as simple as pulling the plug

Imagine this...  You are in charge of a major bank's cyber security operations center.  It is 2:10 AM and your cell phone is blowing up.  The network has been compromised.  The night-time analyst has identified a worm and isolated it in...  a system that controls the air conditioning at one of the branches.  A threat exists...  Yes...  But it does not warrant taking down all of the bank's networks.  It does indicate that extra vigilance and investigation are required.  The analyst performed all the steps as outlined in the incident response plan and mitigated the threat.

A well-defined and practiced incident response plan will provide the guidelines the network administrator needs to determine whether the system/network should be shut down immediately or remediated in place.

The response plan should take into consideration the criticality of the system, the value of the information, and the attack/threat characteristics.  Depending on the system/network's purpose, questions about the operation of the system need to be answered.  Questions such as:

•    Is the system critical to life/death/dismemberment?  Will physical damage result from an attack on the system?  What would happen if the device or network was disconnected or immediately shut down?
•    Does the device support critical infrastructure?  Will fail-safes kick in if the system/network access is removed?
•    Is the device simply a database that contains personally identifiable information (PII) or electronic protected health information (ePHI)?
•    Is the network/device a mail server or web server?

With the network/devices and their criticalities identified, make a determination on the threat and how pervasive it is.

•    Is it a worm?
•    Is it a botnet?
•    Is information being exfiltrated?
•    Are devices being remotely controlled, preventing their use?
•    What are the characteristics of the attack?

It is these types of questions that need to be answered and documented in an incident response plan.

A good example of an attack occurred late last year in Germany.  A steel mill in Germany was attacked in a way that caused actual physical damage.  The attackers took control of a blast furnace and prevented an orderly shutdown of the furnace.  Technicians utilized immediate emergency shutdown procedures, overriding the control system at the furnace, and prevented further damage (Zetter, 2015).  This example highlights that removing the system from the attack prevented subsequent damage.

However, if the system is a critical system, like a power substation controller, and the attack vector appears to be a worm that is not immediately degrading the network or system, it may be beneficial to leave the system as is and attempt to mitigate the problem by migrating its responsibilities elsewhere.

A case can be made either way for shutting down the system/network immediately.  Factors such as attack impact and system criticality must be weighed.  A good response plan will take into account many such scenarios and will allow for improved decision making, coordination between internal and external entities, and a unified response, which will ultimately limit the loss of data.

Zetter, K. (2015, January 8). A cyber attack has caused confirmed physical damage for the second time ever. Wired. Retrieved March 26, 2015, from http://www.wired.com/2015/01/german-steel-mill-hack-destruction/