[BreachExchange] Gather round folks, it's time to talk Security Integrity

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 26 19:48:47 EST 2018


Discussing “integrity” in the workplace can either raise the bar for
employee conduct or reveal behaviour that deviates from the organisation's
established standards. Either way, it's a good discussion to have, and one
that can greatly benefit both employee and employer. The same is true of a
narrower application of the term “integrity,” specifically in the context of
an enterprise's computing environment. Given the threats facing those
responsible for securing such environments, there is no better time for
security executives to have the “integrity talk.”

The concept of integrity isn't new to information security by any means. In
fact, it's been an established part of the CIA (Confidentiality, Integrity,
Availability) triad since the triad's inception, a date which is, frankly,
hard to pin down. For a current definition of the Integrity portion of the
CIA triad, we can turn to the SANS Institute, which defines “integrity” as
protecting data from modification or deletion by external sources, with the
ability to make necessary changes if damage was sustained. The CIA triad is,
of course, also composed of Confidentiality (protecting data from external
forces by establishing access levels) and Availability (allowing access to
data and applications when needed).

That understanding of integrity's role in information security has driven
particular applications of the concept. Most organisations invest heavily
in confidentiality and availability. If you take a cursory look at
information security budgets, you'll find they lean towards controls that
protect the “C” and the “A.” Integrity is mostly treated as a proxy term
for encryption, and is focused exclusively on data. This approach stays true
to the definition of CIA as stated, but it leaves a lot of space for
uncontrolled risk.

A change is needed, quickly

It's time to look at integrity as the core concept for a more holistic
approach to information security. At its heart, integrity is about
maintaining a desired state. While that might be applied to data, it can
also be applied more broadly to systems. In this sense, the whole of
information security can be viewed through a lens of Integrity. That shift
in thinking drives activities like defining desired states, measuring
systems against those desired states, and monitoring for changes that cause
deviation from the desired state. Those changes, importantly, aren't
limited to intentional, internal changes. A broad definition of change
encompasses external changes in the threat environment as well. For
example, the discovery of a new vulnerability is a change that affects
Integrity. Changes in exploit activity would be included as well. All of
these changes should be evaluated for how they might cause deviation from
your desired state. If remediation is necessary, it's focused on returning
to that desired state.

In 2017, there were some clear examples of how a broader approach to
integrity management could have averted, in one form or another, a number of
high-profile breaches. For example, WannaCry, arguably one of the most
devastating ransomware attacks to hit last year, happened because there
were known, unpatched vulnerabilities on the systems. The changes that led
up to this incident included the discovery of those vulnerabilities, a
deviation from a desired “vulnerability” state for those assets. During the
incident there were numerous changes on systems caused by the ransomware
itself, but these were all dependent on the initial change that made
organisations vulnerable. There are also multiple examples of misconfigured
Amazon S3 storage buckets exposing sensitive data. Here, there are a few
possibilities. Either the desired state wasn't defined, or it was defined
but not measured. Or it was defined and measured, but no change detection
was in place to identify deviation after initial deployment. The lens of
Integrity drives a structured root cause analysis, and change detection
drives early identification and remediation.
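The define-measure-detect cycle described above, and the two 2017 cases (an external change in the form of a newly published vulnerability, and an internal change in the form of a bucket drifting to public), as an added example that is not part of the original article. Every asset, policy value, change event and identifier (such as CONSTRUCTED-VULN-1) is constructed for the illustration.

```python
"""Integrity as a desired state: define it, measure the inventory against it, and
re-measure after every change, internal or external, to detect deviation."""
import copy

# Desired state per asset type (constructed policy, not from the article).
DESIRED = {"server": {"unpatched_vulns": set()},
           "s3_bucket": {"public_read": False, "encryption": "AES256"}}

def measure(assets):
    """One deviation string per attribute that differs from the desired state."""
    return [f"{a['name']}: {attr}={a.get(attr)!r}, desired {want!r}"
            for a in assets for attr, want in DESIRED[a["type"]].items()
            if a.get(attr) != want]

def apply_change(assets, change):
    """'config' is an internal change to one asset; 'advisory' is an external change
    (a newly published vulnerability) that puts unpatched servers out of state."""
    for a in assets:
        if change["kind"] == "config" and a["name"] == change["asset"]:
            a.update(change["set"])
        elif (change["kind"] == "advisory" and a["type"] == "server"
              and change["component"] in a["components"]
              and change["id"] not in a["patched"]):
            a["unpatched_vulns"].add(change["id"])

def detect_drift(assets, changes):
    """Baseline, then per change return (description, new, resolved) deviations."""
    state, report = copy.deepcopy(assets), []
    before = set(measure(state))
    for ch in changes:
        apply_change(state, ch)
        after = set(measure(state))
        report.append((ch["desc"], sorted(after - before), sorted(before - after)))
        before = after
    return report

INVENTORY = [  # constructed inventory, initially in the desired state
    {"name": "file-srv-01", "type": "server", "components": ["smb"],
     "patched": {"CONSTRUCTED-VULN-1"}, "unpatched_vulns": set()},
    {"name": "file-srv-02", "type": "server", "components": ["smb"],
     "patched": set(), "unpatched_vulns": set()},
    {"name": "customer-exports", "type": "s3_bucket", "public_read": False, "encryption": "AES256"},
]
CHANGES = [  # constructed change feed: one external change, two internal ones
    {"kind": "advisory", "id": "CONSTRUCTED-VULN-1", "component": "smb",
     "desc": "external: new SMB vulnerability published"},
    {"kind": "config", "asset": "customer-exports", "set": {"public_read": True},
     "desc": "internal: bucket made publicly readable"},
    {"kind": "config", "asset": "file-srv-02", "set": {"unpatched_vulns": set()},
     "desc": "remediation: patch applied"},
]
```

Calling `detect_drift(INVENTORY, CHANGES)` reports the unpatched server after the advisory, the bucket after its policy edit, and the server's return to the desired state after remediation, while the bucket deviation stays open until someone acts on it.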

There's a clear sense in the industry that the stakes are being pushed even
higher, and security professionals must assume that the attackers are
already in the vicinity. This portrayal of a growing threat reinforces the
need for a broad, inclusive framework to address security. A focus on
Integrity management delivers just that. Not only will flaws be detected
more effectively, they will also be fixed quickly before anything becomes
exposed or compromised. Integrity management drives greater visibility and
control.
After all, if you know what you have and you know what's changed, you
significantly improve your ability to recognise and react to security

So let's give CISOs a fighting chance

Much like how the world of cyber-security has evolved, so too should the
definition of integrity, which can now be regarded as the maintenance and
assurance of the accuracy and consistency of the entire system – including
data over its entire life cycle. By approaching cyber-security from the
perspective of ensuring system integrity, security professionals can employ
well-known, established best practices more effectively, and evaluate new
technologies more accurately.

Integrity management gives CISOs the clarity and ammunition they need to
make the switch from a limited approach to a security strategy layered on
foundational controls which, according to the IT Process Institute, have
proven to prevent and detect 90 percent of all breaches. It will require a
shift in the way many approach security management, but represents one of
the most promising approaches to effective enterprise security, both now and
in the future.