While the sophistication of cyber-threats facing our government grows every day, traditional thinking about how federal information security leaders should fight that challenge is evolving. It was once accepted that cyber-security in an enterprise could only be achieved by driving out all vulnerabilities that are susceptible to attack. But there is now increasing recognition that this isn’t necessarily the case.
In order to successfully operate a secure cyber-environment, federal government entities must take a cue from cross-sector and industry approaches and learn to be comfortable with something that feels very uncomfortable — accepting risk.
It has become clear that cyber-infrastructures cannot be defended from all risks; in fact, it must be accepted that many risks — both the known and the unknown — will continue to persist. Historically government entities and private organizations have directed tremendous resources toward complete risk elimination, only to see emerging threats outpace their efforts. As a result, security goals have shifted to focusing on identifying the threats that would impact the mission the most.
By focusing on security that matters, enterprises effectively manage their risks by directing the majority of their security efforts toward high-priority threats. Many commercial enterprises have already embraced this shift to maintaining enterprise protection by implementing effective risk management processes.
The 2010 Top Cyber Security Risks Report published last September by Hewlett-Packard exposes the precarious situation of public- and private-sector enterprise systems by revealing a surprising statistic about system vulnerabilities due to “zero day” attacks. Such an attack tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. The attack occurs on or before the first day of developer awareness (hence “zero day”), meaning the developer has had no time or opportunity to distribute a security fix to software users. According to the report, the number of unpatched zero day vulnerabilities has grown rapidly in the past five years, with at least six or seven undiscovered vulnerabilities existing in any given product or enterprise system at any one time. Web application vulnerabilities have also increased drastically, beginning around 2006 and continuing unabated for the past four years. These mounting vulnerabilities provide direct access for cyber-attacks.
This data underscores why total eradication — trying to defend against every attack vector — is a futile effort that treats all threats equally: There will be vulnerabilities in cyber-assets that don’t pose a major threat to mission outcomes, and there will be undiscovered zero day attacks that can be devastating. Because no single countermeasure is effective against every threat, layered defenses can mitigate many risks but not all of them. The bottom line is that successful system security becomes a matter of setting priorities around the systems most likely to affect delivery of critical services.
While rigorous, analytics-based risk management is the ideal, practicing it robustly is inherently difficult for the IT industry because of the qualitative approaches commonly used today. In industries that are rich in quantitative analysis, such as the financial and insurance sectors, the risk management process is much more rigorous and intensive. Insurance actuaries, for example, can apply an array of quantitative processes to model and simulate risk, which allows them to determine and ultimately monetize risk for their customers. By contrast, reliable, quantitative approaches to understanding enterprise risk in the IT industry are relatively new. However, due to increasing threats and the massive amounts of data being generated by the sensors and protection devices being deployed across an enterprise, government and industry IT must engage these new analytic approaches in order to secure their environments more effectively.
Security risk management is a highly customized approach used to support the mission of each agency’s infrastructure and the government enterprise. Focused analysis must be placed on identifying what an incident actually means for each system and how it will impact the mission that system supports. With a detailed understanding of what a breach would mean to each specific mission system, the agency can then decide what level of financial resources it is willing to direct toward system defense. In some cases, the costs will outweigh the effects of the incident. In others, cost is subservient to protecting the mission. This is security risk management for mission assurance: determining acceptable and unacceptable risks and their potential impact on the agency mission.
As the nascent field of cyber-risk management — a.k.a. security analytics — takes shape, private enterprise has begun to lead the way. For example, scientists at HP Labs and Citicorp worked together to help the financial industry combat cyber-threats by addressing the problem using modeling and simulation to understand the impacts of various security investments. This approach allowed Citicorp to make security investment decisions based on thoroughly modeled outcomes, which ultimately led to tradeoff decisions on vastly different controls (host intrusion prevention systems versus patch automation). This is a real example of investing in security that matters most while working within a specific budget. In support of government IT security, technology companies are using this commercial expertise to help government decision-makers create safer environments.
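As an added illustration of the mission-impact prioritization and budget-constrained control tradeoff described in the two paragraphs above (example code, not from the article, HP Labs or Citicorp), the following Python model assigns each asset a constructed annual loss expectancy, ranks assets by it, and greedily selects the controls whose risk reduction exceeds their cost within a budget. All asset names, dollar figures, incident rates and effectiveness fractions are assumptions made up for the example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    loss_per_incident: float   # dollar impact of one breach on the mission (constructed)
    incidents_per_year: float  # expected annual incident rate (constructed)

@dataclass
class Control:
    name: str
    annual_cost: float
    effectiveness: dict  # asset name -> fraction of that asset's incidents prevented (constructed)

def ale(asset):
    # Annual loss expectancy: single-incident impact times expected yearly rate.
    return asset.loss_per_incident * asset.incidents_per_year

def residual_ale(asset, controls):
    # ALE left after the chosen controls; each control's prevention is treated as independent.
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.effectiveness.get(asset.name, 0.0)
    return ale(asset) * remaining

def rank_assets(assets):
    # Asset names ordered by unmitigated ALE, highest mission impact first.
    return [a.name for a in sorted(assets, key=ale, reverse=True)]

def select_controls(assets, controls, budget):
    # Greedy: keep adding the affordable control with the largest net benefit
    # (risk reduction minus its cost); stop when no remaining control pays for itself.
    chosen, candidates = [], list(controls)
    while True:
        current = sum(residual_ale(a, chosen) for a in assets)
        spent = sum(c.annual_cost for c in chosen)
        best = None
        for c in candidates:
            if spent + c.annual_cost > budget:
                continue
            net = current - sum(residual_ale(a, chosen + [c]) for a in assets) - c.annual_cost
            if net > 0 and (best is None or net > best[0]):
                best = (net, c)
        if best is None:
            return chosen
        chosen.append(best[1])
        candidates.remove(best[1])

# Constructed sample portfolio: three mission systems and three candidate controls.
ASSETS = [Asset("billing-portal", 500_000, 0.4),
          Asset("intranet-wiki", 20_000, 2.0),
          Asset("case-management", 2_000_000, 0.15)]
CONTROLS = [Control("patch-automation", 60_000, {"billing-portal": 0.5, "intranet-wiki": 0.6, "case-management": 0.3}),
            Control("hips", 120_000, {"billing-portal": 0.4, "intranet-wiki": 0.2, "case-management": 0.5}),
            Control("wiki-hardening", 30_000, {"intranet-wiki": 0.9})]
```

With these numbers a 150,000 budget buys only patch automation, and adding HIPS on top only pays for itself once the budget reaches about 250,000; the wiki hardening never justifies its cost once patching is in place, which is the "cost outweighs the incident" case.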
In the current cyber-environment, one thing is certain: There will be unscrupulous attacks against our government infrastructures and systems. These threats are becoming more sophisticated and persistent. Undoubtedly there will be many vulnerabilities in the enterprise — both known and unknown. Some will be identified and remediated quickly while others will remain undiscovered for months or potentially years. Understanding this dynamic underscores the enormous importance of using a rigorous risk management process to determine which assets, and what level of risk, are acceptable to the mission owner of the agency. Applying this core management principle of risk versus reward to cyber-security is one of the few methods through which we will see lasting success. Ultimately, mission owners and IT leaders must themselves choose security that matters.
Sam Chun is director of Cyber Security Practice — U.S. Public Sector for Hewlett-Packard.