Helpful Resources


As your organization works toward achieving CMMC compliance, creating your System Security Plan (SSP) and Plan of Action and Milestones (POA&M) are critical steps in the process. Both documents provide a foundation for your remediation efforts as you work to close all of your company’s cybersecurity compliance gaps.

Find the right SSP for your organization

Your SSP will outline how your organization approaches cybersecurity. It is your opportunity to narrate your security controls including discussing your environment and how you meet the intent of your controls. Before you begin drafting your plan, you need to determine which approach to take. Select one of the below to get started.

  • Organizational plan – Sometimes called an enterprise system security plan, this type of plan represents a single system security approach across the organization, defining a standard, organization-wide adoption of control requirements. Organizational plans work well for less complex organizations where all technology can be represented in a single document.
  • System focused plan – This approach concentrates on security through the lens of a particular system, IT service, or enclave, and fully documents control implementation details from the perspective of a specific system only.
  • Hybrid plan – This plan sits between an organizational system security plan and a single-system or enclave system security plan. It takes the idea of standardization from the organizational plan, but documents your deviations from your overarching standard in addenda or appendices.
  • Shared compliance – This is a type of hybrid plan that documents the accountability of control implementation that lies with a service provider. The organization should ensure, contractually or through verification, that inherited controls are in place at the service provider and that they are applicable to the systems and/or services in scope for system security planning.


SSP document structure

Regardless of the type of plan you proceed with, here is guidance on how to structure your SSP. Include the following report elements.

  • System information – In this section it is important to include ownership and accountability for each system you are documenting, as well as a systems environment description, data flows and interconnections, users and roles, and hardware and software components.
  • Control narratives – For each control, note the status, which should be compliant, partially compliant, not compliant, not applicable, or inherited, and provide a narrative about the status. Also include discourse on the control implementation. This is your opportunity to discuss a control requirement. For every control where you are partially compliant or not compliant, provide a summary of planned actions to get you to compliance and direct readers to your POA&M.
  • Other considerations – There are other types of information that can be helpful to include in your SSP including:
    • Diagrams and visual representations to illustrate what your system is and how it works.
    • Assessment guide and supplemental guidance to assist your narratives and show what you need to achieve and how you will meet your objectives.
    • Expected or maintained evidence and artifacts to demonstrate how you will or are implementing the controls.
    • Maturity references including policies, practices, and plans to tie the pieces together and make it easier for a certifier to track down those pieces of evidence that confirm your controls are not newly implemented.
    • CUI authorizations to show the flow of CUI in your environment. This should describe where CUI should exist, where it is stored, how it should be accessed, and how it flows.


Take the steps to compliance with a POA&M

A POA&M is a corrective action tracking mechanism. Here are the key components to have as you develop your own POA&M to assist with your CMMC compliance efforts.

  • Corrective actions list in the form of actionable tasks – What are the actions that you need to take to implement each control?
  • Milestones and timeline to achieve compliance – When do you plan to have each action completed? Include interim completion dates.
  • Ownership and resourcing of tasks – Who is responsible for managing and completing each action?
  • Prioritization – What is the compliance impact, estimated cost, and risk of each?
  • Weakness or deficiency – How was the weakness that requires this action identified?
  • Control mapping – Which control does this action correspond to and address?
  • Status – What is the status? Is this action ongoing or completed?


POA&M process and workflow tips

Start with a template and your assessment data as input. Select your template and aggregate all the information you uncovered in your internal assessment, external assessment, or audit. These will be your two inputs to leverage in building your plan of action and milestones.

Convert assessment recommendations to actionable tasks. Sometimes assessment-speak is at a high level. Make sure you are breaking down each requirement into steps that make sense. Include the necessary detail to address the steps your organization needs to take to bring you into a compliant state.

Populate your POA&M and follow your planned timeline. Note any changes to your targeted dates and make sure that you’re actively using this plan to help you achieve compliance.

Maintain your POA&M as you close out your tasks. Once you complete a task, move the status to complete. If you appropriately maintain your POA&M, it is easy to track your progress and note your outstanding items. It also establishes an audit trail of tasks that you are closing out.
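
The control narratives above require every partially compliant or non-compliant control to point at a POA&M entry, and the POA&M workflow requires each entry to map back to a control, carry an owner and milestone date, and leave an audit trail when it is closed. The following script is an added example (not CyberSheath’s own tooling) of the consistency checks a practitioner would run over those two documents before an assessment: it flags controls that lack an open POA&M item (either remediation is undocumented or the SSP status is stale), POA&M items mapped to controls the SSP does not document, overdue milestones, and overall progress. The control identifiers, owners, dates and the reporting date `AS_OF` are constructed for illustration.

```python
"""
SSP control-status / POA&M cross-check. Added example, not CyberSheath's
own tooling; control identifiers, owners and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# SSP control statuses named in the guide above.
STATUSES = {"compliant", "partially compliant", "not compliant",
            "not applicable", "inherited"}
# Statuses that must be backed by an open POA&M item.
NEEDS_POAM = {"partially compliant", "not compliant"}


@dataclass
class PoamItem:
    item_id: str
    control: str       # control mapping (constructed NIST 800-171 style ids)
    action: str        # corrective action as an actionable task
    owner: str         # who is responsible for completing it
    due: date          # milestone date
    priority: int      # 1 = highest compliance impact
    weakness: str      # how the deficiency was identified
    status: str = "open"
    history: list = field(default_factory=list)   # audit trail entries

    def complete(self, when: date, note: str = "") -> None:
        """Close the task and record the transition for the audit trail."""
        self.history.append((when.isoformat(), self.status, "completed", note))
        self.status = "completed"


def validate_ssp(ssp):
    """Controls whose status is not one of the allowed values."""
    return sorted(c for c, s in ssp.items() if s not in STATUSES)


def cross_check(ssp, items):
    """Controls marked partially/not compliant with no open POA&M item, and
    POA&M items mapped to a control the SSP does not document."""
    open_controls = {it.control for it in items if it.status == "open"}
    missing = sorted(c for c, s in ssp.items()
                     if s in NEEDS_POAM and c not in open_controls)
    unmapped = sorted(it.item_id for it in items if it.control not in ssp)
    return {"controls_without_poam": missing, "items_unmapped": unmapped}


def overdue(items, today):
    """Open items whose milestone date has already passed."""
    return sorted(it.item_id for it in items
                  if it.status == "open" and it.due < today)


def progress(items):
    """Simple completion summary for status reporting."""
    total = len(items)
    done = sum(1 for it in items if it.status == "completed")
    return {"total": total, "completed": done,
            "percent": round(100 * done / total) if total else 0}


AS_OF = date(2017, 11, 20)   # constructed reporting date


def sample_data():
    """Constructed SSP status map and POA&M entries (not real assessment data)."""
    ssp = {"3.1.1": "compliant", "3.1.2": "partially compliant",
           "3.5.3": "not compliant", "3.11.2": "not compliant",
           "3.13.1": "inherited"}
    items = [
        PoamItem("P-001", "3.1.2", "Restrict file-share access to authorized roles",
                 "IT lead", date(2017, 11, 15), 1, "Internal gap assessment"),
        PoamItem("P-002", "3.5.3", "Deploy MFA for remote and privileged logins",
                 "Security lead", date(2017, 12, 1), 1, "Internal gap assessment"),
        PoamItem("P-003", "3.11.2", "Schedule monthly vulnerability scans",
                 "Operations", date(2017, 10, 31), 2, "External assessment"),
        # "3.99.9" is a deliberately bogus mapping to show the unmapped check.
        PoamItem("P-004", "3.99.9", "Correct control mapping on this entry",
                 "IT lead", date(2017, 12, 31), 3, "Internal gap assessment"),
    ]
    # Closing P-003 leaves the SSP still saying "not compliant" for 3.11.2,
    # which the cross-check surfaces as a stale status.
    items[2].complete(date(2017, 10, 20), "Scanner scheduled; first report delivered")
    return ssp, items


if __name__ == "__main__":
    ssp, items = sample_data()
    print("invalid statuses:", validate_ssp(ssp))
    print("cross-check:", cross_check(ssp, items))
    print("overdue as of", AS_OF, ":", overdue(items, AS_OF))
    print("progress:", progress(items))
```

Run as a script it prints the four checks for the constructed data; in practice the SSP map and POA&M rows would be loaded from the spreadsheet or template you chose, and the cross-check run before every milestone review so the two documents never drift apart.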


SSP and POA&M Resources

The documents listed below are useful as you build your own SSP and POA&M.


If you have questions about how your organization can craft its SSP and POA&M, contact the experts at CyberSheath. We have helped clients assess and document their cybersecurity state, implement controls, and achieve and maintain compliance. Get started today.


Cybersecurity at small and mid-sized businesses is often under-resourced, with an “Army of One” approach to compliance and risk management. Compliance with regulatory requirements like DFARS 252.204-7012, HIPAA, PCI DSS, NERC CIP, Sarbanes-Oxley (SOX) and more competes with actual cyber defense efforts to monitor, detect and respond to threats. Doing what you have always done, buying more products and surviving audits, isn’t effective and doesn’t scale. There is a better way, and its effectiveness can be measured with contractual Service Level Agreements (SLAs) that enable cybersecurity to be a force multiplier for your business.

Instead of hiring FTEs and deploying one-off, point-solution products that don’t integrate with existing investments, consider Managed Security Services that deliver:

  • Cloud-based security monitoring platform in one unified solution
  • Integrated security information and event management (SIEM) and log management
  • Asset discovery
  • Vulnerability assessment
  • Intrusion detection
  • Behavioral monitoring
  • Threat intelligence
  • Privileged account management
  • Automated and simplified regulatory compliance management

Just think about your infrastructure today. How many tools and products do you have spread across too few engineers without enough time to deploy, monitor and manage them? Do you feel like a SIEM solution is a luxury that a business your size can’t afford? Small and mid-sized businesses often have to make tough choices between resource allocation, and a SIEM solution rarely makes the cut because of cost and complexity. The irony is that a SIEM solution is a foundational investment that improves your ability to allocate resources, meet compliance requirements and defend your infrastructure. Coupled with Managed Security Services, the return on investment (ROI) for your business is measurable in a variety of ways.

Our partner, AlienVault, commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study that detailed the potential ROI organizations can realize by deploying the AlienVault Unified Security Management ® (USM) platform. The results aligned with our experience delivering managed services in the defense, financial, healthcare, technology and manufacturing industries. Here is what Forrester Consulting found:

Simplified compliance reporting for companies, resulting in nearly 6,000 hours of time-savings each year. Prior to adopting AlienVault USM Anywhere, key pieces of information had to be pulled from many different systems and consolidated into reports for the auditor. This process took nearly four months, but with AlienVault, onsite audits could be completed in one week as the compliance information and reports were readily available in real-time. This resulted in approximately 2,000 hours of time savings per audit and, on average, three audits were being held each year.

AlienVault USM Anywhere reduces the cost of incidents by improving threat detection and incident response time by 80%. Based on a 2017 study conducted by the Ponemon Institute, the probability that an organization will experience a breach greater than 1,000 records is 14%. However, with the deployment of USM Anywhere, the time to detect incidents was dramatically reduced, helping organizations identify and respond to attacks much faster. With 80% faster detection and response time, the impact and probability of a breach could be reduced.

An 80% security operations staff productivity improvement. Prior to adopting AlienVault solutions, organizations didn’t dedicate much time to daily monitoring tasks. On average, two to three investigations arose each week, which took the combined effort of two dedicated resources. After the deployment of AlienVault’s USM Anywhere platform, the security operations team was able to monitor and detect issues in real-time. This reduced the manual effort involved in investigative activities by 80% and allowed the resources to focus their time on more value-added tasks. “We are still responsible for monitoring alerts and logging, but it’s gone from hours per day to minutes. It allows us to focus on things like serving our customers, writing new code, and ultimately bringing more business in the door.”

Threat intelligence saves time and money. With AlienVault Labs threat intelligence, organizations no longer have to dedicate resources to sifting through multiple sources of information and bulletins to keep up with the latest intelligence. Now they can rely on the AlienVault Labs Security Research Team for continuous updates to threat correlation rules and directives. With the added benefit of not having to pay for an alternative threat intelligence subscription, the overall annual cost savings for the composite organization resulted in more than $40,000 per year.

The data from the study was clear: managed services save time and money by enabling more effective regulatory compliance and risk management. You probably already intuitively know that managed security services will be a game-changer for your organization, and the data from the study only further strengthens that opinion. That said, there are often at least two challenges to moving forward that businesses struggle with:

  1. Senior management doesn’t want to spend the money, I don’t care what your fancy study says.
  2. Managed Security Services Providers are like gas stations, there’s one on every corner and they all sell the same thing.

Getting past these barriers to realizing the benefits of managed services requires the same solution: selecting a Managed Security Services Provider that can push past them before you have spent any money. You will know you have selected the right partner when they invest the time upfront to specifically show you how their services benefit your business. Candidly, management is right. Nobody cares what a vendor study says might happen at your business based on possibility. Your potential MSSP should be spending time documenting and demonstrating how their services will reduce risk and simplify compliance at your business. You will quickly be able to differentiate MSSPs offering canned reporting and push-button threat detection from those with teams that span CISO through operations-analyst level experience. You are buying a service, and that service should have real people that can document and articulate the MSSP value specific to your business before you spend any money. Regardless of whether that takes two weeks or six months, you will know you have the right MSSP when they invest the time pre-sales to detail the value to your business.

Managed security services are the answer to your small and mid-sized business cybersecurity needs and selecting the right partner will be a force multiplier for your business.

Contact us today to learn how to save time and money with CyberSheath Managed Security Services.

In the last decade, the way in which nation-states have targeted the U.S. has changed dramatically. Where warfare was once predictably physical in nature, more and more of today’s threats come via virtual and digital channels.

After more than a decade of large-scale intellectual property theft, including the theft of massive amounts of highly sensitive data from a U.S. Navy contractor’s computer systems, allegedly by Chinese hackers, the Department of Defense (DoD) has sought new guidance on how to secure its $100bn supply chain in the face of modern threats.

In the recent report Deliver Uncompromised, researchers at Mitre Corp. discuss how the Department of Defense (DoD) and intelligence agencies can adapt to meet the growing threat of cyber warfare. They identify a number of ways in which national security can be compromised remotely, including the virtual hijacking and sabotage of military equipment; the infiltration of software for espionage purposes; and the data theft to which the Navy contractor fell victim.

Beyond Compliance

Up until now, the focus has been on encouraging contractor compliance. A recent example is the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, a framework that lays out how contractors must safeguard sensitive defense information and report cyber security incidents. By December 2017, prime contractors were required to demonstrate exactly how they’d implemented mandatory policies and achieved full compliance.

However, the Deliver Uncompromised report argues for a full cultural shift in the way in which the issue of cybersecurity is framed, with an emphasis on the role of the contractor. Instead of simply requesting or even mandating co-operation in support of their security objectives — a reactive role — the report recommends that defense and intelligence agencies encourage contractors to share ownership of the problem itself and proactively develop solutions.

At present, the DoD chooses suppliers based on cost, schedule, and performance, but the report notes that this can actually encourage suppliers to cut corners on their security provision. Factoring in the price of implementing enhanced security measures makes the supplier less attractive to the DoD in terms of cost, but when the alternative is to eat the cost themselves, most businesses will choose to simply do the bare minimum in order to achieve compliance.

In order to avoid the ‘compliance effect’ and incentivize suppliers to go above and beyond, DoD is attempting to elevate security to a key metric in the procurement process, on par with cost, schedule, and performance. In making enhanced security a competitive advantage and not just a ‘checkbox’, the DoD is essentially leveraging its position as the primary source of revenue for many of its contractors in order to shape their behavior.

That’s not to say compliance is moving down the agenda; quite the opposite, in fact. Deliver Uncompromised identifies a number of major holes in current compliance legislation, noting that they undermine any ‘softer’ attempts by the DoD to influence suppliers.

Financial Liability

First, the report says, it’s unclear what tangible consequences a contractor will face in the event that their non-compliance with DoD mandates leads to a security breach. Because there are so few financial repercussions, the very real risk is that some suppliers will fail to commit the necessary resources to implement their contractual obligations, while others will ignore them altogether.

To address this risk, Deliver Uncompromised recommends that DoD re-examines financial liability processes for suppliers that fail to take reasonable or timely assurance measures to protect the DoD from a threat. It also implores the DoD to consider seeking the legislative authority to hold suppliers liable for gross negligence in circumstances where cybersecurity obligations have not been met.

Software Practices

Software was identified as a major area of vulnerability for the DoD supply chain, especially given the widespread use of open-source software components with uncertain origins. And yet, the report says, the current practice is to absolve users, operators, and even developers from responsibility for security threats arising from software failure.

Deliver Uncompromised calls for an overhaul of this policy and suggests that the DoD demand much higher standards of security throughout the life cycle of mission-critical software. It also recommends placing much greater accountability on users, operators, and developers, which may be achieved by soliciting the help of Congress to change laws surrounding software immunity.

What Does this Mean for You as a Defense Supplier?

If a significant proportion of your revenue depends on government contracts, it’s likely you already know that compliance is becoming an increasingly important deciding factor in the awarding of contracts. However, it’s no longer enough to simply comply.

Deliver Uncompromised is a crystal-clear statement of the DoD’s intent to reward suppliers that go above and beyond in terms of security. In fact, the cultural shift is already happening, with the 2017 case of IPKeys Technologies serving as a prime example.

IPKeys protested to the U.S. Government Accountability Office (GAO) when they lost out on a defense contract to a higher-priced competitor. While both companies met the mandatory cybersecurity compliance requirements, the awardee had demonstrated a proactive commitment to non-mandatory security frameworks, too. Despite their higher cost, the awardee went above and beyond compliance and received a higher value rating — and won the contract — as a direct result.

The GAO denied the protest, strengthening the notion that minimum security compliance is no longer enough to remain competitive. Should the DoD implement the recommendations outlined in Deliver Uncompromised — and they likely will, given the current concerns about foreign interference and cyberattacks — enhanced security will become a legal matter as well as a commercial one.

For you, that means getting ahead of the game and fortifying your cybersecurity now. While other suppliers continue to do the bare minimum in order to check off compliance boxes, your focus should be on strengthening security procedures and adding value wherever possible. Take these measures now, and when the legislative environment inevitably moves forward, you’ll be leading the way — not scrambling to keep up.

Want to Remain a Competitive Defense Supplier?

Then now is the time to start enhancing your security practices with a comprehensive, free cybersecurity evaluation from CyberSheath. Let us help you to make sense of the changing security environment and make sure your business stays one step ahead. Contact us now to arrange your free evaluation.


The U.S. Securities and Exchange Commission (SEC) issued new guidance for public companies to be more forthcoming when disclosing cybersecurity risks, expanding on previous guidance issued in 2011. In addition to warning corporate insiders not to trade shares when they have information about cybersecurity issues that isn’t public, the guidance advised that internal or law enforcement investigations cannot be used as an excuse for not informing the public. The unanimously approved guidance was published as “interpretive guidance,” which the SEC uses to publish its views and interpret the federal securities laws and SEC regulations.

The 24-page guidance provides some clear insight and required actions for public companies to ensure compliance with the new guidance. The full document can be found here:

A clear takeaway from the guidance is that a company’s directors, officers, and other persons responsible for developing and overseeing disclosure controls and procedures should be informed about the company’s cybersecurity risks. While this seems like an obvious statement, you might ask yourself whether this information is actually flowing beyond the CIO or CISO.

Do you have a documented, repeatable process for informing company directors and officers of such risks, or is it ad hoc and on demand whenever cybersecurity is put on the board agenda as a topic of discussion? One way to be ready for these ad hoc requests, and ideally help the company mature to something more formal, is to contract with a third party to execute a comprehensive cybersecurity risk assessment.

Assessments have earned a bad name as they often become shelf-ware that never sees the light of day outside of the IT organization. Done correctly, these assessments should be the foundation for board-level briefings and based on a solid framework like the NIST Cybersecurity Framework. The right vendor will align the assessment with all relevant regulatory requirements or guidance in addition to the framework and provide you with a comprehensive and quantifiable view of your cybersecurity risk.

For more information on how to leverage an assessment that can be transformative for your organization, and enable you to comply with SEC guidance, read this blog post:

Getting back to the recent SEC guidance, it states that “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

The “risks” or “negative consequences” highlighted in the SEC guidance included:

  • Remediation costs;
  • Increased cybersecurity protection costs;
  • Lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
  • Litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities;
  • Increased insurance premiums;
  • Reputational damage that adversely affects customer or investor confidence;
  • Damage to the company’s competitiveness, stock price, and long-term shareholder value.

The Commission stated that it is critical for public companies to take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.

Given that every company should reasonably assume material risk related to cybersecurity, whether or not it has yet been the target of a cyber-attack, it’s clear that no public company escapes the guidance.

The SEC guidance encourages disclosure controls and procedures to provide a method for understanding the impact that cybersecurity risks and incidents have on the company in addition to a protocol to determine the potential materiality of such risks and incidents.

The SEC describes effective disclosure controls and procedures “as best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”

The following issues were highlighted as important when evaluating cybersecurity risk for disclosure:

  • The occurrence of prior cybersecurity incidents, including their severity and frequency;
  • The probability of the occurrence and potential magnitude of cybersecurity incidents;
  • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
  • The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
  • The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
  • The potential for reputational harm;
  • Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
  • Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

As the regulatory drumbeat continues to gain steam, albeit slowly, companies have an opportunity to be proactive in educating their company directors and officers about cybersecurity risk. Start with an assessment and build the foundation for a documented, repeatable way to meet your obligations.

If you need help understanding the latest SEC guidance and are interested in a cybersecurity assessment that can transform your organization, contact us.

There are less than 100 days left until the mandatory compliance deadline for implementing the DFARS required controls of NIST 800-171. Is your organization ready?

If you have been focusing on other strategic business initiatives and have not yet dedicated resources to NIST 800-171 compliance, you still have time. It will take a lot of work, but your organization can have a documented plan in place to guide your efforts and make material gains towards compliance this quarter.

Month-by-Month DFARS Compliance Guide

To remain competitive in your pursuit of new contracts with the Department of Defense, you should:

  1. Assess your current state and create an implementation plan for your needed controls.
  2. Formulate a DFARS-required System Security Plan (SSP).
  3. Achieve DFARS compliance.

Here’s how to accomplish that by the end of 2017.


  • Conduct security assessment – You might be tempted to save time and skip this step – but don’t assume that you already know what work needs to be done. Execute an internally- or externally-led gap assessment against the fourteen families of controls in NIST 800-171. Document your compliance with each family of controls. Be sure to record the people, processes, technologies, and related artifacts involved and demonstrate that your security program is implementing the required controls as a part of your day-to-day operations.
  • Unsure of how to proceed? Work with a vendor – If you are struggling with the interpretation of the controls, enlist the help of a skilled outside party to execute the gap assessment.
    • Find a vendor – Look for a services provider with specific NIST 800-171 experience, both assessing compliance and implementing remediation programs to achieve compliance. Get references and make the vendor provide proof of past success in helping defense contractors achieve compliance. Query the vendor about the deliverable from the assessment and be clear that you are looking for more than best practice recommendations – you require information specific to your internal operations.
    • Leverage the third-party vendor to engage your executive team – Have your vendor work with your executives and get answers to the inevitable questions around DFARS compliance. You probably have already had a talented team that has been briefing NIST 800-171 internally for some time. Often the same message from a trusted third party with past experience can jumpstart the conversation at the executive level and secure the support your team needs.

November and December

  • Create a project plan and start implementing controls – Using the results of your gap assessment, create a project plan and start implementing controls that don’t currently exist in your organization and remediating the ones that fall short of meeting the requirements.
  • Be proactive in engaging procurement – If you have to purchase tools or engage a third party to assist in remediation, make sure that your purchasing is streamlined. With less than 100 days left there is little time for delays related to procurement processing. Ideally, you will have already spent time to get executive buy-in on this effort and have created the required sense of urgency around meeting the December compliance deadline.
  • Start writing your SSP – In parallel to your remediation efforts, start writing your SSP. It’s a requirement of compliance – and it will force you to be strategic about long-term compliance and not get lost in the tactical details of getting specific controls implemented before December. Your SSP should be a true reflection of your NIST 800-171 compliance program. You should plan to review and update this document annually.

CyberSheath is skilled at performing security assessments, creating remediation plans, writing SSPs, and most importantly actually implementing the required controls. If you need assistance achieving DFARS compliance before the deadline, Contact Us today.

In less than five months your organization needs to be DFARS NIST 800-171 compliant. If you have already formulated a remediation plan to help you address your deficiencies, continue working through your prioritized roadmap to meet the compliance deadline. If you haven’t yet begun planning, get started today. Don’t jeopardize your ability to secure and execute DoD contracts by being non-compliant.

Three Areas to Focus on as You Craft Your Compliance Roadmap

After you’ve assessed your organization against the 110 security controls in NIST 800-171, you’ll need to build a plan to address your compliance gaps. An effective plan will have components that address these three areas.

  1. Multi-factor authentication
    • What it is: Multi-factor authentication (MFA) is a security measure where more than one method of authentication from independent categories of credentials is required to verify the user’s identity for a login or other transaction. It is an important component of any security plan, as increasing authentication from a single factor greatly improves the security of your systems.
    • What you need to do: Procure an identification and authentication service that complies with the DFARS security requirements. Make sure the MFA solution is scoped and implemented to address the unique requirements of your environment. Also, work with stakeholders and end-users to conduct use-case and validity testing. Integrate with your authentication management processes to administer the user lifecycle. Make sure you have access to training, maintenance, and support of your solution.
  2. Privileged Account Management
    • What it is: Privileged account management (PAM) is managing and auditing account and data access by privileged users, who are individuals with administrative access to critical systems. Better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.
    • What you need to do: Ensure your PAM solution provides automated, monitored, and controlled privileged access. Elevate administrative access to avoid granting excessive access to privileged accounts. Require the verification of a ticket or an approval to ensure administrative access is only granted when it is required for a specific activity. Work with engineers who are well versed in fine-tuning the configuration of the PAM suite and who can provide technical expertise and customization for your unique project.
  3. Vulnerability Management
    • What it is: Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities in your security infrastructure. It is important that your organization continually be monitoring for vulnerabilities to ensure you stay ahead of potential threats.
    • What you need to do: A DFARS compliant vulnerability management program will continuously assess your environment for vulnerabilities and patch compliance. Make sure your solution performs monthly vulnerability scans, as well as scans after any significant changes are made, of all your internal and public-facing systems. Also, ensure you receive a monthly report detailing new findings and findings from the previous month(s) which have yet to be remediated. Verify implementation of patches or workarounds for each fix with follow-up scans as needed.

Plan, Provision, and Outsource if Needed to Meet the December 31, 2017 Deadline

Determine what you can reasonably accomplish with your internal resources and what you need to outsource to meet the December deadline. Also, as part of your roadmap, make sure you plan for a post-compliance world where you need to maintain the controls you’ve implemented.

Regardless of where you are in your DFARS compliance process, time is of the essence. Continue your efforts or get started now – five months is not much time to effect the change mandated by NIST 800-171 compliance.

If you need support, contact us for a FREE consultation.

As part of an ongoing series on using privileged account management solutions to meet DFARS requirements, CyberSheath’s security consultants have explored technical controls in great detail, providing readers with real-world applications that make a meaningful impact. This week CyberSheath continues the series with NIST 800-171 control 3.1.4, “separate the duties of individuals to reduce the risk of malevolent activity without collusion”.

Privileged account management solutions are valuable tools to meet the following NIST 800-171 controls:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  8. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

The fourth control, 3.1.4, is to “separate the duties of individuals to reduce the risk of malevolent activity without collusion”. In layman’s terms, organizations must segregate the duties and tasks that employees complete in order to minimize the chance that they could purposely plan and execute malicious activities.

Real-world examples of this scenario include ensuring an application development team does not have access to production code or compartmentalizing the information individuals on a team have access to, ensuring no one individual has access to everything. Separation of duties would prevent individuals from maliciously impacting production code or limit the fallout of an insider threat.

A privileged account management solution like CyberArk allows organizations to provision access to applications, operating systems, databases and many other devices through the use of the Enterprise Password Vault. Organizations can create purpose-built shared accounts for applications, systems, databases, etc., and grant access to those specific accounts based on the separation of duties. That way, when contractor one needs to access information, they use the shared account they have been provisioned access to, and contractor two uses a different account.


Before a contractor can even check out a credential, organizations have the ability to implement account access workflows. This workflow can require contractors to fill out a form that specifies a reason for access, how many times they will be accessing it, and the time frame in which they will access it. When the form is submitted, an authorized individual like a manager can approve the request, giving the contractor access to the password. This feature is called Dual Control, and by using this feature, organizations can ensure that managers or authorized individuals can grant access for specific duties or functions. Dual Control can be configured so that authorized individuals are only able to approve, but not access, the account, ensuring separation of duties between roles. Dual Control can also be configured so that teammates can approve other teammates’ access, ensuring that at least two people are aware of account access. This entire request and approval process leaves a full tamper-proof audit trail.

To further ensure that malicious activity is not taking place, organizations can implement a policy of “one-time-use” passwords, where after a given time period (say 24 hours, for example) the password is changed automatically. In combination with the CyberArk Privileged Threat Analytics (PTA) tool, organizations can detect suspicious credential usage, trigger an alert and automatically respond to the unauthorized access in real time. For example, if contractor #1 normally uses an account during a certain time window or from a certain location, using that credential outside of the normal baseline would trigger an alert and response.
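The baseline-and-alert idea in the paragraph above, as an added example that is not code from the original post or from CyberArk’s PTA product: a small Python model that learns each user’s normal hours and source locations from a constructed history of credential-use events, flags later events that fall outside that baseline, and maps the findings to a response. The event format, the user and location names, the one-hour slack around observed hours and the response actions are all assumptions made for the illustration.

```python
"""Hypothetical baseline-and-alert logic for privileged credential use.

Added illustration only: this is not CyberArk PTA's real algorithm. From a
history of credential-use events it learns each user's normal hours and
source locations, then flags later events that fall outside that baseline
and picks an automated response.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample history, one event per line:
#   ISO timestamp,user,shared account,source location
HISTORY = """\
2017-07-03T09:12:00,contractor1,unix-root-shared,Reston-VA
2017-07-04T10:45:00,contractor1,unix-root-shared,Reston-VA
2017-07-05T14:02:00,contractor1,unix-root-shared,Reston-VA
2017-07-06T16:30:00,contractor1,unix-root-shared,Reston-VA
2017-07-03T08:05:00,contractor2,db-admin-shared,Austin-TX
2017-07-05T11:40:00,contractor2,db-admin-shared,Austin-TX
"""


@dataclass
class Event:
    when: datetime
    user: str
    account: str
    location: str


@dataclass
class Baseline:
    """Normal hour-of-day window (inclusive) and known locations for one user."""
    earliest_hour: int
    latest_hour: int
    locations: Set[str]


def parse_events(text: str) -> List[Event]:
    """Parse the constructed CSV-style event lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, account, location = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, account, location))
    return events


def build_baseline(events: List[Event], slack_hours: int = 1) -> Dict[str, Baseline]:
    """Learn, per user, the observed hours (widened by slack_hours) and locations."""
    hours: Dict[str, List[int]] = defaultdict(list)
    places: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        hours[ev.user].append(ev.when.hour)
        places[ev.user].add(ev.location)
    return {
        user: Baseline(max(0, min(hs) - slack_hours),
                       min(23, max(hs) + slack_hours),
                       places[user])
        for user, hs in hours.items()
    }


def detect(event: Event, baselines: Dict[str, Baseline]) -> List[str]:
    """Return the reasons an event deviates from its user's baseline (empty = normal)."""
    base = baselines.get(event.user)
    if base is None:
        return ["no baseline for user"]
    reasons = []
    if not base.earliest_hour <= event.when.hour <= base.latest_hour:
        reasons.append("outside normal hours")
    if event.location not in base.locations:
        reasons.append("unknown location")
    return reasons


def respond(reasons: List[str]) -> str:
    """Map findings to an automated response (constructed policy, not a vendor's)."""
    if not reasons:
        return "normal"
    if "unknown location" in reasons or "no baseline for user" in reasons:
        return "alert-and-rotate-credential"   # the shared password is changed at once
    return "alert"


if __name__ == "__main__":
    baselines = build_baseline(parse_events(HISTORY))
    for line in ["2017-07-10T10:00:00,contractor1,unix-root-shared,Reston-VA",
                 "2017-07-10T02:15:00,contractor1,unix-root-shared,Reston-VA",
                 "2017-07-10T10:00:00,contractor1,unix-root-shared,Berlin-DE"]:
        ev = parse_events(line)[0]
        reasons = detect(ev, baselines)
        print(line, "->", reasons or "normal", "/", respond(reasons))
```

The response table is the part a practitioner tunes: an out-of-hours use by a known user from a known location is worth an alert, while use from a never-seen location (or by a user with no history at all) is treated as a possible credential theft and the shared password is rotated immediately, which is the “automatic response” the post refers to.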


CyberSheath’s implementation engineers and security consultants have real-world experience assisting organizations to fulfill their DFARS and privileged account management needs. Download our security assessment datasheet to learn more about how CyberSheath can help your organization get ahead with privileged account management. Subscribe to our email updates to stay up to date with our DFARS series and other security posts.

CyberSheath’s security consultants and implementation engineers have previously written about utilizing privileged account management solutions to meet DFARS requirements, and this week we continue to explore DFARS control requirements in detail.

In the latest post in the “In-Depth Look at PAM Controls for DFARS Requirements” series, CyberSheath reviews a third NIST 800-171 control for which a PAM solution like CyberArk provides a very effective implementation. These NIST 800-171 controls include:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  8. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

The third control, 3.1.7, is to “prevent non-privileged users from executing privileged functions and audit the execution of such functions”. In layman’s terms, do not give users who do not need privileged access the ability to execute privileged tasks, and make sure you have the ability to audit the privileged tasks that are executed.

In CyberSheath’s previous posts, we have discussed the concept of least privilege and using tools like CyberArk’s On-Demand Privileges Manager (OPM) and Viewfinity to technically enforce least privilege while allowing elevated privileges when necessary. As a refresher, a “least privilege” access model means that end-users are given the bare-minimum access required to do their everyday basic job functions. When users need to execute privileged tasks, they can either check out an account from a Password Vault database, use OPM, or use Viewfinity on their workstation.

The CyberArk Privileged Account Management suite includes the Privileged Session Manager (PSM), a component used primarily as a jumpbox to transparently connect to target machines using secured privileged accounts. Since all of the traffic is redirected through the PSM jumpbox, it is also possible to record the sessions and monitor them live. Auditors and investigators can search for users that retrieved a password (whether the action was to view or copy the password or to connect to a system using the target account). The audit capabilities can be further bolstered by requiring users to provide reasons as to why they need access to the privileged account, and even requiring correlation to a Service Desk ticket number. Recordings of the sessions can be searched for the titles of specific applications that may have been launched (such as gpedit or regedit) for Windows-type recordings, or for any text for UNIX-type recordings.


CyberSheath’s implementation engineers and security consultants are well versed in the practical application of NIST 800-171 controls, DFARS, and privileged account management. Download our security assessment datasheet to learn more about how CyberSheath can help improve your organization’s security posture and implement effective security controls. Subscribe to our email updates to stay up to date with our DFARS series and other security posts.

Last week CyberSheath began a new series, “In-Depth Look at PAM Controls for DFARS Requirements”, dedicated to providing a detailed analysis on how privileged account management solutions play an important role for organizations in meeting DFARS requirements.

In the series’ first post we detailed control 3.1.1, one of the eight NIST 800-171 requirements that Privileged Account Management solutions offer well-fitting controls for; these NIST requirements include:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  8. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

The second of these eight NIST 800-171 controls, 3.1.2, is to “limit information system access to the types of transactions and functions that authorized users are permitted to execute”. In layman’s terms, only give access to those that have permission or approval for a specific task or purpose. The reason for this control is to ensure that users only access information systems for the specific tasks and functions they are supposed to execute, and to prevent them from completing transactions or functions they shouldn’t be doing.

Most Privileged Account Management solutions will offer a form of account vaulting that allows organizations to partition account access based on the need-to-know and least-privilege access model. For example, with CyberArk, companies can organize safes by the various functional and transactional requirements of the accounts stored in them. An organization could create a safe called “North-America-Unix-Local” which would be used to store accounts for the Unix team based out of North America, and the company’s administrators in Europe wouldn’t be granted access.



While the basic privileged account vaulting model could potentially meet the NIST 800-171 3.1.2 requirement, CyberArk provides two additional solutions to ensure that federal contracting companies can meet and exceed it: the On-Demand Privileges Manager (OPM) for UNIX and Viewfinity for Windows. Both of these products enforce a least-privilege access methodology at the operating system level and allow escalation of privileges for approved actions.

On-Demand Privileges Manager (OPM):

OPM allows organizations to define a policy (a set of rules) that dictates what commands users can or can’t run when connected to a UNIX server. When an end-user connects to a UNIX server with OPM installed, they execute a privilege elevation tool called PIMSU (Privileged Identity Management Switch User, similar to sudo). The elevation tool validates that the logged-in user has permission to perform the elevated task and stores a recording of all the elevated commands they execute during the session. The set of rules can be configured to allow or deny the various commands that are defined as “privileged”.


For example, if two contractors both need access to a UNIX device that contains Covered Defense Information, and both need elevated privileges to complete different tasks, a separate policy can be created for each user that allows or prevents them from executing certain commands. This ensures that information system access is limited to the transactions and functions a user is permitted to execute.
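To make the two-contractor scenario concrete, here is an added example in Python that is neither CyberArk OPM’s policy format nor code from the original post: a hypothetical per-user elevation policy made of ordered allow/deny rules with a default of deny, which logs every attempt and refuses command lines carrying shell metacharacters so that a permitted command cannot be used to smuggle in a second one. The rule syntax, the user names and the command sets are assumptions.

```python
"""Hypothetical model of a per-user privilege-elevation policy.

Added illustration only: this is not CyberArk OPM's real policy format or
API. It shows how an ordered set of allow/deny rules, evaluated per user,
limits which privileged commands can run and records every attempt.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Characters that would let one "command" carry a second one along with it;
# a command line containing any of them is refused before rule matching.
SHELL_META = set(";&|`$<>()")


@dataclass
class Rule:
    """One rule: a regex over the normalized command line and a decision."""
    pattern: str   # matched against the whole command line (fullmatch)
    allow: bool    # True permits elevation, False denies it

    def matches(self, command: str) -> bool:
        return re.fullmatch(self.pattern, command) is not None


def normalize(command: str) -> Optional[str]:
    """Tokenize like a shell and rejoin; None means 'unsafe to evaluate'."""
    try:
        tokens = shlex.split(command)
    except ValueError:          # unbalanced quotes
        return None
    if not tokens or any(set(tok) & SHELL_META for tok in tokens):
        return None
    return " ".join(tokens)


@dataclass
class ElevationPolicy:
    """Ordered rules for one user; first match wins, no match means deny."""
    user: str
    rules: List[Rule]
    audit: List[dict] = field(default_factory=list)   # one entry per attempt

    def evaluate(self, command: str) -> bool:
        normalized = normalize(command)
        if normalized is None:
            allowed, reason = False, "rejected: shell metacharacters or bad quoting"
        else:
            allowed, reason = False, "no matching rule (default deny)"
            for rule in self.rules:
                if rule.matches(normalized):
                    allowed = rule.allow
                    reason = f"{'allow' if rule.allow else 'deny'} rule {rule.pattern!r}"
                    break
        # Every elevation attempt is logged, whether or not it was permitted.
        self.audit.append({"user": self.user, "command": command,
                           "allowed": allowed, "reason": reason})
        return allowed


# Two contractors with different duties on the same UNIX host (constructed).
def contractor_one_policy() -> ElevationPolicy:
    """Web administrator: may manage the httpd service and read its logs."""
    return ElevationPolicy("contractor1", [
        Rule(r"systemctl (start|stop|restart|status) httpd", allow=True),
        Rule(r"tail -n \d+ /var/log/httpd/\S+", allow=True),
    ])


def contractor_two_policy() -> ElevationPolicy:
    """Package maintainer: may install or update packages, never delete files."""
    return ElevationPolicy("contractor2", [
        Rule(r"rm .*", allow=False),                 # explicit deny listed first
        Rule(r"yum (install|update) \S+", allow=True),
    ])


if __name__ == "__main__":
    for policy, cmd in [(contractor_one_policy(), "systemctl restart httpd"),
                        (contractor_two_policy(), "yum install httpd; rm -rf /var/www")]:
        print(policy.user, repr(cmd), "->", policy.evaluate(cmd), "|", policy.audit[-1]["reason"])
```

Two design points matter more than the rule syntax: the default is deny, so a contractor whose policy lists only httpd commands cannot elevate for anything else, and the command line is normalized and screened before any rule sees it, because a pattern that permits `yum install <pkg>` must not also permit `yum install <pkg>; <anything>`.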

Viewfinity for Windows:

The Viewfinity application for Windows works in a similar way to OPM for UNIX. Viewfinity allows organizations to remove users’ local admin privileges on endpoints and servers. As in OPM, organizations can granularly define trusted actions for applications, scripts, and commands, which are managed through role-based access. This means that those same two contractors who need access to a Windows device containing Covered Defense Information can both elevate their privileges to run applications when necessary, while the organization ensures that they are only allowed to execute the functions approved for them (and are denied the rest).


CyberSheath’s implementation engineers and security consultants are leaders in both DFARS and privileged account management. Download our security assessment datasheet to learn more about how CyberSheath can help enable your organization to meet DFARS requirements. Subscribe to our email updates to stay up to date with our DFARS series.

In previous blogs, CyberSheath security analysts have identified new cybersecurity requirements from the recent changes to DFARS and have provided solution overviews for meeting those requirements and regulations. The series “In-Depth Look at PAM Controls for DFARS Requirements” will expand on previously mentioned regulations and provide a more granular look at how privileged account management solutions can play an important role in meeting DFARS requirements.

Back in March, we identified eight NIST 800-171 requirements where PAM suites can provide an ideal solution. These requirements include:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  8. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

The first of these eight NIST controls is to “limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)”. In layman’s terms, only give access to those people, processes or devices that have permission or approval. As Yanni previously mentioned, this is the most basic functionality and purpose of a privileged account management solution. What may seem basic to some may be complex to others, so let’s break down what limiting access to authorized users looks like using the CyberArk Privileged Account Management solution.

In the context of DFARS, all accounts that provide access to “Covered Defense Information” should be considered privileged and be “vaulted” or stored within the hardened CyberArk database. These accounts are stored in various “safes” according to who should have access to them. For example, anyone with access to “Safe 1” in the image below, will have access to all the accounts within the safe. Safes 2, 3 and 4 would be provisioned separately.


With CyberArk, organizations can provision employees’ access to these safes and accounts either directly, using their preexisting account such as a personal Windows AD account, or by provisioning an LDAP group of users instead, giving the entire group access. Organizations can implement their own internal approval system so that when a request is completed, it automatically provides access to CyberArk and the credentials, and subsequently to the Covered Defense Information.

Additional controls can be implemented to lock down authorized access further, including ticketing system integration and time restrictions. Ticketing system integration adds an additional layer of authorization by ensuring that those employees who have access to accounts can only use them when they have a valid ticket or reason (see example 1 below). Time restrictions can limit the hours in which employees can access privileged accounts. If an employee attempts to access an account outside of the allowed time frame, they will be unable to access it, and a fully auditable event will be logged (see example 2 below).


Example 1: Ticket Integration


Example 2: Time-Restriction


There are advanced features in the CyberArk suite such as privileged session recording and transparent connections (using credentials without ever seeing them), and they all work on the basic foundation of limiting access to authorized users.
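The layered checks described in this post (safe membership, ticket integration and time restriction), together with the Dual Control approval from the separation-of-duties post earlier on this page, combined in one added Python example that is not CyberArk’s data model or code from the original posts. It uses the safe name from the 3.1.2 post, constructed ticket identifiers, user names and an access window, and assumes that every attempt, granted or denied, is written to an audit list.

```python
"""Hypothetical model of layered privileged-account access checks.

Added illustration only: this is not CyberArk's data model or API. It
shows how safe membership, a valid ticket, a time restriction and a
dual-control approval combine into one allow/deny decision, and how
every attempt, allowed or not, produces an audit event.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Ticket:
    ticket_id: str
    requester: str
    status: str          # "open" or "closed"
    expires: datetime    # the ticket no longer authorizes access after this


@dataclass
class Safe:
    name: str
    members: Set[str]                 # may retrieve accounts from this safe
    approvers: Set[str]               # may approve checkouts, need not be members
    allowed_hours: Tuple[time, time] = (time(8, 0), time(18, 0))   # assumed window
    weekdays_only: bool = True
    dual_control: bool = False        # checkout needs a second person's approval


@dataclass
class Vault:
    safes: Dict[str, Safe]
    tickets: Dict[str, Ticket]
    audit: List[dict] = field(default_factory=list)

    def checkout(self, user: str, safe_name: str, ticket_id: str,
                 when: str, approver: Optional[str] = None) -> bool:
        """Decide whether `user` may retrieve an account now (`when` is ISO 8601)."""
        ts = datetime.fromisoformat(when)
        allowed, reason = self._decide(user, safe_name, ticket_id, ts, approver)
        # Audit every attempt, including denials: that is what makes
        # out-of-hours or unapproved access attempts visible afterwards.
        self.audit.append({"time": when, "user": user, "safe": safe_name,
                           "ticket": ticket_id, "approver": approver,
                           "allowed": allowed, "reason": reason})
        return allowed

    def _decide(self, user, safe_name, ticket_id, ts, approver) -> Tuple[bool, str]:
        safe = self.safes.get(safe_name)
        if safe is None:
            return False, "unknown safe"
        if user not in safe.members:                      # safe membership
            return False, "user is not a member of the safe"
        ticket = self.tickets.get(ticket_id)              # ticket integration
        if (ticket is None or ticket.requester != user
                or ticket.status != "open" or ts > ticket.expires):
            return False, "no valid ticket for this user"
        start, end = safe.allowed_hours                   # time restriction
        if safe.weekdays_only and ts.weekday() >= 5:
            return False, "outside allowed days"
        if not (start <= ts.time() < end):
            return False, "outside allowed hours"
        if safe.dual_control:                             # dual control
            if approver is None:
                return False, "approval required before checkout"
            if approver == user:
                return False, "requester may not approve their own request"
            if approver not in safe.approvers:
                return False, "approver is not authorized for this safe"
        return True, "granted"


def demo_vault() -> Vault:
    """Constructed sample data: one safe, one open ticket, one expired ticket."""
    safe = Safe("North-America-Unix-Local", members={"contractor1"},
                approvers={"unix-manager"}, dual_control=True)
    tickets = {
        "INC-1001": Ticket("INC-1001", "contractor1", "open", datetime(2017, 7, 31, 23, 59)),
        "INC-0900": Ticket("INC-0900", "contractor1", "open", datetime(2017, 6, 30, 23, 59)),
    }
    return Vault({safe.name: safe}, tickets)


if __name__ == "__main__":
    vault = demo_vault()
    vault.checkout("contractor1", "North-America-Unix-Local", "INC-1001",
                   "2017-07-11T10:00:00", approver="unix-manager")
    vault.checkout("contractor1", "North-America-Unix-Local", "INC-1001",
                   "2017-07-11T22:00:00", approver="unix-manager")
    for entry in vault.audit:
        print(entry["time"], entry["user"], entry["allowed"], entry["reason"])
```

The checks are ordered from cheapest to most expensive and each denial names its reason, so the audit list alone tells an investigator whether a blocked attempt was a non-member, a stale ticket, an out-of-hours request or a missing approval; the separate approver set lets a manager approve without being able to retrieve the account, which is the role separation the Dual Control paragraph describes.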

CyberSheath’s security consultants and implementation engineers are well versed in DFARS and privileged account management. Download our security assessment datasheet to learn more about how CyberSheath can help enable your organization to stay productive while meeting DFARS compliance. Subscribe to our email updates to stay up to date with our DFARS series.

Recently, Verizon released its 2016 Data Breach Report, which has served to assist the security community in managing risk and avoiding security incidents since 2008. In the report, one can find data on almost all aspects of the current cybersecurity risk landscape. With that being said, I was most intrigued by the findings related to phishing attacks, a form of social engineering that seeks to exploit an organization’s greatest risk – humans.

The motivation behind phishing attacks is no different than any other information security incident. Generally, attackers will be looking to trick the target user into divulging credentials on a pharming website. These sites look and feel like they are genuine websites for banks, enterprise applications, etc. Another common tactic in phishing attacks is having the targeted user click an attached file containing some sort of malware, thus granting the attacker access to the machine and by association, whatever network it connects to. These attacks are troubling because they allow an attacker to simply avoid many of the technical controls an organization may have in place.

The Data Breach Report has included metrics on phishing cases for years; this year, the report stated that 30% of users open phishing emails. While this may not be harmful in itself, 13% of users will go on to click on the malicious attachment or navigate to the phony website where credentials are collected. These numbers are somewhat higher than last year’s, which reported a 23% open rate and an 11% click-through on the attachments. Another important thing to note is how quickly this all happens: the report states that it often takes less than five minutes to see a targeted user click on the attachment or link.

Social engineering attacks, phishing specifically, are on the rise because they are much easier to execute than technical attacks targeting an organization’s vulnerable assets. Phishing enables an attacker to compromise a network with much less effort than would normally be required, and often in much less time.

The good news is that phishing attacks can be defeated in multiple ways. First, two-factor authentication would nearly eliminate all the risk associated with credential-stealing activities. Even if an attacker did acquire the main credentials for an employee, they would still lack the secondary credentials that are required. Second, and probably the most direct way to decrease human risk, is through a mature security awareness program. While awareness and training programs have been given more attention as of late, several organizations still do not take them seriously. Without training your employees on simple, human-targeted attacks like phishing, they cannot be expected to protect your critical assets and data when they become the targets.

Curious how your organization stacks up?  CyberSheath can help, contact us today.

A list recently compiled by the cyber threat intelligence company Flashpoint (via Crain’s Chicago Business) reveals that law firms are not immune to cyber threats and are indeed active targets for today’s cybercriminals. Since January 2016, 48 elite law firms have been targeted by the criminal “Oleras” and his (or her) gang members attempting to access confidential client information for use in insider trading plots. While there has yet to be any indication that the hackers were successful, it raises the question of when law firms will be held to the same (or any) standards that are starting to be applied to other industries.

While the defense industry now has DFARS 252.204-7012 (and the NIST 800-171 control framework) and the financial industry has PCI DSS, no widely applicable or enforceable compliance standard exists for law firms. It’s also not entirely clear when law firms are required to report a breach. A 2014 Law Firm Cyber Survey conducted by Marsh identified some interesting statistics:

  • 79% of respondents in aggregate viewed cyber/privacy security as one of their top 10 risks in their overall risk strategy.
  • 72% said their firm has not assessed and scaled the cost of a data breach based on the information it retains.
  • 51% said that their law firms either have not taken measures to insure their cyber risk (41%) or do not know (10%) if their firm has taken measures.
  • 62% have not calculated the effective revenue lost or extra expenses incurred following a cyber-attack.

This sounds strikingly similar to the defense industry a decade ago. Organizations realize they should do something, but most don’t know how or where to start. They lack in-house expertise, and most (98%, according to Marsh) view cybersecurity strictly as a function of IT, which is also the group they hold responsible for the overall management of cyber and privacy risks.

Last year, the American Bar Association reported in its Legal Technology Survey that 1 in 4 firms with at least 100 attorneys have experienced a data breach. It’s unlikely that smaller firms without in-house expertise or security control implementations would even know if a data breach had occurred, much less have the ability to determine what data had been compromised. As an industry that routinely pushes for their clients to protect themselves against risks, the results show that not all firms practice what they preach.

Regardless of your stance on the issue, your data needs protecting. CyberSheath has experience applying cybersecurity strategies with law firms and can assist you and your organization in securing your data. Start with an assessment today to identify your weaknesses and gaps.

In August and December 2015, the Defense Federal Acquisition Regulation Supplement (DFARS) received updates that are crucial for the 10,000-plus defense contractors. If you have been following our blog, we first reported on the changes back in January. It is important to understand these changes and how they will affect your organization. This next series of blog posts will look at the DFARS updates from a high level. If you haven’t read last week’s post, you can do that here.

This week’s post will attempt to boil down the primary differences between NIST 800-53 r4 and 800-171. For starters, both documents are sets of standards published by the National Institute of Standards and Technology (NIST), a federal government organization that produces standards on a variety of topics, including information security. Back in 2013, when DFARS 252.204-7012 was issued as a final rule, it relied on NIST 800-53 r4 as the de facto standard that contractors must adhere to in order to meet DFARS compliance objectives of safeguarding Controlled Unclassified Information (CUI). In August of 2015, DFARS was updated and its security control requirements were replaced: NIST 800-53 r4 was swapped out for NIST 800-171.

NIST 800-53 r4

The Department of Defense (DoD) chose NIST 800-53 r4 as the standard set of controls for DFARS for a reason. Its broad set of security controls covers many facets and areas of an organization and relates those areas to protecting CUI. NIST 800-53 r4 is a large set of security controls. With 303 requirements categorized into 18 control families, it is difficult for any organization to meet all of them. When DFARS adopted 800-53, it narrowed the set down to 51 specific controls that would be effective in safeguarding CUI. I won’t go into each of the 51, but the table below shows the control families that are specific to DFARS:


Within each control family are several controls. For example, access control has twelve controls and sub-controls. Each control is very detailed, and in order to be compliant, the defense contractor must meet all of the requirements of the control. In control AC-2, Account Management, there are 11 requirements within the control, from monitoring system accounts to notifying account managers when access is no longer required (see the full NIST 800-53 here). The point I am making here is that the level of detail in 800-53 tended to be overkill for defense contractors. Trying to make their current security initiatives fit within the framework of NIST 800-53 left a lot of room for improvement. 800-53 offered a lot of flexibility in the list of security controls, but very little when it comes to using the systems and practices defense contractors already had in place.

Because of this and some other issues, such as the applicability or overkill of controls, the solution was to streamline the requirements needed to protect CUI, and to make them applicable and standard regardless of the size of your organization. The result is NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, released in June 2015.

NIST 800-171

The primary difference between NIST 800-53 and 800-171 is that 800-171 was developed specifically to protect sensitive data on contractor and other nonfederal information systems. The set of controls outlined in 800-171 is designed to protect CUI and eliminate the built-in overhead that was geared mostly toward federal agencies. NIST 800-171 has a total of 109 requirements, simplified to a basic level of understanding. The 109 controls are spread across 14 control families:


Additionally, NIST 800-171 has been derived from NIST 800-53 and FIPS 200.  Many procedural elements have been removed altogether to focus on the most applicable moderate baseline controls.

It is important to note that contractors, under DFARS 252.204-7012, can deviate from the 800-171 control requirements. The only stipulation is that the DoD CIO’s authorized representative must approve the deviation. This allows contractors to build on or enhance any security programs that are currently in place, without having to reinvent the wheel or acquire new systems just to process, store or transmit CUI.

NIST 800-171 has also streamlined its control set. For example, in NIST 800-171 section 3.1, Access Control, the following requirement states:

3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

This covers account management and access enforcement.  The contractor will have to show how they limit the access and enforce it.

Aside from the structural differences between 800-171 and 800-53, the intent is the same. Contractors are required to protect Controlled Unclassified Information. With 800-171, how organizations protect the information is now a little clearer. 800-53 was incredibly wordy and often made it difficult to understand what a requirement actually is, whether you are a security person or an IT person performing a security function.

How can CyberSheath Help Your Organization?

Whatever your security requirements are, CyberSheath can help.  As a leader in helping customers meet DFARS 252.204-7012 compliance requirements, CyberSheath is the place to start.  Begin with a NIST 800-171 assessment to measure your effectiveness and see where to begin.  CyberSheath can help you remediate any controls that are not effective and build out your security program to meet compliance requirements.

Building, maintaining, or transforming a cybersecurity program is hard work. But every situation needs to begin with a plan: one that addresses the strengths, weaknesses, opportunities and threats, and that becomes the roadmap guiding you in developing a successful cybersecurity program.

To help you begin, here are the elements of a cybersecurity program that in my experience are essential to long term, measurable success.

2 Essential Elements of an Effective Cybersecurity Program

1: Annual Standards-Based Assessments
Of the many challenges security professionals face, the ability to explain what they do and how well they do it is one of the most persistent. It need not be this way. There are several notable standards or frameworks (e.g., NIST, the 20 Critical Security Controls originally published by SANS and now maintained by CIS, etc.) readily available for you to baseline your security program, explain your success, and create a vehicle for communicating strategically with the executives in your organization. Before you even select a standard, it is important to understand and believe in the need to conduct an assessment on an annual basis.

Think about the departments (e.g., Finance, Business Development, etc.) within your business: do they have an annual plan with objectives that are tracked and updated throughout the year? Of course they do; otherwise they would be mired in day-to-day tactical issues, a Groundhog Day scenario that never affords the opportunity to grow and mature. The departments at your company have a business plan with pipeline, revenue, profitability and other targets established early in the year and tracked throughout.

The functions supporting those departments have their own specific plans to support the business in achieving corporate objectives, and they measure using frameworks and principles specific to their function. Take finance, for example.  Finance typically owns the responsibility to forecast effectively and to achieve compliance with regulatory requirements like Sarbanes-Oxley, and therefore must plan accordingly. Those plans are grounded in principles and standards, such as Generally Accepted Accounting Principles (GAAP), so that non-finance observers and analysts have a minimum level of consistency and confidence that finance is operating within widely accepted guidelines. Security should be doing the same.

If you want a comprehensive standard that will map to International Organization for Standardization standards and most federal regulatory requirements adopt NIST Special Publication 800-53. Don’t be misled by its title, “Security and Privacy Controls for Federal Information Systems and Organizations,” and think it doesn’t apply to commercial infrastructure. The NIST controls are customizable and meant to be implemented as part of an organization-wide information security program and are as relevant to commercial infrastructure as they are to federal entities.

If you are a federal contractor you should use the government-required framework, NIST Special Publication 800-171, as your standard to measure your compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.  Details on that mandate and the December 31, 2017 deadline for compliance are here.

Is NIST too overwhelming, or does it not seem to be the right fit for your organization? Use the Center for Internet Security (CIS) Controls for Effective Cyber Defense as your standard to measure yourself against.  It is an excellent set of specific and actionable controls that gives you a way to explain, continuously measure, and improve your security program.

Now that you have selected a standard and either conducted a self-assessment or selected a third party to lead the effort, it is time to create a roadmap that articulates the cost, schedule, and performance of the proposed improvements.

2: Roadmap Your Journey
Your security program has been assessed against an accepted standard; you now need a vehicle for telling your story to the executives who fund improvements to the program and who are interested in the performance of their investment. That vehicle is your cybersecurity roadmap, and it will serve many purposes.

In this case, a roadmap is a governing document that articulates when previously approved cybersecurity people, processes, and technologies will become operational. This roadmap becomes an actionable timeline.  There is no magic timeline; yours could be 12 months, 18 months or up to 3 years, though anything past 3 years tends to be more aspirational than practical. If you have a looming company-wide compliance mandate like the previously mentioned DFARS clause, your roadmap should include all of the milestones that lead up to the compliance deadline.

After you complete your assessment it is likely that you will have more work than resources, and choosing what to do first can be difficult. Don't fall into the trap of doing a little bit of everything or you will likely end the year disappointed with little to nothing accomplished.

A helpful hint to avoid that scenario is to prioritize your projects by level of importance:

First Priority: Projects that enable regulatory compliance – The business is mandated to achieve compliance with these regulations by a specific date and to a defined degree of precision. These things have to be done for the business to function legally and without friction, so these projects have priority.

Second Priority: Projects that enable operational security – These projects are often an endless wishlist that never makes it off the whiteboard after a brainstorming session. To prevent this, prioritize operational improvements against a recommended set of actions like the CIS Controls for Effective Cyber Defense. View every operational improvement effort through the filter of the controls most likely to effectively defend your business. If there are controls that can enable both operational security and compliance in parallel, push those projects to the top of your list.

Your roadmap should include specific milestones and timetables for implementation of controls and project completion. Ideally, you will be able to capture everything on a single chart so that you have a visual reference to insert into every relevant PowerPoint slide deck to drive home your priorities.

The visual roadmap representation will serve two purposes:


First: The visual roadmap provides you a way to explain the value your team is delivering for the company.

Second: The visual roadmap provides you a way to push back against competing initiatives or priorities. It is a way to say "here is how our resources are committed for the next 12 months. In order to add your requirement/project to the roadmap I need to cancel a planned project or add resources." The answer might be "figure it out," but at least you have a tool to facilitate a fact-based conversation on what is and what is not possible given current plans and resource allocation.

Creating, maturing, and maintaining a cybersecurity program is hard work under even the most forgiving circumstances. My experience has been that a standards-based assessment, coupled with a roadmap that plans and prioritizes projects around resource availability, greatly increases your chances for success.

How Can CyberSheath Help Your Organization?

CyberSheath recommends beginning with an assessment to measure your maturity against a standard Cybersecurity Framework.  An assessment will identify your organization’s strengths and weaknesses as well as opportunities and threats within your current program. The assessment results will provide the necessary information to build your roadmap to a compliant and secure environment.

Do a search for video games and information security and you will find countless comparisons of how these two seemingly disparate fields go hand-in-hand.  I really like this article from last summer, as it examined not just video games but organized sports and their influence on information security experts.  In today's world video gaming is a billion-dollar industry: there are professional video gamers, amateur video gamers who record their reviews, critiques, and tips and put them on YouTube, and then there are the professionals (like me) who unwind from their day by playing a few rounds of Turning Point in Star Wars Battlefront.

While video games may heavily influence the world we live in, there are two specific video games that I think will help make your security program stronger.  I will now explore how these can relate to your organization.

First: The Games

There are two specific games that I am going to be referencing.  If these aren’t your cup of tea, no problem; they follow the same basic elements of many of the first-person shooter multiplayer games.  Substitute your favorite.

EA/DICE’s Star Wars Battlefront

This game, released last November, is a major hit, with 13 million units sold worldwide by the end of 2015.  It allows players to play as rebel soldiers or stormtroopers who square off against each other in a massive Star Wars environment.

EA/DICE’s Battlefield 4

This game, released in 2013, is one of the more popular military simulation first-person shooter games.  Players assume the role of a soldier and face opponents kitted out with similar equipment.  The in-game environment is set in a fictional conflict between China, Russia, and the US in the near future.

Second: How this Relates to Your Security Program

Both of these games, while simple in concept, require quite a bit of strategy and maneuvering of your in-game character to get a better position and a better vantage point that puts you in control of the board.   To do that, you need a roadmap and some general tips.  Here are three tips and how they relate to your security program:

Playing the Objective/Security is Everyone’s Responsibility

In multiplayer games, especially Battlefront and Battlefield 4, there is a term that is commonly used: PTFO.  PTFO, if you haven't guessed it, is Play the [EXPLETIVE] Objective.  What this means is: work with your team to take control points and gain a stronger position on the board.
As security professionals, we understand, live, and breathe security.  Our teammates in IT, HR, and accounting might not have that same deep understanding.  Our desire is for everyone to play the objective, ensuring that customer data, corporate data, assets and the network are secure.  This is how security programs should be built, with a common objective in mind that all players can strive to capture.
Playing the objective requires teamwork.  It is near impossible to be successful in Battlefront and Battlefield without the support of your team.  Security for your organization is not possible without cooperation and teamwork.  Security is everyone's responsibility.  As such, it is important to have a robust awareness and training program to drive home the concept of security.  With security awareness, your teammates in HR, IT and accounting will receive the same basic security knowledge, understand the threats to your organization, and know what to do when an attempted intrusion occurs.

Know Your Strengths and Weaknesses

In Battlefield 4, you are given the option to play as an assault class, engineer class, support class or recon class.  Each class has its own strengths and weaknesses, but choosing your character should be done for the good of the team.  The assault class has the ability to provide revives and medical kits, while the engineer is great at repairing and destroying vehicles.  Support players have the ability to supply other teams with ammunition and recon provides the ability to play overwatch and spot enemy targets.
In security, it is essential to know your strengths and weaknesses.  Every decision and choice around security has to keep two things in mind: how does it improve security, and how does it impact the business?  In Battlefield 4, your character class choice should both benefit the team and draw upon its strengths.  Are you playing a map with lots of vehicles?  Then the engineer is your best choice.  Lots of assault class characters on your team?  Then support class is the way to go so they don't run out of ammo.  In security, your ability to build a functional security program relies on knowing which tools are weak, who among your personnel are strong in security, and how the general corporate populace feels about security initiatives.  To help identify the strengths and weaknesses, it is best to use an information security assessment.  This will identify where you stand against a security framework, give you something to work towards, and let you shore up those weaknesses and begin playing the objective.

Avoid Camping and Tunnel Vision/Avoid Security Complacency

Battlefront and Battlefield 4 are extremely active games.  Everyone is moving about.  Stand in one place for too long and an enemy sniper will take you out.  Stare down your scope and get tunnel vision, and you are likely to miss the enemy stormtrooper sneaking up on your right.  Camping is the term used in these games for players who sit in one spot.  It can detrimentally affect the game, especially if the camper is sitting near a spawn location.  In security, organizations have to avoid camping out and becoming complacent.  Complacency is dangerous.  Organizations that only check the box, rely solely on tools, or focus all their efforts on meeting regulatory requirements are at risk of developing security complacency.  For example, all of your attention is focused on meeting PCI requirements, but you forgot about the two hundred other non-PCI systems that are just as vulnerable.

I see this quite frequently in a game mode in Star Wars Battlefront called Walker Assault.  The premise of the game mode is simple: rebels have to activate uplink stations to call in a bombing run against the AT-AT Imperial Walkers, while the stormtroopers have to shut them down.  Typically what happens in the game is that all the focus and attention is directed at one uplink station, leaving the other unguarded and vulnerable.  While it may feel like you are playing the objective, in reality you are only partially playing the objective.  In real life, security should be applied across the board.  While there might be critical systems that get addressed first, every system should initially be treated equally at a base level.  In Walker Assault, players should really team up and defend or attack the uplink stations equally.

Knowing how and when to apply security across your organization is key to having a strong program.  Planning goes a long way, identifying which systems are critical, which tools should be applied and how to implement security tools with minimal impact to business function are issues that security professionals tackle every day.  This keeps your security organization moving and active.  No camping and no complacency.  The security team should be following a daily plan to ensure the success of the program.

Whether you are an active gamer or haven’t picked up a controller, the security principles described in this post apply broadly.  Making security relatable, and accessible will drive home the importance of it.  As I have said, security is everyone’s responsibility.  Your program has to give the teammates the tools to be successful.  Whatever state your security program is in, CyberSheath can help you capture the objective and secure your assets.

How Can CyberSheath Help Your Organization?

CyberSheath will work with your organization, large or small, to help secure your valuable assets. CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand in regards to industry standards and regulations.

Predictably, cyber/data security continues to be a rising concern within the healthcare industry, according to Modern Healthcare's 26th annual Survey of Executive Opinions on Key Information Technology Issues. That being said, the percentage of total IT spend devoted to security is still woefully inadequate if the survey numbers are to be believed. You simply can't be secure at the spend levels highlighted in this survey.

I’m always skeptical of survey numbers because you can’t qualify the data or responses and there is no right answer as to how much to spend on security. However, there are best practices and industry standards that will ensure your organization is spending the money you have wisely.

4 Steps to Ensure a Wisely Spent Cybersecurity Budget

1: Make Security a Line Item in the Budget, Separate from IT

There is no right metric for security spend, but you should at least be able to articulate what you are spending annually. With a defined security budget you can slice and dice it any way you want: as a percentage of IT spend, cost per employee, a percentage of revenue, etc.

2: Select a Framework

NIST, ISO, 20 CSC, just pick one! Whatever you select will give you a way to measure your current capabilities and prioritize investments, you can always change your mind later.

3: Assess Yourself

If you don’t take the time to objectively measure what you are doing today against a selected framework you will be doomed to keep doing the same things year over year. Maybe that works for some organizations, but my experience is that a comprehensive assessment against an accepted framework can serve as the burning platform for year over year improvement.

4: Roadmap the Journey

Use your assessment results to create a multi-year roadmap that ties security compliance efforts to operational efforts and tell the story to your business. Share the vision for security and articulate just how much the business is getting for its investment in security so you can have a conversation around outcomes and expectations rather than fear, uncertainty, and doubt (FUD).
Articulating the value of security and defending the budget is hard, but it’s not impossible if you use facts and figures relevant to your business and organization.

Don’t Know Where To Start?

CyberSheath’s Strategic Security Planning service offering can help you plan, build, and manage a strategic information security organization that enables your business. Our operational strategy and budgeting plans aggressively drive security organizations towards pursuing higher levels of performance.  Our Strategic Security Planning service will assist you in successfully creating a security budget that directly aligns with your business needs and goals.

Recent updates from the FDA on securing network-connected medical devices show that there is a growing concern for security surrounding the medical industry.  Hospital networks, medical devices, and other critical infrastructure are all at risk.  An article from last week covered the Kaspersky Lab Security Analyst Summit, in which a researcher from Kaspersky Lab was able to breach a Moscow hospital network.  What did he find?  According to the article, “…a shocking array of open doors on the network and weaknesses in medical devices and applications crucial not only to the privacy of patients but also their physical well-being.”

While this may or may not be surprising, I do find it concerning that security appears to be an afterthought for the medical device industry.  Protecting patient information, ensuring wearable medical technology is secure and shoring up defenses for medical devices should be paramount.  As FierceMobile Healthcare predicted in late December 2015, the Internet of Things will play an increased role in healthcare in 2016.  Security should be incorporated at the start of the process, rather than strapped on at the end in the hope that the security features do their job.  By working security into the process, medical device manufacturers take the time to ensure the software and applications within these devices are developed using secure standards, such as the one proposed by the IEEE.

In the previous example of the Moscow hospital network, the backdoors, vulnerable software, and poorly secured configurations can all be mitigated with regular vulnerability management.  Instituting scans, remediation plans, mitigating vulnerabilities, and patching out-of-date software are all part of a robust vulnerability management program.  This type of program makes your organization proactive rather than reactive.  Planning for routine updates and fixes to your devices will keep your patients and their data safe.

It is good business and best practice to secure medical devices, hospital networks, and patient healthcare information. It is also important for medical device manufacturers to understand their vulnerabilities and know where they stand.  If your organization hasn't conducted a security assessment to review your security program, that would be the place to start.  With a roadmap in hand, your next step is to begin identifying and remediating the risks.  Where are your gaps?  Do you have a vulnerability management program?  Do you know what medical devices connect to your network regularly?  All of these questions will help you develop a stronger security program.

How CyberSheath Can Help You Manage Your Risk

Taking the defense-in-depth approach to securing your network is effective at managing risks. In order to manage these risks, a picture of your network must first be obtained.  Whatever your security needs are, CyberSheath can assist you along the way.  From conducting an information security assessment to building a security program, let us help you secure your data.

You may have heard about the recent breach involving payment card data from cards used onsite at certain Hyatt-managed locations.  According to Dark Reading, the "at-risk window" may have opened as early as July 30, 2015, with identified fraud documented from August 13, 2015 to December 8, 2015. The malware responsible captured cardholder data in transit through the compromised onsite payment processing system.

Post-breach, Chuck Floyd, global president of operations for Hyatt, said: "…we want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future." While we can't know for sure whether that statement implies that operational security controls were enhanced as a result of the breach, the question is: beyond the routine PCI-DSS assessments, were operational controls proactively reviewed and strengthened?

Many organizations focus security efforts on passing an audit, which can detract from achieving an actually effective security program.  One of the key takeaways from the Hyatt breach is the importance of aligning security compliance with operational security.

Why Passing a PCI-DSS Audit May Not Be Enough

Compliance with standards and regulations like the PCI-DSS should serve as a baseline for security, but passing an audit does not guarantee effective operational security practices. PCI compliance assessments, in particular, are limited in scope, generally focusing only on the computing environments, systems, system components, and processes that store, process, or transmit cardholder data.

Focusing on the cardholder data alone can leave a business at risk when it comes to applying security in other areas – and a PCI assessor is only obligated to assess the security controls applied to the environment where cardholder data processing occurs.

Organizations go to great effort to ensure cardholder data is processed in an isolated, segmented environment so that PCI requirements apply only in that narrow scope.  However, if the approach to security is pass-the-audit, any inaccuracy in scoping the PCI environment can put cardholder data at risk, along with any other sensitive non-cardholder data that resides outside the audit's area of focus.  PCI DSS itself requires annual penetration testing to verify that segmentation controls actually isolate the cardholder data environment (requirement 11.3.4 in version 3), and scanning the systems you believe are out of scope for stray card numbers is the other half of that check.
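One practical check on scoping accuracy is to scan the data that is supposedly outside the cardholder data environment for primary account numbers that should not be there. The following is an added example, not code from the original post or from CyberSheath: it finds candidate card numbers in text, validates them with the Luhn check so that order IDs and timestamps are not reported, and masks each hit to the first six and last four digits before reporting. The sample lines are constructed for this example; the card numbers in them are the published Visa, Mastercard and American Express test numbers, not real accounts.

```python
"""PAN discovery outside the cardholder data environment (CDE).

Added example for this post, not CyberSheath's code.  A scoping review often
includes scanning file shares, logs and exports that are believed to be outside
the CDE for stray primary account numbers (PANs).  The sample lines below are
constructed; the card numbers are published test numbers, not real accounts.
"""
import re

# 16-digit cards written as 4-4-4-4 and 15-digit American Express cards written
# as 4-6-5, with an optional space or dash between groups.  The lookarounds stop
# a PAN from being matched inside a longer run of digits.
PAN_RE = re.compile(
    r"(?<!\d)(?:\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}|\d{4}[ -]?\d{6}[ -]?\d{5})(?!\d)"
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text; the Luhn check drops order IDs and the like."""
    found = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def scan_lines(lines) -> list[tuple[int, str]]:
    """Scan numbered lines (a log, an export) and report (line number, masked PAN)."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for masked in find_pans(line):
            hits.append((number, masked))
    return hits


# Constructed sample: a marketing web server log and a help-desk export, both of
# which the organization believes are outside the CDE.
SAMPLE_LINES = [
    "2015-12-08 14:30:22 GET /promo?ref=4111111111111111 200",             # PAN leaked into a URL
    "ticket 4471: customer read card 5555 5555 5555 4444 over the phone",  # PAN in free text
    "order_id=1234567890123456 status=shipped",                            # 16 digits, fails Luhn
    "batch 20151208143022 completed",                                      # 14 digits, wrong shape
    "amex on file 3782-822463-10005",                                      # 15-digit Amex with dashes
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {masked}")
```

Three of the five lines are reported; the order ID is rejected by the Luhn check and the batch timestamp never matches the card shapes. A hit on a system outside the documented CDE means either the data flow or the scope is wrong, and both need fixing before the next assessment rather than after the next breach.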

How to Effectively Secure Your Sensitive Data

Although it’s unknown what caused this particular breach, aligning your compliance efforts with day-to-day operational security efforts to produce an integrated view of risk is the right way to secure sensitive data.  If you are unsure where to begin, check out CyberSheath’s blog post on the 3 Steps to Secure Your POS, which highlights three steps to get you started in the right direction. CyberSheath also offers security assessment services, providing a complete analysis of the strengths and weaknesses present in your current environment.

Modern Healthcare recently reported that “Health insurer Centene Corp. is hunting for six computer hard drives containing the personally identifiable health records of about 950,000 individuals…” While this potential data loss doesn’t come close to the monumental data breaches suffered by Anthem, Blue Cross and Blue Shield and others in 2015; it highlights 5 actions that companies of any size in the healthcare space should be taking now to optimize security.

5 Actions You Should Take to Improve Security

1: Manage and Encrypt Assets

Know what you own, who it's assigned to, and, if it's mobile, encrypt it. Wrap these efforts into your existing Governance, Risk, and Compliance efforts for HIPAA/HITECH, PCI DSS and any other relevant compliance requirements. As a goal, measure once and comply many times; but whatever you do, encrypt and track your endpoints.

2: Manage Your Vulnerabilities

Establish a capability to assess the risk of systems, applications, and IT services by evaluating the prevalence of vulnerabilities in your environment. You won't ever be able to remediate them all, but you don't have to. Focus on the high-risk, high-probability items first and establish a documented, repeatable program to continually address this basic requirement for IT security.
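Both this step and the vulnerability management discussion in the medical device post above come down to the same decision: which findings get fixed this cycle when there are more findings than people. The following is an added example, not code from the original posts or from CyberSheath, of the ranking logic behind "high risk, high probability first": each finding is scored as impact (scanner severity scaled by how much the asset matters) times likelihood (whether a public exploit exists and whether the asset is internet-facing), the list is sorted, and only as many items as the team can actually handle are put on the plan. The findings, weights and deadline bands are constructed for illustration and are not a standard.

```python
"""Risk-ranking scan findings so high-risk, high-probability items are fixed first.

Added example for this post, not CyberSheath's code.  Each finding is scored as
impact x likelihood, the list is ranked, and it is cut to the capacity the team
actually has.  The findings, weights and deadline bands below are constructed;
a real program takes severity from the scanner and exploit availability from
threat intelligence.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    cvss: float             # base score 0.0-10.0 from the scanner
    criticality: int        # business criticality of the asset, 1 (low) to 3 (high)
    internet_facing: bool   # reachable from the internet
    exploit_public: bool    # a working public exploit exists


def likelihood(f: Finding) -> float:
    """Probability-of-exploitation proxy in 0.2-1.0 (constructed weights)."""
    score = 0.2
    if f.exploit_public:
        score += 0.5
    if f.internet_facing:
        score += 0.3
    return score


def impact(f: Finding) -> float:
    """Impact proxy in 0-1: technical severity scaled by how much the asset matters."""
    return (f.cvss / 10.0) * (f.criticality / 3.0)


def risk_score(f: Finding) -> float:
    """Risk = impact x likelihood on a 0-100 scale, rounded for reporting."""
    return round(100.0 * impact(f) * likelihood(f), 1)


def sla_days(score: float) -> int:
    """Remediation deadline by score band (constructed policy, not a standard)."""
    if score >= 70:
        return 7
    if score >= 40:
        return 30
    if score >= 10:
        return 90
    return 180


def prioritize(findings) -> list[tuple[float, Finding]]:
    """Return (score, finding) pairs, highest risk first; ties keep scan order."""
    scored = [(risk_score(f), f) for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def plan(findings, capacity: int) -> list[str]:
    """This cycle's remediation list: the top `capacity` findings with their deadlines."""
    return [
        f"{f.asset}: {f.title} (due in {sla_days(score)} days)"
        for score, f in prioritize(findings)[:capacity]
    ]


# Constructed findings for a small hospital network; none refer to real CVEs.
FINDINGS = [
    Finding("web-01", "Deserialization RCE in patient portal", 9.8, 3, True, True),
    Finding("db-01", "Unpatched database privilege escalation", 8.8, 3, False, True),
    Finding("kiosk-07", "Information disclosure in lobby kiosk", 5.3, 1, True, False),
    Finding("hr-laptop-12", "Local denial of service in office suite", 4.0, 2, False, False),
    Finding("vpn-gw", "Authentication bypass in VPN gateway", 9.1, 3, True, False),
]

if __name__ == "__main__":
    for score, f in prioritize(FINDINGS):
        print(f"{score:5.1f}  {f.asset:13s} {f.title}")
    print("This cycle:", plan(FINDINGS, capacity=3))
```

Note what the ranking does with the VPN gateway: a 9.1 severity with no public exploit lands below an 8.8 on an internal database that does have one, because likelihood is part of the score. Severity alone would have ordered them the other way, which is the trap the step above warns about.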

3: Privileged Access Management

Monitor and manage your privileged accounts as these will be the accounts likely exploited in a successful breach. Ignoring this accepted minimum standard of care for information security is akin to not encrypting laptops, it’s a necessity, not a luxury.  For further explanation, we discuss privileged account exploitation more in-depth in our white paper, CyberSheath APT Privileged Exploitation.

4: Protect the Network

Provide protection for your network environment with a set of network security tools to detect, alert, and automatically respond to malicious activities targeting your environment. Prioritize requirements here to fit your budget, and make tradeoffs where required, to include protection for internally and externally available systems, email platforms, and internet use via the browser.

5: Incident Response, Logging, and Monitoring

Build a capability to monitor critical systems, applications, and IT services as well as to detect and respond to incidents and/or breaches when information is improperly handled, accessed, or transmitted as it inevitably will be at some point. Do what you can with what you have as not everyone can afford 24/7 monitoring. Outsource where necessary but do not get caught with no plan or capability or you will spend exponentially more being reactive.

How Can CyberSheath Help Your Organization?

All of these efforts can and should be integrated with the day-to-day delivery of IT operations to maximize your efficiency and effectiveness. CyberSheath will work with your organization, large or small, to help secure your valuable assets. CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand in regards to industry standards and regulations.

The FDA recently issued draft guidance entitled "Postmarket Management of Cybersecurity in Medical Devices," and once again NIST is setting the standard as the recommended framework, specifically the NIST "Framework for Improving Critical Infrastructure Cybersecurity." The draft guidance was issued on January 22, 2016. CyberSheath has expanded on what this guidance means for medical device manufacturers in a recent blog post; below you can review the FDA press release and the draft guidance.

Cybersecurity Recommendations for Medical Device Manufacturers:

Official FDA Press Release

Official Draft Guidance Entitled “Postmarket Management of Cybersecurity in Medical Devices”

Submit Comments and Suggestions on Draft Guidance

Interested parties should “submit comments and suggestions regarding the draft document within 90 days of publication in the Federal Register of the notice announcing the availability of the draft guidance. Submit written comments to the Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852 or submit electronic comments. Identify all comments with the docket number listed in the notice of availability that publishes in the Federal Register.”

How Can CyberSheath Help Your Organization?

The FDA guidance continues a trend where the government is using its ability to influence industry and improve cybersecurity across every critical infrastructure sector. CyberSheath will work with your organization, large or small, to understand the NIST framework recommended within the FDA draft guidance. CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand in regards to industry standards and regulations.

“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” – Ernest Hemingway

When planning for a security maturity assessment by an independent third party, many organizations ask if their results can be compared to other companies in their specific industry.   On the surface, this "benchmarking" seems to be a reasonable request.  CIOs want to spend as much on security as their peers; CISOs want to be "as secure" as their competitors.  Nobody wants to devote wildly more or fewer resources to the effort than others in their industry.  However, the request to see your company's security maturity "score" stacked side-by-side with other companies is not attainable, for two reasons.

First, the results of an organization's security maturity assessment are very rarely shared or made public.  The report and its associated gaps are often treated as highly sensitive, with some deficiencies even qualifying as vulnerabilities that are very tightly controlled.  No company, no matter how glowing the results, would readily share the results of a security maturity assessment with competitors without significant legal review. There may be some research reports available that poll CISOs anonymously and include spending statistics, but the level of detail on control compliance is never meaningful enough to compare security posture.

The second and more important reason not to compare your security maturity against competitors is that it is not a meaningful or actionable metric.  Your level of compliance as compared to another company is irrelevant to you, your customers, and your vendors.  It's the same logic used by a child trying to convince his parents to allow him to do something "because everybody else is doing it."  Security assessments measure compliance and maturity against a structured control framework such as NIST 800-53, ISO 27001, or the Center for Internet Security (CIS) 20 Controls for Effective Cyber Defense.  Security assessments should strive for excellence, measuring against an industry-accepted set of best practices. Information security maturity is a journey, measured through continuous assessment, remediation, and improvement. Measurement of that journey is only applicable to you and your organization.

There is value in information sharing consortiums and through CISO networking to get a feel for how other companies in your industry are addressing cybersecurity.  And it is ok to want to be better than our peers.  But the security assessment of your efforts should be your own, measured against a recognized standard of excellence by an independent cybersecurity firm with real-life experience.

Let’s be clear – POS is an ill-termed acronym for Point of Sale.  As the collective giggles fade, it’s time to think about security in the retail industry.  With Black Friday fast approaching, stores preparing for the mad rush of shoppers should ensure their POS systems are secure.  Cardholder data has been a lucrative draw for the cybercriminals seeking to make some serious money selling your stolen credit card data.  Along with cardholder data comes your customers’ personally identifiable information that is now floating around the Internet and could potentially fall into the wrong hands.

“Point of sale system” is the catchall term for the consumer’s relationship to the store and how the consumer exchanges money for goods and/or services. A point of sale system has many different facets operating at different levels. For the purpose of this blog post, I am only referring to the information technology assets that retailers have control over. Payment gateways and bank systems are beyond the scope of this post.

Home Depot, Target, and Neiman Marcus are prime examples of major retailers that attested to PCI compliance yet were still breached. While PCI compliance is important and ensures your organization has its ducks in a row, it doesn’t necessarily make your POS system more secure. There are additional steps every organization should take to become proactive about securing its POS, arguably the lifeblood of the store.

3 Steps To Secure Your POS Systems

1: Conduct a Security Assessment

How do you secure your bread and butter? For starters, I recommend a security assessment. Conducting a security assessment will not only identify gaps in coverage but will provide your organization with a valuable roadmap to becoming more secure. A security assessment will measure how your people, processes, and technologies stack up against your chosen security framework (be it NIST, SANS, etc.). The assessment is designed to quickly identify problems, as in the case of the 2014 Neiman Marcus breach, where over 60,000 alerts were triggered but were ignored or went unnoticed while the thieves moved around the network over a period of months. An interview with personnel could have identified the problems or concerns personnel may have had with a particular security tool, such as too many alerts or not enough personnel to monitor the systems.

2:  Invest in a Governance, Risk, and Compliance Tool

Following the assessment, I recommend bringing your metrics and reporting together with a governance, risk, and compliance (GRC) tool. This will provide your organization with valuable metrics, superb reporting capability, and a single dashboard that gives your security team time to respond to incidents. Your compliance team will love it because they can effectively manage compliance requirements and documentation. PCI compliance is a major undertaking for any organization. Having everything in one place for the auditors will make your next PCI audit go smoothly. Even if you are a small organization with no team in place, having a centralized way to view metrics and spot trends will keep you ahead of the curve.

3: Develop a Continuous Monitoring Strategy

And finally, institute a continuous monitoring strategy. From the major retailers to the local mom-and-pop shops, some type of system that generates valuable alerts when there is suspicious activity on your network will provide the shift your organization needs to become proactive about security. Having a strategy in place will allow you to quickly identify events of interest and will provide the guidance you need to respond to an incident. Spotting anomalies in your network and making sure your systems are up to date will go a long way toward preventing a costly data breach. If you are at a loss as to where to begin, check out CyberSheath’s blog post on vulnerability management to get some helpful ideas.

CyberSheath will work with your organization, large or small, to help secure your valuable assets.

Recently the New York Stock Exchange (NYSE) released a cybersecurity guide for public companies that succinctly captured 5 questions CEOs should ask to improve security. I have reposted the questions here, along with some thoughts and context as to the “so what” behind the answers to these questions.

The Five Questions CEOs Should Ask To Improve Security

1: What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?

Risk is hard to quantify, but you have to try. The effort spent measuring risk can often reveal decisions narrowly made through the filter of budget pressures without the business explicitly accepting the risk resulting from those decisions. We’ve worked with organizations obsessed with management by headcount – don’t go over X number – without understanding the consequences of that broadly applied guidance.

CEOs should explore and push their teams to quantify the maturity of processes and the number of people in place to support tool investments. More often than not, organizations have more tools than can be effectively deployed and supported with the existing staff. The risk discussion has to go beyond tools and delve into the effectiveness of those tools in addressing risk.

Ironically, this is no different than the rest of the business.  Your Enterprise Resource Planning system, for example, doesn’t do anything without the people and processes to make it run effectively. Don’t let the security risk discussion start and stop with the products you have purchased.

2: How is our executive leadership informed about the current level and business impact of cyber risks to our company?

At a mature company, every other business enabling or supporting function has a set of metrics and reporting to inform business decisions. Finance is probably the most mature, measuring, among other things, return on investment, sales, orders, backlog, profit, revenue; the list goes on. Security should be treated no differently, with one caveat: don’t expect the reporting and metrics to be as mature as the other functions on day one.

Security is not finance and truthfully we are all still figuring out the right things to measure and report.  It will vary by the maturity of each individual organization. Be patient and expect an evolution of the value and fidelity of the reporting.

3: How does our cybersecurity program apply industry standards and best practices?

This is critical and again no different from how you measure the rest of your business. Finance may follow Generally Accepted Accounting Principles (GAAP). Other parts of your organization will use Capability Maturity Model Integration (CMMI). Security should be held to the same level of rigor and accountability. Depending on your industry and level of maturity, there are several frameworks to choose from, including NIST Special Publication 800-53 and the recently released Center for Internet Security Critical Security Controls for Effective Cyber Defense Version 6.0. Pick a framework and conduct an assessment against it to measure your maturity.

4: How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?

Again, metrics and reporting are critical here. How do you measure the effectiveness of your incident response? Remediation time? Dwell time? Return to operation for the impacted business? Counts by business line, to understand who is being targeted? These questions can all be answered with valuable metrics that make sense for your organization.

5: How comprehensive is our cyber incident response plan? How often is the plan tested?

In mature organizations, the plan gets tested every day by real threats. If you are just beginning to think about building your capability, any gaps will be discovered and improvements recommended if and when you conduct an assessment of your entire security program against industry standards and best practices.

How Can CyberSheath Help Your Organization?

CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand with regard to industry standards. The value of having an assessment, and the data it yields, enables your organization to create a roadmap based on metrics that emphasize priorities for your short- and long-term goals. Beginning with an assessment of your organization’s security environment will allow you to better evaluate the five questions discussed above and set a mark you can measurably improve upon.

The Wall Street Journal recently published a consolidated set of highlights from recent surveys and reports dealing with risk and compliance issues. The results will hardly be surprising to security professionals, but they are an abysmal reminder of just how much work still needs to be done before boardrooms are really engaged on the issue of cybersecurity. One report by AT&T found, “75% of companies don’t involve their full boards in cybersecurity oversight, saying it is an IT issue and not a core business concern.” That aligns with my experience, the exceptions being companies that have suffered a significant breach; not so surprisingly, post-breach companies see a substantial increase in board involvement.

How to Engage Your Board in the Conversation

Change has to come from both inside and out. Security leaders inside of companies have to continue advocating for board engagement and navigating corporate politics to effect change. This work is made harder due to the lack of agreed-upon metrics and success criteria in cybersecurity, leaving leaders wondering where to start the conversation with their boards.

First Step:  A Measurable Framework

My answer: start with a comprehensive security assessment against a framework you can explain, like the Critical Security Controls, and brief your board on the results. The results focus executive attention on the 20 most important things they should understand, support and invest in. Everything else is noise until you are implementing these 20 critical controls effectively, which is conveniently measured by the metrics provided in the controls document. Security assessments are an effective way to get board engagement for a sustained period of time.

Externally, real change will only come with comprehensive legislation designed to enforce investment in people, processes, and tools. I’m not a legislator, so I don’t profess to know all of the elements that the policy should entail, but I do know that without such legislation investment will continue to be disproportionately allocated toward tools without a long-term plan to sustain those investments with the people and processes necessary to drive success.

Throughout my time as a security practitioner I’ve had the pleasure of working with security-conscious customers stretching across almost every vertical market segment. Something I see time and again is small, medium, and large businesses struggling to implement the fundamental basics of cybersecurity. The greatest source I attribute to this problem is that businesses often believe they are implementing the appropriate protective measures that will effectively manage risk when in fact they are not.

To ensure the best use of your security resources, you should understand the relative significance of different sets of systems, applications, data storage, and communication mechanisms. This is the very reason security assessments exist in our world today. They enable businesses to objectively evaluate their overall security effectiveness, identify gaps, and ensure that necessary security controls are in place and working as intended. Assessments are essential in determining what risks your business is accepting and in bringing management attention to security priorities.

If you question the value of security assessments, then I would encourage you to read the post “Are Security Assessments of Any Value?” from CyberSheath’s CEO, Eric Noonan. What Eric said then remains true to this day: the actionable data produced from a security assessment is used to prioritize security investments and deliver a foundation on which a sustainable organization can be built. Effective security assessments allow CSOs/CISOs to understand and explain their current cybersecurity posture in business terms, discover and remediate potential weaknesses, demonstrate compliance with regulatory requirements, and measure performance strategically, year over year. In short, security assessments, executed by the right professionals, will tell you where you are and provide the map that will get you to where you want to go.

Security decisions you make today can determine your organization’s security and resilience for years to come. Our comprehensive cybersecurity consulting services will instill confidence in the security actions you take by assessing the resources, realities, and culture of your business. We produce prioritized opportunities for improvement that can be implemented to show compliance, reduce cyberattacks, and build a world-class cybersecurity program.

It’s January, so lists and predictions abound, and most of them are just fun, with prognosticators having no real stake in the accuracy of their predictions. One trend that caught my eye was the prevalence of lists in the security space that were focused on product vendors and “hot” product companies. Dark Reading’s list of “20 Startups To Watch In 2015” and CRN’s list of “Top 10 Security Vendors To Watch In 2015” were both dominated by product companies. The focus on products implies that CIOs and CISOs are yearning for even more tools to spread across an already thin staff, and that’s not been my experience at all.

I understand the focus on products; they offer a simple way to answer most security questions. Oh, you lost data? You need a Data Loss Prevention tool. Lost a laptop with proprietary data? Buy an endpoint encryption product. Having trouble finding incidents on your network? You need a Security Information and Event Management tool. The list goes on and on. This product-focused mindset that dominates our industry is part of the problem.

In fact, just last week I was in the office of a CIO whose views on the rush to buy products summed up in one sentence what I’ve tried to articulate here. He told me, “If one more person tells me I need to buy (Vendor Name Redacted) I’m going to throw him out the window.”

The answer: find a security services partner that can integrate and optimize what you already own and enable you to tell the security story in business terms. Take your next meeting with a services company and see how much more focused the conversation is on your problems and possible solutions rather than on someone else’s pre-existing solution in the form of a product. Obviously, I believe this because of my personal experience as a former CISO and the weekly conversations I have now with CIOs and CISOs as their services provider, but I’d invite you to see for yourself.

In the wake of the Sony attack and tens of millions of cases of consumer credit card and personal information being compromised, the White House is championing legislative proposals to help address the challenge of cybersecurity. At the heart of this proposal, and of many before it, is “Enabling Cybersecurity Information Sharing”, which “promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration and information sharing amongst the private sector.” So, will better information sharing help the vast majority of companies prevent, detect or respond to cyberattacks? Probably not, and here are 3 reasons why:

1. No Tools…

The vast majority of companies, say those under twenty billion in annual revenue, are not equipped to analyze and act on cyber threat data because they have not been resourced for the mission. Actionable intelligence is only useful if the company you provide it to has made the right investments to take appropriate action.

IP addresses, signatures, filenames, MD5 hashes and other actionable cybersecurity intelligence are mostly interesting but irrelevant if you don’t have the people, process, and technology to take the appropriate action. Handing off this kind of intelligence to an organization that has not made the appropriate Security Information and Event Management (SIEM), Intrusion Detection System (IDS), or similar investment will only serve to further exacerbate the problem.

2. You’ve Got Tools…

But not enough people to support them, and certainly not any documented, repeatable, or ideally automated process to optimize them. This is where the vast majority of organizations find themselves: tool heavy and people and process starved. Sharing threat information with a tool-heavy organization will further overwhelm the fewer than ten security professionals who typically try to deliver security for multinational corporations of twenty billion or less. Yes, fewer than ten full-timers delivering security is the norm, so throwing tools at the problem is not the answer either.

Many readers can remember buying a Data Loss Prevention (DLP) tool in response to an internal audit and then another tool in response to something else, and so the tool tree grew, but few can probably remember resourcing the people and processes to support those tools.

3. No business plan for security…

Be as proactive as you can probably be in security and do an assessment of your entire security organization and its capabilities. This assessment will serve as your business plan for security and facilitate a conversation with your board that educates and informs.

Security assessments are like home inspections in that they give you an expert view of red flags, watch items and things that are in good shape for now. Without a comprehensive assessment and a corresponding plan of action to address the findings, you’re likely to have more tools than people to support them, and when the FBI comes knocking with actionable intelligence you will be in the unenviable position of asking the government for help it likely can’t provide.

Come January 2015, gyms across the country will be crowded with an untold number of people with a renewed commitment to physical fitness. By March the crowds will be getting back to normal and a month or two after that everything will be back to normal. This cycle is similar to what companies go through after a security breach. Initially, it will rain resources and things that have been requested and denied for years will suddenly be approved quickly, too quickly to actually be implemented effectively. Eventually, the business will grow tired of the dire warnings from security and assume that security is “fixed” and the pendulum will swing back to “normal”.

It doesn’t have to be this way and in fact, in some companies, it isn’t. The reason this cycle exists is the lack of two things: long-term planning and metrics to measure security effectiveness. Breaches cause companies to focus on immediately “losing that extra 15 lbs” rather than creating and maintaining a healthy lifestyle that is measured by more than just your waistline. After a breach, the focus is on buying specific tools to address the threat you just experienced rather than creating and maintaining a long-term strategy for dealing with security risk that is measured by more than just the purchase of point solutions.

So in 2015, I’d invite you to decide whether you want to lose weight or get healthy. To start with, get a baseline of your current security program, a real baseline that can be mapped to a multi-year strategy. Done correctly, assessments are hard work and are as much about communicating gaps and risk as they are a communication tool with which you can engage your business. The follow-through on a good assessment will enable you to both shed that extra 15 lbs and address the long-term health of your security posture.

Due diligence and fiduciary responsibility for corporate executives are now widely acknowledged to include exercising sound judgment and effective controls in the domain of cybersecurity. There’s no escaping the responsibility to protect corporate information and infrastructure, and eventually the law will catch up with this reality. Until it does, here’s what you should be doing right now to exercise due care in managing cybersecurity risk.

1 – Be pragmatic: there are more risks than you can possibly address. If you try to do everything you will end up doing nothing.

2 – Get a baseline of the controls you currently have in place and how effective they are, and compare yourself with NIST 800-53 or the Consensus Audit Guidelines. (HINT: Remember step 1 and don’t overthink this; your assessment shouldn’t be a six-month exercise.)

3 – Do something! Prioritize your risks and address ONLY the things that can show measurable improvement, i.e. reduced risk. If you’re stuck in analysis paralysis just start with Consensus Audit Guidelines and address the ones that you’ve found to be vulnerabilities in your baseline.

4 – Document and tell your story using words and numbers that matter. Telling the board that SQL injection vulnerabilities have been reduced because you implemented a Web Application Firewall is why security often doesn’t get “a seat at the table”. Talk in terms of compliance and risk; they get that.

5 – Stop buying tools and adding complexity until you’ve mastered the ones you already own and have laid in the process (documented) to use them effectively and in an integrated fashion.

As Einstein said, “Everything should be made as simple as possible, but not simpler.” Apply this approach in exercising due care with respect to cybersecurity.

I’ve spent the week here at RSA talking with current and future customers, and a great question I get from customers looking for a trusted security partner is “So what exactly is it you do?” It seems like a simple question, but what it usually implies is some level of “consultant fatigue”: CISOs have had enough assessments, reports and outsiders telling them what their problems are. They want solutions and partners who do real work. Here’s what CyberSheath does to add value, guaranteed.

What We Do

We integrate your compliance activities with security activities and measurably reduce your risk.

How We Do It

Set a security strategy, select standards, implement controls, measure effectiveness.

What Results Look Like

A recent engagement for a customer led us to design and deploy an incident response and management plan. This particular security control happens to be Critical Control 18: Incident Response and Management from the CSIS 20 Critical Security Controls list. Implementing all 20 controls would have been ideal, but we are realists, not idealists. The customer had suffered a significant attack in which the APT had been embedded for over two years, and the lack of process to contain and expel attackers directly contributed to massive amounts of data loss.

What We Did

Documented written incident response procedures that included specific roles and responsibilities for both management and technical personnel during each phase of an incident.

Documented and implemented organization-wide service level objectives (SLOs) related to mitigation of an incident.

The Results

The customer has a documented, repeatable and measurable incident response and management plan for cyber-attacks and mitigates attacks on average in less than 2 hours once discovered.

Our focus is on implementing real results that make you more secure; we guarantee it.

The keynote sessions here at RSA 2013 kicked off yesterday, and Art Coviello, RSA Executive Chairman, focused on the importance of big data and the opportunities it presents security teams from an intelligence perspective. He’s right: the opportunities are tremendous and customers are anxious to better leverage “big data”, but documented and repeatable process along with baseline implementation of critical controls are prerequisites for taking advantage of “big data”.

The actionable intelligence that can be gained from big data is only useful if it causes an organization to take the RIGHT actions in the correct sequence with measurable outcomes. Conceptually, leveraging big data makes perfect sense, but the implementation will yield more of the same firefighting that bogs down security organizations today if it’s not part of a documented strategy with measurable outcomes, enabled by rigorous process and a thorough understanding of the controls you currently have in place.

The actionable intelligence that big data can provide could very well enable an organization to quickly and efficiently mitigate an attack by correlating unstructured data in a context that directs a SOC analyst to take appropriate action. Attack mitigated, the good guys win, right? Maybe not. Are we really still just addressing the symptoms and not the root cause? The attack is the result of a vulnerability that was exploited, and resources are being expended on the incident response because resources were not expended on preventative maintenance. Perhaps if the control to prevent the attack in the first place had been documented, implemented and measured, the attack would never have happened.

I realize that implementing critical controls won’t stop every attack, but there is such a great opportunity to do some fundamental and meaningful work around implementing critical controls to stop the attacks that get overlooked.

It’s just good hygiene. Would you rather brush your teeth, floss and get regular dental examinations, or be really good at getting fillings?
