Securezoo Monthly Security Newsletter
3 Good Ways a Cybersecurity Capability Maturity Model Can Help Improve Small Business Security
February 2015

Nearly two years ago, security company Mandiant issued a report titled "APT1: Exposing One of China's Cyber Espionage Units" and included 3000 APT1 indicators, such as domain names and MD5 hashes of malware, to help organizations defend against APT1 operations. In the February 2013 report, Mandiant (now a FireEye company) described how the APT1 group had run a sophisticated operation since 2006 to steal terabytes of data from 141 organizations.

The report also triggered controversy in security circles, but some argue that it has increased security threat intelligence and information sharing since then. Countless large-scale threats and attacks have materialized since then, such as the Target, Home Depot and Sony breaches and, most recently, the Anthem data breach, to name just a few. Such attacks have made security much more personal to most consumers and small businesses in recent years.

It's easy to throw such breach victims under the bus, but the lessons learned teach us that a company of just about any size needs to consistently improve its security measures. One way to help organizations of all sizes do this is a Cybersecurity Capability Maturity Model. We'll describe this model and three good examples of how small businesses can easily put it to immediate use.

Cybersecurity Capability Maturity Model 

Organizations can use a number of models to measure their security controls and show improvements over time. One such model, the "Cybersecurity Capability Maturity Model" (or C2M2), was developed by the Department of Energy (DOE) and energy industry organizations as a tool to help implement the Cybersecurity Framework. The framework was launched by the National Institute of Standards and Technology (NIST) back in February of 2014 to provide a common language organizations can use to assess and manage cybersecurity risk.

We won't go into too much detail here on the C2M2 model, but a nice summary from the Energy Sector Cybersecurity Framework Implementation Guidance describes the model at a high level: "C2M2 includes four maturity indicator levels (MILs): MIL0 (Not Performed), MIL1 (Initiated), MIL2 (Performed), and MIL3 (Managed). Organizations progressively advance in maturity level by improving: (1) the completeness, thoroughness, or level of development of the practices in a given domain; and (2) how ingrained or institutionalized the practices are in the organization’s operations and way of conducting business..."

Long story short, organizations can use this to constantly improve their security program in a continuous cycle of improvement. Even if you start with nothing (i.e., level "0" on the level indicator), you only have one way to move and that's up the maturity scale. 

Even the most experienced and well-staffed companies are constantly striving to move up the maturity scale. Many organizations share a consistent desire to improve, since perfection in security is a noble but probably unrealistic goal. Improve is the key word here. In this article, we describe just three areas small businesses can focus on to continuously improve their security programs.

1 - Start with a security baseline (via an assessment)

Just like starting a new IT project that requires a good project plan and roadmap to help achieve an objective, companies should start with a security assessment of their security program. An assessment (via a security questionnaire) can be used to evaluate security safeguards in your business and then document gaps and opportunities to address those weaknesses. 

The assessment can help your organization establish a "baseline" or starting point to measure and improve against. A maturity model can then be used to rate and improve your security controls, for example:

  1. Have you ever done a full security assessment of your business? If no, move to next step. 

  2. Start with an initial security assessment (this would already move you up a notch in maturity scale compared to not doing one at all)

  3. Once an assessment has been initiated, perform and complete the assessment (document weaknesses and areas of improvement)

  4. Continue to monitor and track security controls in all areas of your business on a continuous basis (e.g., at least annual security assessments, daily monitoring)

By moving off of the baseline, your business has already moved to the next level in maturity to help protect your business.

To help get started, launch the Small Business Security Assessment by clicking here.

2 - Security policies and awareness 

Many smaller companies lack information security policies or fail to keep them updated. Often this is caused by a lack of expertise or resources to help develop policies and procedures. Other root causes could be a lack of urgency or a false sense of security, such as the belief that small businesses aren't a target.

Policies are critical, however, to every organization of any size, since they are used to document and communicate the legal and security requirements that every employee must follow as a condition of employment and to protect critical customer and employee data. Similarly, it's hard to imagine how a football or basketball game could be played without rules and referees to enforce them.

Using a maturity model, organizations may strive to mature their security policies and awareness program using the following steps (see where your company stands):

  1. Evaluate and determine whether your business has missing or incomplete security policies and procedures.

  2. Clearly document, communicate and enforce policies and procedures.

  3. Update policies to align with all needed regulations and compliance requirements; make sure employees review policies and take security awareness training annually and upon new hire.

  4. Same as #3, plus monitor and update policies annually in order to align with regulatory changes and new threats.

3 - Vulnerability Management and Application Security

Often hackers breach companies and their data by exploiting vulnerabilities on devices or applications via many different threats -- social engineering, website hacking, and internal threats, just to name a few. Vulnerabilities should be addressed via patching or system upgrades in a timely manner. Your company website should also be free of web application security bugs. Examples of bugs to address include weak encryption, weak authentication, SQL injection and command injection vulnerabilities.
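To make the SQL injection bug class mentioned above concrete from the defender's side, here is an added example (not code from the newsletter or from Securezoo) that puts a vulnerable lookup next to its hardened form. The user table and its rows are constructed for this example; the only difference between the two functions is whether user input is concatenated into the SQL text or passed to the driver as a bound parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database for the example (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "staff")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the username is spliced into the SQL text, so anything the
    caller types is parsed as part of the query."""
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened: a parameterized query. The driver binds the value, so the
    input is only ever compared as data and never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run the same input through both versions and report the row counts."""
    conn = make_db()
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, username)),
        "safe_rows": len(find_user_safe(conn, username)),
    }


if __name__ == "__main__":
    # A well-formed username behaves the same in both versions.
    print(compare("alice"))
    # A tautology in the input makes the vulnerable version return every row,
    # while the safe version simply finds no user with that literal name.
    print(compare("' OR '1'='1"))
```

The fix is not input filtering but keeping data out of the code channel: every database driver offers placeholders like the `?` above, and a web application scan of the kind the roadmap below calls for will flag the string-formatted variant.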

A sample maturity roadmap that organizations can follow may include the following steps:

  1. Infrequent or ad hoc updates of software or systems in response to public events or as time permits.

  2. Periodic quarterly scans and patch updates of systems and applications; initial website vulnerability scans when first launched.

  3. Consistent weekly vulnerability scans and monthly patch updates; quarterly website vulnerability scans or as new changes to website are made.

  4. Same as #3, plus ongoing real-time alerting of new vulnerabilities and an emergency remediation process to address critical vulnerabilities (such as 0-days) as soon as they become known. Ensure security is embedded and checked throughout the development lifecycle and before new web code is launched into production.
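Steps 3 and 4 of the roadmap only work if someone tracks how long each finding has been open against a remediation deadline. The following is an added example (not from the newsletter) of that tracking logic: it takes a constructed list of scanner findings and reports which open findings are past their severity's deadline. The deadline values in `SLA_DAYS` and the finding identifiers are illustrative assumptions, not figures from the article.

```python
from datetime import date

# Assumed remediation deadlines in days per severity. These are illustrative
# values chosen for the example; a real program would set its own.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample findings in the shape a scanner export might take:
# (host, finding id placeholder, severity, first seen, fixed date or None).
SAMPLE_FINDINGS = [
    ("web-01", "FINDING-001", "critical", date(2015, 2, 1), None),
    ("web-01", "FINDING-002", "high", date(2015, 1, 5), None),
    ("mail-01", "FINDING-003", "medium", date(2014, 12, 1), date(2015, 1, 15)),
    ("file-01", "FINDING-004", "low", date(2015, 1, 20), None),
]


def overdue_findings(findings, today, sla_days=SLA_DAYS):
    """Return open findings older than their severity's deadline, most overdue first."""
    overdue = []
    for host, fid, severity, first_seen, fixed in findings:
        if fixed is not None:
            continue  # already remediated; nothing to chase
        age = (today - first_seen).days
        limit = sla_days[severity]
        if age > limit:
            overdue.append(
                {"host": host, "id": fid, "severity": severity, "days_overdue": age - limit}
            )
    overdue.sort(key=lambda f: f["days_overdue"], reverse=True)
    return overdue


def remediation_summary(findings, today, sla_days=SLA_DAYS):
    """Per severity: how many findings are open and how many of those are past SLA."""
    summary = {}
    for host, fid, severity, first_seen, fixed in findings:
        if fixed is not None:
            continue
        entry = summary.setdefault(severity, {"open": 0, "past_sla": 0})
        entry["open"] += 1
        if (today - first_seen).days > sla_days[severity]:
            entry["past_sla"] += 1
    return summary


if __name__ == "__main__":
    today = date(2015, 2, 15)
    for f in overdue_findings(SAMPLE_FINDINGS, today):
        print("OVERDUE %-8s %-12s %-8s by %d days" % (f["host"], f["id"], f["severity"], f["days_overdue"]))
    print(remediation_summary(SAMPLE_FINDINGS, today))
```

Run weekly against the latest scan export, the overdue list is the emergency remediation queue from step 4, and the summary gives the "open versus past deadline" count that shows whether patching is keeping pace with scanning.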

Security assessments, security policies and awareness, and a solid vulnerability management program are just a few critical areas small businesses can focus on to improve and protect their brand. Even with limited funding and resources, most organizations can still make gradual improvements to strengthen their security controls. It is a journey, not a sprint, so document and take note of the security controls used in your business and where improvements need to be made.

Remember, be secure. It's a zoo out there.


Best regards,

Frank Crast