
Security by Design | United States Cybersecurity Magazine 21/02/21, 9:36 AM

From the Fall 2017 Issue


TABLE OF CONTENTS
Industry and Business Best Practices

Security by Design United States


Cybersecurity
Je! Spivey, CRISC, CPP, PSP
Magazine
Ret. CEO | Security Risk Management, Inc.
from the {PUBLISHER}

from the {EDITOR-IN-


CHIEF}

Engineering and
Vulnerability
Management

Human Machine Teaming

You Build It, You Secure It

Cybersecurity Morbidity
and Mortality Conferences

Your Web Applications are


A holistic “life cycle” perspective prioritizes security risk levels for the proper governance and management of all security.
The future is already here — It’s just not evenly distributed yet.
William Gibson, Neuromancer
The complexity of protecting our personal and organizational value is increasingly difficult to navigate. Similarly, threats come from so many directions that attaining awareness of important security risks to the business is challenging. An incomplete understanding of how dependent security components are on each other results in a clouded, partial and inaccurate view of risks and risk management. As a result, governance and management are less effective, leaving vulnerabilities unaddressed, some of which may be existential in nature.

It’s a Trust Issue
Enterprises are finding it increasingly difficult to trust their security organizations. In part, this is an integration issue. Security entities are often siloed from the rest of the enterprise and operate without sufficient oversight from senior management. There are often incomplete or unvetted security processes that provide, at best, an illusion of security while permitting risks to continue unmitigated.

As a result, the enterprise loses trust in its information systems and doubts the value added by security organizations and activities. Since the value add is unknown or doubted, security budgets are often deficient, and the security organizations lack the capability to provide the protection necessary to enable the enterprise’s goals and objectives within an acceptable level of risk.

It’s a Governance Issue
Value creation for business and government is increasingly dependent on technology that connects and digitizes an analog world. Over time, the volume and velocity of new technology adoption increases to the point where it overwhelms existing vetting, governance and management structures. Despite good intentions, new governance and management structures often remain immature and, occasionally, unused due to the pressures of new technology integration.

Business risk therefore increases exponentially in both magnitude and scope. The problem is compounded by security gaps where protections and controls were either forgotten or never considered. An organization’s failure to understand the complete security risk life cycle as applied to all its activities, assets, employees and devices produces vulnerabilities without the required risk acknowledgement.
The absence of structured, continually updated security risk governance, resulting from a lack of holistic and integrated security risk assessment, results in reliance on guesswork and personal relationships within an ever-changing staff to hold the security risk management framework together. This ad hoc security risk management creates an inconsistent and insufficient protection regime that is siloed and out of step with the larger enterprise.


There are dependencies that such a siloed approach simply ignores. One of the dependencies is the interdependence of cybersecurity and physical security:

Cybersecurity is dependent upon physical security providing access control and surveillance. With respect to information security, physical access control covers data closets, the data center and any place where network connections are accessible. Access control also means maintaining control of all sensors and tokens used to gain physical access to enterprise facilities. This includes ensuring that employee records are current and auditing access control logs. Physical security then controls physical access to connected devices, mitigating an important cybersecurity risk. Cybersecurity functions are thus dependent on physical security. Despite this, in many organizations, the physical security department reports to the facilities or real estate department (whereas cybersecurity reports to the Chief Information Officer (CIO) or the Chief Information Security Officer (CISO)). Between physical security and cybersecurity there are separate processes, reporting lines, governance structures, management structures, metrics, goals and audit structures. These silos create inconsistent recognition of security related risks and hide important risks that could be catastrophic to the enterprise.

Physical Security is dependent on a robust and reliable information technology (IT) infrastructure to communicate access control data and surveillance information. Physical security also includes the Internet of Security Things (IoST). IoST is the domain concerned with the protection of connected devices and networks. These may include:

- Cameras at remote sites that are connected by WiFi or hardwire to the corporate network to stream video to a Security Operations Center (SOC).
- Intrusion or burglary alarm systems.
- Sensors, such as beacons that provide security information for the access security triad (i.e., control, surveillance and territoriality).

A specific example of the threat’s possible impact is when Jason Ostrom and Arjun Sambamoorthy confirmed how to hijack network connections to various common video surveillance systems and extract, record and replace video on their servers, providing attackers a way to replace video of a physical intrusion with looped video showing no intrusion [1].

“Security by Design” is security “on purpose” and focuses on early warning and prevention instead of remediation and restoration after a breach or other security incident. An effective security risk management approach demands a complete life cycle perspective to maintain appropriate levels of security. Facing uncertainty, all security risk management stakeholders should turn to a framework of governance, risk and compliance combined with enterprise risk management (ERM).


Security by Design: Holistic Security Contributes to Organizational Health

Instead of letting an evolution of good and bad security solutions occur by chance, enterprises are advised to take a step back and create a roadmap for managing all of the organization’s security risk.

The security life cycle is comparable to the product development life cycle, in that it starts at ideation and culminates in delivery and support. Security by Design ensures that security risk governance and management are monitored, managed and maintained on a continuous basis.

The value of this “holistic” approach is that it ensures that new security risks are prioritized, ordered and addressed in a continual manner with continuous feedback and learning. It ensures that all stakeholders know what to expect and when, with respect to who is doing what and when.

Security by Design requires the use of a proven operating framework, such as COBIT or NIST (Special Publication 1800-5b), combined with ISO 31000, to combine security controls with a robust risk management program.

Core Principles for Security by Design include:

- A common governance, management and operational framework for all stakeholders.
- An integrated knowledge management system that is available to all stakeholders that manage any security risk for the organization.
- Integration of security with the organization’s ERM.
- Ensuring that the enterprise risk manager creates a reliable risk data management and prioritization mechanism.
- Establishment of risk taxonomies, heat maps or other templates for documenting and reporting risk and mitigation efforts.
- Achieving consensus as to the controls required for security risk management.
- Integrated real time risk situational awareness that includes:
  - risk categories dynamically designed and catalogued,
  - risk owner name, organizational hierarchy,
  - definition of risk to the business/organization, and
  - risk metrics for all using a common language. The risk metrics include:
    - Risk dependencies and notifications to owners of dependencies, upstream and downstream,
    - Impact to the organization,
    - Likelihood or probability of risk occurring,
    - Alignment of security risk metrics with organization risk measurements,
    - Relation of technical risk to other risk types or dependencies, and
    - Responsibilities for cross functional security risk management.
- Agreed upon internal and external audit mechanisms and interactions with all stakeholders to:
  - Ensure understanding of security and controls in a dynamic field. Use and agree to samples from audit of NIST Special Publication 1800-5b, ISO 31000 and COBIT 5.
  - Ensure all relevant stakeholders are members of the enterprise security governance group.
  - Ensure management has given clear direction for all security responsibilities.


Conclusion

All security risks are not equal and should not be governed,
managed or resourced to the same level. It is essential for
enterprises to acknowledge the importance of creating a shared
understanding of security related risks and be able to assign
priorities based on each risk’s impact and potential for mitigation.
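The risk metrics listed under the Core Principles (owner, organizational hierarchy, dependencies with upstream and downstream notifications, impact, likelihood) and the Conclusion’s call to prioritize by impact and potential for mitigation describe a risk register with a dependency graph. The following is an added illustration, not code from the article or from Security Risk Management, Inc.: it models such a register in Python, computes a 5x5 heat-map score, walks the dependency graph to find which owners must be notified when one risk changes, and orders the register for prioritization. Every risk, owner, score and threshold in it is constructed for the example, and the priority key (heat-map score, then mitigation potential) is an assumed reading of the article, not a scheme the article itself specifies.

```python
"""Risk register with dependency-aware owner notifications and heat-map prioritization.

Added example (not from the article). All risks, owners, scores and
thresholds below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set


@dataclass
class Risk:
    rid: str
    name: str
    owner: str                 # risk owner name
    unit: str                  # organizational hierarchy
    category: str              # risk taxonomy category
    impact: int                # 1 (negligible) .. 5 (existential)
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    mitigation_potential: int  # 1..5, assumed: how far a known control can reduce the risk
    depends_on: List[str] = field(default_factory=list)  # upstream risk ids


# Constructed sample register mirroring the article's physical/cyber interdependence.
REGISTER: Dict[str, Risk] = {r.rid: r for r in [
    Risk("R1", "Physical access to data closet", "Facilities security lead",
         "Facilities", "Physical", impact=5, likelihood=2, mitigation_potential=4,
         depends_on=["R5"]),
    Risk("R2", "Surveillance video stream hijack", "SOC manager",
         "Security Operations", "IoST", impact=4, likelihood=3, mitigation_potential=3,
         depends_on=["R4"]),
    Risk("R3", "Unauthorized access to connected servers", "CISO",
         "IT", "Cyber", impact=5, likelihood=3, mitigation_potential=3,
         depends_on=["R1", "R2"]),
    Risk("R4", "Access-control network outage", "Network manager",
         "IT", "IT infrastructure", impact=3, likelihood=2, mitigation_potential=4),
    Risk("R5", "Stale employee badge records", "HR systems lead",
         "HR", "Physical", impact=3, likelihood=4, mitigation_potential=5),
]}


def validate(register: Dict[str, Risk]) -> List[str]:
    """Return ids referenced in depends_on that are missing from the register."""
    return sorted({d for r in register.values() for d in r.depends_on if d not in register})


def score(risk: Risk) -> int:
    """Heat-map cell value: impact x likelihood on a 5x5 grid."""
    return risk.impact * risk.likelihood


def heat_bucket(value: int) -> str:
    """Constructed thresholds: 1-4 Low, 5-12 Medium, 13-25 High."""
    if value <= 4:
        return "Low"
    if value <= 12:
        return "Medium"
    return "High"


def _closure(rid: str, neighbours: Callable[[str], Iterable[str]]) -> Set[str]:
    """Breadth-first transitive closure; the seen-set also terminates on cycles."""
    seen: Set[str] = set()
    queue = deque([rid])
    while queue:
        cur = queue.popleft()
        for nxt in neighbours(cur):
            if nxt != rid and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def upstream(register: Dict[str, Risk], rid: str) -> Set[str]:
    """All risks this risk (transitively) depends on."""
    return _closure(rid, lambda r: register[r].depends_on)


def downstream(register: Dict[str, Risk], rid: str) -> Set[str]:
    """All risks that (transitively) depend on this risk."""
    return _closure(rid, lambda r: [k for k, v in register.items() if r in v.depends_on])


def notify_owners(register: Dict[str, Risk], rid: str) -> List[str]:
    """Owners to notify when `rid` changes: upstream and downstream, excluding the risk's own owner."""
    affected = upstream(register, rid) | downstream(register, rid)
    owners = {register[r].owner for r in affected} - {register[rid].owner}
    return sorted(owners)


def heat_map(register: Dict[str, Risk]) -> Dict[str, List[str]]:
    """Group risk ids by heat-map bucket, preserving register order."""
    buckets: Dict[str, List[str]] = {"High": [], "Medium": [], "Low": []}
    for r in register.values():
        buckets[heat_bucket(score(r))].append(r.rid)
    return buckets


def prioritize(register: Dict[str, Risk]) -> List[Risk]:
    """Assumed priority key: heat-map score first, then how mitigable the risk is."""
    return sorted(register.values(),
                  key=lambda r: (score(r), r.mitigation_potential), reverse=True)


if __name__ == "__main__":
    assert not validate(REGISTER), validate(REGISTER)
    for r in prioritize(REGISTER):
        print(f"{r.rid} {heat_bucket(score(r)):6} score={score(r):2} owner={r.owner}")
    print("notify on R2 change:", notify_owners(REGISTER, "R2"))
```

The closure walk is what gives the register its dependency notifications: a change to the badge-record risk (R5) surfaces the owners of the data-closet and server-access risks downstream, even though those sit in different reporting lines, which is exactly the silo the article says a fragmented approach hides.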

Sources

1. ViperLab, Sipera Systems, DEF CON 17, “Advancing Video Attacks with Video Interception, Recording, and Replay,” by Jason Ostrom and Arjun Sambamoorthy, July 31, 2009, <https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-ostrom-sambamoorthy-video_application_attacks.pdf>

Jeff Spivey
