By Edward J. Hawkins II
Organizations trust security and cybersecurity professionals to protect their information assets from a myriad of threat actors and vulnerabilities. But if an organization's leaders do not understand their internal security environment, they can be overwhelmed by technical jargon.
They may also lend support to a pet project or to some new development in the world of technology, a practice that can have unforeseen negative effects. There will always be something new in cybersecurity, but it may bring unintended side effects or vulnerabilities of its own.
When Security Increases, Functionality Decreases
The goal is to pair a fundamental understanding of cybersecurity with an appreciation of the diametrically opposed relationship between security and functionality. In other words, when security is increased, functionality decreases, and vice versa.
It is critical to balance improvements in security against the critical functions the organization must keep running, while keeping the environment secure at the same time. Consistent analysis of that security environment is a necessity.
Analyzing Normal Activity for an Organization’s Information Systems
Ideally, organizations should understand what is normal for their information systems over the course of one year. This length of time captures:
- Highs and lows of information system utilization
- Dominant protocols
- Frequency of events (e.g. daily, weekly, monthly, quarterly, etc.)
A shorter analytic period might miss a legitimate high-volume event, so that when it recurs it is treated as an "abnormally" high volume of network traffic and cascades into a potential security event. In his 2004 book, "The Tao of Network Security Monitoring," information security expert Richard Bejtlich showed how a protocol that everyday users rely on to reach their favorite website without remembering its Internet Protocol (IP) address can be used in an abnormal manner. In that example, the Domain Name System (DNS) was used to tunnel BitTorrent traffic and potentially bypass some security mechanism.
By gaining a level of understanding of what is normal for an organization’s information systems, it is easier to detect what is abnormal and needs investigation. Also, this knowledge allows organizations to balance their risk acceptance with security measures such as firewalls, intrusion detection and prevention systems (IDPS), access control policies, and other technical and administrative measures.
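The following is an added example, not code from the article or from Bejtlich's book, that illustrates the baselining point above on constructed daily DNS volumes. The sample series, the simplified 28-day month, the month-start batch job and the z-score threshold are all assumptions made for the illustration; it shows how a four-week baseline flags a legitimate recurring spike that a year-long baseline recognizes as normal, while a tunneling-sized volume is flagged by either.

```python
import statistics
from collections import defaultdict

END = 364  # history covers the days before this one; 13 "months" of 28 days

def dns_volume(day):
    """Constructed daily DNS byte counts: a sample series, not a real capture."""
    weekday, month_start = day % 7 < 5, day % 28 == 0  # simplified 28-day months
    base = 1000 if weekday else 300
    if month_start:
        base *= 4                        # legitimate month-start batch job (assumed)
    return base + (day * 37) % 50        # small deterministic jitter

def profile(day):
    """Which part of the cycle a day belongs to: (weekday?, month start?)."""
    return (day % 7 < 5, day % 28 == 0)

def build_baseline(history, min_samples=3):
    """Per-profile mean/std. A profile seen fewer than min_samples times falls
    back to whole-window statistics, which is all a short window can offer."""
    groups = defaultdict(list)
    for day, vol in history.items():
        groups[profile(day)].append(vol)
    def stats(vols):
        mean = statistics.mean(vols)
        return mean, max(statistics.pstdev(vols), 0.05 * mean)  # floor avoids zero std
    overall = stats(list(history.values()))
    per_profile = {p: stats(v) if len(v) >= min_samples else overall
                   for p, v in groups.items()}
    return per_profile, overall

def is_abnormal(baseline, day, observed, z=3.0):
    """Flag an observation more than z standard deviations above its profile."""
    per_profile, overall = baseline
    mean, std = per_profile.get(profile(day), overall)
    return (observed - mean) / std > z

def check(window_days, day, observed):
    """Build a baseline from the last window_days before END and test one day."""
    history = {d: dns_volume(d) for d in range(END - window_days, END)}
    return is_abnormal(build_baseline(history), day, observed)

if __name__ == "__main__":
    batch = dns_volume(END)   # day 364 is a month start: the legitimate batch spike
    print("4-week baseline flags the batch job:", check(28, END, batch))     # True
    print("52-week baseline flags the batch job:", check(364, END, batch))   # False
    tunnel = 12000            # constructed: volume far beyond any normal day
    print("52-week baseline flags tunneling-sized volume:", check(364, END + 1, tunnel))  # True
```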
Different Ways to Analyze Operating System Activity
There are two common approaches to apply security controls to an organization:
- Lock down the entire computer system and wait to see what system activity happens.
- Leave the system open and observe what events occur.
Both approaches have their positive and negative aspects. For example, locking everything down so tightly that it becomes difficult for workers to do their jobs is based on the "least privilege" principle: granting workers only the minimum access and privileges necessary to perform their jobs.
This method also allows cybersecurity staff to examine why workers need that access or those privileges. The answers will determine whether access is justified or denied. In either case, the justification for that finding should be provided to workers in writing.
The system-open-and-watch method, on the other hand, allows user activity to be monitored for behaviors that run counter to organizational policies. While workers may not complain about their new level of access, it may become possible to identify various forms of institutional fraud as organizational controls are tightened.
Organizations Need to Properly Balance Functionality and Security
Organizational cybersecurity needs to reach the point where its level of effectiveness maintains the proper balance between functionality and security. It is also critical to be aware of personal feelings toward creating this balance, because that awareness determines whether security or functionality is favored. If an organization cannot determine where it stands in the functionality-security equation, it may create an unbalanced security environment with cascading effects.
Finding this balance for an organization is a long process and no easy task, but it is worthwhile. Over time, continuous monitoring and analysis of both the cyber environment and the organization's own biases lead to a more secure environment. If either extreme dominates, it becomes impossible to know what is going on in an organization's cybersecurity environment.
About the Author
Edward J. Hawkins II is a graduate of AMU with a Master of Science in Information Technology with a concentration in Information Assurance and Security and a Graduate Certificate in Digital Forensics. Edward is a former Navy Information System Technician First Class Petty Officer. He also holds numerous certifications in information technology systems. Reach out to Ed on LinkedIn.