Please enter your email below to subscribe
My experience with postmortem assessments of cyber-attacks has taught me a few critical lessons. Foremost among them is that every asset, meaning every user account, every data file and every software process is a potential target. Your sense of what is important to protect may not match what an intruder is interested in, and that gap can have horrific consequences.
Intruders can be incredibly patient. Some malware will gather information about your system over time until it has identified targeted material, designed an exfiltration process and has prepared to conceal its activities. Then it will begin its attack. Facility Management Systems, including any IP-addressable system used for HVAC, physical security, burglar alarms, video surveillance, etc., must be addressed in any security plan. Risk assessment analyses often classify such systems as non-critical. This is a mistake. Any device which has internet access, the “Internet of Things” as it is called, must be given specific attention.
How can we effectively address this in an ongoing manner? Do we need to revamp our security frameworks to account for this? Will the resulting, extra work required to mitigate exposures to more assets be unsustainable? No. But, we do need to include (or include more) “process mappings” into our “asset” evaluation when we are defining risk upfront.
Risk assessments are critical functions that not only frame our corporate security posture but should also enable us to keep an eye on those “out-of-the-ordinary” occurrences that can lead to problematic attack exposures (cyber, social, physical, or any combination). As stewards of our companies’ mission critical technology systems, we need to take steps to ensure that all of our facility support systems are, at a minimum, subjected to the same types of vulnerability scanning, penetration testing and patch management procedures, despite what we have defined in our corporate governance scope and boundaries.
Ron Chandler is vice president of enterprise solutions for Guidepost Solutions. He has more than 30 years of experience designing and implementing enterprise security systems; physical and information technology programs; and security into corporate cultures and infrastructures. He is responsible for cyber security services, global master planning, command and control programs, and managed services programs either as standalone service offerings or as an integrated suite of solutions.