A checklist for people who understand cyber security

By now, it’s pretty much an accepted reality that it’s only a matter of time until an organization – any organization – gets breached by cyber attackers.

But system penetration does not mean game over for the defenders, as attackers still have to do other things to achieve their goal (steal business information, login credentials, intellectual property, etc.). This means there are many other opportunities and ways to stop an attack from succeeding.

How to do it, though?

Independent research institute The U.S. Cyber Consequences Unit (US-CCU) is offering a helpful tool for defenders looking not only to block attackers, but to increase attackers’ costs, i.e. reduce their returns, and to stop them achieving the ultimate goal of the incursions.

It’s called the US-CCU Cyber-Security Matrix and, as Scott Borg (one of the authors) tells me, it’s a cyber security checklist for people who actually understand cyber security.

“Most detailed checklists are designed to be applied mechanically by technically proficient idiots. This one is designed to be applied intelligently and creatively by people who actually know what they are doing,” he points out.

The idea behind the US-CCU Cyber-Security Matrix

The recent history of destructive cyber attacks provides many examples of organizations that had their cyber defenses fail in very costly ways, because they had “checked all the boxes” without thinking through what business operations were defending and what kinds of attacks they needed to stop.

The era of generic, one-size-fits-all cyber security is coming to an end. Organizations today need to customize their security to fit the specific kinds if threats they will be facing and the specific operations they most need to protect.

This is where the matrix comes in, as a “menu” from which to choose adequate and cost-effective defensive measures and policies.

“All the changes we have made to this document during its development are essentially efforts to respond to recent changes in the cyber security environment. In addition to adding many new checklist items, we have gradually eliminated a number of old security measures that we have concluded are no longer cost effective,” he notes.

The change from checklist to matrix has lead to the security measures being arranged in a way that will help defenders to think through what each security measure is supposed to accomplish.

Every security measure is listed under a heading that indicates the kind of attacker action it is designed to foil, as well as a heading that indicates the kind of system it is designed to secure.

“The real power of this tool comes from the way it prompts its users to apply their own intelligence and insight,” Borg adds. “Although this matrix is written in jargon-free language, so that it will be intelligible to a novice, it really comes into its own in the hands of an experienced expert.”

Organizations can use this tool to improve their cyber security to a considerable degree, even before they have spent more money on security tools and services, and the matrix can ultimately be a guide when it comes to shopping for security products.

The basis for the matrix

The content of the matrix comes entirely from real world experiences and observations. None of it is recycled from other checklists, except for the items from the US-CCU’s own previous checklist (released in 2007, adopted across the world, recommended or referenced as a best practice document by the likes of the American National Standards Institute and US-CERT).

That initial checklist was also based on things that the authors have observed first hand.

Although effectively authored by Scott Borg and John Bumgarner, CEO and CTO of the U.S. Cyber Consequences Unit (US-CCU), respectively, this matrix also contains measures suggested by a number of well known and reputed information security specialists.

In fact, as the matrix is still taking shape (the latest draft is available for download here) and is scheduled to be published in 2017, the authors are inviting anyone who has any relevant knowledge, experience, or insights to contribute.

“Some of the people who have helped improve this document are already thanked in the introduction. We are eager to thank anyone by name in the final version who can come up with suggestions for making this tool better or more complete,” says Borg.

“We are trying to collect as many suggestions and ideas as possible before the end of the year, but I imagine we will be making changes right up until the point when we send this document off to be physically printed. We are great believers in the value of printed books, as well as electronic ones, especially when those books are going to be used regularly for reference.”

The publication date has still not been set in stone, as it depends on the quantity of suggestions they receive, as well as what sort of sponsorship they manage to attract (the US-CCU is a non-profit, 501(c)(3) organization).

eBay has already provided some sponsorship, but more is needed to print and translate the document

“If our earlier US-CCU checklist is anything to go by, this new reference tool will be used worldwide, downloaded well over a hundred thousand times, and used constantly as a printed reference by tens of thousand of cyber security professionals. Sponsoring this tool would be a good way for a corporation to draw attention to its commitment to better cyber security,” Borg concluded.