By Mark Chaplin, Head of Strategic Projects and Tools for the Information Security Forum
In the past month or so my daughter has discovered the game of chess. Frequently, on arriving home from work, I am challenged to this 1,500-year-old board game of strategic skill. As is often the case with board games, I find myself looking for similarities between the game and the activities involved in managing information risk, in the hope that we can learn something in the pursuit of better information risk management.
Winning at chess means attacking the opponent's king so that it has no escape: checkmate. Achieving checkmate, and avoiding it, requires many qualities in a player, including discipline, planning, adaptability, anticipation and an eye for error. These same qualities also help in a number of information risk management activities, including vulnerability management.
Technical vulnerabilities (i.e. those typically associated with flaws in software) play a major role in whether attacks against an organisation's systems and applications are successful - often placing a significant and growing burden on system administrators, application owners and other individuals responsible for maintaining and safeguarding an organisation's critical assets.
At the beginning of a chess game your 16 chess pieces (including the king that needs protecting), and those of your opponent, are arranged in their respective squares on the chessboard. You know their capabilities, strengths and weaknesses, and you understand the scope of the game ahead, as defined by the rules of the game and the 64 squares of the chessboard. At this stage of the game your most prized asset - the king - is more than adequately protected. This will soon change as the game commences.
This simplicity, of course, does not extend to the real world, where organisations face a formidable threat landscape made up of many unseen adversaries, a good number of them intent on causing harm. Unlike in the game of chess, your organisation faces far more than 16 opponent pieces, and it probably does not know how many kings need protecting, or where they are. To compound the problem, the arena in which your organisation operates has no clearly defined borders, and certainly no rules within which your opponents operate.
There are nevertheless some principles we can adopt from chess to help manage technical vulnerabilities effectively. For a start, you need a clear picture of your complete technology estate (particularly the most important parts). Beyond the obvious operating systems and business applications, this can also include consumer devices, user-developed applications (e.g. spreadsheets), telephony equipment, network printers and industrial control systems.
Over time you need to maintain a strong understanding of the extent to which these systems and applications are exposed, and be able to react quickly to address major vulnerabilities. This is typically achieved through the scanning of your technology estate and identifying vulnerabilities, which can emerge on an almost daily basis. Only then can you take steps to reduce exposure and strengthen the necessary protection. Applying some of the key principles such as these should help you avoid checkmate.
Six key moves to protect your crown jewels against checkmate:
- How many kings are you protecting and where are they? Identify and understand your technology estate, particularly the parts that are critical (i.e. those whose compromise would result in high business impact).
- Where and how are your kings exposed? Identify the technical vulnerabilities present throughout your technology estate as soon as they become known (e.g. by tracking CERT advisories and subscribing to vulnerability notification services).
- Which kings are subject to the greatest exposure? Determine which known technical vulnerabilities are exploitable and which are already being exploited in the wild. A vulnerability with a working public exploit is far more likely to be used in an attack than one without, and a vulnerability already being exploited is more likely still, so prioritise accordingly.
- Manoeuvre your pieces to minimise exposed kings. Obtain and prioritise patches using a rigorous patch management process that covers all critical systems, applications and underlying infrastructure.
- Maintain an escape route for each king. Be ready to implement emergency fixes, manage difficult patch scenarios such as installation failure, and protect critical systems, applications and underlying infrastructure when patches are unavailable or cannot be installed.
- Continuously monitor your kings, other chess pieces and the board. Scan and review your technology estate regularly to identify exposed systems and applications, and focus on assets that support your organisation's most critical business processes.
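The third, fourth and fifth moves above (rank exposure by business impact and exploit status, patch in priority order, and fall back to mitigation where no patch exists) can be turned into a repeatable prioritisation step. The Python script below is an added illustration written for this page; it is not code from the article or from the ISF Standard. The asset inventory, the advisory records (identifiers such as ADV-1), the version numbers and the scoring weights are all constructed assumptions chosen to show the ranking, not real products or advisories.

```python
"""Rank affected systems for patching from an inventory and a set of advisories.

Added example for this page, not part of the original article or the ISF Standard.
Every asset, advisory and weight below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    software: dict            # product -> installed version string
    business_impact: int      # 1 (low) .. 3 (high), assigned by the asset owner


@dataclass
class Advisory:
    advisory_id: str          # constructed identifier, not a real advisory
    product: str
    fixed_version: str        # first version that contains the fix
    exploit_public: bool      # a working exploit has been published
    exploited_in_wild: bool   # attacks using it have been observed
    patch_available: bool     # vendor patch can actually be obtained


def version_tuple(version: str) -> tuple:
    """'4.2.1' -> (4, 2, 1); tuples compare correctly where plain strings do not ('4.10' > '4.9')."""
    return tuple(int(part) for part in version.split("."))


def affected(asset: Asset, adv: Advisory) -> bool:
    """True when the asset runs the advisory's product at a version below the fixed one."""
    installed = asset.software.get(adv.product)
    return installed is not None and version_tuple(installed) < version_tuple(adv.fixed_version)


def exposure_score(asset: Asset, adv: Advisory) -> int:
    """Business impact (1..3) multiplied by a likelihood weight (1..3).

    Assumed weights: 1 for a merely known vulnerability, +1 if a public exploit
    exists, +1 more if it is being exploited in the wild.
    """
    likelihood = 1 + int(adv.exploit_public) + int(adv.exploited_in_wild)
    return asset.business_impact * likelihood


def prioritise(assets: list, advisories: list) -> list:
    """Return (score, asset, advisory, action) rows, highest exposure first.

    'patch' when a patch can be obtained, otherwise 'mitigate' (the escape route:
    compensating controls until a patch exists or can be installed).
    """
    rows = []
    for asset in assets:
        for adv in advisories:
            if affected(asset, adv):
                action = "patch" if adv.patch_available else "mitigate"
                rows.append((exposure_score(asset, adv), asset.name, adv.advisory_id, action))
    # Highest score first; ties broken deterministically by asset then advisory.
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


# Constructed sample inventory and advisories (not real systems or advisories).
ASSETS = [
    Asset("erp-db01", {"dbserver": "4.2.1"}, business_impact=3),
    Asset("hr-web", {"webapp": "2.3"}, business_impact=2),
    Asset("print-01", {"printfw": "1.0"}, business_impact=1),
    Asset("kiosk-07", {"webapp": "2.4"}, business_impact=1),   # already fixed version
]
ADVISORIES = [
    Advisory("ADV-1", "dbserver", "4.2.3", exploit_public=True, exploited_in_wild=True, patch_available=True),
    Advisory("ADV-2", "printfw", "1.1", exploit_public=False, exploited_in_wild=False, patch_available=True),
    Advisory("ADV-3", "webapp", "2.4", exploit_public=True, exploited_in_wild=False, patch_available=False),
]


if __name__ == "__main__":
    for score, asset, advisory, action in prioritise(ASSETS, ADVISORIES):
        print(f"{score:>2}  {asset:<10} {advisory:<6} {action}")
```

Run as-is, the script lists the critical database host with the in-the-wild exploit first (score 9, patch), the HR web server second (score 4, no patch available, so mitigate), and the printer last (score 1); the kiosk already runs the fixed version and does not appear. In practice the inventory would come from the discovery and scanning described above and the advisory flags from the notification services you subscribe to, with the weights tuned to your own risk appetite.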
These recommendations reflect some of the security arrangements included in the topic CF10.1 System and Software Vulnerability Management taken from the Information Security Forum's Standard of Good Practice for Information Security (the Standard).
Mark Chaplin is Head of Strategic Projects and Tools for the Information Security Forum and Principal Author of the Standard. For more information about the Information Security Forum please visit www.securityforum.org.