Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of Security Constructs LLC, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.
I’ve been actively involved in InfraGard for many years. InfraGard is a public/FBI partnership with a primary mission of protecting critical infrastructure. Because of this partnership, I began to wonder if the U.S government had anything I could leverage in my own business operations. The answer is, “yes.”
I’ve used the guidelines from the National Institute of Standards and Technology (NIST) for many years as a basis for building information security programs around the world. While these are excellent building blocks, they don’t address my training needs in preparing for a cyber attack. So I also leverage resources from the Department of Homeland Security (DHS) and other agencies.
Here’s a look at some of the resources I find useful in testing and training for a data breach:
NIST Computer Security Handling Guide
In the back of this document (special publication 800-61) are table-top exercises to help train your incident response team.
While a bit limited in scope, they are an excellent starting point at no cost to you.
DHS/FEMA Certified Cyber Security Training
The online Domestic Preparedness Campus is a portal for
10 courses that address three demographics of your enterprise: Non-technical, Technical and Business Professional. While they are perhaps a bit broad and general at times, they are an excellent starting point for your enterprise.
The different courses include:
- Information Security for Everyone
- Cyber Ethics
- Cyber Law and White Collar Crime
- Information Security Basics
- Secure Software
- Network Assurance
- Digital Forensics Basics
- Business Information Continuity
- Information Risk Management
- Cyber Incident Analysis and Response
Homeland Security Exercise and Evaluation Program
This program from the DHS provides a standardized method of creating cyber security exercises. You work with a member of the DHS team to create and ultimately execute a testing program. My organization is currently setting up a tabletop exercise with DHS for all 23 of our organizational Information Security Officers next spring. For your company, I expect that the Training Exercises portion will prove the most valuable.
In total, they offer seven exercise types broken down into training and operational exercises.
1. Seminar – A seminar is an informal discussion designed to orient participants to new or updated plans, policies or procedures.
2. Workshop – A workshop resembles a seminar but is employed to build specific products, such as a draft plan or policy.
3. Tabletop Exercise (TTX) – A table top exercise involves key personnel discussing simulated scenarios in an informal setting.
4. Games – A game is a simulation of operations that often involves two or more teams, usually in a competitive environment using rules, data and procedure designed to depict an actual or assumed real-life situation.
5. Drill – A drill is a coordinated, supervised activity usually employed to test a specific operation or function within a single entity.
6. Functional Exercise (FE) – A functional exercise examines and/or validates the coordination, command, and control between various multi-agency coordination centers. A functional exercise does not involve any “boots on the ground.”
7. Full-Scale Exercises (FSE) – A full-scale exercise is a multi-agency, multi-jurisdictional, multi-discipline exercise involving functional and “boots on the ground” response.
Cyber Storm is a biennial exercise that provides the framework for a government-sponsored cybersecurity exercise. It is a combination of international government agencies, national and state government agencies and private industry. Its stated aims are to:
- “Examine organizations’ capability to prepare for, protect from, and respond to cyber attacks’ potential effects
- Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures
- Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information
- Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.”
Cyber Storm III was used to hone and tune the latest U.S National Cyber Incident Response Plan released early in 2011. The 2010 exercise had 60 companies participating across many industry sectors.It also tested the newly formed National Cybersecurity and Communications Integration Center, which is the “boots on the ground” hub for national cybersecurity coordination.
Managing your enterprise security and privacy risk posture can be a daunting task at times. Hackers are more sophisticated and coordinated in their attacks. It’s pretty tough out there right now but new tools, processes and procedures will ultimately gain the upper hand. You are not alone. There are a wide range of resources freely available to help build the skill sets of our teams. I remain encouraged and look forward to the battle with new hope and fortitude.