Know Thyself - An InfoSec Commandment

The aphorism, "know thyself", goes back to ancient Greece, potentially as far back as the Luxor temple of Egypt. It is commonly attributed to conversations on God or gods, but in the world of Information Security, it is particularly relevant in knowing your environment and what is within it.

Many regulatory areas, such as PCI-DSS, NIST or HIPAA, require that an organization know what is part of the specific environment seeking compliance. How does an organization begin to accomplish this?

The red-headed stepchild of InfoSec is the area of Governance, Risk, and Compliance (GRC). It doesn't get much attention in the headlines and isn't "sexy" like penetration testing or Malware reverse engineering. It is, however, critically important in the success of an organization's information security posture.

Those of us engaged in trying to protect our organizations have probably heard the saying, "Secure All of the Things!" Good thought, but what are we supposed to secure? What are "All of the Things"? Without defining what exactly we are trying to do, we are going to fail.

One very small piece of GRC is addressed in the first two activities in the Center for Internet Security's Critical Security Controls. These two items address the inventory of hardware and software, respectively. Simple, right? In reality, not so much! The CSCs are 20 simple concepts that can be easily grasped and understood. As the saying goes though, the devil is in the details.

What devices are physically connected to your network, or things that hold company data, and what is the software that runs on each? Simple to understand and address, from a very small and focused level. There are many available tools that can provide this information, much of it free and open source. "Find All of the Things!" is a much more applicable mantra to use than anything else.

The CIS did a really good job with the CSC 20 but left it up to the practitioner or organization to build upon them so as to better secure their environment. For example, what they did not explicitly mention is an inventory of data within the realm of InfoSec, or finding the components of a detailed threat model.

Accepting that hardware and software need to be inventoried, what else do you need to enumerate within your environment? Data, for one. The lifeblood of nearly every modern business, information is what drives decisions and future business. Another would be your external attack surfaces, such as public IPs and the services that reside upon them. These are all quantifiable things which need to be detailed and monitored for their validity.

Another CSC control pertinent to this area is the fourth, scanning your environment for vulnerabilities so as to perform remediation activities. Rather than pay attention to the number of vulnerabilities though, the focus should be upon the easiest to exploit and those that would have the biggest impact in your environment. The commonly used metric for this is the CVSS score. However, this can be arbitrary without context. A web application with a high impact vulnerability isn't nearly as important as one impacting your firewall if the web app only resides within your internal network. Prioritize with context is a critical component of making a significant impact in securing your organization.

One final aspect that relates to "know thyself" is an organization's risk portfolio. What risks does it face that would have a negative impact on its operations? Climatic, geographic and technological factors should all be taken into account and addressed with a mitigating control. Northern Michigan does not have the same climatic risks as Kansas, New York or California, but does have others.

If an organization can accomplish enumerating these inventories, what are they supposed to do with it? How are they supposed to derive value from those activities and the resources spent?

Those are questions that cannot, and should not, be answered solely by Information Security or IT. Remediation activities could potentially impact operations and the ability to meet organizational goals. It is up to InfoSec to engage leadership and line of business managers to provide the context of the risks and potential repercussions.

This is a fundamental concept and effort in Governance, Risk, and Compliance in any organization's security program. What are the requirements? What are the appreciable risks faced? Who decides what is necessary for business operations?

A simple concept, such as an inventory, can have far-reaching effects that lead to large, complex questions. If an organization can't manage that foundational piece though, other efforts are likely doomed.

Main Image Credit : The awesome piece of artwork used to head this article is called 'Know Thyself' and it was created by graphic designer Ryan Rushing.