Cybersecurity Practices

Incorporating cybersecurity practices into your daily life can prevent the disclosure of critical information (CI) to potential adversaries. If you’re thinking, “But I work in a control system environment; control systems don’t store CI,” then consider our definition of CI:

Information that if disclosed would have a negative impact on an organization. It includes not only trade secrets and technical specs, but also sensitive information such as the process used by systems(e.g., commands and access points), financial data, personnel records and medical information.

CI also refers to the information that protects assets, such as passwords to access systems or passcodes to enter a building or room. Recipes, formulas, and strategies are usually CI. Even information such as your name, phone number, and email address—especially when all three of these information pieces are together—may be considered sensitive, because it helps an adversary launch a social engineering or phishing attack. In control system environments, the result of CI disclosure may be severe economic impact or loss of life.

Note: Your organization's definition of CI may differ somewhat—i.e., it may be more specific or more general. However, the concepts in this course should apply regardless of any differences.

Why Do It?

You probably incorporate cybersecurity practices in your personal life without even realizing it.

For example, when you have prepared to go on a trip, have you ever done any of the following?

  • Stopped newspaper deliveries so newspapers wouldn’t pile up outside, letting people know you aren’t home?
  • Had your mail held by the post office or asked your neighbor to pick up your mail so the mailbox would not fill up?
  • Connected your porch lights and inside lights to a timer or light sensor so they would go on and off to make it look like someone is home?
  • Left a car parked in the driveway?
  • Had someone keep the lawn trimmed?
  • Asked a friend or neighbor to periodically open and close blinds or curtains?

The CI here is obvious - we do not want a burglar or other “bad guy” to know the house is unoccupied. The more clues we provide to an adversary that the house is unoccupied, the more likely it is the house will be robbed. The same holds true at work. We must reduce or obscure indicators to protect our critical information.

What’s the 5 part OPSEC process ?

Part 1: Identify CRITICAL Information

A method for identifying critical information within your company or organization is to first DETERMINE»>

  1. What adversaries might want to do…?
  2. What information willl the adversary need to accomplish their goal?
  • Be sure to analyze from both friendly and adversarial points of view.
  • It’s aggrregation of information that can be gathered on a target that poses the threat.
  • A company’s critical information could include:
    • Network structure
    • Employee data - email addresses & work schedules
    • Lists of user names
  • Social media profiles are often analyzed to aggregate information.
  • We all know the profiles are a goldmine of information for attackers. They provide an idea of »>
    • What people do…
    • Where they work…
    • What types of software are used…
    • Any issues that can be replicated in corporate environments…
    • Profile pics are also useful when gathering information…

Before you post comments or share content forums and social media, ask yourself :»>

Does this give an attacker any information they could use to build a profile {or further build} on me or in my company???

Part 2: Analyze the THREAT

A threat is a potential danger ☠️

It is often defined as any person, circumstance, or event with the potential to cause loss or damage. Threat requires both intent and capability. If one of these isn’t present, there is no threat.

To analyze a threat, you need to identify:

  1. Who are the potential adversaries (e.g., competitors, insiders, terrorists)?
  2. What is the adversary’s intent and what capabilities do they have? For example, a disgruntled employee might have different capabilities than a competitor.
  3. What does the adversary already know? For example, what might they know from researching information published on the Internet or in trade journals.
  4. What does the adversary need to know to succeed (e.g., control system commands, how to gain remote or physical access)?
  5. Where is the adversary likely to look to obtain the information (remember, an adversary is apt to go to more than one source)?

Again, thinking from the adversary’s point of view will help you analyze the threats in your work environment.

Part 3: Analyze the VULNERABILITIES

This part of the five-step process is about determining weaknesses (that is, vulnerabilities) that may be exploited by an adversary to gain critical information. Vulnerabilities include:

  • Inadequate training of employees.
  • Use of unsecured communications.
  • Publishing the control system manufacturer or vendor used.
  • Systems designed without security in mind.

It is important to think like the adversary in this step. One way to discover vulnerabilities is to look for indicators. Indicators are observable or detectable activities or information that, when looked at by themselves or in conjunction with something else, point to a vulnerability regarding your organization’s operations. For an adversary, indicators are clues that a vulnerability exists and can be exploited.

For example, a fence suddenly put up where one did not exist before could tip off an adversary that something valuable is inside the fence. Other examples of indicators include: people in unusual places, unfamiliar cars in an employee parking lot, and late-night meetings. Although indicators are not vulnerabilities by themselves, they can point to or reveal vulnerabilities.

Part 4: Assess the RISK

Assessing risk incorporates using the risk formula and conducting risk assessments.

  • Risk assessment is a process in which you decide if a countermeasure needs to be assigned to a vulnerability based on the level of risk this vulnerability poses to your organization.
  • When you assess a vulnerability, also consider the adversary’s intent and capability—is the adversary willing to exploit your vulnerability, and does he or she have the means to do so? Next, determine the consequences if the vulnerability were successfully exploited. This determines the level of risk. You then decide if the level of risk warrants the application of one or more countermeasures.
  • Looking at risk as a function of consequence (as opposed to asset value) may allow for easier calculations applicable to control system environments. Elements critical to the control domain, such as loss of life, time to recover, and environmental impact, can help in these calculations.
  • Keep in mind that consequences aren’t always something that have an immediate financial impact. The failure of a control system could result in negative media attention.

$RISK = THREATVULNERABILITYCONSEQUENCE$

risk threat vuln

risk threat vulnn

Part 5: Apply the COUNTERMEASURES

  • A countermeasure can be anything that reduces an adversary’s ability to exploit vulnerabilities. Countermeasures don’t need to be complicated or expensive. For example, locking your car door and removing the keys from the ignition are simple, smart ways to make it harder for someone to steal your car.
  • Countermeasures are implemented in an order of priority directly proportionate to the risk posed by different weaknesses (the most significant consequences to your mission, operation, or activity). Often implementing several low-cost countermeasures provides the best overall protection.
  • Consider all possible countermeasures, and then assess the potential effectiveness of each one against a specific vulnerability or multiple vulnerabilities.

Which of the countermeasures below can you implement right away to protect your systems?

  • Controlling Distribution

    • Limiting sharing of information to those who need it.

  • Cyber Protection Tools

    • Implementing anti-virus software, firewalls, and intrusion detection systems can greatly reduce an adversary’s ability to cause damage.

  • Speed of Execution

    • Accelerating the schedule can limit the ability of an adversary to act on the information they have obtained.

  • Awareness Training

    • Educating employees about all aspects of cybersecurity practices is one of the most effective countermeasures.

  • Physical Security

    • While it may be wise to employ security guard patrols, an organization must also ensure that patrol schedules are somewhat randomized, and shift changes are kept secret in order to prevent an intruder from determining a pattern.

    Section Summary 😛

    • Cybersecurity practices can prevent the disclosure of critical information to threat actors. A primary security goal is to control information about your organization’s capabilities and intentions in order to prevent such information from being exploited. The longer it takes an adversary to obtain critical information, the more time you have to discover problems and block access to the information and your assets. In addition, most of us already use cybersecurity practices in our personal lives without even realizing it.
    • Cybersecurity practices include: identifying critical information, analyzing the threat, analyzing the vulnerabilities, assessing risk, and applying countermeasures. In all steps, view the situation from both friendly and adversarial points of view.
    • Practicing cybersecurity is a continuous process, not one that “ends” when you complete the fifth step. In fact, the steps do not necessarily have to be followed in a particular order.

https://images.unsplash.com/photo-1536440136628-849c177e76a1?ixlib=rb-1.2.1&q=85&fm=jpg&crop=entropy&cs=srgb

Lets watch some movie