Business continuity strategies for cyber defence: Battling time and information overload

John Streufert
Received (in revised form): 11th August, 2010
US Department of State, IRM/IA (SA-27), Arlington, VA 22209, USA
Tel: +1 703 812 25141; Fax: +1 703 812 2547; E-mail: [email protected]

Journal of Business Continuity & Emergency Planning, Vol. 4 No. 4, pp. 303–316. © Henry Stewart Publications, 1749–9216

John Streufert joined the US Department of State in July 2006 as the Chief Information Security Officer and Deputy Chief Information Officer for Information Security. His tenure has been marked by improved grades on information security as assessed by US Congress and the creation of a leading continuous monitoring programme. In 2010, Mr Streufert was named Chief Information Security Officer of the Year by Government Executive magazine. In 2004 Mr Streufert received the Distinguished Presidential Rank award and obtained the highest IT security score of the federal government as assessed by Congress. Mr Streufert previously was Director of Information Resources for the Federal Crop Insurance Corporation, Naval Shipyards and Naval Sea Systems Command. Mr Streufert graduated from the Maxwell School of Public Affairs, Syracuse University (MPA) in 1985, and St. Olaf College (BA) in 1979 with one year at Harris Manchester College, Oxford as an exchange student.

ABSTRACT

Can the same numbers and letters which are the life blood of modern business and government computer systems be harnessed to protect computers from attack against known information security risks? For the past seven years, Foreign Service officers and technicians of the US Government have sought to maintain diplomatic operations in the face of rising cyber attacks and test the hypothesis that an ounce of prevention is worth a pound of cure. As eight out of ten attacks leverage known computer security vulnerabilities or configuration setting weaknesses, a pound of cure would seem to be easy to come by. Yet modern security tools present an unusually consequential threat to business continuity — too much rather than too little information on cyber problems is presented, harking back to a phenomenon cited by social scientists in the 1960s called ‘information overload’. Experience indicates that the longer the most serious cyber problems go untreated, the wider the attack surface adversaries can find. One technique used at the Department of State, called ‘risk scoring’, resulted in an 89 per cent overall reduction in measured risk over 12 months for the Department of State’s servers and personal computers. Later refinements of risk scoring enabled technicians to correct unique security threats with unprecedented speed. This paper explores how the use of metrics, special care in presenting information to technicians and executives alike, as well as tactical use of organisational incentives can result in stronger cyber defences protecting modern organisations.

Keywords: cybersecurity, risk, metrics, change, technology, executive

INCREASING ATTACKS

Cyber attack incidents recorded at the US Department of State increased from 2,104 in calendar year 2008 to more than 3,000 in the first six months of 2010. Attacks were measured by the number of information security service tickets opened after incidents reported by 260 embassies, consulates and 150 domestic organisations. During the same period, the proportion of attacks involving malicious software code grew from 39 per cent to 84 per cent. These trends had the US computer security team supporting foreign affairs network operations across the globe looking for answers.

Today, up to three times a day, a steady rotation of embassies, consulates and passport production facilities send the results of electronic scans to a security data warehouse in the eastern USA. Scanning tools have varied over time but currently they automatically scour the software and operating systems on Department of State personal computers and servers every one to 15 days. By the end of 2010, scans for vulnerabilities, configuration settings, password age, patching and the viability of the scanning sensors themselves will occur every 24–72 hours. Other defensive cyber security scanning activities beyond the personal computers and servers of the Department are headed in this direction of full automation.

SCAN THEN SCORE

As the scan results are sorted and recorded, a story is being written in zeros and ones on the database tables of the security data warehouse. Once every day a new calculation is made that shows security teams at the Department of State their progress in correcting known vulnerabilities and other common cyber security problems since the last scan. Answering the call for actionable information to protect business continuity, a dashboard called iPost delivers customised snapshots of the worst cyber problems. From this data source the immediate staff of ambassadors, assistant secretaries and their cyber security managers alike can learn which among ten initially implemented security factors pose the greatest threats from computer attacks by hackers and adversaries. Overall, thousands of individual tests are combined into these initial ten factors chosen by the Department of State, but especially significant are vulnerability, patching and configuration compliance. Armed for preventing the worst attacks they could face that day on their personal computers and servers, the security and system managers can fashion a tactical response to specific problems at their site location. Figure 1 provides an example of the greatest cyber problems at a particular African embassy in late 2009.

All these calculations are made possible by assigning previously agreed point values between 0–10, with ten being the worst, for common security issues that the electronic scanning tools have been designed to reveal. Importantly, the longer the cyber problem goes uncorrected, the more serious the risk for continuity of business operations. As a result, scores for uncorrected problems increase over time, as appropriate. Point scores of known risks are accumulated for every site and then converted to letter grades A+ to F– in ways the security managers may have last seen during their university training. The story of cyber problems is different in each corner of the globe, but the consequences of failing grades have never been more urgent.

TIME AND SEVERITY INCREASE RISK

When risks increase over time, more points are assessed for that corresponding problem as days elapse until corrective action is taken. For example, on the fourth line of Figure 1, AVR — Anti-virus profiles for every personal computer older than six days are marked as requiring corrective action after a grace period, costing the local security manager six ‘risk’ points a day after one week, or 42 points (6 × 7 = 42). By day eight, that mistake costs the local information systems security officer a little more, at 48 points (6 × 8 = 48) per personal computer. Risk points are added for each deficient device found daily to have old anti-virus profiles until each specific problem of that kind is fixed. Accelerators of risk in the form of 100 points plus ten additional points a day are added when the scanner for a particular personal computer, tabulated on line seven of Figure 1, SMS — SMS reporting, is not forwarding data as designed, assuming the worst until information is collected and updated to the contrary.

But this is not the only way in which matters can go quickly wrong for US diplomats or anyone else concerned about information security. Cyber attacks can target missing operating system and software patches shown in the summary on line two of Figure 1, PAT — Patch. The Department of State scans for missing patches of all kinds and then assesses three points for every personal computer patch found lacking judged to be of ‘low’ risk. Every missing ‘critical’ patch found by scanners results in an additional ten points assessed against the local security officer and their team at that embassy. Correcting critical patches first will offer the greatest reduction of risk points and safety, creating an incentive for applying one’s time to the most productive benefit.

Figure 1 The Department of State risk scoring dashboard highlights the worst cyber problems that day for the security manager at an African embassy in late 2009. Scan results in this screen shot call out vulnerabilities (10.9 per cent) and configuration setting weaknesses (71.2 per cent) for earliest corrective action. Similar average risk scores are calculated for every embassy, consulate and office every 24 hours using the most recent scanning data available.

Continuity for computer security operations also uses the National Vulnerability Database,1 where scoring cyber problems on a scale from 1–10 originated (summarised on line one of Figure 1, VUL — Vulnerability). Cyber vulnerabilities valued with eight, nine or ten are among the worst known and referenced according to the Common Vulnerability Scoring System.2 But there are many hundreds of thousands of vulnerability risks rated from 1–4 points across the Department of State network and its 400+ discrete computer management operating units. Key to success against cyber attacks is whether the worst known cyber problems are found and corrected before it is too late. Early attention to security problems dealing with the ‘worst first’ is part of a plan to minimise cyber disruptions to embassy computer operations from known threats.

INFORMATION OVERLOAD

Harnessing this mountain of metrics for correcting known vulnerabilities creates its own challenge as thousands of potential weaknesses in every embassy and office are accumulated into millions of risk points across the enterprise. Drowning in scanning information about cyber risk, program managers responsible for Department of State risk scoring drew parallels with descriptions of sensory overload on people and organisations common in social science literature in the 1960s. The idea of ‘information overload’ made popular by Alvin Toffler suggests that people can have difficulty understanding issues and deciding what to do because of the presence of too much information.3

For example, numerous studies have seized on the related problems that pilots face in war from reading disorganised cockpit instrumentation. Similarly, New World Encyclopedia cites general causes of information overload the Department of State would consider in managing its collection of cyber security data, including:4

• a rapid increase in the production rate of new information;

• an increase in the available channels of incoming information;

• large amounts of historical information;

• contradictions and inaccuracies in available information;

• a low signal-to-noise ratio (informally, the ratio of useful information to false or irrelevant data);

• a lack of a method for comparing and processing different kinds of information.

Mica Endsley and Robert Smith note in their article ‘Attention distribution and decision making in tactical air combat’:

‘Even with the handicap of constrained information about the environment, there is a tremendous problem with information overload. Piecemeal addition of systems and lack of integration of information are often cited as major contributing factors.’5

To address the problem of information overload plaguing the foot soldiers in cyber conflict, the Department of State began experimenting with a range of solutions that could adjust when, where and how data on known security problems are delivered up for action.

SPECIAL THREAT DESIGNATIONS

The so-called Google — Operation Aurora attack publicised in January 2010 is a good case study.6 The Department of State, like the rest of the US federal government, faced the arduous task of remediating two Internet Explorer vulnerabilities in succession to protect against exfiltration of data and account information. As part of the initial defensive response, a Microsoft Internet Explorer patch number MS10-012 needed to be installed on 80,000 computers in 24 time zones without delay. To mobilise against this potential attack vector, the Department of State set aside the usual 0–10 risk point scale and created a ‘special threat designation’. Special threat designations vary in point values assigned, but are arrived at by agreement of the 11 organisations that collectively manage the specialisation areas of operational cyber security for the Department of State as a whole. So instead of ten points charged for a missing MS10-012 patch, over the course of two months technicians and Foreign Service officers were charged 40, then 80, then 120, then 160, then 280 risk points each time scanners found MS10-012 missing on a specific computer or server at a particular embassy.

By early April 2010, a second generation solution emerged for the Google — Operation Aurora threat. Adjusting tactics, the Department of State charged 40 points when scanners discovered the MS10-018 patch had not been properly installed. Hearing a mobilisation call from their customised dashboard, security managers at the Department of State rapidly refocused how they spent their time locally repairing known cyber problems. With results tracked by Dr George Moore, supervisory computer scientist in the Office of Information Assurance, charging 40 risk points for uncorrected Google — Aurora MS10-018 problems resulted in increasing coverage of patching from 20 per cent to 85 per cent complete in six days across the Department of State (see Figure 2).

THE MARKET OF RISK

Patching progress on Operation Aurora follows a pattern of predictable behaviour Dr Moore has been statistically tracking for the past seven years. A ‘market of risk’ began emerging first at USAID in 2003 and then at the Department of State beginning in 2008. Risk points estimate the relative threat value of uncorrected cyber security problems. Points accumulate as measured by regular scanning and disappear from the risk accounts when the problems are corrected. Risk points have a universally accepted value across the computer management organisations of the Department of State, but of course the number of devices, cyber problems and associated risk point totals vary at each location.

Figure 2 Increased patching efficiency using a ‘market of risk’: case example of the Google — Operation Aurora attack. [Chart: expedited MS10-018 installation coverage, 0–100 per cent, plotted 2nd–16th April 2010; risk scoring moves the State Department from 20 to 85 per cent patched in six days, 3rd–9th April 2010.] The Department of State increased installation coverage of the Google — Operation Aurora patch number MS10-018 from 20–85 per cent across 24 time zones between 3rd–9th April. The charge of 40 risk points was assigned for not installing this missing patch as a ‘special risk designation’, four times higher than the ten-point value assigned in the National Vulnerability Database.

Because a chain is only as strong as its weakest link, for the purposes of enterprise-level defensive cyber security, the Department needed to measure the relative risk per site location. Much like share prices of a particular company in stock markets, the average amount of risk per ‘host’ is calculated for each embassy. The need has been subsequently found to assess risk per applicable ‘object’, as some risk accrues for each user with an old password (for example), rather than for a host. But the basic principle is still the same: one needs a normalised score to compare one site fairly with another site of different size.

By summing risk points measured by scans of their equipment and dividing by the total number of personal computers and servers, an embassy’s average share of risk could be consistently evaluated in comparison with progress in the rest of the Department. At the end of each day, the average cyber scores for each computer and server at every location across the enterprise are calculated and recorded for review in the iPost dashboard.

LETTER (GRADE) OF WARNING

At this stage, millions of risk points representing hundreds of thousands of discrete problems in the enterprise are reduced to a little more than 400 letter grades from A+ to F–. Consistently high (bad) scores capture the most concern. For all organisations with a calculated grade C– and below for the previous three months, an automated letter of warning is delivered simultaneously to the lead technicians and to the immediate staff of the Consul General, Ambassador and the Assistant Secretaries. The once-a-month ritual of issuing failing grades to a group of lagging organisations signals a warning that these computer operations are at an especially prominent risk to their business in comparison with their peer consulates, embassies or offices in the Department.

To analyse readiness against known attacks across the Department of State as an enterprise, Figure 3 shows the grade curve initially used: an average of 40 risk points or less per host as the dividing line for a grade of A+, with a graduated scale up to F–. Grading on a normal curve began in July 2008, with an approximately equal number of A and F scores along with the expected larger number of Cs. This grade curve had a technical component, but the approach to business change is judged to be more instrumental to a favourable outcome over time.
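The scoring rules set out above (points that grow with the age of a problem, the 100-point accelerator for a sensor that stops reporting, three and ten points for missing low and critical patches, the escalating special threat designation for MS10-012, CVSS base scores for vulnerabilities), the per-host normalisation and the letter grade curve can be put together as one small scorer. The following is an added worked example written for this page; it is not the Department of State’s iPost code. The cadence at which a special threat designation escalates, the width of the grade bands below A+, and every site, host and finding in the sample are assumptions, not figures from the article.

```python
"""Risk scoring, per-host normalisation and letter grades (added example).

Point values come from the article: AVR 6 points per PC per day once the
anti-virus profile is older than six days; a scanner (SMS) that stops
reporting costs 100 points plus 10 per day; a missing 'low' patch 3 points
and a missing 'critical' patch 10; the MS10-012 special threat designation
escalated 40/80/120/160/280 per scan; vulnerabilities carry their CVSS base
score; an average of 40 points per host or less is an A+.
Assumptions: the escalation cadence (12 days per step here) and the grade
bands below A+.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Tuple

AVR_POINTS_PER_DAY = 6
AVR_MAX_AGE_DAYS = 6            # profiles up to six days old cost nothing
SMS_BASE_POINTS = 100
SMS_POINTS_PER_DAY = 10
PATCH_POINTS = {"low": 3, "critical": 10}
SPECIAL_THREATS = {"MS10-012": [40, 80, 120, 160, 280]}
SPECIAL_THREAT_STEP_DAYS = 12   # assumption: how long each escalation step lasts

GRADES = ["A+", "A", "A-", "B+", "B", "B-", "C+", "C", "C-",
          "D+", "D", "D-", "F+", "F", "F-"]
# Upper bound of each band as a multiple of the A+ cut-off (assumed spacing).
BAND_MULTIPLIERS = [1, 1.5, 2, 2.5, 3, 4, 5, 6, 7, 8, 9, 10, 12, 14]


@dataclass(frozen=True)
class Finding:
    site: str
    host: str
    kind: str            # "AVR" | "SMS" | "PAT" | "VUL"
    since: date          # profile date, last sensor report, or first scan missing the item
    detail: str = ""     # PAT: "low", "critical" or a special-threat patch id
    cvss: float = 0.0    # VUL: CVSS base score


def finding_points(f: Finding, today: date) -> float:
    """Points this finding costs on `today`; most kinds grow with age."""
    age = (today - f.since).days
    if f.kind == "AVR":
        # 42 points on day 7, 48 on day 8, as in the article.
        return AVR_POINTS_PER_DAY * age if age > AVR_MAX_AGE_DAYS else 0
    if f.kind == "SMS":
        # Assume the worst until the sensor reports again.
        return SMS_BASE_POINTS + SMS_POINTS_PER_DAY * age
    if f.kind == "PAT":
        schedule = SPECIAL_THREATS.get(f.detail)
        if schedule:  # a special threat designation replaces the usual 10 points
            step = min(age // SPECIAL_THREAT_STEP_DAYS, len(schedule) - 1)
            return schedule[step]
        return PATCH_POINTS[f.detail]
    if f.kind == "VUL":
        return f.cvss
    raise ValueError(f"unknown finding kind {f.kind!r}")


def letter_grade(avg_per_host: float, a_plus_cutoff: float = 40.0) -> str:
    """Map average risk per host to a letter; a lower cut-off recalibrates the curve."""
    for grade, mult in zip(GRADES, BAND_MULTIPLIERS):
        if avg_per_host <= a_plus_cutoff * mult:
            return grade
    return GRADES[-1]


def score_sites(findings: Iterable[Finding], hosts_per_site: Dict[str, int],
                today: date, a_plus_cutoff: float = 40.0) -> Dict[str, Tuple[float, float, str]]:
    """Per site: (total points, average points per host, letter grade).

    Dividing by host count is what lets a small consulate be compared with a
    large embassy; hosts with no findings still count in the denominator.
    """
    totals = {site: 0.0 for site in hosts_per_site}
    for f in findings:
        totals[f.site] += finding_points(f, today)
    return {site: (total, total / hosts_per_site[site],
                   letter_grade(total / hosts_per_site[site], a_plus_cutoff))
            for site, total in totals.items()}


def worst_hosts(findings: Iterable[Finding], today: date, site: str,
                n: int = 10) -> List[Tuple[str, float]]:
    """The 'worst first' list for one site, as on the Figure 5 dashboard."""
    by_host: Dict[str, float] = {}
    for f in findings:
        if f.site == site:
            by_host[f.host] = by_host.get(f.host, 0.0) + finding_points(f, today)
    return sorted(by_host.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample scan for one day; sites, hosts and findings are illustrative.
TODAY = date(2010, 4, 9)
SAMPLE_FINDINGS = [
    Finding("Embassy-A", "pc-0001", "AVR", date(2010, 4, 2)),               # 7 days -> 42
    Finding("Embassy-A", "pc-0002", "AVR", date(2010, 4, 1)),               # 8 days -> 48
    Finding("Embassy-A", "pc-0005", "AVR", date(2010, 4, 5)),               # 4 days -> 0
    Finding("Embassy-A", "srv-1385", "SMS", date(2010, 4, 4)),              # 100 + 10 * 5
    Finding("Embassy-A", "srv-1385", "PAT", date(2010, 2, 10), "MS10-012"),  # 58 days -> 280
    Finding("Embassy-A", "pc-0003", "PAT", date(2010, 4, 1), "critical"),
    Finding("Embassy-A", "pc-0003", "PAT", date(2010, 4, 1), "low"),
    Finding("Embassy-A", "pc-0004", "VUL", date(2010, 3, 30), cvss=9.3),
    Finding("Consulate-B", "pc-0101", "PAT", date(2010, 4, 5), "low"),
    Finding("Consulate-B", "pc-0102", "VUL", date(2010, 4, 5), cvss=4.3),
]
HOSTS_PER_SITE = {"Embassy-A": 6, "Consulate-B": 4}

if __name__ == "__main__":
    for site, (total, avg, grade) in score_sites(SAMPLE_FINDINGS, HOSTS_PER_SITE, TODAY).items():
        print(f"{site}: {total:.1f} points, {avg:.1f} per host, grade {grade}")
    print("Worst hosts at Embassy-A:", worst_hosts(SAMPLE_FINDINGS, TODAY, "Embassy-A", 3))
```

In the sample, one server with a silent sensor and the Aurora patch still missing carries 430 of the embassy’s 542.3 points, which is exactly the kind of concentration the ‘worst first’ view is meant to surface; passing `a_plus_cutoff=13.0` to `score_sites` regrades the same scan under the tougher late-2010 curve.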

CHANGE

Expectations of change in cyber security need to be initially achievable and always fair. At both USAID and the Department of State it has proven essential to begin each pilot activity with an achievable outcome for some part of the community, no matter how low or unacceptable the initial grading standard. Four number ten vulnerabilities on the CVSS scale or 40 points per host is hardly laudable, but if everyone were rated D and F at the outset the pattern of desired progress and stronger security culture would never emerge.

When the participating managers see that success is achievable and begin to see for themselves measurable improvements at the local level, a contagious pattern of competition and continuous improvement begins to occur. This functions like an engine fuelled by a combination of metrics and professional competition. Yet, confidence that the measurement system or market of risk is fair cannot be assumed. Confidence must be earned by the program managers who sponsor risk scoring and continually be revalidated by the participating organisations.

As shown in Figure 4, on 28th March, 2009 a 250-point drop in risk was assigned to embassies and consulates. Beneath this change was the culmination of several months of discussion among overseas security managers. A headquarters sponsored administrative software suite was determined by security scanners to be using a version of Java Runtime Environment (JRE) that was two generations out of date. A range of associated security problems were showing up in embassy risk score cards and letter grade improvement on cyber security at embassies was stalled.

Embassy security managers argued that they could not fix this corporate application. As such, risk points discovered by scans for JRE problems on that day were reassigned from embassies to the software development executive at corporate headquarters until the software could be updated. This process of granting exceptions is limited to cases where a problem cannot be fixed at a particular site or when the scanners consistently and incorrectly record false positives for a particular deficiency. The term ‘exception’ means the default assumption that all risks belong to the primary manager(s) of the device is not valid. Therefore risk must be ‘transferred’ to another manager who is actually responsible for the risk. Managing exceptions takes time and detailed adjustments in the security dashboard, but was judged essential to protect confidence and fairness in the execution of the risk market. Risks related to exceptions are tracked separately until a technical solution is found to allow local security managers to make the repairs themselves.

Figure 3 Enterprise-wide risk score monitor. By November 2009, the original grading scale on a curve with an average score of 40 points for an A+ (shown in the oval) was showing its age as Department of State security managers grew in experience. To re-establish the normal curve during 2010, with the agreement of operational security managers, the grading curve was made gradually more difficult over six incremental phases, peaking at an average of 13 points per host to achieve the same A+ rating in late 2010.

Sustaining a security market of risk is hardly a ‘fire and forget’ exercise in other respects. By late 2009, a disproportionately high percentage of the Department of State organisations rated a letter grade A and B, shown on the right half of Figure 3. To re-establish a normal curve of letter grade distribution, in early 2010 the coalition of organisations responsible for defensive cyber security at the Department began re-calibrating the grading scale in six equal increments to make it three times more difficult to achieve the same letter grade, shown in the shaded rectangle in Figure 3. By July 2010, only part way through the change towards tougher grading standards, the reduction in measured risk on personal computers and servers had moved from at least 89 per cent to 93 per cent overall for the Department of State.

This change represented an improvement of one-third of the remaining risk problems to correct, even after subtracting for security issues which could not be repaired by local system managers due to technical problems beyond their control.
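Granting an exception is a change of accountability, not a deletion of risk, and the recalibration of the grading curve is a change to the threshold, not to the points. The following added example (written for this page, not the Department of State’s iPost code) models both mechanics described above: scored findings default to the site that manages the device; the out-of-date JRE shipped with the headquarters application is transferred to a hypothetical ‘HQ software development’ owner; a consistent scanner false positive is suppressed; and both kinds of exception are kept in their own lists so they can be tracked separately. A second function lists the six equal steps that take the A+ cut-off from 40 to 13 points per host. The site names, host names, rule predicates and point values are constructed.

```python
"""Exceptions (risk transfer) and grading-curve recalibration (added example).

Not the Department of State's code. Owner name, rules and sample data are
constructed; the 40 -> 13 cut-off and the six equal steps come from the text.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ScoredFinding:
    site: str
    host: str
    kind: str       # "VUL", "PAT", "AVR", ...
    detail: str     # what the scanner reported, e.g. product or patch id
    points: float   # risk points already assessed for today's scan


@dataclass(frozen=True)
class RiskException:
    name: str
    matches: Callable[[ScoredFinding], bool]
    transfer_to: Optional[str]   # accountable owner; None means confirmed false positive
    reason: str                  # why the default owner is not responsible


Ledger = List[Tuple[ScoredFinding, str]]


def apply_exceptions(findings: List[ScoredFinding],
                     exceptions: List[RiskException]) -> Tuple[Dict[str, float], Ledger, Ledger]:
    """Return (points per accountable owner, transferred findings, suppressed findings).

    Every finding starts in the account of the site that manages the device.
    The first matching exception either moves it to another owner's account
    or, for a false positive, removes it from all accounts. Nothing is lost:
    the transferred and suppressed ledgers are what gets tracked separately.
    """
    accounts: Dict[str, float] = {}
    transferred: Ledger = []
    suppressed: Ledger = []
    for f in findings:
        owner: Optional[str] = f.site
        for ex in exceptions:
            if ex.matches(f):
                owner = ex.transfer_to
                (suppressed if owner is None else transferred).append((f, ex.name))
                break
        if owner is not None:
            accounts[owner] = accounts.get(owner, 0.0) + f.points
    return accounts, transferred, suppressed


def a_plus_cutoffs(start: float = 40.0, end: float = 13.0, phases: int = 6) -> List[float]:
    """A+ cut-off (average points per host) at each recalibration phase, 40 down to 13."""
    step = (start - end) / phases
    return [start - step * i for i in range(phases + 1)]


# Constructed sample: two embassies running the headquarters suite with its old JRE,
# plus a print server the anti-virus check keeps flagging although it runs no AV agent.
SAMPLE = [
    ScoredFinding("Embassy-A", "pc-0001", "VUL", "JRE 1.5 (HQ admin suite)", 250.0),
    ScoredFinding("Embassy-A", "pc-0003", "PAT", "critical", 10.0),
    ScoredFinding("Embassy-B", "pc-0201", "VUL", "JRE 1.5 (HQ admin suite)", 250.0),
    ScoredFinding("Embassy-B", "prn-0001", "AVR", "no profile", 42.0),
    ScoredFinding("Embassy-B", "pc-0202", "VUL", "", 7.5),
]
EXCEPTIONS = [
    RiskException("hq-jre", lambda f: "HQ admin suite" in f.detail,
                  "HQ software development",
                  "corporate application; sites cannot update its bundled JRE"),
    RiskException("printer-avr", lambda f: f.kind == "AVR" and f.host.startswith("prn-"),
                  None, "scanner false positive: print servers carry no anti-virus agent"),
]

if __name__ == "__main__":
    accounts, moved, dropped = apply_exceptions(SAMPLE, EXCEPTIONS)
    print(accounts)
    print(len(moved), "transferred,", len(dropped), "suppressed")
    print("A+ cut-offs by phase:", a_plus_cutoffs())
```

Because the transferred points land in a named account rather than vanishing, the headquarters owner’s 500 points are visible on the same dashboard as the embassies’ scores, which is what keeps the market fair for sites that genuinely cannot act.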

CHANGE FROM THE TOP

A new, stronger defensive cyber security culture and solutions to protect business continuity necessarily originate from the top rather than the bottom of modern public and private sector organisations. As elemental as it seems, someone in authority must assert that a priority will be placed on lowering threats to operational disruptions from known cyber security problems. After that threshold is met, how to go about the change is almost counter-intuitive. Models of strict command and control, and heavy centralisation of authority rarely match the way information systems are deployed or operated in modern organisations.

At the Department of State in 2007, the Chief Information Officer was directly responsible for only 1,500 of her Bureau of Information Resources Management personal computers among the 100,000 devices across all Department bureaus, embassies and consulates. Discussions with other Cabinet departments and private corporations indicate that a similar pattern of highly decentralised structure of information systems operations is commonplace and therefore creates security management challenges for coordination and better results.

Figure 4 A technique called risk scoring resulted in an overall reduction of 89 per cent or more of measured risk for known vulnerabilities on personal computers and servers at the Department of State in the 12 months ending in July 2009. [Chart: two series, domestic sites and foreign sites, plotted from 1st June 2008 to 25th August 2009 on a 0–1,200 scale and annotated ‘89% reduction’ and ‘90% reduction’.]

When the US Congress began issuing letter grades to US Cabinet departments in 2002 under the Federal Information Security Management Act, the Department of State accumulated four Fs and one D– grade in the first five years. To improve, the Department needed to find a way to take the ‘F’ grade off the shoulders of the top technical managers in Washington and push resolution of the cyber problems out to the far reaches of the organisation. It was out of this urgency to match accountability for problems that could only be fixed on the local level that metrics measuring corrective action, a market of risk and letter grades for tracking accountability for improvements in security materialised.

HUMAN POTENTIAL

Where does the human potential for this solution come from? Again, the modern organisational problem of cyber security in a decentralised organisation needs careful thought about employees, their basic motivation and their role in making the enterprise safer. Douglas McGregor wrote in the 1960s about Theory X and Theory Y applied to managing a workforce. Theory X assumes employees ‘avoid work and are inherently lazy’. In comparison, ‘theory Y managers believe that employees will learn to seek out and accept responsibility’.7 The conclusion at the Department of State was that security managers on the local level want their organisation to be safer, but they need timely, targeted and prioritised information to be successful. Information overload at every level of the organisation urged those working cyber problems at the Department of State to collectively search for metrics with the most meaning.

TIMELY

Faith in one’s employees and the annual volume of information or physical weight of security reports on the shelf are not enough. Earlier generations of security programmes satisfied themselves with occasional scanning. The Department of State currently experiences ten different attack vectors a day and that number is climbing. Scanning data need to be timely to be effective. Security managers need to know if the patches they installed, vulnerabilities they corrected and security settings they hardened in the last 48 hours were successful.

Even more disturbing is the false sense of security that comes from detailed, lengthy narrative reports on compliance with security controls. To test the volatility of the security environment, the Department of State measured the total number of substantive changes on its network, comparing two full configuration scans 15 days apart. This calculation revealed that 150–200 significant software changes were occurring every week, or a staggering 24,000 changes over a three-year period. The regrettable conclusion was that written reports based upon compliance with security controls, prepared as infrequently as required (once every three years under US federal regulation),8 were out of date before they could be printed and placed in three-ringed binders.
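The volatility measurement described above (two full configuration scans 15 days apart, substantive changes counted and converted into a weekly rate) can be reproduced with a short snapshot comparison. This is an added example written for this page, not the Department of State’s tooling; the two snapshots, the host names and the version strings are constructed, and ‘substantive change’ is taken here to mean software added, removed or changed in version on a host.

```python
"""Configuration volatility from two full scans (added example, constructed data)."""
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, str]]   # host -> {software name: version}
Change = Tuple[str, str, str, str, str]  # (host, software, change, old version, new version)


def substantive_changes(before: Snapshot, after: Snapshot) -> List[Change]:
    """Every software addition, removal or version change between two scans.

    A host present in only one snapshot contributes all of its software as
    added or removed, so new and decommissioned machines are counted too.
    """
    changes: List[Change] = []
    for host in sorted(set(before) | set(after)):
        old, new = before.get(host, {}), after.get(host, {})
        for sw in sorted(set(old) | set(new)):
            if sw not in old:
                changes.append((host, sw, "added", "", new[sw]))
            elif sw not in new:
                changes.append((host, sw, "removed", old[sw], ""))
            elif old[sw] != new[sw]:
                changes.append((host, sw, "changed", old[sw], new[sw]))
    return changes


def weekly_rate(change_count: int, interval_days: int) -> float:
    """Changes per week implied by a count observed over `interval_days`."""
    return change_count * 7 / interval_days


def projected_changes(per_week: float, years: int = 3) -> int:
    """Changes expected over the life of a report revised every `years` years."""
    return round(per_week * 52 * years)


# Constructed snapshots of four hosts, 15 days apart.
SCAN_DAY_0: Snapshot = {
    "pc-0001": {"Internet Explorer": "8.0.6001", "Java Runtime Environment": "1.5.0_22"},
    "pc-0002": {"Internet Explorer": "8.0.6001", "Adobe Reader": "9.1"},
    "pc-0003": {"Internet Explorer": "8.0.6001"},
}
SCAN_DAY_15: Snapshot = {
    "pc-0001": {"Internet Explorer": "8.0.6001", "Java Runtime Environment": "1.6.0_19"},
    "pc-0002": {"Internet Explorer": "8.0.6001"},
    "pc-0003": {"Internet Explorer": "8.0.6001", "Firefox": "3.6.3"},
    "pc-0004": {"Internet Explorer": "8.0.6001"},   # host added between scans
}

if __name__ == "__main__":
    diff = substantive_changes(SCAN_DAY_0, SCAN_DAY_15)
    for row in diff:
        print(row)
    rate = weekly_rate(len(diff), 15)
    print(f"{len(diff)} changes in 15 days = {rate:.1f} per week, "
          f"{projected_changes(rate)} over a three-year report cycle")
    # At the article's 150-200 changes a week the three-year figure is 23,400-31,200.
    print(projected_changes(150), projected_changes(200))
```

Run against real inventory exports, the same function is the basis for a simple drift alarm: any week whose `weekly_rate` jumps well above the trailing average is a week in which the last written compliance report is already wrong.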


TARGETED

Numerous security tool vendors offer a wide range of reports, but the flood of data does not always distinguish which cyber security problems are most threatening to operational continuity at a particular site like an embassy, a particular region, a particular system owner or even performance of a particular contractor doing security work. ‘The One to One Fieldbook: The Complete Toolkit for Implementing a 1 to 1 Marketing Program’ by Peppers et al. offers a conclusion worth noting.9 Writing for the Harvard Business Review about the conclusions of their book, these authors said: ‘It’s one thing to train a sales staff to be warm and attentive; it’s quite another to identify, track, and interact with an individual customer and then reconfigure your product or service to meet that customer’s needs’.10 Ironically, the kindest response for the purposes of business continuity will be the cold shoulder of metrics to help the customer force a precise list of cyber problems away from the forward path and progress of their organisation. Made actionable, Figure 5 shows how server number 1385 (by the length of its bar of risk) is more than twice as dangerous as the next nine most serious problems for one African embassy on one day last year.

Targeted metrics at the Department of State mean targeted attention on the worst cyber problems and another tool to deal with information overload. Technicians and executives draw their own metrics from the same database, but each of these distinct audiences views content customised to their needs. Executives view letter grades and ranking within region and the enterprise. Technicians view details appropriate to the scope of their responsibility whether local, regional or enterprise-wide.

Figure 5 Sample risk metrics

Information from the Department of State risk dashboard both directs attention of local cyber security managers to the ten worst personal computers and highlights the relative risk on each device to allow targeted attention to the greatest threats. Progress for the most recent six months for this African post in late 2009 is shown on the bottom half of the screen.

PRIORITISED

Successful use of metrics for prioritised attention against cyber security problems takes several forms that work together. In every category, the greater the risk point value assigned to a particular problem, the worse the security problem is judged to be (the worst typically worth ten points). When adding together problems for a site or enterprise calculation, one might be tempted to equate two number four vulnerability risks with one eight-point risk. In fact, a number eight weakness measured in the National Vulnerability Database is far more dangerous.

To avoid this methodological problem, the Department of State cubes all vulnerability risk numbers and divides by 100. Such a carefully designed mathematical strategy preserves the 0–10 scale which is readily understood by everyone, but attaches an electronic strobe light to the number eight, nine and ten risks. Cubing and dividing by 100 therefore preserves simplicity for those working the problems and simultaneously offers a practical approach to dealing with information overload. If special threat designations highlight the ten worst cyber problems in any particular year, cubing and dividing by 100 is the defensive weapon of choice for the worst 1,000 problems an organisation should address on a priority basis at any point in time.
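The cube-and-divide-by-100 transform, together with the per-host ‘ten worst’ ranking that Figure 5 displays, as an added Python example that is not the Department of State’s dashboard code. The findings, host names and finding identifiers are constructed; the only assumption about the input is that each finding carries a 0–10 severity such as a CVSS base score from the National Vulnerability Database:

```python
"""Risk scoring with the cube-and-divide-by-100 transform.

Added example (not the Department of State's code). Each finding carries a
0-10 severity; a CVSS base score from the National Vulnerability Database is
the assumed source. risk_points() cubes the severity and divides by 100, so
the 0-10 scale survives but eights, nines and tens dominate any total.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Finding = Tuple[str, str, float]   # (host, finding id, severity 0-10)


def risk_points(severity: float) -> float:
    """Cube a 0-10 severity and divide by 100: 10 stays 10, 8 -> 5.12, 4 -> 0.64."""
    if not 0.0 <= severity <= 10.0:
        raise ValueError(f"severity must be on the 0-10 scale, got {severity}")
    return severity ** 3 / 100


def host_totals(findings: Iterable[Finding]) -> Dict[str, float]:
    """Sum risk points per host."""
    totals: Dict[str, float] = defaultdict(float)
    for host, _, severity in findings:
        totals[host] += risk_points(severity)
    return dict(totals)


def worst_hosts(findings: Iterable[Finding], n: int = 10) -> List[Tuple[str, float]]:
    """The dashboard's 'ten worst' list: hosts ranked by total risk points, worst first."""
    return sorted(host_totals(findings).items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def site_total(findings: Iterable[Finding]) -> float:
    """Aggregate risk points for a site, the figure an executive would see."""
    return sum(host_totals(findings).values())


# Constructed findings for one hypothetical site; hosts and ids are placeholders.
FINDINGS: List[Finding] = [
    ("srv-a", "VULN-1", 9.3),
    ("srv-a", "VULN-2", 4.0),
    ("srv-b", "VULN-3", 4.0),
    ("srv-b", "VULN-4", 4.0),
    ("srv-b", "VULN-5", 4.0),
    ("ws-c",  "VULN-6", 8.0),
    ("ws-d",  "VULN-7", 10.0),
    ("ws-d",  "VULN-8", 2.0),
]

if __name__ == "__main__":
    # Linear addition would call two fours (8.0) equal to one eight; cubing does not.
    print(f"two 4s: {2 * risk_points(4):.2f} points, one 8: {risk_points(8):.2f} points")
    for host, points in worst_hosts(FINDINGS):
        print(f"{host:6} {points:6.2f} {'#' * round(points * 3)}")
    print(f"site total {site_total(FINDINGS):.2f}")
```

With these inputs two fours add to 1.28 points against 5.12 for a single eight, and srv-b, which carries three medium findings, ends the ranking below the single-finding host ws-c; that ordering is the ‘strobe light’ the text describes.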

CONSENSUS AUDIT GUIDELINES (CAG)

Priorities are important on the operational level, but they are equally important for tactical and strategic decision making when protecting the continuity of business operations. After conducting a detailed analysis of cyber incidents reported to the Department of Homeland Security, the Department of State found that 60 per cent of its incidents were associated with the anti-malware defences category of the Consensus Audit Guidelines.

Also known as the 20 Critical Controls, the Consensus Audit Guidelines were defined by a consortium of leading security experts under the auspices of the Center for Strategic and International Studies.11 In fact, approaching 100 per cent of unclassified cyber attacks at the Department of State in the 11 months ending in February 2009 that were reported to the Department of Homeland Security covered just five of the 20 Critical Controls. The security dashboard was designed to take these findings into account, starting with the elements of greatest risk and moving outwards in priority order of risk.

The CAG project is led by John Gilligan, who served as Chief Information Officer for both the US Air Force and the US Department of Energy and served on the Obama transition team focusing on IT within the Department of Defense and the Intelligence Community. Of the CAG project, Gilligan says: ‘It is a no brainer. If you know that attacks are being carried out, you have a responsibility to prioritize your security investments to stop those attacks.’12

IMPLEMENTATION STRATEGIES

As detailed below, several strategies have proven beneficial to implement in a defensive cyber security programme grounded in continuous monitoring on the foreign affairs community networks.


Strategy 1: Name standards with special threat designations

Common measurement criteria such as point values (0–10) assigned to match the severity of cyber security risks will guide the creation of a stronger security culture for an organisation. Designate higher scores for special threats to mobilise urgent corrective action. Keep the public-facing scoring standards straightforward and readily understandable, such as using letter grades A to F.

Strategy 2: Narrow aim to security controls under greatest attack

Avoid the mistake of treating all potential ways to harm information systems equally. Analyse patterns of attack on an organisation against the 20 Critical Controls.13 As part of a continuous improvement programme, correct the worst problems first, moving down the list of threats in priority order. Refocus the aim as attack patterns shift.

Strategy 3: Target specific gains such as technical control data efficiency

No organisation has enough resources to ‘boil the ocean’. Applied to cyber security, methodically assess what tools an organisation has, the period of scanning and the accuracy of scanning results. Beginning with attack vectors of greatest concern, improve the efficiency of identifying and fixing known vulnerabilities and correcting configuration setting weaknesses. Invest in data quality.

Strategy 4: Pilot manageable segments of the environment

One of the author’s first supervisors told him: ‘Young man, take care not to try to put two bullets into the chamber at the same time’. Evaluate the capacity of the organisation. Do not dilute the truly critical with the mundane. Test new security improvements on a limited group, applying lessons and feedback from customers in the process. Listen carefully. Encourage change and continuous improvement up to, but not triggering, an immune response.

Strategy 5: Pursue metrics with the most meaning — Timely, targeted and prioritised

The pace and nature of cyber attacks lead to information overload. Timely, targeted and prioritised metrics should be fashioned to the unique needs of customers. By organising information to deal with the worst problems first, the professionalism of the workforce will be used to greatest advantage. This strategy will create incentives and accountability when combined with letter grades sent to both technical and executive managers for dealing with the worst problems first.
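The attack-pattern analysis of the CAG section (which controls account for most reported incidents) and Strategies 1 and 2 (letter grades and narrowing aim to the controls under attack), as one added Python example that is not the Department of State’s dashboard code. The incident records are constructed, the control names are taken from the 20 Critical Controls catalogue but the assignment of each incident to a control is invented for illustration, and the A to F thresholds are assumptions since the paper gives none:

```python
"""Attack-pattern concentration against a control catalogue, and letter grades.

Added example, not the Department of State's dashboard code. The incident
records are constructed; the control names come from the 20 Critical Controls
catalogue, but the mapping of each incident to a control and the A-F grade
ceilings are assumptions made for illustration (the paper gives neither).
"""
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed incident log: (incident id, control whose failure it reflects).
INCIDENTS: List[Tuple[str, str]] = [
    ("INC-%02d" % i, control) for i, control in enumerate(
        ["anti-malware defences"] * 12
        + ["boundary defence"] * 4
        + ["secure configurations"] * 2
        + ["application software security"]
        + ["account monitoring"],
        start=1)
]


def incidents_by_control(incidents: Iterable[Tuple[str, str]]) -> List[Tuple[str, int, float]]:
    """Rank controls by incident count, most attacked first, with each one's share."""
    counts = Counter(control for _, control in incidents)
    total = sum(counts.values())
    return [(control, n, n / total) for control, n in counts.most_common()]


def controls_covering(incidents: Iterable[Tuple[str, str]], fraction: float) -> List[str]:
    """Shortest prefix of the ranked controls whose cumulative share reaches `fraction`.

    This is Strategy 2's 'narrow aim': the few controls that account for most
    observed attacks are where remediation effort goes first.
    """
    chosen: List[str] = []
    cumulative = 0.0
    for control, _, share in incidents_by_control(list(incidents)):
        chosen.append(control)
        cumulative += share
        if cumulative >= fraction - 1e-9:
            break
    return chosen


# Assumed grade ceilings on average risk points per host (not from the paper).
GRADE_CEILINGS = (("A", 1.0), ("B", 3.0), ("C", 5.0), ("D", 8.0))


def letter_grade(avg_risk_points_per_host: float) -> str:
    """Public-facing A to F grade for a site or region (Strategy 1)."""
    for grade, ceiling in GRADE_CEILINGS:
        if avg_risk_points_per_host <= ceiling:
            return grade
    return "F"


if __name__ == "__main__":
    for control, n, share in incidents_by_control(INCIDENTS):
        print(f"{share:5.0%}  {n:2d}  {control}")
    print("controls covering 90% of incidents:", controls_covering(INCIDENTS, 0.9))
    for avg in (0.4, 2.2, 6.5, 11.0):
        print(f"average risk {avg:4.1f} per host -> grade {letter_grade(avg)}")
```

On the constructed log one control carries 60 per cent of incidents and three controls carry 90 per cent, which is the shape of finding the CAG section reports; re-running the tally on each reporting period is how the aim is refocused as attack patterns shift.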

IN-DEPTH DEFENCE

All strategies of continuous monitoring should be considered as part of a balanced programme of defence and in-depth protection of infrastructure and applications. Department of State experience indicates that the best overall results for defensive cyber security come with the simultaneous and interactive use of risk scoring with aggressive intrusion detection, rigorous access controls, watchful incident management, continuous assistance to security managers and diligence in training. The long-term strategies of the Department of State call for increasing the coverage of tools against the 20 most Critical Controls, expanding which elements of infrastructure are covered by fully automated continuous monitoring and integrating all relevant data into the security dashboard.

CONCLUSIONS

Mobilising to lower risk from known vulnerabilities has proven to be both feasible and fast. With care in structuring the collection and display of metrics, the defensive cyber security posture can be improved across 24 time zones without face-to-face contact. At the Department of State, implementing this combination of strategies ultimately engaged a broader range of the workforce on defensive cyber security. These forms of continuous monitoring and use of metrics to correct specific cyber security problems offer a higher return on investment than earlier attempts to manage risks to business continuity by commissioning and reading written reports.

Experience over the last seven years has shown that the combination of strategies mentioned in this paper can result in a reduction in measured cyber security risk in 12 months by up to a factor of ten or 90 per cent. An objective of the risk scoring programme was to address highest risk first, which indicated 60 per cent of all incidents were in the anti-malware defence category. The programme is sometimes criticised because it did not (from the start) cover all machines and all risks. Actually, this was a design feature to help focus activity and avoid information overload (see section above entitled: ‘Strategy 4: Pilot manageable segments of the environment’). The 90 per cent reduction reported is 90 per cent of the scored risks on the servers and workstations covered by the programme. Of course, no claims for such reductions in risk are made for infrastructure and software not yet included in the scoring programme at a particular point in time. The risk scoring programme is being expanded, as capacity allows, to include additional areas of the Consensus Audit Guidelines not yet covered. No single factor seems to be especially dominant in producing these results. Instead, steady attention to a set of practical tools that help both technicians and executives collectively improve defensive cyber security is called for. Everyone working in defensive cyber security at the Department of State searches for ways to improve in the race against time and to better cope with information overload. The answers so far have drawn upon a commitment to both technical and business change. For further information on the Department’s risk scoring and defensive cyber security initiatives, please send an e-mail to: [email protected].

REFERENCES

(1) The National Vulnerability Database is a publicly provided reference of the National Institute of Standards and Technology of the Department of Commerce in the USA. For more information, see: http://nvd.nist.gov (accessed 3rd October, 2010).

(2) Available at: http://en.wikipedia.org/wiki/CVSS (accessed 3rd October, 2010). For information on international implementation for scoring specific cyber vulnerabilities, see: http://www.first.org/cvss/cvss-guide.html (accessed 3rd October, 2010).

(3) Available at: http://en.wikipedia.org/wiki/Information_overload#cite_note-0 (accessed 3rd October, 2010).

(4) Available at: http://www.newworldencyclopedia.org/entry/Information_overload (accessed 3rd October, 2010).

(5) Endsley, M. R. and Smith, R. P. (1996) ‘Attention distribution and decision making in tactical air combat’, Human Factors, Vol. 38, No. 2, pp. 232–249.

(6) Available at: http://www.washingtonpost.com/wp-dyn/content/article/2010/01/17/AR2010011700562.html (accessed 3rd October, 2010). An additional article citing a diverse set of original sources on Operation Aurora can be found at: http://en.wikipedia.org/wiki/Operation_Aurora (accessed 3rd October, 2010).

(7) Kochan, T., Orlikowski, W. and Cutcher-Gershenfeld, J. (2002) ‘Beyond McGregor’s Theory Y: Human Capital and Knowledge-Based Work in the 21st Century Organization’, paper prepared for the Sloan School 50th Anniversary Session, Cambridge, MA, 11th October, available at: mitsloan.mit.edu/50th/pdf/beyondtheorypaper.pdf (accessed 3rd October, 2010).

(8) Available at: http://www.whitehouse.gov/omb/circulars/a130/a130appendix_iii.aspx, OMB Circular A-130, Appendix 3, Section 3.a.3 (accessed 3rd October, 2010).

(9) Available at: http://hbr.org/1999/01/is-your-company-ready-for-one-to-one-marketing/ar/1 (accessed 3rd October, 2010).

(10) Peppers, D., Rogers, M. and Dorf, B. (1999) The One to One Fieldbook: The Complete Toolkit for Implementing a 1 to 1 Marketing Program, Capstone Publishing, Oxford.

(11) Available at: http://www.sans.org/critical-security-controls (accessed 3rd October, 2010).

(12) Available at: http://www.infosectoday.com/Articles/Consensus_Audit_Guidelines.htm (accessed 3rd October, 2010).

(13) See SANS.org (accessed 3rd October, 2010).
