cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Newcomer I

Re: Advice for cybersecurity newbies

Cyber "kill chain" . . . .   from JBPTech

 

    Most think this ("kill chain") comes from the old military usage referring to the Structure of an Attack.

 

    I think it is much better to think of it the way the FAA does.   It is the chain of events that happened leading to an accident.    Each accident is studied to determine the chain of errors/mistakes that lead to the accident.    Break one chain link and the accident doesn't happen.   Each of those failures had to happen or there would have been no accident.   Each link in the chain contributed to the accident, and no specific one "caused" the accident.

 

   And the FAA doesn't let you off easy.   The pilot, weather, and aircraft are stringently reviewed.   Not just we know what happened and let it go.    The light bulb in the "gear up" enunciator was burned out.  The pilot didn't cross-check against different instruments.   The inspection before takeoff didn't catch it.    They talk to witnesses.  If the find a bearing burnout they go backwards to the manufacturer and see if there are other occurrences,   they see if there are service bulletins that havn't been complied with,   they see if the bulletins give a full enough picture to indicate the urgency.  Then they make recommendations.   They LOOK AT EVERYTHING that contributed to the accident, not just the first easiest item.

 

    Would that that was the way done today in cypersecurity.   Once your systems are compromised, that is what the experts do for the court case.    It's much cheaper to do it up front and save all the court costs and embarrassment.

 

    Don't let up once you have fixed an issue on a single system.   Make sure that you understand the ramifications, everything that contributed to the issue3, and that all related or similar systems are not subject to the same issue.    Who built the machine,   is there a pattern?   It maybe time for counseling for that indivicual. Try to understand the issue, what hardware it applies to (all systems with an AMD processor?  ;   all dell 320's;    everything with an Adaptec 2100 controller,  whatever -- there will be a pattern)   what versions and patches of software are involved?    Is it localized to a Rack, UPS supplying multiple systems; a Data Center? 

 

   The better you understand the issue, the better 2 things happen (yep, believe it!) ---- 1)  The quicker the repairs/modifications will be made,  and 2)  the lower the cost of the repairs/modifications (in $, downtime,  man-hours, and generalized stress on the team (the team includes everybody up to the chief executive of your organization)).

 

   And document everything.    It is a teaching tool.

 

jes sayin . . . .

Highlighted
Viewer II

Re: Advice for cybersecurity newbies

Good points!

The kill chain to which I refer is the one put forth by Lockheed Martin: https://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html

This specific one is good, but most adopt their own version of it.