Roger Grimes on Prioritizing Cybersecurity Advice

This is a good point:

Part of the problem is that we are constantly handed lists…list of required controls…list of things we are being asked to fix or improve…lists of new projects…lists of threats, and so on, that are not ranked for risks. For example, we are often given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations. They are all great recommendations, which if followed, will reduce risk in your environment.

What they do not tell you is which of the recommended things will have the most impact on best reducing risk in your environment. They do not tell you that one, two or three of these things…among the hundreds that have been given to you, will reduce more risk than all the others.

[…]

The solution?

Here is one big one: Do not use or rely on un-risk-ranked lists. Require any list of controls, threats, defenses, solutions to be risk-ranked according to how much actual risk they will reduce in the current environment if implemented.

[…]

This specific CISA document has at least 21 main recommendations, many of which lead to two or more other more specific recommendations. Overall, it has several dozen recommendations, each of which individually will likely take weeks to months to fulfill in any environment if not already accomplished. Any person following this document is…rightly…going to be expected to evaluate and implement all those recommendations. And doing so will absolutely reduce risk.

The catch is: There are two recommendations that WILL DO MORE THAN ALL THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most efficiently: patching and using multifactor authentication (MFA). Patching is listed third. MFA is listed eighth. And there is nothing to indicate their ability to significantly reduce cybersecurity risk as compared to the other recommendations. Two of these things are not like the other, but how is anyone reading the document supposed to know that patching and using MFA really matter more than all the rest?

Posted on October 31, 2024 at 11:43 AM • 12 Comments

Comments

Corwin Grey October 31, 2024 12:18 PM

This is one reason I prefer the CIS 20 Critical Controls. They have done a great deal of work at prioritizing and ranking the controls by degree of mitigation provided but left enough room for adjustments to order based on business process or regulatory requirements.

Peter October 31, 2024 1:07 PM

Big yawn, the CISA doc is equally pie in the sky as the others, it’s just spun differently for a different audience. Also the speaker is definitely showing their DHS bias here, NIST 800-53 controls have long had “P” codes (1-3) which align to implementation priorities based on value and they supersede the CAT levels (i.e. sort by P code first, then fix based on CAT level within that P code grouping). The problem is like all government regulation, it can just get ignored by the agency heads and so it is, CISA didn’t fix that.

As for “OMG CISA has an effective fix doc”, big yawn. The Australian CISA equiv has been publishing that for two decades, https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight …I believe you yourself Bruce noted that 15 or so years ago on this very blog.

Roland Turner October 31, 2024 9:40 PM

In the category of things infosec folks are terrible at (I’m not excluding myself)…

We all “know” that risk treatment must be on the basis of a risk evaluation and candidate-control cost/impact evaluation, prioritised to maximise bang for buck, but it’s hard to explain adequately in a soundbite, or even in a several-page guide. The result is pre-digested lists of baseline controls against common risks.

The difficult problem is that the overwhelming majority of organisations are too small to have the expertise available to perform a realistic evaluation. Historically organisations that small were not a significant target population, but today they are. There’s a really awkward gap between individual/consumer-grade systems (secured directly by tech giants) and medium-large organisation systems where the expertise to evaluate and prioritise is available. Grimes’ point is valid, but is perhaps not addressing the problem that many [current] non-evaluated controls lists are aimed at.

Paul Sagi November 1, 2024 5:05 AM

Regarding

https://www.schneier.com/blog/archives/2024/10/roger-grimes-on-prioritizing-cybersecurity-advice.html

The reason for ‘blanket’ lists of advice is that the purveyors of such advice can’t know the particular setup of each entity.

MFA and patching do have their place, although there are caveats:
1) Patches are often rushed, may have bugs and the patch can then cause a problem.
2) Beware the unauthenticated patch that may be (or contain) malware.
3) Be very careful what MFA is used, if another device is used (typical) the attack surface is increased.

Very important security safeguards are:
A) Anti-malware secure DNS (DoH, DoT, DNSSEC and Rebind protection). Note that not all secure DNS is anti-malware, most secure DNS offers no or little protection from malware. The best anti-malware secure DNS blocks 96% of malware.
B) A good bidirectional firewall, one which allows creation of custom rules.
C) Network segmentation
D) Air-gaps
E) Last (and least) is antivirus software, if malware is caught in your system by AV software you have already lost the war. (What other malware is in your system that the AV software did not detect?)

Keyloggers and RATs are a constant threat, keep them out of your network.

Depending on who you are, adversaries can be script kiddies, opportunistic scammers or nation-state actors.

The point of the above advice is to keep out threats as much as possible and isolate and contain the threats that do get in.

Peter Galbavy November 1, 2024 5:20 AM

On first glance I agree with the sentiment, but then thinking a bit more I am not so sure. The other problem with lists, ranked or not, is people just follow them blindly without understanding what they mean or what the impacts are. This is sadly all too common throughout society and target / tick-box culture and all that.

If people can be expected to review lists of tasks, can be expected to put effort into understanding why they exist then they may be better prepared to rank the items themselves for their circumstances. Maybe not as well as a more experienced professional, but still better than someone just going down a page of tasks to perform.

Amit November 1, 2024 6:36 AM

It seems like a non-trivial task. Priority of risks is highly context dependent and varies over time as well – trying to force an order on a list that serves multiple organizations is challenging at best, if not simply impossible.

Chris November 1, 2024 9:15 AM

While I agree with the point and conclusion, I think the problem lies here:

“For example, we are often given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations.”

HIPAA and SOX aren’t really “cybersecurity guidelines,” they’re sets of regulations. Someone telling you “thou shalt” isn’t primarily interested in your particular threat environment or prioritizing your risks; compliance is binary, risk is scalar.

Roger November 1, 2024 9:34 AM

I’m a huge fan of the Center for Internet Security. Under Tony Sager’s leadership, they are among the first guidance organizations to strongly and aggressively push risk-ranking when using their recommendations and tools. They do it right.

Keith Douglas November 1, 2024 3:50 PM

As a special case of Peter Galbavy’s worry – defense in depth. In many organizations it would be too easy to say one had done just the two and thus had “done most of what we need”. But that might not be true – one may have not done enough of the two.

For example, “patching” (can we get rid of this obsolete term, please?) – one cannot declare that complete, ever. This is even more the case if one does any large volume of software acquisitions, never mind even more so if one does in house development. Realistically, it would include to support this idea an entire, modern, SDLC – and that’s a lot more work.

Eric November 1, 2024 8:30 PM

I would include ad blocking to make an easy top 3 with the most impact along with MFA and patching.

Paul Sagi November 3, 2024 12:31 AM

Eric reminded me about blocking ads. I missed mentioning ads, thank you Eric.

At the least ads reduce useful bandwidth, ads may also lead to dodgy unsafe code.

Some Secure DNS does ad blocking.

Ad blockers, such as uBlock Origin, are available.

Some ad blockers do a fairly good job and are updatable, a good feature because web advertising is an arms race.
