As the 2016 Republican and Democratic National Conventions are about to begin, Security Current has challenged me to reflect on an assignment I was given when I was an IT security executive at a major cable, telecommunications and Internet Service Provider.
Over four years ago, I was given the opportunity to build from the ground up the cyber defense of a globally televised major event: the 2012 Republican National Convention (RNC) in Tampa, FL. It was a tremendous task to plan, build, deploy and run an entire cyber defense program and Fusion Center, let alone do it in only 22 weeks.
We were the cyber eyes and ears for 140+ local, state and federal law enforcement and government agencies for an event that was expected to attract a lot of attention. We were not disappointed. Hacktivists, hackers, activists/protesters, nation-states (China, Russia, etc.), curiosity seekers, organized crime groups, and even Anonymous made several appearances on our radar, wanting to disrupt the event, draw attention to their own causes and messages, and/or take advantage of a national event to steal data (and intelligence) and perform other nefarious activities.
Our Mission:
Media covering the event, attendees, and the aforementioned 140+ agencies relied on the Internet access and telecommunications that we were providing for the entire RNC event. Telecasts and communications had to occur in real-time. Moreover, it had to occur securely without interruption, distraction, or compromise. The event drew as many as 100,000 people converging on Tampa.
The nation and the international community were going to watch. Unbeknownst to all participants and viewers, we achieved our mission: they were able to take for granted that messages, video, and data would flow seamlessly. They were not aware of the behind-the-scenes near hits/misses, blocked attempts, and the heightened cyber drama between attacker and defender. In essence, we did our job. Oh, and did I mention that we had to ensure business-as-usual service and security for our own company, and residential and business customers?
The Game-Plan:
The approach to planning was simple: assess, plan, design, build, test, deploy, test again and run. The defense of this event required a team of over 400 personnel, comprised of technical and management employees and third-party vendors.
All roles, procedures, processes, technology and plans had to be implemented from inception to deployment. Although we were standing this program up for the big event, this is the same approach that any organization needs to implement security and risk programs. It is simply a matter of scale, tempo, and impact.
Your organization may have a smaller budget but you will have time and size on your side, without millions of eyes watching your every move and Anonymous and China breathing down your neck.
First, we had to identify our threats and attack vectors, both physical and cyber, across the organization and the various event sites. The national convention was highly dependent on technology and widely connected. Correspondingly, the variety of attack vectors included Distributed Denial of Service (DDoS) attacks, Slow Post attacks using sophisticated tools (low and high orbit ion cannons), exploits on web servers and network vulnerabilities, and social engineering among others.
There also were physical attack vectors from activists and hacktivists on the ground looking for ways to break into communication facilities, power stations, and any place providing an opportunity to steal, cut wires, create distractions, and even blow things up! We used security monitoring extensively in the cyber realm, but we also relied on good ol’ fashioned surveillance cameras to detect and prevent incidents, as well as to help law enforcement apprehend attackers and thieves.
Other challenges we had to overcome included transforming unsecured and open locations into secure spaces and even protecting various modes of travel and routes for the workforce supporting the event and attendees. (Did you know there is an Amtrak police force?) Even Hurricane Isaac decided to swing by just as the event started to add to the fog of war.
Often overlooked by organizations developing their own security and risk plans are internal threats. It is an unfortunate fact, but we had to harden systems and procedures and monitor for attacks from the inside as well.
While some of these insiders were customers, employees, and other trusted entities with political agendas, many were external entities that had already infiltrated their way in, long before the event. Remember, once an attacker gets in, he/she is now an internal threat!
Top 10 Fundamentals:
The following are the Top 10 fundamentals I relied on for the RNC but also are applicable to enterprise security and risk programs:
- The Internet is a catalyst: The Internet has provided the catalyst for risk-based change in terms of time and velocity. Things can happen with intense speed and frequency over the web. Just as businesses can use this to their advantage, so can attackers. Hackers, hacktivists, and nation-state aggressors find it useful to conduct asymmetric cyberwarfare to take on large targets they would otherwise not be effective against. Do not make the mistake of thinking a threat is too small to defend against.
- Communication and coordination: Successful defense of the RNC would not have been possible without swift communication and coordination with the security team and the 140+ law enforcement and government agencies. The Fusion Center was the lifeline that made this happen. Regardless of what form it takes in your organization, there needs to be a security entity where planning, monitoring, communication, incident response, and coordination can be centralized and led effectively. Involvement with various business and IT stakeholders is essential — security cannot occur in a vacuum. All need to work together based on identified common ground – protecting corporate resources.
- Plan and then plan some more: Know where you want to go and plan on how to get there. As effective project managers know, success is often based on 80% planning and 20% execution. Do not underestimate the importance of planning. Security and risk management cannot be done through brute force or ad hoc methods (in other words, “winging it.”) Without planning, you will be in continual reaction and unplanned firefighting mode, which wastes valuable time and resources.
- Monitoring is as important as prevention: Although prevention is part of the plan, the primary defense posture for any security operations program is monitoring. This surprises most IT professionals, as we are all conditioned to regard prevention as the ultimate goal and monitoring as the consolation prize. With quickly evolving technology and corresponding threats, you cannot prevent everything that can happen security-wise. However, monitoring can detect and alert you to potential problems so you can respond quickly. Even preventative systems become part of the network of sensors to be monitored. As the adage goes, “You don’t know what you don’t know.” Monitoring means having situational awareness, because security incidents are occurring even if you are not aware of them.
- Unity of command: Although there were many moving parts and 140+ entities, defending the RNC was successful because we had Unity of Command and Mission. It was clear what had to be defended and we acted on this common ground. All too often I see organizations lose sight of this because of lacking or diffused leadership, conflicting agendas or the organization has tied an effective leader’s hands. A CISO (or equivalent) without the necessary authority, budget, and visibility has his/her ability to be a security leader for the company severely hindered.
- Diligence and persistence: The cybercriminals and terrorists don’t sleep and they are good at evolving; just ask any BOTNET! Defending your environment has to be around the clock and comprehensive. There are many of them and only a few of you. It is worth repeating that you have to be successful all the time, while they only have to be successful some of the time to get what they want.
- Information and access is the new digital age currency: Speaking of getting what they want… they may want your information and access so they can use it, but mostly because they want to monetize it. In addition to user accounts and passwords, there is an active market for personally identifiable information (PII), financial data, credit card data, medical data, and even secondary information that can be used to answer security challenge questions such as your mother’s maiden name, the city you were born in, your favorite sport, etc.
- Physical and cybersecurity are two sides of the same coin: Defending the RNC was successful because we monitored both cyber and physical security; your security and risk program should not neglect either of these elements. Your strategy, tools, and tactics need to cover both sides. Physical security may seem mundane, but it is an essential foundation for the other components of your security and risk program.
- Know your battle space: Being aware of your “battle space” or entire environment is essential. This requires clarity of your mission and reducing the fog of war, but also knowing that you need to defend from threats internally, as well as externally. In addition to hunting for external entities that have infiltrated their way in, an internal cyber hunting team can identify and counter threats from trusted entities inside the organization. Corporate espionage is a feasible reality that is not relegated to the movies anymore. Organized crime rings, for example, can infiltrate companies by working as call center representatives with the goal of exfiltrating credit card numbers and other valuable information. Disgruntled employees may want to take as much data, software, and intellectual property as they can on their way out and there are those who are simply unethical or opportunists inside the organization.
- Surround yourself with the right people: Successful defense of the RNC was possible because we had a diverse team of highly technical security experts. Some were employees while some were consultants and vendors. Our success was ultimately due to having the right people in the right place at the right time. Based on a unity of command, clear and achievable mission objectives, well-trained subject matter experts and a flexible management team providing the guidance necessary for cohesive team dynamics, we were able to take on each challenge with confidence.
In closing, it is clear that companies, government agencies, and event planners must develop a unity of command and know their battle space to be successful. To achieve this they need to plan and communicate extensively and have the right people, processes, and tools in place.
While you may not be called upon to defend a high-profile event, the same fundamentals can be applied in building and running any size security and risk program effectively. Lastly, organizations should give themselves the benefit of time.
Do not wait until the last minute to involve security and risk in your projects, or regard them as a checkmark on your project plan after everything has been built or written. Inviting them to the table early in the design phase enables security and risk management to be baked in as opposed to bolted on, or even omitted in order to keep the schedule. Building security in avoids the risk of having to redo work or code, but more importantly, it ensures that corporate assets and customer data are properly protected.