The steps taken by the federal government are only starting points, and much work remains to be done to improve the security of IT systems, data and critical infrastructure. Jim Richmann, Study Director of Cybersecurity Research at the Institute for Defense Analyses, recently spoke during a GovLoop webinar, Combating the Cyber Landscape. Richmann’s presentation focused on how agencies can establish cyber metrics to improve their security strategies. Before identifying potential metrics for agencies to adopt, Richmann gave an overview of the foundational elements needed to create metrics at an agency. The four areas he focused on were:
Foundational Elements Needed to Create Metrics
Understand Your Cybersecurity Foundation: This foundation comprises the hardware and software assets everything else runs on, such as routers, switches, physical point-to-point circuits, SANs, management tools, satellite links and wireless hubs.
Know Your Dedicated Defense Assets: These assets exist only to provide cyber defense. Examples include enterprise virus scanning software, intrusion detection systems, firewalls and PKI.
Identify Your Unique Cyberspace Assets: These assets exist only in cyberspace. Examples include end-user hardware clients, application servers, web servers, mobile devices, ERP systems, printers, scanners and application software.
Assets that Leverage Cyberspace: These assets make use of cyberspace, but their primary existence and function is in other domains. Examples include weapons systems, related platforms, support systems and infrastructure.
In the presentation, Richmann identified 19 potential metrics for agencies to use, but cautioned that agencies must tailor their metrics to their own needs. The examples he presented were:
1. Percentage of source traffic covered by foundational cyber defense assets in DMZs
2. Currency of enterprise virus signatures
3. Percentage of client systems that have current enterprise virus signatures
4. Percentage of desktops with automated patching
5. Percentage of desktops with automated integrity checking
6. Volume of traffic blocked at border router (segmented by type)
7. Blocked port scan volume at border router
8. Currency of firmware patches for foundational cyber defense assets
9. Known zero-day exploit exposure (publicly known)
10. Uptime and availability for assets
11. Number of cyber attacks that are detected: Viruses, spam, phishing attacks, etc.
12. Assets not patched to current standard
13. Firmware not updated to enterprise standards
14. Assets failing integrity check
15. Non-standard software installations detected
16. Known zero-day exploit exposure (publicly known)
17. Currency of required administrator training
18. Vulnerability scan statistics
19. Source code scan results (where available and applicable)
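Several of the metrics above (2, 3, 4, 5, 12, 13, 14 and 15) are simple aggregates over an asset inventory, and the hard part in practice is deciding the thresholds and standards each one is measured against, and not reporting a misleading 0% or 100% when a population is empty. The script below is an added example and is not code from the webinar, from GovLoop or from IDA: it computes those eight metrics over a small constructed inventory. The inventory schema, the enterprise patch and firmware standards, the approved-software list, the one-day signature currency threshold and the sample records are all assumptions chosen for illustration.

```python
"""Compute a subset of the listed cyber metrics over a constructed asset inventory.

Added example, not from the original page. Schema, standards, thresholds and
sample data are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                        # "desktop", "server", "router", "switch", ...
    sig_date: Optional[date]         # date of the installed AV signature set; None = no AV
    auto_patch: bool                 # enrolled in automated patching
    integrity_check: bool            # automated integrity checking enabled
    integrity_ok: bool               # result of the last integrity check
    patch_level: str                 # enterprise patch baseline applied, "YYYY-MM" (sorts lexically)
    firmware: Optional[str] = None   # firmware version, None where firmware is not tracked
    software: FrozenSet[str] = frozenset()


# Assumed enterprise standards (hypothetical values).
STANDARD_PATCH_LEVEL = "2024-05"
STANDARD_FIRMWARE = {"router": "15.2", "switch": "9.3"}
APPROVED_SOFTWARE = frozenset({"office", "browser", "edr-agent", "vpn"})
SIG_MAX_AGE = timedelta(days=1)      # signatures older than this are counted as stale


def pct(numerator, denominator):
    """Percentage rounded to 0.1, or None for an empty population (never a fake 0% or 100%)."""
    return None if denominator == 0 else round(100.0 * numerator / denominator, 1)


def compute_metrics(inventory, today):
    clients = [a for a in inventory if a.kind == "desktop"]
    current_sig = [a for a in clients
                   if a.sig_date is not None and today - a.sig_date <= SIG_MAX_AGE]
    newest_sig = max((a.sig_date for a in inventory if a.sig_date), default=None)
    firmware_tracked = [a for a in inventory if a.kind in STANDARD_FIRMWARE]
    return {
        # 2. currency of enterprise virus signatures: age in days of the newest deployed set
        "signature_age_days": None if newest_sig is None else (today - newest_sig).days,
        # 3. percentage of client systems with current signatures
        "pct_clients_current_signatures": pct(len(current_sig), len(clients)),
        # 4. percentage of desktops with automated patching
        "pct_desktops_auto_patching": pct(sum(a.auto_patch for a in clients), len(clients)),
        # 5. percentage of desktops with automated integrity checking
        "pct_desktops_integrity_checking": pct(sum(a.integrity_check for a in clients), len(clients)),
        # 12. assets not patched to the current standard
        "assets_not_patched": sorted(a.name for a in inventory
                                     if a.patch_level < STANDARD_PATCH_LEVEL),
        # 13. firmware not updated to enterprise standard (only assets with a defined standard)
        "firmware_below_standard": sorted(a.name for a in firmware_tracked
                                          if a.firmware != STANDARD_FIRMWARE[a.kind]),
        # 14. assets failing integrity check (only those that actually run one)
        "assets_failing_integrity": sorted(a.name for a in inventory
                                           if a.integrity_check and not a.integrity_ok),
        # 15. non-standard software installations detected, per asset
        "nonstandard_software": {a.name: sorted(a.software - APPROVED_SOFTWARE)
                                 for a in inventory if a.software - APPROVED_SOFTWARE},
    }


# Constructed sample inventory; "today" is fixed so the numbers are reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Asset("ws-01", "desktop", TODAY, True, True, True, "2024-05",
          software=frozenset({"office", "browser", "edr-agent"})),
    Asset("ws-02", "desktop", TODAY - timedelta(days=3), False, True, False, "2024-03",
          software=frozenset({"office", "torrent-client"})),
    Asset("ws-03", "desktop", None, True, False, True, "2024-05",
          software=frozenset({"browser"})),
    Asset("srv-01", "server", TODAY - timedelta(days=1), True, True, True, "2024-05",
          software=frozenset({"edr-agent"})),
    Asset("rtr-01", "router", None, False, False, True, "2024-05", firmware="15.2"),
    Asset("sw-01", "switch", None, False, False, True, "2024-05", firmware="9.1"),
]


def report():
    """Metrics for the constructed sample inventory."""
    return compute_metrics(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Two design points matter more than the arithmetic. First, every metric is defined against an explicit standard (the patch baseline, the per-platform firmware version, the signature age limit), which is exactly the tailoring Richmann calls for; the same script run by another agency would carry different constants. Second, percentages over an empty population are reported as None rather than 0 or 100, and firmware and integrity metrics only count assets that have a standard or a check defined, so a dashboard cannot show a green 100% simply because nothing was measured.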
Cybersecurity is only effective when agencies can baseline their posture and measure progress against it. To do so, agencies must place an emphasis on defining metrics that fit organizational need, and work diligently to identify risks, assess vulnerabilities and build a robust set of metrics for measuring success.