by Chelsey Donohoe, M.A., Operations Specialist
Note: This post was originally a talk presented at BSides Austin 2019 as “An epidemiological approach to creating an information security prevention framework.”
The executive management team guides a company’s mission, objectives, and strategy, including making many of the risk management decisions and determining how budgets should be spent. However, most CEOs, COOs, and CFOs don’t have a highly technical background, and it can be difficult for people outside of the information technology/data privacy sphere to fully understand why an information security program needs so many resources and controls in place. One company’s binder of security policies could easily have twelve or more sections that each address different subtopics, which can be mind-boggling if it isn’t your day-to-day job. My formal education is in the social sciences (psychology for undergrad and criminal justice for grad school), which gave me a different framework for interpreting the scope of security and privacy controls. I like to think of information security in epidemiological terms, using an extended metaphor that borrows heavily from the prevention frameworks used in public health. Generally speaking, epidemiology involves studying how many people have a specific disease/disorder, whether those rates are changing over time, which factors are associated with its occurrence, and what steps can be taken to prevent new cases.
In this model, there are three tiers of prevention (primary, secondary, and tertiary), each with different aims. A well-rounded information security program will include a combination of administrative, technical, and physical security controls across all three tiers of this prevention model, assuming that a security incident (e.g., lost or compromised data, exploited vulnerabilities in a system, policy violations leading to noncompliance) is the “disease/disorder.”
Primary prevention is what we typically think of when we hear the word “prevention”: it’s something you do before health effects occur so that you avoid getting the disease/disorder in the first place. This includes promoting protective factors (e.g., regular exercise, healthy eating habits, and timely vaccinations) as well as reducing or eliminating harmful factors, such as changing unhealthy or unsafe behaviors (e.g., quitting smoking), preventing exposures to hazards (e.g., wearing gloves around blood, or avoiding lead paint and other harsh chemicals), and building up your resistance so you’re less likely to get sick or injured if you are exposed (e.g., wearing your seatbelt in case you crash). For information security, this could include initiatives such as:
- Establishing strong, well-documented policies and procedures, ensuring all relevant parties are aware of these expectations and have the appropriate infrastructure and resources to enact those procedures as intended;
- Background checks and identity verification for personnel and third parties prior to authorizing access to facilities or systems (physical or remote);
- Security awareness training during onboarding, annually, and after major changes, with additional tailored training for developers, cyber and physical security personnel, and executive management;
- Conducting due diligence assessments for all vendors/service providers, data recipients, and business partners before entering into a contractual relationship, including steps to manage supply chain cyber risks on an ongoing basis;
- Setting up identity and access management controls (e.g., access control lists, password managers, single sign-on or federated IDs), encryption and key management, firewalls, application whitelisting or blacklisting, configuration management (including hardened baseline configurations for all connected devices), and mechanisms to enforce technical policies (e.g., remote asset management/mobile device management, patch management, centrally-controlled anti-malware software); and
- Enforcing data governance practices, such as data labeling and classification, appropriate information/media handling practices to protect data-at-rest and data-in-transit, and authorized destruction methods only at the end of the retention period.
These day-to-day prevention and preparation mechanisms can be viewed as a way to intervene before negative security or operational effects occur, with the intention of avoiding the occurrence of a breach (confidentiality/privacy), compromised data or systems (integrity), lost data or system outages (availability), exploited vulnerability, noncompliance with regulatory or contractual obligations, or other information security incident. All such preventative controls are examples of primary prevention.
Secondary prevention involves early screening for diseases/disorders so that the issue can be identified and treated before symptoms begin. These early detection processes target individuals who are exposed or have known risk factors. If you find out that you do have the disease/disorder, intervention at this point may be able to stop or slow down its progress, reduce the impact, and/or keep it from getting worse. Examples of public health initiatives could include blood tests for sexually transmitted infections for individuals with multiple partners or who use drugs intravenously so that antibiotics or antiretrovirals can be administered, tests for diabetes and heart conditions for those with a genetic predisposition or weight problems to identify a need for insulin or other medications, and cancer screening (e.g., colonoscopies, mammograms, blood tests) for individuals with a family history or who engage in high-risk behaviors like smoking or heavy alcohol use. With an information security program, secondary prevention interventions could include:
- Continuous security monitoring (e.g., a security operations center/managed security service provider handling log correlation, analysis, and alerting) via a Security Information and Event Management (SIEM) and/or File Integrity Monitoring (FIM) system;
- Blocked or quarantined files via antivirus/anti-malware or other threat protection solutions;
- Vulnerability management, including regular vulnerability scans (which should detect “Shadow IT”) and documented remediation activities or risk acceptance decisions;
- Blue team exercises, red teaming, routine penetration testing, and static and dynamic application security tools to check for problems with secure coding practices;
- Intrusion detection/intrusion prevention systems (IDS/IPS, NIDS/NIPS, WIDS, etc.);
- Regular scans for rogue wireless access points;
- Data Loss Prevention (DLP) solutions;
- Internal phishing campaigns;
- Threat hunting and monitoring threat intelligence feeds.
These screening/monitoring and security testing interventions are detective controls that aim to identify potential security incidents in the earliest stages, before critical systems and processes are affected, with the intention of mitigating the impact that has already occurred.
Tertiary prevention involves intensive intervention and rehabilitative efforts, not only to slow the progression and reduce impact after diagnosis but also to restore the patient to their previous state, or at least to maximize their ability to function, quality of life, and life expectancy. Ideally, tertiary prevention will mitigate harm, correct the issue, and take steps to prevent recurrence/relapse. Chemotherapy and radiation, inpatient drug rehab programs, and physical and occupational therapies are examples of tertiary prevention in public health. For information security, this includes:
- Incident response planning, including escalation, investigation, kill chain, breach notifications, post-mortem, and incorporating “lessons learned” into updated playbooks; and
- Business continuity planning (BCP)/continuity of operations planning (COOP) and disaster recovery planning.
These tertiary prevention activities are corrective controls that focus on restoring the company’s business units, IT infrastructure (and accompanying security controls), and operations to previous levels and/or maximizing remaining capacities.
Just like a flu shot would not be an appropriate response to a gunshot wound, security awareness training alone is not a sufficient replacement for an incident response plan. Companies should seek to build up protective measures and avoid exposure to unnecessary threats (primary prevention), enact ongoing early detection mechanisms to initiate timely remediation (secondary prevention), and have capabilities in place to respond to business disruptions and cyber incidents (tertiary prevention).