Partner Perspectives
Ryan Vela
Breach Defense Playbook: Reviewing Your Cybersecurity Program (Part 1)

How does your cybersecurity program compare to your industry peers?

Most organizations are engaged in a cyclical process of enhancing their cybersecurity posture, centered on their sensitive data and processes. While enhancement involves roadmaps and milestones, a key element should also be evaluating your cybersecurity people, processes, and technology with the purpose of making transitional changes from a current state to a more secure future state.

To begin, you should leverage the NIST Framework for Improving Critical Infrastructure Cybersecurity, as well as defense-in-depth methodologies, as foundations for your assessment. Accompanying this foundation, you should include intelligence and information from other organizations within your industry that may have suffered a breach.

The goal of reviewing your cybersecurity program is to quantitatively ensure that a secure enterprise network exists within your business environment. To do so, you should perform a gap analysis of your security framework that results in a roadmap for enhancements.

Program Gap Analysis

Your gap analysis should include assessing your current security infrastructure with the goal of developing a roadmap for implementing enhancements. The first step is a questionnaire that you should use to help define and understand the physical and virtual location of critical data assets. Never assume that you know everything about your own organization. In fact, the best practice when performing assessments is to assume you know nothing. Therefore, you should spend time reviewing the pre-assessment questionnaire prior to conducting the actual assessment and interviews. Examples of data you will want to review include network drawings, security devices, firewall configurations, security policies, planned security enhancements, and any existing cybersecurity roadmaps.

Leverage your questionnaire to define and understand the network architecture, design, systems, and software used, and how and what data is stored and manipulated. Identify the systems on which the data resides, how the data is transported, and the security and controls around those systems. Encourage respondents to provide complete and detailed answers whenever possible, which will greatly facilitate the entire process. Then use the results of the initial questionnaire to focus the gap analysis.

While your goal is only to understand the security associated with the systems that are identified as containing critical data elements, interconnectivity between systems holding critical data and other resources and security measures is also likely. When performing your analysis, keep in mind that you are going to be collecting and analyzing sensitive information that could place your organization at risk. So keep the data secure, communicate only in encrypted channels, and ensure that you properly dispose of all sensitive data at the conclusion of your assessment.

The Interview Phase

After the questionnaire review, you should conduct a round of in-person or virtual interviews that include security personnel and IT management. The interviews will allow you to gain an understanding of your security practices, culture, and network and cybersecurity capabilities. The on- and off-site interviews and results will help drive the rest of the assessment and ensure that you identify potential gaps.

When performing your assessment, you should leverage the NIST Framework for Improving Critical Infrastructure Cybersecurity (2014) as a basis for assessing gaps. You should focus on the five areas listed below, but not all areas are applicable to all organizations. Since you would be using the NIST Framework, note in your analysis the areas that are not applicable; in the future, if they do become applicable, you have a paper trail describing why they weren’t assessed prior.

The following five sections map directly to the NIST Framework Core. These five concurrent and continuous functions are identify, protect, detect, respond, and recover. According to the Framework, these functions “aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The functions also align with existing methodologies for incident management and help show the impact of investments in cybersecurity.” The bullets within each function are categories that are “groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.”

Identify

  • Asset Management – The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
  • Business Environment – The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk-management decisions.
  • Governance – The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
  • Risk Assessment – The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  • Risk Management Strategy – The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Protect

  • Access Control – Access to assets and associated facilities is limited to authorized users, processes, or devices and to authorized activities and transactions.
  • Awareness and Training – The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
  • Data Security – Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
  • Information Protection Processes and Procedures – Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
  • Maintenance – Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.
  • Protective Technology – Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Detect

  • Anomalies and Events – Anomalous activity is detected in a timely manner, and the potential impact of events is understood.
  • Security Continuous Monitoring – The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
  • Detection Processes – Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Respond

  • Response Planning – Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.
  • Communications – Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
  • Analysis – Analysis is conducted to ensure adequate response and support recovery activities.
  • Mitigation – Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
  • Improvements – Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

Recover

  • Recovery Planning – Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
  • Improvements – Recovery planning and processes are improved by incorporating lessons learned into future activities.
  • Communications – Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

Your gap analysis may not culminate in a formal report but rather in a spreadsheet outlining individual areas, your findings, analysis, and notes. You should then take the gap analysis spreadsheet to prepare your cybersecurity roadmap, which I will cover in more detail in Part 2 of this series.
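The spreadsheet the article describes can be kept as structured data so that the "not applicable" paper trail is enforced rather than remembered. The following is an added example, not code from the article or from Fidelis Cybersecurity; it assumes a hypothetical 0–4 maturity scale per category, validates that every category maps to one of the five Framework functions, refuses a not-applicable entry that lacks a documented reason, and orders the applicable findings by size of gap to seed the roadmap. The sample findings are constructed.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# NIST CSF Core functions and the categories listed in the article, in Framework order.
CORE = {
    "Identify": ["Asset Management", "Business Environment", "Governance",
                 "Risk Assessment", "Risk Management Strategy"],
    "Protect": ["Access Control", "Awareness and Training", "Data Security",
                "Information Protection Processes and Procedures", "Maintenance",
                "Protective Technology"],
    "Detect": ["Anomalies and Events", "Security Continuous Monitoring",
               "Detection Processes"],
    "Respond": ["Response Planning", "Communications", "Analysis",
                "Mitigation", "Improvements"],
    "Recover": ["Recovery Planning", "Improvements", "Communications"],
}


@dataclass
class Finding:
    """One row of the gap-analysis spreadsheet. Maturity is a hypothetical 0-4 scale
    (0 = absent, 4 = optimized); current=None marks the category as not applicable."""
    function: str
    category: str
    current: Optional[int]
    target: int
    notes: str = ""
    na_reason: str = ""  # required when current is None: the paper trail the article asks for

    def validate(self) -> None:
        if self.function not in CORE or self.category not in CORE[self.function]:
            raise ValueError(f"unknown category {self.function}/{self.category}")
        if self.current is None:
            if not self.na_reason.strip():
                raise ValueError(f"{self.category}: not-applicable needs a documented reason")
            return
        for v in (self.current, self.target):
            if not 0 <= v <= 4:
                raise ValueError(f"{self.category}: maturity {v} outside 0-4")

    @property
    def gap(self) -> Optional[int]:
        # None for not-applicable rows; never negative when current exceeds target
        return None if self.current is None else max(self.target - self.current, 0)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Largest gap first; ties keep Framework order (Identify before Protect, ...)."""
    order = {fn: i for i, fn in enumerate(CORE)}
    applicable = [f for f in findings if f.gap is not None]
    return sorted(applicable, key=lambda f: (-f.gap, order[f.function]))


def to_csv(findings: List[Finding]) -> str:
    """Validate every row, then render the spreadsheet as CSV text."""
    for f in findings:
        f.validate()
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["function", "category", "current", "target", "gap", "notes", "na_reason"])
    for f in findings:
        w.writerow([f.function, f.category,
                    "N/A" if f.current is None else f.current,
                    f.target, "" if f.gap is None else f.gap, f.notes, f.na_reason])
    return out.getvalue()


# Constructed sample findings (not real assessment data).
SAMPLE = [
    Finding("Identify", "Asset Management", 1, 3, "inventory is a stale spreadsheet"),
    Finding("Protect", "Access Control", 2, 3, "shared admin accounts on two file servers"),
    Finding("Detect", "Security Continuous Monitoring", 0, 3, "no central log collection"),
    Finding("Protect", "Maintenance", None, 3, "",
            na_reason="no industrial control systems in scope"),
    Finding("Recover", "Recovery Planning", 2, 2, "DR plan tested last quarter"),
]

if __name__ == "__main__":
    print(to_csv(SAMPLE))
    for f in prioritize(SAMPLE):
        print(f"gap {f.gap}: {f.function} / {f.category}")
```

Because validation runs before export, an assessor cannot quietly skip a category: it either receives a current and target maturity or an explicit reason it was not assessed, which is exactly the record the article says you will want when that area becomes applicable later.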

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...