“Cyber Baboon” Methodology for Asset Classification, Weakness Identification, Assessment, and Improvement of Information Systems Security
INFORMATION SECURITY & RISK ASSESSMENT
Aleksandr Zhuk
July 13, 2019

 In August 2008, Netflix infrastructure experienced a major failure. As a result, the rapidly growing streaming services provider completely redefined its systems architecture model by moving from a vertically stacked Windows servers infrastructure to the highly distributed highly available Amazon AWS cloud. Netflix also leveraged its lessons learned by introducing Chaos Monkey, a daring rigorous approach to infrastructure resilience testing, analysis and improvement. According to its current description on Github, Chaos Monkey is a set is software scripts (and supporting organizational processes) “responsible for randomly terminating instances in production to ensure that engineers implement their services to be resilient to instance failures.”

At the time of Chaos Monkey introduction, I was responsible for resilience and security of global Microsoft Active Directory infrastructure at one of the largest financial services organizations in the world. The level of organizational commitment to making its systems resilient, which is required to let Chaos Monkey go loose on one’s production infrastructure, is truly remarkable—the rare “real stuff” that separates the multitudes of talkers from committed doers and is a powerful source of inspiration and continuous learning for anyone whose job entails making systems secure and resilient.

 

Another source of learning and inspiration for this post comes from the sobering insights summarized in the 9/11 Commission report on the key failures that made the tragic events possible and the crucial lessons that, if reflected in corrective actions, could help prevent such tragedies in the future. For me, the phrase that is forever tattooed in my memory and a constant guide in my work is “…and above all—failure of imagination.”

9/11 tragedy was a result of failure “of policy management, capability and above all imagination; on that September day we were unprepared. We did not grasp the magnitude of a threat that had been gathering over a considerable period of time.”Tom Kean, the Chairman of the 9/11 Commission

With the shortage of qualified information security personnel being a persistent theme in the daily industry news, those charged with protecting their organization’s information systems and other digital assets find themselves busy fighting the endlessly escalating war with the increasingly resourceful, determined, and cunning adversaries. In such an environment, the rapidly evolving threat landscape and the escalating pressure to stay a step ahead of the threats make it all too tempting to want to fall back onto a set of “proven” technologies and numb one’s mind to the ringing questions: “Did we miss something? Did we fail to imagine a threat that our adversaries have long been developing?” When daily news unfailingly bring stories of new multi-million dollar breaches, keeping the balance between bottomless paranoia and a healthy dose of precaution is hard! To do that, we must rely on proven frameworks and rigorous risk assessment methodologies that help us navigate through multitudes of threats all the while making sound risk-driven decisions on what’s possible, what’s necessary, and what is essential.

Enumerating even the most relevant existing sources of wisdom and guidance would be far beyond the intended scope and size of this post. Luckily, before moving on to the topic of this post, I can simply point to a couple of books that currently top my “must read” list: CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers by Todd Fitzgerald and How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen.

Baboons are arguably the most dangerous, strongest, and aggressive monkeys.

Image credit Pixabay

Inspired by the Chaos Monkey approach to infrastructure resilience assessment and improvement, I propose Cyber Baboon (CB) methodology for assessment, analysis and, improvement of organizational cyber resilience. Unlike the commonly used internal and external penetration and vulnerability testing techniques, CB can be implemented without delay and at no additional cost. CB is an intuitive and logically sound way to test one’s underlying assumptions, measure potential exposure, and provide a robust foundation for risk-informed investments in countermeasures and other improvements. To get started, one should already have an accurate map of the organization’s digital assets, but using Cyber Baboon methodology can also help uncover the yet-to-be-discovered system components. The three-step CB process is:

1. Randomly select one or more components of your infrastructure, digital assets inventory, or/and personnel and mark them as “fully compromised.”

2. Evaluate implications of each compromised asset/resource on:

a. Sensitive data, digital assets, and confidential or proprietary knowledge directly hosted or associated with the compromised asset/resource

b. Changes in the vulnerability/risk profile of adjacent/connected assets

c. Changes in the vulnerability/risk profile of the overall system

3. Evaluate collective implications of the compromised assets and resources and relationships among them on:

a. Sensitive data, digital assets, and confidential or proprietary knowledge directly hosted or associated with the compromised asset/resource

b. Changes in the vulnerability/risk profile of adjacent/connected assets

c. Changes in the vulnerability/risk profile of the overall system

 This simple yet effective assessment methodology is effective for a wide range of different scenarios. For example, Cyber Baboon can be used to assess the effectiveness of a Zero Trust Security system.

 

Share This