I was considering another debate about appropriate cybersecurity measures and I had the following thought: not all networks are the same. Profound, right? This is so obvious, yet so obviously forgotten.
Too often when confronting a proposed defensive measure, an audience approaches the concept from their own preconceived notion of what assets need to be protected.
Some think about an information technology enterprise organization with endpoints, servers, and infrastructure. Others think about an industrial organization with manufacturing equipment. Others imagine an environment with no network at all, where constituents access cloud-hosted resources. Still others think in terms of being that cloud hosting environment itself.
Beyond those elements, we need to consider the number of assets, their geographic diversity, their relative value, and many other aspects that you can no doubt imagine.
This made me wonder if we need some sort of easy reference term to capture the essential nature of these sorts of diverse environments. I thought immediately of the term “class M planet,” from Star Trek. From the Wikipedia entry:
[An] Earth-like planet, the Class M designation is similar to the real-world astronomical theory of life-supporting planets within the habitable zone… Class M planets are said to possess an atmosphere composed of nitrogen and oxygen as well as an abundance of liquid water necessary for carbon-based life to exist. Extensive plant and animal life often flourishes; often, a sentient race is also present.
In contrast, consider a class Y planet:
Class Y planets are referred to as “demon” worlds, where surface conditions do not fall into any other recognized category. Such worlds are usually hostile and lethal to humanoid life. If life forms develop on these worlds they usually take on many bizarre forms, like living crystal or rock, liquid or gaseous physical states, or incorporeal, dimensional, or energy-based states.
Given their work providing names for various offensive security activities in ATT&CK, I wonder if MITRE might consider creating a naming scheme to capture this idea? For example, a “class M” network might be an enterprise organization with endpoints, servers, and infrastructure, of a certain size. Or perhaps M1 might be “small,” M2 “medium,” and M3 “large,” where each is associated with a user count.
Perhaps an environment with no network at all, where constituents access cloud-hosted resources, would be a class C network. (I’m not sure “network” is even the right term, if there is no “network” for which the organization is responsible.)
With such a scheme in place, we could begin a cybersecurity discussion by asking, “given a class M network, what defensive processes, people, or technology are appropriate,” versus “given a class C network, what defensive processes, people, or technology are appropriate.”
This is only an idea, and I’d be happy if something was already created to address this problem. Comments below are welcome (pending moderation to repel trolls and spammers.) Alternatively, reply to my announcement of this post via @taosecurity on Twitter.