Why most people get Cyber Security wrong and what really needs to be done? (Part B)
Abubakar Latif
CTO BEYON Cyber - We are building AI to augment Human Intelligence in Cyber Defense
Foreword: In an attempt to ensure that this article does not get too lengthy, I will try and summarize “well known” concepts and try to focus on what I believe are pain areas.
There is no single silver bullet to have an effective cyber security program. I have, as part of this article, tried to provide some recommendations.
It is basically a SIX step process in my opinion:
Step 1: IDENTIFY
1. Set the boundaries of your cyber space well. The organization you work for is in the process of shifting, or has already shifted, all of its critical functions and critical information online (into an electronic medium or digital format, depending on how you want to define it). Among these functions and information are:
- Physical access to your facilities: the log data is stored and processed in digital format and transmitted over IP.
- The way your employees work, which includes communicating with fellow employees, friends and peers (WhatsApp, Facebook etc.) and storing work-related information (smartphones, tablets, laptops, cloud).
- The way critical functions in your company are run: I gave the example of a financial system in my previous article; all HR-related functions; business transactions, for instance if your company offers e-commerce services or online transaction facilities.
- Your company's website, network infrastructure and IT systems (billing systems, email etc.) are all part of the cyber space that needs to be protected.
- Primary and secondary dependencies of all services your company offers over the cyber space.
- All infrastructure and locations where your company's information is located and accessible over the cyber space.
A hacker looks at all of these as entry points into your network and onto your information, so you would be well served to take at least as holistic an approach as the bad guy.
2. Based on the inputs from the above, develop an appropriate cyber security organization structure. This is probably at the heart of everything that happens from here on. If you get the cyber security org structure wrong, you are setting yourself up for inefficiency, rework and conflicts at best, and for failure at worst. Many organizations are set up so that IT security, network security, information security (usually standards and compliance), CERT and security governance work in silos. Furthermore, fraud in financial systems, unauthorized access to payrolls and many similar functions are treated as fraud but not considered part of cyber security. How different is an insider trying to hack the company's email from one who intentionally manipulates the financial system to steal money? Today both of them are using the same digital medium!
3. Identify all assets and services that matter to the organization and ensure they are covered in the scope of cyber security.
4. The fourth part is taking the hacker's view: understanding which applicable threats can affect my systems and services over the cyber space.
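Points 1 and 3 above amount to building a scope: every critical service plus its primary and secondary dependencies. The following is an added example (not code from the article or its author) that computes that scope from a constructed service-to-dependency map; all asset names in it are hypothetical, and the map is the kind of thing a CMDB or architecture review would feed in.

```python
from collections import deque

# Constructed sample: a hypothetical map of each service to the assets it
# depends on directly. Names are made up for illustration.
DEPENDENCIES = {
    "ecommerce-website": ["web-tier", "payment-gateway", "customer-db", "email"],
    "web-tier": ["dns", "cdn", "tls-certificates"],
    "payment-gateway": ["card-processor", "hsm"],
    "customer-db": ["db-cluster", "backup-storage"],
    "db-cluster": ["backup-storage"],
    "hr-payroll": ["hr-app", "payroll-db", "active-directory"],
    "hr-app": ["active-directory", "email"],
    "payroll-db": ["backup-storage"],
}


def dependency_closure(service, deps=DEPENDENCIES):
    """Return {asset: depth} for every asset the service transitively depends on.

    Depth 1 is a primary dependency, depth 2 a secondary one, and so on.
    Breadth-first traversal gives each asset its shortest depth and the
    'seen' set stops cycles from looping forever."""
    seen = {}
    queue = deque([(service, 0)])
    while queue:
        node, depth = queue.popleft()
        for child in deps.get(node, []):
            if child not in seen:
                seen[child] = depth + 1
                queue.append((child, depth + 1))
    return seen


def cyber_security_scope(critical_services, deps=DEPENDENCIES):
    """Union of every critical service and all of its transitive dependencies:
    the minimum set of assets that must fall inside the security program."""
    scope = set(critical_services)
    for svc in critical_services:
        scope.update(dependency_closure(svc, deps))
    return scope


def shared_dependencies(critical_services, deps=DEPENDENCIES):
    """Assets that more than one critical service relies on. A compromise or
    outage there affects several business functions at once, so these are
    the first candidates for extra protection and monitoring."""
    counts = {}
    for svc in critical_services:
        for asset in dependency_closure(svc, deps):
            counts[asset] = counts.get(asset, 0) + 1
    return sorted(asset for asset, n in counts.items() if n > 1)


if __name__ == "__main__":
    critical = ["ecommerce-website", "hr-payroll"]
    for svc in critical:
        print(svc, dependency_closure(svc))
    print("in scope:", sorted(cyber_security_scope(critical)))
    print("shared:", shared_dependencies(critical))
```

The useful output is the last line: assets that several critical services share are the ones most often left out of scope because no single service owner thinks of them as "theirs".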
Step 2: PROTECT
This step covers comprehensive, layered and in-depth protection of every element identified under Step 1. It includes having the right policies and standards (ISMS); IT and network protection controls (system patching, application security, FWs, IPS, WAF etc.); secure business logic (for instance, if your e-commerce website has a four-step buying process, it needs to enforce that business logic accurately against any violations and exceptions); user awareness; remote access; mobile devices holding corporate information; and securing physical access (the first steps of most sophisticated cyber hacks in recent times began with exploiting simple vulnerabilities in physical access).
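The four-step buying process is a good illustration of what "secure business logic" means in practice: the server, not the client, decides which step comes next and what the order is worth. The following added example (not code from the article or its author) models a hypothetical checkout of cart, address, payment and confirm as a server-side state machine that rejects skipped, repeated or reordered steps and recomputes the total from its own catalog rather than trusting an amount sent by the client. Step names, catalog and prices are constructed.

```python
from decimal import Decimal

# Hypothetical four-step checkout; the order of this tuple is the business logic.
ORDER_STEPS = ("cart", "address", "payment", "confirm")

# Constructed server-side price list. Prices never come from the client.
CATALOG = {"book": Decimal("12.50"), "cable": Decimal("4.00")}


class BusinessLogicViolation(Exception):
    """Raised when a request tries to skip, repeat or reorder a checkout step."""


class Order:
    def __init__(self, order_id):
        self.order_id = order_id
        self.completed = []      # steps finished so far, in order
        self.items = {}
        self.address = None
        self.payment_ref = None

    def _require(self, step):
        # The single place that decides which step is allowed next.
        done = len(self.completed)
        if done >= len(ORDER_STEPS):
            raise BusinessLogicViolation(f"order {self.order_id} is already confirmed")
        expected = ORDER_STEPS[done]
        if step != expected:
            raise BusinessLogicViolation(
                f"order {self.order_id}: '{step}' requested, but next step is '{expected}'")

    def total(self):
        # Recomputed from the server-side catalog on every call.
        return sum(CATALOG[sku] * qty for sku, qty in self.items.items())

    def set_cart(self, items):
        self._require("cart")
        for sku, qty in items.items():
            if sku not in CATALOG or qty <= 0:
                raise BusinessLogicViolation(f"invalid line item {sku!r} x {qty}")
        self.items = dict(items)
        self.completed.append("cart")

    def set_address(self, address):
        self._require("address")
        if not address.strip():
            raise BusinessLogicViolation("empty shipping address")
        self.address = address
        self.completed.append("address")

    def pay(self, payment_ref, amount_charged):
        self._require("payment")
        # Validate the charged amount against the server's total, never a client field.
        if Decimal(amount_charged) != self.total():
            raise BusinessLogicViolation(
                f"payment {amount_charged} does not match order total {self.total()}")
        self.payment_ref = payment_ref
        self.completed.append("payment")

    def confirm(self):
        self._require("confirm")
        self.completed.append("confirm")
        return {"order_id": self.order_id, "total": self.total(),
                "payment_ref": self.payment_ref, "status": "confirmed"}

    def is_confirmed(self):
        return self.completed == list(ORDER_STEPS)


def rejected(action, *args):
    """True if the action is refused by the business-logic checks."""
    try:
        action(*args)
        return False
    except BusinessLogicViolation:
        return True


if __name__ == "__main__":
    order = Order("A1")
    order.set_cart({"book": 2, "cable": 1})
    print("skip address, pay directly:", rejected(order.pay, "ref-0", "29.00"))
    order.set_address("1 Main St")
    print("pay the wrong amount:", rejected(order.pay, "ref-0", "0.01"))
    order.pay("ref-1", "29.00")
    print(order.confirm())
    print("confirm twice:", rejected(order.confirm))
```

The point to take away is that every violation is caught by one function (`_require`) and one recomputation (`total`), so an audit of the business logic has two places to look instead of a check scattered across every page of the checkout.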
Step 3: DETECT
The old cliché: it is not a matter of whether you will be hacked, it is a matter of when. One statistic reveals that over 90% of large companies in the UK were affected by a cyber-attack during 2015. And detecting a cyber-attack or infiltration is extremely difficult: the industry average tells us that in most cases it takes years for organizations to find out that they were hacked. Consider the following:
- The Yahoo hack was revealed after two years (admittedly the company did know about it a lot earlier, but the affected users found out after two years).
- Stuxnet, considered to be the world's first digital weapon, was identified in 2014 despite having been used in cyber-crime for years.
- During the investigation of the SWIFT hack, one that cost the banking industry hundreds of millions of dollars worldwide, the investigators found that the hackers were still in the network!
- A company I know of lost over 5 million USD over a 4-year period due to misappropriation by an employee who managed to find a flaw in a business process. There were several audits of the process (protective controls) during those years, and yet they found no flaws until a whistleblower report (a point of detection). Had they managed to detect this in time, the loss could have been reduced drastically. That is exactly the point behind timely detection.
One of the most important things in cyber security is being able to detect something that has bypassed your protection controls. A comprehensive detection system is at the heart of the modern-day cyber security program (CERT). An effective detection system needs the following at the very minimum:
- Points of detection: it is extremely important to have as many points of detection as possible. Most, if not all, of this information is already logged in digital format: network logs, application logs, database logs, access control logs, logs of business logic, system/service/application uptime logs, email logs, DNS logs. The list goes on and on; the more detection points you have, the more visibility you have within your cyber space.
- Threat management system: the modern-day SIEM is not only a central log collector; it correlates all the information it receives from the various points of detection. The more information it correlates, the more comprehensive a picture it can provide.
Consider the following example: a person walking into a company office is a very routine thing. But if this person is a known criminal, walks into your CEO's office at 9 pm, copies some information and leaves with some papers, then you know you have a problem. If the same thing happens in cyber space, this sequence of events would be captured by different monitoring systems. It is the integration of these systems that completes the picture, and the correlation rule sets the alarm bells ringing that there may be reason for concern.
These correlation rules are what provide the indicators of compromise.
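The CEO's-office example above, turned into a correlation rule: none of the three events (an after-hours badge into the executive floor, reads of board documents, a copy to removable media) is alarming on its own, but the same user doing all three within a short window is. The following added example (not code from the article or its author, and not any SIEM's rule language) runs such a rule over constructed log lines from three hypothetical points of detection; the log format, field names, user names and watchlist are all invented for the illustration.

```python
from datetime import datetime, timedelta
import re

# Constructed log lines from three hypothetical points of detection:
# a badge system, a file-server audit log and a USB/DLP agent.
LOGS = """\
2024-03-11T20:55:10 badge     user=jsmith door=exec-floor result=granted
2024-03-11T20:58:42 fileshare user=jsmith host=ceo-laptop action=read path=/board/minutes-q1.docx
2024-03-11T21:01:05 fileshare user=jsmith host=ceo-laptop action=read path=/board/strategy-2024.pptx
2024-03-11T21:03:30 usb       user=jsmith host=ceo-laptop action=copy bytes=48000000
2024-03-11T09:12:00 badge     user=alee door=exec-floor result=granted
2024-03-11T09:15:00 fileshare user=alee host=hr-ws1 action=read path=/hr/policy.pdf
2024-03-11T21:10:00 badge     user=bkhan door=lobby result=granted
"""

# Constructed watchlist: the "known criminal" of the article's example, e.g.
# accounts flagged by HR, or by local or global threat intelligence.
WATCHLIST = {"jsmith"}
BUSINESS_HOURS = (8, 18)          # 08:00 to 18:00 counts as working hours
WINDOW = timedelta(minutes=30)    # how close together the events must be

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse(line):
    """Turn one 'timestamp source key=value ...' line into a dict."""
    ts, source, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    fields["source"] = source
    return fields


def after_hours(ts):
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def after_hours_badge_users(lines):
    """A single-source rule for comparison: everyone who badged in after hours.
    It fires on routine late arrivals too, which is why it is noisy on its own."""
    events = [parse(l) for l in lines.strip().splitlines()]
    return sorted({e["user"] for e in events
                   if e["source"] == "badge" and after_hours(e["ts"])})


def correlate(lines):
    """One alert per user when, within WINDOW of an after-hours badge into the
    executive floor, that user reads board documents and copies data to USB."""
    events = [parse(l) for l in lines.strip().splitlines()]
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        badges = [e for e in evs
                  if e["source"] == "badge" and e.get("door") == "exec-floor"
                  and after_hours(e["ts"])]
        for badge in badges:
            later = [e for e in evs if badge["ts"] <= e["ts"] <= badge["ts"] + WINDOW]
            reads = [e for e in later
                     if e["source"] == "fileshare" and e["path"].startswith("/board/")]
            copies = [e for e in later
                      if e["source"] == "usb" and e["action"] == "copy"]
            if reads and copies:
                alerts.append({
                    "user": user,
                    "severity": "high" if user in WATCHLIST else "medium",
                    "start": badge["ts"].isoformat(),
                    "files": [e["path"] for e in reads],
                    "bytes_copied": sum(int(e["bytes"]) for e in copies),
                })
                break   # one alert per user is enough
    return alerts


if __name__ == "__main__":
    print("after-hours badge only:", after_hours_badge_users(LOGS))
    for alert in correlate(LOGS):
        print(alert)
```

Run against the sample, the single-source rule flags two users (one of them just walking through the lobby at night), while the correlated rule flags only the one whose badge, file reads and USB copy line up. Each extra point of detection folded into the rule removes a source of false positives rather than adding one.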
Step 4: RESPOND
It is exactly what you would think it is: a well-defined incident response process.
Step 5: RESOLVE
In my opinion, the response to an incident is complete when the cause of the incident is removed and the service is restored along with revised security controls. "Resolve", on the other hand, is about resolving the real cause. For instance, the response to a website hack would include bringing the website back to its restoration point, whereas resolution would be to find out whether the hack was part of a targeted, motivated campaign and, if so, to map it to the kill chain or TTPs (tools, techniques and procedures) of the campaign. In short, this step is about identifying whether the incident was a one-off or part of a sophisticated cyber-attack against your business.
Step 6: SUPPORTING ACTIVITIES
Supporting activities would include:
- Governance: a central body with representatives (subject matter experts) from all relevant functions
- Assurance: certifications, audits, drills (PT, vulnerability management, iCAST, cyber war games etc.)
- Threat intelligence (a list of all indicators of compromise worldwide, bad actors, worms, virus databases etc.): local threat intelligence and global threat intelligence
- Risk management
- Reporting: cyber security reports
To summarize all of the above:
Comment (8 years ago), CTO BEYON Cyber: many thanks Waj
Comment (8 years ago), Practice Delivery Head | Specialized in IT Risk Management | Aspiring to Leadership Role: I already summarized some of these points in Part (A). Nevertheless, great article.