JOHAN DU PLOOY, MTECH (UNISA), CFE, CPP FIS(SA)
Experience has shown that total security in any organisation is not achievable. Time, effort and money are therefore better spent on limiting threats in an organised manner, and on establishing a plan to recover from an incident as quickly as possible.
Organisations rely on people, technology (including information) and systems to support their business goals. An organisation should apply the same rigour to assessing the risks to its technology, systems and information assets as it applies to other risks with a material business impact, such as regulatory, financial or operational risks. In the technology sphere the economic threats are not only cybercriminal: planning for and implementing the requirements of new legislation and regulations, which set the legal parameters for building and maintaining IT systems, also carries a cost.
The cost of implementing security measures, and of investigating a breach when one occurs, keeps rising, and not every organisation can justify the expense of an investigation or even of the protective measures it needs. Some organisations, unable to carry these costs, take short-cuts and leave themselves, and everyone connected to their systems, vulnerable. The question is: where do we start?
Taking risk is a necessary part of doing business: it creates opportunities and helps deliver business objectives. To operate successfully, an organisation must address risk and respond proportionately and appropriately, to a level consistent with the risks it is, and is not, willing to tolerate. An organisation that fails to identify and manage risk invites its own demise. The introduction to the Symantec Internet Security Threat Report, Volume 21, dated 26 April 2016, states: "Symantec discovered more than 430 million new unique pieces of malware in 2015, up 36 percent from the year before. Perhaps what is most remarkable is that these numbers no longer surprise us. As real life and online become indistinguishable from each other, cybercrime has become a part of our daily lives. Attacks against businesses and nations hit the headlines with such regularity that we've become numb to the sheer volume and acceleration of cyber threats."
MyDoom is widely cited as the most costly malware outbreak in cyber security history, with estimated financial damage of $38.5 billion.
MyDoom, an email worm, was first spotted in January 2004 and became the fastest-spreading email worm on record at the time. Its origins are believed to lie in Russia, but its author was never identified.
A Risk Based Security Strategy (RBSS), which brings an organised approach to the various threat elements, is therefore critical: it focuses attention on the areas that actually need to be addressed, saving time, effort and cost.
Organisations face new threats every day. Many of these threats and attacks are derivatives of earlier ones, but they remain devious and dangerous nonetheless. It is often not possible to design a system securely from the start: many systems have been in operation for years and must be maintained and upgraded periodically to protect the organisation from the myriad of threats, while keeping it connected to its supply chain and clients. The size of the organisation does not matter, because attackers do not discriminate by size or structural complexity: they treat the more complex systems as a challenge and the smaller, less protected systems as "easy pickings". The Symantec 2015 report cites estimates that approximately 3.9 billion "things" were connected to the internet in 2014, growing to 4.9 billion in 2015 and 6.4 billion in 2016, with 20.8 billion connected "things" forecast by 2020. The security implications are staggering.
Staying ahead of the threat curve creates many challenges for the security manager responsible for the security systems and barriers that protect the organisation against the many types of cyber threat. No single individual, anywhere in the world, will ever have the knowledge to personally understand or deal with the estimated 230,000 new malware samples produced every day (according to Panda Security's PandaLabs). This requires a team approach, with Board-level support, to establish a Risk Based Security Strategy and to facilitate its implementation and constant monitoring. The team will consist of internal and external resources and partners.
Establishing a Risk Based Security Strategy is essential if an organisation hopes to make any headway in protecting itself, not only from external threats but also from the myriad of threats it must contend with from within the organisation itself.
As cyber security risks grow in number and sophistication, organisations need to shift their emphasis from responding to incidents to preventing them, by identifying threats in advance.
The building blocks start with an understanding of what needs to be protected. A robust risk-based approach to security must help the organisation prioritise information and other security threats. The techniques an attacker may employ need to be understood, and the strategy must include an evaluation of whether existing controls can prevent, detect and respond to an attack. Without this knowledge and a proper understanding of the threat actions, an organisation will struggle to determine its level of exposure to particular threats. Cyber incident response plans need to be structured and ready to address these threats when they arise. How do we get to this point?
Governments have established specialist agencies to deal with cybercrime, recognising that without this capability the impact on a country's economy, and by extension on its global trading partners, could be catastrophic. Although many of these government programmes have been operating for a number of years, the threats against the world's major economies have not reduced but have increased. Governments have also not tried to fight the battle alone; they have formed alliances with like-minded governments and with businesses that focus on particular elements of cybercrime.
Another aspect that governments and businesses now include in their strategy is how they will react if an attack succeeds: they prepare plans around the RESILIENCE of their organisations. The chances are high that somewhere, at some point, the adversary will have some form of success. Systems will be adversely affected, and steps will have to be taken to get the organisation back in business as soon as possible, with the least damage to its economic viability, reputation and infrastructure.
In the United States of America, the Strategic National Risk Assessment (SNRA) defines numerous threats and hazards to homeland security in the broad categories of adversarial/human-caused, natural, and technological/accidental threats. Critical assets, systems and networks face many of the threats categorised by the SNRA, including terrorists and other actors seeking to cause harm and disrupt essential services through physical and cyber attacks, severe weather events, pandemic influenza or other health crises, and the potential for accidents and failures due to infrastructure operating beyond its intended lifespan.
The potential for interconnected events with unknown consequences adds uncertainty in addition to the known risks analysed as part of the SNRA. Growing interdependencies across critical infrastructure systems, particularly reliance on information and communications technologies, have increased the potential vulnerabilities to physical and cyber threats and potential consequences resulting from the compromise of underlying systems or networks. In an increasingly interconnected world, where critical infrastructure crosses national borders and global supply chains, the potential impacts increase with these interdependencies and the ability of a diverse set of threats to exploit them.
In addition, the effects of extreme weather pose a significant risk to critical infrastructure—rising sea levels, more severe storms, extreme and prolonged drought conditions, and severe flooding combine to threaten infrastructure that provides essential services to the American public, and by extension to all countries. Ongoing and future changes to the climate have the potential to compound these risks and could have a major impact on infrastructure operations.
Vulnerabilities also may exist as a result of a retiring workforce or lack of skilled labour. Skilled operators are necessary for infrastructure maintenance and, therefore, security and resilience. These various factors influence the risk environment and, along with the policy and operating environments, create the backdrop against which decisions are made for critical infrastructure security and resilience.
In the UK, the government has developed the following set of principles to support management of cyber security risks when making technology decisions.
These security risk management principles apply to how people and organisations use technology and make security decisions about it. The effort applied, and the approach taken, will of course depend on what the organisation is planning to do and how it is going to be done. There is no 'one size fits all'; sensible decisions will have to be made about how the principles are applied within the context of the organisation's strategy.
- Accept that there will always be uncertainty – Risks are not always predictable and cannot be eradicated. Accepting this will help people to know that they can ask for help, admit mistakes, and seek advice from trusted sources and colleagues.
- Make security risk management 'business as usual' – Managing risk is not a one-off activity. To make sensible decisions about what is being done to protect the things that matter, risk needs to be managed all the time, as an integral part of what the organisation does day to day.
- Know what you care about and why – Understand what needs to be protected and why. This understanding can then be reflected in the approach you take to managing risks for yourself and the organisation.
- Understand what risks you are taking – It is important that you identify and understand any risks you are taking. This includes achieving a clear view of:
  - how the things you care about could be compromised
  - what impact a compromise would have on you
  - how likely it is to happen.
  This will help you to prioritise the things you need to do in response.
- Appreciate fully how risks are being managed – Once you have a clear view of the risks you face, you need to decide how they are going to be dealt with. It is important that you understand what you are doing (and what you are not doing) in response to the risks you have identified.
- Recognise the limitations of your risk management approach – All approaches to analysing and managing risk have limitations. You should understand any limitations that exist in the way you are identifying, analysing, assessing and managing risks.
- Control and direct the things you do to manage risk – The actions you take (and the decisions you make) in response to identified risks need to be governed to ensure they are consistent with the things you care about, your objectives and your priorities.
- Ensure systems are secure and usable – Unusable systems encourage users to find workarounds, resulting in systems that are unproductive and insecure. Your approach to risk management should recognise that technology systems and solutions need to be both usable and secure by design.
- Make sensible and timely risk management decisions – You need to make risk management decisions all the time. It is important that the people making decisions are accountable for them, and that you help them to make good decisions by ensuring that they have the right security and business skills, knowledge, information and tools.
- Get assurance that security is working as you expect it to – You need to have confidence (or assurance) that the things you are doing to manage risks are working as you expect them to. You should seek assurance from:
  - the people that work for you
  - the people you work with
  - the technology you use
  - the processes you rely upon to do something.
The US Department of Homeland Security (DHS) has also published material that not only gives insight into the aspects to be covered during the design phase of technology infrastructure but is also helpful to other interested parties around the globe. Its focus is not only cybercrime but the bigger picture, which includes Critical Infrastructure.
Their document describes the following concerns: the risk environment affecting critical infrastructure is complex and uncertain; threats, vulnerabilities and consequences have all evolved over the last 10 years. For example, critical infrastructure that has long been subject to risks associated with physical threats and natural disasters is now increasingly exposed to cyber risks, which stem from the growing integration of information and communications technologies with critical infrastructure operations and from an adversary focus on exploiting potential cyber vulnerabilities.
The Italian government, through UNI, its national standards body, commissioned a standard providing guidelines for the protection of its national infrastructure.
The Member States of the EU are applying Council Directive 2008/114/EC, which establishes the procedure for the identification and designation of European Critical Infrastructures and a common approach to assessing the need to improve their protection, in order to contribute to the protection of people and relevant assets.
The Directive, as part of the European Programme for Critical Infrastructure Protection (EPCIP), sets out a number of actions to be implemented and adhered to.
The document is designed to apply to owners or operators, that is, organisations owning or managing Critical Infrastructures in the energy sector and its sub-sectors (electricity, oil, gas) and the transport sector and its sub-sectors (road transport, rail transport, air transport, inland waterways transport, ocean and short-sea shipping and ports), as listed in the Council Directive; but it can also be applied to other sectors in which a Critical Infrastructure might operate. These other sectors include:
- communications and information technology;
- finance (banking, securities and investment);
- health care;
- water (dams, storage, treatment and networks);
- production, storage and transport of dangerous goods (e.g. chemical, biological, radiological and nuclear materials);
- government (e.g. critical services, facilities, information networks, assets and key national sites and monuments).
The document was designed to complement Directive 2008/114/EC by supporting a resilience management system that assists national authorities, Critical Infrastructure sectors and sub-sectors, and individual owners or operators in responding to the requirements of the Directive, for both European Critical Infrastructures and Critical Infrastructures in general.
The thoughts presented here offer only a small glimpse of why it is critical to start with a plan during the design phase. It does not matter in which space we operate, or whether we are addressing only cybercrime or infrastructure threats: the two are so intertwined that the threats remain the same, differing only in degree, and each instance requires specifically focused countermeasures and remedies.
The following pointers are worth remembering, but they are only the minimum that should be considered when planning:
- Understand the business context.
- Decide on the risk management approach.
- Understand key risk components.
- Understand what risks exist.
- Undertake a gap analysis.
- Develop a workable risk management strategy.
- Communicate risk consistently.
- Make informed risk management decisions.
We cannot operate in a vacuum or in isolation; we need to research constantly and remain aware of the new threats that present themselves each day.
Without a proper strategy and an understanding of the threats, things can easily go wrong, and the organisation could end up with costly countermeasures that are not suited to its size or operational environment.