Protecting Businesses from Complex Cyber Attacks


Technology has brought many blessings to mankind. However, technology in the wrong hands is a global nightmare. Advances in aeronautics made intercontinental flights possible, but the same technology was used to attack the WTC. Similarly, information technology and the Internet of Things (IoT) have made life easier for the common man, but their use by cybercriminals can lead to all kinds of cyber attacks – from identity theft to murder by remote control, by stopping a pacemaker or shutting down a patient's insulin pump.

So, how do we make life safer for law-abiding citizens and organizations? We have to look beyond technology for a solution. The answer lies in improving our cybersecurity.

How should an organization improve its cybersecurity and strengthen its defense?

- First, study the published cyberattacks on similar organizations and categorize them.

- Identify your own weaknesses.

- Try to foresee whether your weaknesses would allow similar attacks to succeed in breaching your defenses.

- If so, strengthen your defenses by removing the weaknesses.

This advice is simple to give but difficult to follow because of the complexity of the technical problems.

Addressing this issue needs a two-pronged scheme. One prong is to adopt a good cybersecurity framework; the second is to have good, qualified and competent personnel to implement it across the organization.

Recently NIST (National Institute of Standards and Technology) published the ‘Framework for Improving Critical Infrastructure Cybersecurity’. It is applicable even to ‘non-critical’ areas. This framework identifies five core functions.

1. Identify – We should anticipate what the cybercriminal may want. Understand the business context, the resources that support critical functions and the related cybersecurity risk. This enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

2. Protect – Put controls in place that ensure safe delivery of critical infrastructure services and the safety of critical assets. These are access control; awareness and training; data security; information protection processes and procedures; maintenance; and protective technology.

3. Detect – Raise the alarm as soon as something out of the ordinary is noticed. We must discover cybersecurity incidents as soon as they happen. This requires detection of anomalies and events; continuous security monitoring; and detection processes.

4. Respond – Have action plans ready for each type of cybersecurity incident. This involves response planning; communications; analysis; mitigation; and improvements.

5. Recover – Restore any capabilities or services that were impaired by a cybersecurity incident. This involves recovery planning; improvements; and communications.

Each Function comprises one or more Categories and numerous specific Subcategories, which provide a process assessment for determining the current state and the target goals.

The Framework is technology neutral. It relies on a variety of existing standards, guidelines and practices to enable critical infrastructure providers to achieve resilience. NIST provides informative references to cross-sector, internationally recognized guidance that assists in accomplishing each Subcategory.

Informative references mentioned in the framework are:

1. Critical Security Controls for Effective Cyber Defense from Cyber Security Council,

2. COBIT 5: A business framework for governance and management of IT from ISACA,

3. NIST’s Special Publication 800-53,

4. The ISA/IEC 62443 cybersecurity standard for Industrial Automation and Control Systems (IACS) from the International Society for Automation, and

5. ISO 27002:2013 for Information Security Management Systems (ISMS).

The list of references looks overwhelming. But the task at hand is also overwhelming. Just remember that a chain is only as strong as its weakest link. The cyber attacker has to attack only that weak link to succeed, but we have to protect every link, every component of the entire infrastructure. Overt attacks are still easier to repulse, but the insidious “persistent threats” that go unnoticed for a long time may eat away at the foundation of your security silently but lethally. We need to find effective cyber controls for both kinds of threats. The Framework gives us the option of selecting the right tool for the right job.

Finally, to ensure that these measures can be effectively implemented, we need well-trained cybersecurity professionals. NIST has proposed a cybersecurity workforce framework, NICE (National Initiative for Cybersecurity Education). It defines the knowledge, skills and attitude required for cybersecurity. This ranges from information security assurance, software engineering and enterprise architecture to cyber threat analysis, incident response, and vulnerability assessment and management — more than 30 distinct areas of specialization.

Unfortunately, there is a global shortage of skilled cybersecurity professionals. Resources such as Cybersecurity Nexus (CSX) are good steps forward, and more needs to be done. It is imperative that we follow a structured, framework-based approach to fight this battle against cyber terrorists with a proper plan and well-trained manpower.