A Framework to Measure Cyber Resiliency


“Pain is inevitable, suffering is optional”

The above phrase has endured through the ages, conveying the notion that while challenges are an unavoidable part of life, our response to them can determine the extent of our distress.

In a similar vein, not too long ago, security breaches were infrequent, primarily driven by a quest for fame rather than financial gain. However, the landscape has shifted dramatically. Companies across the spectrum, from hot startups to Fortune 500 giants, from those meticulously adhering to ISO 27001 and PCI DSS standards to unregulated entities, spanning industries such as healthcare and fintech, find themselves vulnerable to cyber threats.

Given the inevitability of breaches, a fundamental question emerges: What should organizations prioritize? I posed this question to peers, friends, and numerous professionals within our industry, and a singular response echoed throughout:

“Resilience”

But what exactly is Cyber Resilience?

Cyber resilience denotes an organization’s capacity to anticipate, endure, recover from, and adapt to adverse circumstances, stresses, attacks, or compromises on systems reliant on or enabled by digital resources. In essence, it revolves around preparedness for the inevitable breach.

Can we quantify resilience?

The answer is Yes, and various frameworks exist to assist in this journey. Several months ago, I had the privilege of conducting a Cyber Resiliency Assessment for a large financial institution in the Middle East. Instead of solely concentrating on detection and incident response capabilities, I sought to ascertain whether any frameworks could aid in the process. It was during this quest that I encountered the Cyber Resiliency Review (CRR).

The CRR is derived from the CERT Resilience Management Model (CERT-RMM), a process improvement model developed by Carnegie Mellon University’s Software Engineering Institute for managing operational resilience. Although the CRR is meant to be an instructor-led or self-assessment module based on a series of questions and answers, the process in itself generates thought-provoking questions and answers.

The principles and recommended practices within the CRR align closely with the Cybersecurity Framework (CSF) developed by the National Institute of Standards and Technology (NIST). After performing a CRR, you can compare the results to the criteria of the NIST CSF to identify gaps and, where appropriate, recommended improvement efforts.

The CRR is based on the premise that an organization deploys its assets (people, information, technology, and facilities) to support specific critical services or products. Based on this principle, the CRR evaluates the maturity of your organisation’s capacities and capabilities in performing, planning, managing, measuring and defining cybersecurity capabilities across 10 domains.

The CRR Domains:


  1. Asset Management: Asset management is critical for cyber resilience because organizations need to understand what assets they have and where they are located. This information is necessary for effective risk management, vulnerability management, and incident response.
  2. Controls Management: Controls management involves the implementation, monitoring, and maintenance of security controls that protect an organization’s assets. Effective controls management can prevent, detect, and mitigate the impact of cyberattacks.
  3. Configuration and Change Management: Configuration and change management are important for ensuring that systems and applications are configured and updated securely. Changes to system configurations and applications can introduce new vulnerabilities, so effective configuration and change management is necessary to maintain cyber resilience.
  4. Vulnerability Management: Vulnerability management involves identifying and prioritizing vulnerabilities in an organization’s systems and applications. By addressing vulnerabilities, organizations can reduce the risk of cyberattacks and minimize the impact of any successful attacks.
  5. Incident Management: Incident management is critical for responding to cyberattacks and minimizing their impact. Effective incident management includes incident detection, response, containment, and recovery.
  6. Service Continuity Management: Service continuity management involves planning for and responding to disruptions to an organization’s services. By planning for disruptions and developing contingency plans, organizations can maintain critical services during and after a cyberattack.
  7. Risk Management: Risk management involves identifying, assessing, and prioritizing risks to an organization’s assets. Effective risk management can help organizations understand the likelihood and potential impact of cyberattacks and prioritize their resources accordingly.
  8. External Dependency Management: The purpose of External Dependencies Management is to establish processes to manage an appropriate level of controls to ensure the sustainment and protection of services and assets that are dependent on the actions of external entities.
  9. Training and Awareness: The purpose of Training and Awareness is to develop skills and promote awareness for people with roles that support the critical service.
  10. Situational Awareness: Situational Awareness involves monitoring the cyber threat landscape and understanding the potential impact of emerging threats. By maintaining situational awareness, organizations can proactively respond to emerging threats and maintain their cyber resilience.

Methodology

Although the CRR is meant to be an instructor-led or self-assessment module based on a series of questions and answers, you can use it as a reference and conduct your own assessment. You may or may not use it as is; alternatively, refer only to the high-level methodology and customise it based on your needs. Having said that, let’s move on.

There are 10 domains and each domain has its own set of goals. Each domain is composed of a purpose statement, a set of specific goals and associated practice questions unique to the domain, and a standard set of Maturity Indicator Level (MIL) questions.

Figure: Cyber Resiliency Domains and Goals

The MIL questions examine the institutionalisation of practices within an organisation. The Maturity Indicator Levels (MIL) are scored from 0 to 5 and, in that order, are classified as Incomplete, Performed, Planned, Managed, Measured and Defined.

As shown in the picture below, the number of goals and practice questions varies by domain, but the set of MIL questions and the concepts they encompass are the same for all domains. All CRR questions have three possible responses: “Yes,” “No,” and “Incomplete.”

Figure: CRR Architecture

All the questions and answers are in a Portable Document Format (PDF) file, and after filling in the answers you can generate a report with the results, which can also be mapped to the NIST CSF. Note: this requires Adobe Acrobat Reader and will not render in Preview on a Mac.

However, you can use this PDF as is or leverage it to understand the domains better, include a more hands-on review of the existing architectures and practices, and make it more comprehensive through an offline report.
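The scoring structure described above (domains built from goals and practice questions plus the common set of MIL questions, each answered Yes, No or Incomplete) as a small offline scorer. This is an added example, not code from the CRR materials, CISA or the SEI; it assumes the cumulative rule that a domain reaches MIL-1 only when every practice question is Yes and each higher MIL only when all MIL questions at that level and every lower level are Yes, and the domains, questions and answers in it are constructed.

```python
# Added example, not CISA/SEI code: a scorer for an offline CRR-style self-assessment.
# Assumption: a domain reaches MIL-1 (Performed) only when every practice question is
# "Yes", and each higher MIL only when all MIL questions at that level and below are "Yes".
# The sample domains and answers at the bottom are constructed.
from dataclasses import dataclass, field
MIL_NAMES = ["Incomplete", "Performed", "Planned", "Managed", "Measured", "Defined"]
VALID_ANSWERS = {"Yes", "No", "Incomplete"}  # the three responses every CRR question allows

@dataclass
class Domain:
    name: str
    goals: dict[str, list[tuple[str, str]]]  # goal -> [(practice question, answer)]
    mil_questions: dict[int, list[tuple[str, str]]] = field(default_factory=dict)  # MIL -> [(q, a)]

def _all_yes(items: list[tuple[str, str]]) -> bool:
    for question, answer in items:
        if answer not in VALID_ANSWERS:
            raise ValueError(f"{question!r}: invalid answer {answer!r}")
        if answer != "Yes":
            return False  # "No" and "Incomplete" both block the level
    return True

def score_domain(domain: Domain) -> int:
    """MIL 0-5 reached by a domain under the cumulative rule stated above."""
    practices = [qa for qas in domain.goals.values() for qa in qas]
    if not practices or not _all_yes(practices):
        return 0  # MIL-0 Incomplete: at least one practice is not performed
    level = 1  # MIL-1 Performed: every practice answered Yes
    for mil in range(2, 6):  # Planned, Managed, Measured, Defined, in order
        if not _all_yes(domain.mil_questions.get(mil, [("unanswered", "No")])):
            break  # a gap at this level caps the score even if higher levels are Yes
        level = mil
    return level

def performance_summary(domains: list[Domain]) -> dict[str, str]:
    """Domain -> 'MIL-n Name', the per-domain view a CRR performance summary gives."""
    summary = {}
    for domain in domains:
        mil = score_domain(domain)
        summary[domain.name] = f"MIL-{mil} {MIL_NAMES[mil]}"
    return summary

ASSET_MGMT = Domain("Asset Management",  # constructed, abbreviated sample domain
    goals={"Services are identified": [("Are services identified?", "Yes")],
           "Assets are inventoried": [("Are assets inventoried?", "Yes"),
                                      ("Are asset owners assigned?", "Yes")]},
    mil_questions={2: [("Is there a documented plan?", "Yes")],
                   3: [("Is the activity overseen?", "Yes")],
                   4: [("Are measurements collected?", "Incomplete")],
                   5: [("Is a standard process defined?", "Yes")]})
INCIDENT_MGMT = Domain("Incident Management",  # one practice not performed -> MIL-0
    goals={"Events are detected": [("Are events detected?", "Yes"),
                                   ("Are events logged?", "No")]},
    mil_questions={2: [("Is there a documented plan?", "Yes")]})
```

Calling `performance_summary([ASSET_MGMT, INCIDENT_MGMT])` gives the per-domain lines of a summary like the one in the Key Takeaways below; the Incomplete answer at MIL-4 caps Asset Management at MIL-3 even though its MIL-5 question is Yes.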

Key Takeaways

The Cyber Resiliency Review (CRR) offers a great insight into an organization’s cybersecurity stance. This assessment enhances the collective awareness across the organization regarding the necessity of effective cybersecurity management. It evaluates the critical capabilities essential for upholding vital services during periods of operational challenges and emergencies. Additionally, it serves as a validation of managerial achievements and stimulates constructive discussions among participants representing various functional areas within the organization.

Furthermore, the CRR delivers a comprehensive final report, charting the relative maturity of resilience processes across the ten domains. It also presents potential improvement options for consideration, drawing upon established standards, best practices, and references to the Computer Emergency Response Team – Resilience Management Model (CERT-RMM).

Figure: Sample Performance Summary

In summary, while breaches remain an inevitable aspect of the digital landscape, the degree of suffering they inflict is a matter of choice. By focusing on cyber resilience, organizations can fortify themselves to emerge stronger in the face of adversity.

How are you assessing resiliency? Feel free to comment and share your thoughts and feedback.

Link to CRR Resources is here – https://www.cisa.gov/resources-tools/resources/cyber-resilience-review-downloadable-resources

Digital Lending Guidelines Quick Overview

Concerned with increasing fraud and issues in the digital lending space, India’s central bank, the Reserve Bank of India (RBI), released digital lending guidelines late last year covering various aspects. These are targeted at banks, Non-Banking Financial Companies (NBFCs), co-operative banks and other financial institutions.

The guidelines focus on the digital aspects of areas such as technology standards, privacy policy, grievance redressal, loan disbursal, servicing and repayment.

Here is a quick overview of the digital lending guidelines. If you seek any guidance on this topic, please do not hesitate to get in touch with me here:

Figure: India Digital Lending Guidelines

Protecting Your Brand’s Online Identity: Safeguarding Your Social Media Accounts from Hacking and Misuse

An organisation’s social media handles are often associated with the company’s brand and identity itself. If someone else gains control of a handle, they can damage the company’s reputation by posting inappropriate or misleading content.

It is said that nearly 20% of small and medium businesses have had their social media accounts hacked.


Here are some interesting incidents from the past:

  • Concerned about fake news and hate speech, Sweden’s public radio closed its Twitter accounts
  • Prime Minister Narendra Modi’s Twitter account was hijacked in 2021
  • Popular gaming company PUBG’s official YouTube account was hacked
  • The Union Ministry of Information and Broadcasting’s Twitter account was hacked last year
  • Elon Musk’s Twitter account has been hijacked repeatedly in the past to run pump-and-dump Bitcoin scams

Recent incidents targeting the accounts of brands and large organisations have prompted regulators to call for additional measures to safeguard social media accounts.

In fact, in India the Reserve Bank of India (RBI), in its master directives for NBFCs, has explicitly called for safeguarding them:

Figure: RBI Master Directive on Social Media

What should you do to safeguard your organisation’s social media accounts?

If you are managing your company’s social accounts, here’s a checklist to ensure they are secure:

  1. Use official company email IDs to manage and map social accounts. I have seen personal email accounts used for managing brands. This could also lead to problems once the employee quits. Also, as these non-company email IDs are unmanaged, it is difficult to enforce security controls around them.
  2. Enable multi-factor authentication (MFA) to require two components for login. Even in the case of a password leak or theft, the hackers would still need the MFA factor to gain access.
  3. Do not reuse passwords across different accounts. Hackers often check whether a password found in a leak can be reused elsewhere.
  4. Get the company’s official accounts verified for assurance and credibility. Prioritize this and get it done, as too many fake listings are causing great losses for customers.
  5. If your company is using third-party tools or plugins, routinely review them for any vulnerabilities. A common phenomenon I have encountered during web security audits is that websites hosted on a CMS like WordPress, Drupal etc. often use plugins integrated for social shares, marketing, analytics etc. If these plugins are not updated, chances are they can be hacked and used to gain entry into the websites. If your corporate website is hosted separately from the web applications, the damage is limited. If not, this could lead to much more serious data breaches.
  6. If you engage third-party agencies or consultants, ensure you review their security practices and that they are in line with all the regulatory requirements. Regulators like RBI and SEBI mandate that even third parties should follow the same security practices outlined for regulated entities.
  7. Regularly monitor accounts for any suspicious activity or unauthorized access.
  8. Back up all social media account data regularly to minimize the impact of any security incidents or data loss.
  9. Limit access to social media accounts to only authorized personnel and use role-based access controls. Managing multiple email accounts for social media channels can sometimes be challenging. You can create a distribution list if multiple people log in to the account and then set different passwords.
  10. Consider using social media management tools to help manage and secure accounts more effectively.
  11. If you are a CISO or security professional for your company, please do spend some time with the Marketing and Customer Support teams on how they handle these channels with regard to logging in and content review. Please also pay attention to how they handle sensitive information shared by customers over these channels.
  12. Create a crisis communication plan to prepare for any potential security incidents, including who to contact, what to do, and how to respond to the public. You can write Standard Operating Procedures for these and share them internally so that it is easier to act in the event of a data breach.

Brand verification

Brand Verification is essential to confirm that social accounts truly represent your company. All platforms offer the option for brands to verify their accounts as official. Brand verification provides multiple benefits:

  • Assures customers that they are interacting with official company accounts
  • Adds credibility to information shared through verified accounts
  • Prevents rogue accounts from creating channels using your company name
  • Makes it easier to take down spam and unauthorized accounts

Verification Process Links:

Verification links for popular social media accounts are listed here:

If you found this useful, please like and reshare.

About Me: I help fast-growing startups, fintechs and other companies in the areas of cyber security. If you need pragmatic guidance or help in this regard, do not hesitate to get in touch with me: email@vprasanna.com

Black Friday and Cyber Monday Deals for Cyber Security Tools


Black Friday and Cyber Monday are around the corner. Over the years, I have bought discounted multi-user, multi-year packs of VPN software, a perpetual license for Shodan, fancy domain names that are sitting idle (the ideas remained ideas!), antivirus, WiFi cards, USB devices with encryption and many more.

This is a great time for buying some geeky stuff including security tools and services at discount for yourselves, family, friends and your employees. I have listed some of my favourite stuff that can enhance your cybersecurity posture:

Password Managers

Like I mentioned here, I think password managers are still the most underrated tool when it comes to cyber security. We still have not transitioned from the “remember your password” mode to the “passwords are not meant for remembering” mode.

Use the password manager in conjunction with a key or a token; then all you need to remember is just one password, and the rest should be in a password manager on your system or in a browser. If not a paid one, you can also opt for a good open source one like KeePass.

If you are on Mac and iPhone, the inbuilt KeyChain acts as a multi-device password manager when used with Safari Browser.

VPNs

One of the first steps to minimize exposure of your personally identifiable information is to encrypt and route all your traffic through a notable VPN service provider, so that your local ISP is blind to your network activities and does not gather information about your browsing habits. Most vendors discount their products during the Black Friday / Cyber Monday sales.

Privacy Filters

A gadget like Privacy Filter narrows the viewing angles and prevents shoulder surfing or snooping by others. This is a great addition for the sales and marketing teams and CXOs who are on the road and working out of cafes, airports, and other crowded places.

Hardware MFA tokens

It has been published that hardware MFA tokens (those that comply with the FIDO framework) are phishing-resistant. You can popularise these in your offices instead of traditional soft MFA. If not for all staff due to pricing concerns, you can limit them to critical folks.

Webcam covers and stickers

I use a simple piece of tape to cover my webcam, and there are also some stickers with toggle options. However, there were some screen breakage issues on MacBooks when using the slightly thicker webcam covers. This even prompted Apple to issue an advisory.

Software and Hardware Tools

I remember having paid a dime for Shodan in one of the Black Friday deals a few years back, and it’s a great tool to get some intel on IP addresses. Similarly, some great hardware tools like Alfa wireless cards and Pineapple Express pentesting tools also see great discounts during this time.

Do comment and let me know what’s been your best Black Friday or Cyber Monday purchase. I have added a few data privacy tools like onedelete, onerep and wearables in the forked repo:

https://github.com/gravityfuel/InfoSec-Black-Friday/

#blackfriday #cybermonday #blackfridaycybersecuritydeals #cybersecuritydeals #cyberweek #cyberdeals