Tag Archives: cyber

A Framework to Measure Cyber Resiliency

“Pain is inevitable, suffering is optional”

The above phrase has endured through the ages, conveying the notion that while challenges are an unavoidable part of life, our response to them can determine the extent of our distress.

In a similar vein, not too long ago, security breaches were infrequent, primarily driven by a quest for fame rather than financial gain. However, the landscape has shifted dramatically. Companies across the spectrum, from hot startups to Fortune 500 giants, from those meticulously adhering to ISO 27001 and PCI DSS standards to unregulated entities, spanning industries such as healthcare and fintech, find themselves vulnerable to cyber threats.

Given the inevitability of breaches, a fundamental question emerges: What should organizations prioritize? I posed this question to peers, friends, and numerous professionals within our industry, and a singular response echoed throughout:

“Resilience”

But what exactly is Cyber Resilience?

Cyber resilience denotes an organization’s capacity to anticipate, endure, recover from, and adapt to adverse circumstances, stresses, attacks, or compromises on systems reliant on or enabled by digital resources. In essence, it revolves around preparedness for the inevitable breach.

Can we quantify resilience?

The answer is Yes, and various frameworks exist to assist in this journey. Several months ago, I had the privilege of conducting a Cyber Resiliency Assessment for a large financial institution in the Middle East. Instead of solely concentrating on detection and incident response capabilities, I sought to ascertain whether any frameworks could aid in the process. It was during this quest that I encountered the Cyber Resiliency Review (CRR).

The CRR is derived from the CERT Resilience Management Model (CERT-RMM), a process improvement model developed by Carnegie Mellon University’s Software Engineering Institute for managing operational resilience. Although CRR is meant to be an instructor lead or self assessment module based on series of Questions and Answers, the process in itself generates thought provoking questions and answers.

The principles and recommended practices within the CRR align closely with the Cybersecurity Framework (CSF) developed by the National Institute of Standards and Technology (NIST). After performing a CRR, you can compare the results to the criteria of the NIST CSF to identify gaps and, where appropriate, recommended improvement efforts.

The CRR is based on the premise that an organization deploys its assets (people, information, technology, and facilities) to support specific critical services or products. Based on this principle, the CRR evaluates the maturity of your organisation’s capacities and capabilities in performing, planning, managing, measuring and defining cybersecurity capabilities across 10 domains.

The CRR Domains:

Asset Management: Asset management is critical for cyber resilience because organizations need to understand what assets they have and where they are located. This information is necessary for effective risk management, vulnerability management, and incident response.
Controls Management: Controls management involves the implementation, monitoring, and maintenance of security controls that protect an organization’s assets. Effective controls management can prevent, detect, and mitigate the impact of cyberattacks.
Configuration and Change Management: Configuration and change management are important for ensuring that systems and applications are configured and updated securely. Changes to system configurations and applications can introduce new vulnerabilities, so effective configuration and change management is necessary to maintain cyber resilience.
Vulnerability Management: Vulnerability management involves identifying and prioritizing vulnerabilities in an organization’s systems and applications. By addressing vulnerabilities, organizations can reduce the risk of cyberattacks and minimize the impact of any successful attacks.
Incident Management: Incident management is critical for responding to cyberattacks and minimizing their impact. Effective incident management includes incident detection, response, containment, and recovery.
Service Continuity Management: Service continuity management involves planning for and responding to disruptions to an organization’s services. By planning for disruptions and developing contingency plans, organizations can maintain critical services during and after a cyberattack.
Risk Management: Risk management involves identifying, assessing, and prioritizing risks to an organization’s assets. Effective risk management can help organizations understand the likelihood and potential impact of cyberattacks and prioritize their resources accordingly.
External Dependency Management: The purpose of External Dependencies Management is to establish processes to manage an appropriate level of controls to ensure the sustainment and protection of services and assets that are dependent on the actions of external entities.
Training and Awareness: The purpose of Training and Awareness is to develop skills and promote awareness for people with roles that support the critical service.
Situational Awareness: Situational Awareness involves monitoring the cyber threat landscape and understanding the potential impact of emerging threats. By maintaining situational awareness, organizations can proactively respond to emerging threats and maintain their cyber resilience.

cyber risk resiliency domains explained — CRR Domains

Methodology

Although CRR is meant to be an instructor lead or self assessment module based on series of Questions and Answers, you can use it as a reference and conduct your own assessment. You may or may not use it as is, rather refer only the high level methodology and customise it based on your needs. Having said that, lets move on.

There are 10 domains and each domain has its own set of goals. Each domain is composed of a purpose statement, a set of specific goals and associated practice questions unique to the domain, and a standard set of Maturity Indicator Level (MIL) questions.

cyber resilience review domain composition — Cyber Resiliency Domains and Goals

The MIL questions examine the institutionalisation of practices within an organisation. The Maturity indicator levels (MIL) are scored from 0 to 5. and are classified as Incomplete, Performed, Planned, Managed, Measured, Defined.

As shown in picture below, the number of goals and practice questions varies by domain, but the set of MIL questions and the concepts they encompass are the same for all domains. All CRR questions have three possible responses: “Yes,” “No,” and “Incomplete.”

cyber resilience review domain architecture — CRR Architecture

All the QnA is on a Portable Document Format (PDF) and after filling in the answers you can generate a report with the results that can also map to NIST CSF Framework. Note: This requires Adobe Acrobat PDF Reader and will not render in Preview in mac.

However, you can use this PDF as is or leverage it to understand the domains better and include a more hands on review of the existing architectures, practices and make it more comprehensive through an offline report.

Key Takeaways

The Cyber Resiliency Review (CRR) offers a great insight into an organization’s cybersecurity stance. This assessment enhances the collective awareness across the organization regarding the necessity of effective cybersecurity management. It evaluates the critical capabilities essential for upholding vital services during periods of operational challenges and emergencies. Additionally, it serves as a validation of managerial achievements and stimulates constructive discussions among participants representing various functional areas within the organization.

Furthermore, the CRR delivers a comprehensive final report, charting the relative maturity of resilience processes across the ten domains. It also presents potential improvement options for consideration, drawing upon established standards, best practices, and references to the Computer Emergency Response Team – Resilience Management Model (CERT-RMM).

cyber resilience review performance summary — Sample Performance Summary:

In summary, while breaches remain an inevitable aspect of the digital landscape, the degree of suffering they inflict is a matter of choice. By focusing on cyber resilience, organizations can fortify themselves to emerge stronger in the face of adversity.

How are you assessing the resiliency? Feel free to comment and let your thoughts and feedback.

Link to CRR Resources is here – https://www.cisa.gov/resources-tools/resources/cyber-resilience-review-downloadable-resources

Making Cyber Security Awareness Less Boring

October, as we all know, was celebrated as National Cyber Security Awareness Month. While it is good to emphasize the importance of security with a month dedicated to it, Security Awareness is an ongoing activity.

According to this survey, only 45% of the participants said their employer offers formal cybersecurity training.

IMG SOURCE

Remember that our teams and employees need to be aware of security best practices all around the year and not just for a month. A hacker needs one successful chance while we need to be right 100 % of the time, 365 days a year.

Over years I have conducted numerous workshops and awareness sessions for employees as part of induction, periodic training, sent countless emails & presentations, and conducted phishing simulations. However, it is difficult to hold attention for longer periods and them to be aware of the threats all the time. I think that there is fatigue associated with the traditional way of sending presentations, forcing wallpapers, screensavers, and email blasts.

Most people usually relate to movies, books, songs and other visual content better than usual presentation slides. In addition to existing modes, you can plan to have movie streaming or a book reading activities as a monthly or quarterly event and integrate them with ongoing company events/town halls.

During the COVID days, one of our HR organised monthly book reading events on zoom and it was a big hit. We would pick a chapter and read and review it. It also brought lot of people together!

Screen a movie in your office cafeteria, give out some goodies and swags for those who turn up or throw in a simple pizza party. As an event organiser both at workplace and amongst societies I have found out that a secret to increase attendance to any event is food!

If someone asks you how screening movies is contributing to awareness, don’t worry, throw in a Security Quiz at the end of the movie. This would even suffice your audit requirements too. You can also talk about some cool software and hardware gadgets that can safeguard both professional and personal lives too from a cyber security perspective. Some are listed down in the article.

Here are some suggestions:

Movies:

Snowden

Snowden is a biographical thriller released in 2016 and based on the life and events surrounding Edward Snowden’s whistle blowing. Snowden is considered a hero by some, and a traitor by others. No matter what happened, the epic story of why he did it, what he risked, and how he pulled it off makes for one of the most compelling films. This movie provides great insights into the inner workings of surveillance programs at the Nation-State level and what it means to the privacy of the general public. While I hate to reference it, the movie also showcases the risks of insider threats.

LINK: https://www.imdb.com/title/tt3774114

Sneakers:

If you are a pentester or red team engineer and wanted to explain what you do for a living to your friends and family, then this is it, apart from some useful security tips and geek stuff. For a movie released in 1992, the plot had cutting-edge hacking and pentesting skills way ahead of its time including some cool social engineering tricks. A team of penetration testers become embroiled in a turf war between Government agencies and rogue hackers over a device that can crack all encryption (quantum cryptography anyone?). This movie has some prophecies too! Considering we have had multiple whistle blowing incidents in the recent past, as a security practitioner both the above movies emphasis one thing: Do the right things or walk away. CISOs are you listening ?

Wargames

Have you wondered about the worst case scenarios around automation, or lack of segmentation between your dev and production environments? Or even the implication of a red team exercise going wrong and causing downtime to your production environments? This movie has many of it…

This movie was released in 1983 and starred Mathew Broderick as a lead character. A young computer whiz kid accidentally connects into a top secret super-computer which has complete control over the U.S. nuclear arsenal. It challenges him to a game between America and Russia, and he innocently starts the countdown to World War 3

LINK: https://www.justwatch.com/us/movie/wargames

The Matrix

If there was ever a movie that brought to life the concept of hacking, simulation through its characters, that has to be matrix. There is a hacker, there’s a character called cipher. How do machines get access to the rebel network? they compromise cipher 😉 Matrix is a story of a computer hacker who joins a group of underground rebels fighting the vast and powerful computers that have taken over the earth. This movie was released in 1999 and also features a very popular security tool (let me know in the comments)

LINK: https://www.justwatch.com/us/movie/the-matrix

Mr. Robot

This is an award-winning web series released in 2015 and is now in its seventh season. This is a story of a hacker by the name of Elliot Alderson. He is a brilliant introverted young programmer who works as a cyber-security engineer by day and a vigilante hacker by night. He and his group are out to erase the credit history for all.

This series features all the things that are talked about in the world of cyber security: Tactics, Techniques, and Procedures (TTPs). You name it and the series has it including Social Engineering, using Raspberry Pis to discretely connect to networks, throwing malware loaded USB sticks in parking lots and lot more

LINK: https://www.imdb.com/title/tt4158110/?ref_=ttmi_tt

Gultoo

Do you remember this Apple’s Privacy ad which created quite a stir when released on how we are tracked? That ad has a stark resemblance to a song in this movie called Gultoo, released a couple of years earlier. This underrated Kannada movie captures the journey of a hacker who is a part-time instructor in a computer training institute and the skills he uses capture the biometrics of a colleague and use it to find real identity, or use shoulder surfing and snooping in coffee shops to access passwords. This is a great movie that appeals to the younger generation and since it is made in India, folks here may be able to relate to it.

https://www.imdb.com/video/vi3980900633/?ref_=ext_shr_lnk

Books:

Many companies that I know of have a tie up with library chains where books are delivered to your offices. Here are some good books that talk about various aspects of cybersecurity and are fun to read:

Cult of the Dead Cow

Cult of the Dead Cow is the tale of the oldest, respected, and most famous American hacking group of all time popularly called Cult of the Dead Cow or cDc. This book chronicles the journey of Hacker Culture, the origin of various conferences like DefCon, Blackhat. How hacktivism started, the journey of various security tools like l0phtcrack, nessus, etc.,

Many of the hackers in this group have become well-known names in the technology and security field like Peiter Zatko and Beto O’ Rourke. Peiter Zatko, popularly known as Mudge was in the news recently as the whistle-blower of improper security practices at Twitter. He had earlier served as Head of Security at Twitter. Beto O’Rourke is former Texas Congressman and was a presidential candidate LINK

Permanent Record

Although this is an auto-biography on Edward Snowden, this book provides great insights into the inner workings of surveillance programs at the Nation-State level and what it means to the privacy of the general public. LINK

Cuckoo’s Egg:

Who doesn’t like mystery and thriller novels? This is a true story written by Cliff Stoll in1989. Cliff Stoll was an astronomer turned systems manager at Lawrence Berkeley Lab. An accounting error alerted him to the presence of an unauthorized user on his system. Stoll began a one-man hunt of his own: spying on the spy. It was a dangerous game of deception, broken codes, satellites, and missile bases. His hunt finally gained the attention of the CIA…and ultimately trapped an international spy ring fuelled by cash, cocaine, and the KGB.

LINK

Gadgets

You can talk about the benefits of gadgets like Privacy filters, webcam stickers, Hardware MFA keys that are phish-resistant etc.,

A gadget like Privacy Filter narrows the viewing angles and prevents shoulder surfing or snooping by others. This is a great addition for the sales and marketing teams and CXOs who are on the road and working out of cafes, airports, and other crowded places.

We have recently learned from the Uber hack about the MFA push notifications alert, which led to fatigue and employee selecting Yes after a barrage of requests. This is a worrying aspect as I have encountered a couple of similar attempts and I dread what if I pressed Yes or clicked on checkmark instead of an X!

This is where a hardware MFA token comes to the rescue. It is been published that hardware MFA tokens (those that comply to the FIDO framework) are phish-resistant. You can popularise these in your offices instead of traditional soft MFAs

I think password managers are still the most underrated tool when it comes to cyber security. We still have not transitioned from “remembering your password” to “passwords are not meant for remembering” mode.

Use the password manager in conjunction with a key or a token and then all you need to remember is just one password and the rest should be in a password manager on system or a browser.

How are you tackling the awareness fatigue of your employees? Please do comment and share your thoughts.