Tech Bytes: Cyber Security Assurance Planning
Notes from my recent talk at ISACA Bangalore 21st Annual Conference 2018
Backdrop – how vulnerable are we?
Human beings have always lived with vulnerabilities, and those vulnerabilities have changed as we evolved. As our lives shift to a significantly digital mode, with products and services accessed and transacted online and digital records stored and retrieved online, cyber security takes on a significant role in protecting our everyday digital engagement, our digital assets and records, and our intellectual property.
Vulnerability levels also change with the access device we carry or use, be it mobile, laptop, desktop or tablet. This article looks at how to prevent cyber security incidents at the workplace through proactive assurance programs. The same discipline, concepts and tools also extend to our personal space.
Let us first accept the reality at the workplace around us: increased malware / ransomware, increased vulnerability in security products, loss / leakage of data and more organized threat actors in play. The vulnerable areas remain the same, such as phishing of emails (60%), lack of privileged access rights for data security controls, increasing DDoS attacks (45%) and lack of adequate training and orientation of employees on early detection / prevention of such threats.
Other factors that have created apprehension are varied, e.g. the gap in understanding a clear migration path to cloud based environments, which often do not have adequate levels of security and are left to the imagination of users (e.g. serverless deployments); vulnerability in IoT devices (safety and efficiency); data governance standards that are not mature; lack of secure document trails; lack of cyber risk insurance; and lack of alignment between technology and laws.
What are the causes of Cyber Security incidents?
Cyber security incidents can be caused by natural disasters, malicious attacks (internal / external), human error / malfunction or an abuse of rights and privileges. Our entire approach to going digital has rested on the tenet of trusting the technology, the people and the systems / software itself. While we know full well that a system or a person can exploit us at any time, or that security levels can deteriorate, we still choose to trust technology, people, devices and systems over time despite the vulnerability factor, more so because we are all creatures of habit.
It comes as no surprise that almost all of us have been exposed to some kind of digital fraud / malware attack, especially over the last 5 years. One of the reasons could be the increasing speed of innovation and cross usage of systems, which can create new vulnerabilities, e.g. using a mobile app for banking, keeping money in digital wallets without knowing when the provider would debit us, instant storage and sharing of data and pictures, insecure transmission of documents, social media posts etc. Each new innovation creates new vulnerabilities for us as we allow these intelligent software and apps to access our private data, sometimes partially, sometimes more.
Technology and human habits
Our habits do not change easily; one may want to check password habits, email and social media habits and the many other services to which we always stay connected. We have a pattern of using these services, and as these digital services change and evolve, the threat landscape changes rapidly.
To quote an example, CCTV, laptop cameras and mobile cameras bring in new vulnerabilities of being remotely watched by potential hackers; it just takes some malicious code from a random website visited by the device owner to access a device! IoT is another area with the potential to create new threats for us, e.g. controlling cars / appliances remotely, and all this is happening as we speak! White collar crimes are also on the rise, and many of these involve employees who either are threat actors themselves or have been compromised by external threat actors for money. Staff in low paid technology jobs, or organizations with weak links and dependencies on IT suppliers, especially for hardware support, can often find themselves unprepared to deal with such threats, which can wipe out a lot of critical data.
Where are the controls – with the business or the technologists?
The technology subsystem is often hierarchically positioned under three other layers. The boundary layer is the regulatory subsystem, which defines laws, standards and controls. These are then applied to the business subsystem, which has stakeholders like markets, consumers, suppliers, partners and employees who are the end users of technology services. Then comes the third boundary, the organizational subsystem, i.e. products and services, policies and governance, risks and compliance, information systems technology and people processes. This layer is the catchment for all the output of the organization, produced either by people or by systems. Below all of this is the technology subsystem, which is driven by the IT function and has components of software, hardware, frameworks, networks, communication infrastructure and data.
Thus we have various stakeholders who aim to 'control' various aspects of cyber security, either directly or indirectly: the business stakeholders enforce rules, laws and controls based on risk assessment, while the technologists 'harden' and secure the environment using a combination of hardware, software and network features. However, like any other system, cyber security weakens over time if it is not checked regularly, especially with so many stakeholders involved.
Cyber Security – extending the role of Management Assurance
One of the interesting trends noticed is that organizations are increasingly extending the scope of Management Assurance / Risk Management teams to include specific, actionable programs on cyber security. The broader scope of engagement could include aspects like formal cyber security assessments, cyber security training for employees, specific compliance programs and test checks, and proactive investment in cyber security initiatives such as tools, compliance programs and other resources such as testing.
However, to ensure that cyber security is 'assured' proactively rather than responded to, it needs a layer of specialist staff called 'Risk Champions' who work in tandem with risk owners and proactively bring in solutions to create countermeasures. Obviously this needs budgets, small teams and focus. Most importantly, it needs focus on 'actionable threats and vulnerabilities'.
Cyber Security frameworks – the reality check
Cyber Security Assurance programs can work if there are well established frameworks to adopt. In reality, across countries, industries and even states within a country, there are diverse challenges; a case in point is GDPR, which has set a good precedent but also caught several countries and organizations completely by surprise.
While industries have attempted to come up with specific Cyber Security Assurance (CSA) practices, there is still no common framework across countries, industries and states; the common areas of practice, where the standards overlap, are Regulations, Risks, People, Process and Technology directed programs. Today, most of the conversations and white papers are at best positioned as 'meta models' with 3 broad layers. The Foundation layer includes people and organization structures, application vendor access, CSA tools and monitoring technologies, and technology infrastructure, which includes BYOD and hybrid clouds, both of which present big challenges. The middle layer is the Enterprise Security Framework, which consists of Security Operations, Governance and Incident Response programs. The top layer consists of the drivers / influencing stakeholders, which include Business, IT, Compliance and Environmental aspects.
Most companies today are moving towards working out a baseline CSA scope using existing IT/IS standards and frameworks (e.g. ITIL, ISMS, COSO, COBIT, TOGAF, SABSA etc., or a combination thereof). To this they add industry standards such as ISO 26262, AS9100, PCI-DSS etc., and at a business level they work towards concurrence on risk objectives and priorities and clarify metrics on cyber security. From an implementation standpoint, multi-level effectiveness checks include self-assessments, compliance with standards, and cross functional and external assessments.
Example cyber security assurance frameworks and practices
A good example is cloud adoption. Here the core tenets for the CSA program are Balance, Accountability and Transparency (e.g. the ENISA Cloud Computing Assurance framework), wherein the scope of the information assurance requirements spans several diverse areas such as Personnel Security, Supply Chain Assurance, Patch Management, Network Architecture Controls, Identity and Access for customers and suppliers, Asset Management, Business Continuity etc.
The other example is a program framework that is relevant to the CIO or CTO. A good example framework is the one published by the UK government on Cyber Assurance for implementation and certification. This interestingly also includes aspects such as FISMA and FIMIA compliance, site specific authorizations and a much wider coverage of monitoring activities, which could include vulnerability scanning, Bro logs, application controls monitoring etc. This approach brings the business and technology stakeholders and risks onto a common accountability platform.
At the industry level, assurance programs are being reinforced by industry standards coupled with a renewed focus on verification to complement software testing, software failure analysis and labs designed for stage level witnessing, which are quite radical in terms of customer involvement in software testing and release. The healthcare industry is addressing vulnerabilities like hard coded embedded passwords, remote code execution and unsigned firmware, whereas banks are now sharing threat information through common platforms.
Cyber insurance is also getting more relevant, both in terms of measurement and underwriting. Other practices include banks educating their customers on cyber security, frequent KYC checks, more secure document trails, and better authentication even for areas like net banking.
Summing it up
There are several topics on the watch list for CSA today, some preventive and some detective, e.g. preventing volumetric breaches on IoT devices, addressing socially engineered threats, using blockchain to reduce vulnerabilities, data localism, boosting cyber defence, GDPR assurance etc.
The four pillar strategy to work on is: Board / governance focus on active policy changes and on identifying risk owners for accountability; People focus through gatekeeper roles at C level and identification of risk champions for deployment, research, adoption and feedback; Technology and tools based active monitoring, standards and a 3 point focus (end users, developers and operations); and business teams who manage and update the risk register and drive cross functional engagement to ensure that integrity between devices and data is maintained.
Last but not least, cyber security assurance is also about orienting employees and other stakeholders and putting in adequate maker-checker controls to ensure proper compliance and governance, as people are always the weakest link in the chain.
Research Input Credits: Wipro, CohnReznik and Nexia International, NSTIR, Infotran