Cyber Security & Incident Response

With the increase in cyber attack vectors and exposures, the list of cyber security services and products has also become longer in recent years. In the following we give a non-exhaustive overview of the current cyber security landscape. Cyber security measures can broadly be categorized into technical and organizational services and products.

With the advent of mobile endpoints, the internet of things, cloud computing, and other recent developments in the variety and exposure of modern IT, the number of software offerings to secure firms has also increased. Common technical cyber security solutions are:

  • Firewall
  • Anti-Virus Software
  • Multi-Factor Authentication (requiring two devices to log in to sensitive accounts)
  • Intrusion Detection Systems
  • Patch Management Tools
  • Cloud Security
  • Access Control
  • Penetration Testing (Pentesting)
    • Pentesting is a simulated hacker attack by a third (ethical) party to find vulnerabilities. These vulnerabilities can be technical, like misconfigured or outdated databases, weak passwords, or insufficient DDoS protection, but also organizational, when a social engineering attack, for example phishing, is conducted as part of the test. Besides additional modules like social engineering, pentests differ in their scope and in the information the attackers receive, ranging from purely external tests without prior knowledge to internal attacks from behind the firm’s firewall.
  • Security Information and Event Management (SIEM) Software
    • A SIEM is used to continuously scan the logs of the company’s endpoints and provide real-time insights into suspicious and correlated behavior.
  • Security Operations Center (SOC)
    • A SOC manages the operational day-to-day cyber security business of large organizations. Often based on the input of SIEMs and monitoring tools, a SOC is staffed by cyber security professionals who continuously monitor the IT landscape for deviations from normal operations. Besides raising the alarm and coordinating the incident response in minor cases, the SOC usually takes over the overall management of major cyber security incidents.
  • Governance, Risk, and Compliance (GRC) Tools
    • GRC tools are used especially by large organizations to comply with regulatory requirements, facilitate continuous risk analysis and management, and provide the basis for annual audits. IT risks are usually addressed in the GRC framework by business and IT service continuity management (BCM & ITSCM) modules. These modules guarantee that during and in the aftermath of a cyber incident a sensible recovery sequence for IT assets is in place, which, according to previously defined recovery time and recovery point objectives, explicitly takes the inter- and intradependencies between IT assets and systems into account.

The primary function of an IT audit is to evaluate the ability of the tested organization to protect the confidentiality, integrity, and availability of its information assets (the so-called CIA triad of information security). The most widely used standard is ISO 27001, which establishes requirements for implementing, maintaining, and continually improving an internal information security management system (ISMS). An ISMS is used to systematically manage an organization’s data by incorporating the people, processes, and technology within it. Besides a general framework and requirements for an ISMS, ISO 27001 also defines 114 so-called controls to ensure that a given ISMS is compliant and to identify gaps in the handling of data. The controls of ISO 27001, which are given in Annex A, can be divided into 14 domains (cf. Irwin 2020):

  • Information Security Controls
  • Organization of Information Security
  • Human Resource Security
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • Operations Security
  • Communications Security
  • System Acquisition, Development and Maintenance
  • Supplier Relationships
  • Information Security Incident Management
  • Information Security Aspects of Business Continuity Management
  • Compliance

For most IT audit standards, it is possible to obtain a certification, showing regulatory agencies and business partners that the organization adheres to cyber security standards.

In the context of cyber insurance, audits are often performed for medium-sized and large clients during the underwriting process. Small businesses seeking cyber insurance more often fill out a shortened self-assessment, consisting, for example, of 10 to 15 security questions that cover most of the control domains of ISO 27001.

As can be seen from the components and controls of ISO 27001 (see the previous box), cyber security is not solely a technical endeavor but has a significant organizational component. Even a technically 100% secure IT environment is, for example, easily breached if a malicious third party gains access to an employee’s account via a stolen password. Typical organizational cyber security measures are:

  • Business & IT Service Continuity Management (BCM & ITSCM)
    • Business continuity management develops strategies, plans, actions, and fallbacks to protect against interruptions of business activities or processes that would cause serious damage or devastating losses to the organization. The most important BCM standard is ISO 22301, which defines a plan, do, check, act (PDCA) lifecycle to holistically implement and improve a BCM within an organization. The main components of a BCM include (1) the business impact analysis (BIA), which classifies the criticality, recovery point objective, and recovery time objective of the business processes within the organization, (2) the creation of emergency recovery plans for previously defined crisis scenarios (earthquakes, pandemics, etc.), and (3) tests and exercises of a crisis.
    • ITSCM is business continuity management for IT services. As most firms depend on their IT and could not financially survive a loss of data or an outage of systems for more than a few weeks, the continuity and recovery of IT services requires special attention. Especially the (inter-) dependencies of IT services can make a return to normal operations difficult. If, for example, a cloud database is not responding to the queries of another IT service within the organization, both processes are not working correctly. An important concept within ITSCM is the inheritance of criticality and recovery time objectives: if the second process in the previous example is rated as critical, then the cloud database it depends on to function properly is also critical.
  • Incident Response
    • While preparation and prevention can decrease the probability and severity of cyber incidents, even with careful measures in place a cyber incident can still strike an organization. In these cases, a swift technical and organizational response is necessary. In larger organizations, the computer emergency response team (CERT), consisting of internal stakeholders like the IT and/or cyber security team, management stakeholders, and departmental heads, together with hired external cyber security and forensics specialists, takes over to identify, contain, and eradicate the threat and to return, according to the (hopefully) previously defined BCM and ITSCM recovery plans, to normal operations. Small firms usually do not have a dedicated CERT or BCM/ITSCM in place, which makes cyber insurance especially attractive to them.
  • IT Forensics
    • When a cyber incident has been discovered, IT forensics comes into play to identify, preserve, recover, analyze, and present information about the cause and extent of the incident. IT forensics aims to establish a legally sound audit trail, which can, for example, be used in court to prove the involvement of an inside perpetrator.
  • ISMS (see the box above)
  • Awareness & Employee Training (see the next box)
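The inheritance of criticality described in the ITSCM item above, and the dependency-aware recovery sequence that the GRC/ITSCM modules are supposed to maintain, as an added example that is not part of the original text: the service inventory, its names and its RTO values are constructed for illustration.

```python
import heapq
from collections import defaultdict

# Constructed sample inventory (illustrative, not from any real organization):
# service name -> (own recovery time objective in hours, services it depends on)
SERVICES = {
    "order-portal":   (4,  ["auth-service", "cloud-db"]),
    "auth-service":   (8,  ["cloud-db"]),
    "reporting":      (72, ["data-warehouse", "cloud-db"]),
    "data-warehouse": (72, []),
    "cloud-db":       (48, []),  # lax own RTO; critical dependents tighten it
}

def effective_rto(services):
    """Inherit criticality: a service's effective RTO is the minimum of its own
    RTO and the effective RTO of everything that (transitively) depends on it."""
    for s, (_, deps) in services.items():
        for d in deps:
            if d not in services:
                raise ValueError(f"unknown dependency {d!r} of {s!r}")
    eff = {s: rto for s, (rto, _) in services.items()}
    changed = True
    while changed:  # iterate to a fixpoint; min() only ever lowers values
        changed = False
        for s, (_, deps) in services.items():
            for d in deps:
                if eff[s] < eff[d]:
                    eff[d] = eff[s]
                    changed = True
    return eff

def recovery_sequence(services):
    """Order services so every dependency is restored before its dependents,
    taking the most urgent effective RTO first among those ready. Raises on
    circular dependencies, which cannot be sequenced and must be resolved."""
    eff = effective_rto(services)
    pending = {s: len(deps) for s, (_, deps) in services.items()}
    dependents = defaultdict(list)
    for s, (_, deps) in services.items():
        for d in deps:
            dependents[d].append(s)
    ready = [(eff[s], s) for s, n in pending.items() if n == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, s = heapq.heappop(ready)
        order.append(s)
        for t in dependents[s]:
            pending[t] -= 1
            if pending[t] == 0:
                heapq.heappush(ready, (eff[t], t))
    if len(order) != len(services):
        raise ValueError("circular dependency among: " + ", ".join(sorted(set(services) - set(order))))
    return order
```

In the sample, the cloud database inherits the 4-hour RTO of the order portal that depends on it, so it is restored first even though its own RTO is 48 hours.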

Unsuspecting and untrained or insufficiently trained employees are often involved in, cause, and/or worsen a cyber incident. Sensitizing and training the stakeholders of an organization in basic cyber hygiene is, therefore, a sensible and necessary measure to achieve holistic resilience against cyber crime. The typical products and services are:

  • Awareness Training
    • Cyber awareness training is often delivered as online on-demand videos or in seminars. The stakeholders of the respective organization are trained in the basics of cyber security best practices. Typical topics covered are social engineering, e-mail safety, handling of USB devices, password guidelines, and data handling.
  • Phishing Tests
    • Often integrated into awareness training, phishing tests are used to simulate a phishing or spear phishing (targeted phishing) attack on the stakeholders of the organization via e-mail. The fake malicious mails sent by the service provider, often coming from highly suspicious e-mail accounts (e.g. WarrenBuffet1913@gzasd.com), ask the recipient to click on a suspicious link, provide their password, or open an e-mail attachment. The users’ clicking behavior is tracked and evaluated over time.

References

Irwin, Luke. 2020. “ISO 27001: The 14 Control Sets of Annex A Explained.” IT Governance UK Blog. https://www.itgovernance.co.uk/blog/iso-27001-the-14-control-sets-of-annex-a-explained (December 1, 2020).