Cyber Security & Incident Response

With the increase in cyber attack vectors and exposures, the list of cyber security services and products has in recent years also become longer. In the following, we give a non-exhaustive overview of the current cyber security landscape. Cyber security measures can be broadly categorized into technical and organizational services and products.

With the advent of mobile endpoints, the internet of things, cloud computing, and other recent developments in the variety and exposure of modern IT, the amount of software offered to secure firms has also increased. Common technical cyber security solutions are:

  • Firewall
  • Anti-Virus Software
  • Multi-Factor Authentication (requiring two devices to log in to sensitive accounts)
  • Intrusion Detection Systems
  • Patch Management Tools
  • Cloud Security
  • Access Control
  • Penetration Testing (Pentesting)
    • Pentesting is a simulated hacker attack by a third (ethical) party to find vulnerabilities. These vulnerabilities can be technical, like misconfigured or outdated databases, weak passwords, or weak DDoS protection, but also organizational, when social engineering, for example a phishing attack, is conducted as part of the test. Besides additional modules like social engineering, pentests differ in the scope and in the information the attackers receive, ranging from purely external tests without prior knowledge to internal attacks from behind the firm’s firewall.
  • Security Information and Event Management (SIEM) Software
    • SIEM is used to continuously scan the logs of the company’s endpoints and provide real-time insights into suspicious and correlated behavior.
  • Security Operations Center (SOC)
    • A SOC manages the operational day-to-day cyber security business of large organizations. Often based on the input of SIEMs and monitoring tools, a SOC is staffed by cyber security professionals who continuously monitor the IT landscape for deviations from normal operations. Besides raising the alarm and coordinating the incident response in minor cases, the SOC usually takes over the overall management of major cyber security incidents.
  • Governance, Risk, and Compliance (GRC) Tools
    • GRC tools are used especially by large organizations to comply with regulatory requirements, facilitate continuous risk analysis and management, and provide the basis for annual audits. IT risks are usually addressed in the GRC framework by business and IT service continuity management (BCM & ITSCM) modules. These modules ensure that during and in the aftermath of a cyber incident a sensible recovery sequence for IT assets is in place which, according to previously defined recovery time and recovery point objectives, explicitly takes the dependencies and interdependencies between IT assets and systems into account.
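The SIEM entry above describes continuous scanning of endpoint logs for suspicious and correlated behavior. The following toy correlation rule, added here as an illustration and not taken from any SIEM product or from the original text, shows what "correlated" means in practice: it reads syslog-style authentication lines from several endpoints, keeps a sliding window of failed logins per source address, and raises an alert when a source that failed repeatedly (on any host, for any account) then logs in successfully. The log lines, host names and addresses are constructed for the example.

```python
"""Toy SIEM correlation rule: flag a source address that fails to log in
repeatedly within a short window and then succeeds.
All log lines below are constructed sample data, not from a real system."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like format (hypothetical hosts/IPs).
# Note the third line: the same source also fails against a second host,
# which is why correlation must be done per source, across endpoints.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z web01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:03Z web01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:04Z db01 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:06Z web01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:07Z web01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:09Z web01 sshd: Accepted password for admin from 203.0.113.5
2024-03-01T10:05:00Z web02 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:30:00Z web02 sshd: Accepted password for alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines the rule ignores."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(lines, threshold=4, window=timedelta(minutes=2)):
    """Return a list of alerts (source, user, host, n_failures).

    An alert is raised when a source address has at least `threshold`
    failed logins within `window` (on any host, for any user) and then
    produces an Accepted login. A lone failure long before a success,
    as for alice below, falls out of the window and is not flagged."""
    failures = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Expire failures that fell out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append((ev["src"], ev["user"], ev["host"], len(recent)))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print("ALERT: repeated failures then success", alert)
```

The rule deliberately keys its window on the source address rather than on the account or the host, since the failures in the sample are spread over two endpoints and two accounts and would stay below threshold if counted per host. A real SIEM adds the same idea at scale: normalization of many log formats, time-windowed counting, and joins across sources.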

The primary function of an IT audit is to evaluate the ability of the tested organization to protect the confidentiality, integrity, and availability of its information assets (the so-called CIA triad of information security). The most widely used standard is ISO 27001, which establishes requirements for implementing, maintaining, and continually improving an internal information security management system (ISMS). ISMSs are used to systematically manage an organization’s data by incorporating the people, processes, and technology within it. Besides a general framework and requirements for an ISMS, ISO 27001 also has 114 questions, so-called controls, to ensure that a given ISMS is compliant and to identify gaps in the handling of data. The controls of ISO 27001, which are given in Annex A, can be divided into 14 domains (cf. Irwin 2020):

  • Information Security Controls
  • Organization of Information Security 
  • Human Resource Security 
  • Asset Management 
  • Access Control
  • Cryptography 
  • Physical and Environmental Security
  • Operations Security 
  • Communications Security
  • System Acquisition, Development, and Maintenance 
  • Supplier Relationships
  • Information Security Incident Management
  • Information Security Aspects of Business Continuity Management
  • Compliance 

For most IT audit standards, it is possible to obtain a certification, showcasing to regulatory agencies and business partners that the organization adheres to cyber security standards.

In the context of cyber insurance, audits are often performed for medium and large-sized clients during the underwriting process. Small businesses seeking to get cyber insurance are required to fill out a shortened self-assessment consisting, for example, of 10 to 15 security questions that cover most of the control domains of ISO 27001.

As seen from the components and controls of ISO 27001 (see previous box), cyber security is not solely a technical endeavor but has a significant organizational component. Even a technically 100% secure IT environment is easily breachable if a malicious third party gains access to an employee’s account via a stolen password. Typical organizational cyber security measures are:

  • Business & IT Service Continuity Management (BCM & ITSCM)
    • Business continuity management develops strategies, plans, actions, and fallbacks to protect against interruptions of business activities or processes that would cause serious damage or devastating losses to the organization. The most important BCM standard is ISO 22301, which defines a plan, do, check, act (PDCA) lifecycle to holistically implement and improve BCM within an organization. The main components of BCM include (1) the business impact analysis (BIA), which classifies the criticality, recovery point objectives, and recovery time objectives of business processes within the organization, (2) the creation of emergency recovery plans for the previously defined crisis scenarios (earthquakes, pandemics, etc.), and (3) tests and exercises simulating a crisis.
    • ITSCM is business continuity management for IT services. As most firms are dependent on their IT and could not financially survive a loss of data or an outage of systems for more than a few weeks, the continuity and recovery of IT services require special attention. Especially the (inter-)dependencies of IT services can make a return to normal operations difficult. If, for example, a cloud database is not responding to queries from another IT service within the organization, this could affect both processes and prevent them from working correctly. An important concept within ITSCM is the heredity of criticality and recovery time objectives: if the second process in the previous example is rated as critical, then the cloud database it depends on is also critical.
  • Incident Response
    • While preparation and prevention can decrease the probability and severity of cyber incidents, a cyber incident can still strike an organization even with careful measures in place. In these cases, a swift technical and organizational response is necessary. In larger organizations the computer emergency response team (CERT), consisting of internal stakeholders (like the IT or cyber security team, management, and departmental heads) and hired external cyber security and forensics specialists, takes over to identify, contain, and eradicate the threat and to return, according to the (hopefully) previously defined BCM and ITSCM recovery plans, to normal operations. Small firms usually do not have a dedicated CERT or BCM/ITSCM in place, which makes cyber insurance especially attractive for them.
  • IT Forensics
    • When a cyber incident has been discovered, IT forensics comes into play to identify, preserve, recover, analyze, and present information about the cause and extent of the incident. IT forensics aims to establish a legally sound audit trail, which can, for example, be used in court to prove the involvement of an inside perpetrator.
  • ISMS (see box above)
  • Awareness & Employee Training (see next box)
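The ITSCM entry above introduces the heredity of criticality and recovery time objectives along IT service dependencies, and the GRC entry earlier asks for a recovery sequence that respects those dependencies. The following example, added here as an illustration rather than taken from the original text or from any BCM/ITSCM product, models a small constructed asset inventory, propagates each asset's criticality and RTO to everything it depends on (an asset must be at least as critical, and recover at least as fast, as any of its dependents), and derives a recovery order in which dependencies are restored first. The asset names, criticality ratings and RTO values are assumptions made for the example.

```python
"""Toy ITSCM model: inherit criticality and recovery time objectives (RTO)
along dependencies and derive a recovery sequence.
The inventory below is constructed sample data (hypothetical assets)."""

CRIT_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# name -> (declared criticality, declared RTO in hours, assets it depends on)
ASSETS = {
    "order-processing":  ("critical",   4, ["erp-app", "cloud-db"]),
    "erp-app":           ("medium",    24, ["cloud-db", "identity-provider"]),
    "cloud-db":          ("low",       72, ["storage"]),
    "identity-provider": ("medium",    48, []),
    "storage":           ("low",       72, []),
    "marketing-site":    ("low",      168, ["storage"]),
}


def dependents(assets):
    """Reverse the dependency edges: name -> assets that depend on it."""
    rev = {name: [] for name in assets}
    for name, (_, _, deps) in assets.items():
        for dep in deps:
            rev[dep].append(name)  # raises KeyError for an unknown dependency
    return rev


def effective_requirements(assets):
    """Return {name: (criticality, rto_hours)} after inheritance.

    The effective criticality of an asset is the maximum over itself and all
    (transitive) dependents; the effective RTO is the minimum. A dependency
    cycle is reported as an error, since no recovery order exists for it."""
    rev = dependents(assets)
    memo = {}

    def eff(name, stack=()):
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError(f"dependency cycle at {name}")
        crit, rto, _ = assets[name]
        for upstream in rev[name]:
            up_crit, up_rto = eff(upstream, stack + (name,))
            if CRIT_RANK[up_crit] > CRIT_RANK[crit]:
                crit = up_crit
            rto = min(rto, up_rto)
        memo[name] = (crit, rto)
        return memo[name]

    for name in assets:
        eff(name)
    return memo


def recovery_sequence(assets):
    """Order assets so that every dependency is restored before its dependents;
    among assets that are ready, the tightest effective RTO goes first."""
    eff = effective_requirements(assets)
    remaining = set(assets)
    order = []
    while remaining:
        ready = [n for n in remaining
                 if all(dep not in remaining for dep in assets[n][2])]
        if not ready:
            raise ValueError("dependency cycle")
        ready.sort(key=lambda n: (eff[n][1], -CRIT_RANK[eff[n][0]], n))
        order.append(ready[0])
        remaining.remove(ready[0])
    return order


if __name__ == "__main__":
    for name, (crit, rto) in effective_requirements(ASSETS).items():
        declared = ASSETS[name][:2]
        print(f"{name:18} declared={declared} effective=({crit}, {rto}h)")
    print("recovery sequence:", " -> ".join(recovery_sequence(ASSETS)))
```

Running it shows the inheritance the text describes: "storage" and "cloud-db" are declared low with a 72-hour RTO, but because the critical order-processing chain ultimately rests on them, their effective rating becomes critical with a 4-hour RTO, and they move to the front of the recovery sequence ahead of the marketing site, which keeps its declared 168 hours.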

Unsuspecting and insufficiently trained employees are often involved in, and may cause or worsen, a cyber incident. Sensitizing and training the stakeholders of an organization in basic cyber hygiene is therefore a sensible and necessary measure to achieve holistic resilience against cybercrime. The typical products and services required are:

  • Awareness Trainings
    • Cyber awareness training is often delivered as online on-demand videos or in seminars. The stakeholders of the respective organization are schooled in the basics of cyber security best practices. Typical topics covered are social engineering, e-mail safety, handling of USB devices, password guidelines, and data handling.
  • Phishing Tests
    • Often integrated into awareness training, phishing tests are used to simulate a phishing or spear-phishing (targeted phishing) attack on stakeholders of the organization via e-mail. The fake malicious e-mails sent by the service provider, often coming from highly suspicious e-mail accounts (e.g. WarrenBuffet1913@gzasd.com), ask the recipient to click on a suspicious link, provide their password, or open an e-mail attachment. The users’ clicking behavior is tracked and evaluated over time.

References

Irwin, Luke. 2020. “ISO 27001: The 14 Control Sets of Annex A Explained.” IT Governance UK Blog. https://www.itgovernance.co.uk/blog/iso-27001-the-14-control-sets-of-annex-a-explained (December 1, 2020).