Cyber Resilience: Is Your Business Wearing Suitable Armor?
Updated: May 4
From being an 18-year old RAF Police dog handler, patrolling the airfields and sensitive areas of RAF airbases, to writing books on PCI DSS and Protective Security, I have understood and valued the importance of focusing on protecting the assets that are valuable to the establishment/organization's mission/objective.
Focus Your Efforts
In my first published book on PCI DSS, I included a chapter on how to adopt an approach of Proactive Security through a focus on 5 main pillars (the backbone), as depicted in figure 1, and in the second book on Protective Security, I introduced the readers to the BRIDGES acronym, as depicted in figure 2.
Figure 1: The 5 Pillars of Proactive Security
Figure 2: BRIDGES Acronym
Both of these concepts were intended to provide the benefit of focused effort, so that any mitigation measures were applied to the things that were important to the organization. With PCI DSS, the focus is on the effective protection of the assets that are involved with a business' payment card operations (the processing, storage & transmission of cardholder data), and with Protective Security, the focus is on applying proportionate protective measures to safeguard those assets that are valuable to the business/organization.
Prioritize on what is important
All your defensive efforts should be aligned with the interests of your business and be focused on protecting those assets that support the business's essential services. Think of it as being like the way that the human anatomy has evolved, so that the vital organs (Brain, Heart, Lungs, Liver, Kidneys) are provided additional protective measures (Skull, Ribcage, etc.) and a centralized monitoring system (e.g. Nervous system).
It's only after you understand and appreciate the anatomy of your business and what your valuable/critical services (vital organs) are, that you will be able to design and develop an appropriate business life support system.
If you think about the human body, some parts of the body are more important than others and the body is able to respond in a prioritized manner. For example, in the event of suffering severe trauma, the body will respond by prioritising its vital organs. However, the ancillary body parts remain connected and provide important supporting services for life.
The Preservation of Life
Much as it is important for the human body to have a natural capability to preserve itself, a business needs to understand how to preserve itself.
This is what is called 'Cyber Resilience' or 'Business Resilience'.
The ability to 'Bounce Back' or 'Carry On', in the event of a traumatic or adverse event!
What is Cyber Resilience?
Many of the components of my 5 Pillars and BRIDGES concepts are elements of the 10 domains of Cyber Resilience (as detailed by the Cybersecurity & Infrastructure Security Agency (CISA) and the CERT Resilience Management Model (CERT-RMM) Version 1.2).
1. Asset Management (AM): The Asset Management guide focuses on the processes used to identify, document, and manage the organization’s assets.
2. Controls Management (CM): The Controls Management guide focuses on the processes used to define, analyze, assess, and manage the organization’s controls.
3. Configuration and Change Management (CCM): The Configuration and Change Management Guide focuses on the processes used to ensure the integrity of an organization’s assets.
4. Vulnerability Management (VM): The Vulnerability Management Guide focuses on the processes used to identify, analyze, and manage vulnerabilities within the organization’s operating environment.
5. Incident Management (IM): The Incident Management Guide focuses on the processes used to identify and analyze events, declare incidents, determine a response and improve an organization’s incident management capability.
6. Service Continuity Management (SCM): The Service Continuity Management Guide focuses on processes used to ensure the continuity of an organization’s essential services.
7. Risk Management (RM): The Risk Management Guide focuses on processes used to identify, analyze, and manage risks to an organization’s critical services.
8. External Dependencies Management (EDM): The External Dependencies Management Guide focuses on processes used to establish an appropriate level of controls to manage the risks that are related to the critical service’s dependence on the actions of external entities.
9. Training and Awareness (TA): The Training and Awareness Guide focuses on processes used to develop skills and promote awareness for people with roles that support the critical service.
10. Situational Awareness (SA): The Situational Awareness Guide focuses on processes used to discover and analyze information related to the immediate operational stability of the organization’s critical services and to coordinate such information across the enterprise.
Priority No.1 - Asset Management
Common to all of these concepts is the need to start with Asset Management. NIST SP 800-160, Volume 1 (Systems Security Engineering: A Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems) confirms the importance of building a defensive strategy from a business perspective, with the asset at the center of any strategy (as depicted in figure 3), and defines an asset as being:
"An item of value to achievement of organizational mission/business objectives.
Note 1: Assets have interrelated characteristics that include value, criticality, and the degree to which they are relied upon to achieve organizational mission/business objectives. From these characteristics, appropriate protections are to be engineered into solutions employed by the organization.
Note 2: An asset may be tangible (e.g., physical item such as hardware, software, firmware, computing platform, network device, or other technology components) or intangible (e.g., information, data, trademark, copyright, patent, intellectual property, image, or reputation)."
Figure 5: Factors in Security Requirements Analysis
Consequently, it would make sense to take a more detailed look at what is required to meet the objectives for priority 1, an effective Asset Management process (as depicted in figure 6):
Figure 6: The Asset Management Process
Before you begin planning to develop your asset management practice, you should familiarise yourself with the checklist, detailed at figure 7:
Figure 7: Asset Management Checklist
As with any effective strategy, Asset Management starts with the 6 Ps:
Prior Planning Prevents P*** Poor Performance
1. Plan for Asset Management.
Asset management gives an organization a snapshot of all the assets within the infrastructure at any given time. Developing and following a plan is essential to efficient and effective asset management. Planning for asset management includes obtaining support from higher-level management to ensure that the process is funded, staffed, and performed.
Key activities include identifying all the mission-critical services the organization performs or provides and prioritizing them according to their potential to disrupt operations should they fail. The organization can then focus its resources to appropriately protect and sustain its assets.
Finally, planning for asset management requires the organization to establish a common definition of what constitutes an asset within its infrastructure.
Important activities while planning for asset management covered in this guide include the following:
• Obtain support for asset management planning.
• Identify services.
• Prioritize services.
• Establish a common definition of assets.
Note. A service is a set of activities that the organization carries out in the performance of a duty or in the production of a product.
2. Identify the Assets
A key component of this effort involves identifying the critical services and the assets that support them. Responsibility for this effort should be delegated to a level appropriate for the critical service being considered.
Assets are organized into the following categories: people, information, technology and facilities.
It is important to note that these assets may be internal to the organization or reside within a business partner or other external entity.
Important activities while identifying assets include the following:
• Assign responsibility for identifying assets supporting critical services.
• Identify people assets.
• Identify information assets.
• Identify technology assets.
• Identify facility assets.
3. Document Assets
Once these assets have been identified, it is important to document them in order to understand their relationship to the organization (e.g., internal, external), who is responsible for the asset, how well the asset is protected from disruption, how important the asset is to the critical service, and any changes or updates that may affect the asset throughout its lifecycle.
This documentation typically includes the following:
Asset type (people, information, technology, or facilities).
Categorization of asset by sensitivity (generally for information assets only).
Asset location (typically where the custodian is managing the asset).
Asset owners and custodians (especially if assets are external to the organization).
Format or form of the asset (particularly for information assets that might exist on paper or electronically).
Location of asset backups or duplicates (particularly for information assets).
Services that are dependent on the asset.
Value of the asset, either qualitative or quantitative.
Asset protection and sustainment requirements.
Important activities while documenting assets include the following:
• Create an asset inventory.
• Document the relationships between assets and critical services.
• Analyze dependencies between assets supporting multiple services.
• Update the asset inventory.
4. Manage Assets
The organization will need to manage its assets and inventories and take steps to improve the process of asset management.
The organization should select tools and methods (configuration databases, drawings, change control) to manage the assets and also determine how these tools are applied within the organization.
Important activities in the asset management process include the following:
• Identify change criteria.
• Establish a change schedule.
• Manage changes to assets and inventory.
• Update asset inventory when changes occur.
• Improve the process.
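As an added illustration of the identify, document and manage steps above (example code written for this article, not from CERT-RMM or my books), here is a small Python inventory that records the asset fields listed under step 3, maps each asset to the services it supports, derives a protection tier proportionate to the most critical service it serves, and reports the two gaps an inventory review should catch: assets no service relies on, and dependencies a service names that were never documented. All asset, service and owner names are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    asset_type: str           # people, information, technology or facilities
    owner: str                # owner or custodian
    location: str
    external: bool = False    # held by a partner or other external entity
    sensitivity: str = "n/a"  # generally for information assets only
    backups: str = "n/a"      # location of backups or duplicates

# name, priority (1 = its failure would be most disruptive), names of assets it depends on
Service = namedtuple("Service", "name priority assets")

# Constructed sample inventory; every system and name here is invented.
ASSETS = {a.name: a for a in [
    Asset("cardholder-db", "information", "DBA team", "DC-1", sensitivity="cardholder data", backups="DC-2"),
    Asset("payment-gateway", "technology", "Payments team", "DC-1"),
    Asset("acquirer-api", "technology", "Example Acquirer Ltd", "partner cloud", external=True),
    Asset("dc-1", "facilities", "Facilities", "Site A"),
    Asset("payments-engineer", "people", "Head of Payments", "Site A"),
    Asset("marketing-cms", "technology", "Marketing", "DC-1"),
    Asset("legacy-fax", "technology", "Office admin", "Site A"),
]}
SERVICES = [
    Service("card-payments", 1, ("cardholder-db", "payment-gateway", "acquirer-api", "dc-1", "payments-engineer")),
    Service("refunds", 2, ("cardholder-db", "payment-gateway", "dc-1", "payments-engineer", "ticketing")),
    Service("website-marketing", 3, ("marketing-cms", "dc-1")),
]

def dependency_report(assets, services):
    """Per asset: supporting services, best (lowest) priority, sharing, custody, protection tier."""
    report = {}
    for name, asset in assets.items():
        supporting = sorted(s.name for s in services if name in s.assets)
        top = min((s.priority for s in services if name in s.assets), default=None)
        # Tier is proportionate to the most critical service the asset supports;
        # an asset no service relies on is armor nobody needs: review before spending on it.
        tier = "vital organ" if top == 1 else "supporting" if top else "unassigned"
        report[name] = {"services": supporting, "top_priority": top, "shared": len(supporting) > 1,
                        "external": asset.external, "tier": tier}
    return report

def inventory_gaps(assets, services):
    """Assets no service relies on, and service dependencies missing from the inventory."""
    orphans = sorted(n for n in assets if not any(n in s.assets for s in services))
    undocumented = sorted({n for s in services for n in s.assets if n not in assets})
    return orphans, undocumented
```

Run with the constructed data, the report flags the shared cardholder-db, gateway, facility and engineer as vital organs, the externally held acquirer API as a dependency to manage through the third party, and the fax as unassigned; the gap check surfaces "ticketing" as a refunds dependency nobody inventoried.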
All of these aforementioned concepts are agnostic (but common) to most security controls frameworks that a business might use for reducing their risks or meeting their particular compliance objectives.
However, if you treat the 5 pillars, BRIDGES or the 10 Cyber Resilience Domains as being the anatomy for building your defensive strategies, you will ensure that your approach is focused on defending the vital organs of the business and yet can easily be used in support of any compliance obligations.
Whether or not you have compliance obligations, it is highly likely that you have services that your business values and which your key stakeholders will want to ensure remain healthy and appropriately protected from harm. Consequently, you should look at evaluating the health and resilience of each critical service, so why not look at evaluating your business against the 5 Pillars, Building BRIDGES or 10 Domains of Cyber Resilience?
Asset Management (AM):
Goal 1 – Services are identified and prioritized.
Goal 2 – Assets are inventoried, and the authority and responsibility for these assets is established.
Goal 3 – The relationship between assets and the services they support is established.
Goal 4 – The asset inventory is managed.
Goal 5 – Access to assets is managed.
Goal 6 – Information assets are categorized and managed to ensure the sustainment and protection of the critical service.
Goal 7 – Facility assets supporting the critical service are prioritized and managed.
PCI DSS Case Study
One of the critical services of a business involves payment card data operations. The payment card data is one valuable asset (blood) that needs to be processed, stored and transmitted through the business (body). Those systems that support these operations are the body's vital organs and need to be appropriately protected.
1. AM: The assets need to be identified and documented.
Related PCI DSS requirements: 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2, 1.3, 1.4, 2.4, 2.6.
2. CM: Annual and Quarterly internal audits against the PCI DSS controls, applied against this critical service.
3. CCM: Systems (supporting this critical service) need to be securely configured and subject to formal change management.
Related PCI DSS requirements: 1.1, 1.2, 1.3, 1.4, 2.1, 2.2, 2.3, 2.4, 2.6.
4. VM: The systems that support this critical service need to be maintained.
Related PCI DSS requirements: 6.1, 6.2, 6.3, 6.5, 6.6, 11.2, 11.3.
5. IM: In preparation for when things may go wrong with this critical service, the business shall be 'First Aid' trained.
Related PCI DSS requirements: 10.2.5, 10.4, 10.8, 11.1.2, 12.5.3, 12.8.3, 12.10.
6. SCM: The focus of PCI DSS is on maintaining the Confidentiality and Integrity of the payment card data (blood), so as long as a critical service fails secure (so that no blood is leaked) everything remains PCI DSS compliant. However, it makes good business sense to have plans for keeping the vital organs capable of continuing to circulate the blood.
7. RM: Have you assessed the potential risks to this critical service?
8. EDM: Where you transfer the risks to a 3rd party organisation, how are you effectively managing those risks?
9. TA: How are you maintaining the skills and awareness of the supporting People assets?
Related PCI DSS requirements: 6.5, 9.9, 12.6, 12.10.4.
10. SA: How do you identify potential threats to this critical service?
It does not make sense for any business to have apathy for the Confidentiality, Integrity and Availability of the services that are valuable to the success of their organization. However, often businesses will try to focus on securing everything or on securing nothing.
Often the reason for this is that they've failed to understand their business anatomy and what and where their vital organs are. As a result, maintaining a healthy business can become extremely difficult. It is very important to understand your business anatomy so that you can appreciate the importance and fragility of the organs.
If you treat all your business systems as being equal, so that all the assets require an equal amount of protection, it will be like a person having to live their life, wearing a suit of armor (as depicted in figure 8).
Figure 8: Armored Up
Your defensive efforts need to be proportionate to the perceived value of the assets. When the local threats and environmental conditions change, you adapt the protective measures to match.
When the weather gets colder, you put on some warmer clothes.
Grazing your skin is an acceptable risk, as it has minimal impact. However, grazing your brain, heart or lungs is significantly more impactful and presents a significantly greater risk.
IT IS IMPORTANT TO REMEMBER THAT:
NOT ALL BUSINESS ASSETS ARE EQUAL AND NEED TO BE CATEGORISED, BASED UPON THEIR PERCEIVED VALUE TO THE BUSINESS.