Protective Security: Building BRIDGES
Whilst carrying out the research and ideas development for my second book (Protective Security: Creating Military Grade Defenses for Your Digital Business), I came up with the BRIDGES acronym.
The objective of this acronym is to help business leaders and Cyber/InfoSec managers to break down specific scenarios that could impact their valued operations.
We start by engaging the business's key stakeholders to identify and prioritise the parts of the business that matter most to them. In this example, we are looking at a bank that has identified its customer accounts, payments and mortgage operations as the parts of the business it is most concerned about.
Risk and Resiliency
Following recent threat intelligence, the bank has identified ransomware as a significant risk for 2021, and the key stakeholders want to ensure that sufficient investment is being made to minimise the risk of, and improve resiliency to, a ransomware attack affecting their Mainframe computer.
As a result, a quantitative risk analysis was carried out to identify the potential financial impact of a successful ransomware attack on the central Mainframe computer.
Identify and Isolate
Based on the need to ensure that the Mainframe computer is adequately protected from the ransomware threat, a network diagram needs to be created showing all the assets connected to the Mainframe computer, so that these can be categorised as high-risk assets within the asset inventory and grouped/tagged within the vulnerability scanning platform.
Next, the current state is confirmed and additional mitigation measures are identified that can help reduce the ransomware risk to within acceptable tolerances.
Segment the network so that only the essential and approved IT systems have a connection to the Mainframe computer.
Create a specific group/suite of tags to monitor and quickly identify missing updates for the Mainframe assets and connected IT systems.
Ensure all these IT systems are securely configured, so that only required services, ports and protocols are enabled.
Augment the automated patching process with enhanced vulnerability management, whereby a critical patch report is generated after automated patching has run, to identify any software updates that may have been missed.
Implement endpoint protection software to reduce the risk from users clicking on malicious links.
Ensure antivirus software is receiving regular updates.
Ensure regular backups are being effectively carried out to a secure off-site location.
Tokenise any sensitive data to limit the damage from ransomware attacks in which data assets are exfiltrated.
Carry out refresher security awareness training, with specific coverage of the Ransomware threat, so that the end users are aware of how this threat presents itself and how they should respond to suspicious events.
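As an added example (not code from the article or the book), the identify-and-isolate steps above carried out over a constructed asset inventory: a breadth-first search from the Mainframe finds every connected asset, tags it, flags direct links that are not on an approved list, and reconciles post-patching scan results into the critical patch report. The asset names, links, approved list and scan results are all assumed sample data.

```python
# Added example, not from the article or the book: map which assets can reach the
# Mainframe, tag them, check direct links against the approved list, and report the
# critical/high updates the automated patch run left behind on those assets.
# All asset names, links and scan results are constructed sample data.
from collections import deque
# Constructed network links (undirected): which systems can talk to which.
LINKS = [
    ("mainframe", "payments-gw"), ("mainframe", "core-banking-app"),
    ("mainframe", "mortgage-batch"), ("mainframe", "hr-portal"),
    ("core-banking-app", "teller-ws-01"), ("hr-portal", "corp-file-share"),
]
# Systems the change board has approved to connect directly to the Mainframe.
APPROVED_DIRECT = {"payments-gw", "core-banking-app", "mortgage-batch"}
# Constructed scan output captured after automated patching ran: (update, severity).
SCAN = {
    "mainframe": [("EXAMPLE-UPD-1", "critical")],
    "core-banking-app": [("EXAMPLE-UPD-2", "critical"), ("EXAMPLE-UPD-3", "low")],
    "mortgage-batch": [("EXAMPLE-UPD-4", "high")],
    "teller-ws-01": [("EXAMPLE-UPD-5", "critical")],
    "hr-portal": [("EXAMPLE-UPD-6", "critical")],
}

def reachable_from(links, root="mainframe"):
    """Breadth-first search: every asset with a path to root, keyed by hop count."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    hops, queue = {root: 0}, deque([root])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops

def tag_assets(hops):
    """Anything with a path to the Mainframe is high risk; direct neighbours also join the silo."""
    return {a: {"high-risk", "mainframe-silo"} if h <= 1 else {"high-risk"}
            for a, h in hops.items()}

def segmentation_violations(hops, approved=APPROVED_DIRECT):
    """Direct Mainframe links that are not approved: segmentation should remove these."""
    return sorted(a for a, h in hops.items() if h == 1 and a not in approved)

def critical_patch_report(tags, scan=SCAN, levels=("critical", "high")):
    """Missing critical/high updates on tagged assets, i.e. what automated patching missed."""
    return {a: [u for u, s in scan.get(a, []) if s in levels]
            for a in sorted(tags) if any(s in levels for _, s in scan.get(a, []))}
```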
Having identified the mitigation methods, a follow-up risk analysis can be carried out to show how these measures will help to reduce the risks and to show their Return on Investment (ROI). Below is an example of the change to the risk profile that can be realised after all the mitigation measures have been applied.
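An added illustration, not from the article or the book, of the before/after quantitative risk analysis and ROI figures described above: it models the ransomware scenario as an annualised loss expectancy (SLE x ARO), applies the mitigation measures as constructed likelihood and impact reduction factors, and computes the overall and per-measure return on security investment. All costs, loss figures and reduction factors are assumed for illustration.

```python
# Added example, not from the article or the book: a simple quantitative model of the
# ransomware-on-Mainframe scenario before and after the mitigation measures, giving
# the change in expected annual loss and the return on the security spend.
# All figures are constructed illustrations, not data from the article.
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    sle: float  # single loss expectancy: cost of one successful attack
    aro: float  # annualised rate of occurrence: expected attacks per year
    @property
    def ale(self) -> float:
        """Annualised loss expectancy, the figure stakeholders compare before/after."""
        return self.sle * self.aro

@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float
    aro_factor: float = 1.0  # multiplies likelihood (1.0 = no change)
    sle_factor: float = 1.0  # multiplies impact per event (1.0 = no change)

def apply(scenario, mitigations):
    """Assumes the measures act independently, so their factors compound."""
    aro, sle = scenario.aro, scenario.sle
    for m in mitigations:
        aro, sle = aro * m.aro_factor, sle * m.sle_factor
    return Scenario(sle=sle, aro=aro)

def rosi(scenario, mitigations):
    """Return on security investment: (ALE reduction - annual cost) / annual cost."""
    cost = sum(m.annual_cost for m in mitigations)
    reduction = scenario.ale - apply(scenario, mitigations).ale
    return (reduction - cost) / cost

def rank_by_rosi(scenario, mitigations):
    """Each measure's stand-alone ROSI, highest first, to help prioritise the spend."""
    return sorted(((m.name, rosi(scenario, [m])) for m in mitigations),
                  key=lambda pair: pair[1], reverse=True)

# Constructed baseline: one Mainframe-impacting ransomware event every four years, costing 8m.
BASELINE = Scenario(sle=8_000_000, aro=0.25)
MEASURES = [  # constructed costs and estimated effects for the measures listed above
    Mitigation("network segmentation", 150_000, aro_factor=0.5),
    Mitigation("enhanced vulnerability management", 80_000, aro_factor=0.7),
    Mitigation("endpoint protection", 50_000, aro_factor=0.8),
    Mitigation("off-site backups", 40_000, sle_factor=0.5),
    Mitigation("tokenisation", 120_000, sle_factor=0.7),
    Mitigation("awareness training", 20_000, aro_factor=0.9),
]
```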
Having established a secure silo, it is essential that any new or emerging vulnerabilities are quickly detected, that all changes are subject to formal, documented change reviews (risk, impact, rollback, etc.) and that the logs from this secure silo are centrally monitored.
The operation and maintenance of this secure silo requires human support and interaction with these IT assets. Consequently, this needs a formal Command and Control structure to ensure that all authorised personnel understand the rules and receive periodic refresher security training for their roles and responsibilities.
7 Characteristics of an effective Command & Control Structure:
Chain of Command.
Evaluate Security Controls
Now that you have confirmed the mitigation controls that need to be implemented to reduce the ransomware threat to within acceptable tolerances, it is essential that these controls are subject to periodic reviews, to ensure that they remain effective risk reduction measures.
To provide additional assurance, suitable performance metrics should be periodically communicated to the key stakeholders.
Survive To Operate
Despite the best-laid plans and embedded processes, for a Command and Control structure to be deemed effective, you need to have effective plans in place to respond to and deal with incidents before they can significantly impact or damage your organisation.
Consequently, you need to think about what contingencies you need in place to ensure that you can quickly respond to, contain and 'Bounce Back' from a ransomware-style attack, e.g.
A competent security incident response process.
A suitable disaster recovery plan.
A practical business continuity plan.
Terms like Protective Security, Cyber-Security and Information Security can often be regarded as providing a limited ROI, with them being:
Extremely expensive.
Virtually invisible.
However, in the event that the defensive measures fail, suddenly these terms become very visible and significantly more expensive. The BRIDGES approach seeks to provide an alternative way of changing this.
Consequently, it is essential that organisations understand any emerging threats and carry out risk scenario-based analysis against their valued business assets, processes and operations, to quantify the potential impacts to their organisation.
Based upon this analysis, your key stakeholders will be better placed to understand the risks they are currently facing and the level of investment needed to bring them down to a level with which they are comfortable.
Suddenly, through the application of the BRIDGES approach, the key stakeholders start to gain a better appreciation of how their investments are helping to reduce their risks in the areas of the business that they feel are the highest priority for the longevity of the organisation.
How do you quantify how well your defensive efforts mitigate against the Ransomware threat?
How well do you demonstrate your ROI?