
Establishing and Evolving Systemic Security

In document Personal Copy of: Dr. Sarwono Sutikno (Page 141-153)

6. Establishing and Evolving Systemic Security

As described in chapter 3. Security Governance, cybersecurity is part of an overall complex system that continuously transforms from one stable system state to the next. Like information security in general, cybersecurity governance, management and assurance are iterative and evolving processes aiming at further improvement and constant adaptation to vulnerabilities, threats and associated risk. From an end-to-end perspective of the enterprise, cybersecurity will transform the organizational, technical, process, social and behavioral context as well as the relative risk position with regard to attacks, breaches and incidents.

The underlying security model[37] addresses all of the aspects listed in the previous paragraph as systemic rather than “flat” or linear, and it acknowledges and integrates the multiple dependencies among them. Attacks, breaches and incidents caused by cybercrime and cyberwarfare are nonlinear, often unpredictable and highly variable in terms of what happens when and where. Cybersecurity needs to accommodate this variability and address the weakest link in the chain by various means.

The following subsections explain the systemic view of cybersecurity and its application to governance, management and assurance. This includes the transformation aspect influenced by actual cybersecurity-related occurrences and managerial or technical input to the system. The links to COBIT 5 are shown in appendix B. Intelligence, Investigation and Forensics in Cybersecurity.

The Cybersecurity System

Cybersecurity, as a system, is distributed across all parts of the enterprise. It includes the enterprise, its people and processes, and technology in the widest sense. These elements are connected in a dynamic way, e.g., by linking organizational strategy to people by way of the organizational and individual culture, or linking people to technology by human factors in using IT. Decisions, activities and controls in cybersecurity always relate to one or more elements and to one or more of the dynamic connections between the elements. In this way, the systemic view is helpful in understanding how detailed cybersecurity measures create multiple dependencies and may lead to complex outcomes that would not be visible in a more linear (flat) view. The targeted enterprise receives internal and external feedback about the quantity and quality of attempted or completed attacks and breaches. The result is an ongoing and dynamic (transforming) cycle of changes to cybersecurity arrangements and corresponding changes to the external threat and attack landscape. In the interest of the enterprise, the strategic objective should obviously be to decrease attractiveness and to increase resilience by various means. This may be represented as a system dynamics diagram showing the dependencies among attacks, security measures and the resulting state of the system. Figure 52 shows an example.

[37] See ISACA, The Business Model for Information Security, USA, 2010, www.isaca.org/bmis.

In this example, the total number of attacks (in red) is the sum of all external and internal attacks and breaches that may occur. These are, in turn, subject to many influences, such as the predisposition of internal employees and the background of external attackers. Obviously, a higher detection rate will both discourage perpetrators and improve the identification of vulnerabilities (including threats and associated risk) by the enterprise. As a result, the overall attractiveness of the enterprise and its associates may increase or decrease, depending on any or all of the preceding elements of the system. Target attractiveness is the key influencing factor in terms of the cybersecurity system dynamics at work. It will subsequently determine the window of opportunity for attacks or breaches. An unattractive target may take a lot more time and effort to infiltrate, and the motive needs to be strong enough to invest the time and effort, to prepare at the technical level needed to deliver a successful attack, and to obtain the necessary tools or exploits (e.g., zero-day exploits on the black market) to make it all work. In total, the upper half of the diagram circle leads to the factual probability of attack, which is a function of both motive and opportunity and target attractiveness.

Figure 52: System Dynamics Representation: Attacks and Breaches (diagram). Nodes: Exploit availability; Time and resources; Technical level; Motive and opportunity; Target attractiveness; Decreased attractiveness; Increased attractiveness; Vulnerabilities identified; Attacks detected; Internal attacks; Internal associates; External attacks; Attack probability; Change in attractiveness; Total attacks.


Figure 52 is a comparatively simple example, and other influencers may come into play. “Attacks detected” might be complemented with “attacks successfully averted,” and “vulnerabilities identified” might be extended to “vulnerabilities and actual threats identified” based on intelligence and risk assessment. However, the example is an illustration of how enterprises should develop their understanding of the system dynamics happening within cybersecurity.

Within this context of system dynamics, cybersecurity strategies should address the key influencing factors to maximize the desired outcome—in this case, a significant decrease in attractiveness of the target. To achieve this outcome, investments and resources need to be allocated in a way that brings the overall system to a local[38] optimum:

• Attractiveness to cybercrime and cyberwarfare and related attacks/breaches is as low as reasonably possible.

• Investments are directed at influencing factors that shift the overall system toward the current/local optimum state.

• Indicators of cybersecurity efficiency and effectiveness show that further improvement will be marginal, thus indicating a comparatively stable overall system state.

This “local” or current optimum is obviously transient and temporary. As the enterprise changes its cybersecurity strategies and arrangements, the external developments in cybercrime and cyberwarfare are likely to bring new challenges and increases in attacks and breaches. The system dynamics shown in figure 52 will then indicate that, given an increase in the number of attempted or actual attacks, the stable state of the system has come to an end and further transformational activities are needed.

The systemic view of cybersecurity goes beyond the questions addressed by standard indicators and measurements used in monitoring. In a systemic world, a question about why the system is reverting to a suboptimal state is answered using both measurements and the known dependencies among various elements of the system dynamics circle.
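The following simulation is an added example, not code from the book or from ISACA: it runs the figure 52 loop as numbers and shows the stable state, and the diminishing return of raising the detection rate, that the text calls the local optimum. Every coefficient, the 0..1 scaling of the nodes and the recovery toward a baseline attractiveness are assumptions made here; the book gives only the direction of each link.

```python
"""Toy simulation of the figure 52 loop (added example, not from the book).
Node names follow the figure; all coefficients, the 0..1 scaling and the
recovery toward a baseline attractiveness are assumptions made here so that
the qualitative links in the text can be run as numbers."""
from dataclasses import dataclass


@dataclass
class LoopState:
    attractiveness: float        # target attractiveness, 0..1
    detection_rate: float        # share of attacks the enterprise detects, 0..1
    exploit_availability: float  # how easily working exploits are obtained, 0..1
    motive: float                # strength of the attacker's motive, 0..1


BASELINE_ATTRACTIVENESS = 0.8  # assumed: attractiveness set by the assets held
RECOVERY = 0.3                 # assumed: pull back toward the baseline per round
INTERNAL_BASE = 2.0            # assumed: internal attempts per round at probability 1
EXTERNAL_BASE = 10.0           # assumed: external attempts per round at probability 1


def attack_probability(s: LoopState) -> float:
    """Upper half of the loop: attack probability as a function of motive and
    opportunity and target attractiveness. An unattractive target raises the
    time, effort and technical level needed, shrinking the opportunity window."""
    effort_needed = 1.0 - s.attractiveness
    opportunity = s.exploit_availability * (1.0 - 0.5 * effort_needed)
    return s.motive * opportunity * (0.5 + 0.5 * s.attractiveness)


def step(s: LoopState) -> LoopState:
    """Lower half of the loop: detected attacks discourage perpetrators and
    reveal vulnerabilities (decreased attractiveness); undetected attacks
    signal a soft target (increased attractiveness)."""
    p = attack_probability(s)
    total = (INTERNAL_BASE + EXTERNAL_BASE) * p  # TOTAL ATTACKS
    detected = total * s.detection_rate          # Attacks detected
    vulns_identified = 0.8 * detected            # assumed share that reveals a weakness
    decrease = 0.05 * detected + 0.05 * vulns_identified
    increase = 0.03 * (total - detected)
    recovery = RECOVERY * (BASELINE_ATTRACTIVENESS - s.attractiveness)
    new_attr = s.attractiveness + recovery + increase - decrease
    new_attr = max(0.0, min(1.0, new_attr))      # CHANGE IN ATTRACTIVENESS
    return LoopState(new_attr, s.detection_rate, s.exploit_availability, s.motive)


def steady_state(detection_rate: float, rounds: int = 60) -> LoopState:
    """Run the loop until it settles: the 'local optimum' of the text, a state
    in which a further round changes attractiveness only marginally."""
    s = LoopState(BASELINE_ATTRACTIVENESS, detection_rate, 0.7, 0.9)
    for _ in range(rounds):
        s = step(s)
    return s


def attacks_per_round(s: LoopState) -> float:
    """TOTAL ATTACKS node for a given state."""
    return (INTERNAL_BASE + EXTERNAL_BASE) * attack_probability(s)

if __name__ == "__main__":
    for d in (0.0, 0.25, 0.5, 0.7, 0.9, 1.0):
        s = steady_state(d)
        print(f"detection {d:.2f}: attractiveness {s.attractiveness:.3f}, "
              f"attacks/round {attacks_per_round(s):.2f}")
```

With these assumptions a detection rate of 0.25 exactly balances the loop, no detection lets attractiveness saturate, and each further 0.1 of detection buys less reduction in attractiveness than the previous 0.1 did.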

Attack Anatomy

Defending against attacks relies on understanding their nature and extent. While there are vast numbers of possible attack vectors, points of entry and means of entry, the security model is ideally suited to identify common characteristics of attacks or breaches. Even APT attacks distributed across enterprises and involving multiple targets often share some basic truths about the approach, steps and vulnerabilities exploited.

[38] The term “local” in this context refers to the fact that it is not the overall optimum that may be reachable. In systems theory, this overall state would be called the global optimum, and it is obvious why this cannot be reached or maintained for longer periods of time.


A typical spear phishing attack, as shown in figure 53, targets people on an individual basis, with the appropriate background. Examples might include fake meeting requests apparently sent by colleagues (exploiting culture) or forged service instructions convincing users to allow remote access (exploiting human factors). Systemically, the spear phish initially makes contact with a person—more rarely, a small team of people—carrying a socially correct payload that will enable access to the cultural and human factors interconnections. Emergence is less of a target, considering that the phisher is aiming for a predictable (not a spontaneous) response.

Figure 53: Spear Phishing: Systemic View (diagram of the seven enablers: 1. Principles, Policies and Frameworks; 2. Processes; 3. Organisational Structures; 4. Culture, Ethics and Behaviour; 5. Information; 6. Services, Infrastructure and Applications; 7. People, Skills and Competencies; enablers 5 to 7 grouped as Resources).

In contrast, technical attacks using zero-day exploits usually follow a different route. As shown in figure 54, the initial point of entry leverages technology (often in popular applications or browsers) to gain a foothold within the enterprise. This may not even be known or visible to users or administrators, and attackers are in a position to exploit the enabling and support function that technology has for processes and, ultimately, the business. Subtle changes in these processes, e.g., through obtaining and secretly forwarding certain types of documents, cause emergence in the processes affected. They no longer function normally, but, depending on the sophistication of the zero-day exploit itself and the patience of the attacker, there may be a time window of several days or weeks before it is noticed. In using and executing the emergent process, people become a target for any interesting information to which they have access.


Combined social and technical attacks, as shown in figure 55, may take various routes, ranging from technology through people to the organizational design and structure itself. Typical examples include technical preparatory attacks with subsequent (architectural) modifications in patch and systems management, thus establishing a persistent set of back doors affecting all people. Depending on the organizational security culture, it is questionable whether people (in this case, end users) will be able to identify such modifications. Conversely, a sociotechnical attack may initially be directed at individuals, exploiting cultural values or personal dispositions to gain quasi-legitimate access to the entire enterprise. Typical examples are found in collusion attacks. As a third common variant, the organizational structure may be targeted via a third party, e.g., where compromised vendor software is used to piggyback into the enterprise via a seemingly trusted channel.

When the anatomy of various attacks is known, their influence on system dynamics (figure 52) may be estimated using known vulnerabilities, threats and risk as described in chapter 2. Threats, Vulnerabilities and Associated Risk.

Figure 54: Zero-day Exploit: Systemic View (diagram of the seven enablers: 1. Principles, Policies and Frameworks; 2. Processes; 3. Organisational Structures; 4. Culture, Ethics and Behaviour; 5. Information; 6. Services, Infrastructure and Applications; 7. People, Skills and Competencies; enablers 5 to 7 grouped as Resources).


Mapping Vulnerabilities, Threats and Risk

To map the types of attacks to the risk analysis, given their anatomy as described in the previous section, a few simple steps are needed using the information already obtained as part of the risk analysis process:

• Analyze incident history (if any) in terms of attack anatomy and categorize accordingly (e.g., spear phishing, high-level technical attacks using zero-day exploits).

• Apply the systemic view and highlight the exposed elements and dynamic interconnections. Assess the degree of exposure, e.g., where attacks and breaches are very likely to target the People element.

• Map against known weaknesses (see chapter 2) and assign priorities in terms of motive, opportunity and attack probability.

• Link back to the system dynamics diagram to see which key influencers and nodes are most likely to be involved.

These steps will assist in forming an initial picture of where the primary vulnerabilities, threats and risk are in a systemic context. In practice, this mapping exercise will have to be repeated on a regular basis given that the attack and breach landscape changes, as do the actual threats. Readjusting the view on the cybersecurity system by including new attack types, observing any particularly exposed parts of the enterprise, and continuously incorporating any known risk and weaknesses is a crucial part of cybersecurity transformation.

Figure 55: Socio-technical Attack: Systemic View (diagram of the seven enablers: 1. Principles, Policies and Frameworks; 2. Processes; 3. Organisational Structures; 4. Culture, Ethics and Behaviour; 5. Information; 6. Services, Infrastructure and Applications; 7. People, Skills and Competencies; enablers 5 to 7 grouped as Resources).


The increasing accuracy of mapping the cybersecurity system in this way will enable early recognition of potentially attack-prone or high-risk areas within the organizational IT environment, including the technical infrastructure.

In contrast to more traditional models of information security, the systemic approach is better suited to adapting to evolving threats and risk resulting from the weakest-link-in-the-chain principle, which is applied by external and internal attackers alike. Understanding the steps discussed in the previous subsections is also a prerequisite to applying targeted and effective measures in terms of governance, management and assurance.

Systemic Governance, Management and Assurance

While there are many available governance, management and assurance measures and solutions, they need to be prioritized and applied in line with business priorities as well as considerations of efficiency and effectiveness, including both the expected improvement(s) and the corresponding business case(s). The systemic approach combines the available cybersecurity steps and measures with the detailed view on dependencies among them.

Identifying Potential Security Improvements

To identify the potential impact and improvements of various security measures, as well as the required investment, the same approach used for determining the anatomy of an attack should be used. This ensures that there is consistency in terms of risk vs. benefits of any proposed security investments. Strategic, tactical and operational improvements in cybersecurity should address two questions:

• Which elements and dynamic interconnections of the overall security model does the improvement address?

• What are the resulting risk and benefits in the system dynamics view?

As an example, an enterprise might consider the use of extended logging and monitoring for security-related events and incidents. Figure 56 shows how the elements and dynamic interconnections are affected by introducing new monitoring steps and measures. The monitoring processes are enabled and supported by technology, and other processes and people are the targets of monitoring. Process- or people-side emergence will be recognized very early by the indicators built into the monitoring solutions. Conversely, human factors and culture are difficult or impossible to monitor using technical means (assuming there is no surveillance of people and their behavior). However, it is clear from the systemic picture that monitoring is likely to impact the attack probability at the technology end as well as the user end. Figure 56 also shows that investing in improved or more


breaches. “More of the same” for this type of cybersecurity solution will deliver only limited benefits up to a point that more monitoring will become a disadvantage because of its high cost and effort.

Similar mechanisms apply to other cybersecurity steps and measures. In practice, one of the most frequent responses to security-related incidents and violations is the call for more stringent policies and procedures.

Figure 57 shows that written policies are primarily driven by organizational design and strategy, as a typical governance instrument deployed in a top-down manner. Investing in policies impacts the Governing interconnector and influences the People element through Culture. The IT and business processes are then readjusted in line with what the policies and procedures prescribe. In real life this is what should happen and usually does happen. Again, the systemic picture immediately reveals that technology and its interconnections to other elements of the model are not covered.

It follows that introducing policies may be beneficial in terms of security culture and individual behavior, but the likelihood of unpredictable technology-based attacks and breaches will not decrease. Likewise, people may wish to behave in line with policies and procedures, but human factor issues in using new or complex technology may make it difficult or impossible to do so—a fact that is often exploited by attackers. The popular practice of asking for more controls and better policies and procedures is subject to the same limitations as monitoring. At a certain point, overcontrol will set in and make an impact on business process efficiency, but attack probability will not decrease given that technology is still vulnerable and people who do not intend to follow any rules are unlikely to adhere to stricter rules and controls.

Figure 56: Security Monitoring: Systemic View (diagram of the seven enablers: 1. Principles, Policies and Frameworks; 2. Processes; 3. Organisational Structures; 4. Culture, Ethics and Behaviour; 5. Information; 6. Services, Infrastructure and Applications; 7. People, Skills and Competencies; enablers 5 to 7 grouped as Resources).


In line with these examples, any strategic, tactical or operational improvement in cybersecurity should be carefully weighed in terms of benefits and residual risk as well as visible gaps in terms of coverage. Transforming cybersecurity and reaching an improved state of the overall system always requires a larger set of individual security steps and measures in order to adequately cover all vulnerabilities, threats and risk.

Targeting Cybersecurity Investments

Once the individual cybersecurity solutions, steps and measures have been identified and assessed with regard to their impact on the underlying security model, they should be tested against the dependencies and overall dynamics of the cybersecurity system. This is illustrated in figure 58.

For all of the security measures, there are direct and indirect dependencies within the system dynamics picture. The policy investment discussed previously obviously targets internal associates and similar individuals (vendor representatives, contractors, visitors, etc.), but not external people with no relationship to the enterprise. Policies are depicted on the left hand side of the diagram. Technical monitoring, logging and intrusion detection systems (IDSs) are targeted at recognizing and identifying as many attacks and breaches as possible, thus influencing the number of detected attacks.

Figure 57: Policy Investment: Systemic View (diagram of the seven enablers: 1. Principles, Policies and Frameworks; 2. Processes; 3. Organisational Structures; 4. Culture, Ethics and Behaviour; 5. Information; 6. Services, Infrastructure and Applications; 7. People, Skills and Competencies; enablers 5 to 7 grouped as Resources).


For each potential investment, the influence on one or more parts of the system dynamics picture should be mapped as shown in figure 59. This is less difficult than it appears at first sight considering that the steps described in the previous subsections usually yield a fairly large number of potential investments competing for scarce resources and funding. The steps and measures suggested in appendix A. Mappings of COBIT 5 and COBIT 5 for Information Security also serve as a source of potential security steps at all levels.

The mapping against the system dynamics picture assists in determining relative priorities and finding out where best to place the investment. The risk analysis described in chapter 2 will provide additional input on justifying each investment in terms of IT-related and business risk.

Once the cybersecurity system has been populated with the various steps and measures (including the investment needed), and the business case has been established in terms of risk appetite, the results should be mapped in tabular format, as shown in figure 59.

Figure 58: Targeted Cybersecurity Investments (the figure 52 system dynamics diagram with investments attached). Investments shown: Policy investment; IDS, event logging, incident response; Awareness investment; Systems hardening; Architecture and technology; Forward intelligence; Information asset classification; Scanning, monitoring. Nodes: Exploit availability; Time and resources; Technical level; Motive and opportunity; Target attractiveness; Decreased attractiveness; Increased attractiveness; Vulnerabilities identified; Attacks detected; Internal attacks; Internal associates; External attacks; Attack probability; Change in attractiveness; Total attacks.


Table columns: Investment/Security Improvement; System Dynamics; Remarks.

Investment/Security Improvement: Awareness investment
System Dynamics:
• Targets internal associates and equivalents (temps, contractors, etc.)
• Complements organizational measures for governing and processes
Remarks: Awareness works only if corresponding policies, procedures and controls are well designed (the things to be aware of). Awareness without protection may backfire by producing fear and inhibition among users.

Investment/Security Improvement: Policy investment
System Dynamics:
• Targets internal associates and equivalents as well as third parties and business partners
• Complements awareness measures
Remarks: Policies and procedures work only when people are reasonably aware of security risk and the need for rules. If overcontrol sets in, processes will
