Cyber security exposure

Academic year: 2021


BSI publications on cyber security
Cyber security exposure

Given the highly dynamic development of the threat situation in cyber space, as exact a knowledge as possible of what aspects concern you is a prerequisite for efficiently protecting networks and IT systems in companies, government agencies, and other organisations. The cyber security exposure forms a pragmatic approach for determining what you are concerned by based on comprehensible standards.

1 Goal

The determination of the cyber security exposure described within the framework of this document is intended to support the management in identifying the real concerns, in determining the protection requirements and, building upon these, in defining the level of cyber security to be aimed at.

Based on the management's decision regarding the cyber security exposure, it is then the task of the persons responsible for IT and IT security (CIO and CISO) to derive the type and extent of reasonable and appropriate safeguards and to implement these. For this, the basic safeguards for cyber security provide pragmatic recommendations for action, the observance of which forms the basis for robust networks and resistant IT systems. This provides the prerequisites for efficient protection against attacks using the Internet.

This approach is intended to ensure that, given the wealth of necessary detailed safeguards, the essential basic safeguards for cyber security can always be taken into consideration.

2 Determination of the cyber security exposure

Determining the cyber security exposure of the infrastructure to be protected forms the prerequisite for planning and implementing appropriate safeguards and for subsequently evaluating these safeguards with regard to necessity, adequateness, and economic viability. The individual infrastructure elements and the data stored and transmitted therein, as well as the processing processes themselves must therefore be subjected to a holistic cyber threat analysis. As a guide to common cyber attacks, the register of current cyber threats and forms of attack of the BSI may be used.

The IT infrastructure to be protected, as well as its individual elements are exposed to a broad range of attack methods. The resulting cyber security exposure of the stored and transmitted data and processes can be summarised systematically by considering the interaction of different factors.


Possible values for the cyber security exposure include normal, high, or very high and therefore the values are based on the protection requirements determination according to BSI standard 100-2 IT-Grundschutz Approach. These values are determined by several factors: the attractiveness of the infrastructure to be protected, the characterisation of the attackers, the value of the attacked data and processes, the level of targeting of the attacks, and whether there are already empirical values regarding attacks performed in the past. The cyber security exposure exists regarding the confidentiality and the availability, as well as the integrity. Then, the cyber security exposure must be weighted regarding the transparency of the infrastructure for attackers.

This results in the following central questions for determining the cyber security exposure:

• Value of the information and processes
  ◦ Which data constitutes the highest value both regarding confidentiality and availability and integrity?
  ◦ Which processes constitute the highest value both regarding confidentiality and availability and integrity?
  ◦ To which extent do business-critical processes of the organisation depend on the data?
• Attractiveness for attackers
  ◦ How attractive is gaining access to the confidential data for attackers?
  ◦ How attractive is limiting the availability of the data and processes for attackers?
  ◦ How attractive is violating the integrity of the data and processes by manipulations for attackers?
• Characterisation of the attackers
  ◦ Who comes into consideration regarding attacks against the confidentiality, availability, and/or integrity?
    ➢ Perpetrators acting in their spare time or out of sheer curiosity (hobbyists)?
    ➢ IT security researchers initially pursuing an academic interest with regard to possibilities of attack, but who also publish their results publicly (full disclosure)?
    ➢ Cyber small-time criminals focusing particularly on the monetary usability of stolen data?
    ➢ Professional, organised cyber criminals, or professional competition espionage?
    ➢ Hackers pursuing political and social goals with their attacks?
    ➢ Official authorities, e.g. intelligence services, capable of relying on comprehensive resources for planning and implementing their attacks?
• Level of targeting of the cyber attacks
  ◦ Should it be assumed that the organisation will be exposed to wide-area attacks, the goals of which are selected rather randomly in a large number by these groups of attackers?
  ◦ Or should it be assumed that the organisation will be attacked in a targeted manner, which allows for better preparation and implementation of an attack?
• Empirical values regarding attacks in the past
  ◦ Have cyber attacks on the organisation been detected in the past?
  ◦ Were there successful cyber attacks in the past that led to damage?

This analysis can then be used to determine the cyber security exposure regarding the protective goals of confidentiality, availability, and integrity, oriented on the calculation bases defined in tables 1, 2, and 3. Here, for each line of the table, an individual value for the degree of threat to confidentiality, availability, and integrity is assigned according to the criteria specified; the maximum over the lines then gives the degree of threat for each basic value.


Determination of the degree of threat (one value per line for each of Confidentiality, Availability, Integrity)

Value of the data and processes:    low 0, normal 1, high 2, very high 4 (same scale for confidentiality, availability and integrity)
Attractiveness for attackers:       low 0, normal 1, high 2, very high 4 (same scale for all three goals)
Type of attackers:                  Hobbyists 0, Researchers 1, Small-time criminals 2, Professional criminals 4, Hackers 4, Governmental players 5 (same scale for all three goals)
Level of targeting of the attack:   Wide-area attack 1; Targeted attack 5 (confidentiality), 4 (availability), 5 (integrity)
Attacks in the past:                unknown 1, repelled 3, successful 5 (same scale for all three goals)
Degree of threat:                   Maximum of the lines above, separately per goal (max. value 1 … 5)

Table 1: Determination of the degree of threat

In order to successfully perform a cyber attack, the attacker needs as much information as possible about the organisation being attacked. The level of transparency of the organisation regarding the attacker is decisive:

• What information about the structure of the infrastructure to be protected is publicly available?
  ◦ Can conclusions about the IT infrastructure be drawn from the website of the government agency or company?
  ◦ What information is disclosed in job offers for technical personnel?
  ◦ Do publications of the government agency or company such as the financial statement or (particularly in public administration) completed procurements contain direct or indirect information on the IT infrastructure?
  ◦ How do employees of the government agency or company behave in social networks, both professionally and privately? What information about the technical equipment do they disclose deliberately or inadvertently in so doing? What conclusions can be drawn about key roles within the organisation and possible technical and human gateways?
• Are attackers able to reconnoitre details of the infrastructure using technical methods?
  ◦ What technical data is disclosed to the outside by the systems connected to the Internet, e.g. by web servers of an organisation?
  ◦ Is it possible to obtain details of the software installed by analysing the information transmitted by Internet browsers of the organisation when opening external websites?
  ◦ Do the data fields of emails of the government agency or company contain information on the groupware used and its structure, for example?
  ◦ Do government agency or company documents contain open or hidden metadata which accidentally discloses further information?
• Do third parties collect information about the government agency or company in semi-public or private forums on the Internet that may be useful to attackers reading these forums?

For the subsequent determination of the cyber security exposure, the values for the transparency aspect must now be classified.

Determination of the transparency (applies equally to Confidentiality, Availability, Integrity)

Transparency for the attacker:   low –1, medium 0, high +1

Table 2: Determination of the transparency

Now, the cyber security exposure is determined based on the sum of the degree of threat and the transparency value

Cyber security exposure = degree of threat + transparency

and may adopt values between 0 and 6 resulting in a normal, high, or very high cyber security exposure.

Determination of the cyber security exposure (per protective goal: Confidentiality, Availability, Integrity)

Cyber security exposure:
  Normal       max. value 0 … 1
  High         max. value 2 … 3
  Very high    max. value 4 … 6

Table 3: Determination of the cyber security exposure


Here, the cyber security exposure is always represented separated according to confidentiality, availability, and integrity:

Cyber security exposure = (confidentiality | availability | integrity)

Example for a fictitious industrial company:

• Governmental players must be taken into consideration as attackers of the confidentiality of corporate data within the framework of industrial espionage.

• However, it is not to be expected that there are attackers for whom adverse effects on the availability constitute an interesting goal regarding this company (for example, in the form of distributed-denial-of-service attacks). Short-term non-availability of services does not constitute a particular risk for the company either.

• Likewise, the amount of damage incurred after attacks on the integrity of the data would have to be estimated as high, based on their value for the company.

• The transparency of the company from the attacker's point of view is medium.

• In this case, this results in a maximum value of 5 for confidentiality, 1 for availability, and 2 for integrity. This results in the following formal exposure:

Cyber security exposure = (confidentiality very high | availability normal | integrity high)

• The cyber security exposure determined this way summarises the threat situation for the reviewed infrastructure with regard to the transparency and attractiveness for attackers, the type and targeting level of the attackers, possible amounts of damage, as well as findings regarding previous attacks and therefore forms the decisive criterion for the decision as to which safeguards must be taken with which intensity in the key areas of cyber security.
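The scoring scheme of tables 1 to 3 and the formula "exposure = degree of threat + transparency" can be carried through mechanically. The following Python script is an added example and not part of the BSI publication: it encodes the three tables, takes the answers to the central questions per protective goal, and reproduces the fictitious industrial company above (5 | 1 | 2 with medium transparency, giving very high | normal | high). The function and field names, the constructed input values for the company, and the choice to take the most capable attacker group when several come into consideration are my own assumptions.

```python
"""Cyber security exposure calculator for the BSI scoring scheme
(Tables 1 to 3 and "exposure = degree of threat + transparency").

Added example: function and field names are my own choice and are not
part of the BSI document.
"""
from dataclasses import dataclass

GOALS = ("confidentiality", "availability", "integrity")

# Table 1: the scales are identical for all three protective goals,
# except that a targeted attack scores 4 (not 5) for availability.
VALUE_SCALE = {"low": 0, "normal": 1, "high": 2, "very high": 4}
ATTRACTIVENESS_SCALE = VALUE_SCALE
ATTACKER_SCALE = {
    "hobbyists": 0,
    "researchers": 1,
    "small-time criminals": 2,
    "professional criminals": 4,
    "hackers": 4,
    "governmental players": 5,
}
TARGETING_SCALE = {
    "confidentiality": {"wide-area": 1, "targeted": 5},
    "availability": {"wide-area": 1, "targeted": 4},
    "integrity": {"wide-area": 1, "targeted": 5},
}
PAST_ATTACKS_SCALE = {"unknown": 1, "repelled": 3, "successful": 5}

# Table 2: transparency of the organisation for the attacker
TRANSPARENCY_SCALE = {"low": -1, "medium": 0, "high": 1}


@dataclass(frozen=True)
class GoalAssessment:
    """Answers to the central questions for one protective goal."""
    value: str            # value of the data and processes
    attractiveness: str   # attractiveness for attackers
    attackers: tuple      # attacker groups that come into consideration
    targeting: str        # "wide-area" or "targeted"
    past_attacks: str     # "unknown", "repelled" or "successful"


def degree_of_threat(goal: str, a: GoalAssessment) -> int:
    """Table 1: one value per line, then the maximum over the lines.
    Assumption (not stated in the table): when several attacker groups
    come into consideration, the most capable group is decisive."""
    line_values = (
        VALUE_SCALE[a.value],
        ATTRACTIVENESS_SCALE[a.attractiveness],
        max(ATTACKER_SCALE[group] for group in a.attackers),
        TARGETING_SCALE[goal][a.targeting],
        PAST_ATTACKS_SCALE[a.past_attacks],
    )
    return max(line_values)


def classify(exposure_value: int) -> str:
    """Table 3: map the numeric exposure to normal / high / very high."""
    if not 0 <= exposure_value <= 6:
        raise ValueError(f"exposure value {exposure_value} outside 0 ... 6")
    if exposure_value <= 1:
        return "normal"
    if exposure_value <= 3:
        return "high"
    return "very high"


def cyber_security_exposure(assessments: dict, transparency: str) -> dict:
    """Exposure = degree of threat + transparency, separately per goal.
    Returns {goal: (numeric value, classification)}."""
    offset = TRANSPARENCY_SCALE[transparency]
    result = {}
    for goal in GOALS:
        value = degree_of_threat(goal, assessments[goal]) + offset
        result[goal] = (value, classify(value))
    return result


def format_exposure(result: dict) -> str:
    """Render in the document's notation: (confidentiality x | availability y | integrity z)."""
    return "(" + " | ".join(f"{goal} {result[goal][1]}" for goal in GOALS) + ")"


# Constructed input reproducing the fictitious industrial company of the text:
# governmental players threaten confidentiality, availability is of little
# interest to attackers, integrity damage would be high, transparency is medium.
FICTITIOUS_COMPANY = {
    "confidentiality": GoalAssessment("very high", "high", ("governmental players",), "targeted", "unknown"),
    "availability": GoalAssessment("normal", "low", ("hobbyists",), "wide-area", "unknown"),
    "integrity": GoalAssessment("high", "normal", ("small-time criminals",), "wide-area", "unknown"),
}

if __name__ == "__main__":
    exposure = cyber_security_exposure(FICTITIOUS_COMPANY, "medium")
    for goal in GOALS:
        print(f"{goal:16s} degree of threat + transparency = {exposure[goal][0]} -> {exposure[goal][1]}")
    print("Cyber security exposure =", format_exposure(exposure))
```

Changing only the transparency input shows why the document weights it last: with high transparency the same company moves availability from 1 (normal) to 2 (high), while low transparency leaves confidentiality at 4 and still very high.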

By means of the BSI publications, the Federal Office for Information Security (BSI) publishes documents about current topics in the field of cyber security. Comments and advice from readers can be sent to [email protected].
