16 March, 2021: New Delhi
Defending networks isn’t a new concept. We’ve known how to implement prevention, detection, and response controls for years. The challenge we face is the lack of will to do what’s required to deal with the increasing threats from nations, terrorists, and others. Relying on the Indian government to protect us is simply finger pointing. The fingers need to come down while organizations start assuming responsibility for their own defense.
Cyberattacks related to warfare differ little from those associated with criminal activity. The main difference is in the effort expended. Cybercriminals tend to walk away when the cost of reaching their objectives exceeds the expected revenue. Cyberwarriors take a different approach. Operating as advanced persistent threats (APTs), they use whatever means are necessary, including time, to achieve political or social objectives. However, the basic defense against both financial and sociopolitical attacks is the same.
Management acceptance of defense as a cost of doing business. Once C-level management accepts security in general, and cyberwarfare defense in particular, as a necessary part of doing business, an organization’s culture begins to change. As executive management approves and supports security policies and their expected outcomes, all levels of management tend to integrate information-safe business practices into their employees’ day-to-day processes.
Development of a security program/framework. Security programs contain policies, standards, and guidelines required for consistent compliance with management expectations of risk. In addition to program- and issue-level policies that provide general guidance, system-level policies should exist for probable cyberwarfare targets.
Risk management. Risk management processes identify gaps between management’s expectations and reality. In general, a risk assessment provides a roadmap to achieving a reasonable and appropriate defense by identifying:
o Critical systems, including targets of interest to cyberwarriors:
   - Intellectual property
   - National defense technology
   - Critical national public services delivery components
   - System interdependence
o Threats
o Vulnerabilities
o Impact if critical systems or data are compromised
o Overall risk associated with each identified probable target
o Metrics
Change management. Every time an organization changes an application, adds a system, or makes an adjustment to a network device, the potential for increased risk exists. A solid change management program helps prevent acceptable residual risk from crossing the line to high risk.
Risk management supports change management by requiring risk assessments as part of the software/system development lifecycle (SDLC). Integrating security into every facet of IT projects is a necessary component in cyberwarfare defense.
Monitoring. The most basic monitoring controls are alerts raised by individual devices when something questionable occurs. However, this approach requires time to track down the cause, and that delays response. Understanding how a reported event fits into the overall state of the network takes time and effort: time an attacker uses to take further steps toward the target.
A better approach is centralized log collection with correlation, commonly known as security information and event management (SIEM). A SIEM gathers events from devices across the network and aggregates them into a single stream. A correlation engine then looks for patterns across sources. When a pattern falls outside what is expected for the organization’s own network and device operations, the SIEM raises an alert that already carries the related events. At that point, responders start with a clear picture of the overall activity involved in a possible attack rather than a single device’s view of it.
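As an added illustration of the correlation step described above (example code written for this page, not from the article or from TechRepublic), the script below normalizes constructed sshd and firewall log lines into one event stream and applies a single correlation rule: repeated failed logins from one source address followed by a successful login, where the source lies outside the networks admin logins are expected from. The log lines, host names, addresses, thresholds and the 10.0.0.0/8 "expected admin network" baseline are all invented for the example. It also counts the raw per-device alerts the same data would produce, to show what correlation removes.

```python
"""Toy SIEM-style correlation over constructed log lines.

Example code, not from the article. Two log sources are normalized into one
event stream; a correlation rule then flags a pattern that no single device
alert reveals on its own: a burst of failed logins from one source address,
followed by a successful login, with the source outside the networks the
organisation expects interactive admin logins to come from.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data (hosts, addresses and times are invented).
SSHD_LOG = """\
2021-03-16T09:00:01 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 50111 ssh2
2021-03-16T09:00:04 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 50112 ssh2
2021-03-16T09:00:09 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 50113 ssh2
2021-03-16T09:00:15 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 50114 ssh2
2021-03-16T09:00:21 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 50115 ssh2
2021-03-16T09:00:40 web01 sshd[2101]: Accepted password for admin from 203.0.113.7 port 50116 ssh2
2021-03-16T09:05:00 db01 sshd[777]: Failed password for ops from 10.0.5.20 port 41000 ssh2
2021-03-16T09:05:05 db01 sshd[777]: Accepted publickey for ops from 10.0.5.20 port 41001 ssh2
"""
FW_LOG = """\
2021-03-16T08:59:58 fw01 ALLOW TCP 203.0.113.7:50111 -> 10.0.1.10:22
2021-03-16T09:00:39 fw01 ALLOW TCP 203.0.113.7:50116 -> 10.0.1.10:22
2021-03-16T09:04:59 fw01 ALLOW TCP 10.0.5.20:41000 -> 10.0.1.20:22
"""

# Assumed baseline: networks from which admin logins are expected.
EXPECTED_ADMIN_NETS = [ip_network("10.0.0.0/8")]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"\S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) \S+ "
    r"(?P<ip>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)"
)


def parse_events(sshd_log, fw_log):
    """Normalize both sources into dicts sharing one schema, sorted by time."""
    events = []
    for line in sshd_log.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "source": "sshd",
                           "host": m["host"], "ip": m["ip"], "user": m["user"],
                           "type": "auth_fail" if m["result"] == "Failed" else "auth_ok"})
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "source": "fw",
                           "host": m["host"], "ip": m["ip"], "user": None,
                           "type": "fw_" + m["action"].lower()})
    return sorted(events, key=lambda e: e["ts"])


def device_alerts(events):
    """What per-device alerting yields: one alert per failed login, no context."""
    return [e for e in events if e["type"] == "auth_fail"]


def correlate(events, fail_threshold=5, window=timedelta(minutes=2)):
    """Alert when >= fail_threshold failures from one IP inside `window` are
    followed by a success, and the IP is outside the expected admin networks.
    The alert carries every source that observed the IP."""
    alerts = []
    fails = defaultdict(list)       # src ip -> timestamps of recent failures
    observed_by = defaultdict(set)  # src ip -> log sources that saw it
    for e in events:
        observed_by[e["ip"]].add(e["source"])
        if e["type"] == "auth_fail":
            fails[e["ip"]].append(e["ts"])
        elif e["type"] == "auth_ok":
            recent = [t for t in fails[e["ip"]] if e["ts"] - t <= window]
            external = not any(ip_address(e["ip"]) in n for n in EXPECTED_ADMIN_NETS)
            if len(recent) >= fail_threshold and external:
                alerts.append({"ip": e["ip"], "user": e["user"], "host": e["host"],
                               "failures": len(recent), "first_seen": min(recent),
                               "succeeded_at": e["ts"],
                               "observed_by": sorted(observed_by[e["ip"]])})
                fails[e["ip"]].clear()  # one alert per burst, not one per login
    return alerts


if __name__ == "__main__":
    evts = parse_events(SSHD_LOG, FW_LOG)
    print(f"{len(device_alerts(evts))} raw device alerts")
    for a in correlate(evts):
        print("CORRELATED:", a)
```

Running it yields six raw device alerts (one per failed login, including the single harmless failure on db01) but one correlated alert, naming the external source, the account, the target host, the number of failures and the firewall as a second source that saw the same address. The internal ops login with a single failure stays below threshold and inside the baseline, so it is not flagged.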
Incident response. It’s unrealistic to believe an organization will never be successfully attacked at some level. Monitoring detects unwanted behavior; its value depends on a quick and effective response to probable attacks. Incident response requires policy, processes, and team training to be effective. The quality of the response directly affects the impact of an attack.
Controls implemented and managed as a result of the above processes must include prevention, detection, and response elements. Within each of these, physical, logical, and administrative controls are necessary.
No organization is truly immune from cyberwarfare activities. If attacking a network provides sociopolitical value, that network is a probable target. Relying on government intervention or cooperation to protect private and public industry infrastructure is unreasonable. It’s up to each of us to take steps to secure our information resources and the processes they support.
We don’t have to look far to find guidance for achieving reasonable and appropriate protection. Mature standards of best practice already exist. It simply takes a shift in perspective at the management level to begin integrating security into every facet of business operations. The perspective needed is one of accepting cyberwarfare as a growing reality and defense as a cost of doing business. (Courtesy: Tech Republic)