Introducing a Holistic Cyber Security Program
Taken from our Ascot CIO Event, October 12th 2017
Matthias Muhlert, CISO, HELLA
Cyber Security Axiom
Cyber resilience is becoming a critical business and social issue for any organization, given its continuous growth and modern IT.
As more and more business value and personal information rapidly migrates to digital form, the risks from cyberattacks grow ever more daunting. Cyber resilience systems and controls to protect intellectual property, information assets and business continuity must be continuously on the agenda and a vital strategy for any organization.
The idea of cyber resilience is also strongly supported by regulators, who develop the policies to facilitate and defend technology, by law enforcement agencies, and by industry associations that work to share information and improve institutional security (IT-Sicherheitsgesetz).
- An intelligent attacker will, at some point, defeat all defensive measures
- Design defense to detect and delay attacks so you gain time to respond
- Put layers in your defenses to contain attacks and provide redundancy in protection
- Use an active defense to catch and repel attackers after they start, but before they succeed
Therefore the general goal of a Cyber Security Program is to improve cyber resilience, meaning the ability of your organization
- to prepare for and adapt to changing conditions
- and withstand and recover rapidly from disruptions.
Process for the Setup
Obtain support of the Management Board
- Making Information Security a strategic topic
- Transferring the necessary competences to those responsible
- Granting enough resources
Treat it as a project
- Cyber Security Program implementation is a complex issue involving various activities and various people from different departments
Define the scope
- Define the Legal Entities to be in Scope
- Define the organizational parts of the Legal Entities in Scope
- Define the Processes to be in Scope of the organizational parts
Design the key areas of the Cyber Security Program
- Define Key areas including objectives of the Cyber Security Plan
Design the controls supporting the key areas
- Define controls including capabilities for each key area
Assessment of the key responsibilities and stakeholders
- Identify the main stakeholders in your organization
Determine Status of Key areas and prioritize
- Determine together with the stakeholders the status of the key areas using a risk-based approach
Determine project organization
- Set up and organize a project management
Agree on Road Map
- Determine the responsibilities, milestones, work packages, and time schedule
Coming up with the key areas and associated controls
- Definition of Cyber Security Program with Key Areas selectively adopting controls/measures from international information security frameworks
- Design of standard controls
- Implementation of controls to all Legal Entities in Scope of the Cyber Security Program
- Audit of sustainable use and implementation of controls
The Cyber Security Program should consist of 10 - 15 key areas. Topic/Key Areas definitely to consider:
- Privilege Access
- Network Security
- Application Security
- Endpoint/Server/Device Security
- Asset management and Supply Chain
- Data Protection and Cryptography
- Monitoring/Vulnerability management
- Incident Response
- Identity and Access management
Topics/Key Areas possible to consider:
Key Area Objective and related Controls Capabilities (example)
Within the Cyber Security Program each Key Area has an objective that is used as guidance for the realization of the controls associated with the Key Area. To follow the characteristics of information security controls, objectives should be composed of a preventive, a detective, an audit and a forensic aspect. Each key area has a defined set of controls associated with it. The controls are defined in terms of capabilities. Each control has to be put in place so that the threats associated with the key area are counteracted.
- Attackers enter the enterprise through outbound network connections from servers or clients on the internal network.
- Attackers enter the enterprise through the network connections of Internet-facing servers.
- Attackers use internal networks to move laterally between computers inside the enterprise.
- Attackers use enterprise networks to extract data and remove it from the enterprise.
- Attackers take control of network infrastructure components and then leverage them to gain entry to the enterprise or to bypass other security measures.
- The preventive objective is to block malicious traffic passing from one part of the network to another, or to channel that traffic so that it can be detected through other means
- The detective objective is to monitor and analyze network traffic in order to detect malicious traffic while it is in transit
- The audit objective involves analyzing network traffic in order to identify malicious activity or to generate artifacts indicating the lack of malicious activity
- The forensic objective is to log information about network traffic, or possibly all of the network traffic itself, so that the network can be analyzed by detective controls, or to support investigations and audits
Controls with Capabilities
- Switches & Routers: Switches and routers must be hardened, monitored and controlled physically and logically
- Software Defined Networking: Software-based network control in place to virtually steer the network
- Network Time Protocol: Synchronized record timestamps in all systems to enable correlation of events
- Step 1: High-level assessment that focuses on the key areas, using expert judgment to evaluate the risk associated with each key area (Risk = Impact * Likelihood * Last Assessment)
- Step 2: Detailed assessment of the capabilities of the security controls with regard to completeness
- Step 3: Detailed analysis of the technology necessary to meet the capabilities of the security controls
- Step 4: Detailed analysis of the impact of the Legal Entities on your organization
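The Step 1 prioritization as an added, runnable illustration (not part of the original presentation or HELLA's scoring model): it applies Risk = Impact * Likelihood * Last Assessment to the key areas listed above. The 1-5 scales for impact and likelihood, the treatment of "Last Assessment" as an ageing factor that grows with the months since the area was last assessed, and all sample values are assumptions made here.

```python
from dataclasses import dataclass

# Assumed scales for this illustration: impact and likelihood are 1 (low) to 5 (high),
# "Last Assessment" is an ageing factor: 1.0 if assessed within the last 12 months,
# +0.5 for every further full 12-month period, so stale areas move up the priority list.

@dataclass(frozen=True)
class KeyAreaAssessment:
    name: str
    impact: int                    # 1-5, expert judgment
    likelihood: int                # 1-5, expert judgment
    months_since_last_assessment: int

def last_assessment_factor(months: int) -> float:
    """Ageing factor for the 'Last Assessment' term (assumed model, see comment above)."""
    if months < 0:
        raise ValueError("months since last assessment cannot be negative")
    overdue_periods = max(0, (months - 1) // 12)   # 0..12 -> 0, 13..24 -> 1, 25..36 -> 2
    return 1.0 + 0.5 * overdue_periods

def risk_score(a: KeyAreaAssessment) -> float:
    """Risk = Impact * Likelihood * Last Assessment, as stated for Step 1."""
    for v in (a.impact, a.likelihood):
        if not 1 <= v <= 5:
            raise ValueError(f"{a.name}: impact and likelihood must be on the 1-5 scale")
    return a.impact * a.likelihood * last_assessment_factor(a.months_since_last_assessment)

def prioritize(assessments: list[KeyAreaAssessment]) -> list[tuple[str, float]]:
    """Rank key areas highest risk first; ties are broken by name for a stable road map."""
    scored = [(a.name, risk_score(a)) for a in assessments]
    return sorted(scored, key=lambda t: (-t[1], t[0]))

# Constructed sample scores for the key areas named on the page (not real assessment data).
SAMPLE = [
    KeyAreaAssessment("Privilege Access", 5, 4, 6),
    KeyAreaAssessment("Network Security", 4, 3, 14),
    KeyAreaAssessment("Application Security", 4, 4, 2),
    KeyAreaAssessment("Endpoint/Server/Device Security", 3, 4, 9),
    KeyAreaAssessment("Asset management and Supply Chain", 3, 3, 30),
    KeyAreaAssessment("Data Protection and Cryptography", 5, 2, 11),
    KeyAreaAssessment("Monitoring/Vulnerability management", 4, 5, 1),
    KeyAreaAssessment("Incident Response", 5, 3, 25),
    KeyAreaAssessment("Identity and Access management", 4, 4, 13),
]

if __name__ == "__main__":
    for rank, (name, score) in enumerate(prioritize(SAMPLE), start=1):
        print(f"{rank:2d}. {name:<40} risk={score:5.1f}")
```

With the sample data, Incident Response (assessed 25 months ago) ranks first even though its raw Impact * Likelihood is lower than Privilege Access, which is the effect the Last Assessment term is meant to have.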