Cyber risk controls

When If started looking into offering cyber security insurance, we carefully considered how our clients currently use IT in their businesses and how it has evolved over time, the risks threatening IT, and the controls available to mitigate the risks.

The use of IT systems has increased to automate processes

In the last 10 to 15 years, organisations have been using IT systems at an ever-increasing rate to automate business processes, make staff more effective and efficient, and provide new services to customers. Examples are enterprise resource planning systems, industrial control systems, logistic systems, e-commerce websites, autonomous vehicles, and smartphones.

IT systems have also become increasingly interconnected, not only within a given organisation, but also with systems in external networks that can be controlled by third parties.

Organisations have also shifted from buying equipment and having it serviced by its own employees or contractors to increasingly buying that capability from specialised suppliers. This includes using outsourcing or cloud service providers delivering their services from remote locations, or leasing maintenance and equipment placed at their own premises in order to maintain operational control.

What are also included here are mission-critical operational capabilities like logistics systems, and the monitoring and servicing of engines. Business drivers such as growth, profitability and competition drive this change to an ‘extended enterprise as it makes organisations better, faster, and cheaper.

However, this change also opens up organisations to new risks as they become increasingly  dependent on interconnected IT systems and infrastructure exposing the organisation to new threats and vulnerabilities.

For instance, industrial control systems (e.g., SCADA, PLC), originally designed to operate in networks physically separated from all other systems, can, in the present day, be connected to various support systems for resource planning or logistics. These interconnected systems may be located in-house or in the cloud, have connections with remote systems managed by other providers, and be accessible from remote networks for remote monitoring and maintenance.

The tools and techniques used in cyber attacks, as well as the threat actors behind them, have also evolved. Nowadays, security breaches in high profile organisations are frequently headline news.

One of the most frequently used tools in cyber attacks is malware.

Tools

One of the most frequently used tools in cyber attacks is malware (computer viruses, worms, Trojans, backdoors) which have been around since the 1980s. The destructive capabilities of malware have evolved to corrupting organisations by implanting remotely accessible backdoors into their IT systems, encrypting their files, or stealing their information.

Therefore, today, it is a basic requirement to have up-to-date anti-malware programs for systems commonly affected by malware. The analysis process of early anti-malware used to only require a fairly simple check of any executable file's unique ID against a threat database of known bad files. This may still be quite effective, however, in the present day, malware is designed to be unique and is often tested to avoid detection by even the best anti-malware software.

This means that in order to be effective, modern anti-malware software needs to have more advanced detection capabilities like behavioural analysis of what software running in a system is actually doing.

Techniques

The techniques used in cyber attacks have also evolved from malware planted in pirated software to employ increasingly sophisticated cyber attacking software and social engineering tactics. For instance, phishing e-mails with malicious
attachments or links, have evolved into watering hole attacks, where the attacker guesses or observes which websites the users of an organisation visit.

It infects one or more of these websites with malware and simply waits until a user inside the targeted organisation is infected. Computers of compromised users can become remotely controlled in so-called ‘bot networks’, and used as a stepping
stone to further penetrate the compromised organisation, for instance to steal information or plant remotely accessible backdoors in sensitive systems, or launch denial of service attacks towards internal or external targets.

As these new techniques often target employees, partners or vendors with a low awareness of security, they have developed into serious hazards even for security-conscious organisations.

Threat actors

Nowadays, the level of cyber skills and funds available for criminal and state sponsored organisations are high and rapidly increasing. This is driven by a good Return on Investment, while having a low risk for detection and attribution to who’s behind the attack.

For example, Ransomware is currently a criminal industry with a global turnover of more than one billion USD where separate and highly specialised criminal groups often collaborate to reach their objectives. State sponsored actors can have almost unlimited skills, funds and patience. They may target anything that can provide an advantage to their sponsors, for example, by stealing secret information or infiltrating critical national infrastructure.

As seen in the last year’s cyber threat intelligence reports, they have the capability to penetrate systems deep within strategic high value targets and critical infrastructure, and stay undetected for several years.

Cyber risk management

Every organisation should understand that, in addition to basic security controls, like anti-virus and firewalls, their cyber risks may require a whole range of additional cyber security controls to protect applications, systems, devices, and their organisation. Even if systems are separated and placed behind firewalls, and regardless of whether they are private, outsourced, or happily out in the cloud, all systems may be vulnerable to cyber attacks.

In a cyber risk management system, all possible risks to the organisation, partners, and suppliers need to be considered. Examples are financial loss, process disruptions, failure of information technology systems and reputation loss. In the risk assessment, the organisation must consider the perspective of possible attackers and assess which of their assets may have a value to those attackers.

Cyber security is a board responsibility

Cyber security is a board responsibility and managing it has become a profession in itself with strategic, tactical, and operational requirements to consider. The IT department is not the most likely candidate to handle cyber risk management as it could cause a conflict of interest (e.g., availability vs integrity).

Appointing a Chief Information Security Officer (CISO) responsible for overseeing the whole organisation's information and IT security posture is a good first step, but may only be the beginning of the journey. For boards and executives, it is important to include cyber risks in the enterprise risk management framework and regularly assess the impact and likelihood of cyber risks, as well as provide sufficient resources and support to implement cyber security controls protecting the organisation from loss.

The operational parts of the organisation must understand its responsibility to properly design, maintain and monitor cyber security controls, regardless of whether the control is located within their own or a provider's direct control.

As cyber attacks regularly prove their disruptive character, authorities are also stepping in and setting out requirements for the protection of Critical Infrastructures (CI), National Defence Capabilities (NDC), Personal Identifiable Information (PII), and other key assets.

Recent regulatory requirements have expressed that the security controls must be 'state of the art' in order to be compliant, which means that organisations must regularly review and assess whether the controls are adequate and be prepared to have their security controls challenged by authorities.

Cyber control frameworks and baselines

To help organisations implement risk driven security controls, security standards have been developed to control cyber risks. One of the most well-known is the ISO/IEC 27001¹ standard, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organisation's defined scope.

The latest version of this standard now applies the 'High-Level Structure' used in other ISO standards, for example, in ISO 9001(Quality Management) and ISO 22313 (Business Continuity Management). Alternatives exist such as the NIST (United States) and COBIT (ISACA) frameworks, and there are also frameworks developed for healthcare and financial institutions.

Having a framework helps organisations to identify their risks and then design, manage and review controls to mitigate the risks, but it does not tell the organisation what they are and how to deal with them. If one takes a phased approach when implementing a standard
focusing on key business processes as the first step, it is usually not a lengthy process to assess risk and establish the level of security controls already in place.

Organisations that are in a hurry, or for some reason cannot implement a cyber security standard or framework, should consider adapting a baseline describing a set of concise, prioritised cyber practices to stop the current most pervasive and dangerous cyber attacks.

Baselines defined over time especially for critical infrastructures are often available from national Computer Emergency Response Teams (CERT). As the risks to applications, systems, devices, and operators are more or less common risks, any organisation can profit from them. You can find your national CERT on the internet for example at; cert.dk, cert.fi, cert. no, and cert.se. Baselines and frameworks are also available from (state) sponsored non-profit organisations.

One of the most well-known control baselines is provided by the Center for Internet Security (cisecurity.org). They promote their CIS Critical Security Controls. And for operators of critical infrastructure, the NIST Cybersecurity Framework provides private sector organisations with a structure for assessing and improving their ability to prevent, detect and respond to cyber incidents.

The value of cyber controls

Did you know, that by applying just the first five (!) of the CIS Controls as 'hygiene', organisations can reduce the risk of a cyber attack by around 85 per cent!

Those top 5 controls are:

  • CSC 1: Inventory of Authorized and Unauthorized Devices
  • CSC 2: Inventory of Authorized and Unauthorized Software
  • CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • CSC 4: Continuous Vulnerability Assessment and Remediation
  • CSC 5: Controlled Use of Administrative Privileges

Regardless of the chosen approach to implement cyber security controls, they must be regularly assessed or tested in order to provide assurance that they work and that current risks are properly mitigated. It’s vital to conduct regular audits and tests, preferably by using skilled security penetration testers that simulate a cyber attack. Security penetration testers are trained to use the same kind of mindset, methodology and tools as cybercriminals, but in a controlled and non-destructive manner.

¹ ISO/IEC 27001:2013, an information security management system (ISMS) standard initially published in 2005, revised in 2013, by the International Organisation for Standardization (ISO) and the International Electrotechnical Commission (IEC)

Article by

Erik van der Heijden

Senior Risk Engineer, If

Peter Granlund photo.

Peter Granlund

Cyber risk specialist, If

Article published in Risk Consulting Magazine 2/2017