With the arrival of the National Institute of Standards & Technology (NIST) Cybersecurity Framework 2.0, NIST at last pays attention to the Risk Management Strategy that Executive Management should be handling as part of its Governance of Information Security, alongside the management of other Enterprise Risk Factors.
Throughout the years, we have all gotten used to NIST's idea that within our security processes one must:
- Identify IT assets, vulnerabilities, threats and finally the controls against unauthorized access;
- Protect IT assets against vulnerabilities and threats by providing training and awareness, generating a skilled workforce to implement tight security;
  - This includes selecting Service Providers that comply with your Information Security Policies and Procedures. Your skilled workforce needs to be paying attention to this.
- Detect anomalies and threats in all network, system and application traffic through monitoring tools and capabilities;
  - Think of implementing Security Information and Event Management (SIEM) systems that incorporate Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
  - Think of implementing Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR).
- Respond to cyber attacks through incident management to mitigate and help recover from the impact of a cyber attack;
  - Think of classifying incidents to implement the correct eradication approach.
  - Think about contacting all IT Security stakeholders within and outside the organization. If you have outsourced your Cybersecurity Incident Monitoring, you must definitely pull in their resources to help you manage the cyber incident.
  - Think of triaging and doing a root-cause study through Forensic Analysis. Do not forget to do a Business Impact Analysis to determine the scope of the damage caused by the attack on the service and product delivery levels.
  - Think of the containment, remediation and recovery aspects of the cyber attack and of the weaknesses discovered in your infrastructure.
  - Evaluate how the cyber incident management process went and improve based on lessons learned, safeguarding yourself through the implementation of more rigid controls.
- Recover: Enhance resilience by recovering all systems, applications and networks by following a specified recovery plan;
  - Think of planning and implementing Recovery Playbooks with root-cause analysis and containment strategies.
  - Think of Service Level Agreements with Service Providers.
  - Think of the authorities delegated within the internal and external Recovery team.
  - Think of Communication Plans with critical IT Security stakeholders.
  - Think of physical facilities recovery, and of the details regarding access to infrastructure, hardware and software to provide intermediary services during the recovery process.
  - Think of validating the integrity of the data recovered from backups before using it to restore your systems and re-establish trust in your infrastructure.
What you see in the table below are general activities and actions that every enterprise and government organization should be establishing within its organizational processes. However, within this article I will be pointing out a few steps in between that will sharpen any organization’s approach towards security.
Over the lifetime of an enterprise, the inventory of assets the organization invests in changes, and those changes drive changes in the risks the organization is exposed to at the levels of:
- Executives (Strategic)
- Business Process
- Operations
At Curinovis Digital Agency (CDA) we believe that every approach to security must be holistic, simply because in cybersecurity we deal with systems and programs that are connected to each other, speak to each other and depend on each other to perform tasks and functions they cannot always perform independently, but most definitely perform in relation to one another. One needs to dissect the network, system and application architectures to understand how best to assess the security issues threatening the organization's IT infrastructure.
By using a Threat Modeling approach, one can assert that:
- All the IT assets on the network are identified and profiled. Questions that should arise when profiling systems and applications are, for example:
  - Where will the system be deployed?
  - Who are the users, what are their roles and what rights will they have?
  - Which data elements should be classified (think of data types, data criticality/availability and data sensitivity security requirements)?
  - What technologies will be used to meet these security requirements?
- The known vulnerabilities of the IT assets are enumerated.
- The risks and existing threats to the IT assets are identified, along with how likely they are to materialize and the potential damage they could cause.
- The countermeasures that should be put in place on your IT assets to prevent and reduce damage are determined, with their implementation costs compared and evaluated.
- The best controls are implemented, evaluated and improved in an unending cycle.
The Threat Modeling approach is an iterative (continuous) process that takes the CI4AM security objectives in perspective, which are:
- Confidentiality
- Integrity
- Availability
- Authentication
- Authorization
- Auditing
- Management
The Threat Modeling approach follows a few simple iterative steps that can be applied at the software application level, the system level and also the network level:
- Identify Security Objectives
  - Prior to this the organization must define what its business objectives are.
  - Consequently one must define the security and compliance requirements, looking at specific Best Practice Security Standards & Guidelines, including Regulatory Compliance.
  - In line with the previous steps, a preliminary Business Impact Analysis (BIA) is absolutely necessary to determine the risk levels to which the IT assets are exposed.
- Create an overview of the Technical Scope regarding Application/System/Network
  - When it comes to software applications you need to identify the application boundaries, followed by the application's dependencies on the network environment. Consequently one must also have identified the application's dependencies on the servers and the rest of the infrastructure.
  - It is also pertinent to identify application dependencies on other software interfaces, services and specific.
- Decomposition of Application/System/Network
  - Generate diagrams of data flows and trust boundaries
  - Identify user roles and permissions
  - Identify assets, data, services, hardware and software that communicate with each other through interfaces and network-level layers
  - Identify data entry points and trust levels
- Threat Analysis and Identification
  - Analyze threat scenarios that are probable
  - Analyze incident management reports
  - Analyze application data traffic and security event logs
  - Correlate incidents and fraud with Threat Intelligence
- Identification of Vulnerabilities
  - Correlate vulnerabilities to application assets
  - Map threats to vulnerabilities through the use of threat trees
  - Map threats to security flaws through the utilization of Use Cases
  - Enumerate and score the identified vulnerabilities using an established vulnerability scoring methodology
- Do a Risk and Impact Analysis
  - Qualify and quantify business impacts
  - Identify gaps in security controls
  - Calculate risks and identify risk mitigation strategies
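The decomposition, threat identification and risk analysis steps above (and the profiling assertions earlier in the article) can be expressed as a small STRIDE threat model. This is an added example, not code from the article or from CDA; the element kinds, the per-element STRIDE heuristic, the 1-5 likelihood and impact scales and the sample web shop are all constructed for illustration.

```python
"""Minimal STRIDE threat model: decomposed elements -> applicable threats ->
risk = likelihood x impact -> unmitigated control gaps mapped to CI4AM."""
from dataclasses import dataclass, field

# STRIDE category -> the CI4AM objective it violates. "Management" has no
# STRIDE counterpart (it is a governance objective), so it is absent here.
STRIDE = {"Spoofing": "Authentication", "Tampering": "Integrity",
          "Repudiation": "Auditing", "Information Disclosure": "Confidentiality",
          "Denial of Service": "Availability", "Elevation of Privilege": "Authorization"}
# Per-element heuristic (assumed): which STRIDE categories apply to each element kind.
APPLICABLE = {"external": ["Spoofing", "Repudiation"], "process": list(STRIDE),
              "store": ["Tampering", "Repudiation", "Information Disclosure", "Denial of Service"],
              "flow": ["Tampering", "Information Disclosure", "Denial of Service"]}

@dataclass
class Element:                 # one node of the decomposed system (data-flow diagram)
    name: str
    kind: str                  # external | process | store | flow
    exposed: bool              # reachable from the untrusted zone / crosses a trust boundary
    criticality: int           # 1..5, from data classification (constructed scale)
    controls: set = field(default_factory=set)   # STRIDE categories already mitigated

@dataclass
class Threat:
    element: str
    category: str
    objective: str
    likelihood: int            # 1..5, higher when the element is exposed
    impact: int                # 1..5, taken from the element's criticality
    mitigated: bool

    @property
    def risk(self) -> int:     # simple risk score = likelihood x impact
        return self.likelihood * self.impact

def enumerate_threats(elements):
    """Attach every applicable STRIDE threat to every decomposed element."""
    return [Threat(el.name, cat, STRIDE[cat], 4 if el.exposed else 2,
                   el.criticality, cat in el.controls)
            for el in elements for cat in APPLICABLE[el.kind]]

def control_gaps(threats, threshold=10):
    """Unmitigated threats at or above the risk threshold, highest risk first."""
    return sorted((t for t in threats if not t.mitigated and t.risk >= threshold),
                  key=lambda t: t.risk, reverse=True)

def objectives_at_risk(gaps):
    """CI4AM objectives left unprotected by the current control set."""
    return {g.objective for g in gaps}

# Constructed sample decomposition of a web shop (not a real system).
SAMPLE = [Element("Browser user", "external", True, 2),
          Element("Web API", "process", True, 4, {"Spoofing", "Denial of Service"}),
          Element("Customer DB", "store", False, 5, {"Information Disclosure"}),
          Element("API->DB query", "flow", False, 5)]
```

Running `control_gaps(enumerate_threats(SAMPLE))` ranks the exposed Web API's unmitigated Tampering, Repudiation, Information Disclosure and Elevation of Privilege threats first, which is the "identify gaps in security controls" output of the last step.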
Curinovis Digital Agency (CDA) recommends that all medium to large enterprises, whatever industry they belong to, follow the STRIDE Threat Modeling Process and the PASTA (Process for Attack Simulation and Threat Analysis) process. Applied correctly, these methodical processes ensure that the following controls are implemented gradually and securely:
- Data Protection Controls
- IT Assets Secure Configuration Baseline Controls
- Vulnerability Management Controls
- Application Security Controls
- Network Infrastructure Monitoring and Defense Management Controls
Safeguarding your IT infrastructure has never been more important than now, and it must be tackled jointly with the other aspects of Enterprise Risk Management. Stay tuned for the articles that follow, in which we will highlight every step of these processes and explain why these controls and safeguards are necessary for your business.
About the author
Jordan Emanuelson is a knowledgeable Certified Information Systems Auditor (CISA) who has gained comprehensive experience working at KPMG, Ernst & Young (EY) and a Central Bank acting as a Regulatory Supervisor. Jordan's focus and expertise lie in Cybersecurity, Business Continuity, Software Testing and other Change Management safeguards. Jordan contributes to Curinovis Digital Agency's (CDA's) knowledge base with the newest and most refined insights about security and business continuity frameworks as times change, technologies innovate, and threats and vulnerabilities evolve. You can get in touch with Jordan for workshops, trainings and lectures by emailing us at info@curinovisdigital.com.