Cybersecurity: A Holistic And Systemic Approach – Part 1

With the release of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, which adds a dedicated Govern function to the framework, NIST finally pays focused attention to the Risk Management Strategy that Executive Management should own as part of its governance of information security, alongside the management of the enterprise's other risk factors.

Over the years we have all become used to NIST's idea that our security processes must:

  • Identify IT assets, their vulnerabilities, the threats they face and, finally, the controls against unauthorized access. These assets are identified during a Risk Assessment that you must coordinate.
  • Protect IT assets against vulnerabilities and threats by:
    • Providing training and awareness, building a skilled workforce that can implement tight security.
    • Selecting service providers (and vendors) that comply with your Information Security Policies and Procedures. This is becoming increasingly important given your organization's growing dependency on third-party providers.
  • Detect anomalies and threats by monitoring all network, system and application traffic with monitoring tools and capabilities;
    • Think of implementing AI-enabled Security Information and Event Management (SIEM) systems that incorporate the alerts of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
    • Think of implementing Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) technologies. If you cannot operate these yourself, contract a managed security services organization that can run your cyber incident management process for you.
  • Respond to cyber attacks through incident management, to mitigate and help recover from the disruptions they cause;
    • Think of classifying incidents so that the correct corrective controls are applied.
    • Think about contacting all IT security stakeholders inside and outside the organization. If you have outsourced your cybersecurity incident monitoring, you must pull in the provider's resources to help you manage the incident.
    • Think of triaging and doing a root-cause study through forensic analysis. Do not forget to perform a Business Impact Analysis to determine the scope of the damage the attack has caused to service and product delivery levels.
    • Think of containment, remediation and recovery based on the weaknesses the attackers actually exploited.
    • Evaluate how the cyber incident management process went and improve it based on lessons learned, safeguarding yourself through the implementation of stricter controls.
  • Recover: Enhance resilience by recovering all systems, applications and networks according to a specified recovery plan;
    • Think of planning and implementing recovery playbooks that include root-cause analysis and containment strategies.
    • Think of improving the legal liability clauses and specifying Service Level Agreements with service providers.
    • Think of the authorities delegated within the internal and external dependencies of the recovery team.
    • Think of communication plans with critical IT security stakeholders.
    • Think of physical facilities recovery, including the physical and logical access to infrastructure, hardware and software needed to provide interim services during the recovery process.
    • Think of validating the integrity of the data recovered from backups before using it to restore your systems, so that you re-establish trust in your infrastructure: a backup taken after the initial compromise, or one the attacker could modify, restores the problem along with the data.

All of these are based on the extensive framework that NIST CSF 2.0 summarizes in the table below.

Over the life of an enterprise, the inventory of assets the organization invests in changes, and with it the risks the organization is exposed to from an operational, tactical and strategic perspective.

At Curinovis Digital Agency (CDA) we believe that every approach to security must be holistic, simply because in cybersecurity we deal with systems and programs that are connected to each other. These systems depend on each other to perform tasks and functions that they cannot always perform independently, and they do so through their interconnected interfaces (APIs). One needs to dissect the network, system and application architectures to understand how best to assess the security issues threatening the organization's IT infrastructure.

By using a threat modeling approach, one can ensure that:

  1. All IT assets on the network are identified and profiled. Questions that should arise when profiling systems and applications include:
    • Where the system will be deployed.
    • Who the users are, what their roles are and what their rights will be.
    • Which data elements should be classified (think of data types, data criticality/availability and data sensitivity security requirements).
    • What technologies will be used to meet these security requirements.
  2. The known vulnerabilities of the IT assets are enumerated.
  3. The risks (existing threats) to the IT assets are identified, along with how likely each is to materialize and the damage it could cause.
  4. Countermeasures that prevent or reduce damage are selected for the IT assets, with the cost of implementing each compared against the risk it reduces.
  5. The best controls are implemented, evaluated and improved in a repeating cycle.

The threat modeling approach is an iterative (continuous) process that keeps the CI4AM security objectives in perspective, which are:

  • Confidentiality
  • Integrity
  • Availability
  • Authentication
  • Authorization
  • Auditing
  • Management

The threat modeling approach follows a few simple iterative steps that can be applied at the software application level, the system level and also at the network level:

  1. Identify Security Objectives
    • Before this, the organization must define what its business objectives are.
    • Consequently, one must define the security and compliance requirements by looking at specific best-practice security standards and guidelines and at the regulatory compliance requirements that apply.
    • In line with the previous steps, it is absolutely necessary to do a preliminary Business Impact Analysis (BIA) and to determine the risk levels to which the IT assets are exposed. By now it should be clear that a BIA and a Risk Assessment (RA) go hand in hand.
  2. Create an overview of the Technical Scope of the Application/System/Network
    • For software applications you need to identify the application (trust) boundaries, followed by the application's dependencies on the network environment. Consequently one must also identify the application's dependencies on the servers and the rest of the infrastructure, and on other software interfaces.
  3. Decomposition of Application/System/Network
    • Generate diagrams of data flows and trust boundaries
    • Identify user roles and permissions
    • Identify the assets, data, services, hardware and software that communicate with each other through interfaces and network layers
    • Identify data entry points and trust levels
  4. Threat Analysis and Identification
    • Analyze the threat scenarios that are probable
    • Analyze incident management reports
    • Analyze application data traffic and security events logs
    • Correlate incidents and fraud with Threat Intelligence
  5. Identification of Vulnerabilities
    • Correlate vulnerabilities to application assets
    • Map threats to vulnerabilities using threat trees
    • Map threats to security flaws using use cases
    • Enumerate and score the identified vulnerabilities using an established vulnerability scoring methodology (for example CVSS)

Curinovis Digital Agency (CDA) recommends that all medium to large enterprises, regardless of the industry they belong to, follow the STRIDE threat modeling process and the PASTA (Process for Attack Simulation and Threat Analysis) methodology.
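To make steps 3 to 5 above concrete, here is an added example (it is not tooling from Curinovis Digital Agency or from NIST) that applies STRIDE-per-element to a decomposed system: every element of the data-flow diagram lives in a trust boundary, each element kind gets the STRIDE categories that apply to it, each threat is tied back to the CI4AM objective it attacks, and the list is ranked so the countermeasure step has something to prioritize. The web-shop model, the 1 to 5 data sensitivity scale and the likelihood heuristic (exposed across a trust boundary or not) are assumptions constructed for illustration; substitute your organization's own risk-rating method.

```python
"""STRIDE-per-element over a data-flow diagram (threat model as code).

Added example, not tooling from CDA or NIST. The web-shop model, the 1..5 data
sensitivity scale and the likelihood heuristic are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# STRIDE-per-element applicability (Microsoft SDL): which threat categories
# are considered for each kind of DFD element.
STRIDE_BY_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                     "data_store": "TRID", "data_flow": "TID"}
# STRIDE category -> (CI4AM objective it attacks, generic countermeasure class)
STRIDE = {
    "S": ("Authentication", "strong authentication (MFA, mutual TLS)"),
    "T": ("Integrity", "signing and input validation"),
    "R": ("Auditing", "tamper-evident audit logging"),
    "I": ("Confidentiality", "encryption in transit/at rest, least privilege"),
    "D": ("Availability", "rate limiting, quotas, redundancy"),
    "E": ("Authorization", "server-side authorization checks on every request"),
}
# Assumed heuristic: an element or flow that crosses a trust boundary is
# "exposed" (likelihood 3); purely internal ones get likelihood 1.
EXPOSED, INTERNAL = 3, 1

@dataclass(frozen=True)
class Element:
    name: str
    kind: str      # "external_entity", "process" or "data_store"
    boundary: str  # trust boundary the element lives in

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    sensitivity: int  # assumed data classification, 1 (public) .. 5 (secret)

    @property
    def name(self):
        return f"{self.src.name} -> {self.dst.name} ({self.data})"

    def crosses_boundary(self):
        return self.src.boundary != self.dst.boundary

@dataclass(frozen=True)
class Threat:
    target: str
    category: str   # one STRIDE letter
    likelihood: int
    impact: int

    @property
    def objective(self):
        return STRIDE[self.category][0]

    @property
    def score(self):
        return self.likelihood * self.impact

def enumerate_threats(elements, flows):
    """Steps 4 and 5: one Threat per applicable STRIDE category per element/flow."""
    threats = []
    for e in elements:
        touching = [f for f in flows if e in (f.src, f.dst)]
        exposed = any(f.crosses_boundary() for f in touching)
        impact = max((f.sensitivity for f in touching), default=1)
        for cat in STRIDE_BY_ELEMENT[e.kind]:
            threats.append(Threat(e.name, cat, EXPOSED if exposed else INTERNAL, impact))
    for f in flows:
        likelihood = EXPOSED if f.crosses_boundary() else INTERNAL
        for cat in STRIDE_BY_ELEMENT["data_flow"]:
            threats.append(Threat(f.name, cat, likelihood, f.sensitivity))
    return threats

def rank_threats(threats):
    """Highest risk first; ties broken by name so the output is deterministic."""
    return sorted(threats, key=lambda t: (-t.score, t.target, t.category))

def count_by_objective(threats):
    """How many enumerated threats attack each CI4AM objective."""
    return dict(Counter(t.objective for t in threats))

# Constructed sample model (step 3: decomposition with trust boundaries).
USER = Element("Browser user", "external_entity", "Internet")
WEB = Element("Web app", "process", "DMZ")
DB = Element("Customer DB", "data_store", "Internal")
PAYMENTS = Element("Payment gateway", "external_entity", "Internet")
BATCH = Element("Report batch job", "process", "Internal")
ELEMENTS = [USER, WEB, DB, PAYMENTS, BATCH]
FLOWS = [
    Flow(USER, WEB, "login credentials", 4),
    Flow(WEB, DB, "customer records", 5),
    Flow(WEB, PAYMENTS, "card token", 4),
    Flow(DB, BATCH, "customer records", 5),  # never leaves "Internal"
]

def sample_threats():
    return rank_threats(enumerate_threats(ELEMENTS, FLOWS))

if __name__ == "__main__":
    for t in sample_threats():
        print(f"{t.score:>3}  {t.target:<42} {t.objective:<16} {STRIDE[t.category][1]}")
    print(count_by_objective(sample_threats()))
```

Running it lists 32 candidate threats for the five elements and four flows, with the internet-facing web application, the customer database and the flow carrying customer records at the top and the purely internal reporting job at the bottom. The point of the exercise is that the enumeration is mechanical and repeatable: when the inventory changes (a new flow, a moved trust boundary), rerun it and the ranked list, and therefore the countermeasure discussion, updates with it.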

Safeguarding your IT infrastructure has never been more important than it is now, and it must be tackled jointly with the other aspects of Enterprise Risk Management. Stay tuned for the articles that follow, in which we will walk through every step of these processes and explain why these controls and safeguards are necessary for your business.

About the author

Jordan Emanuelson is a knowledgeable Certified Information Systems Auditor (CISA) who has gained comprehensive experience working at KPMG, Ernst & Young (EY) and a Central Bank acting as a Regulatory Supervisor. Jordan's focus and expertise lie in Cybersecurity, Business Continuity, Software Testing and other Change Management safeguards. Jordan contributes to Curinovis Digital Agency's (CDA's) knowledge base with the newest and most refined insights about security and business continuity frameworks as times change, technologies innovate and threats and vulnerabilities evolve. You can get in touch with Jordan for workshops, trainings and lectures by emailing us at info@curinovisdigital.com.