Policies are in place many purposes; for cyber security they define your defense posture in the event of an incident.
Policy: A policy is a statement that should have clear delineation points that clearly specify its intent. For example, a Policy on Encryption would read “The Board of Directors will ensure that all electronic information that is communicated outside of the business, are encrypted.”
Tip: Many businesses make the mistake of trying to fit in as much as they can into their cyber policy statements. The problem with putting multiple subjects into a policy is that it reduces the effectiveness and makes the policy difficult to understand. It is important to keep policies current and to build the policies into companywide training on a consistent basis.
Procedures: Procedures are very specific as to how employees will work, what they will do, and when they will do it. It is important to see the difference between a policy and a procedure; a policy is more of a “here is our rule and why it is our rule” compared to a procedure, which is, “Here is how we will carry out a specific action within our business.” Many times companies will lump together the policy and procedure statements, overall reducing the effectiveness of the actual policy. Procedures change. Policies rarely change.
Standards in cybersecurity are based on industry guidelines. For example these guidelines may be established by the National Institute of Standards & Technology (NIST), the International Organization for Standardization (ISO), or using Control Objectives for Information and Related Technology (COBIT), a framework created by the ISACA (Information Systems Audit and Control Association) for IT governance and management to name only 3.
For example, if a business were to develop a policy noting that all electronic information sent outside of the network environment will be encrypted, they could use NIST guidelines on electronic encryption. A business could search for NIST guidelines and use these to document the guidelines for each department. Best practices could use a blend of the guidelines noted above as each have different approaches regarding best practices. These guidelines generally do not change on a regular basis, but they should be checked on a periodic basis for industry guideline updates.
What are the differences between a Business Resumption Plan, a Disaster Recovery Plan and an Incident Response Plan?
Many times these critical documents are jumbled together and become ineffective.
A non-technical incident may one where the employees don’t not show up for work. How is your business going to resume operations?
A technical incident may be a hardware failure that effects IT systems or perhaps the email server or internet is down. How will the IT department handle these situations?
These are examples of both technical and non-technical incidents.
A goal of a business resumption plan is to get your business up and running safely and to make sure that the most critical client needs and resources can be met until operations have been restored. A business resumption plan will almost always go hand in hand with the disaster recovery plan. This means that before you can establish a business resumption plan, you must first identify certain aspects of the disaster recover plan to ensure that is possible for the business to be operational before you can begin to recover.
Disaster recovery involves a set of policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. (Wikipedia)
The primary goal of this plan is not to get the business fully operational again, but it establishes procedures to be used during an event. The procedures should be structured to allow the business to get back to a point where the most important tasks can be completed to keep the company afloat. This plan is the step to be enacted after a “disaster” for any company, these the emergency steps a business will use after an event.
As we discussed in the previous section, policies and procedures are designed to protect the company. When discussing the various threats that impact a business it is easy to focus on the major threats, the most common one’s you might see that have the biggest impact. In reality, Cyber is a vast world with all kinds of different threats. A perfect example of this is the “Cyber Risk Iceberg” (see below). Think of the tip of an iceberg as the “threat”. While we know that the threat is present, we may not be able to see just how much of a threat it really is, like the rest of the iceberg under the water. In this section we will go into each “layer” of the iceberg and assess just what kind of a threat each poses for your company.
Surface Web: You can see that the surface web of risk can begin with applications that do have inherent risk. Some major websites that seem protected actually have had cybersecurity issues and are not bullet proof, putting you at risk. At this level, we are looking as risks that may include items such as:
So Why Hack?
How about the Deep Web and those risks that we cannot see but know they lurk just under our line of sight?
It is estimated that ninety percent of information on the internet is within the middle of the iceberg. Not accessible from the Tip of the Iceberg!
Some Different Types…
So Why Do it?
Insiders Tip: Trust but Verify! For the safety of your company meet with your Cybersecurity expert to cover your questions and concerns. A second set of eyes with no vested interest could save you from an incident. Protect your reputation, ask questions. More than likely, the cyber professional has worked with situations that are similar to yours and can provide you with assistance to help your company to stay secure.
The Dark Web:
Very rarely do companies delve into this layer of the internet or the risks associated with this part of the iceberg. However, understanding this layer is still critical for any company. This data is hidden. To access it you need browsers and communication services that offer complete anonymity. This is where data can be bought and sold to the open market.
So Why Do it?
As you can see each layer of the iceberg presents new and increasingly dangerous threats for any business. The example of the iceberg is to show that even the most common place things, like a simple website on the internet, can actually host a long list of risks to the security of any company/individual. This does not only apply to websites, but also even to services such as email. In the graphic below is a chart that assesses many of the ways in which emails can be hacked and used against an individual.
Anatomy of the Value of Data: “Your Email Account May be More Valuable Than you think! Take a Look”
**This following chart is provided from Krebs, a Security Researcher.
If we look as the various values of an email we can see the 6 value points for one email:
SPAM: Why SPAM? What is its purpose? SPAM has morphed in its value. Today, Facebook and Amazon to name a few examples use SPAM to target social media accounts that you use. It is targeted marketing. In the past, SPAM was infected with bad intentions. However, as SPAM has grown in value to clients like Facebook, Yahoo, Microsoft and Amazon – SPAM is no longer used as it once was. It still is used as an infection point but there may be more value in selling SPAM to high paying customers that are in the social media industry.
This is all of the information that can be taken even from just one email, let alone the thousands of hacks that occur on a daily basis. The more we dive into the threats that arise from the use of the internet the more it becomes apparent that protection and caution is vital in order to keep your business safe and operating.
Now that we have reviewed many of the threats that arise from the internet we will cover some of the ways in which you can protect yourself from these risks.
In today’s world, the easiest way to stay protected is to have an offensive approach to security. Do everything in your power to prevent an attack. With an offensive approach you stay ahead of the threats that are coming your way, increasing the odds that you won’t have to deal with the messy clean up that comes after an attack.
In today’s companies the IT Department is the defensive team. The CIO or IT Director is also on the defensive team.
Reducing risk from a defensive posture is focused on traditional controls. Defensive controls include the thought process that:
An offensive posture is polar opposite. Due to the ideas of traditional management and IT relationships, the offensive concept can be difficult to introduce into your culture.
A Chief Information Security Officer (CISO) is hired. The CISO doesn’t report to the CIO, rather they report to the Audit Committee or designated Committee. The primary reason is simple. The two IT roles are diametrically opposed to business goals and how technology is deployed and managed. If a CISO falls under the CIO, they are subordinate. Hence, CISO goals can be over ruled. This is very common and increases friction and maybe animosity within the “camps.” A progressive CISO that reports to the designated Committee will improve the offensive security posture by offering fulltime and devoted resources to technology projects, current security labeled devices such as firewall and intrusion prevention controls.
Monitoring software produces an overwhelming number of logs that come into a typical business that must be evaluated and reacted upon, 24×7. Time devoted to being offensive is spent in correlating attacks on your business, which can take months of investigation and correlation and making changes to the technical environment that may not be popular. They may make decisions that reduce availability to resources as dictated by the threats that have been identified. The primary mission statement for a CISO is simple: CIA which stand for the Confidentiality of data, Integrity of data and Availability of data. Associability of data is also an important goal.
When considering the introduction of an offensive security posture you will want to fully explain the shift. There will be friction. Change can be difficult. The shift can also threaten existing technical staff as they may feel they are giving up some authority. Encourage team-work and empower the CIO and CISO to work together but respect the main concerns that arise throughout the day, week or year.
We would love to hear from you.Simply fill out the form below and we will be in touch shortly.
7650 Dean Martin Drive, #101
Las Vegas, NV 89139
104 East State Street, Suite J
Redlands, CA 92373
Office (702) 659-9901
Office (909) 793-3456
© COPYRIGHT 2023 BenchMark Website Design FIND US