Cyber security and regulatory compliance are frequent bedfellows. Where compliance standards aren’t specifically driving security adoption, they are affecting wider areas, such as GDPR and privacy, which in turn significantly impact security.
In 2020 we are seeing wider regulatory compliance and audit requirements shaping approaches to risk management more generally. We often find standards are adopted freely, not because they are mandated, but because, in the face of outside scrutiny, a formal third-party framework provides an accessible yardstick against which to align security policies and controls.
In the US, the Public Company Accounting Oversight Board (PCAOB) is responsible for setting audit standards. These audit standards apply to all listed organisations and are much broader than cyber security. However, there are requirements that cyber security audits and governance need to comply with, just as financial audits must.
One requirement is that organisations must obtain timely information around the performance of their security controls. If it takes 6 weeks to compile the data and report on the activity, performance or metrics of security controls, it makes it very hard to say you are obtaining timely information.
In cyber security, operating system patches come out routinely and falling victim to an attack can take seconds or minutes. Knowing that 4 weeks ago it took 5 days to deploy a critical patch doesn’t really provide senior executives much of an opportunity to manage risk.
Another area coming under scrutiny is the degree of manual intervention or interference between the identification of audit evidence and the reporting on it. Something that provides its own telemetry is always going to be more objective and reliable than anything that needs a chain of humans to identify, gather, interpret, summarise, analyse and report on it.
The Cybersecurity Maturity Model Certification (CMMC) is a US Department of Defense (DoD) initiative. Contractors who handle Controlled Unclassified Information are already required to self-certify compliance with the NIST SP 800-171 standard of cybersecurity best practices. However, with self-certification now being acknowledged as unreliable, CMMC will require contractors to undergo a third-party audit and certification starting in 2020.
This process echoes similar initiatives around the UK’s Defence Cyber Protection Partnership (DCPP), which is based on Cyber Essentials Plus and a separate questionnaire, and the Australian Government’s Essential Eight which underpins the Australian Defence Industry Security Program (DISP) supply chain approach.
With these three standards already closely aligned, it is likely that the most uniform approach, with the biggest defence market behind it, will predominate over time: the CMMC approach.
The Australian Cyber Security Centre (ACSC) “Essential Eight” remains a lynchpin of the Australian government’s approach to cyber security hygiene in the governmental and defence sectors.
A key requirement of the Australian Signals Directorate’s Information Security Manual, the Essential Eight will continue to be adopted and audited to oversee government bodies and their supply chains as 2020 progresses, including, as referenced above, within the DISP programme.
The UK Cyber Essentials scheme provides two levels of assurance, a self-assessment questionnaire-based certification (Cyber Essentials) and a consultant-supported onsite review (Cyber Essentials Plus). This forms a major cyber hygiene baseline for the UK public sector supply chain and has been in use for a while.
Although no changes to the scheme are imminent in 2020, one thing that is emerging is a business need to monitor the effectiveness of security controls on a continuous basis, rather than just “checking” them once a year as part of the annual re-certification audit.
At the end of the day, if these security controls are “essential”, then as with the Australian Essential Eight, they should be monitored all the time, not just used as the basis of an annual questionnaire or audit.
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It can be used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cyber security product and service community.
Although it is not a standard, or in any way enforced, at a technical level it provides a useful repository of techniques. The trick is in finding combinations of security controls that can address as many risks as possible, as cost-effectively as possible – such as application whitelisting to control the execution of unauthorised code, which provides coverage against any attack technique that requires the attacker to install (or dupe a user into installing) an executable.
The EU’s GDPR regulation on privacy and data protection has been covered in depth and breadth both before and since its adoption. We have blogged about it on several occasions. The emergence of the first fines levied on BA and Marriott has brought the need for good cyber security risk management and hygiene into sharp focus for boards.
The drivers for cyber security in enterprises and supply chains are underpinned by very real financial impacts. Even in the wider public sector, where recent breaches have not yet had time to fully sink in – like the UK New Year’s Honours list breach – the financial ramifications are very real.
There seem to be two types of compliance requirements emerging in cyber security.
One is the drive to make comprehensive and all-encompassing standards that span the management, people, process and technological issues at length and aim to leave no security stone unturned. The MITRE ATT&CK framework follows this approach for technical attacks; while management systems standards like ISO and COBIT aim to address the broader non-technical requirements.
The second compliance requirement recognises that a smaller set of basic “cyber hygiene” security controls is both easier for businesses of all sizes to work with and covers a large proportion of the methods of attack used to compromise networks. This is the ethos behind the UK’s Cyber Essentials and Australia’s Essential Eight.
Somewhere in the middle is the US defence department supply chain approach to cyber maturity. This is not a long standard, but it’s not a short one either. What it does epitomise however is the need for cyber security controls to be measured and monitored rather than being self-assessed or self-asserted.
As with the added vulnerability scanning and firewall reviews of Cyber Essentials Plus, CMMC will require an audit of the supply-chain business to which it relates. This prevailing view that cyber security cannot be left to chance and must be “measured” in an objective, repeatable and trustworthy way has now taken root.
The reliability of audit processes, systems and evidence – around cyber or otherwise – has been in the focus of bodies like the PCAOB for good reason!