In my last blog post, I discussed the five levels of preparedness for cybercrime and remarked on the sad fact that the majority of enterprises sit at the reactive or compliant levels. I also discussed that reacting to cybercrime is driven by an attempt to deliver security, which in turn rests on an over-reliance on prevention capabilities. Being compliant, meanwhile, results in an over-reliance on regulatory or legal requirements that cover only a subset of the enterprise's most critical information: the subset deemed to be in scope for compliance. Each of these falls far short of resilience, so why have so many enterprises failed to move beyond the reactive and compliant preparedness levels to the proactive or resilient ones? That is the topic of this blog post.

The truth is that most enterprises have not considered the entire spectrum of what allows cybercrime to progress from a possible target to a real exploit. To understand what I mean by this, allow me to elaborate. For cybercriminals to achieve their objectives, it all begins with an asset that the enterprise relies upon. That asset must exhibit a vulnerability that has not been remediated and is exposed to a threat that cannot be prevented. The threat then becomes an attack that cannot be detected and responded to, and in time manifests as a breach that cannot be recovered from quickly enough. Finally, the breach results in a number of undesirable impacts. The cybercrime spectrum thus includes six key elements that you need to pay close attention to:
- Assets
- Vulnerabilities
- Threats
- Attacks
- Breaches
- Impacts
For your enterprise to become cyber resilient, it needs to understand what these elements consist of, so I’ll delve into these in more detail now.
- Assets clearly begin with information, but information does not live in a vacuum. It is stored, processed, or transported by other assets that fit neatly into three categories: digital, physical and social. Yes, that means you need to know not only about the data and technology but also about the people in your enterprise, and even those who interface with your enterprise as a customer or as a partner in your supply chain.
- Vulnerabilities apply to each of the three asset categories and can be divided into vulnerabilities in design, implementation, operations, or ongoing maintenance and management. Vulnerabilities discovered in the design phase are the most cost-effective to deal with, but implementation and operational vulnerabilities are the most common.
- Threats target each of the four vulnerability categories and include political, economic, social, technological, environmental and legal. It is important to think beyond just the technological threats, which is where most enterprises focus. Environmental threats may occur less often but lead to more devastating impacts. Social threats are low in cost and highly successful, hence a great deal of attention should be given to this category.
- Attacks are created by threat actors who fit into one of the six threat categories and include the following: access, copying, theft, modification, disruption and destruction. Whilst copying and theft may seem similar, copying applies to digital assets, where a copy is stolen and the original still exists, so the loss may go unnoticed. Theft applies to physical assets, which, once stolen, are highly visibly missing.
- Breaches are the end result of one or more of the six attack categories, and are best known as the CIA triad, or confidentiality, integrity and availability. Availability breaches are the most visible but confidentiality and integrity breaches are typically more sinister.
- Impacts are the effect that is created when one or more of the three breach categories has unfolded. Impacts can be best summarized with six categories: operational, physical, personal, legal, reputational, and financial.
Chances are your enterprise is at a reactive or compliant level of preparedness because it has not explored each of these categories and understood all of the elements that allow cybercrime to persist. This leads to incomplete information, poor decision-making, and the higher cost of reacting to security or compliance breaches, rather than the more cost-effective approach of planning ahead for a nimble recovery from breaches that test the enterprise's resilience.
About the Author: With more than two decades of cyber security experience, Andrew Bycroft has provided design, implementation, advice and thought leadership to some of the largest organizations throughout the Asia-Pacific region. Andrew has a strong grasp of what makes every organization different, yet can appreciate the common challenges organizations face regarding cyber security. Having had the luxury of being able to communicate with a range of audiences, from those who think and speak in ones and zeroes to those who prefer to think and speak in dollars and probabilities, Andrew, in his role as CEO of The Security Artist, is in the unique position of being the leading authority on helping IT, executives, and directors complete the journey to cyber resilience. Andrew is a member of the Australian Institute of Company Directors, a member of the Risk Management Institute of Australasia, a member of the Australian Information Security Association and a member of the Information Security Audit and Controls Association. Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.