Cyber Resilience: Defence-in-depth principles
By Alan Calder and Alan Medcroft
About this ebook
For the foreseeable future (and perhaps beyond), the growth and prominence of data in business shows no signs of slowing down, even if the technology in question will likely change in ways perhaps unimaginable today. Naturally, all this innovation brings huge opportunities and benefits to organisations and people alike. However, these come at more than just a financial cost.
In the world as we know it, you can be attacked both physically and virtually. For today’s organisations, which rely so heavily on technology – particularly the Internet – to do business, the latter attack is the far more threatening of the two. The cyber threat landscape is complex and constantly changing. For every vulnerability fixed, another pops up, ripe for exploitation. Worse, when a vulnerability is identified, a tool that can exploit it is often developed and used within hours – faster than the time it normally takes for the vendor to release a patch, and certainly quicker than the time many organisations take to install that patch.
This book has been divided into two parts:
- Part 1: Security principles.
- Part 2: Reference controls.
Part 1 is designed to give you a concise but solid grounding in the principles of good security, covering key terms, risk management, different aspects of security, defence in depth, implementation tips, and more. This part is best read from beginning to end.
Part 2 is intended as a useful reference, discussing a wide range of good-practice controls (in alphabetical order) you may want to consider implementing. Each control is discussed at a high level, focusing on the broader principles, concepts and points to consider, rather than specific solutions. Each control has also been written as a stand-alone chapter, so you can just read the controls that interest you, in an order that suits you.
Alan Calder
Alan Calder is a leading author on IT governance and information security issues. He is the CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). He is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
Book preview
Cyber Resilience - Alan Calder
INTRODUCTION
This book has been divided into two parts:
• Part 1: Security principles
• Part 2: Reference controls
Part 1 is designed to give you a concise but solid grounding in the principles of good security, covering key terms, risk management, different aspects of security, defence in depth, implementation tips, and more. This part is best read from beginning to end.
Part 2 is intended as a useful reference, discussing a wide range of good-practice controls (in alphabetical order) you may want to consider implementing. Each control is discussed at a high level, focusing on the broader principles, concepts and points to consider, rather than specific solutions. Each control has also been written as a standalone chapter, so you can just read the controls that interest you, in an order that suits you.
Together, the two parts will give you a good understanding of the fundamentals of cyber security and resilience, without tying them to specific standards, frameworks or solutions, and provide an excellent starting point for any cyber resilience implementation project.
Part 1: Security principles
CHAPTER 1: THE CYBER THREAT LANDSCAPE
We live in a world where technology and vast quantities of data play a considerable role in everyday life, personal and professional. For the foreseeable future (and perhaps beyond), their growth and prominence show no signs of slowing down, even if the technology in question will likely change in ways perhaps unimaginable today. Naturally, all this innovation brings huge opportunities and benefits to organisations and individuals alike. However, these come at more than just a financial cost.
In the world as we know it, you can be attacked both physically and virtually. For today’s organisations, which rely so heavily on technology – particularly the Internet – to do business, being attacked virtually is the far more threatening of the two. The cyber threat landscape is complex and constantly changing. For every vulnerability fixed, another pops up, ripe for exploitation. Worse, when a vulnerability is identified, a tool that can exploit it is often developed and used within hours – faster than the time it normally takes for the vendor to release a patch, and certainly quicker than the time many organisations take to install that patch.
The cyber criminal’s point of view
The nature of the cyber world means that cyber attackers can attack anyone, anywhere, from the comfort of their home. You might say that they were ahead of the game in terms of taking advantage of the benefits and opportunities offered by working remotely.
Furthermore, from an attacker’s perspective, there is often a very good reward-to-risk ratio: for the victim, it can be hard enough to detect that an attack happened at all, never mind trace who was behind it. It is in the very nature of the digital information that we are trying to protect that it is easy to copy. In fact, stealing the information does not require removing it from its original location at all, meaning that the owner of that information may never realise that the theft happened.
Unfortunately for us, committing crimes over the Internet can also be very lucrative. Physical pickpocketing may earn a thief cash and credit cards (that will likely be blocked very quickly, and probably can only be used up to the contactless limit per transaction anyway), but digitally targeting someone gives them a chance to steal that person’s identity and get credit cards issued in the victim’s name. Upscale that, and a criminal might think about targeting organisations that hold databases with thousands or even millions of payment card details and personal information about their owners. Whether they then directly use that information for themselves or sell it on the dark web (where you can buy virtually anything, from drugs and human organs to hacking software and stolen credentials), the profits are certainly far greater than those of a physical crime conducted in the same timescale and with the same manpower.
Moreover, cyber criminals are spoilt for choice when it comes to deciding who to target. Because virtually every organisation holds valuable information, and often in huge quantities, essentially anyone will do. In fact, criminals often do not target specific businesses at all, but specific vulnerabilities. Attackers tend to use automated tools to identify those vulnerabilities, and therefore their victims, for them.
Securing your assets
The information that attackers target is often vital to the organisations that hold it. More often than not, you cannot do business if you lose access to that information, making it one of your most important assets. At the same time, the fact that criminals can extract significant value from this information means that it is an asset to them too. There is good reason to refer to them as information ‘assets’ – by definition, someone wants to get hold of them. Many a time, that ‘someone’ is a business partner that will go through the proper channels – but not everyone will take the legal route.
With all this in mind, it should not come as a surprise that cyber attacks are – and will probably continue to be – on the rise. Such attacks can vary widely, ranging from simple phishing emails to complex, detailed operations masterminded by skilled criminal gangs. However, even the simplest attack, if executed successfully, can wreak havoc if you are not prepared.
Clearly, it is in your organisation’s best interests to protect yourself. While this might cost, it will prove far cheaper than experiencing a breach and having to deal with the operational, financial and reputational damages that follow.
Is security affordable?
Despite the clear value of implementing security measures, given the frequency of data breaches and cyber attacks in the press, many of them large-scale, you could be forgiven for thinking that it is impossible to defend your organisation against the predations of cyber attackers. After all, if massive multinationals cannot stay secure, what hope is there for small businesses?
The truth is that you can achieve far more, and on a far smaller budget, than you think. Particularly if you take a strategic approach and aim for the lower-hanging fruit first, becoming secure – and even becoming cyber resilient (more on that distinction in Chapter 3) – does not have to cost vast amounts of money or take years to implement. And it is a worthwhile investment: no matter the size of your organisation, improving your security helps protect your data and that of your clients, improving business relations and opening new business opportunities.
CHAPTER 2: LEGAL AND CONTRACTUAL REQUIREMENTS
Although the best mindset towards implementing security is to think of it as a business investment, it can take hard legal and/or contractual requirements to secure the necessary commitment and resources from your organisation. (Making a tight budget stretch is one thing; doing so without organisation-wide commitment is quite another.)
Data privacy laws
As far as legal requirements are concerned, data privacy laws have been widely updated in recent years. The most well-publicised one was the EU General Data Protection Regulation (GDPR), enforced in 2018, which marked a major milestone for data protection and privacy laws across the world. The EU GDPR places a wide range of security and privacy obligations on organisations that process the data of EU residents and is supported by a regime of significant financial penalties (up to the greater of 4% of annual turnover or €20 million).
Following the introduction of the EU GDPR, other updated privacy laws have emerged around the world, including the UK GDPR and Data Protection Act (DPA) 2018 in the UK, and the California