Blogs - CyberPal
CYBERPAL

Blogs

Key insights from the cyber security industry, trends, analysis and perspectives

A Risk-Based Approach to Security

Businesses tackle cybersecurity from several perspectives and end up adopting different strategies for identifying and fulfilling cybersecurity control goals. Some small and medium businesses enter the security arena simply with a focus on meeting a compliance obligation, while others only commence a renewed security effort in the wake of a breach or after interest from a senior executive. These are all ad hoc ways to approach cybersecurity which often work in the short term to fill the immediate gaps and need, but more often than not fail to take a long-term strategic approach that leaves the organization well positioned to handle future threats. The business only adopted these approaches to security, while failing to follow any type of coherent strategy thereby leaving them vulnerable.

It is known that compliance requirements drive the security programs at businesses of all sizes when technology and compliance teams scramble to meet legal, regulatory or

contractual requirements. For instance, obligations under the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and other regulations push most organizations to only out in place security controls in “check-the-box” mode. Even though overall security may improve because of this, it fails to look at the operation in a comprehensive manner. The regulatory and compliance institutions have narrow scopes of interest, and so, design regulations specifically to protect the confidentiality of certain pieces of regulated information.

Although compliance with these regulations may be mandatory, it is usually not enough to protect an organization against cybersecurity risks.

A better approach and more effective option for businesses is to adopt a risk-based approach to security that performs a holistic assessment of the threats facing an organization and the vulnerabilities in its current operating environment. Risks happen when there is a crossing of an existing (or potential) vulnerability and an identified (or possible) threat.

Therefore, when performing a thorough cybersecurity risk assessment, organizations evaluate all the possible risk and then assign it a risk score. These scores are based on a combination of the likelihood that a risk will materialize and the impact on the organization should the risk occur. This risk-based approach allows the organization to focus its efforts on the risks that are more significant to its business operations.

A risk-based approach to security recognizes that risks do not fit into organized buckets of high and low. It recognizes that risk fit along a spectrum ranging from risks that are so low that the organization may accept the risk without adverse impact, to those that are so severe they must be avoided at all costs. The vast majority of risks facing an organization dwell in the region around those two extremes, and the goal of a risk-based security program is to appropriately prioritize and mitigate those risks to an acceptable level.

Therefore, adopting a risk-based approach to information security requires the involvement of numerous stakeholders from all over the business. Information Technology teams should never pursue such assessments in isolation, because security risk is more than just a technology risk; it’s an operational risk as well. Risk mitigation decisions more often have a serious negative impact on operations, and IT leaders often lack the context, subject matter expertise or scope of authority to make these decisions in isolation. Rather, other leaders must be engaged in the process and create a forum for a comprehensive risk discussion.

The bottom line is that a risk-based security program must be very closely aligned with the goals of the organization. IT groups exist to facilitate the operations of the rest of the organization so that the entire operation succeeds. The technical decisions made within a security program may have a vivid effect on the ability of the business to achieve its goals, and a risk-based program must take consider this. Not all risks are technical. Strategic, operational and financial risks may justify accepting a higher level of technical risk than might seem otherwise appropriate. So, it is essential to balance these considerations. This can be done when all the departments and actors in the business are involved in the process.

Benefits of a Risk-Based Strategy

There are several benefits that a risk-based security strategy brings businesses of all sizes. The first advantage is that a risk-based approach to cybersecurity allows the organization to understand the value achieved from their security investments. The next benefit is that it provides the business organization with a comprehensive view of risk; and finally, they fill in the gaps in an organization’s security strategy, providing a robust, defense-in-depth approach to cybersecurity.

Small and medium businesses must acknowledge that security is not cheap. According to CDW.com (2020), 60% of healthcare organizations responded to a 2017 survey by the Healthcare Information and Management Systems Society that they spent at least 3% of their budgets on security, while 11% reported that they spent 10% or more of their budgets on this category of expense. This means that when organizations invest significantly on security, business leaders and owners must understand the return on that investment. Using a risk-based approached to security gives justification for specific security investments by allowing the organization to tie the investments directly to the risks that they mitigate and the value that this brings to the business. In addition, risk-based approaches allow an organization to adapt to changes in the threat landscape, by moving the investment of time and money to areas that pose the greatest risk.

Furthermore, adopting a risk-based approach to security also helps organizations adopt a broader risk-based approach to business because the concepts of risk management discussed in cybersecurity conversations apply equally to many other areas of an organization. These include other technology matters, such as disaster recovery and fault tolerance, as well as issues that do not involve technology, such as media relations and industrial compliance.

Finally, a risk-based approach leads a business toward a robust set of security controls that are designed to meet the specific business needs of the organization. Rather than indiscriminately adopting a regulatory framework or industry standard, the business can customize a set of controls to their unique technical and operational environment. Thorough risk analysis can provide the information required to adopt a defense in-depth approach to cybersecurity. Such an approach uses overlapping controls to mitigate the most serious risks in a manner that is not dependent on any single control.

Make the Move to Risk-Based Security

Small and medium businesses that currently approach security using outdated ad-hoc approaches or a compliance focused method will benefit from moving to a more comprehensive, risk-based approach. Following the conduct of a thorough risk assessment, IT and business leaders must come together to develop an approach to cybersecurity that appropriately balances security needs and business requirements. Subsequently, security professionals will then work to implement a set of controls that align with this business-focused security strategy and develop an ongoing approach to security monitoring. Organizations that decide to adopt this strategy will benefit from seeking broad leadership support, benchmarking with other organizations, and changing the mindset of technical staff and other users.

One place to get technical support and compare solutions is CyberPal, the world’s first Cyber Security Marketplace that enables end-users to compare, review, ask peers, buy research reports for all your Cyber Security requirements. Locate and connect with nearest Resellers for all Vendor solutions. End-users can post a project and Independent cyber experts can send proposals to these end-users and buyers can simply purchase it via the cyberpal platform and award the vendors / contractors the contract. It’s a secure payment platform and endusers benefit from private communication as well. This can help you to drive your cyber security strategy for your business rather than it being a non-starter.

Next

Adopting the MITR ATT&CK Framework by SMBs

For small and medium businesses who typically do not have large cybersecurity departments or budgets, mitigating security vulnerabilities is difficult. It is true that attackers need to exploit just one vulnerability to breach your network, but defenders have to secure everything. This the reason why security programs have been shifting resources toward detection and response: detecting when the bad guys are in your network and then responding to their actions efficiently to gather evidence and mitigate the risk.

Categorizing the threat behaviours in a clear and easily understandable manner is always a challenge for cybersecurity professionals. To understand the specifics of an attack, professionals normally need to analyse indicators, search for findings from other security researchers, and read reports, articles, and papers describing similar threats. This can also be a daunting task for small businesses.

Analysis and investigation can be overwhelming and resource intensive for cybersecurity professionals, especially if a threat shows a high sophistication level and several components. This is further complicated by the fact that a threat actor can modify these components (hashes, command-and-control (C&C) servers, IP addresses) making threats not only more efficient but also more difficult to detect and analyse. However, attacks and campaigns typically display certain patterns depending on the attacker’s motivations and targets. The challenge is how to cross-check findings against data from various sources.

The MITRE ATT&CK is a knowledge base which can be accessible from anywhere in the world that contains adversary tactics and techniques based on real-world observations of cyberattacks.

ATT&CK stands for adversarial tactics, techniques, and common knowledge. In recent times, tactics and techniques are the default way of assessing cyberattacks. Security analysts no longer investigate the results of an attack, such as an indicator of compromise, but look at the tactics and techniques that signify an attack is in progress. Tactics are the why of an attack technique while techniques represent how an adversary achieves a tactical objective by performing an action. In addition, common knowledge refers to the documented use of tactics and techniques by adversaries. Common knowledge may also be called procedures.

MITRE is not an acronym, but a government funded organisation with a well-developed cybersecurity practice that is funded by the National Institute of Standards and Technology (NIST). Together, the MITRE ATT&CK has a goal to assemble a thorough list of known enemy tactics and techniques used during a cyberattack. It is available to government, education, and commercial organizations, thereby making it be able to collect a wide, and hopefully exhaustive, range of attack stages and sequences. MITRE ATT&CK also intends to create a standard taxonomy for easier communications between organizations more specific.

The framework is divided into 12 categories of tactics for Enterprise. These include initial action, privilege access, and lateral movement. Beneath these are specific techniques observed with these attack activities. There is also a list of pre-attack activities such as pre-purchasing domain names and obtaining third-party software defences as well as 64 tactics observed through mobile attacks.

The MITRE ATT&CK framework is a popular template that business organisations can use for building cybersecurity detection and response programs. It is very useful because all the tactics, techniques and procedures (TTP) are based on what has been observed by actual attacking groups in the real world. Many of these groups use the same techniques. It is almost as if the hacking groups have their own playbook when attacking systems and they use this playbook to get new members productive quickly. The TTP of an attacker is like a behaviour and behaviours are much harder to change. Unlike evading a signature-based detection tool which only requires the attacker changing the attack method. Yet, finding an account that eventually becomes an administrator is much difficult for the attacker to avoid and hide. The malicious actor is forced to change their behaviour.

Business organisations are faced with the challenge associated with traditional threat intelligence because it is often a time-consuming effort that requires scrutinising through reports, articles, news stories, and even social media posts to find and analyse indicators as well as determine which information is useful for a current investigation or worth adding to an internal knowledge base. Given enough time, a dedicated security researcher would probably be able to piece together the details of the story. But in cybersecurity, time is always of the essence. Threat investigation needs to be as quick as possible to properly categorize a threat and identify where the security gaps are and how they can be addressed.

Thus ATT&CK can aid in threat investigations because it allows cybersecurity teams to narrow down their search to specific tactics and techniques, reducing the time needed to map out the details of an attack. The eventual goal, with the help of ATT&CK, is not only to tell the story of the why, how, and what of an attack but also to help pinpoint security weaknesses within the system that a security team can work on strengthening.

Cyberpal, is the world’s first Cyber Security Marketplace that enables end-users to compare, review, ask peers, buy research reports. It is where providers of MITR ATT&CK can be assessed and engaged to safeguard your business. CyberPal, the world’s first Cyber Security Marketplace that enables end-users to compare, review, ask peers, buy research reports for all your Cyber Security requirements. Locate and connect with nearest Resellers for all Vendor solutions. End-users can post a project and Independent cyber experts can send proposals to these end-users and buyers can simply purchase it via the cyberpal platform and award the vendors / contractors the contract. It’s a secure payment platform and endusers benefit from private communication as well. This can help you to drive your cyber security strategy for your business rather than it being a non-starter.

Next

Data Backup – A Security Assurance

Data backup is important for securing your business’s continuity. Backup goes beyond making copies to a single desktop/laptop computer or mobile device because when it is compromised, lost or stolen, your business data is gone. Even maintaining hardcopies on paper is not adequate data protection; because of natural disasters and human errors or sabotage.

A backup is a representative copy of data at a specified time. The phrase “backup and recovery” usually refers to the transfer of copied files from one location to another, along with the various operations performed on those files. Thus, a good backup strategy is essential for data security. Businesses of all sizes have backup as the last defense against data loss, by providing a way to restore original data. It has the following advantages:

  • Protecting you in the event of hardware failure, accidental deletions or disaster.
  • Protecting you against unauthorized changes made by an intruder.
  • Providing you with a history of an intruder’s activities by looking through archived, older backups.

Data loss can occur in many ways. For instance, stolen computers or mobile devices from break-ins; desktop/laptop hard drive crash or damage to mobile phones may also lead to irrecoverable data; deliberate or otherwise deletion of data; hijacking of computer systems by malware; and ransomware attacks.

Backup business data regularly

Create backups on reliable media or in the cloud. When using media for backups, the devices should be kept in a secure, off-site location. The basic rule businesses must follow for data protection is that if losing the data will interfere with doing business, back it up. Most desktop software programs can be reinstalled if required but recovering the details of transactions or business correspondence is impossible if those files are lost or damaged beyond repair.

Data Archive vs Data Backup

Backups are normally periodic, short term images of data for disaster recovery purposes. Archiving, meanwhile, generally refers to long-term storage of data that is no longer in regular use but can be restored if need be (for example, a finished project or data from a former client).

Backup Critical Business Data

The following are ways to successful data backup –

It is essential to implement backups of the data on a regular schedule and the first step is by identifying what needs to be backed up. All files that were created and/or modified should be regularly backed up. For many businesses, this includes everything from accounting files through email.

More and more business applications are available through the cloud. However, if you are using desktop (non-browser) applications, these can be reinstalled from media or downloaded, so don’t need to be backed up. Either way, for ease, businesses can use CyberPal, the world’s first Cyber Security Marketplace that enables end-users to compare, review, ask peers, buy research reports for all your Cyber Security requirements.

Cloud Storage

The use of online backup services makes backing up your data easy – which is just one of the reasons cloud computing is ideal for small businesses. However, cloud services are also vulnerable to data loss via hacking or employee sabotage (consider the recent case of the Indianapolis-based American College of Education who, after firing an information technology employee discovered that before leaving he had changed the administrative passwords to the online accounts, preventing the college from accessing their data). It is not a bad idea to take occasional local backups of cloud data (Ryckaert, 2017).

Local Data Backups

Businesses can simplify their backups by keeping all the files that will need to be archived on a single drive on a computer. Examples of such files for back up include accounting files, word-processing documents, spreadsheets, photos, and email. Naming the folders in a simple format like Accounting, Microsoft Office (including Outlook) etc. all on a separate drive or under a separate folder makes it easier to archive all the created files or modified using those programs. What is required next is to back up the drive or folder. Next is to select the critical data to be archived, it’s a simple matter to install and use a backup software program to archive your business data on a regular schedule.

Nightly back up is recommended. There are many backup software programs and vendors available on cyberpal.io that can allow you to set a schedule that will automatically backup your data. Backup software that also zips and encrypts files saves disk space and increases data security are also available.

It is recommended to only keep business data backups on-site if they are stored in a fire-proof, indestructible safe. Investing in a tape drive or external hard drive and meticulously adhering to a regular data backup schedule would be futile if all your data backup copies are in one place and that place is struck by disaster. For true security, business backups must be stored off-site. Another trend is for businesses to keep their data backups in security boxes at banks. Other small business owners keep multiple data backup copies of their records at the homes of different friends or family members. Wherever you choose to keep the backup copies of your data does not really matter, as long as the site you choose for off-site data backup is secure and you have regular access to it.

Online Backup Services

When a business opts for an online backup service, the best security is assured with the use of strong passwords which should be regularly changed. Furthermore, the backup files should be encrypted. Normal practice in shared services is for client data to be encrypted.

USB (Thumb) Drives

USB sticks are constantly increasing in capacity and are ideal for quick data backups. While not having the capacity of external hard drives they have fast data transfer rates and are highly portable. You can easily backup data to a USB drive and take it offsite. USB drives have no moving parts making them quite reliable.

External Hard Drives

For small and medium businesses, buying and using an external hard drive for data backups is the recommended method. External hard drives are inexpensive compared to tape drive systems. External HDs are also easy to use; simply plug the hard drive into your computer’s USB port. Most external hard drives come with a software for backup.

Local Area Network (LAN) Storage

Where there is a local area network (LAN) files can be also be backed up to another computer or server. However, if the backup machine resides in the same location it may be vulnerable to theft or damaged by fire or flood. To prevent theft a server can be installed in a locked cage, cabinet, or closet.

Tape Storage

If you have large amounts of data to backup (or wish to make and retain regular complete data archives for long-term storage) tape backups are the best option. They are highly reliable and can store massive amounts of data.

Back It Up or Risk Losing It

Don’t run the risk of losing your business data. The best defense against such a disaster is proper data protection. By creating a backup system that includes archiving and backing up your business data regularly and properly, you’ll ensure that your business will be able to weather whatever storm it faces and carry on. Remember – you can never have too many data backups! Backup and DR Vendors can now be sourced from cyberpal.io. CyberPal is the world’s first Cyber Security Marketplace that enables end-users to compare, review, ask peers, buy research reports for all your Cyber Security requirements. Locate and connect with nearest Resellers for all Vendor solutions. End-users can post a project and Independent cyber experts can send proposals to these end-users and buyers can simply purchase it via the cyberpal platform and award the vendors / contractors the contract. It’s a secure payment platform and endusers benefit from private communication as well. This can help you to drive your cyber security strategy for your business rather than it being a non-starter.

Reference

Ryckaert, V. (2017). Retrieved 11 March 2020, from https://www.usatoday.com/story/tech/nation-now/2017/01/17/password-lawsuit/96667974/

Next

Softino With Awesome Colors

Sign up to receive insights from the CyberPal team.

Get all of our upcoming content on Cyber Security Providers and Business Cyber Strategy sent directly to your inbox!

SIGNUP
X