Security leaders have been talking about the need to achieve cyber resilience for quite some time. It is now becoming a new paradigm: organizations think beyond merely preventing breaches and invest in the capabilities needed to keep operating in the aftermath of attacks – be they major or minor.
We’ve noticed that the initiatives taken by regulators and standard setters are aligned. In January 2020, the Department of Defense (DoD), traditionally the trendsetter for cybersecurity, published the Cyber Maturity Model Certification (CMMC) as a new, uniform set of requirements for Department of Defense contractors and sub-contractors. The key innovation in CMMC is its focus on resilience, specifically the inclusion of process requirements derived from the CERT Resilience Management Model (CERT-RMM). In 2018, the European Central Bank (ECB) launched the European Framework for Threat Intelligence-Based Ethical Red Teaming (TIBER-EU). It is the first cross-border, multi-jurisdictional, multi-regulator initiative, and it has raised the standard of cybersecurity testing across Europe. It is fair to assume that the Department of Defense will lead again and that resilience management will become more central to cybersecurity across all industries.
Organizations today make cyber risk decisions based on fear, uncertainty, and doubt (FUD) or on compliance mandates to drive their security programs. Chasing the latest threat or reacting to the latest risk may not be the best use of limited resources. CERT-RMM is a collection of best practices for a holistic, risk-based approach for:
The model is a comprehensive source for measuring and maturing your resilience processes, in the context of business mission and strategy.
Traditionally, organizations have focused on processes and tools to protect themselves from cyber-attacks and have invested less in the capabilities needed to respond to and recover from the breaches that are likely to occur.
Leveraging regulations and frameworks like CMMC, TIBER-EU and CERT-RMM, organizations are broadening their perspective towards cyber resilience, i.e. balancing cybersecurity investments so as to achieve both protection against attacks and the capabilities that allow them to operate in the aftermath of successful attacks.
CERT-RMM treats cyber resilience as part of cyber hygiene. Today, no organization can presume that it can prevent every possible cyber-attack. The central goal is to keep operating properly while under attack and to recover as fast as possible from a breach.
Achieving cyber resilience is not a one-time activity; it is a continuous improvement journey in an ever-changing cybersecurity landscape. Organizations need a robust cybersecurity program with the right balance of three supporting pillars – People, Processes, and Technologies.
Some of the biggest challenges can be:
The Department of Defense has frequently pioneered advances in cybersecurity and, obviously, in the Internet more broadly. Cyber resilience is going to be a new paradigm for cybersecurity, as many government bodies are pushing towards the robust cybersecurity needed to secure their critical infrastructure. CERT-RMM is a set of practices for managing the most common and pervasive cybersecurity risks faced by organizations today.
It includes 11 cyber hygiene areas, comprising 41 CERT-RMM practices, which are an excellent starting point for organizations that want to achieve cyber resilience:
Identify and prioritize key organizational services, products and their supporting assets.
The first principle of risk management is to focus on the critical few: find out what is most important to the organization, figure out where it resides, and build the cybersecurity risk management strategy around it.
Identify, prioritize, and respond to risks to the organization’s key services and products.
The organization must identify and assess the risks to its operations, assets, and individuals (including mission, functions, and reputation). The response to the identified risks typically includes mitigation or acceptance, and monitoring to reduce the probability of occurrence and/or to minimize impact.
Establish an incident response plan.
Document and exercise response procedures and plans that include escalation, employee roles and responsibilities, and external partner coordination for handling disruptions.
Conduct cybersecurity education and awareness activities.
Employees and partners are provided ongoing cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities.
Establish network security and monitoring.
Utilize secure network design principles when configuring perimeter and internal network segments and ensure all network devices are configured consistently and appropriately. Filter all traffic at the network perimeter to limit traffic to what is required to support the organization and monitor traffic for unusual or malicious incoming and outgoing activity that could indicate an exposure, attack, or attempted attack. Conduct regular testing of the network for potential vulnerabilities and exposures.
Control access based on least privilege and maintain the user access accounts.
Limit access based on the classification level (e.g., confidential, secret, public) of information in documents or data stored on servers. Locate sensitive information in secure areas and on systems that limit access to only individuals who need it. Ensure user access information is current and accurate.
Manage technology changes and use standardized secure configurations.
Ensure configuration and change control processes are in place and managed. Establish standard secure configurations for hardware, operating systems, and software applications. These configurations should be regularly validated and refreshed to keep them in line with recent threats, vulnerabilities, and attack vectors.
Implement controls to protect and recover data.
Information and records (data) must be managed in line with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. Ensure that each system is automatically backed up at least weekly, and more often for systems storing sensitive information. Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls. Regularly test/audit the efficacy of controls, backups, and continuity procedures to ensure they are functioning as intended.
Prevent and monitor malware exposures.
Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and intrusion protection functionality. All malware detection events should be sent to enterprise and event log servers for analysis.
Manage cyber risks associated with suppliers and external dependencies.
Ensure that supplier and third-party dependencies are identified, prioritized, and managed. The organization should establish processes to manage threats, vulnerabilities, and incidents that may result from supplier and third-party dependencies throughout the lifecycle of those relationships. Wherever possible and appropriate, collaborative cybersecurity risk management processes (e.g., information sharing and controls testing) should be used.
Perform cyber threat and vulnerability monitoring and remediation.
Collect threat and vulnerability data from information sharing forums and sources. Establish a process to risk-rate threats and vulnerabilities based on their probability, exploitability, and potential impact. Mitigate the highest risk threats and vulnerabilities using leading practice controls. Establish expected controls implementation and patch timelines based on the risk rating level.
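The risk-rating and timeline practice described above, as an added example that is not part of the article or of CERT-RMM: each finding is scored on probability, exploitability and impact, the score is mapped to a rating level, each level carries an expected remediation timeline, and findings past their deadline are surfaced first. The 1..5 scales, the level thresholds, the day counts and the sample findings are all assumptions constructed for the example.

```python
# Added example (not from CERT-RMM or the article): risk-rate findings on probability,
# exploitability and impact, map the score to a rating level, attach a patch timeline per
# level, and flag findings past their deadline. Scales, thresholds and timelines are assumed.
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_TIMELINES = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed max days

@dataclass
class Finding:
    ident: str
    probability: int     # 1 (rare) .. 5 (almost certain)
    exploitability: int  # 1 (theoretical) .. 5 (trivial, weaponised)
    impact: int          # 1 (negligible) .. 5 (mission-stopping)
    discovered: date

def risk_score(f: Finding) -> int:
    """Multiplicative score in 1..125; factors outside 1..5 are rejected."""
    for v in (f.probability, f.exploitability, f.impact):
        if not 1 <= v <= 5:
            raise ValueError(f"{f.ident}: factor {v} outside 1..5")
    return f.probability * f.exploitability * f.impact

def rating_level(score: int) -> str:
    """Assumed thresholds: 27 is all three factors at 3, 64 is all three factors at 4."""
    if score >= 64:
        return "critical"
    if score >= 27:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def remediation_deadline(f: Finding) -> date:
    """Date by which the mitigating control or patch is expected, per the rating level."""
    return f.discovered + timedelta(days=PATCH_TIMELINES[rating_level(risk_score(f))])

def overdue(findings, today: date) -> list[str]:
    """Identifiers of findings past their deadline, highest risk score first."""
    late = [f for f in findings if remediation_deadline(f) < today]
    return [f.ident for f in sorted(late, key=risk_score, reverse=True)]

# Constructed sample findings (identifiers and dates are made up).
SAMPLE = [
    Finding("F-001", 5, 5, 4, date(2024, 3, 1)),   # 100 -> critical, due 2024-03-08
    Finding("F-002", 3, 3, 3, date(2024, 1, 10)),  # 27  -> high,     due 2024-02-09
    Finding("F-003", 2, 2, 2, date(2024, 2, 20)),  # 8   -> medium,   due 2024-05-20
    Finding("F-004", 1, 2, 3, date(2023, 9, 1)),   # 6   -> low,      due 2024-02-28
]
# overdue(SAMPLE, date(2024, 3, 15)) -> ['F-001', 'F-002', 'F-004']
```

Note that the low-rated F-004 is reported as overdue alongside the critical one: a long timeline is still a deadline, which is the point of tying expected patch dates to the rating level rather than leaving low findings open indefinitely.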