Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis

Transcription

1 Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis

2 An analogue approach to a digital world What foundations is CDCAT built on? The world is more connected, users are relying on organisations to protect their digital lives and cyber criminals are becoming more adaptable than ever. Are organisations responding to these trends by covering the basics to form adequate cyber defences? Are organisations achieving this through proactive development of their systems, whilst utilising best practice and security measure deployment? Worryingly, in a majority of cases the answer is no. Cyber Crime remains one of the top four priority risks identifi ed in the UK national security strategy. Cyber attacks have become common occurrences, with organisations in 2013 experiencing an average of 48 successful attacks per week. This represents a 16% increase from 2012 when organisations reported 41 successful attacks on average per week¹. Simplifying cyber defence response 81% of large organisations and 60% of small businesses reported they were the victim of a cyber-security breach from In fi nancial terms the worst of these security breaches has an average cost of 600, million for large organisations and 65, ,000 for small businesses². So what can an organisation do to help identify and rectify their cyber defence weaknesses? CDCAT fuses multiple cyber security controls and inputs from commercial, military, and intelligence operations around the world, including; NATO, ISO series and the NIST Cyber Security Framework - together with leading independent bodies such as the Council on Cyber Security. CDCAT combines them to provide a list of standards associated with one of 145 different aspects of cyber defence. These are mapped to the cyber defence lifecycle categories Assess, Deter, Protect, Detect, Respond/Recover. Each control (e.g. patch management) has a defi nition which describes different levels of compliance based on the Organisation s risk appetite. An organisation is then able to understand where any gaps in defence capability may exist. Each control maps mitigating behaviours to enable an organisation to improve its capability in a given area. Stage 4: DETECT RECOVER Stage 5: RESPOND/ Stage 3: PROTECT Stage 1: ASSESS Stage 2: DETER The Cyber Defence Capability Assessment Tool (CDCAT ) was developed by the Defence Science and Technology Laboratory (Dstl), which is a trading fund of the MOD. Dstl is dedicated to the defence and security of the UK through the development of innovative science and technology. It provides impartial scientifi c and technological advice to the UK Armed Forces and British Government. This unique assessment process is built on key principles to: Establish a converged risk mitigation framework for Information Assurance, Computer Network Defence and Service Management to enable decision development and superiority; CDCAT captures risk control objectives in one single operational activity consistent framework supporting the fusion of: PROTECT - covering Information Assurance DEFEND - covering classic computer network defence OPERATE - covering end to end service management CDCAT is a way for businesses to assess their own cyber defence preparedness, understand where any gaps in defence capability may exist and what mitigations can be applied. CDCAT delivers: A common operational framework and taxonomy Defi nition of control objectives and their maturity levels with their use in assessment and audit Defend Computer Network Defence Defi nition of what good looks like in what controls are more effective based on Computer Emergency Response Team evidence from around the world. Protect Information Assurance Enable Decision Superiority Diagram: Service Operation Operate Service Management Establish the scope for cyber defence against the known scope of the implementation related to the current network environment for that organisation; Provide a common taxonomy for more effi cient discussion, coordination and communication of cyber defence activities across environments; Provide a framework for evolution of organisational developments and partner or community cooperation on the development of cyber defence capabilities; Provide a framework for providing interoperability interfaces at various levels and various capabilities, in order to apply a federated approach to cyber defence (with industry, partners and other environment actors) Provide a framework for business strategy and planning in the context of cyber defence Service Management needs with visualisation for assessment results. Page 2 Page 3

3 81% of large organisations and 60% of small businesses reported they were the victim of a cyber-security breach from Cultivating your cyber environment Why your organisation needs CDCAT The principle benefi t of fused situational awareness is to Enable Decision Superiority in the Cyber Environment. Where vulnerabilities are built-in during the design phases, inadvertently or deliberately, cyber protections set the baseline for the security protection of the system. Defence activities then actively manage potential or on-going exploitation of these vulnerabilities, reactively or proactively. Computer Network Defence and Service Management are designed to show business perspectives in CDCAT so that stakeholders recognise their traditional activities in the now fused model. Each of these control perspectives represent the overlapping Protect, Defend, and Operate respectively of the Cyber Environment and combine effectively to Enable Decision Superiority. Cyber Defence encompasses many components and touch points as shown. CDCAT directly builds out operational risk control activities supporting an organisation s operating strategy. Whilst immediately applicable to wide area networking, local area networking and mobile IT, much of CDCAT is applicable to managing cyber risks in any digital technology in the other domains shown in the fi gure Cyber Environment Applied Scope. Cyber defence activities are mapped to one of the ITIL and cyber defence categories. Each of the different controls (e.g. patch management) has a defi nition which describes different levels of compliance. An organisation is then able to assess its own performance to understand where any gaps in defence capability may exist. Each control maps mitigating behaviours to enable an organisation to improve its score, and therefore capability in a given area. The scope of the Cyber Environment in terms of its physical and logical systems can be described by the following diagram: Cyber Environment Applied Scope Human Interaction (Vetting, Social Media, Compliance etc) Collaboration Industry General IT (e.g. WAN/LAN, Mobile, Cloud etc) CYBER DEFENCE Process Control Systems (e.g. SCADA) Embedded Systems (e.g. Vehicles, Platforms) Microelectronics Supply Chain Organisations in 2013 experiencing an average of 48 successful attacks per week. Physical (e.g. idam, Attribution, Safety) Page 4 Page 5

4 You have piqued my interest, is there a quick start version? Yes, CDCAT has a lightweight capability maturity questionnaire (<1 hour) which supports the production of risk treatment plans from many detailed best practice resources and incident evidence. This process reviews the top group of most effective security controls within an organisation or environment. Based on evidence, these controls have been proven to address 85% of known risks and threats in the cyber environment. By 2015 the UK Government s vision is to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions - guided by our core values of liberty, fairness, transparency and the rule of law - enhance prosperity, national security and a strong society³. CDCAT helps drive this vision by providing organisations with tailored, ongoing assessments which enable proactive cyber defence strategies. CDCAT is the most comprehensive tool on the market, drawing from Government and military standards which are not available anywhere else. Cyber threats are dynamic. Regardless of how many precautions are taken or how much money is invested in this area it is not possible for an organisation to be 100% safe. Technology moves too fast and there will always be someone out there to exploit weakness. However rapid CDCAT assessment and re-assessment over time ensures the door is not left wide open for them to stroll in. Future Cyber Defence: A bright tomorrow or a mist of uncertainty CDCAT uses multiple cyber security controls and inputs from commercial, military and government organisations around the world, including ISO 27000, NATO, the UK Ministry of Defence (MOD) and the National Institute of Standards and Technology (NIST), together with those from leading independent bodies such as the Council on Cyber Security. These are used to create a list of key cyber defence controls against which an organisation s capabilities can be measured alongside the protection strategies it has in place to show where there might be gaps and what mitigations can be implemented. The tool and its scoring system can be used on an ongoing basis if business risk demands, or when a company is looking to reassess its cyber defence strategy. - Martin Huddleston, Principal Cyber Solutions Architect at Dstl Who we are APM Group is a global business providing accreditation and certifi cation services. It has been assessing and certifying practitioners around the world in a variety of different professionalisms since Providing a wide range of cyber security training and certifi cation schemes, APMG aims to provide individuals and organisations alike with the necessary tools and skillsets to effectively police and protect vital, and often sensitive information. Follow us on Ploughshare Innovations was formed in 2005 to commercialise and exploit Dstl s intellectual property generated from its research. Since its establishment, Ploughshare has commercialised more than 110 technologies and launched eleven spin-out companies, principally for civilian applications. Ploughshare has also negotiated licences in the defence fi eld resulting in research being pulled through into defence products to meet defence requirements. References ¹(Source: Ponemon Institute 2013 Cost of Cyber Crime Study: United Kingdom) ²(Source: BIS information security breaches survey 2014) ³(Source: The UK Cyber Security Strategy 2011) The Defence Science and Technology Laboratory (Dstl) maximises the impact of science and technology (S&T) for the defence and security of the UK, supplying sensitive and specialist S&T services for the Ministry of Defence (MOD) and wider government. Dstl is a trading fund of the MOD, run along commercial lines. It is one of the principal government organisations dedicated to S&T in the defence and security fi eld, with three main sites at Porton Down, near Salisbury, Portsdown West, near Portsmouth, and Fort Halstead, near Sevenoaks. Dstl works with a wide range of partners and suppliers in industry, in academia and overseas. Around 60% of the Defence Science and Technology Programme is delivered by these external partners and suppliers. Follow us on (ITIL is a registered trade mark of AXELOS Limited.) (CDCAT is subject to Crown Copyright and Crown Database Rights. The work was sponsored by the MOD ISS NTA) Page 6 Page 7

5 Why should I invest in CDCAT? CDCAT is the unique decision support system which allows a company to dynamically and proactively tackle its cyber security needs through business risk appetite analysis. CDCAT is updated on a quarterly basis with information drawn from multiple international sources not readily available to the private/public sector. CDCAT makes it easier for an organisation to manage their own cyber risk strategy and provides simple steps to improve cyber defence capabilities. CDCAT provides cyber professionals with the tools to build effective business cases for vital updates. Worst case scenario modelling outlines the potential cost to an organisation of not implementing the recommended change and suffering a breach. This is measured against the costs of enacting the change. These forecasts are based on the data provided during the assessment. CDCAT supports continuous security improvements for organisations and supply chains - as threats, consequences and risk appetites change. Through integrating multiple evolving reference standards, e.g. ISO series, it provides a framework for the assessment and integration of new technologies, e.g. cloud, mobile, digital applications, etc. supporting an up-to-date assessment. CDCAT provides organisations with a way to report back to key stakeholders that they are addressing sector based vulnerabilities and proactively targeting cyber defence weak spots. CDCAT calculates the overall business preparedness scores and defi nes a number of reports to support the analysis and assessment of the business improvements required. Cost savings can be driven through adopting an effi cient risk management approach utilising the recommendations made in the CDCAT report. Visible, effective cyber security is an enabler for a thriving business. Would you like to know more? Please contact: E: [email protected] T: +44 (0) APM Group Ltd All Rights Reserved