Cyber security exposure



RECOMMENDATION: MANAGEMENT

Given the highly dynamic development of the threat situation in cyber space, knowledge that is as exact as possible of which aspects concern you is a prerequisite for efficiently protecting the networks and IT systems of companies, government agencies, and other organisations. The cyber security exposure is a pragmatic approach for determining, on the basis of comprehensible standards, what you are concerned by.

BSI publications on cyber security

Goal

The determination of the cyber security exposure described in this document is intended to support management in identifying the real concerns, in determining the protection requirements and, building upon these, in defining the level of cyber security to be aimed at. Based on the management's decision regarding the cyber security exposure, it is then the task of the persons responsible for IT and IT security (CIO and CISO) to derive the type and extent of reasonable and appropriate safeguards and to implement them. For this, the basic safeguards for cyber security provide pragmatic recommendations for action; observing them forms the basis for robust networks and resistant IT systems and thus provides the prerequisites for efficient protection against attacks via the Internet. This approach is intended to ensure that, given the wealth of necessary detailed safeguards, the essential basic safeguards for cyber security are always taken into consideration.

Determination of the cyber security exposure

Determining the cyber security exposure of the infrastructure to be protected is the prerequisite for planning and implementing appropriate safeguards and for subsequently evaluating these safeguards with regard to necessity, adequacy, and economic viability. The individual infrastructure elements, the data stored and transmitted in them, and the processing operations themselves must therefore be subjected to a holistic cyber threat analysis. As a guide to common cyber attacks, the BSI's register of current cyber threats and forms of attack [1] may be used. The IT infrastructure to be protected, as well as its individual elements, is exposed to a broad range of attack methods. The resulting cyber security exposure of the stored and transmitted data and processes can be summarised systematically by considering the interaction of several factors.

[1] https://www.bsi.bund.de/contentbsi/themen/cyber-sicherheit/analysen/grundlagen/bsia001.html

BSI-CS 013 Version 1.00 1/10/01 Page 1 of

Possible values for the cyber security exposure are normal, high, and very high; the values are therefore aligned with the protection requirements determination according to BSI standard 100- IT-Grundschutz Approach. They are determined by several factors: the attractiveness of the infrastructure to be protected, the characterisation of the attackers, the value of the attacked data and processes, the level of targeting of the attacks, and whether there are already empirical values regarding attacks performed in the past. The cyber security exposure exists with regard to confidentiality and availability as well as integrity. The cyber security exposure must then be weighted according to the transparency of the infrastructure for attackers. This results in the following central questions for determining the cyber security exposure:

Value of the information and processes
- Which data constitutes the highest value regarding confidentiality and availability as well as integrity?
- Which processes constitute the highest value regarding confidentiality and availability as well as integrity?
- To what extent do the business-critical processes of the organisation depend on the data?

Attractiveness for attackers
- How attractive is gaining access to the confidential data for attackers?
- How attractive is limiting the availability of the data and processes for attackers?
- How attractive is violating the integrity of the data and processes by manipulation for attackers?

Characterisation of the attackers
Who comes into consideration regarding attacks against confidentiality, availability, and/or integrity?
- Perpetrators acting in their spare time or out of sheer curiosity (hobbyists)?
- IT security researchers initially pursuing an academic interest in possibilities of attack, but who also publish their results publicly (full disclosure)?
- Small-time cyber criminals focusing particularly on the monetary usability of stolen data?
- Professional, organised cyber criminals, or professional competitive espionage?
- Hackers pursuing political and social goals with their attacks?
- Official authorities, e.g. intelligence services, able to rely on comprehensive resources for planning and carrying out their attacks?

Level of targeting of the cyber attacks
- Should it be assumed that the organisation will be exposed to wide-area attacks, whose targets are selected rather randomly and in large numbers by these groups of attackers?
- Or should it be assumed that the organisation will be attacked in a targeted manner, which allows for better preparation and execution of an attack?

Empirical values regarding attacks in the past
- Have cyber attacks on the organisation been detected in the past?
- Were there successful cyber attacks in the past that led to damage?

This analysis can then be used to determine the cyber security exposure regarding the protection goals of confidentiality, availability, and integrity, following the calculation bases defined in tables 1, 2, and 3. Here, an individual value must be assigned in each line to the degree of threat to confidentiality, availability, and integrity with regard to the criterion specified; the maximum of these values in each column then gives the degree of threat for each basic value (protection goal).

Table 1: Determination of the degree of threat

Criterion                          Confidentiality    Availability       Integrity
Value of the data and processes
Attractiveness for attackers
Type of attackers                  Hackers            Hackers            Hackers
Level of targeting of the attack   Targeted attack    Targeted attack    Targeted attack
Attacks in the past
Degree of threat

In order to carry out a cyber attack successfully, the attacker needs as much information as possible about the organisation being attacked. The level of transparency of the organisation for the attacker is therefore decisive:

- What information about the structure of the infrastructure to be protected is publicly available? Can conclusions about the IT infrastructure be drawn from the website of the government agency or company? What information is disclosed in job offers for technical personnel? Do publications of the government agency or company, such as the financial statement or (particularly in public administration) completed procurements, contain direct or indirect information on the IT infrastructure?
- How do employees of the government agency or company behave in social networks, both professionally and privately? What information about the technical equipment do they disclose, deliberately or inadvertently, in doing so? What conclusions can be drawn about key roles within the organisation and about possible technical and human gateways?
- Are attackers able to reconnoitre details of the infrastructure using technical methods? What technical data is disclosed to the outside by the systems connected to the Internet, e.g. by an organisation's web servers? Is it possible to obtain details of the installed software by analysing the information transmitted by the organisation's Internet browsers when opening external websites? Do the data fields of emails of the government agency or company contain information on the groupware used and its structure, for example? Do documents of the government agency or company contain open or hidden metadata which accidentally discloses further information?
- Do third parties collect information about the government agency or company in semi-public or private forums on the Internet that may be useful to attackers reading these forums?

For the subsequent determination of the cyber security exposure, the values for the transparency aspect must now be classified.

Table 2: Determination of the transparency

Transparency for the attacker    Confidentiality    Availability    Integrity
low                              -1                 -1              -1
medium                            0                  0               0
high                             +1                 +1              +1

The cyber security exposure is now determined from the sum of the degree of threat and the transparency value:

Cyber security exposure = degree of threat + transparency

It may adopt values between 0 and 6, resulting in a normal, high, or very high cyber security exposure.

Table 3: Determination of the cyber security exposure

Cyber security exposure    Confidentiality    Availability    Integrity
Normal                     0–1                0–1             0–1
High                       3                  3               3
Very high                  6                  6               6
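As an added worked example (not part of the BSI document), the following Python script implements the calculation just described: the degree of threat per protection goal as the maximum over the criteria of Table 1, the transparency weighting of Table 2 (-1, 0, +1) added to it, and the mapping of the sum to a normal, high or very high band. The document does not state the scoring scale of the Table 1 cells, so the script assumes integer scores from 1 to 5 (the scale that, together with the transparency weighting, yields exactly the 0 to 6 range the text gives); it also assumes that the sums 2, 4 and 5, which Table 3 does not list, fall into the high and very high bands respectively. The scores for the fictitious industrial company are constructed so that they reproduce the outcome stated in the following section (confidentiality very high, availability normal, integrity high); only the availability value 1 and the medium transparency come from the document, and the function and variable names are my own.

```python
"""Cyber security exposure calculator following the structure of BSI-CS 013.

Added example, not BSI's own tooling. Labelled assumptions:
- Table 1 criteria are scored per protection goal on an integer scale 1..5
  (the document only states the resulting 0..6 exposure range; 1..5 plus the
  -1/0/+1 transparency weighting is the scale that reproduces it).
- Table 3 in the document lists normal = 0-1, high = 3, very high = 6; the
  unlisted sums 2, 4 and 5 are assigned here to high (2-3) and very high (4-6).
"""
from typing import Dict, Mapping

# The three protection goals (basic values) the exposure is reported for.
GOALS = ("confidentiality", "availability", "integrity")

# The criteria of Table 1; one score per criterion and goal.
CRITERIA = (
    "value of the data and processes",
    "attractiveness for attackers",
    "type of attackers",
    "level of targeting of the attack",
    "attacks in the past",
)

# Table 2: transparency of the organisation for the attacker (from the document).
TRANSPARENCY = {"low": -1, "medium": 0, "high": 1}

SCORE_MIN, SCORE_MAX = 1, 5  # assumed scale for the Table 1 cells


def degree_of_threat(scores: Mapping[str, Mapping[str, int]]) -> Dict[str, int]:
    """Table 1: for every goal, the maximum score over all criteria.

    `scores` maps criterion -> goal -> score. A missing row or an
    out-of-range score is rejected instead of silently defaulted, because a
    missing row would understate the threat.
    """
    threat: Dict[str, int] = {}
    for goal in GOALS:
        column = []
        for criterion in CRITERIA:
            try:
                value = scores[criterion][goal]
            except KeyError as exc:
                raise ValueError(f"no score for {criterion!r} / {goal!r}") from exc
            if not SCORE_MIN <= value <= SCORE_MAX:
                raise ValueError(
                    f"{criterion!r} / {goal!r}: score {value} outside "
                    f"{SCORE_MIN}..{SCORE_MAX}"
                )
            column.append(value)
        threat[goal] = max(column)
    return threat


def exposure_band(total: int) -> str:
    """Table 3: map the sum threat + transparency to a band."""
    if not 0 <= total <= 6:
        raise ValueError(f"exposure sum {total} outside the 0..6 range")
    if total <= 1:
        return "normal"     # 0-1: stated in the document
    if total <= 3:
        return "high"       # 3 stated; 2 assigned here (assumption)
    return "very high"      # 6 stated; 4-5 assigned here (assumption)


def cyber_security_exposure(
    scores: Mapping[str, Mapping[str, int]], transparency: str
) -> Dict[str, str]:
    """Exposure = degree of threat + transparency, per protection goal."""
    weight = TRANSPARENCY[transparency]
    threat = degree_of_threat(scores)
    return {goal: exposure_band(threat[goal] + weight) for goal in GOALS}


def format_exposure(bands: Mapping[str, str]) -> str:
    """Render in the document's (confidentiality | availability | integrity) form."""
    return "Cyber security exposure = (" + " | ".join(
        f"{goal} {bands[goal]}" for goal in GOALS
    ) + ")"


# Constructed scores for the fictitious industrial company: espionage makes
# confidentiality highly attractive, availability is of little interest,
# integrity damage would be high. Only "availability 1" is stated in the
# document; the other numbers are chosen to reproduce its outcome.
FICTITIOUS_COMPANY = {
    "value of the data and processes":  {"confidentiality": 5, "availability": 1, "integrity": 3},
    "attractiveness for attackers":     {"confidentiality": 5, "availability": 1, "integrity": 3},
    "type of attackers":                {"confidentiality": 5, "availability": 1, "integrity": 3},
    "level of targeting of the attack": {"confidentiality": 4, "availability": 1, "integrity": 3},
    "attacks in the past":              {"confidentiality": 2, "availability": 1, "integrity": 2},
}

if __name__ == "__main__":
    result = cyber_security_exposure(FICTITIOUS_COMPANY, "medium")
    print(format_exposure(result))
```

Because the degree of threat is a maximum rather than an average, a single criterion scored at the top of the scale (here the attractiveness of confidential data for espionage) is enough to put a protection goal into the very high band; the transparency weighting can then only move the result by one step, which is why reducing the organisation's transparency alone never brings a very high exposure down to normal.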

Here, the cyber security exposure is always represented separately according to confidentiality, availability, and integrity:

Cyber security exposure = (confidentiality | availability | integrity)

Example for a fictitious industrial company: Attackers on the confidentiality of corporate data in the context of industrial espionage must be taken into consideration. However, it is not to be expected that there are attackers for whom adverse effects on the availability constitute an interesting goal with regard to this company (for example, in the form of distributed denial-of-service attacks); short-term non-availability of services does not constitute a particular risk for the company either. By contrast, the amount of damage incurred after attacks on the integrity of the data would have to be estimated as high, based on their value for the company. The transparency of the company from the attacker's point of view is medium. In this case, this results in a maximum value of for confidentiality, 1 for availability, and for integrity. This results in the following formal exposure:

Cyber security exposure = (confidentiality very high | availability normal | integrity high)

The cyber security exposure determined in this way summarises the threat situation for the reviewed infrastructure with regard to the transparency and attractiveness for attackers, the type and targeting level of the attackers, possible amounts of damage, and findings regarding previous attacks. It therefore forms the decisive criterion for deciding which safeguards must be taken, and with which intensity, in the key areas of cyber security.

By means of the BSI publications, the Federal Office for Information Security (BSI) publishes documents on current topics in the field of cyber security. Comments and advice from readers can be sent to info@cyber-allianz.de.