Did you miss out on attending CyberCon, the AISA Cyber Security Conference in Melbourne and the country's biggest cyber security conference? If so, don't worry, we've got you covered. This is the first in our series of posts on the lessons we learned. In it, we go through some of the ways you can protect your company and the data it stores. Firstly, I would like to thank all the speakers, who shared some of their wealth of knowledge, and AISA for organising such a fantastic event.

During a number of talks and panel sessions on how to address security, the consensus was that the best way to protect your company, and the data it stores, from cyber attack is to start by understanding the context of your business. That is, identify all the data you store and where it is located.

Once you have worked this out, prioritising the work is best done through the lens of a chosen risk framework and of threat intelligence, that is, evidence-based information about cyber attacks. In practice this means asking questions like "Who is targeting my business?" and "How are they going to go about attacking it?"

Threat Intelligence

Threat intelligence is evidence-based knowledge of a threat actor's (also known as a TA, or more loosely a hacker) motives, targets and attack behaviours, built by collecting, processing and analysing data about their activity. Much of it comes from building connections with security groups, professional associations and regulatory bodies such as the OAIC (Office of the Australian Information Commissioner), to understand which vulnerabilities are currently being exploited and how threat actors are taking advantage of them.

Choosing a Risk Framework

A risk framework or standard should be chosen based on the context of your organisation and its regulatory requirements, picking the one that fits best. We are somewhat biased and recommend ISO 27001. The controls used to protect your data and environment can be drawn from a number of sources. ISO 27001 lists controls in Annex A, but there are also other, more specific control catalogues. These include the Australian ISM (Information Security Manual, or the NZ ISM in New Zealand) and the NIST SP 800 series, such as SP 800-53 (Security and Privacy Controls), which is the control catalogue used by the NIST Risk Management Framework (SP 800-37).

As hinted at earlier in this article, it is important to consider the context of your organisation. A compliant solution is not necessarily a secure solution. Often companies blindly implement and follow controls without asking whether they are relevant to their organisation.

Implementation

When implementing controls, it is important to document the controls and the reasons for choosing them. Just as importantly, there will be exemptions to the controls. As the saying goes, the exception proves the rule! Any exemptions should also be documented, and the risks associated with them managed. This records why the controls were implemented and why the exemptions were made, which helps later when you re-assess the risks and controls and the original reasoning has been forgotten.

While on the topic of exemptions, automated tools are often used to check for risks, such as vulnerability scanners in a Continuous Integration / Continuous Deployment (CI/CD) pipeline within software development. Frequently these cannot be tailored to your risk appetite, and no exemption can be recorded for a rule that you do not want applied in a particular case. As a result, enforcement of the whole check gets disabled. Like the exemptions to controls, these should be documented so that the reasons can be found later or when reassessing the implementation. Where the tool allows it, prefer suppressing the specific finding, with a recorded reason, owner and review date, over switching the rule off entirely.
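To make that concrete, here is an added example written for this post (it is not code from CyberCon, from any speaker, or from any particular scanner) of a small gate that runs in a pipeline after the vulnerability scanner. Instead of disabling the scan because one finding is an accepted risk, each exemption is scoped to a single finding in a single package and carries a reason, an owner and an expiry date; expired exemptions and exemptions that no longer match any finding are surfaced so they get re-reviewed or removed. The report shape, the exemption file shape, the finding IDs and the team names are all constructed for illustration and map onto whatever your scanner actually emits.

```python
"""Apply documented, expiring exemptions to a CI/CD vulnerability scan.

Added example, not from the original post. The scanner report and the
exemption list below are constructed; their formats are assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date

# Constructed sample scanner output (assumed shape; IDs are placeholders).
SCAN_REPORT = json.loads("""
[
  {"id": "EX-0001", "package": "examplelib", "version": "1.2.3", "severity": "HIGH"},
  {"id": "EX-0002", "package": "otherlib",   "version": "4.5.6", "severity": "CRITICAL"},
  {"id": "EX-0003", "package": "examplelib", "version": "1.2.3", "severity": "LOW"},
  {"id": "EX-0004", "package": "thirdlib",   "version": "0.9.0", "severity": "HIGH"}
]
""")

# Constructed exemption file: one entry per accepted finding, never per rule.
EXEMPTIONS = [
    {"id": "EX-0002", "package": "otherlib",
     "reason": "Vulnerable code path not reachable; feature disabled at build time.",
     "owner": "platform-team", "expires": "2099-01-01"},
    # This one has lapsed: it must be re-reviewed, not silently honoured.
    {"id": "EX-0004", "package": "thirdlib",
     "reason": "Patch scheduled for next release.",
     "owner": "app-team", "expires": "2020-01-01"},
]

REQUIRED_FIELDS = ("id", "package", "reason", "owner", "expires")
FAIL_AT = frozenset({"HIGH", "CRITICAL"})  # assumed risk appetite for the gate


@dataclass
class Verdict:
    blocking: list = field(default_factory=list)   # findings with no valid exemption
    exempted: list = field(default_factory=list)   # (finding, exemption) suppressed with a reason
    expired: list = field(default_factory=list)    # (finding, exemption) whose review date passed
    unused: list = field(default_factory=list)     # exemptions matching no reported finding

    def passes(self) -> bool:
        """The pipeline stage passes only if nothing is blocking or expired."""
        return not self.blocking and not self.expired


def validate_exemptions(exemptions: list[dict]) -> None:
    """Reject exemptions that lack a reason, owner or parseable expiry."""
    for ex in exemptions:
        missing = [f for f in REQUIRED_FIELDS if not ex.get(f)]
        if missing:
            raise ValueError(f"exemption {ex.get('id')!r} missing {missing}")
        date.fromisoformat(ex["expires"])  # raises ValueError if malformed


def evaluate(report: list[dict], exemptions: list[dict], today: date,
             fail_at: frozenset = FAIL_AT) -> Verdict:
    """Match each failing-severity finding against a scoped exemption."""
    validate_exemptions(exemptions)
    by_key = {(e["id"], e["package"]): e for e in exemptions}
    used: set[tuple[str, str]] = set()
    verdict = Verdict()
    for finding in report:
        if finding["severity"] not in fail_at:
            continue
        key = (finding["id"], finding["package"])
        ex = by_key.get(key)
        if ex is None:
            verdict.blocking.append(finding)
            continue
        used.add(key)
        if date.fromisoformat(ex["expires"]) < today:
            verdict.expired.append((finding, ex))
        else:
            verdict.exempted.append((finding, ex))
    verdict.unused = [e for k, e in by_key.items() if k not in used]
    return verdict


def main() -> int:
    verdict = evaluate(SCAN_REPORT, EXEMPTIONS, date.today())
    for f in verdict.blocking:
        print(f"BLOCK   {f['id']} in {f['package']} {f['version']} ({f['severity']})")
    for f, ex in verdict.expired:
        print(f"EXPIRED {f['id']} exemption by {ex['owner']} lapsed {ex['expires']}: re-review")
    for f, ex in verdict.exempted:
        print(f"EXEMPT  {f['id']} ({ex['owner']}, until {ex['expires']}): {ex['reason']}")
    for ex in verdict.unused:
        print(f"STALE   exemption {ex['id']} no longer matches a finding; remove it")
    return 0 if verdict.passes() else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

The gate fails on an expired exemption rather than quietly dropping it, so an accepted risk is forced back through review on the date the owner committed to, and the stale-exemption report keeps the file from accumulating entries nobody can explain later.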

When you are assessing the cyber risks to your business, consider using a risk hierarchy. This allows risks to be inherited, and potentially mitigated at higher levels, so that impacts can be properly assessed and fixes appropriately prioritised. It also allows all risks to be recorded, including insignificant ones or those with small impacts, which gives visibility that they have been considered.

Conclusion

So, this can be summarised as an approach with the following steps:

  • Understand your business: how and where the critical information is stored, who might want access to it, and how they might go about getting it. Threat intelligence can help with this.
  • Choose a risk framework which is best aligned with your business. Based on your business needs, you can select specific controls from a range of other sources to further protect your assets.
  • When implementing the controls, be sure to document how and why you are implementing them. Don't forget to include any exemptions to rules or controls. This makes things much easier to understand and to enhance or change in future as the threat landscape evolves.

I hope that this has been informative and has prompted some thought about how you can address cyber risks within your business. The most important point to remember is to think about the risks and controls in the context of your business, and how they might affect your specific circumstances. Also, remember to document how and why controls are implemented, with details of any exemptions. Stay tuned for the next blog post, which will cover preventing cyber attacks.

Check out our other learnings from CyberCon

Author
Brad Fabiny

DQS Product Manager - Cyber Security, and auditor for the ISO 9001 and ISO 27001 standards and information security management systems (ISMS), with extensive experience in software development.