Detection and Prevention in Information Security Management

• Cyber attacks remain undetected for too long
• The new ISO/IEC 27001:2022 - key changes
• Three new controls for detection and prevention
• Technical summary
• What does the update mean for your certification?
• State-of-the-art ISMS with the expertise of DQS

Cyber attacks remain undetected for too long

The eminent value of information and data in the 21st century business world is increasingly forcing companies and organizations to focus on information security and invest in the systematic protection of their digital assets. Why? In dynamic threat landscapes, attackers' tactics are becoming increasingly sophisticated and multi-layered - resulting in serious damage to the image and reputation of affected companies and billions of dollars in annual economic losses worldwide.

Experts agree that there is no longer complete protection against cyberattacks - if only because of the human factor of uncertainty. This makes early detection of potential and actual attacks all the more important in order to limit their lateral vector in corporate networks and keep the number of compromisable systems as low as possible. But there is still a huge amount of catching up to do in this area: research conducted as part of IBM's"Cost of a data breach 2022" study shows that it took an average of 277 days to detect and contain an attack in 2022.

The new ISO 27001:2022

To assist companies and organizations with a contemporary, standardized framework for information security management systems, ISO published the new ISMS standard ISO/IEC 27001:2022 on October 25, 2022. Annex A provides controls/measures that can be used on a company-specific basis to address information security risks.

Implementation of the measures from Annex A in the current version is supported by the identically structured implementation guidance of ISO/IEC 27002:2022, which was already updated in February. Generic controls for strategic attack prevention and faster detection are newly included.

Three new controls for detection and prevention

The now 93 measures in Annex A of ISO/IEC 27001:2022 are now reorganized under the update into four topics

• Organizational measures,
• Personal measures,
• Physical measures and
• Technological measures.

Three of the eleven newly introduced information security controls relate to the prevention and timely detection of cyber attacks. These three controls are

• 5.7 Threat intelligence (organizational).
• 8.16 Monitoring activities (technological)
• 8.23 Web filtering (technological).

Below we will take a closer look at these 3 new controls.

Threat intelligence

Organizational control 5.7 deals with the systematic collection and analysis of information about relevant threats. The purpose of the measure is to make organizations aware of their own threat situation so that they can subsequently take appropriate action to mitigate the risk. Threat data should be analyzed in a structured manner according to three aspects: strategic, tactical and operational.

Strategic threat analysis provides insights into changing threat landscapes, such as attack types and the actors, e.g., state-motivated actors, cybercriminals, contract attackers, hacktivists. National and international government agencies (such as BSI - German Federal Office for Information Security, enisa - European Union Agency for Cybersecurity, U.S. Department of Homeland Security or NIST - National Institute of Standards and Technology), as well as non-profit organizations and relevant forums, provide well-researched threat intelligence across all industries and critical infrastructures.

Tactical threat intelligence and its evaluation provide assessments of attackers' methods, tools, and technologies.

Operational evaluation of specific threats provides detailed information on specific attacks, including technical indicators, e.g., currently the extreme increase in cyber attacks by ransomware and its variants in 2022.

Threat analysis can provide support in the following ways:

• Procedurally to integrate threat data into the risk management process,
• Technically preventive and detection, e.g. by updating firewall rules, intrusion detection systems (IDS), anti-malware solutions,
• With input information for specific test procedures and test techniques against information security.

The data quality from organizational control 5.7 for determining the threat situation and analyzing it directly affects the two technical controls for monitoring activities (8.16) and web filtering (8.23) discussed below, which are also new to ISO/IEC 27002.

Monitoring activities

Detective and corrective information security control 8.16 on technical monitoring of activities focuses on anomaly detection as a method for averting threats. Networks, systems, and applications behave according to expected patterns, such as data throughput, protocols, messages, and so on. Any change or deviation from these expected patterns is detected as an anomaly.

In order to detect this unusual behavior, relevant activities must be monitored in accordance with business and information security requirements and any anomalies must be compared with existing threat data, among other things (see above, requirement 5.7). The following aspects are relevant to the monitoring system:

• Inbound and outbound network, system and application traffic,
• Access to systems, servers, network equipment, monitoring systems, critical applications, etc...,
• System and network configuration files at the administrative or mission-critical level;
• Security tool logs [e.g., antivirus, intrusion detection systems (IDS), intrusion prevention system (IPS), web filters, firewalls, data leakage prevention],
• Event logs related to system and network activities,
• Verification that executable code in a system has integrity and authorization,
• Resource usage, e.g., processor power, disk capacity, memory usage, bandwidths.

The basic requirements for a functioning monitoring of activities are a cleanly and transparently configured IT/OT infrastructure and properly functioning IT/OT networks. Any change against this basic state is detected as a potential threat to functionality and thus as an anomaly. Depending on the complexity of an infrastructure, implementing this measure is a major challenge despite relevant vendor solutions. The importance of systems for anomaly detection was recognized almost simultaneously with requirement 8.16 of ISO/IEC 27002:2022 for operators of so-called critical infrastructures. Thus, in the national scope of relevant, legal regulations, there is an obligation for these to effectively apply so-called systems for attack detection with deadlines.

Web filtering

The Internet is both a blessing and a curse. Access to dubious websites continues to be a gateway for malicious content and malware. The information security control 8.23 Web filtering has the preventive purpose of protecting an organization's own systems from malware intrusion and preventing access to unauthorized web resources. Organizations should establish rules for safe and appropriate use of online resources for this purpose - including mandatory access restrictions to unwanted or inappropriate websites and web-based applications. Access to the following types of websites should be blocked by the organization:

• Websites that have an upload feature - unless this would be necessary for legitimate, business reasons,
• Known or even suspected malicious websites,
• Command and control servers,
• Malicious websites identified as such from the threat data (see also measure 5.7),
• Websites with illegal content.

The web filtering measure only really works with trained personnel who are sufficiently aware of the safe and appropriate use of online resources.

Technical conclusion

The new detection and prevention controls described here have a key role to play in defending against organized cybercrime, and they have rightly found their way into the current versions of ISO/IEC 27001 and ISO/IEC 27002. With the continuous updating and analysis of available threat information, extensive activity monitoring in their own IT infrastructures, and securing their own systems against dubious websites, companies are sustainably strengthening their protection against the intrusion of dangerous malware. They also put themselves in a position to initiate appropriate response measures at an early stage.

Companies and organizations now have to implement the three presented controls/measures accordingly and integrate them consistently into their ISMS in order to meet the requirements of future certification audits. DQS has more than 35 years of comprehensive expertise in the field of impartial audits and certifications - and is happy to support you in the change management of your information security management system in accordance with ISO/IEC 27001:2022.

What does the update mean for your certification?

ISO/IEC 27001:2022 was published on October 25, 2022. This results in the following deadlines and timeframes for users to transition:

• Readiness for certification to ISO/IEC 27001:2022 expected from February - May 2023 (subject to our accreditation body DAkkS, Deutsche Akkreditierungsstelle GmbH).
• Last date for initial/re-certification audits according to the "old" ISO 27001:2013 is October 31, 2023 After October 31, 2023, DQS will perform initial and recertification audits only according to the new ISO/IEC 27001:2022 standard
• Conversion of all existing certificates according to the "old" ISO/IEC 27001:2013 to the new ISO/IEC 27001:2022: A three-year transition period will apply from October 31, 2022. Certificates issued according to ISO/IEC 27001:2013 or DIN EN ISO/IEC 27001:2017 will be valid until October 31, 2025 at the latest or must be withdrawn on this date.

State-of-the-art ISMS with the expertise of DQS

When transitioning to the new version of ISO/IEC 27001, organizations still have some time. Current certificates based on the old standard will lose their validity on 31.10.2025. Nevertheless, you are well advised to deal with the changed ISMS requirements at an early stage, initiate suitable change processes and implement them accordingly.

As experts for audits and certifications with the experience of more than three decades, we support you in the implementation of the new standard. Find out from our numerous experienced auditors about the most important changes and their relevance for your organization - and put your trust in our expertise. Together, we will discuss your potential for improvement and support you until you receive the new certificate. We look forward to hearing from you.