Cyber resilience

Cyber resilience refers to an entity's ability to continuously deliver the intended outcome, despite cyber attacks. [1] Resilience to cyber attacks is essential to IT systems, critical infrastructure, business processes, organizations, societies, and nation-states. A related term is cyberworthiness, [2] an assessment of a system's resilience to cyber attacks. Cyberworthiness can be assessed for a range of software and hardware elements (such as standalone software, code deployed on an internet site, the browser itself, military mission systems, commercial equipment, or IoT devices).

Adverse cyber events are those that negatively impact the availability, integrity, or confidentiality of networked IT systems and associated information and services. [3] These events may be intentional (e.g. cyber attack) or unintentional (e.g. failed software update) and caused by humans, nature, or a combination thereof.

Unlike cyber security, which is designed to protect systems, networks and data from cyber crimes, cyber resilience is designed to prevent systems and networks from being derailed in the event that security is compromised. [4] Resilience is achieved when security controls are effective without compromising the usability of systems, and a robust business continuity plan exists to resume operations if a cyber attack succeeds.

Cyber resilience helps businesses recognize that attackers have the advantages of innovative tools, the element of surprise and choice of target, and that they can succeed in their attempt. The concept helps a business prepare for, prevent, respond to, and recover from attacks, returning to the intended secure state. This is a cultural shift: the organization treats security as a full-time job and embeds security best practices in day-to-day operations. [5] In comparison to cyber security, cyber resilience requires the business to think differently and be more agile in handling attacks.

The objective of cyber resilience is to maintain the entity's ability to deliver the intended outcome continuously. [6] This means doing so even when regular delivery mechanisms have failed, such as during a crisis or after a security breach. The concept also includes the ability to restore or recover regular delivery mechanisms after such events, as well as the ability to continuously change or modify these delivery mechanisms if needed, in the face of new risks. Backups and disaster recovery operations are part of the process of restoring delivery mechanisms.

Frameworks

Resilience, as defined by Presidential Policy Directive PPD-21, is the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. [7] Cyber resilience focuses on the preventative, detective, and reactive controls in an information technology environment to assess gaps and drive enhancements to the overall security posture of the entity. The Cyber Resilience Review (CRR) is one framework for the assessment of an entity's resiliency created by the Department of Homeland Security. Another framework created by Symantec is based on 5 pillars: Prepare/Identify, Protect, Detect, Respond, and Recover. [8]

The National Institute of Standards and Technology's Special Publication 800-160 Volume 2 Rev. 1 [9] offers a framework for engineering secure and reliable systems—treating adverse cyber events as both resiliency and security issues. In particular, SP 800-160 identifies fourteen techniques that can be used to improve resiliency:

Cyber Resiliency Techniques [10]

Technique: Purpose

Adaptive Response: Optimize the ability to respond in a timely and appropriate manner.

Analytic Monitoring: Monitor and detect adverse actions and conditions in a timely and actionable manner.

Coordinated Protection: Implement a defense-in-depth strategy, so that adversaries have to overcome multiple obstacles.

Deception: Mislead, confuse, hide critical assets from, or expose covertly tainted assets to, the adversary.

Diversity: Use heterogeneity to minimize common mode failures, particularly attacks exploiting common vulnerabilities.

Dynamic Positioning: Increase the ability to rapidly recover from a non-adversarial incident (e.g., acts of nature) by distributing and diversifying the network distribution.

Dynamic Representation: Keep the representation of the network current. Enhance understanding of dependencies among cyber and non-cyber resources. Reveal patterns or trends in adversary behavior.

Non-Persistence: Generate and retain resources as needed or for a limited time. Reduce exposure to corruption, modification, or compromise.

Privilege Restriction: Restrict privileges based on attributes of users and system elements as well as on environmental factors.

Realignment: Minimize the connections between mission-critical and noncritical services, thus reducing the likelihood that a failure of noncritical services will impact mission-critical services.

Redundancy: Provide multiple protected instances of critical resources.

Segmentation: Define and separate system elements based on criticality and trustworthiness.

Substantiated Integrity: Ascertain whether critical system elements have been corrupted.

Unpredictability: Make changes randomly and unexpectedly. Increase an adversary's uncertainty regarding the system protections which they may encounter, thus making it more difficult for them to ascertain the appropriate course of action.

References

  1. Björck, Fredrik; Henkel, Martin; Stirna, Janis; Zdravkovic, Jelena (2015). Cyber Resilience - Fundamentals for a Definition. Advances in Intelligent Systems and Computing. Vol. 353. Stockholm University. pp. 311–316. doi:10.1007/978-3-319-16486-1_31. ISBN 978-3-319-16485-4.
  2. Trope, Roland L. (March 2004). "A Warranty of Cyberworthiness". IEEE Security and Privacy. 2 (2): 73–76. doi:10.1109/MSECP.2004.1281252.
  3. Ross, Ron (2021). "Developing Cyber-Resilient Systems: A Systems Security Engineering Approach" (PDF). NIST Special Publication 800-160, Vol. 2. Via NIST.
  4. "Cyber Resilience". www.itgovernance.co.uk. Retrieved 2017-07-28.
  5. Forbes Technology Council. "Cybersecurity Is Dead". Forbes. Retrieved 2017-07-28.
  6. Hausken, Kjell (2020-09-01). "Cyber resilience in firms, organizations and societies". Internet of Things. 11: 100204. doi:10.1016/j.iot.2020.100204. ISSN 2542-6605.
  7. "What Is Security and Resilience? | Homeland Security". www.dhs.gov. 2012-12-19. Retrieved 2016-02-29.
  8. "The Cyber Resilience Blueprint: A New Perspective on Security" (PDF). Symantec.
  9. Ross, Ron (NIST); Graubart, Richard (MITRE); Bodeau, Deborah (MITRE); McQuaid, Rosalie (MITRE) (December 2021). "SP 800-160 Vol. 2 Rev. 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach". csrc.nist.gov. Retrieved 2022-08-11.
  10. Ross, Ron (NIST); Graubart, Richard (MITRE); Bodeau, Deborah (MITRE); McQuaid, Rosalie (MITRE) (December 2021). "SP 800-160 Vol. 2 Rev. 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach". csrc.nist.gov. Retrieved 2022-08-11.