Cyber resilience

Last updated

Cyber resilience refers to an entity's ability to continuously deliver the intended outcome, despite cyber attacks. [1] Resilience to cyber attacks is essential to IT systems, critical infrastructure, business processes, organizations, societies, and nation-states. A related term is cyberworthiness, [2] which is an assessment of the resilience of a system from cyber attacks. It can be applied to a range of software and hardware elements (such as standalone software, code deployed on an internet site, the browser itself, military mission systems, commercial equipment, or IoT devices).

Contents

Adverse cyber events are those that negatively impact the availability, integrity, or confidentiality of networked IT systems and associated information and services. [3] These events may be intentional (e.g. cyber attack) or unintentional (e.g. failed software update) and caused by humans, nature, or a combination thereof.

Unlike cyber security, which is designed to protect systems, networks and data from cyber crimes, cyber resilience is designed to prevent systems and networks from being derailed in the event that security is compromised. [4] Cyber security is effective without compromising the usability of systems and there is a robust continuity business plan to resume operations, if the cyber attack is successful.

Cyber resilience helps businesses to recognize that hackers have the advantage of innovative tools, element of surprise, target and can be successful in their attempt. This concept helps business to prepare, prevent, respond and successfully recover to the intended secure state. This is a cultural shift as the organization sees security as a full-time job and embedded security best practices in day-to-day operations. [5] In comparison to cyber security, cyber resilience requires the business to think differently and be more agile on handling attacks.

The objective of cyber resilience is to maintain the entity's ability to deliver the intended outcome continuously at all times. [6] This means doing so even when regular delivery mechanisms have failed, such as during a crisis or after a security breach. The concept also includes the ability to restore or recover regular delivery mechanisms after such events, as well as the ability to continuously change or modify these delivery mechanisms, if needed in the face of new risks. Backups and disaster recovery operations are part of the process of restoring delivery mechanisms.

Frameworks

Resilience, as defined by Presidential Policy Directive PPD-21, is the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. [7] Cyber resilience focuses on the preventative, detective, and reactive controls in an information technology environment to assess gaps and drive enhancements to the overall security posture of the entity. The Cyber Resilience Review (CRR) is one framework for the assessment of an entity's resiliency created by the Department of Homeland Security. Another framework created by Symantec is based on 5 pillars: Prepare/Identify, Protect, Detect, Respond, and Recover. [8]

The National Institute of Standards and Technology's Special Publication 800-160 Volume 2 Rev. 1 [9] offers a framework for engineering secure and reliable systems—treating adverse cyber events as both resiliency and security issues. In particular 800-160 identifies fourteen techniques that can be used to improve resiliency:

Cyber Resiliency Techniques [10]
TechniquePurpose
Adaptive ResponseOptimize the ability to respond in a timely and appropriate manner.
Analytic MonitoringMonitor and detect adverse actions and conditions in a timely and actionable manner.
Coordinated ProtectionImplement a defense-in-depth strategy, so that adversaries have to overcome multiple obstacles.
DeceptionMislead, confuse, hide critical assets from, or expose covertly tainted assets to, the adversary.
DiversityUse heterogeneity to minimize common mode failures, particularly attacks exploiting common vulnerabilities.
Dynamic PositioningIncrease the ability to rapidly recover from a non-adversarial incident (e.g., acts of nature) by distributing and diversifying the network distribution.
Dynamic RepresentationKeep representation of the network current. Enhance understanding of dependencies among cyber and non-cyber resources. Reveal patterns or trends in adversary behavior.
Non-PersistenceGenerate and retain resources as needed or for a limited time. Reduce exposure to corruption, modification, or compromise.
Privilege RestrictionRestrict privileges based on attributes of users and system elements as well as on environmental factors.
RealignmentMinimize the connections between mission-critical and noncritical services, thus reducing the likelihood that a failure of noncritical services will impact mission-critical services.
RedundancyProvide multiple protected instances of critical resources.
SegmentationDefine and separate system elements based on criticality and trustworthiness.
Substantiated IntegrityAscertain whether critical system elements have been corrupted.
UnpredictabilityMake changes randomly and unexpectedly. Increase an adversary's uncertainty regarding the system protections which they may encounter, thus making it more difficult for them to ascertain the appropriate course of action.

See also

Related Research Articles

<span class="mw-page-title-main">Security through obscurity</span> Reliance on design or implementation secrecy for security

In security engineering, security through obscurity is the practice of concealing the details or mechanisms of a system to enhance its security. This approach relies on the principle of hiding something in plain sight, akin to a magician's sleight of hand or the use of camouflage. It diverges from traditional security methods, such as physical locks, and is more about obscuring information or characteristics to deter potential threats. Examples of this practice include disguising sensitive information within commonplace items, like a piece of paper in a book, or altering digital footprints, such as spoofing a web browser's version number. While not a standalone solution, security through obscurity can complement other security measures in certain scenarios.

<span class="mw-page-title-main">Business continuity planning</span> Prevention and recovery from threats that might affect a company

Business continuity may be defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident", and business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to enable ongoing operations before and during execution of disaster recovery. Business continuity is the intended outcome of proper execution of both business continuity planning and disaster recovery.

Information security standards are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. An example of an implementation of SCAP is OpenSCAP. SCAP is a suite of tools that have been compiled to be compatible with various protocols for things like configuration management, compliance requirements, software flaws, or vulnerabilities patching. Accumulation of these standards provides a means for data to be communicated between humans and machines efficiently. The objective of the framework is to promote a communal approach to the implementation of automated security mechanisms that are not monopolized.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

Resilience, resilient, or resiliency may refer to:

A resilient control system is one that maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature".

NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. Originally intended for U.S. federal agencies except those related to national security, since the 5th revision it is a standard for general usage. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.

Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to the operation of security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.

<span class="mw-page-title-main">Risk Management Framework</span> US federal government guideline

The Risk Management Framework (RMF) is a United States federal government guideline, standard, and process for managing risk to help secure information systems, developed by the National Institute of Standards and Technology (NIST). The RMF provides a structured process that integrates information security, privacy, and risk management activities into the system development life cycle.

Security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers as defined by ITU-T X.800 Recommendation.
X.800 and ISO 7498-2 are technically aligned. This model is widely recognized

Control system security, or industrial control system (ICS) cybersecurity, is the prevention of interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.

<span class="mw-page-title-main">IT risk management</span>

IT risk management is the application of risk management methods to information technology in order to manage IT risk. Various methodologies exist to manage IT risks, each involving specific processes and steps.

<span class="mw-page-title-main">Resilience (engineering and construction)</span> Infrastructure design able to absorb damage without suffering complete failure

In the fields of engineering and construction, resilience is the ability to absorb or avoid damage without suffering complete failure and is an objective of design, maintenance and restoration for buildings and infrastructure, as well as communities. A more comprehensive definition is that it is the ability to respond, absorb, and adapt to, as well as recover in a disruptive event. A resilient structure/system/community is expected to be able to resist to an extreme event with minimal damages and functionality disruptions during the event; after the event, it should be able to rapidly recovery its functionality similar to or even better than the pre-event level.

Cyber threat intelligence (CTI) is a subfield of cybersecurity that focuses on the structured collection, analysis, and dissemination of data regarding potential or existing cyber threats. It provides organizations with the insights necessary to anticipate, prevent, and respond to cyberattacks by understanding the behavior of threat actors, their tactics, and the vulnerabilities they exploit. Cyber threat intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence, device log files, forensically acquired data or intelligence from the internet traffic and data derived for the deep and dark web.

Active defense can refer to a defensive strategy in the military or cybersecurity arena.

<span class="mw-page-title-main">External dependencies management assessment</span>

The External Dependencies Management Assessment is a voluntary, in-person, facilitated assessment created by the United States Department of Homeland Security. The EDM Assessment is intended for the owners and operators of critical infrastructure organizations in the United States. It measures and reports on the ability of the subject organization to manage external dependencies as they relate to the supply and operation of information and communications technology (ICT). This area of risk management is also sometimes called Third Party Risk Management or Supply Chain Risk Management.

The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks. Developed by the U.S. National Institute of Standards and Technology (NIST), the framework was initially published in 2014 for critical infrastructure sectors but has since been widely adopted across various industries, including government and private enterprises globally. The framework integrates existing standards, guidelines, and best practices to provide a structured approach to cybersecurity risk management.

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

Operational collaboration is a cyber resilience framework that leverages public-private partnerships to reduce the risk of cyber threats and the impact of cyberattacks on United States cyberspace. This operational collaboration framework for cyber is similar to the Federal Emergency Management Agency (FEMA)'s National Preparedness System which is used to coordinate responses to natural disasters, terrorism, chemical and biological events in the physical world.

References

  1. Björck, Fredrik; Henkel, Martin; Stirna, Janis; Zdravkovic, Jelena (2015). Cyber Resilience - Fundamentals for a Definition. Advances in Intelligent Systems and Computing. Vol. 353. Stockholm University. pp. 311–316. doi:10.1007/978-3-319-16486-1_31. ISBN   978-3-319-16485-4.
  2. Roland L. Trope (March 2004). "A Warranty of Cyberworthiness". 2 (2, pp. 73-76). IEEE Security and Privacy. doi:10.1109/MSECP.2004.1281252.{{cite journal}}: Cite journal requires |journal= (help)
  3. Ross, Ron (2021). "Developing Cyber-Resilient Systems: A Systems Security Engineering Approach" (PDF). NIST Special Publication. 2 via NIST.
  4. "Cyber Resilience". www.itgovernance.co.uk. Retrieved 2017-07-28.
  5. Council, Editors, Forbes Technology. "Cybersecurity Is Dead". Forbes. Retrieved 2017-07-28.{{cite news}}: |first= has generic name (help)CS1 maint: multiple names: authors list (link)
  6. Hausken, Kjell (2020-09-01). "Cyber resilience in firms, organizations and societies". Internet of Things. 11: 100204. doi: 10.1016/j.iot.2020.100204 . hdl: 11250/2729453 . ISSN   2542-6605.
  7. "What Is Security and Resilience? | Homeland Security". www.dhs.gov. 2012-12-19. Retrieved 2016-02-29.
  8. "The Cyber Resilience Blueprint: A New Perspective on Security" (PDF).
  9. (NIST), Ron Ross; (MITRE), Richard Graubart; (MITRE), Deborah Bodeau; (MITRE), Rosalie McQuaid (December 2021). "SP 800-160 Vol. 2 Rev 1., Developing Cyber-Resilient Systems: A Systems Security Engineering Approach". csrc.nist.gov. Retrieved 2022-08-11.
  10. (NIST), Ron Ross; (MITRE), Richard Graubart; (MITRE), Deborah Bodeau; (MITRE), Rosalie McQuaid (December 2021). "SP 800-160 Vol. 2 Rev 1., Developing Cyber-Resilient Systems: A Systems Security Engineering Approach". csrc.nist.gov. Retrieved 2022-08-11.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.