Risk Management
Cyber Security Framework: Back to Basics
Dr. Ivan Pavlov once said: “If you want new ideas, read old books.” The same applies to cybersecurity best practices. Discover how you can extend a basic cyber security framework to reduce system and employee security risks.
Cybersecurity Awareness Month 2022 Series
Security awareness means knowing what a security problem is, what could cause a security problem, and how to stop or prevent a security problem. This Cybersecurity Awareness Month I’m focusing on how a basic cyber security framework can tackle system and employee security risks.
A Basic Cyber Security Framework
In November 1994, ISO published standard ISO/IEC 7498, the seven-layer Reference Model for Open Systems Interconnect (OSI).
Benefits of the OSI model include:
- Reduces complexity by dividing aspects of network operations into simpler components
- Standardizes interfaces, enabling more specialised design and development efforts to specific functions
- Accelerates evolution and makes troubleshooting easier; network admins can look at the layer that is causing an issue instead of investigating the entire network
- Facilitates modular engineering and prevents changes in one layer from impacting others
- Enables network admins to determine the required hardware and software to build their network
The lesser-known companion standard, ISO 7498-2, applies security capabilities across this OSI model. The five primary security capabilities are:
- Authentication: How do you prove you are who you say you are, when talking with a computer? Multifactor authentication (MFA) – part of the zero trust architecture – means you not only have a user ID and a password or a key, but you also have additional support for your claim to be the right person. Whatever system you use to track authorised users, make sure it is up to date – do not let individuals retain permissions they should not have or do not need.
- Authorization: Now that we know who you are, what can you do? Most systems use some form of access control list. Make sure your list is up to date.
- Data Integrity: Make sure that the data you see has not been tampered with.
- Data Confidentiality: Make sure that the data has only been seen by the right people and services.
- Non-repudiation: This has two forms. One form applies to the sender: if I send you a message, I cannot deny being the author. The other form applies to the recipient: if you get a message, you cannot deny having received it. Both forms are implemented with a public key system.
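To make the last two capabilities concrete, here is an added example (not from the original post) showing why non-repudiation needs a public key system: a digital signature ties a message to the sender’s private key (non-repudiation of origin), a signed receipt ties it to the recipient (non-repudiation of receipt), while a shared-key MAC provides data integrity only, because either party could have produced the tag. The parties, keys, message and the "received:" receipt prefix are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Keys makes an Ed25519 key pair for one party (constructed for this example).
func Keys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign: only the private-key holder can produce this, so the sender cannot deny authorship.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }
// VerifyOrigin checks authorship and integrity of msg against the sender's public key.
func VerifyOrigin(pub ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }
// Receipt: the recipient signs a hash of what it received, so it cannot deny receipt.
func Receipt(priv ed25519.PrivateKey, msg []byte) []byte { return Sign(priv, receiptBody(msg)) }
func VerifyReceipt(pub ed25519.PublicKey, msg, rcpt []byte) bool { return VerifyOrigin(pub, receiptBody(msg), rcpt) }

func receiptBody(msg []byte) []byte {
	h := sha256.Sum256(msg)
	return append([]byte("received:"), h[:]...)
}

// MAC gives integrity under a shared key but no non-repudiation: either holder could have made the tag.
func MAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func main() {
	alicePub, alicePriv := Keys()
	bobPub, bobPriv := Keys()
	msg := []byte("approve invoice 1234") // constructed sample message
	sig, rcpt := Sign(alicePriv, msg), Receipt(bobPriv, msg)
	fmt.Println("origin:", VerifyOrigin(alicePub, msg, sig), "receipt:", VerifyReceipt(bobPub, msg, rcpt))
	fmt.Println("tampered:", VerifyOrigin(alicePub, []byte("approve invoice 9999"), sig))
	key := []byte("shared-secret") // both sides hold it, so Bob can reproduce Alice's tag
	fmt.Println("bob reproduces alice's tag:", hmac.Equal(MAC(key, msg), MAC(key, msg)))
}
```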
These capabilities do not simply “line up” with the layers in the OSI model. Different implementations are possible. This cyber security framework shows how these capabilities can give you an architecturally secure platform for trustworthy and reliable messaging. It does not say how to do it – there are different ways to secure communications – but it suggests things to think about when you are building a secure environment.
A Cyber Security Framework for Employees
CISOs and security leaders can extend the ISO cyber security framework by integrating the primary capabilities – authentication, authorisation, data integrity, data confidentiality, and non-repudiation – into their employee training.
Having a security program is critical to reducing cyber risk. But how can you measure its effectiveness and relay it to the board? Ultimately, you should be able to demonstrate that the security program achieved three goals: basic awareness, positive culture, and effective procedures. To test your program, you can hire a penetration tester, utilise red teaming, bring in a consulting organisation, or perform a comprehensive audit.
However, a simpler way is to imagine an employee – not a technical person, just anyone – who is working away and sees something that might be wrong. Ask them these three questions:
- Would she know if it were wrong or not?
- Would she choose to report it?
- If she picked up the phone, would she know who to call?
Put more formally, the first question tests the employee’s basic awareness. The second one probes the organisation’s culture. The third one verifies that the management mechanisms are in place to support that culture and awareness.
To go deeper, if she can’t tell if the situation might be a security problem (a suspicious email, or an unexpected response from an app), then the awareness program is not resonating.
Suppose she decides it is a problem; would she choose to do something about it? Maybe she reaches out to her supervisor, who says “Yes, that could be a problem, but it isn’t really in our area so we shouldn’t cause trouble.” Maybe she remembers that when a colleague reported a problem everybody heard about it, and nobody will sit with them in the break room any more. But she soldiers on and picks up the phone to call the Help Desk. She is then immediately connected with Site Security, who wants to know where the fire is.
If the answers to these three questions include a “no” then your program is broken. But if the answers are all “yes”, then things are working well. It doesn’t matter what you spend on security tools – if there is a “no,” the tools are just window dressing. But if there is a solid “yes” across the board then even if the tools are imperfect, the people will make it work.
When it comes to security, people are the strongest link.
What do you think? Let me know at @WilliamMalikTM