
Knowledge Lab


Information Security Governance: A Bulwark Against Chaos

Just as a house with shoddy foundations will never be secure, an information security programme without empowered and effective governance will only lead to chaos. A key purpose of information security governance is to ensure that the information security programme aligns with the goals and objectives of the business, and can be defined as the collection of top-down activities intended to control the security organisation (and security-related activities in every part of the organisation) from a strategic perspective.

A Secure Business is a Successful Business

Contrary to what outsiders commonly assume, the purpose of information security is not to make life unnecessarily difficult, lock everything down and present barriers at every step. If it did, no business would be able to function effectively. Instead, information security governance is about facilitating the organisation’s activities while protecting it from a hostile world replete with numerous threats and risks. A breach leading to a loss of the confidentiality, integrity or availability of valuable data can lead to significant financial losses — in some cases so damaging as to put an organisation out of business or set it back months or years. The job of information security governance is to communicate these risks — and any shortcomings in addressing them — to senior management and stakeholders across the business. Without this key line of communication a silo is created in which information security is misunderstood across the business and insufficient resources are allocated to address genuine threats and risks.

Security Tools Require Effective Governance

A common approach in some organisations is to make up for inadequate governance by purchasing multiple security tools, often without reference to actual needs and resources. These can be vulnerability scanners, a SIEM and other threat detection and response software. As a box-ticking exercise, having these tools in place might look good, but without the governance to effectively manage and monitor them within a broader strategic approach, they are a palliative that only adds to the confusion and noise. If an organisation has no documented incident response process (with assigned responsibilities), and has failed to carry out incident response training exercises in the last twelve months, then it should come as no surprise if, in the event of a genuine incident, it ends up beset by confusion and a response that is far from optimal.

Support and Alignment with the Business

Where security governance activities are effective, information security will be in a position to support the business in areas such as:

  • Risk management
  • Process improvement
  • Event identification
  • Incident response
  • Improved compliance
  • Business continuity and disaster recovery planning
  • Metrics
  • Resource management
  • Improved IT governance

When activities such as these are managed through a strong governance foundation it leads to increased trust from customers, suppliers, and partners.

In order to align itself with the business the information security programme should also be fully aware of and adapt to all of the following:

  • Culture
  • Asset values
  • Risk tolerance
  • Legal obligations
  • Market conditions

Healthy Governance

Healthy security governance should lead to outputs that include:

  • Objectives
  • Strategy
  • Policy
  • Priorities
  • Standards
  • Processes
  • Controls
  • Programme and project management
  • Metrics and reporting

Strong information security governance ensures that the organisation itself, as well as people, process, culture and technology — including the dynamic interconnections between these — are all holistically addressed.

Through measures such as policies, standards, guidelines, process documentation, resource allocation and compliance, management can ensure that a solid foundation is in place to achieve desired information security outcomes, and this is all the more important now in a world where organisations at all levels and industries are increasingly dependent on their information and information systems.

Finding Cyber Threats with Attack-Based Analytics

All too often, security teams within organisations fail to test their controls using the same real-world techniques that would be used by potential adversaries. Only by emulating offensive techniques can defences be tested, measured and improved, thereby augmenting intrusion detection and prevention mechanisms. An effective security team should not only aim to test technical controls, but also their outcomes. These should answer basic questions such as:

  • What can our controls and programme currently detect?
  • What do they fail to detect?
  • How quickly do they detect the attack methods?
  • What would be the likely outcome in the event of a detection failure?
  • How long does it take for us to contain the attack, remediate and recover?
  • Are our intrusion detection tools and systems working as they should?
  • What is the signal-to-noise ratio for the detection criteria?

Such tests would demonstrate where different threat actors would be successful or would be caught in the environment and would allow the business to know exactly what is detected or mitigated and what is not.

The ATT&CK Framework

One of the most valuable frameworks for building adversary attack emulation scenarios is ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge).

As described by MITRE:

ATT&CK is a knowledge base of cyber adversary behavior and taxonomy for adversarial actions across their lifecycle. ATT&CK has several parts: PRE-ATT&CK, which focuses left of delivery and exploit, ATT&CK for Enterprise, which covers initial access/exploit and beyond, and ATT&CK for Mobile, which focuses on mobile devices.

The ATT&CK model applies to enterprise IT systems covering Windows, macOS, and Linux, and mobile devices using Android or iOS. It places the tactical goals of an adversary within ten categories:

  • Persistence
  • Privilege Escalation
  • Defence Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Execution
  • Collection
  • Exfiltration
  • Command and Control

Each of the tactical categories within the matrix includes common attack techniques, such as ‘Supply Chain Compromise’ or ‘Spearphishing Link’ for Initial Access. Privilege Escalation includes ‘Sudo’ and ‘Launch Daemon’, while Credential Access contains ‘Bash History’ and ‘Two-Factor Authentication Interception’. Of course, some of the techniques, such as Network Sniffing, can span multiple categories (Credential Access and Discovery).

It’s important to stress that ATT&CK doesn’t claim to cover all possible techniques in a given tactical category (it would be dangerous to make this assumption), but is based on a community of knowledge about actions that adversaries have used for a particular purpose. Using the framework, a Red Team posing as the adversary can test each of the methods while the Blue Team acting as network defenders can see whether the actions are detected or not. In this way the security team can benefit from exposing themselves to a wide variety of adversary types and techniques.

Best Practices

The ultimate aim of running these tests is to identify visibility gaps and determine where we need to make improvements. Is your intrusion detection system doing its job and has it been configured correctly? Would the attacks be detected in your log files (assuming software or a person actually examines these files)?

Test: Ensure that you have permission and approval before running any test. You should run the test in a test environment that mimics your production environment and that’s covered by your IDS. Simulate the attack either through an automated or manual method.

Gather Evidence: Did your IDS raise an alert? Is there a new entry in a log file revealing the attack? Perhaps nothing was detected. Record and measure everything you observe.

Develop Detection: If your existing defences failed to detect anything, it’s time to investigate and implement a solution that does.

Measure: Before moving on to the next attack tactic, ensure that you record whether detection was a success or failure. This way you will know where the gaps are and can track progress.

Develop Threat Intelligence: Even with an automated solution, it’s advisable that you have a sound technical understanding of how these attacks work. If you don’t, this will be an opportunity to learn. New attacks will keep emerging and an effective threat intelligence programme will ensure that it keeps you prepared by making you aware of every new attack tactic.
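The Test, Gather Evidence, Measure and retest cycle above produces its value only if each outcome is recorded. The following ledger is an added example (not code from the original article): it stores one record per emulated technique, using the technique and tactic names the article cites, and answers the questions posed earlier (what is detected, how quickly, the signal-to-noise ratio, and which gaps closed after a detection was developed). All timings, alert counts and results are constructed sample data.

```python
"""Detection-coverage ledger for ATT&CK-based control tests (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TestRecord:
    technique: str                    # ATT&CK technique name as listed in the matrix
    tactic: str                       # tactical category the emulation exercised
    started: datetime                 # when the emulation began
    first_alert: Optional[datetime]   # first *correct* alert, None if undetected
    true_alerts: int = 0              # alerts that pointed at this emulation
    false_alerts: int = 0             # unrelated alerts fired in the same window

    @property
    def detected(self) -> bool:
        return self.first_alert is not None

    def time_to_detect(self) -> Optional[timedelta]:
        return None if self.first_alert is None else self.first_alert - self.started


def coverage_by_tactic(records: List[TestRecord]) -> Dict[str, float]:
    """Fraction of tested techniques detected, per tactic ('what can we detect?')."""
    totals: Dict[str, int] = {}
    hits: Dict[str, int] = {}
    for r in records:
        totals[r.tactic] = totals.get(r.tactic, 0) + 1
        hits[r.tactic] = hits.get(r.tactic, 0) + (1 if r.detected else 0)
    return {t: hits[t] / totals[t] for t in totals}


def gaps(records: List[TestRecord]) -> List[str]:
    """Techniques that produced no correct alert: the visibility gaps to fix next."""
    return [r.technique for r in records if not r.detected]


def median_time_to_detect(records: List[TestRecord]) -> Optional[timedelta]:
    """Median delay between emulation start and first correct alert ('how quickly?')."""
    times = [r.time_to_detect() for r in records if r.detected]
    return median(times) if times else None


def signal_to_noise(records: List[TestRecord]) -> float:
    """Correct alerts as a fraction of all alerts seen during the tests (0 if none fired)."""
    signal = sum(r.true_alerts for r in records)
    noise = sum(r.false_alerts for r in records)
    return signal / (signal + noise) if signal + noise else 0.0


def closed_gaps(previous: List[TestRecord], current: List[TestRecord]) -> List[str]:
    """Techniques undetected in an earlier round that are detected now (progress tracking)."""
    now_detected = {r.technique for r in current if r.detected}
    return [t for t in gaps(previous) if t in now_detected]


# Constructed sample round: four techniques named in the article, one undetected.
T0 = datetime(2024, 1, 15, 9, 0)  # constructed test date
SAMPLE_TESTS = [
    TestRecord("Spearphishing Link", "Initial Access", T0,
               T0 + timedelta(minutes=4), true_alerts=2, false_alerts=1),
    TestRecord("Sudo", "Privilege Escalation", T0 + timedelta(hours=1),
               T0 + timedelta(hours=1, minutes=30), true_alerts=1, false_alerts=3),
    TestRecord("Bash History", "Credential Access", T0 + timedelta(hours=2),
               None, true_alerts=0, false_alerts=2),
    TestRecord("Network Sniffing", "Discovery", T0 + timedelta(hours=3),
               T0 + timedelta(hours=3, minutes=12), true_alerts=1, false_alerts=0),
]

# Constructed retest after a detection for the gap was developed.
RETEST = [
    TestRecord("Bash History", "Credential Access", T0 + timedelta(days=7),
               T0 + timedelta(days=7, minutes=2), true_alerts=1, false_alerts=0),
]

if __name__ == "__main__":
    print("coverage:", coverage_by_tactic(SAMPLE_TESTS))
    print("gaps:", gaps(SAMPLE_TESTS))
    print("median time to detect:", median_time_to_detect(SAMPLE_TESTS))
    print("signal-to-noise:", signal_to_noise(SAMPLE_TESTS))
    print("closed since last round:", closed_gaps(SAMPLE_TESTS, RETEST))
```

Feeding each round's records into the same functions gives the per-tactic coverage and time-to-detect figures to report to management, and the gap list to drive the next Develop Detection step.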

Test and Enhance

As adversaries continue to evolve methods for compromising systems and evading common defences, it’s critical that information security leaders understand how their defensive operational capabilities, such as technical controls, expertise, and response processes, perform in the face of a determined adversary. Only by carrying out real-world tests can gaps in these defences be identified. As such, ATT&CK represents an excellent framework for systematically testing your defences against attack techniques and tactics.

Bioinspired Information Security

It is perhaps the most remarkable security system known to man; an intricate, ingenious and extraordinarily efficient series of defence mechanisms to fight off an extreme number of hostile threats, each with their own shape, size, composition and subversive character. It is the immune system and its remarkable defence mechanisms that ensure the vast majority of us resist and fight off infectious agents, allowing most of us to remain disease-free throughout our lives.

At the heart of this system is a multi-layered defence mechanism and a conglomerate of cells, each playing its own special role within a series of highly effective systems to deal with anything deemed to be an unwelcome intruder. Indeed the ability to recognise what is foreign is central to the function of the immune system, for that is what the 24-hour surveillance system within us does, monitoring the integrity of our tissues. It has two basic roles: firstly to recognise all foreign substances and organisms that have penetrated our first layer of defence – our natural physical firewalls (e.g. the skin and mucosal surfaces) – and secondly to act in concert to eliminate and neutralise the threats.

Our firewall does more than simply act as a physical barrier to the external world replete with threats. Lactic and fatty acids in sweat generate a low pH which acts as a bactericidal solution. Other open paths of entry also create a hostile bactericidal environment, such as the acid in gastric juice. The bacterial flora of the body can also suppress the growth of potentially pathogenic bacteria through competition for essential nutrients and the use of inhibitory substances.

Our second layer of defence – the innate immune system – consists of sentinels such as macrophages and neutrophils, standing guard as our intrusion detection system and looking out for particular molecular patterns that are associated with infectious agents. Pattern recognition receptors provide intelligence on the threat, revealing the precise nature and location of infection and fingerprinting the pathogen. The innate immune system stands guard, ready to destroy infectious agents from the moment they enter our bodies.

The most sophisticated threat defence mechanism lies within the third layer of our defence: our adaptive immune system. This layer, composed of cell types such as cytotoxic T-cells and natural killer (NK) cells, excels in what is termed immunological memory: the ability to remember previous infectious threats in order to maintain a reserve of cells capable of swiftly responding to and eliminating a threat by the same type of microbe. It also acts as a more powerful targeted weapon in situations where the innate response fails to deal with infectious threats. Responding to a more advanced threat with a highly tailored solution requires time, which is why it may typically take 4-5 days for the adaptive immune system to respond to such intruders. Both the innate and adaptive immune systems work in concert to effectively deal with infectious agents through their actions and the exchange of information.

Responding to threats can also be metabolically costly (new proteins and cells must be made), which is precisely why proportionality must play a critical role. Too eager a response, and not only is energy unnecessarily wasted, but healthy tissue of the self may also be destroyed. As a result, the immune system must carefully assess the threat at the initial stages of infection and use the most appropriate response from the wide variety of weapons at its disposal. There is no one-size-fits-all response; different types of infection (viral, bacterial, parasitic) require different tailored responses in order to effectively deal with a threat. Moreover, each of these threats has evolved to use different strategies against us and evade detection. Some aim to steal nutrients to nourish their own tissues. Others, like viruses, invade our cells. Responding to a virus inside a cell requires a significantly different weapon to a bacterial infection outside of a cell. In the former case the infected cell has to be killed and engulfed or contained in a way that minimises the escape of the pathogen hiding within. For these more advanced viral threats, our immune system uses the special cell types in its armoury: cytotoxic T-cells and NK cells, which are able to detect and kill infected cells. Engaged in an arms race with our immune systems, viruses and bacteria can mutate at exceptional rates, leaving us vulnerable if the genes responsible for our defence fail to rapidly mutate in response.

Even if a pathogen evades our surveillance mechanism, a growing body of evidence suggests that our immune system looks out for other unusual secondary signs of danger, such as any unnatural tissue damage leading to cell death. This too can trigger and activate the immune system. This type of damage results in the creation of molecular patterns that act as danger signals. In this way if a pathogen initially evades direct detection, its presence will eventually be betrayed if it provokes such cell death.

Among the most critical features of this astounding system is the ability of the cells to communicate with one another and this is done through protein signals (cytokines) released by cells in response to the detection of molecular patterns deemed as threats. Like a bugle call, this alerts other cells into joining the fight. Identified threats are also tagged for removal by molecules called opsonins.

All of this is an incredibly vast operation, with the average human requiring a daily production of four hundred billion of these cell types (leukocytes) involved in securing us from a wide array of external threats. Much of this prodigious production rate is a result of the short half-lives of these cells, but without these noble microscopic warriors protecting us within an ingenious security structure, our world would be a great deal less secure and indeed impossible to exist in.

The Evolution of Phishing

It’s becoming increasingly clear that weak passwords and phishing offer far easier mechanisms for breaking into most organisations than exploiting software vulnerabilities. Email and the human threat vector are effectively seen by attackers as the weakest security links within most organisations. This should come as no surprise, given that email itself, like much of the early Internet, was developed without much thought given to information security. As a result, the vast majority of email communications continues to be inadequate in verifying user authenticity, and increasingly sophisticated professional criminals and state-level actors have access to a vast treasure trove of information on individuals within sites such as LinkedIn, Twitter, Facebook, personal information aggregating sites, business and national registries, along with information taken from a multitude of breaches.

A recent threat report finds that the frequency of email fraud attacks and the number of individuals targeted per organisation are continuing to rise. Attackers are also looking to make phishing even harder to detect, via new tactics such as using AI to monitor executives’ online behaviour, and AI-enabled chatbots to lure users into clicking on malicious links. Universities are also becoming a desirable target, with researchers detecting nearly 1,000 phishing attempts hitting at least 131 universities in 16 countries over the last year.

Emails attempting to steal corporate credentials have increased over 300% between the second and third quarters of 2018. The threat of such attacks is amplified by employees’ worsening security habits. A survey of 1600 global employees found that 75% of respondents reuse passwords across both personal and professional accounts, a figure which has drastically increased. 18-25-year-olds are reusing passwords at a particularly high percentage, suggesting that younger employees have perhaps less security experience and/or are simply less security inclined. Particularly worrisome for most organisations should be the finding that 15% would consider selling their workplace passwords to a third party. This highlights the significant insider security threat often overlooked by many companies.

State-level actors have also been accused of targeting businesses through phishing. In one case, spear-phishing emails were sent to hotel staff in at least seven European countries and one Middle Eastern nation. Opening the email’s .doc attachment deployed malware on the hotel machine that then infected equipment that controlled internal and guest Wi-Fi networks, allowing those responsible to attack people of interest.

Weak information security policies, insufficient awareness, inadequate enforcement and insecure system configurations often lead to an increased level of threat in all of these areas. In some cases information security awareness training is viewed as an inconvenience that is carried out (if at all) upon hire or annually without any further follow-up. This fails to support information retention and the formation of positive habits by the trainee. Only a sustained and well-planned year-round information security awareness programme can ensure that organisations prepare themselves for hostile actors and prevent insecure internal practices.

Given that emails continue to be the cyber-criminals’ vector of choice for distributing malware and phishing, the right course of action for organisations would be to address this major threat by reviewing and improving information security awareness programmes. In particular, regular and strategically planned phishing awareness exercises should be carried out to raise the alertness levels of employees to this threat. Digital signatures and email security software can also be deployed as further threat mitigating measures. While risk mitigation measures will seldom eliminate a threat, such measures combined with more secure system configurations, should go a long way towards significantly mitigating this sizeable threat, which is likely set to further grow through the use of more advanced AI attacks.

The Weakest Link

As the UK’s National Cyber Security Centre warns in its report The cyber threat to UK business 2017-2018:

“Supply chain compromises of managed service providers and legitimate software…provided cyber adversaries with a potential stepping stone into the networks of thousands of clients, capitalising on the gateways provided by privileged accesses and client/supplier relationships. It is clear that even if an organisation has excellent cyber security, there can be no guarantee that the same standards are applied by contractors and third party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim.”

“Supply chain compromises typically seek to introduce security flaws or other exploitable features into equipment, hardware, software, or services, prior to their supply to the target (or make use of a compromised supplier organisation’s connections to the target). Operations or activities are usually designed to breach confidentiality and integrity, but they may also be designed to affect availability (such as supplying defective equipment). Ongoing servicing, support or updates to equipment, hardware or software may also provide opportunities for threat actors to interfere with the supply chain…When done well, supply chain compromises are extremely difficult (and sometimes impossible) to detect.”

No matter how strong the information security structure of your business may be, you are only as strong as your weakest link, and often adversaries are aware that businesses fail to adequately assess the information security practices of their suppliers. The first step in efficiently prioritising your resources in this area is to know precisely who your key suppliers are and to maintain a consistent methodology to address this issue. You should also have in place criteria by which different types of information are classified based on sensitivity. The volume of data that the supplier has access to can also be a key part of the assessment criteria. In this way, we can place a higher level of scrutiny on critical suppliers that have access to sensitive business data. In some cases we may find that the supplier has no need to access certain data sets and so we can take adequate measures to limit access to only that which is necessary.

Suppliers that touch little to no company data of any kind are rare in the digital age, so many suppliers should be undergoing review by qualified and experienced information security professionals. The first step in engaging with suppliers on an information security review will often be a questionnaire, and these questions should be based on formalised information security standards. Ideally, critical suppliers should also be undergoing on-site reviews to verify the results of a question-based survey.

Once a formal supplier security process is in place and integrated into the procurement process, with criticality and risk ratings generated, a business can ensure that adequate measures are being taken to minimise the attack surface through a third-party vector. There are numerous benefits to having such a process in place, including a significant reduction in business risks such as damage to assets and reputation, and major fines. All of these can result in big financial losses. By having a formal review process, you also provide assurance to your suppliers that you have strong information security measures in place and that any shortcomings on their part may result in them losing your business. This therefore leads to an amplifier effect where your information security and that of your suppliers are increased in concert.

Ultimately, an adversary is looking for and needs only one small point of entry to carry out a costly attack on your organisation. As past events have shown, if organisations fail to carry out adequate information security reviews of their suppliers, it becomes only a matter of time until your company’s name may end up in the news – for all the wrong reasons.

The Importance of Information Security Metrics

Imagine for a moment a scientific experiment where no one measured anything. How reliable would the results be? Firstly, no one would be able to test a hypothesis with any real certainty. Even if observations were made, the experimenters would have to recall these from memory, with all of its inherent shortcomings. The experimenters would likely even disagree among one another over what they had observed. Then of course they would have to present their findings. They could describe the experiment, but all of the key questions like how much, how fast, etc. would all have to be left unaddressed or described in a qualitative manner: “The material combusted quite quickly.” or “The bacteria multiplied quite fast.” This would be enough for any respectable scientist to howl in laughter or pull their hair out in frustration. There would be no confidence in any of the findings and the study itself would be impossible to replicate. An unscientific scientific experiment indeed.

In a similar vein, no information security programme can be effective if it fails to gather relevant data to create metrics and track progress. While mistakes and biases can still skew results, the beauty of the scientific method is that it places our faith in facts and evidence. Like an astute detective scanning a crime scene with a keen eye, we must derive meaning from chaos. We can only do so by gathering information pertinent to the investigation.

What would be ill advised is to gather information without first knowing what questions we are trying to answer. Key questions to ask oneself when developing information security metrics include:

– What are the goals of my information security programme?
– How will metrics demonstrate the progress of my information security programme?
– What data do I have access to and what data will I need?
– What tools will I use to gather that data?
– How much time and money will it take to implement these metrics?
– Which metrics will be key indicators?
– How can I present these metrics in a way that can be understood by senior management and translates to the broader goals of the organisation?

We also need to be aware of the potential limitations and pitfalls of metrics. If they become too great an obsession, organisations and individuals can lose sight of the main strategic purpose of the metrics. The numbers become an end in themselves, to such an extent that it becomes a game of sorts; people and organisations desperately look for any way to show an improving metric by any means necessary, even if it happens to run counter to the spirit of that metric.

The old adage of “you can’t manage what you don’t measure” remains true in almost every field and organisational department. Ultimately the question we are aiming to answer with information security metrics is: Am I (or are we) spending time and money on what matters most? In that sense, an effectively implemented and sustained metrics initiative will prove to be invaluable in harnessing the full power of an information security programme.
