
Cybersecurity Threats: How to Keep Up the Pace Using Different Cybersecurity Frameworks

What we refer to as Cyberspace is in fact the totality of interactions between people, services, software etc. on the Internet. Cyberspace as such does not exist in any physical form, and thus it is often perceived as an abstract notion which signifies processes, actions and platforms, exchanges and online communications. The aims of cyber-attacks range from identity theft and financial fraud to political hacktivism. People willingly share information about themselves on social networks and in chats, which often leads to the creation of digital files of personal data that can be abused later on. At the same time, corporations and their information assets are exposed to various risks because they are open, digitized and operate through the Internet. Cybersecurity incidents impacting business may result from different threat agents:

Insider attacks – Typically initiated by employees or contractors who have access to a computer or network within an organization. It could be unintentional misuse or intentional abuse. Some examples of this kind of attack are: access to users’ password information by an authorized system administrator; using packet sniffer software; acting as a middleman in unprotected Wi-Fi networks; using malware that places the network interface of the infected computer into promiscuous mode in order to eavesdrop on traffic through the private network, etc.

Attacks from outside – There are different types of attack from outside the private network. They can be divided into:

  1. Attacks for financial purposes – These can be carried out by hackers themselves as well as by people who provide attack capabilities to others, such as distributed denial of service (DDoS). They are often used by organized criminal groups to blackmail an organization. For these kinds of attacks different methods and approaches could be used: port scanners, buffer overflows, IP spoofing, botnets, phishing, etc.
  2. Industrial spies – This category of attackers usually works on behalf of competitors and tries to gather information such as production capacity, technologies involved and plant architecture. Such attacks could also be initiated by foreign governments to steal industrial secrets, disrupt production, exploit safety hazards, etc.
  3. Hacktivism – Hacking for a politically, socially or environmentally motivated purpose.
[Infographic: cyber-attacks]

Due to the many possible threats, the most important challenge today is to preserve the confidentiality, integrity and availability of information in the Cyberspace – which is to say, to provide cybersecurity. For that purpose, there are several frameworks and standards that serve as a base for developing and implementing an efficient cybersecurity program.

Cybersecurity is, however, not synonymous with Internet security, network security, application security, information security, or CIIP (Critical Information Infrastructures Protection). It has a unique scope requiring stakeholders to play an active role in order to maintain and improve the usefulness and trustworthiness of the Cyberspace (Figure 1).

Security technology has not kept pace with the rapid development of IT, leaving systems, data, and users vulnerable to both conventional and novel security threats. Cybersecurity standards improve security and contribute to risk management in numerous imperative ways.

Standards help in establishing common security requirements and the capabilities necessary for fast responses and safe solutions. The importance of having a framework isn't in question; however, which framework works best for the organization is something to be decided with caution, because there are about 250 different security frameworks used globally, developed to suit a wide variety of businesses and sectors.

One approach that could be used for better preparation for cyber-attacks at the national level is the Evaluation Framework for National Cybersecurity Strategies prepared by the European Union Agency for Network and Information Security (ENISA). Many countries in Europe have a national cybersecurity strategy in place as a key policy, which helps them to mitigate risks that could jeopardize the information assets in the Cyberspace. ENISA has analyzed the existing national cybersecurity strategies and developed guidance and practical tools for developing and evaluating these national strategies. The key objectives of a cybersecurity strategy evaluation framework are:

  1. Develop cyber defense policies and capabilities
  2. Achieve cyber-resilience
  3. Reduce cybercrime
  4. Support industry on cybersecurity
  5. Secure critical information infrastructures

Published by the US National Institute of Standards and Technology in 2014, the NIST Cybersecurity Framework provides a common language for understanding, managing, and expressing cybersecurity risks both internally and externally. It is a tool that helps align business, policy, and technological approaches to managing risk, and it can be used to identify and prioritize actions for cybersecurity risk reduction. The framework is a risk-based approach to managing cybersecurity risks and consists of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each component of the Framework supports the connection between business drivers and cybersecurity activities.

The Framework Core is a set of cybersecurity activities, anticipated results, and applicable references that are common across critical infrastructure sectors. The Framework Core comprises five simultaneous and continuous functions – Identify, Protect, Detect, Respond, Recover. Taken together, these functions provide a high-level, tactical view of the lifecycle of an organization’s management of cybersecurity risks. For each function, the Core then identifies main categories and subcategories and matches them with example Informative References, such as existing guidelines, standards, and practices, for each subcategory (Figure 2).

ISO/IEC 27001 could be used as a cornerstone of an Information Security Management System (ISMS) and expanded with ISO/IEC 27032 which is helpful in preventing potential cyber-attacks and protection in case of cyber incidents. The first step is the identification of all physical and virtual, personal and organizational assets. One of the main virtual assets is an individual consumer’s online identity.

Online identity is considered an asset since it is the key identifier for an individual consumer in the Cyberspace. Other virtual assets of an individual consumer include references in virtual worlds.

In virtual worlds, members often use virtual avatars to represent or identify themselves or to act on their behalf. Often a virtual currency is used for virtual transactions. These avatars and currencies can be considered assets belonging to an individual consumer. IT hardware and software, as well as personal digital devices or endpoints that allow a consumer to connect to and communicate in the Cyberspace, are also considered assets in the context of this international standard. ISO/IEC 27001 can bring many benefits despite the higher cost of certification that comes with it. It is accepted as a global benchmark for the effective management of information assets. On the other hand, a BCMS aligned with ISO 22301 will ensure that your Business Continuity Plan remains up to date and becomes part of the organization’s culture. It will support the efficient management of a BCMS and ensure the minimization of Business Continuity Management risks. Because ISO/IEC 27001 maps well onto other frameworks, it can also be supplemented with frameworks such as the CIS Top 20 CSC, which is not as comprehensive as other frameworks but gets updated every 2 years.

[Infographic: cybersecurity frameworks and threats]

Both NIST and ISO/IEC 27001 are technology-neutral and applicable to any type of organization, and both aim to achieve business benefits while meeting legal and regulatory requirements and the requirements of all interested parties. The biggest similarity is that both are based on risk management, meaning that they both require security measures to be implemented only where cybersecurity risks have been identified. The NIST Cybersecurity Framework is better when it comes to structuring the areas of security that are to be implemented and to defining exactly the security profiles that are to be achieved; ISO/IEC 27001 is better for making a full picture: for designing a system within which security can be managed in the long term. The next and very important step is risk assessment, which means the identification and analysis of threats and vulnerabilities.

The results of risk assessment could be used for the determination and implementation of the appropriate cybersecurity measures. There are different kinds of cybersecurity controls, such as:

  1. Application-level controls
  2. Server protection controls
  3. End-user controls
  4. Controls against social engineering attacks
  5. Cybersecurity readiness controls
  6. Other controls

Some examples of application level controls are:

  1. Display of short notices, which provide clear, concise one-page summaries of the policies
  2. Secure handling of sessions for Web applications (cookies)
  3. Secure input validation (prevention of SQL-Injection)
  4. Secure Web page scripting (prevention of Cross-site Scripting)
  5. Code security review and testing
  6. Ensuring that the consumer can authenticate the service (subdomain, https credentials)
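As an added illustration of controls 2 to 4 above (example code written for this article, not from the original post or any standard), the snippet below shows a string-built SQL query beside its parameterised form, HTML output encoding against cross-site scripting, and a session cookie issued with the Secure, HttpOnly and SameSite attributes; the users table and its rows are constructed here for the demonstration.

```python
import html
import sqlite3
from http.cookies import SimpleCookie


def make_db():
    # Constructed in-memory table so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def lookup_user_unsafe(db, name):
    # Vulnerable form: the caller's input becomes part of the SQL text,
    # so a quote in the input changes the meaning of the statement.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_user_safe(db, name):
    # Hardened form: the driver binds the value as data, never as SQL,
    # so the same input simply matches no row.
    return db.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(name):
    # Output encoding for the HTML body context: angle brackets, ampersands
    # and quotes are turned into entities, so scripts cannot be injected.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def session_cookie_header(session_id):
    # Session cookie restricted to HTTPS (Secure), hidden from page scripts
    # (HttpOnly) and not sent on cross-site requests (SameSite=Strict).
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")
```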

Also, it is very important that end users take certain security measures, such as:

  1. Use supported operating systems, with the most updated security patches installed
  2. Use anti-virus and anti-spyware tools
  3. Enable script blockers – accepting only the scripts from trusted sources
  4. Use phishing filters
  5. Enable a personal firewall and HIDS
  6. Enable automated updates – ensure that systems are updated with the latest security patches whenever they are available

Cybersecurity frameworks provide organizations with useful templates to guide their cybersecurity efforts. By leveraging the work which has already been done to develop these frameworks, an organization can improve its cybersecurity more rapidly than would otherwise be possible for a given resource expenditure. Frameworks are available in varying degrees of focus.

Where appropriate, organizations may wish to use elements from multiple frameworks to mold a structure that meets their specific requirements. Likewise, the controls advocated within the framework standards may be augmented as required by additional controls to meet new risks arising from changing threats, changing vulnerabilities, changing assets, changing business objectives, or other changing factors that may arise.
