Achieving Cyber Resilience within Organizations

  Jun 12 2019


I do not for one moment believe that any professional would argue that we are not facing a time of digital instability in our interwoven worlds of business, social media, and the online services we all use. The associated risks may manifest as some cloaked communication with a must-read attachment, sent from a LinkedIn member who, for some reason, does not even possess a profile! Or, in line with this theme, it could be a tracking notice from Amazon, an HMRC tax rebate, or a surprise payment notification you were not expecting! Or could it be that cryptocurrency pot you were never aware of, which must be claimed within 24 hours or you will forfeit the unknown wealth of £7200.00 in profits you never realized you were entitled to! And that is only a sample of the ever-rising scams and potential security vulnerabilities waiting in the wings to pay unsuspecting users a call.

When we get to the world of the SME, and on up to big business, the risks multiply. Not only are all of the dangers discussed above potentially winging their way to a corporate mailbox, but on the macro scale of the business environment these risks are multiplied by an unknown factor of cyber and social risks. Here we may be considering the industrial-scale threats of ransomware, DDoS and backdoor intrusions, not to mention some of those over-trusted contractors who insist that they simply cannot work without the support of a privileged account. And just in case your bank or business has stockpiled some cryptocurrency to pay off a prospective attacker, it may be a good time to consider how such virtual assets are secured – before some passer-by decides to hijack them – and we have not even started to consider the ordinary users we rely on so much to get the daily corporate chores done. Yes, there is a long list to consider.

Having now spent over 30 years in an industry which has morphed into a world of cyber, when I look back down the operational road I realize that along the way, driven possibly by commercial exuberance, many of those early skills and teachings have been lost. In my opinion the cyber security challenge has risen far too high, up to the presentation layer, and has been (and still is) jumping over some of those important security nuts-and-bolts whilst delivering what is considered to be a semblance of robust Cyber Security. By inference, or in some cases ignorance, this leaves the supposedly protected enterprise wide open to any semi-skilled miscreant passer-by. My very good friend Steve Gold (RIP) once relayed to me the question he had posed when interviewing a group of successful German hackers – Steve asked:

‘How come you are so very accomplished at hacking into other people’s systems?’ However, Steve was somewhat taken aback by their response, when one member replied, ‘It is not us who are so accomplished, it is everybody else we have hacked who are just plain stupid, leaving loose ends exposed for manipulation’.

One of the major issues I have faced year after year when working with clients is the lack of appreciation of the risk model across the presented horizons of exposure, based on the Vertical, Horizontal, and 370° (the extra 10° applied for good cross-check measure) potential areas of insecurity. If any organization wishes to stand even a chance of surviving the ‘Era of Cyber Adversity’, then it is time to overhaul its kit-bag of skills and add to that container the required complement of trained and accomplished professionals, to ensure that when a situation is encountered there is more than just a pen and paper sitting on the desk with which the MIR team will attempt to scrawl out their immediate response plan.

Some of the most robust and sensible solutions I can ever offer to any client are to ensure that, as a minimum, the following areas are considered:

  • Conduct a Technology and People Threat Assessment, identify any areas in which shortfalls exist, and then look to the training budget to plug those holes – and in quick time.
  • As painful as it may be, at least get a grip of all your critical assets in whatever form they arrive in, for example: data, systems, infrastructure, people, business partnerships, real estate, etc.
  • Consider getting your staff trained, not just to a pen-and-paper level of skills, but to a level where they understand what the pragmatic, back-to-basics aspect of cyber security really expects in its full protective form.
  • Where specialist needs exist, such as supporting a first-response activity, conducting a digital forensics mission, or carrying out a fraud audit, remember that the success or failure of the outcome rests on two factors: current situational awareness of the art, linked to an accomplished professional who owns a safe pair of informed hands.
  • Know where your wires go – in other words, have an idea of the overall topology of the interconnected estate, including any promiscuous signal and other forms of expensive communications, say microwave. It is valuable information to have in hand when you are trying to decide what may be discounted in times of pressure.
  • Pay serious attention to employing the art of OSINT (Open Source Intelligence) to proactively watch over your social and digital assets and brand(s); or, in the reactive profile, use this powerful open-source world to monitor your interests after an attack and derive any useful adverse information which could assist you in mitigating the impact.

When training, I find that the most advantageous methodology is, along with a health warning, to demonstrate to the delegates the adverse side of security and to familiarize them with the darker side of the art. The theory here is that if they have been taken into the world of understanding the Poacher’s Mindset, they will be better able to understand him/her at such time as they commence battle. The second benefit of the Certified Cyber Security Specialist course is that, if we can lower the mindset from the presentation layer of anticipated risks, we may also start to understand those holes that have been missed by the operational staff, which are so eagerly sought after by our potential adversaries.

About the Author

Prof. John Walker FBCS CISM CRISC CITP ITPC FRSA

John is a leading expert in the field of Cyber-Security, with over 30 years of international experience. He is a World Class Info-Crime and Cyber Security Researcher who has worked within the Covert Worlds of CESG, GCHQ, ‘TK’ Sky Technology and the Security Services. He has delivered over 90 Global Presentations and has originated over 100 Papers and Articles on Cyber-Security. He is actively involved in supporting the countering of eCrime, eFraud and on-line Child Abuse, is an ENISA CEI Listed Expert, and is an Editorial Member of the Cyber Security Research Institute (CRSI).

John is a Fellow of the British Computer Society (BCS), a Fellow of the Royal Society of the Arts (RSA), a Board Advisor to the Digital Trust and a Writer for SC Magazine UK. He was the Originator of a DarkWeb Threat Intelligence, CSIRT, Attack Remediation and Cyber Training Service/Platform, an Accreditation Assessor and Academic Practitioner, and an Accredited Advisor to the Chartered Society of Forensic Sciences in the area of Digital/Cyber Forensics.

John is also a practising Expert Witness in the area of IT, and the originator and author of a CPD/MSc Module covering Digital Forensics and Investigations. Professor John Walker is a Visiting Professor at the School of Computing and Informatics, Nottingham Trent University (NTU), Visiting Professor/Lecturer at the University of Slavonia, CEO of HEXFORENSICS LTD, and an Independent Consultant in the arena of IT Security, Forensics and Security Analytics.
