Cybersecurity is typically associated with protecting systems from attacks. While protection is important, it is not sufficient to concentrate our efforts on this goal alone. We can never achieve complete protection of our systems; even trying to get close to this goal would cost infinite resources.
Why is that?
- The weakest link counts. Our systems are complex: we would have to check every line of our source code and every configuration of our infrastructure, make sure every security measure is 100% tested, and keep everything up to date in real time. This is not achievable; the effort expended would ruin every business case.
- We cannot keep up with our adversaries. The technical capabilities of hackers are very powerful and constantly evolving. Even so-called ‘script kiddies’ can use automated toolsets to scan systems for vulnerabilities and exploit them. There is a professional market for zero-day exploits, so we would have to close holes in our system that we do not even know about yet.
Broadening the scope of cyber security to cyber resilience helps to overcome this dilemma. The term resilience has been used in different areas such as psychology or engineering for a long time and means ‘to be able to cope with catastrophic events by limiting the effects and recovering quickly’. With cyber resilience we aim to:
- Make sure that essential business processes can continue to operate even in the event of a successful cyber-attack.
- Keep the disruption of a security breach minimal. Disruptions can be efforts to deal with the breach, financial losses, or loss of trust with customers or business partners.
To achieve this, we need to change our focus. Instead of focusing on protecting our systems alone, we need a balance of seven disciplines:
- We identify factors influencing cybersecurity and derive the risks and appropriate mitigating measures from them to build a resilient system.
- We protect the system and make it hard for attackers to penetrate it.
- The system is designed to contain the attack within defined boundaries and to limit its effects in case it should be compromised.
- Logging and monitoring helps us to detect attacks and penetrations as early as possible, ideally by actively notifying us.
- The response to security incidents consists of analysis, mitigation activities and communication with stakeholders.
- Quick recovery has been planned beforehand with means to enable business continuity such as physically distributed sites and backups of data.
- We gather knowledge about vulnerabilities, from attacks, and developments in the security scene to evolve our security measures.
The first two pillars above, identification and protection, are well understood, and you will find a lot of information on them. In the remainder of this article, I would like to explore the remaining five areas in more detail to make the shift from cybersecurity to cyber resilience more apparent.
Contain the attackers where they penetrated the system
Attackers can use the smallest gap to penetrate a system, e.g. a slight misconfiguration or a zero-day exploit. Often, they are not only interested in the system they originally hacked but use it as a springboard to gain access to other systems on the network where they can collect further data.
We have two architecture principles which help us to contain the extent of an attack. They can be applied to both software and infrastructure:
- Defence in Depth – Build systems like a medieval castle. Defend it on different levels and with different methods. This forces an attacker to overcome several hurdles to break in.
- Least Privilege – A modularized system allows you to keep the permissions of each component as low as possible. Also give users only the rights that are absolutely necessary for their role.
Detect breaches immediately
A lot of hacks are only detected days, weeks or even months after an attacker first breached the system. That is a long time in which damage can be done. Observability is a well-known DevOps concept that helps to detect breaches quickly, with meaningful logging and monitoring and a mechanism to accurately detect anomalies.
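As an added illustration of the "detect, then actively notify" idea (example code, not from the original article): a small detector that runs over constructed SSH authentication log lines and raises an alert when a source succeeds in logging in after a burst of failures. The log lines, the threshold and the window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (syslog-like); not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd[101]: Failed password for admin from 198.51.100.7
2024-03-01T10:00:02Z sshd[101]: Failed password for admin from 198.51.100.7
2024-03-01T10:00:03Z sshd[101]: Failed password for root from 198.51.100.7
2024-03-01T10:00:04Z sshd[101]: Failed password for admin from 198.51.100.7
2024-03-01T10:00:05Z sshd[101]: Failed password for admin from 198.51.100.7
2024-03-01T10:00:09Z sshd[101]: Accepted password for admin from 198.51.100.7
2024-03-01T10:05:00Z sshd[102]: Failed password for alice from 203.0.113.5
2024-03-01T10:05:30Z sshd[102]: Accepted password for alice from 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce_success(log_text, threshold=5, window=timedelta(minutes=2)):
    """Flag a source that logs in successfully after >= threshold failures within window."""
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                # keep going on unparseable lines, never crash the monitor
        ts, result, user, src = parsed
        failures[src] = [t for t in failures[src] if ts - t <= window]   # slide the window
        if result == "Failed":
            failures[src].append(ts)
        elif len(failures[src]) >= threshold:
            alerts.append({"src": src, "user": user, "failures": len(failures[src]), "at": ts})
            failures[src].clear()   # one alert per burst
    return alerts

if __name__ == "__main__":   # active notification: in practice this would page a responder
    for a in detect_bruteforce_success(SAMPLE_LOG):
        print(f"ALERT {a['at'].isoformat()}: {a['failures']} failures then success for {a['user']} from {a['src']}")
```

On the sample data only the first source is flagged; the single failure from the second source stays below the threshold.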
On clients, especially mobile devices, we can detect tampering, e.g. if the software is running on a rooted or jailbroken device, if a debugger has been installed or if the software is running in an emulator.
The organisational level is also important. Employees or users can notice and report security incidents they observe if they know the appropriate reporting channels.
Be prepared to respond to cyber-attacks
Responding to cyber-attacks is mainly an organisational topic:
- Processes on how to react to security events must be in place. In the event of an attack, speed is of the essence. Therefore, you should have planned who is responsible for actions such as analysing the event that has happened, communicating with relevant stakeholders and remediation to regain control of the situation.
- Additionally, you should have a business continuity plan outlining procedures and instructions on how the organization responds to disruptions; it covers business processes, assets, human resources, business partners and more.
Have your recovery measures in place
After an attack, it is often not easy to clean everything up. If systems or data have been manipulated, it is difficult and time-consuming to find out what has been changed and to completely remove any "infection". Going back to a safe state is usually the best solution. To do this, you need backups of systems and data, as well as backups of your sites. Procedures for restoring backups and switching between sites need to be well tested so that if the worst happens, all operations run smoothly.
Don’t stand still, evolve your measures to keep up
Cyber resilience is a never-ending process:
- You change your systems and need to re-evaluate what these changes mean for security.
- The overall security situation changes with new threats you need to defend against.
- New vulnerabilities become known in libraries or utilities that you then need to update.
- You learn from security incidents or attempted attacks.
You need to constantly develop your knowledge and security measures so that your defences are always up to date with the latest threats.
Cyber resilience needs a comprehensive approach
Cyber resilience cannot be solved by technology alone. Only the close interaction of measures at the technical, organisational, and human levels can ensure that the goals of cyber resilience are achieved, so that critical business processes continue to function even in the event of successful attacks and the consequences of disruptions are minimised.
Zero-day exploits are security vulnerabilities that are not publicly known and can be exploited by hackers before they can be fixed by developers.