Opportunity breeds thieves – what hackers and burglars have in common...

Author
Reinhold Zurfluh
Published
19. October 2018

...and what this means for your Cyber Security...

The days are getting shorter and the nights longer, and as happens every year, the number of burglaries will (unfortunately) rise again. The reason is obvious: burglars use the cover of darkness to move around unseen. You may be wondering why I am writing about this in our Cyber Security Blog. Quite simply, because much of what happens during a break-in and the subsequent criminal investigation (hopefully leading to the arrest of the perpetrator) carries over directly to cyber security.

Doors and locks work well – but even so, there are break-ins and cyber attacks

It is not true to say that the victims of a burglary have been careless. Doors and windows are carefully locked when leaving the house or apartment; if necessary the openings are even fitted with lockable handles or security film, and yet the burglar can still get in silently. Exactly the same happens day in, day out with cyber attacks. ICT security walls have been built ever higher, but they barely slow down a professional attacker: he will find a way in and a way to reach his goal. This is why, alongside prevention, rapid detection and response are becoming ever more important. But I don't want to frighten you, quite the opposite! I want to encourage you to take your cyber security strategy one step further and, for your own protection, devote more attention to intrusion detection and response.

Detection & Response – what we can learn from a break-in

Back to our analogy with a break-in: When it comes to burglar detection, we increasingly rely on technical assistance such as alarm systems, video surveillance and motion detectors, etc. But people are also extremely important – watchful neighbours or a police patrol. Once the alarm system has gone off, things have to move quickly. The police will do everything they can to catch the culprit in the act. If this doesn't succeed, the specialists in forensics and tracing will come in. With all the small pieces of the puzzle, the police then (hopefully) succeed in arresting the burglar, recovering the loot and so minimizing the damage to the victim.

Why only experts are good enough

It's exactly the same with cyber security: detection solutions together with the skill and experience of analysts are needed to detect a cyber attack. Once a security incident is detected, a team of experts, the CSIRT, is deployed. This team does everything it can, with appropriate means, to limit the extent of the incident and the damage it causes. Just as with a burglary, a security incident should be handled by genuine specialists. After all, you would be sceptical if traffic policemen were sent to search for clues instead of detectives or forensic experts!

5 Functions – 360° coverage for your cyber security

Of course, it remains essential to invest in targeted measures to defend against cyber attacks. But I am convinced that focusing on preventive measures alone is clearly not enough. A systematic security strategy that covers risk management, information protection, the detection of and response to security incidents, and recovery and continuous improvement is the be-all and end-all of successful cyber security. Incidentally, this is also what the NIST Cyber Security Framework stipulates and what FINMA, for example, requires of Swiss financial service providers. In fact, you are already familiar with the principle: it is the same procedure we have always followed after a home burglary. In one of our recent blog posts we explained this graphically, including an information poster you can download free of charge.


NIST Cyber Security Framework in brief:

  • IDENTIFY: The identification of risk and the associated threat potential is one of the most important prerequisites for being able to define effective measures in the sphere of cyber security.
  • PROTECT: This is the "traditional" part of IT security, i.e. the protection of confidential information and critical systems, as well as making staff aware of the issues involved.
  • DETECT: Traditional security systems have their limits when it comes to detecting advanced attacks and zero-day exploits. The aim here is to detect cyber attacks as quickly as possible, in order to minimize their scale.
  • RESPOND: As well as detecting attacks, it is crucial to have proven experts who can react swiftly and professionally. Standardized incident handling processes, for example along the lines of the SANS incident handling steps, help contain the incident and restore normal operations promptly.
  • RECOVER: After an attack, normal operations must be restored. In addition, lessons for the future must be drawn from every incident, in order to improve security in the long term.

Free tutorial for a Cyber Security Framework:

We have compiled the measures required in each phase of a cyber security framework into a checklist that you can download. You too can benefit from our free framework:

 


 

(Like a burglary) a security incident can happen to anyone

You need to come to terms with the fact that your company, too, may become the victim of a security incident. For you, this means being able to recognize a security incident when it occurs and to respond quickly. Just remember the GDPR obligation to report a personal data breach to the supervisory authority within 72 (!) hours of becoming aware of it. (Note: it often takes weeks or even months for a successful attack to be detected at all. So three days, whether they fall on a weekend, during holidays or on a public holiday, is a real challenge.)
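To make the DETECT and RESPOND functions above, and the dwell-time problem just described, concrete, here is an added example (not code from the original post or from InfoGuard). It runs a simple "alarm system" over a handful of constructed SSH authentication log lines: the classic burst-of-failures-then-success pattern that a brute-force login leaves behind. The log format, host names, IP addresses, the five-failures-in-five-minutes threshold and the review date are all assumptions made for the demonstration.

```python
"""Brute-force-then-success detection over a constructed SSH auth log.

Added example, not part of the original blog post. All log lines are
constructed; threshold, window, hosts and addresses are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: sshd messages with ISO-8601 UTC timestamps (assumed format).
# 198.51.100.23 hammers several accounts and finally gets in as "deploy";
# 192.0.2.10 is a legitimate user who mistypes a password once.
SAMPLE_LOG = """\
2018-10-12T02:14:03Z web01 sshd[4121]: Failed password for root from 198.51.100.23 port 51022 ssh2
2018-10-12T02:14:05Z web01 sshd[4121]: Failed password for root from 198.51.100.23 port 51023 ssh2
2018-10-12T02:14:08Z web01 sshd[4121]: Failed password for admin from 198.51.100.23 port 51024 ssh2
2018-10-12T02:14:10Z web01 sshd[4121]: Failed password for admin from 198.51.100.23 port 51025 ssh2
2018-10-12T02:14:13Z web01 sshd[4121]: Failed password for deploy from 198.51.100.23 port 51026 ssh2
2018-10-12T02:14:16Z web01 sshd[4121]: Accepted password for deploy from 198.51.100.23 port 51027 ssh2
2018-10-12T08:02:41Z web01 sshd[4388]: Failed password for alice from 192.0.2.10 port 40011 ssh2
2018-10-12T08:02:49Z web01 sshd[4388]: Accepted password for alice from 192.0.2.10 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text):
    """Return a list of (timestamp, host, result, user, src) for recognised sshd lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line: skip it rather than abort the scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=5)):
    """Raise an alert when one source address accumulates at least `threshold`
    failed logins inside a sliding `window` and then gets an accepted login."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still in the window
    alerts = []
    for ts, host, result, user, src in sorted(events):
        q = recent_failures[src]
        while q and ts - q[0] > window:
            q.popleft()  # expire failures that slid out of the window
        if result == "Failed":
            q.append(ts)
        elif len(q) >= threshold:
            alerts.append({"time": ts, "host": host, "src": src, "user": user,
                           "failures_before": len(q)})
            q.clear()  # one alert per burst; a new burst must start from zero
    return alerts


def incident_clock(compromise_time, detection_time, notify_window=timedelta(hours=72)):
    """Dwell time (compromise until detection) and the end of the 72-hour
    notification window, which only starts once the incident is actually known."""
    return {"dwell": detection_time - compromise_time,
            "notify_by": detection_time + notify_window}


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    alerts = detect_bruteforce_success(events)
    for a in alerts:
        print(f"ALERT {a['time']:%Y-%m-%d %H:%M:%S} {a['host']}: {a['src']} logged in as "
              f"{a['user']} after {a['failures_before']} failed attempts")
    # Real-time alerting: detection lags the compromise by seconds.
    print(incident_clock(alerts[0]["time"], alerts[0]["time"]))
    # Same log only looked at during a (constructed) monthly review: weeks of dwell time.
    print(incident_clock(alerts[0]["time"], datetime(2018, 11, 5, 9, 0)))
```

Run as is, the script flags the attacker's successful login while leaving alice's single typo alone, and the two `incident_clock` calls make the point of the note above: with real-time detection the 72-hour clock starts minutes after the compromise, whereas a log that is only reviewed weeks later yields a dwell time of over three weeks before the clock even starts.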

Detection & Response are not disciplines that the IT department can carry out "on top of other work" - particularly as today's requirements for ensuring normal operations are already a huge challenge. This paradigm shift, putting the focus on the timely detection of risks and attacks, is the starting point for taking the correct response measures and predicting and preventing potential damage. None of these tasks can be accomplished without a Security Operations Center (SOC), or as we call it Cyber Defence Center (CDC), with a specialized CSIRT (Cyber Security Incident Response Team).

CSIRT tracks down the attacker

Without a cyber defence center of this kind, companies may not detect attacks at all, or only too late. As a result, they cannot respond adequately to threats. This makes a dedicated incident response team indispensable, an assessment that is also confirmed by the SANS 2017 Security Operations Center Survey.

A dedicated incident response team in a cyber defence center helps to minimize the length of time a security incident lasts and the damage it causes, as well as drastically reducing its business impact. Cyber defence is a demanding job - and goes far beyond network monitoring. Therefore, it is advisable to call in professional help. This means that companies are not at the mercy of cyber security incidents and at the same time benefit from the experience and knowledge gained from dealing with other security incidents. Ultimately, this helps to strengthen cyber resilience and improves the protection of corporate assets in a targeted, long-term way.

Cyber defence – a multi-faceted subject

Cyber defence is crucial in the battle against cyber criminals. For this very reason, you can expect more blog articles, tips and tricks from our experts, as well as checklists and whitepapers on the subject of cyber defence in the near future, in which we will explain step by step what cyber defence is all about and why it is so important. Subscribe to our blog updates now to make sure you don't miss any of the other articles. You won't regret it, quite the opposite!
