The ever-increasing threat of cyber-attacks on organisations around the world and their potentially devastating financial, reputational, or operational impact on the business means it has never been more important to position Cyber Security as a major issue in front of the C-Suite. The C-Suite holds ultimate accountability for an organisation’s approach to risk in both setting the appetite for Cyber risk for the business and ensuring sufficient budget & resource is assigned to manage Cyber risk to within the appetite. If they are not appropriately informed of the risks associated with Information Security (IS), the organisation may not put in place the correct and appropriate mitigations to protect the organization from their top threats and risks.

Failure to effectively protect against these cyber threats can have both organisational and personal consequences for executives. For example, The Senior Managers and Certification Regime (SMR) is an FCA enforced regulation that assigns responsibility for Information Security to executive level employees, making them liable for correct implementation of cyber protections for IS.

This article will provide you with a 4-stage approach on how to better engage the C-Suite in your organisation on Information Security, to build a fruitful partnership between these executives who direct budget & resource towards Information Security and the Cyber teams who are responsible for the oversight & implementation of security.

Stage 1: Introducing the Execs to Cyber Security

In this first session with the C-Suite, it is imperative that you initiate the conversation by focusing on an introduction to Cyber Security that provides an overarching view of the organisation’s Cyber Security capabilities and operating model, that will encourage future more in-depth discussion.

Outline the responsibilities the organisation and executives have towards Information Security and how these align with the strategic priorities of the organisation & Cyber team. This should include a presentation of the top threats to the organization (both internal & external), the risks that they expose the organisation to and the existing roadmap to mitigating these risks. This will provide a high-level overview of the organisation’s Cyber capability and will set the tone ready for future conversations with the C-Suite.

Provide an overview showing the blueprint for Information Security and how security integrates and adds value to the rest of the business. It is important to include metrics that can be used to compare the organisation’s approach to Cyber Security against peers within the market. A difference in budget or team size compared to a competitor can provide guidance on whether the organisation is assigning adequate resources and budget to the issue. 

Stage 2: 360 Audit

After successfully introducing the C-Suite to Information Security, it is now essential that you lock in that second session where you can provide a more granular breakdown of the organisation’s Cyber Security capability with a clear focus on where resources need to be focussed.

Industry standard frameworks, such as ISO and NIST, should be deployed to measure an organisation’s Cyber Security maturity and provide analysis on potential improvements that can be presented to the C-Suite executives. These frameworks offer controls against which the organisation can be benchmarked, to identify areas that require maturing to mitigate risk from the organisation’s top threats. While these frameworks in their original state offer a good measurement of maturity, it is important to refine the controls so that the framework is tailored towards the organisation, taking into consideration the industry sector and regulatory environment. Wavestone recommends taking the NIST framework as a basis and fitting it to the specific stakes of the organisation to overcome any framework limitation and focus it on the businesses’ needs.

Wavestone have built our own framework, called the Cyber Benchmark, that leverages the best of industry frameworks to provide a comprehensive approach to maturity assessment with organisational & technological perspectives included. We recommend organisations follow a similar approach to accelerate their framework improvements to increasing their Cyber maturity.

Capturing the attention of senior executives to invest time & resources into developing a framework to improve Cyber maturity can be difficult. A good methodology is to provide real life evidence of their security vulnerabilities, for example by presenting evidence of how an internal ‘Red Team’ gained access to the mailboxes of the senior executives present, with an explanation of how few days it took. 

Stage 3: Programme and Framework

Once this more granular breakdown has been presented, a key priority must be to ensure the C-Suite has bought into the Cyber Security strategy & roadmap; developed using the maturity improvement opportunities identified through the framework assessment. Buy in from the C-Suite on the roadmap will guarantee the required funding & resources required to implement these enhancements.

Using the customised framework, develop a roadmap that focuses on maturing controls that will most effectively reduce the risk from the organisation’s top threats. This roadmap will become the building blocks for the security programme. The security programme should be defined so that it provides clear targets to be met to ensure compliance with the customised framework controls, beginning with a remediation approach that will guarantee a standard Cyber maturity across the organisation, and followed by steps to achieve the Cyber maturity goals. Ensuring a standard maturity across the organisation will alleviate the risk from current threats, while building on this to achieve maturity targets will reduce the potential risk from over-the-horizon threats.

Programme support can be leveraged from a specialised Project Management Office (PMO) that will supervise the execution of the programme. It is important that this PMO curates a good relationship between IT who will implement the roadmap to maturity and the business, so that the benefits are understood and extracted across the organisation.

Stage 4: Risk Quantification and Business Accelerators

The final stage of engaging with the C-Suite requires you to demonstrate the return on investment (ROI) that Cyber Security can deliver, both through risk reduction from top threats and as a business enabler that encourages expansion into new territories and engaging new client relationships.

Implementing the appropriate customised framework to the organisation and following the established roadmap to Cyber Security maturity will require an increased budget allocation. However, it is important to emphasise to the board that the return on this investment will far exceed the initial cost due to a dramatic decrease in the scale and severity of risk that the organisation is exposed to. Use calculations to demonstrate this Return on Investment (ROI) quantitively and link this to the efforts and changes delivered by the security programme. It should also be explained that this initial outlay required to deliver the security programme is far less than the potential financial, reputational, and personal (e.g., SMR) repercussions that would result from a failure to adequately protect information systems during a cyber-attack.

As well as preventing the serious repercussions of failing to protect information systems in an attack, Cyber Security can also become an important business enabler. Effective Cyber Security will ensure that your customers are retained in the event of a properly managed security breach, as well as confirming your organisation as a secure manager of customer data & details, increasing your attractiveness to new customers. A secure organisation can move swiftly into new business environments & seize opportunities with confidence that their Cyber Security maturity will be able to resist potential additional threats that may arise from this expansion; opening the door for the organisation to safely engage a wider client base.

Conclusion

Following the 4-stages outlined in this article will allow you to foster a strong relationship with the C-Suite on Information Security, ensuring they are aware of their responsibilities for Cyber Security under the SMR and that they assign budget & resources appropriately to deal with the top threats facing the organisation. The customised framework will allow these executives to understand the current Cyber Security posture of the organisation and buy in to the roadmap for future maturity. Once this vision of mature Cyber Security has been delivered, the business incentives can be leveraged to ensure the C-Suite continues to invest in developing Information Security within your organisation.

Cet article Engaging the C-Suite on Information Security est apparu en premier sur RiskInsight.

Cyber Supply Chain attacks are a growing trend amongst cybercriminals where one attack can leave countless organizations vulnerable and potentially damaged.  You’ve seen the headlines following a number of high-profile incidents in recent months.  The European Union Agency for Cybersecurity (ENISA) warns that these types of attacks are now growing 400% year-over-year as cybercriminals are shifting to larger, cross-border targets.

Attackers’ main motivations remain to gain access to source code and customer data, and now they can do so across multiple target organizations by first compromising vendor software being deployed to those companies and government agencies.  This is an ingenious (and nefarious!) approach on a few fronts:

1. This type of attack can generally get around any target company’s strong cybersecurity posture, particularly related to its perimeter security; the attack is brought into the target environment via a trusted vendor’s product.
2. Such an unsuspected attack vector (a form of “friendly fire”) means that the attacker’s “dwell time” within the target can be quite long before discovered (or revealed in the form of ransomware!). Quite a lot of damage can be done during this time.   
3. The shear breadth in number of targets that can be addressed via a single attack is immense; the economies for a cybercriminal vastly multiply their criminal profitability.

About 50% of these attacks can be attributed to known advanced persistent threat (APT) organizations (e.g., the Russian state-sponsored threat group APT29, a.k.a. “Cozy Bear”, responsible for the 2020 SolarWinds attack).  These APT groups have access to many resources and much funding enabling their creativity for damage and not getting caught.  Hence, these attacks are growing rapidly and more complex with such backing; and this trend will continue, enlarging the gap between such risks and an organization’s ability to detect and remediate them in a timely fashion.     

Some most notable recent cyber supply chain attacks include:

• SolarWinds – Where attackers in 2020 exploited known vulnerabilities in its IT software Orion (used to manage servers in many organizations, including large businesses, several arms of the U.S. government, threat response firm FireEye, and Microsoft.
• Kayesa – More recently in 2021, the notorious REvil ransomware gang (another APT organization) exploited known vulnerabilities in IT management platform Kayesa VSA, which ultimately compromised an estimated 1,000 organizations that use the platform.

C-SCRM Survival Tip #1: In terms of your organization’s vendors for software or hardware, etc., it turns out that their risk model is now your risk model!  Frankly, it always has been, and attackers have evolved to take advantage of this existing threat vector.

Graphic #1: Unavoidably Intertwined Operational Models in Managing Cyber Supply Chain Risk

Hence, the complete Cyber Supply Chain lifecycle for all your business applications and IT tools must be considered within your Cybersecurity strategy and practices.  This means that before you choose a vendor, you should assess their security posture and security & incident management processes BEFORE you allow them to contribute software, tools, or equipment to your otherwise secure enterprise.

More so, beyond an initial assessment and acceptance of a vendor’s software, etc., the acceptability of a vendor’s continual access to your environments via releases and patches of their products needs to be continually monitored and assessed.     

C-SCRM Survival Tip #2: Shift Security Left. The only way to fully secure your enterprise continually is to ensure the sanctity of anything that comes into it.  That includes all vendor products that would integrate into your IT environments, etc., and the vendor’s lifecycle for development and deployment of their products.  You can only be as secure as they are!   

C-Supply Chain Risk Management – Definition and Scope

Attacks on Cyber Supply Chains continue to take advantage of ongoing disconnects in an organization’s understanding of the related supply chain risks and how to deal with them:

• Most organizations have a false sense of security (“blind spots“) based on assumptions that their vendors are already secure, and their products can be trusted in the organization‘s environment. They believe their recognizable “brand name“ vendors are at least as diligent and proactive about cybersecurity as their organization.
• Many organizations also lack continual robust monitoring and reporting, particularly around their vendors‘ software product interactions within their environments; they’re simply not looking here with sufficient focus based on current events.
• 82% of organizations believe their executive teams and boards are confident in their approach to measuring and managing Supply Chain Risk.
  • Yet only 44% regularly report on their supply chain risks and related industry events to senior leadership. This is clearly a blind spot for leadership.
• Looking at financial services firms, for example, 79% say they would decline a business relationship due to a vendor’s cybersecurity performance.
  • But lack the data to make such decisions.

Graphic #2: Today’s Growing C-SCRM Threat Definition and Scope  

This false sense of security that most organizations have about their vendors’ software, etc. is based upon a (unverified) trust of a vendor’s own security diligence.  But we cannot assume this anymore, and perhaps never should have. 

This is one big reason driving a growing need for:

1. More continual and robust assessment of software (and hardware, firmware, etc.) providers’ cybersecurity performance.
2. Improved monitoring and reporting from both: a) upstream software vendors’ environments; as well as b) the downstream software buyers’ environments.

These may seem to be separate issues at first, but they ultimately compound to corrupt downstream customer environments prolifically.  Hence, we must “Shift Left” and go upstream into the vendor’s cybersecurity practices in order to manage our own Supply Chain risks.

C-SCRM Survival Tip #3:  Both initial and continual assessments of a vendor’s cybersecurity practices and incidents should be analyzed to ensure the security of an organization’s global supply chain before the vendor’s products or services touch their enterprise, and then continually throughout the relationship (and related product updates, patches, etc.).  

Another growing need is for the establishment of cybersecurity consortiums of industries and organizations (”IT ecosystems”) to share vendor and product risk data, and to quickly and continually inform partner organizations of new risks and mitigations to ensure fewer downstream surprises.  Whether performed per organization or through a consortium information sharing, there is (for the first time) a recognized need for continual assessments of many vendors’ cybersecurity practices before and throughout an organization’s relationship with these providers of solutions within their enterprise.  This is an emerging best practice for maintaining your environments’ security.  

Because these types of attacks have proven very successful (and profitable) to cybercriminals over the past few years, organizations should expect more and larger cyber supply chain attacks in 2022 and beyond.  Hence, the cost of the supply chain status quo is going up and this trend cannot be allowed to persist.  This is causing organizations to embrace stronger operational resilience strategies and emerging approaches like never before.

Noted that it is not only financial damage that companies must avoid (or remediate!) in the case of these attacks that often end in data exfiltration and/or ransomware.  83% of compromised organizations have also experienced reputational damage to their brand and public perception of their company.  This “ups the ante” for proactive avoidance of such attacks and more work to do if you are attacked.  

C-SCRM Survival Tip #4: Supply Chain attacks do more than financial harm to a company; in many cases these may also cause long-term reputational damage!  Hence, managing to reduce such attacks but also in robustly handling such attacks is vital to an organization’s survival.   

In response to the increasing waves of Cyber Supply Chain attacks, it is no surprise that a global approach to securing their supply chains as well as increasing their operational resilience will be the top priorities for 50% of organizations by 2023.  This is survival of the cyber-fittest.

To accomplish this, 88% of companies state that visibility into their global supply chain is more important now than it was 2 years ago.  But unfortunately, 74% of organizations are still using inefficient and less adaptable manual methods to ascertain and manage their supply chain risks.  Such approaches cannot persist while such risks are increasing at an exponential rate.

For an example of where improved C-SCRM approaches and processes are heading, consider the emerging security ratings services that customer organizations can utilize to initially (and continually) assess the cybersecurity practices and incident management of their vendors.  This is another emerging best practice, yet only 22% of organizations are using these resources to continually monitor their vendors’ cybersecurity performance.  Expect this utilization to grow and for such services to become more robust with available security tracking data for vendors.  

C-SCRM – Current Challenges and Opportunities

The vast number of Cyber Supply Chain attacks are being enabled by many challenges affecting organizations that utilize vendor software.  Yes, you are right; this means almost all organizations.  Try imagining an organization that does not use vendor software; then pause to think about the many(!) types of vendor software your organization relies on.

C-SCRM Survival Tip #5: Everyone has a cyber supply chain that can be corrupted!  There are very few exceptions.  In sort, every organization has a cyber supply chain whether the know it or not, complete with risks that can be exploited, and threats brought into their environment unexpectedly … EVEN IF the organization is highly secure in its perimeter defenses.Hence,cyber supply chain risks must be proactively managed by your organization.

It’s quite clear what the breadth of target organizations can be for cybercriminals when they devise such supply chain attacks.  They only need to breach a small number of the right vendors to indirectly gain access to their preferred (many!) target organizations amongst a vendors’ customer list. 

Some of the current challenges that organizations face in trying to regularly assess their vendor and supply chain cyber risks include:

1. Lack of data that is readily available related to such risks, including its timeliness, accuracy, and actionability. Organizations have had to develop their own data for such analysis and decision-making to select or continue with a particular vendor or product.
   1. This can be (too) time-consuming and resource-intensive for organizations.
   2. Such data, when possible, is intended to help organizations to identify as early as possible any potential risk exposure when using a particular vendor’s product
2. Even when such data is sufficiently available (rarely), most customer organizations have had little sway to force vendors to remediate their internal and supply chain processes to a point that they can regularly be confident in consuming their products as cyber-safe.
3. Such data would need to be refreshed frequently to be effective; but even where there are useful data points, these are generally not monitored continuously as would be needed based on today’s changing and escalating threats.
4. All this lack of actionable data from the above challenges means that the speed of any assessment is simply too long a cycle.
   1. Especially true for continual monitoring where the threat is potentially already in your enterprise (vs. an initial assessment before bringing in a product).
   2. But the only way an organization could previously speed up such assessments was to invest more of its resources into such focused efforts; but it generally didn’t have the capacity to do so.
5. Lastly, how an organization would address its 3^rd Party risk management is strongly determined by its structure, and defined roles and responsibilities for managing this. Most organizations have not made it clear who (what person or team) would own the responsibility for Cyber Supply Chain Risk Management.  This will have to change before many of the challenges above can be addressed considerably.    

Graphic #3: Current C-SCRM Challenges and Potential Solutions

There are emerging opportunities and options in addressing the challenges listed above and related ongoing Supply Chain concerns. For example:

• New technologies are becoming available to organizations that wish to be more proactive and quickly adaptive to their supply chain risks.
  • 3^rd Party Security Ratings – Services are becoming available where an organization can purchase one-time or recurring ratings for a particular vendor or set of products it wants to purchase (or already has).
  • Advanced Monitoring and Detection Tools and Services – Continued advancement and maturity of monitoring, detection, and action-oriented tools and services is enabling earlier detection and appropriate actions than ever before.
  • AI and its behavior analysis capabilities – This is one important advancement amongst monitoring and detection tool improvements; but this technology is also becoming engrained within many other aspects of cybersecurity
    • Wherever unusual patterns can be recognized by AI and enacted on appropriately far more quickly than a human could.
    • Expect AI to become a primary underpinning to many cybersecurity automation tools, not just C-SCRM.
  • For supply chains, Blockchain is an emerging technology that will enable better security management in terms of a product manifest’s chain of custody and that it has not been tampered with during the supply chain deployment.
    • Note, however, that this doesn’t solve the issue of a vendor’s software development process being breached to inject a threat for downstream users; this risk would need to be assessed as part of the vendor’s security practices (see the 3^rd Party Security Ratings services above).
  • Perhaps most importantly, new organizational roles (and responsibilities) are being created to enable greater focus and proactivity in assessing and managing supply chain and other 3^rd Party risks. This is long overdue, and a promising development in appropriately applying all the risk mitigation options listed above as needed for a particular organization’s target security posture.     

If Every Organization has a Cyber Supply Chain that Can Be Corrupted to Create Extensive Damage à What are you going to do about it?

Every organization has a supply chain with risks that can absolutely be exploited; there are no meaningful exceptions to this rule.  Hence, there is no room for a false sense of security, and no excuse to not address this immediately (and ongoing).  After all, you do not want to be the next cautionary tale about an organization in industry news!

To get started with your organization’s C-SCRM strategy, first consider these Success Factors in developing your overall approach.  Remember these factors as the “B-O-O-M“ strategy to pursue when ensuring C-SCRM success:

1. Both internal and external supply chain processes and security checks require focus.
   1. There are clearly a number of processes and capabilities that an organization has direct influence on immediately; start there, but do not end there.
   2. Be sure to also include external forces, such as suppliers, where the organization has only indirect influence; but where failure to implement such influence creates greater risk.
   3. Manage all threat vectors associated with your cyber supply chain risks; hence manage your supply chain vendors as well as your own organization.
2. Optimize Your Organization and related processes to stay aware of current cyber events, industry trends, issues, and best practices.
   1. Ensure sufficient focus by your organization on these items, including assigned roles and responsibilities for coverage.
   2. Partner with industry organizations and vendor partner organizations to stay informed and influential for managing supply chain risks.
3. Optimize Your Data for cyber supply chain and vendor risks, and extensively analyze these to be data-driven in your C-SCRM capabilities prioritization as well as your vendor selections and ongoing risk management.
4. Mature your organization, data, and tailored best practices to keep pace with (or preferably ahead of!) the continually growing and evolving cyber supply chain threats you must manage. This is far from a static set of threat vectors in this cybersecurity space and may just be in its infancy in terms of the future number of threats and types of complexity to be managed!  

Graphic 4: Success Factors for Managing Cyber Supply Chain Risk

C-SCRM Survival Tip #6: Drop the “BOOM” to be successful in your C-SCRM strategy and approach:  Both internal and external forces need to be managed; Optimize your organization for C-SCRM coverage; Optimize your C-SCRM data for analysis, selection, and monitoring risks; and Mature the above as organizational-specific best practices to stay ahead of the curve!       

Defining & Implementing C-SCRM Best Practices for Your Organization

The previously listed success factors for C-SCRM lead directly to the following best practices and capabilities for an organization to implement (shown here in a step-wise approach): 

1. Identify / Inventory all your types of vendor suppliers and service providers.
2. Define risk tolerance criteria for each type of relevant vendor and service for critical business processes.
   • Including important vendor dependencies, their critical software dependencies and single points of failure, etc.)
3. Assess each supply chain risk (e.g., a vendor or product) according to their specific business continuity impact assessment and requirements.
4. Define initiatives and best practice procedures based on industry best practices tailored for your organization and assessed risks.
5. Establish your organizational teams and roles for ownership and maturing these critical C-SCRM responsibilities, including –
   • C-SCRM Leadership and Communications – Report to Executive Team & Board regularly about risks and threats to the organization and identified in the industry (that may become threats which can be proactively avoided).
   • Risk Identification and Monitoring – Continually assess prospective and current vendors via software and service types with their risk profiles and requirements.
   • Cyber Supply Chain Requirements – Actively manage each vendor’s adherence to the organization’s C-SCRM established requirements; and hence, their incorporation into vendor contracts.
   • Cybersecurity Knowledgebase / Data Repository – This resource should be maintained to be more broadly used than just for C-SCRM scenarios; but this is where business line managers as well as technical integrators can access requirements lists, contractual provisions, and ratings data associated with vendors and their products.
   • Supply Chain Risk Liaison to the rest of the organization – In the case of insufficient data available for a vendor-related cybersecurity decision, or the needed investigation into a new vendor, product, or incident.  
6. Continually monitor supply chain risks and threats, based on internal and external sources of data.
   • Including findings from suppliers’ performance monitoring and reviews.
   • Maintain historical and trend data as long as relevant.
7. Make vendors aware of perceived or discovered risks or weaknesses associated with their products and processes.
   • g., managing such vendors throughput their entire product lifecycle, including procedures to manage releases, patches, and end-of-life considerations.
   • In some cases, you can help them improve their cybersecurity capabilities to advance your own security posture.
   • But if they fail to adhere to your supply chain security requirements or attempt to remediate based on findings you share, all bets are off.  
8. Continually use and enhance data to optimize your C-SCRM strategy and approach.
   • Strive for C-SCRM process and data maturity in both selecting vendors as well as strengthening these relationships (and your trust in them) over time.
   • Also use data to build an appropriate operational resilience strategy that will take over in the case of a vendor’s failure – via an attack needing remediation and/or the subsequent removal of such a unacceptable vendor or product.
9. Grow your C-SCRM Optimization maturity.

• This will never be a static set of vulnerabilities or threat vectors; stay diligent at continual improvement and maturity in your organization’s capabilities to actively avoid supply chain risk and to remediate it quickly if encountered.

The listing above of C-SCRM best practices was laid out in a suggested chronological order (do this first, second, and so on).  However, for further elaboration on implementing your best practices, the list below in Graphic #5 shows these same best practices in relation to achieving organizational C-SCRM strategic objectives.

Graphic 5: C-SCRM Best Practices to Implement Now and Ongoing

C-SCRM Survival Tip #7: Implement your C-SCRM Best Practices in the order that makes most sense for your organization’s transformation into C-SCRM maturity; but ensure these accomplish the strategic objectives above as you mature.

Conclusion & Next Steps

So, to what extent do you need a C-SCRM strategy?  By now you should understand the value for any organization to have such a strategy and accompanying best practices.  But the extent to which SCRM should be aligned with and support your business and IT strategies will depend on your business model, vendors profile, cybersecurity capabilities, and risk tolerance.

How important are your vendors’ products (e.g., software, tools, hardware, or firmware) to your critical business operations?  Or to your potential growth?  How fragile are your business operations if a vendor in your supply chain was no longer a secure option?   What is your feasible risk tolerance for such external disruptions to operations?  Think about these questions regarding your supply chain, vendor and product choices, and ongoing operational resilience requirements to determine how to develop your specific C-SCRM strategy for current and future needs.

Once you’ve determined the next steps that are appropriate for your organization, here are a few ways that Wavestone can assist you when you’re ready to build out your Cyber Supply Chain Risk Management optimization approach to enhance, baseline, or continually improve your C-SCRM capabilities:

1. Develop a customized C-SCRM strategy for your organization.
2. Establish a Cyber Supply Chain Center of Excellence (CSC-CoE) with robust C-SCRM capabilities for vendor-related decision-making as well ongoing monitoring and reporting at all organizational levels.
3. Execute a C-SCRM (Vendor & Product) Capabilities Maturity & Risk Management Assessment to identify any vulnerabilities, risks, or threats; as well as to enable targeted decision-making about selected vendors or products of interest.

Feel free to reach out to us if you’d like to discuss your Cybersecurity journey and capabilities, and how to get started towards supply chain risk management success.

About Wavestone US

Wavestone US is the North American arm of global management and IT consulting firm Wavestone. We have supported the transformations of more than 200 Fortune 1000 companies across a wide range of industries, leveraging a strong peer-to-peer culture, offering a practitioner’s perspective on IT strategy, cost optimization, operational improvements, cybersecurity, and business management. It is our mission to help business and IT leaders successfully deliver their most critical transformations and achieve positive outcomes. We drive change for growth, lower cost, and risk, and create the trust that gives people the desire to act.

Cet article Cyber Supply Chain Risk Management Best Practices : Operationalizing Your proactive C-SCRM Defenses est apparu en premier sur RiskInsight.

In this example, we will assume that you are a coffee machine manufacturer. Your current project is to build a connected coffee machine for your corporate customers. You have identified multiple use cases for this IoT machine. For instance, it automatically orders new coffee capsules when the stock falls below a certain threshold. A second option would be that the coffee machine, sends automatic alerts to your servers when maintenance management such as cleaning, repairs, etc. is needed. Finally, it offers your clients functionalities for monitoring consumption.

How can you choose the right network for your needs? What questions should you ask yourself? How do you make a good choice while considering the overall security of your system?

First Step – Define your business requirements and perform a risk analysis

First, you must identify the requirements for your IoT network which are twofold: business and security requirements. We characterize these requirements with levels 0 to 3, 0 being the lowest and 3 being the highest level.

For the business requirements, you must answer questions such as:

1. How far should the object’s signal reach?
2. How much bandwidth do you need?
3. What is the autonomy of your object?

In our example, we assume that your connected coffee machines will be distributed to corporate customers operating over a large geographical area (i.e. over 100 km radius). Therefore, you will need a wide coverage to enable your customers’ widespread machines to communicate with your Information System.

Two business cases are outlined here: If your customer agrees to connect your machine to its existing local network, you will then only need a short-range wireless network between the machine and the internet router. If they refuse to do so, you will then need to set up a long-range network as you will deploy your service and machines over a wide area.

For the bandwidth, a small/short amount will be needed as it solely requires to be able to send small data packages a few times a day at most (capsule orders, alerts, general status, …).

In regard to energy consumption, a coffee machine is traditionally connected to a power supply to perform its tasks; henceforth, power does not constitute an issue in terms of IOT, i.e. the object autonomy is therefore not constraint. There is no energy consumption requirement per se as it is already covered by the coffee machine’s connection to the power grid.

We summarize the levels for business requirements as follows:

• Range (R) = 3 or 1
• Bandwidth (B) = 1
• Energy consumption (E) = 0

Having defined your business requirements, a risk analysis must be conducted to formulate the security requirements of your project for availability, integrity, confidentiality, and traceability purposes.

A loss of availability would occur in the event of a dysfunction on the connected coffee machine that would render it unusable for a customer. A loss of access to the network or unavailability of backend servers should never result in the machine being unavailable: it must remain working off-network. However, if a dysfunction of the machine occurs, we assume that you would want it to be reported back as quickly as possible through the network in order for maintenance actions to be triggered.

How long can this last? The answer would be several hours rather than several days, as we wouldn’t want to deprive employees from their coffee breaks! Therefore, 4 to 24 hours is an acceptable window of unavailability which can be translated into an availability requirement level of 2.

A loss of integrity would result in data corruption. For example, a potential excess order of coffee capsules may occur by altering the messages sent by the coffee machine or by replacing the same order multiple times. In both cases, this would result in a financial loss for your client. Data on the network needs to be communicated rigorously and exactly. Hence, we can conclude this is a requirement level of 3.

A loss of confidentiality would result in data being divulged; orders quantities are rather sensitive data that shouldn’t be shared with external parties. It needs to be ensured that data is communicated securely on the network and is not accessible by externals parties.  Hence, we conclude that confidentiality has a requirement level of 2.

For traceability, and for simplification reasons, we choose to leave this aspect aside assuming that it is already accounted for by the study of the first 3 criteria.

In a nutshell, risk analysis concludes to the following security requirements:

• Availability (A) = 2
• Integrity (I) = 3
• Confidentiality (C) = 2

For more details about risk analysis methodology for smart objects, you can refer to this article.

At the end of this analysis, you obtain for both of your business cases a radar chart of your requirements.

Business case 1: your customer connects your coffee machine to its local network

Business case 2: your customer does not connect your coffee machine to its local network

Though not discussed in this article, financial aspects are also important and depend on various factors such as the network operator pricing model. Same goes for geographic constraints as some networks may not be available on some regions.

Eventually, the ease of configuration of the network may be included in your business requirements, especially if your connected object targets a B2C audience.

Second step – Choose your IoT Network

Building on business and security requirements, we developed a methodology to choose the right network that will be optimal to meet your business and security needs: range, bandwidth, energy consumption, availability, integrity, confidentiality.

The three business requirements are mandatory, the network you choose must fulfil them, otherwise, it will be eliminated.

For security requirements, the assessment requires pre-emptive analysis. Between two networks that cover the same business requirements, you should choose the one that offers the best level of security with the minimum cost.

If a network doesn’t cover one of the security requirements, you will have to implement some additional security feature as a part of your project backlog, consequently raising your costs.

You should also be vigilant that the additional implementation doesn’t impact the system’s performance. For instance, if you implement data encryption at the application layer, increasing processing times would negatively impact your maximum data rate or could be constrained by the hardware capabilities of the device, with a potential financial impact in case of a hardware upgrade. Consequently, one of your business requirements may no longer be met.

In case high availability is required (A=3), you ought to choose a robust network by design that will meet your real-time needs.

In fact, spread spectrum (like Bluetooth or ZigBee) or frequency hopping modulated protocols (like Sigfox or Bluetooth) are more resistant to radio jamming or radio interferences.

These types of networks are particularly recommended when availability is an important requirement, such as on an industrial production line.

Moreover, mesh protocols are known to be more reliable and scalable than point to point protocols. However, for them to achieve efficiency, they need to be used in a context where multiple connected devices are linked together. Mesh protocols like WirelessHART can also guarantee real-time communications. Their usage is especially adapted to an industrial context.

A simple methodology to choose the right network is to confront your business requirements to the network’s business and security offerings.

In the following radar charts, we present different types of IoT networks providing different levels of business and security offerings, and we compare each one of them to our business requirements.

Business case 1: your customer connects your coffee machine to its local network

Business case 2: your customer does not connect your coffee machine to its local network

Let’s apply the previous methodology to your connected coffee machine. First, we use our previous radar charts to see which networks comply with our business requirements.

Business case 1: your customer connects your coffee machine to its local network

For your first business case, Bluetooth and Wi-Fi are two viable short-range options if your customer connects the machine to its local network. On the one hand, Bluetooth meets all the security requirements, but it is less straightforward to implement compared to Wi-Fi. On the other hand, Wi-Fi meets all of them except for availability but that is something we can work out with SLA agreements.

Business case 2: your customer does not connect your coffee machine to its local network

For your second business case, Zigbee, BLE and Wi-Fi are clearly out of the equation because they do not meet the range requirements. However, LoRa, LTE-M and Sigfox are still in the mix.

We use the radar charts again, this time to assess these three candidate’s compliance with the security requirements.

Sigfox does not meet one of your security requirements (confidentiality) whereas LoRa complies with all security requirements. LTE-M is the best offering as it meets all your requirements, but it is also the most expensive. We conclude that LoRa is a relatively good candidate.

In conclusion, we have one good candidate: LoRa which will require the deployment of a new network and an alternative using a pre-existing Wi-Fi network. It should be noted that you may refuse to connect to the Wi-Fi network on company premises for security reasons.

We will undertake a new scenario in a next article: a customer company buys the machine and discusses what payment options to use.

Cet article Connecting your connected coffee machine: yes, but how? est apparu en premier sur RiskInsight.

“Security accreditation is a formal act by which the authority responsible for a system commits its responsibility to risk management.” [1]. It is of course mandatory in some cases[2], but beyond that, it is also a way of sending a strong message to users and top management: security is indeed a major topic for the organization. Agile methodology was at first designed for projects, but it can be a real opportunity for security teams to reduce security risks.

This method disrupted working habits of product teams and ISS teams (Information System Security). The latter have to find a way to go beyond adapting old accreditation method and propose a new relevant solution to still comply with the original goal of the accreditation: “Find a balance between acceptable risk and security costs, then have it formally accepted by a manager/an authority who has the power to do so[3]”.

One solution: provisional accreditation and long-term accreditation

As a famous Agile Security expert from Wavestone once said: “Agile and accreditation, it’s not rocket science”. Without denying the difficulties, explaining it is quite simple. Faced with teams that must deliver faster and provide continuous releases, the risk levels and therefore the security accreditation must be dealt with at the same pace.

What should the accreditation consider?

As always, security accreditation is all about giving thorough information on a project’s security risk level to the Accreditation Authority, for them to decide if it’s acceptable with regard to the organization ISS criteria (e.g. number of EUS still on the backlog, percentage of security baseline rules implemented on a given scope, etc.). Then, they take responsibility for the possible residual risks.

For example, only a few features are available to a few users at the beginning of a project. This small scope will display a lower level of risk (because of a low level of exposure) despite not being fully secured yet. Provisional accreditation (for a few months for example) may be issued to allow experimentation. It will have to be renewed when renewal criteria (defined in advance) are met.

Figure 1 – Product exposure to residual risk
From the ANSSI guide (in French): Digital Agility and Security, October 2018 (link to the guide)

For a project at cruising speed, accessible to its target audience with all the expected features, a firm accreditation (3 years for example) is pronounced. The criteria for renewal, leading to the issuance of a new accreditation, are also defined in advance.

When to renew the accreditation?

The criteria used to know when to renew the accreditation are closely linked to the project, the context, or the scope, but here are some examples to build these criteria. The provisional accreditation is valid until:

• New critical features are added (“critical” depending on the project),
• A new threshold for the number of users has been reached (defined in advance, depending on the associated risks),
• New personal data must be integrated and processed by the project,
• New features related to payments must be implemented,
• A new level of transaction volume is reached,
• And of course when the accreditation deadline is reached.

Long-term accreditation is valid for a longer time because less changes are expected at this stage of the project. That being said, the accreditation will have to be renewed regularly (at least every 3 years) to check on security levels and in a will of continuous improvement.

What evidence should squads bring?

Squads/feature teams should be able to bring different types of evidence/proofs (of the security level) to the Accreditation authority/responsible for the accreditation. The Evil User Stories (EUS) serve as what we used to call risks, where prioritization gives information about their criticality (see our article on how to lead a workshop on risk analysis in Agile). An extract from the backlog can be used as proof that the main EUS have been processed and that residual EUS are known (and accepted by the Accreditation Authority).

The Security Form (or Passport, detailed in this article on Agile transformation – in French -) is also a relevant way to follow-up on security levels of projects.

Code review and vulnerability scan reports can also be used (for squads that have integrated DevSecOps and have the appropriate tools).

If the X-team exists (see our article on the new ISS roles in Agile and the corresponding organization) or if an external audit team was able to perform them, the penetration test reports are also presented.

Any other existing documents can be used to give all necessary information (architecture documents, applicable regulations, etc.).

For provisional accreditation, these documents don’t have to be gathered in a proper “accreditation folder”, which would imply losing time for squads. What is necessary is to ensure they exist and are available to anyone involved in the accreditation process (accreditation authority or their delegate, ISS team, etc.).

Who are the actors in this process?

During product development, the Security Champion (see this article for definition) is in charge of organizing the risk analysis workshops (identification of EUS and associated Security Stories). The ISS team is of course involved in the process, bringing their knowledge to the squads during workshops.

The Product Owner is responsible for the creation and updates of the necessary documentation. They also make sure the ISS team is informed and asked for help when needed.

The accreditation Authority should be a business manager (e.g. the Business Owner) as usual. They must have the capacity to accept residual risks and validate the product security levels. As security should not slow down any Agile processes, the signing of a provisional accreditation may be delegated to the Product Owner, as they are representative of the Business Owner in the squad. The temporary accreditation can thus be signed faster if criteria for validity are met. In some cases, where projects would pose a risk to other businesses or systems, a transversal officer/business owner must be found, to sign for both businesses or systems. If no one is found, or no compromise is achieved, the Chief Information Officer (CIO) will assume responsibility, as it is their role to ensure the operational conditions of the Information System.

As a conclusion, security accreditation remains key when speaking about integration of security into projects, in particular within the Agile framework which changes the product teams’ way of working. The ISS teams must take advantage and (re)join these product teams (through the Security Champion and the security training of the product teams) and thus work together towards the incremental reduction of risk.

More articles to come on Agile Security, stay tuned!

[1] ANSSI guide (in French): Digital Agility and Security, October 2018 (link to the guide)

[2] (French regulations only) For administrations: decree n ° 2010-112 of February 2, 2010, terms of the General Safety Reference System (RGS). For any product dealing with information coming under National Defense secrecy: Interministerial General Instruction 1300. For operators of vital importance: cyber section of the LPM (law n ° 2013-1168 of 18 December 2013 – article 22), to strengthen the security of the critical information systems they operate, carried out as part of an accreditation process.

[3] ANSSI guide (in French): The nine steps of the security accreditation, August 2014 (link to the guide)

Cet article Security accreditation for Agile projects: how to successfully do it ! est apparu en premier sur RiskInsight.

Introduction

Components of Electron 

https://www.wildnettechnologies.com/build-cross-platform-desktop-apps-with-electron/

Principe de l’attaque

• Le dossier « app » qui contient l’application ;
• Le fichier « electron.asar » qui prépare l’environnement Chronium au lancement de l’application.

app.on(‘browser-window-focus‘, function (event, bWindow) { bWindow.webContents.executeJavaScript(“alert(Hello Github !!’);“) })

Démonstration

Conclusion

Cet article BEEMKA – Electron Post-Exploitation When The Land Is Dry est apparu en premier sur RiskInsight.

1)     Analyse des opérations

L’analyse dynamique permet la surveillance de nombreuses informations : les registres, le système de fichiers et les processus. Cette étape est au début assez fastidieuse étant donné que de nombreuses informations sont accessibles. Il existe différents outils permettant d’accéder à ces informations. ProcessMonitor est l’un de ces outils qui a l’avantage de permettre à l’analyste de filtrer ses recherches sur un exécutable, ce qui est très pratique pour l’analyse de malwares.

Figure 1 : Résultat d’une analyse de ProcessMonitor sur un malware appelé mm32.exe

Figure 2 : Résultat de Process Explorer sur un exécutable

Dans ce résultat, le premier constat est la création d’un mécanisme de persistance HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run par le programme ckr.exe, le deuxième est la modification de la valeur de la seed pour le générateur de nombre aléatoire, ce qui représente un bruit habituel.

2)     Analyse réseau

Figure 4 : Interception des requêtes DNS et simulation des réponses par ApateDNS en utilisant l’IP 192.168.120.1

Figure 5 : Résultat renvoyé par Netcat lors de l’exécution de RShell en redirigeant les requêtes vers l’hôte grâce à ApateDNS

Figure 6 : Capture d’écran d’une analyse Wireshark

Figure 7 : Fonctionnalité Follow TCP Stream de Wireshark

3)     Analyse via débogueur

• Les software breakpoints : ces points d’arrêt sont utilisés pour faire en sorte que le programme s’arrête lorsque l’instruction sur laquelle ils sont placés est appelée. Pour réaliser cela, le débogueur remplace le premier octet de l’instruction par 0xCC, l’instruction pour INT3.

Cet article Reverse Engineering – focus sur l’analyse dynamique de malware est apparu en premier sur RiskInsight.