Implementing Cyber Security

Submitted by Katie.Koukouli… on Mon, 12/18/2023 - 16:03

Once a cyber security framework is in place, implementing cyber security requires monitoring, evolving, and communicating business wide the cyber security requirements of the business.

By the end of this topic, you will understand:

  • communication models for improving cyber threat awareness in a business including training
  • monitoring techniques to evaluate the current risks to the business from cyber crime
  • how to compliance check in a business to ensure cyber security policy is being adhered to
  • how to build feedback channels to identify new risks to the business.

 


Technical updates (such as patches and using MFA) will make it difficult for cyber criminals to successfully attack a business. However, unless cyber security policy is followed by staff, gaps will open in a business’ cyber security.

Case Study

Public Wi-Fi

ACE Pty Ltd has a policy that external access to the ACE network (such as from airports/cafes) cannot use public Wi-Fi. An employee in the sales team discovers that many staff use public Wi-Fi rather than 4G or 5G networks as they sometimes have trouble connecting to cellular networks.

This can allow hackers to access laptops and mobile phones using the public Wi-Fi. One such attack is called a MITM attack (Man In The Middle). It works by intercepting network traffic, reading it, and capturing confidential data.

To ensure that cyber security is adhered to, a cyber security manager must:

  • Provide regular awareness training to all staff
  • Communicate changes in cyber security
  • Compliance check to ensure that staff are working within the policy guidelines

We will look at these three components now.

Provide Regular Awareness Training to all Staff

It is typical in a business that when new staff join the workforce, they are inducted. The induction provides the new staff member with all the information they need as background on their new role. Included in the induction will be a briefing on cyber security.

While an induction is typical, ongoing activity to keep staff aware of cyber security issues may not be. It is critical to a business’ cyber threat protection that staff are refreshed on their cyber security responsibilities.

A strategy to provide awareness training is a critical component of any business’ cyber security framework. Training can be formal (such as in an e-learning system or from a circulated PowerPoint) or informal (such as using an email to advise staff of emerging threats).

A simple communication, such as an email, may be sufficient to refresh staff understanding. Various techniques can be explored to provide awareness training. Consider your workplace and select techniques that suit your environment. Some examples are as follows:

  • Schedule regular time efficient training to ensure staff remain focused.
  • Provide regular (weekly) short emails updating staff on emerging threats so they have current knowledge. Case studies and examples from the business community on cyber-crime activity are also valuable. Any weekly email should be concise and contain interesting information that grabs the attention of readers. By its nature, cyber security is interesting to people. Using stories of hacking activity to highlight the dangers will lift cyber security awareness in a business.
  • In cases where training is needed to respond to a high-level threat, custom formal training is required with follow-up communications. If the threat needs to be acted on quickly, do not wait for formal training to be developed. Emailing and meeting staff in person should be considered as an ASAP approach. This will be an uncommon occurrence and such a reaction is typical of a response to a Zero Day threat.

Always ensure that training keeps a record of participants to provide a registry of when the last training on a particular topic was covered. Refer to this registry to schedule refresher courses.

Work with training managers in the business and team managers. In this way:

  • training (formal and informal) will be informed by training experts
  • cyber security training is part of an overall training schedule. In a typical company, there are numerous training requirements that are ongoing. Cyber security training should be scheduled to avoid date conflicts and loading staff up with too much training at any given time.

Tip

The Center for Internet Security (CIS) framework in requirement 14 describes that a business should ‘Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.’

Some frameworks, such as the Essential Eight, take a purely technical approach and exclude training from their frameworks. While it is possible to pick and choose from various frameworks, use a framework such as CIS or NIST to ensure the full range of cyber security tasks and factors are identified first.

Communicate Changes in Cyber Security

Communicating changes appropriately is critical to gathering the support of staff and ensuring that changes are adopted.

When implementing any workplace cyber security changes, a clear procedure should be written and circulated. To ensure that staff are aware of the proposed changes:

  • liaise with the managers of teams affected by the cyber security changes early and gather their input to ensure minimal disruption.
  • provide managers with a draft procedure that is simple to follow and is concise. Gather their input to ensure the procedure uses appropriate text.
  • discuss with managers the communication requirements. Is it sufficient to send an email with the new security requirements included? Should the manager meet with staff? Is specific training needed?

Changes in cyber security requirements occur when:

  • the business changes their business workflow or the digital assets they use
  • cyber threats emerge requiring changes in workplace behaviours
  • gaps are identified in cyber security that the business decides must be closed.

Tip

The CIS framework, in Control 17 (Incident response), describes the requirement to

‘Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard.’

This describes the communication protocols in the event of a cyber-attack or threat. It is important to test cyber security responses to ensure that communications function as required (emails, phone numbers etc. are working and connect to the appropriate people). Emails and phone numbers change.

Reflection

Changes in business workflow or digital assets in a business require review and a cyber security response. What happens if a business’ cyber security management are not made aware of intended technology changes? It is probable that gaps will appear in the business’ cyber protection.

Business policy should set guidelines for updating to technology that ensures that:

  • any technology additions involve input from a business’ cyber security team in the planning stage
  • cyber security requirements as approved by management and suggested by cyber security management must be adhered to for a new technology to be implemented.

Compliance Checks

Cyber security managers have a key role in ensuring that cyber security compliance is maintained across a business. Compliance checks are conducted to correct behaviour that is outside expected cyber-safe norms by:

  • informally observing practices in the workplace that are non-compliant with expected cyber safe behaviours.
  • formally conducting reviews in a business using a specific compliance checklist. A checklist can assess processes undertaken and ensure that staff are working within a business’ cyber security policy.
  • audit applications and networks to ensure technical requirements for cyber security are being met.

When a comprehensive technical, formal and informal compliance check is conducted across a business or business team, this is called a cyber security audit. Sometimes audits are conducted by external companies to ensure objectivity.

Watch 

Learn more about the scope of a cyber security audit. Watch the video below:

In the cases where a compliance check finds non-compliance, a cyber security manager should act as follows:

  • Seek to address the non-compliance with the relevant areas of management where it occurs. Depending on the co-operation provided, senior management outside the area in question may not need to be informed. Escalation in the event of non-compliance occurs when the non-compliant staff or management do not act in a timely way to correct the non-compliance.
  • Depending on the severity of the non-compliance and the risk it presents, the action taken should reflect the potential risk that it exposes the business to. For example, staff storing company data including personal details on unauthorised external storage (such as Google Docs) exposes a business and, in many cases, contravenes the Privacy Act. In this case, immediate action should be taken to delete the data, provide direction to all staff on data storage practices (many companies rely on secure cloud-based storage), and consider if a data breach has occurred.

Compare the example above to some staff attempting to browse non-business websites. In this case, the staff were unable to access the non-business websites as the firewall allows only a limited number of websites to be accessed. In effect, staff were non-compliant, however the risk to the business was mitigated. In this case, an informal email will be sufficient to reinforce the policy to the staff in question, along with continued monitoring (see next page for monitoring techniques).

The requirement that all staff comply with a business’ cyber security policy must be a condition of employment and policy should exist describing:

  • The role of a cyber security manager in compliance
  • The steps a cyber security manager can take in cases of non-compliance

Case Study

Technical Compliance

The task of updating software in a business will be the responsibility of a business’ IT department.

All devices and applications used by a business operate using various versions of software. The version is typically an incremental number that indicates what code has been used to produce the software.

Consider the browser Microsoft Edge.

In one business, an active cyber security manager becomes aware through research and an email alert from Microsoft that version 103.0.1264.49 of Edge contains a vulnerability. Microsoft advise updating any browser to the latest version.

The IT department is required by cyber security policy to update within 2 weeks to new versions of Microsoft Edge. The cyber security manager is aware that the latest patch is 105.0.1343.42 which was released 4 weeks ago.

The cyber security manager checks with IT, and they advise all Edge browsers in the business are on release 104.0.1.1293.78. While this means the exploit described by Microsoft for version 103.0.1264.49 is not applicable, the cyber security manager notes that the latest patch of Edge has not been applied to the business’ browsers within two weeks: 105.0.1343.42 is not the version in use.

The cyber security manager meets with the IT manager to highlight the issue. The IT manager advises a recent database upgrade has resulted in this oversight as staff have been focused on the database task. The IT manager advises that the update will occur in 2 days’ time.
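The check the cyber security manager performs by hand above can be automated. The following is an added example, not code from the original module: it encodes the policy “update within 2 weeks of release” and the Edge versions quoted in the case study. The inventory, host names, dates and function names are constructed, and it assumes that a vulnerability disclosed for one version also affects every older version.

```python
"""Patch-compliance check modelled on the Microsoft Edge case study."""
from dataclasses import dataclass
from datetime import date, timedelta

POLICY_WINDOW = timedelta(days=14)  # policy: update within 2 weeks of a release


def parse_version(text: str) -> tuple[int, ...]:
    """Dotted version string -> tuple of ints, so 104.0.1.1293.78 < 105.0.1343.42."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Finding:
    host: str
    installed: str
    issue: str


def check_host(host: str, installed: str, latest: str, latest_released: date,
               vulnerable: str, today: date) -> list[Finding]:
    """Return the compliance findings for one device (empty list = compliant)."""
    findings: list[Finding] = []
    inst = parse_version(installed)
    # Assumption: a vulnerability disclosed for version X also affects anything older than X.
    if inst <= parse_version(vulnerable):
        findings.append(Finding(host, installed, f"exposed: at or below vulnerable {vulnerable}"))
    if inst < parse_version(latest):
        age = today - latest_released
        if age > POLICY_WINDOW:
            findings.append(Finding(host, installed,
                f"policy breach: {latest} released {age.days} days ago, window is {POLICY_WINDOW.days} days"))
        else:
            findings.append(Finding(host, installed, f"pending: {latest} still inside update window"))
    return findings


def audit(inventory: dict[str, str], latest: str, latest_released: date,
          vulnerable: str, today: date) -> list[Finding]:
    """Run check_host over every device in the inventory."""
    return [f for host, version in inventory.items()
            for f in check_host(host, version, latest, latest_released, vulnerable, today)]


# Constructed inventory using the versions quoted in the case study.
TODAY = date(2022, 10, 3)                        # constructed "today"
LATEST = "105.0.1343.42"
LATEST_RELEASED = TODAY - timedelta(days=28)     # "released 4 weeks ago"
VULNERABLE = "103.0.1264.49"
INVENTORY = {
    "sales-lt-01": "104.0.1.1293.78",  # what IT reports: not exploitable, but outside the window
    "sales-lt-02": "103.0.1264.49",    # constructed: an unpatched straggler
    "it-ws-07": "105.0.1343.42",       # constructed: fully patched
}

if __name__ == "__main__":
    for f in audit(INVENTORY, LATEST, LATEST_RELEASED, VULNERABLE, TODAY):
        print(f"{f.host}: {f.installed} -> {f.issue}")
```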

The Importance of Feedback

Communication is not one way traffic. Cyber security in a business is enhanced when staff and other knowledgeable parties (contractors, external clients, and security experts) provide input that:

  • enhances cyber safety in a business
  • identifies risks and non-compliance with policy

Cyber security managers should take any opportunity to discuss and consult with other people in the field of cyber security. Cyber security in any business addresses the same problem – attempts by internal or external agents to commit cyber-crime. Cyber security managers should consider networking with cyber security online forums (such as on LinkedIn), subscribing to active and topical news groups (the ACSC offers free memberships to Australian businesses that allow access to topical education and information) and consider undertaking penetration testing.

Penetration testing is typically undertaken by external third parties who are paid to ‘attack’ a business’ cyber defences. The concept is that by attempting the latest and most common attacks, a business can be advised if they have gaps that require closing. In effect, a penetration test report identifies weaknesses (physical, technical and workplace driven) that the business finds before hackers can exploit them.

Feedback Channels

Cyber security managers should always put in place a way for employees and other parties to inform them of breaches in security, gaps, and non-compliance with cyber security policy. This typically takes the form of an email and phone number that is published to allow information to be provided to the cyber security manager. Importantly, it should be possible for the information to be provided anonymously and that it should be treated as confidential. In Australia, information dealing with cyber-crime and the person making the report are protected by the Enhanced Whistleblower Protections Act of 2019 for companies with greater than 25 million dollars in revenue per year, or otherwise 50 million dollars in assets.

Case Study

An Unusual Request

As cyber security manager of ACE Pty Ltd, you have created an email address report@ace.com.au and have a phone number that you publish for reporting cyber security incidents.

Checking the email address, you find a report from a sales agent (Tom Alvin). They note they were asked by a third-party client company to provide them with Tom’s username and password. The client wanted the username to allow them to place their own orders directly.

Tom reported the incident as he felt it was an unusual request as the client company has high levels of cyber security awareness. You make a note to discuss the request with management at the third-party company.


Monitoring of cyber security in a business takes two forms:

  • Monitoring the effectiveness of cyber security in protecting a business
  • Monitoring emerging risks.

Collectively, both types of monitoring provide insight to improve cyber security. We will now examine these two formats.

Monitoring the Effectiveness of Cyber Security in Protecting a Business

If a business indicates it has never been the subject of a cyber-attack does this mean the business has an effective cyber security approach? It may be that the business:

  • has been lucky
  • does not have a risk profile making it attractive to hackers
  • has been the subject of numerous attacks but has sufficient cyber security to stop simple cyber-attacks
  • has inadequate monitoring and reporting and is unaware there have been cyber-crime attempts.

A less happy possibility is that the business has been the subject of attacks and they have been successful. The business is unaware the attacks have been made.

Unless a business monitors activity on its digital platforms (devices, software, workflow), the effectiveness of cyber security cannot be measured. The term ‘effective’ means more than just recording that a hacking attempt was stopped at a business’ network boundary. Businesses with effective cyber security have:

  • staff that comprehend and work within cyber security policy
  • systems that pass penetration tests and vulnerability scans
  • the appropriate levels of software to reduce exploitable software bugs
  • cyber-attack detection software that is tested and records attempts to ‘hack’ a business’ system
  • physical security and staff monitoring in place, and use malware detection.

Let’s now consider how the four points above can be monitored.

Staff that Comprehend and Work Within Cyber Security Policy

The results of training, compliance audits and checks speak to the cyber security awareness of staff in a business. A cyber security manager can look to the results of such evaluations to identify the preparedness of staff to resist cyber-crime.

When deficiencies are detected in staff behaviour and comprehension, aside from correcting the issue, the root cause of the lack of awareness should be identified. Is the method of training inadequate? Does policy reflect the reality of the workplace? – it may be that staff simply cannot work the way policy requires. By addressing the root cause, there may be a remedy that can be applied broadly across the business to improve cyber security.

Systems That Pass Penetration Tests and Vulnerability Scans

As we have discussed, penetration tests provide reporting to assess the ready status of a business’ digital systems to resist cyber-attack. A further method is to run software that is called a vulnerability scan (VS). A VS is software that can be directed to check network, system, and digital devices to ensure that these resources are using software versions that do not contain known exploits – bugs that when exploited allow hackers to access a computer network illegally.

Both penetration tests and vulnerability scans provide monitoring, but not in real time – these methods are not running all the time and checking for cyber security issues. Run regularly, they provide a business with a valuable way to gather information on what technical steps should be taken.

Note

A business can run their own vulnerability scans and penetration tests. Some of these tools are commercial while some vendors provide tools for free.

Extreme care should be taken with the selection of these software types – free or commercial – and relying on proven and recommended vendors should be undertaken rather than referring to web recommendations. In effect, these tools are developed by ‘white hats’ – these are hackers per se who protect businesses whereas ‘black hats’ are hackers looking to damage businesses.

Penetration tools and vulnerability scanners are what hackers use to detect weak cyber security defences. As a result, when a business uses them as a self-test it can mitigate and close gaps before they are exploited by hackers.

Cyber-Attack Detection Software That Records Attempts to ‘Hack’ a Business’ System

Detection software is real time and runs in the background on the servers and other devices across a business’ network.

The software provides monitoring of activity and is designed to trigger reporting to cyber security management and can be in some cases, instructed on the steps to take to stop a cyber-attack.

This software is sometimes called Intrusion Detection and Intrusion Prevention Software (IDPS).

Sophisticated hacking techniques are designed to break into a business. In some ways, a hacking attempt can be compared to cracking open a safe. Consequently, IDPS software is complex and operates on various levels:

  • On a business’ network to identify unusual traffic or data traffic with a ‘fingerprint’ that indicates a hacking attempt
  • On a business’ applications to look for unusual requests for services such as large data copy request and amendments to databases from suspicious sources.

Any activity on a business’ digital platform creates a log entry. A log is a file that lists all the changes, access requests and any read/write activity. A business will have multiple logs being written to at any one time: the network router receives a request and writes a log entry that a certain IP address attempted to access the network. The database writes to its log file that a user changed the address details for a client.

By reviewing all these log files, a cyber security manager could trace and find unusual activity. But this will be after the fact. Using an IDPS provides real time monitoring and protection that acts in the moment.

The CIS framework refers to IDPS software as a requirement for Implementation Group 3 (IG3, the highest level) businesses – in effect, businesses that have a risk profile that warrants more investment in cyber security.

The NIST framework, in the Detect set of activities, identifies that first a baseline of typical/expected activities on a business’ system is identified, then abnormalities can be identified using network monitoring (DE.AE-1 to DE.AE-5 and DE.CM-1).

Note: Detect is one of five types of activity the NIST framework identifies – Identify, Protect, Detect, Respond and Recover in that order.
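The baseline-then-detect approach described above (NIST DE.AE and DE.CM), and the router log entries mentioned earlier, as an added example that is not part of the original module. The log line format, the source addresses, the function names and the “three times the baseline” threshold are all constructed for illustration.

```python
"""Baseline normal router activity, then flag abnormal access attempts (after the fact)."""
import re
from collections import Counter

# Constructed log format: "<timestamp> router <ACCEPT|DENY> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) router (?P<action>ACCEPT|DENY) src=(?P<src>[\d.]+)$")


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def build_baseline(lines) -> dict:
    """Baseline = the set of source addresses seen in the normal period and the
    largest number of DENY entries any single one of them produced."""
    known, denies = set(), Counter()
    for entry in parse(lines):
        known.add(entry["src"])
        if entry["action"] == "DENY":
            denies[entry["src"]] += 1
    return {"known": known, "max_denies": max(denies.values(), default=0)}


def detect(baseline: dict, lines, multiplier: int = 3) -> list[tuple]:
    """Compare a monitored window against the baseline. Alerts are raised for
    sources never seen before, and for any source whose DENY count exceeds
    `multiplier` times the worst source in the baseline."""
    alerts, denies, unknown = [], Counter(), set()
    for entry in parse(lines):
        if entry["src"] not in baseline["known"] and entry["src"] not in unknown:
            unknown.add(entry["src"])
            alerts.append(("unknown-source", entry["src"], entry["ts"]))
        if entry["action"] == "DENY":
            denies[entry["src"]] += 1
    threshold = max(1, baseline["max_denies"] * multiplier)
    for src, count in denies.items():
        if count > threshold:
            alerts.append(("deny-burst", src, count))
    return alerts


# Constructed sample logs: a quiet baseline week, then a monitored hour.
BASELINE_LOG = [
    "2023-12-11T09:00:01 router ACCEPT src=10.0.0.12",
    "2023-12-11T09:00:05 router ACCEPT src=10.0.0.15",
    "2023-12-11T09:02:10 router DENY src=10.0.0.15",
    "2023-12-12T09:01:00 router DENY src=10.0.0.15",
    "2023-12-12T10:30:00 router ACCEPT src=203.0.113.8",
    "2023-12-13T09:00:00 router DENY src=203.0.113.8",
]
MONITORED_LOG = ["2023-12-18T09:00:01 router ACCEPT src=10.0.0.12",
                 "2023-12-18T09:00:09 router DENY src=10.0.0.15",
                 "garbage line that should be ignored"]
# Constructed burst: an address never seen before is refused eight times in a row.
MONITORED_LOG += [f"2023-12-18T09:05:{s:02d} router DENY src=198.51.100.77" for s in range(8)]

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), MONITORED_LOG):
        print(alert)
```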

Has Physical Security and Staff Monitoring in Place and Uses Malware Detection

  • Physical facilities such as data centres or server rooms require physical security to ensure that only authorised personnel are allowed access. Theft of expensive computer equipment is as much a cyber-attack as any other form of cybercrime.
  • All digital devices require anti-malware software to be running to intercept attempts to install malicious code. The anti-malware software monitors for hacking attempts and blocks them. In a business, all the digital devices running anti-malware software should report back to the cyber security manager.

Reading

Learn more about the NIST framework DE.CM-2 to DE.CM-7

Cybersecurity Framework | NIST

Watch

Learn more about intrusion prevention and detection systems. Watch the video below:


Monitoring Emerging Risks

The monitoring of developments in cyber security can drive changes in policy and technical delivery as threats emerge. The CIS framework in Control 7 (continuous vulnerability management) states that:

“New security vulnerabilities are identified using industry-recognized sources for security vulnerability information …”

Cybercrime is a global phenomenon. Reliable and insightful information can be gathered from many sources online. These sources will disclose what businesses globally are discovering by monitoring their systems and networks.

Cyber security managers should schedule time to regularly research for emerging risks. Sources of information include:

  • software vendors such as SAP, IBM and Microsoft
  • peak bodies such as the Australian Prudential Regulatory Authority (APRA)
  • government agencies such as the Australian Cyber Security Centre (ACSC)
  • security focused groups such as those found on LinkedIn.

Visiting online websites provided by reputable sources (e.g., ACSC) provides research insight. Often, online cyber security portals also provide memberships. Members receive cyber security updates on key developments over email. 
