Vendors talk all the time about a cyber security attack being inevitable, news articles remind us that these attacks are common, and regulatory and law enforcement bodies want us to prepare and remind us of just how likely an attack is. We, as professionals, also know that it is a case of when, not if, that attack will happen.
Knowing an attack is effectively inevitable, we all take our defensive systems and shore them up as much as we can, offering as little room as possible for an attacker. This is probably the wisest and best thing to do. However, despite our best efforts, an attack will succeed. It is then that we must consider resilience.
Cyber Resilience
What do we mean by resilience? Resilience is the capability to recover quickly from difficulties or setbacks. Notice how I said capability and not capacity: the answer isn’t more cloud services or more servers. We need to understand our own capabilities and a couple of other important factors.
Understanding your processes, systems and data, and knowing which are critical and which could tolerate a slightly longer recovery time, allows you to ensure your focus is on what matters to your organisation. If you are a sales-led organisation then your CRM is probably key and needs to be available near 100%, whereas an employee vacation booking system might not be your primary focus.
By understanding your systems, and planning the order in which they will need to be restored, you can also ensure your defences are strongest where you need them most. Many vendors will tell you that you need to spend money to start this process off. Whilst it may speed up the process, I disagree. If you know your systems and you know your business, then you have most of what you need already; the only thing you are missing is a documented and practiced plan.
OWASP Vulnerability Management Guide (OVMG)
These ideas aren’t new, and people talk about planning and preparation all the time. It’s actually completing it that is the real challenge, especially when we look at all the other day-to-day activities on our list and the myriad of fires that need to be put out each day. I would recommend the OWASP Vulnerability Management Guide as a brilliant and well thought out place to start.
This guide addresses planning for vulnerability management, and suggests you understand your asset groups by defining what is mission critical and what isn’t, determining them by environment and type of system. For example, a public-facing Windows server that runs your payment processing should be considered critical, whereas a Linux box for testing would not. Not only will this help your vulnerability management, again reducing the surface for an attacker, but it also provides a solid foundation upon which you can begin to plan for resilience capabilities. You will understand what matters most and then be able to identify any potential choke points.
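As an added illustration (this is not code from the article or from the OVMG), here is a small Python model of that asset-group exercise: a constructed inventory is tiered by environment and business function, a dependency inherits the tier of whatever relies on it, and from that both the restoration order mentioned earlier and the choke points fall out. The asset names, their functions, the dependencies and the MISSION_CRITICAL set are all assumptions made for the example.

```python
# Constructed sample inventory (not from the article): environment, function, dependencies.
ASSETS = {
    "pay-web":  {"env": "prod", "function": "payment",  "deps": ["san", "idp"]},
    "crm":      {"env": "prod", "function": "sales",    "deps": ["idp", "san"]},
    "idp":      {"env": "prod", "function": "identity", "deps": []},
    "san":      {"env": "prod", "function": "storage",  "deps": []},
    "holiday":  {"env": "prod", "function": "hr",       "deps": ["idp"]},
    "test-lnx": {"env": "test", "function": "qa",       "deps": []},
}
MISSION_CRITICAL = {"payment", "sales", "identity"}  # assumed for this organisation

def classify(asset):  # 1 = mission critical, 2 = important, 3 = non-production, can wait
    if asset["env"] != "prod":
        return 3
    return 1 if asset["function"] in MISSION_CRITICAL else 2

def needs(assets, n, seen=None):  # everything n transitively cannot run without
    seen = set() if seen is None else seen
    for d in assets[n]["deps"]:
        if d not in seen:
            seen.add(d)
            needs(assets, d, seen)
    return seen

def effective_tiers(assets):
    # A dependency must be back before whatever relies on it, so it inherits that tier.
    base = {n: classify(a) for n, a in assets.items()}
    return {n: min([base[n]] + [base[m] for m in assets if n in needs(assets, m)])
            for n in assets}

def restoration_order(assets):
    # Walk assets best tier first; each one's dependencies are restored before it.
    tier, order, visiting = effective_tiers(assets), [], set()
    def visit(n):
        if n in order:
            return
        if n in visiting:
            raise ValueError(f"dependency cycle through {n}: fix the inventory first")
        visiting.add(n)
        for d in sorted(assets[n]["deps"], key=lambda d: (tier[d], d)):
            visit(d)
        order.append(n)
    for n in sorted(assets, key=lambda n: (tier[n], n)):
        visit(n)
    return order

def choke_points(assets, min_critical=2):  # relied on by several mission-critical systems
    critical = [n for n, a in assets.items() if classify(a) == 1]
    relied_on = {n: sorted(m for m in critical if n in needs(assets, m)) for n in assets}
    return {n: ms for n, ms in relied_on.items() if len(ms) >= min_critical}
```

Note that the storage array is not mission critical by its own function, yet it comes back second because the payment and sales systems cannot run without it; that is exactly the kind of choke point a function-only view misses.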
If you know what is mission critical, you can ensure that your technology is designed to operate in challenging times. It could be that you implement geographic and supplier diversity on your network connections, it may be ensuring a cloud-based system is backed up and recoverable within a certain time frame. There is no right or wrong when someone else is talking to you about resilience.
You know your organisation best and you are best placed to ensure that when that attack does happen, the impact is one which you can cope with. The best laid plans can easily be undermined during an actual cyber-attack, but if you have your plan, you know what matters and what needs to be done first, and you rehearse, you will find that a cyber-attack becomes less of an “all hands to the pumps” situation and more of a “this is business as usual for my security team” one. Your organisation will thank you too.
Defences are critical and necessary, but they aren’t the be-all and end-all of cyber security threats. The same must be said of resilience. By understanding the whole ecosystem, knowing our mission critical services and technology, and planning for interruptions, we can ensure our future is as assured as it can be.