
Sometimes it pays to assume the worst

When you assume, you make an ass out of ‘u’ and me, or so the saying goes, and in many situations making assumptions is indeed misguided. There are, however, fields, information security among them, where it pays to assume the worst: by doing so you can plan and prepare in advance to defend against the threats you are most likely to face.

Ransomware attacks, for example, are a stark reminder of what a worst-case scenario looks like: many companies have been taken offline or lost critical data to them. These wake-up calls have pushed many organisations into action. However, ransomware is just one of many attack vectors and, while it garners significant media attention, it may not be your company’s most pressing threat. If you choose solutions based on current headlines, you may well be wasting your resources.

A successful attack needs only one entry point, whereas defenders must protect against every potential weakness. In this respect the advantage lies with the attacker. Given enough time, skill and resources, it is a question of ‘when’ an attack will succeed rather than ‘if’.

‘Tabletop’ or ‘paper-based’ risk analysis and scenario planning lets you start from the assumption that an attack will breach your defences, and this approach is increasingly being adopted by companies facing growing and often unknown threats.

These exercises are far less expensive than deploying a technological solution, allow organisations to assess their overall security posture, and help develop a roadmap of the improvements that yield the most significant security benefit.

So, what should you be looking at when running effective scenario planning when it comes to your cybersecurity? That’s exactly what this insight looks to consider.

Know what’s important

A company’s crown jewels aren’t just important, they’re critical: if they were stolen or made unavailable, even for the shortest time, your business could stop operating. But what are your company’s crown jewels? For many it is intellectual property, the design of a new product or the product’s ‘secret recipe’; for others it could be financial data.

Maybe it’s the source code for a piece of software you’ve been developing, patient information, live production systems, servers running internal operations, your e-commerce website, the list goes on. Your crown jewels can be a combination of many things, but whatever they are, they need to be protected. The key question you need to ask yourself is: what are the things I, or my clients, can’t afford to lose?

Identify your real-world threats

When it comes to cyber threats, sophisticated is a word that is used a lot. “We were the victims of a sophisticated cyber-attack” is the usual line when news of a breach breaks. But when the dust settles, it’s often found that the attack wasn’t sophisticated at all.

Everyone likes to think they are the target of sophisticated attacks, but most attacks are opportunistic in nature, using simple techniques to exploit weak security practices, unpatched systems or human error. By identifying your most likely real-world threats and the targets they would go after, you can start to prioritise the risks, identify the techniques they would most likely use and the routes they would most likely take.

Understand your full estate and how attackers could move across it

One of the fundamental IT security challenges within organisations is the ‘visibility gap’ between the infrastructure you assume, or know, you have and what truly exists, shadow IT included. Whether because of merger and acquisition activity, personnel changes or infrastructure changes over time, it is easy to lose track of your IT estate.

Obtaining an exact picture of what you have is key: if you can’t see a legitimate device on your network, how can you properly defend it? Once you know what you have, you then need to understand the security measures in place, and not just from a technology point of view: your security processes, procedures, operating rules and system design need looking at as well.

Having this clear picture across your estate will enable you to understand where potential entry points exist and expose weaknesses which may allow an attacker to move easily across your network.

Develop your scenarios, prioritise your improvements

Once you have a full view of your organisation, of what is important to you and of your threats, you can start to develop scenarios that could have an extreme effect on your company. For example, a realistic scenario could be that an organised criminal group has stolen your intellectual property, or that hacktivists have taken down your e-commerce website with a DDoS attack. With a range of realistic scenarios in hand, you can then evaluate which ones carry the highest risk, typically by weighing how likely each one is against the impact it would have.

Once you’ve evaluated the risk scenarios, you can start to think about improvements, but first it is important to understand the steps an attacker would have to take to achieve their goal. This can be done by conducting an attack tree or kill chain analysis: working backwards from the goal, step by step, continually asking ‘how’ each step was possible.

Now that you understand the steps needed to achieve the goal, you need to identify controls that would predict, prevent, detect or respond to those actions at every stage of the attack. Some controls may already be in place, but it is important to analyse how effective they are and where gaps exist. Where gaps do exist, you can evaluate the cost and effectiveness of the controls needed to close them, which helps prioritise your remediation efforts.
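The scenario ranking, the backwards walk through the kill chain and the costing of control gaps described above can be expressed as a small model. The following is an added illustration written for this page, not code from the original article or its publisher. The scenarios, attack steps, controls, effectiveness scores and costs are constructed sample data, and the scoring rules (risk as likelihood multiplied by impact; candidate controls ranked by coverage gained per unit of cost) are assumptions chosen for the example.

```python
"""Rank risk scenarios, find control gaps along the kill chain of the top one,
and prioritise remediation by coverage gained per unit of cost.

Added example, not the article's own code. All figures are constructed
estimates; the scoring rules are assumptions chosen for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Scenario:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), analyst estimate
    impact: int      # 1 (minor) .. 5 (business stops), analyst estimate

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact  # assumed scoring rule


@dataclass
class Control:
    name: str
    kind: str             # "predict", "prevent", "detect" or "respond"
    effectiveness: float  # 0.0 .. 1.0, estimated share of attempts stopped or caught
    cost: int = 0         # relative cost units; 0 for a control already in place


@dataclass
class Step:
    """One stage of the kill chain, listed from initial access towards the goal."""
    name: str
    existing: list[Control] = field(default_factory=list)
    candidates: list[Control] = field(default_factory=list)

    def coverage(self) -> float:
        """Chance an attacker is stopped or caught here by controls already in place.
        Controls are treated as independent, so failures multiply."""
        survive = 1.0
        for c in self.existing:
            survive *= 1.0 - c.effectiveness
        return 1.0 - survive


def rank_scenarios(scenarios: list[Scenario]) -> list[Scenario]:
    """Highest risk first."""
    return sorted(scenarios, key=lambda s: s.risk, reverse=True)


def find_gaps(chain: list[Step], threshold: float = 0.5) -> list[Step]:
    """Steps where existing controls handle less than `threshold` of attempts."""
    return [s for s in chain if s.coverage() < threshold]


def prioritise(chain: list[Step], budget: int) -> list[tuple[str, str, float]]:
    """Greedy plan: repeatedly buy the candidate control with the best coverage
    gain per cost unit, recomputing gains as earlier picks raise a step's coverage.
    Returns (step name, control name, coverage gained) in purchase order."""
    coverage = {s.name: s.coverage() for s in chain}
    remaining = [(s.name, c) for s in chain for c in s.candidates]
    chosen: list[tuple[str, str, float]] = []
    while True:
        best = None
        for step_name, c in remaining:
            if c.cost > budget:
                continue
            gain = (1.0 - coverage[step_name]) * c.effectiveness  # after - before
            ratio = gain / c.cost
            if best is None or ratio > best[0]:
                best = (ratio, gain, step_name, c)
        if best is None:
            break
        _, gain, step_name, c = best
        budget -= c.cost
        coverage[step_name] += gain
        remaining.remove((step_name, c))
        chosen.append((step_name, c.name, round(gain, 2)))
    return chosen


# Constructed sample data (not real figures).
SCENARIOS = [
    Scenario("Organised crime steals the product design files", 3, 5),
    Scenario("Hacktivist DDoS takes the e-commerce site offline", 4, 3),
    Scenario("Insider emails the customer list to a competitor", 2, 4),
]

# Kill chain for the top scenario, reconstructed by asking 'how' at each step.
IP_THEFT_CHAIN = [
    Step("Phishing email delivers a credential-harvesting link",
         existing=[Control("Email gateway filtering", "prevent", 0.6),
                   Control("Staff awareness training", "prevent", 0.3)]),
    Step("Attacker logs in to the VPN with the stolen password",
         candidates=[Control("Phishing-resistant MFA", "prevent", 0.9, cost=40),
                     Control("Impossible-travel login alerting", "detect", 0.5, cost=10)]),
    Step("Lateral movement to the engineering file server",
         existing=[Control("Network segmentation", "prevent", 0.4)],
         candidates=[Control("EDR on engineering servers", "detect", 0.7, cost=30)]),
    Step("Bulk download of design files",
         candidates=[Control("DLP egress alerting on bulk transfers", "detect", 0.6, cost=20)]),
]

if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"risk {s.risk:2d}  {s.name}")
    for step in find_gaps(IP_THEFT_CHAIN):
        print(f"GAP  coverage {step.coverage():.2f}  {step.name}")
    for step_name, control, gain in prioritise(IP_THEFT_CHAIN, budget=70):
        print(f"BUY  +{gain:.2f}  {control}  ({step_name})")
```

With a budget of 70 units the plan buys the cheap login alerting first, then the DLP alerting and the EDR deployment, and leaves the MFA rollout unfunded because, once alerting already covers half of the VPN step, its remaining gain per unit of cost falls below the alternatives. Changing the estimates or the budget changes the order, which is precisely the conversation a tabletop exercise is meant to provoke.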

Put your improvement efforts to the test

The more effective defensive measures you put in place, the more difficult you make it for would-be attackers. But how do you know if your defences are truly effective? You need to test them. Having your work tested can seem a daunting prospect, and it is easy to think it will belittle or ridicule your security efforts. That isn’t the case. Testing is designed to support your efforts, ensuring that your business is as well protected as possible against the primary risk scenarios you have identified.

Penetration testing and red teaming are good options for evaluating your defensive measures: testers simulate the actions of an attacker, potentially uncovering further vulnerabilities, supporting remediation and giving you assurance that your efforts have been effective.

Make sure information security is an ongoing process, not just a one off

Information security can sometimes be seen as a tick-box exercise: once it’s complete, you’re protected. But that isn’t the case. What is considered safe today may be vulnerable to attack tomorrow. Attackers are always looking for new attack routes, new techniques and new vulnerabilities, and no company, or technology, is ‘unhackable’.

Security improvement efforts, such as risk analysis and scenario planning, need to be ongoing, helping keep your company one step ahead of any malicious threats.

First published in Computing Security Magazine
