Cyber Security – Addressing Highly Dynamic Risks

Cyber Security

Addressing Highly Dynamic Risks

Flavio Gerbino
by Flavio Gerbino
time to read: 14 minutes

The term cyber has gradually increased in significance in recent years, alongside information security, and beyond specialist circles. It has become acceptable, and even if the sensationalism of the term has worn off a little, it is used readily and widely. However, it still has a dramatic, almost mythical connotation.

It often comes as a prefix, attaching itself to established terms to lend them a certain gravity and impact: cyber attack, cyber crime, cyber espionage, cyber security, cyber warfare, etc. It has become a universally applicable term of security discourse.

The origins of a word

Delving into the etymology of the word cyber, the first word we come across is cybernetics, the control sciences _of _cybernetics, thus the Greek kybernetes, helmsman, together with his kybernetike (techne), the helmsman’s art, and finally the primary word kybernan, to steer.

In the book What Philologists Love – 27 Word Histories by Klaus Bartels, you will find the following explanation:

This “Greek” kybernetes was an interloper in Greek, with no related words, and we do not know from which “barbarian” land it washed up on the Greek coast.

So this description might suggest why we should really think carefully about the cyber issue – it is precisely this menacing uncertainty, this doubtful, unforeseeable quality that can abruptly make its presence felt from out of nowhere that causes us concern. Just like the Greeks felt about the sudden appearance of the kybernetes.

And in more recent literature, references to the word cyber can be found. In 1982, the American science fiction author William Gibson wrote the short story Burning Chrome. The hacker’s software described in the story is called Cyber Space Seven.

In an interview with the New York Times a few years later, Gibson revealed that in fact the word had no meaning. But he liked it all the same, if only for the sound of the word.

Cyber for businesses

The fact that the term cyber is so widely used makes it all the more important from a corporate point of view to limit it to a specific perspective in order to ensure that the areas of activity are better delineated in context and appropriately defined.

This should extend to cyber security assuming the quasi status of a significant facet of information security and information security management. This reflects the fact that cyber security incorporates everything that the company may wish to protect against premeditated attacks, threats, vulnerabilities and their consequences.

Despite the polyvalent usage of the term, cyber security should be aligned with every other aspect of a company’s information security. Naturally, that includes management disciplines such as governance and risk management.

In contrast with traditional, more static information security, the leitmotif of cyber security stems from its pronounced dynamism, which has a highly situational focus and is, according to the threat level, permanently adaptable in order to address subjects as they arise. This characteristic entails a continual process of improvement that ensures all defined requirements can be fulfilled. These result not just from company-specific security objectives, but also evolve naturally from the development of good practices, legal framework conditions and regulatory rules of play.

Shift in security models

Traditional information security Cyber security
Reactive (historic) Intelligence-driven (future)
Perimeter-based Risk & attack scenario-based
Static controls Dynamic controls
“Silo” management system “Contextual” management system

The action sphere of traditional information security is expanded to encompass all cyberspace as we know it. This includes all the technologies associated with the internet and other networks (including the Darknet) and takes into account extended communication paths, processes, applications, data streams and information. From this, one can draw the following conclusions.

Starting with the major business areas of a company, one can incorporate various perspectives of cyber security that can contribute to a greater understanding of reality in terms of the significance of effective risks and threats:

The development of a tailor-made cyber security strategy, then, comes from taking a bird’s-eye view beyond the company’s industry-standard framework, in order that security innovations and emerging threats and trends from other channels (e.g. Dark Net) are registered and tracked minutely.

Furthermore, national and international advances, strategies and tactics from the fields of business, politics and other organizations or industry groupings can provide a valuable basis for orientation. These include:

Orientation and further development of cyber security measures and projects in terms of a commonsense comparison.

Regulatory positions

In the guideline Corporate governance principles for banks issued by the Basel Committee on Banking Supervision in July 2015, the theme of cyber security and cyber risks is mentioned for the first time.

(…) cyber risks have captured the attention of regulators and bank executives alike after large-scale and coordinated denial of service attacks on banks and high profile criminal hacking (…)

it is interesting that mention is made of cyber risks in the Annual Report of the Swiss National Bank SNB. In other words, cyber attacks are being documented as concrete risks in the financial system for the first time, specifically in the context of the Financial Stability Board:

The FSB promotes international financial stability; it does so by coordinating national financial authorities and international standard-setting bodies as they work towards development of strong regulatory, supervisory and other financial sector policies. It also represents the link between sector-specific standard-setting bodies and the G20.

In Switzerland, FINMA (Financial Market Supervisory Authority) is naturally also concerned with aligning the Swiss basis with international standards, such as the Basel Committee.

That means FINMA, too, is concerned with Summarizing Corporate Governance of Banks (internal control system risk management). Here, they have combined different provisions – previously distributed in various circulars – in one circular and adapted the provisions in the light of findings arising from the financial market crisis and updated international standards.

This results in stricter regulations for corporate governance, internal control systems and risk management, as well as the first use of the term cyber to cover management of IT and cyber risks. This principle of IT and cyber crime is taken up in the 2008/21 Circular: Operational Risks – Banks.

If the new Principle 4, which concerns the cyber security requirements of FINMA, is considered, one sees that the previously mentioned dimensions are almost congruent with current standards of cyber security (NIST Cybersecurity Framework).

FINMA NIST
Planning: Cyber risk management strategy N/A
Identification: Identification of potential risks for cyber attacks Identify
Protect: Protection from cyber attacks Protect
Detection: Detection of cyber attacks Detect
Reaction: Reaction to cyber attacks Respond
Recovery: Recovery after a cyber attack Recover

Cyber security standards

You can now find established standards that form a good basis for development of cyber security strategies:

The essence of cyber security

Cyber security takes more than just an uncritical compliance with regulations, standards and good practices. We have seen that the traditional, preventative perimeter security is no longer reliable enough. Today’s threats tend not to come from perimeter intrusions per se, as the regular, established point of view would have it.

With advanced persistent threats (APT), for example, it becomes clear that the defensive line has already been successfully breached at one or other of the sites of traditional information security and that hackers are able to lurk undetected behind enemy lines, perhaps without causing direct, visible damage at first.

The danger of attackers lurking for extended periods behind these apparent lines of protection is now more real than ever. This requires a paradigm shift among security experts and company management – a shift to security modeling.

In essence, it’s about aligning cyber security objectives with the anticipation of future, potential cyber risks and emerging threats with the objective of optimally preparing and positioning the company to offer the best defense against present and future developments.

The early discovery of targeted attacks through detection of anomalies (and by no means just technical anomalies) and rapid assessment of potential impact – that is, the optimal situational awareness of security in real time – are essential. And this is precisely the essence of cyber security.

This includes, in particular:

Conclusion

There is no simple Archimedean point of cyber security, only countless parameters, protection objectives, risks, threats and attack scenarios. The view of the whole is more than the sum of its parts. And the dangers also arise out of effects and tendencies the causalities and correlations of which we currently have little understanding.

Even the most refined cyber security strategy does not allow us to recognize, register, measure and detect everything. But that’s not to say that we should not engage intensively with cyber security. On the contrary – we find ourselves in a tricky center position. We know some things, we can get more in-depth information on others, and with a bit of imagination we can realistically recognize and register threat scenarios. From this perspective, cyber security is the concrete attempt to do our best for security.

About the Author

Flavio Gerbino

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.

Links

Is your data also traded on the dark net?

We are going to monitor the digital underground for you!

×
Passwordless Authentication

Passwordless Authentication

Tomaso Vasella

Data Markets

Data Markets

Marc Ruef

Transport Layer Security

Transport Layer Security

Andrea Hauser

Diversify AI

Diversify AI

Marisa Tschopp

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here