Is there a requirement to monitor the threat environment? We believe that organizations have an obligation to understand the risks they face. Without such an assessment, an organization cannot effectively target the resources available to it to maximize its protection, and some may require assistance in monitoring for threat intelligence and active threats. There are many sources – commercial, government, academic and not-for-profit – that may be able to provide assistance in this regard.
Threats are constantly evolving along with technology. Business risks that were acceptable yesterday may be unacceptable today. New threats are constantly arising. Simply carrying out a threat assessment is not enough; the process must be constantly reviewed to take into account threat evolution. But in addition to threats posed by nation-state actors, NGO actors, insiders and hacker groups, an organization’s freedom of action regarding self-defense may also be affected by laws, regulations, contract provisions and self-interest. These may require or prohibit certain actions by an organization to accomplish cybersecurity goals.
Governments worldwide are recognizing the risks associated with cyber operations in their public and private sectors, and passing laws to criminalize certain actions. These laws may extend to movement (or limitation of movement) of data across national borders. Organizations are responsible for maintaining knowledge of laws in countries in which they operate or in which their customers or data reside.
Regulations, like laws, can affect decisions about how systems are structured and protected. As with laws, it is incumbent on companies to maintain knowledge of applicable regulations. Note that regulations can be promulgated by or limited to a single nation, or may be associated with a multinational organization. For example, the EU General Data Protection Regulation has effect throughout the European Union.
Some cybersecurity requirements can be the result of a contractual relationship. For example, on a global basis, those organizations accepting payment cards (debit and credit cards) are obliged by contract to protect card information using the Payment Card Industry Data Security Standard.
An organization may set rules that are more strict than those required by law, regulation or contract. Having more limitations on data protection and movement than are required by external factors may be important in some industries, and companies are free to self-impose restrictions as long as those restrictions are compatible with laws, regulations and contractual requirements.
How to Accomplish Monitoring the Threat Environment
Obviously, organizations differ in size, technological capability, legal staffing and needs. While some may have the in-house capability to monitor the nature of threats that they face, others may not. Regardless of these factors, the need to monitor the threat environment, to carry out risk assessment and to design, implement and maintain a commercially reasonable and effective cybersecurity program is incumbent on all organizations. Any organization that lacks the capabilities to do so must seek assistance. In some cases, organizations may turn to government agencies for help with monitoring threats and developing and implementing an effective cybersecurity program, or they may seek help from academic institutions or not-for-profit organizations. But in many cases, the most cost-effective alternative is to work with a commercial vendor that can provide a continuing service to carry out monitoring, leveraging updated indicators of compromise and real-time notifications of problems.
Why Are So Many Attacks Successful?
We have been fighting challenges to our computer systems for almost 50 years, and challenges to our financial systems, intellectual property and informational targets with value for centuries. But it seems that as quickly as we develop defenses, the criminals develop new ways of defeating them. Can we change that paradigm? And if we can, will we?
The root cause of the problem starts with the fact that the internet, as we know it, was never designed to be secure. It permits users to hide their identities. It allows for the creation of regions such as the deepnet or the darknet, which are invisible to most users and are employed in many cases for nefarious purposes.
We don’t believe that the internet was created as it was with the intention of facilitating misuse. Rather, we believe that many – perhaps most – of the problems we face are a result of what is known as The Law of Unanticipated Consequences. This concept states that there can be results of actions we take that are not what we intended, and they can be either positive or negative. An unanticipated consequence can be the result of insufficient testing or simply not thinking in terms of negative (or positive) ways in which a piece of software could be used or abused.
Cyber investigations often involve identifying root causes that are unanticipated consequences. This should not be surprising. The aim of this book is to provide guidance in initiating, carrying out and reporting on investigations of cyber incidents. While most of the steps in an investigation are quite logical, sometimes investigative success involves thinking outside the box. In fact, it is the inability to think broadly that can be the cause of an investigative failure. Keep this in mind as you read and use this book.
An extract from the first edition of The Guide to Cyber Investigations. The whole publication is available at Global Investigations Review.