Serious cyberattacks are in the news almost on a daily basis. They often result in data loss or companies or organisations being unable to provide their services. An understanding of how much we rely on a functioning IT system is growing fast, both in our daily lives and in the workplace. The increasingly complex and distributed IT structures offer more and more attack surfaces, which are shamelessly exploited by cybercriminals.
The weak defence capabilities in many companies have led to increased regulatory pressure. For “critical infrastructure” in particular, regulators are increasingly demanding that companies increase their cyber resilience. There is a broad agreement that 100% protection cannot be achieved, and a way of dealing with the never-ending attacks must be found instead.
Traditionally, the financial industry has been the most regulated industry. For example, FINMA has revised the circular on operational risk and resilience, and the credit and debit card standard-setting body has issued the new PCI DSS 4.0 standard. Many other regulations also aim to make organisations more diligent and assertive in identifying cyber risks and reducing them to an acceptable level.
At PwC, we help clients evaluate their ability to deal with the main cyber risks and threats of the digital world in an easy and understandable way.
Every company needs transparency with regard to the IT environments it uses. This entails an inventory of IT assets with all devices, versions of firmware, operating systems and all other important software. To reduce the attack surface:
Fast and reliable detection of cyberattacks is only successful if an organisation is able to monitor the following aspects and identify anomalies or known attack patterns based on them:
Aggregating logs from different systems can help, but is definitely not enough for the quick detection of anomalies. This requires modern (nowadays mostly cloud-based) “extended detection and response” systems and a highly effective team. However, this does not mean that every organisation must set up a “Security Operations Centre” (SOC) itself. After all, not every organisation has built up its own fire brigade.
As soon as an attack, an anomaly or a suspicious data leak is detected, the “Incident Response Team” must be able to react quickly and take effective measures. Cyber crises in particular need to be trained for, since people can only deal with crises if they also understand them. A cyberattack scenario differs from other crisis situations such as floods, fires or earthquakes in precisely this respect – the crisis is not visible and is difficult to “grasp”.
Despite all precautions, attacks or failures of the IT infrastructure can still occur. The ability to restore from “bare metal” after a ransomware attack as well as understanding the interdependence of the individual IT components and their orderly restoration is something that requires concepts and practice.
As the saying goes: “No master has been trained in one day”. That is why every organisation should first strive to quickly protect the most important data and IT systems and then constantly improve and expand the scope of protection. Very few succeed in creating the ideal solution right from the start, since the environment and an organisation’s own IT landscape are subject to such rapid change.
The first step to cyber resilience requires knowing your attack surface and minimising it to an acceptable level. The following aspects play a decisive role in this first step:
Get an overview of the IT landscape and create an inventory of IT assets:
This inventory as a breakdown of your IT assets is the prerequisite for an organisation to be able to monitor which users, with which devices, over which networks, access which applications and ultimately data. If there is no transparency, no anomalies can be detected.
Every IT landscape has a life cycle. If you use an IT device or an operating system, then you will be aware of how long the manufacturer will provide support for it. If you overlook this, your vendors will usually make you aware of when a system will no longer be supported (“end of support”). After that, you will no longer receive security updates or “patches” to close possible security vulnerabilities. It may sound banal, but everyday reality has shown that in many cases systems are still in productive use even though they are no longer supported by the manufacturers, which significantly weakens the security of a company’s IT system.
There may be operational reasons to justify not replacing equipment that has this status. In these cases, however, the additional risks must be identified, evaluated and reduced to an acceptable level. It is very risky to operate an “end of support” device without taking further measures. It is better to replace devices and software versions that are no longer supported at an early stage.
Each manufacturer as well as various organisations such as CIS, NIST, etc. provide baselines on how to configure devices and systems to enable only the functions that are needed and protect against known attack vectors as much as possible. This means that a company creates hardening standards for its servers, PCs and network devices, and regularly checks and adjusts them. It is not enough to write the standard down and publish it. The respective company organisations must ensure that new installations comply with the specifications.
Furthermore, it is necessary to check at regular intervals (according to PCI DSS, for example, at least every three months) whether the hardening on the running systems still complies with the specifications.
You can read more about state-of-the-art security compliance management, and how to implement it smoothly in our blog.
In addition to hardening, regular checks must also be made to ensure that known vulnerabilities are detected on the systems. These must then be eliminated in an orderly process based on the risks they present or be mitigated by compensatory measures.
Learn how to manage software vulnerabilites efficiently and effectively in our white paper.Download your copy
All these things can only be done reliably if roles and responsibilities are clear and tasks are assigned to teams with sufficient resources and skills. For this purpose, an IT service management/IT security process landscape should be created in accordance with ITIL 4 so that the roles and responsibilities for the respective process steps are formalised, documented and assigned to individuals. They must also be accountable if the specifications are not met.
Cyber resilience requires transparency with regard to the IT landscape and the status of the components. To do this, the inventory and the vulnerability scanner must be linked to verify whether the information listed in the inventory matches the key items scanned in the network. This is the only way to keep the inventory up to date and keep the data quality high.
Our solution approach covers your entire cyber resilience journey.
In the assessment, we establish how far along your organisation is on the path to cyber resilience. For this purpose, common “best practices” and maturity models that identify the biggest gaps are used as a reference.
A transformation is planned and initiated in a project to close the gaps identified. This is comprehensive and takes into account the “tooling” as well as processes and governance aspects.
A solution is only as good as it is integrated into an organisation’s operational processes. To this end, we support you with different models such as “early life support”, “managed service” or whatever makes the most sense for your specific environment and needs.
In Vulnerability Management and Hardening Standards/Security Configuration Baseline Management as well as Managed Cyber Defence, PwC has extensive experience and expertise which we are happy to offer at attractive prices in a “pay per use” model which includes tooling. This will enable your organisation to benefit in a very short space of time and take a significant step towards resilience.
Head Cybersecurity Technology & Transformation, PwC Switzerland
Tel: +41 58 792 13 33