3

What is a Cyber Strategy?

A cyber strategy is a documented approach toward various aspects of cyberspace. It is mostly developed to address the cybersecurity needs of an entity by setting out how data, networks, technical systems, and people will be protected. An effective cyber strategy is proportionate to the entity's cybersecurity risk exposure, and it covers every part of the attack surface that malicious parties could target.

Cybersecurity has been taking center-stage in most cyber strategies because cyber threats are continually becoming more advanced as better exploitation tools and techniques become available to threat actors. Due to these threats, organizations are advised to develop cyber strategies that ensure the protection of their cyber infrastructure from different risks and threats. This chapter will discuss the following:

  • How to build a cyber strategy
  • Why do we need to build a cyber strategy?
  • Best cyber attack strategies
  • Best cyber defense strategies
  • Benefits of having a proactive cybersecurity strategy
  • Top cybersecurity strategies for businesses

Let’s begin by discussing the foundational elements you need in order to build a cyber strategy.

How to build a cyber strategy

In the 6th century BC, Sun Tzu said, “If you know your enemies and know yourself, you will not be imperilled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperilled in every single battle.” This quote still applies today to cyber strategies, and explains why it is so vital to understand both your business and the risks posed to it by threat actors: doing so will form the basis of a strong cyber strategy that helps protect your business from attack.

To build a cyber strategy, there are three major pillars that you need to form a solid foundation:


Figure 3.1: Foundations of a cyber strategy

These three components are crucial to understanding what makes a cyber strategy effective.

1 – Understand the business

The more you know about your business, the better you can secure it. It’s really important to know the goals and objectives of your organization; the people you work with; the industry and its current trends; and your business’s risks, risk appetite, and most valuable assets. Having a complete inventory of assets is essential to prioritize the strategy plans based on the risk and impact of an attack on these assets. Everything we do must be a reflection of the business requirements approved by the senior leadership.

2 – Understand the threats and risks

It’s not easy to define risk as the word “risk” is used in many different ways. While there are many definitions of the term, ISO 31000 defines risk as the “effect of uncertainty on objectives” where an effect is a positive or negative deviation from what is expected. We will use the ISO definition of risk in this case.

The word risk combines three elements: it starts with a potential event and then combines its probability with its potential severity. Many risk management courses define risk as:

Risk (potential loss) = Threat x Vulnerability x Asset

Figure 3.2: The definition of risk illustrated

It is important to understand that not all risks are worthy of mitigation. If the mitigation is going to cost you more than the loss it would prevent, or if it's not a major risk, then the risk can be accepted.
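The asset inventory from the first pillar and the risk formula above come together in a risk register: each asset is scored, the register is ranked, and the accept-or-mitigate rule is applied. The following is an added illustration, not code from the chapter; the 1 to 5 ratings, the assets, the cost and loss figures and the risk-appetite threshold are all constructed assumptions.

```python
"""Prioritise a risk register using Risk = Threat x Vulnerability x Asset.

Added example, not from the chapter. Ratings are assumed 1-5 scales and the
inventory, costs and losses are constructed values for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    asset: str
    asset_value: int        # 1 (low) .. 5 (critical): business impact if compromised
    threat: int             # 1 .. 5: how likely a threat actor is to target it
    vulnerability: int      # 1 .. 5: how exposed the asset is today
    mitigation_cost: int    # hypothetical cost of the fix (same units as expected_loss)
    expected_loss: int      # hypothetical loss if the risk materialises

    def score(self) -> int:
        # The chapter's formula: Risk (potential loss) = Threat x Vulnerability x Asset
        return self.threat * self.vulnerability * self.asset_value


def decide(item: RiskItem, threshold: int = 27) -> str:
    """Apply the acceptance rule from the text.

    Accept when the fix costs more than the loss it prevents, or when the
    score falls below the organisation's risk appetite (threshold is an
    assumed value approved by leadership); otherwise flag for mitigation.
    """
    if item.mitigation_cost > item.expected_loss:
        return "accept (mitigation costs more than the loss it prevents)"
    if item.score() < threshold:
        return "accept (below risk appetite)"
    return "mitigate"


def prioritise(register):
    """Return (asset, score, decision) tuples, highest risk first."""
    ranked = sorted(register, key=lambda i: i.score(), reverse=True)
    return [(i.asset, i.score(), decide(i)) for i in ranked]


# Constructed inventory: asset, asset_value, threat, vulnerability, cost, loss
REGISTER = [
    RiskItem("customer database", 5, 4, 3, 40, 500),
    RiskItem("public marketing site", 2, 5, 4, 10, 15),
    RiskItem("legacy print server", 1, 2, 5, 50, 5),
    RiskItem("file server", 4, 3, 3, 20, 200),
    RiskItem("lobby kiosk", 1, 3, 3, 2, 30),
]

if __name__ == "__main__":
    for asset, score, decision in prioritise(REGISTER):
        print(f"{asset:24} risk={score:3}  -> {decision}")
```

Ranking by the product rather than by any single factor is the point: the marketing site is a low-value asset but its high threat and vulnerability ratings still place it above the file server, while the print server is accepted purely because fixing it costs more than it could ever lose.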

3 – Proper documentation

Documentation acts as a kind of standardization between processes that ensures everyone in your organization is working in the same way toward the same outcome. It is a key aspect of every strategy and plays a particularly critical role when it comes to assuring business continuity. Documenting the cyber strategy plan will ensure efficiency, consistency, and peace of mind for everyone involved. However, documentation should not be treated as a one-time activity, as even after a cyber strategy plan is written down, it will still require updating to reflect changes in the cybersecurity landscape.

The illustration shown in Figure 3.3 provides an example of what good cyber strategy documentation should cover:

Figure 3.3: What a cyber strategy plan should cover

In summary, a cyber strategy is a plan for managing organizational security risk according to the company’s definition of risk tolerance with the intent to meet business and organizational goals. A cyber strategy should be fully aligned with the business strategy as well as with the business drivers and goals. Once this has been aligned, you can build the technical aspects and the cyber strategy to be more cyber safe. We will discuss these aspects later in this chapter, but now that you understand the basics of forming a cyber strategy, let’s take a moment to discuss the benefits that will come from having one in place.

Why do we need to build a cyber strategy?

Organizations are constantly dealing with threats emanating from hardened professionals in cyber attacks. It is a sad reality that many intrusions are carried out by nation-states, cyber terrorists, and powerful cybercriminal groups. There is an underground economy of hackers that facilitates the purchase or hiring of intrusion tools, techniques, and personnel, as well as the laundering of monetary proceeds from successful attacks. It is often the case that attackers have far more technical expertise in cybersecurity than the average IT employee. Therefore, attackers can leverage their advanced expertise to easily bypass many cyber defense tools set up by the IT departments in many organizations.

This, therefore, calls for a redefinition of how organizations should deal with cyber threats and threat actors, because leaving the task to the IT department is just not enough. While hardening systems and installing more security tools would have worked just fine a few years ago, today organizations need a well-thought-out cyber strategy to guide their cyber defense approaches. The following are some of the reasons why cyber strategies are essential:

  • They provide details on security tactics – cyber strategies lay out high-level tactics for ensuring the security of the organization. These tactics touch on incident response, disaster recovery and business continuity plans, and behavioral responses to attacks to help calm stakeholders, among other tactics. These can help to inform stakeholders about the preparedness of an organization for dealing with cyber attacks.
  • They move away from assumptions – some cybersecurity defense mechanisms used in organizations today are based on assumptions from the IT department or cybersecurity consultants. However, there is always a chance that assumptions could be misleading and, perhaps, tailored only toward a certain goal such as compliance. Cyber strategies, on the other hand, are informed plans of action that cover different cyber threats and risks. They are also developed with a common end goal in sight: to align security objectives with business objectives.
  • They improve organization – cyber strategies bring centralized control and decision making to matters regarding cybersecurity since they are built in collaboration with different stakeholders. This ensures that different departments in an organization can set and work in coordination toward achieving a common set of security goals. For instance, line managers could discourage junior employees from sharing login credentials to prevent phishing. Such small contributions from different departments, as informed by the cyber strategy, help improve the overall security posture of an organization.
  • They prove your long-term commitment to security – a cyber strategy provides assurance that the organization will commit considerable efforts and resources toward securing the organization. Such commitment is a good sign to stakeholders that the organization will remain secure during attacks.
  • They simplify cybersecurity to stakeholders – a cyber strategy helps to break down the complexities of cybersecurity. It informs all stakeholders about the cyberspace risks and threats then explains how these are mitigated through a set of small achievable goals.

With that we can conclude that without a cyber strategy you will not optimize your investment, you cannot prioritize the needs of the business, and the overall security state becomes way more complex.

Cyber strategies might take two approaches toward security: the defense perspective, or the attack perspective. In the defense perspective, the cyber strategy focuses on informing stakeholders about the defense strategies that an organization has put in place to protect itself from identified threats. On the other hand, cyber strategies of the attack perspective might be focused on proving the effectiveness of existing security capabilities so as to find flaws and fix them. Therefore, attack perspective strategies might extensively cover the different methods that will be used to test the organization’s preparedness for attack. Lastly, some strategies might be a mix of the two perspectives, covering the testing and strengthening of existing defense mechanisms. The chosen approach will depend on available resources and business objectives. The following sections will discuss some commonly used cyber attack and defense strategies.

Best cyber attack strategies

One of the best ways to secure an organization is to think like a hacker and try to breach the organization’s security using the same tools and techniques that an adversary would use.

Testing the defense strategies can be done either via external testing from outside the network or internally. These testing processes aim to ensure that the implemented security strategy is effective and aligns with the objectives of the business processes.

The sections that follow highlight some of the best cyber attack strategies that organizations should consider when testing their systems.

External testing strategies

These testing strategies involve attempting to breach the organization externally, that is, from outside its network. In this case, cyber attacks will be directed at publicly accessible resources for testing purposes. For instance, the firewall could be targeted via a DDoS attack to make it impossible for legitimate traffic to flow into the organization’s network. Email servers are also targeted to try and jam email communication in the organization. Web servers are also targeted to try and find wrongly placed files such as sensitive information stored in publicly accessible folders. Other common targets include domain name servers and intrusion detection systems, which are usually exposed to the public. Other than technical systems, external testing strategies also include attacks directed at the staff or users. Such attacks can be carried out through social media platforms, emails, and phone calls. The most commonly used attack method here is social engineering, whereby targets are persuaded to share sensitive details or send money to pay for non-existent services, ransoms, and so on, so external testing strategies should mimic these attacks.

Internal testing strategies

This includes attack tests performed within an organization with the goal of mimicking insider threats that may try to compromise the organization. These include disgruntled employees and visitors with malicious intent. Internal security-breach tests always assume that the adversary has standard access privileges, is knowledgeable of where sensitive information is kept, and can evade detection and even disable some security tools.

The aim of internal testing is to harden the systems that are exposed to regular users to ensure that they cannot be easily breached. Some of the techniques used in external testing can still be used in internal testing, but their efficiency often increases within the network since they are exposed to more targets.

Blind testing strategy

This is a testing strategy aimed at catching the organization by surprise. It is conducted with limited information given to the IT department so that, when it happens, they can treat it as a real hack and not a test. Blind testing is done by attacking security tools, trying to breach network defenses, and targeting users to obtain credentials or sensitive information from them. Blind testing is often expensive since the testing team does not get any form of support from the IT department to avoid alerting them about the planned attacks. However, it often leads to the discovery of many unknown vulnerabilities.

Targeted testing strategy

This type of testing isolates only one target and carries out multiple attacks on it to discover the ones that can succeed. It is highly effective when testing new systems or specific cybersecurity aspects such as incident response to attacks targeting critical systems. However, due to its narrow scope, targeted testing does not give full details about the vulnerability of the whole organization.

Best cyber defense strategies

The bottom line of cybersecurity often comes down to the defense systems that an organization has in place. There are two defense strategies that organizations commonly use: defense in depth and defense in breadth.

Defense in depth

It is also referred to as layered security and involves employing stratified defense mechanisms to make it hard for attackers to breach organizations. Since multiple layers of security are employed, the failure of one level of security to thwart an attack only exposes attackers to another security layer. Due to this redundancy, it becomes complex and expensive for hackers to try and breach systems.

The defense-in-depth strategy appeals to organizations that believe that no single layer of security is immune to attacks. Therefore, a series of defense systems is always deployed to protect systems, networks, and data. For instance, an organization that wishes to protect its file server might deploy an intrusion detection system and a firewall on its network. It may also install an endpoint antivirus program on the server and further encrypt its contents. Lastly, it may disable remote access and employ two-factor authentication for any login attempt. Any hacker trying to gain access to the sensitive files in the server will have to successfully breach all these layers of security. The chances of success are very low as each layer of security has a complexity of its own. Common components in defense-in-depth approaches are:

  • Network security – since networks are the most exposed attack surfaces, the first line of defense is usually aimed at protecting them. The IT department might install a firewall to block malicious traffic and also prevent internal users from sending malicious traffic or visiting malicious networks.

In addition, intrusion detection systems are deployed on the network to help detect suspicious activity. Due to the widespread use of DDoS attacks against firewalls, it is recommended that organizations purchase firewalls that can withstand such attacks for a continuous period of time.

  • Host protection (computer and server security) – antivirus systems are essential in protecting computing devices from getting infected with malware. Modern antivirus systems come with additional functionalities such as built-in firewalls that can be used to further secure a host in a network.
  • Encryption – encryption is often the most trusted line of defense since it is based on mathematical complexities. Organizations choose to encrypt sensitive data to ensure that only authorized personnel can access it. When such data is stolen, it is not a big blow to the organization since most encryption algorithms are not easy to break.
  • Access control – access control is used as a method of limiting the people that can access a resource in a network through authentication. Organizations often combine physical and logical access controls to make it hard for potential hackers to breach them. Physical controls involve the use of locks and security guards to physically deter people from accessing sensitive areas such as server rooms. Logical controls, on the other hand, entail the use of authentication before a user can access any system. Traditionally, only username and password combinations were used but due to increased numbers of breaches, two-factor authentication is recommended.

Layered security is the most widely used cyber defense strategy. However, it is increasingly becoming too expensive and quite ineffective. Hackers are still able to bypass several layers of security using attack techniques such as phishing where the end user is directly targeted. In addition, multiple layers of security are expensive to install and maintain and this is quite challenging for SMEs. This is why there is an increase in the number of organizations considering the defense-in-breadth approach.

Defense in breadth

This is a new defense strategy that combines the traditional security approaches with new security mechanisms. It aims to offer security at every layer of the OSI model. The different OSI model layers include the physical, data link, network, application, presentation, session, and transport layers. Therefore, when hackers evade the conventional security tools, they are still thwarted by other mitigation strategies higher up the OSI model. The last layer of security is usually the application layer. There is an increase in the popularity of Web Application Firewalls (WAFs) that are highly effective against attacks targeted at specific applications. Once an attack has been launched, the WAF can thwart it and a rule can be created to prevent future similar attacks until a patch has been applied. In addition to this, security-aware developers are using Open Web Application Security Project (OWASP) methodologies when developing applications. These methodologies insist on the development of applications that meet a standard level of security and address a list of common vulnerabilities. Future developments will ensure that applications are shipped when almost fully secure. They will therefore be individually capable of thwarting or withstanding attacks without relying on other defense systems.

Another concept used in defense in breadth is security automation. This is where systems are developed with the abilities to detect attacks and automatically defend themselves. These capabilities are achieved using machine learning where systems are taught their desired states and normal environment setups. When there are anomalies either in their state or environment, the applications can scan for threats and mitigate them. This technology is already being fitted into security applications to improve their efficiency. There are AI-based firewalls and host-based antivirus programs that can handle security incidents without the need for human input. However, defense in breadth is still a new strategy and many organizations are apprehensive about using it.

Whether an organization uses defense in breadth (to address the security of every sector of an organization) or defense in depth (to provide multiple layers of security to a sector) or even a combination of both defenses, it is worth ensuring that their overall cybersecurity strategy is proactive in its approach.

Benefits of having a proactive cybersecurity strategy

It is no longer just enough to have a cybersecurity strategy in place. The functioning of the cybersecurity strategy you have developed needs to be proactive to benefit you the most, given the possible negative effects of a successful security incident. A proactive security strategy essentially focuses on anticipating threats and doing something about them before they happen. Some of the benefits of having a proactive approach to cybersecurity are listed below:

  • A proactive approach is less costly compared to a reactive approach. A reactive approach to cybersecurity means you develop systems and policies that focus on reacting to security incidents after they occur. The danger of such an approach is that if your organization is faced with a new type of threat, the organization may not be fully poised to handle the consequences of such a threat. This will probably lead to much higher costs compared to having a proactive approach.
  • A proactive approach to risk management means that you remain ahead of your threat actors. Being ahead of your potential attackers is a dream situation for any security team. It means that the security team develops means of protecting the organization that will keep attackers at bay. Having such an approach means that threat actors will struggle to develop any meaningful attack on the systems and in case of a security incident, little negative effect is expected.
  • A proactive approach reduces confusion. A proactive approach provides the security team and the organization at large with a means of addressing security incidents and any potential risks of such incidents. It provides a clear plan on how an organization will carry out its activities in case they are faced with potential threats. Where no proactive approach to security is in place, confusion during the aftermath of a security incident will lead to further loss and further delays in getting organizational systems back up.
  • A proactive approach makes it harder for attackers to carry out their attacks. Attackers are continually searching for weaknesses to exploit in any organization. A proactive approach means that the organization will carry out similar approaches themselves, continually evaluating their systems to identify exploitable vulnerabilities in the system. Once these vulnerabilities are identified, the organization takes measures to address them before they are exploited by threat actors targeting the organization. Therefore, a proactive approach helps prevent threat actors from finding vulnerabilities first and then exploiting these vulnerabilities to the detriment of an organization.
  • Aligning cybersecurity with the organization’s vision. A well-planned and proactive approach to risk management and cybersecurity is essential for helping an organization in aligning its cyber strategy plans with the organization’s vision. An unplanned cyber strategy can affect an organization’s business operations and plans both in the short and in the long term. But with a proactive approach, an organization can ensure that the strategy fits with the long-term vision of an organization and that the budgeting and implementation of the strategy fits the vision of the business.
  • It fosters a security-conscious culture: Every member of an organization is crucial to the implementation of a cybersecurity strategy. People, just like the informational assets in an organization, can be targeted as the weak links in the security system and then used to gain access to an organization’s system. Therefore, developing a security-conscious culture in an organization will massively benefit the organization’s security aspects and boost its ability to keep attackers at bay.
  • A proactive approach helps an organization go beyond just compliance requirements. In many cases, organizations will develop a cybersecurity strategy that fits compliance requirements in order to avoid problems with the law. In many cases, these compliance requirements will be enough to protect an organization against many threats, especially the common ones. However, the most dangerous attacks, which are often carried out by actors seeking a larger payoff from an organization, will not be prevented by a cybersecurity strategy that aims only to meet the minimum legal requirements.
  • A proactive approach to cyber strategy development ensures that an organization equally invests in the three sections of cybersecurity: the prevention, detection, and response phases. All three phases of cybersecurity are important to implement an effective security strategy. Focusing on one area while neglecting another area will lead to ineffective strategies that will not fully benefit an organization, or adequately address a security incident if and when it occurs.

As you can see, there are a lot of advantages to using a proactive cyber strategy, and a variety of reasons why your business may benefit from using one. Additionally, there are a number of specific cybersecurity strategies that can be employed to help keep your organization safe.

Top cybersecurity strategies for businesses

The recent past has seen an increase in security incidents and many businesses falling prey to threat actors targeting data or other informational assets from these organizations.

However, with the careful development of cybersecurity strategies, it is still possible to keep your business secure enough in these challenging times. Some of the top cybersecurity strategies that can be implemented to help improve the security posture of your organization include:

  • Training employees about security principles
  • Protecting networks, information, and computers from viruses, malicious code, and spyware
  • Having firewall security for all internet connections
  • Installing software updates
  • Using backup copies
  • Implementing physical restrictions
  • Securing Wi-Fi networks
  • Changing passwords
  • Limiting access for employees
  • Using unique user accounts

We will discuss each of these strategies in more detail in the following subsections.

Training employees about security principles

Employees are, undoubtedly, an important aspect of cybersecurity strategies. In many cases, threat actors will target employees or weaknesses caused by employee behavior to gain access into a company’s systems. The security team needs to develop basic security practices that need to be adhered to by all employees at the workplace and when dealing with work-related data. In addition, these security practices and policies need to be adequately communicated to the employees whenever they are established and when any changes are made to the policies. Employees should know the penalties for failing to adhere to these security practices. These penalties should be clearly spelled out to help cultivate a security culture among employees.

Protecting networks, information, and computers from viruses, malicious code, and spyware

Threat actors will most probably target the aforementioned assets in an organization. They will use malicious code, viruses, and spyware to infiltrate the systems as these are the most commonly used means of illegally gaining access to any system. Therefore, an organization needs to ensure that it protects its computers, information, and networks from such infiltration tactics. Some of the available means of achieving this are through the installation of effective antivirus systems and regularly updating them to fight off viruses and other malicious code. Automatic checking of updates for the installed antivirus systems is recommended to ensure that the system is up to date to fight off any new attacks.

Having firewall security for all internet connections

Internet connections are the most likely avenue that attackers will use in this day and age to attack your systems. Therefore, ensuring that internet connections are secure is an important and effective way of keeping the systems secure. A firewall is a set of programs that will help prevent outsiders from accessing data in transit in a private network. Firewalls should be installed on all computers, including those that employees may use to access the organization’s network from home.

Installing software updates

All software applications and operating systems used within the organization should be updated. Ensure that it is organizational policy to download and install software updates for all applications and software used within the company to ensure that the system is running on current and updated software, which reduces the risk of threat actors finding vulnerabilities in old systems and exploiting them. Updates should be configured to be done automatically. The process of updating should continually be monitored to ensure the efficiency of the process.

Using backup copies

Always ensure that your organization keeps backup copies of all important information and business data. Backups should be taken regularly, either daily or weekly, for every computer used within the organization. Some examples of sensitive data that may need backing up within the business include Word documents and databases.

Implementing physical restrictions

Restricting physical access is an effective strategy for keeping intruders out of the system. In many cases, intruders attempt to gain physical access to some systems to gain access to others. Some informational assets such as laptops are particularly vulnerable and should be kept under lock and key whenever they are not being used. Theft can be done even by staff members and hence physical restrictions are necessary to ensure the safety of all assets in an organization.

Securing Wi-Fi networks

Ensure that you secure and hide Wi-Fi networks to secure them against malicious individuals. You can set up the wireless access points in such a way that the network name is not broadcasted. In addition, you can use encryption and passwords that will ensure only authenticated individuals are authorized to gain access to the systems.

Changing passwords

Hacking passwords is one of the easiest ways for attackers to gain access to any system. Employees should be instructed to change their passwords and not to use common passwords. This ensures that prolonged use of the same password that may be shared with coworkers is not exploited by attackers.

Limiting access for employees

Having limitations and privileges in using the organization’s system should be done based on the needs of the employees. Employees should only have access to certain resources in the system that they need for their work, and access can be limited to certain periods when they are at work. Limiting the installation of software while using company systems ensures that they cannot install malicious software either accidentally or otherwise.

Using unique user accounts

Organizations should ensure that employees use unique user accounts with every user having their own user account. This ensures that every user is responsible for their user account and can be held accountable for negligence or malicious activities on their accounts. Every user should also be instructed to ensure they use strong passwords for their user accounts to ensure security and avoid hacking. In addition, privileges should be set for these user accounts based on the seniority of the employee and the needs of the employee within the system. Administrative privileges should not be accorded to any employee except the trusted IT staff who will then be held liable for any misuse and abuse of such privileges.
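The last three strategies (limiting access to what the role needs and to working hours, one named account per person, and administrative rights only for trusted IT staff) are all decisions a single authorization check can enforce. The following is an added example, not code from the chapter; the roles, resources, usernames and the 08:00 to 17:59 working-hours window are constructed assumptions, and the check denies by default so that anything not explicitly needed is refused.

```python
"""Least-privilege authorization for named, non-shared user accounts.

Added example, not from the chapter. Roles, resources, accounts and the
working-hours window are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Resources each role needs for its work (need-to-know); anything else is denied.
ROLE_RESOURCES = {
    "finance": {"ledger", "payroll"},
    "sales": {"crm"},
    "it": {"ledger", "payroll", "crm", "admin-console"},
}

# Resources that carry administrative privileges: only IT staff may use them.
ADMIN_RESOURCES = {"admin-console"}

# Assumed policy: access is limited to working hours, 08:00-17:59.
WORK_HOURS = range(8, 18)


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    is_it_staff: bool = False
    shared: bool = False   # generic logins (e.g. "reception") are never permitted


def authorize(account: Account, resource: str, when: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Every check is a reason to deny; the last line grants."""
    if account.shared:
        return False, "shared account: every user must have a unique account"
    if resource in ADMIN_RESOURCES and not account.is_it_staff:
        return False, "administrative privileges are limited to IT staff"
    if resource not in ROLE_RESOURCES.get(account.role, set()):
        return False, f"{account.role} role has no need for {resource}"
    if when.hour not in WORK_HOURS:
        return False, "access is limited to working hours"
    return True, "granted"


def at_hour(hour: int) -> datetime:
    """Fixed constructed date so decisions depend only on the hour."""
    return datetime(2024, 1, 15, hour, 0)


# Constructed accounts
ALICE = Account("alice", "finance")
BOB = Account("bob", "sales")
CAROL = Account("carol", "it", is_it_staff=True)
RECEPTION = Account("reception", "sales", shared=True)

if __name__ == "__main__":
    requests = [
        (ALICE, "payroll", at_hour(10)),        # own role, working hours
        (ALICE, "crm", at_hour(10)),            # not needed by finance
        (ALICE, "payroll", at_hour(23)),        # outside working hours
        (BOB, "admin-console", at_hour(10)),    # admin rights without IT status
        (CAROL, "admin-console", at_hour(10)),  # IT staff, held accountable
        (RECEPTION, "crm", at_hour(10)),        # shared login
    ]
    for account, resource, when in requests:
        allowed, reason = authorize(account, resource, when)
        print(f"{account.username:10} {resource:14} {when:%H:%M} -> {allowed} ({reason})")
```

Each denial carries its reason, which is what makes the accountability point work in practice: a refused request logged against a named account tells the security team who asked for what and which policy stopped it.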

Users pose as much a threat to a system as software weaknesses and may even pose greater threats as attackers are known to use such weaknesses to gain entry into targeted systems. As a result, the previous sections identify both behavioral aspects and technical user actions that can be implemented in the various cybersecurity strategies that you choose to employ in your organization.

Conclusion

This chapter has looked at cyber strategies, their necessity, and different strategies that can be used when developing them. As explained, a cyber strategy is an organization’s documented approach toward different aspects of cyberspace. However, the key concern in most cyber strategies is security. Cyber strategies are essential because they move organizations away from assumptions, help centralize decision making about cybersecurity, provide details about the tactics employed toward dealing with cybersecurity, give a long-term commitment to security, and simplify the complexities of cybersecurity. This chapter looked at the two main approaches used in writing cyber strategies, the attack and the defense standpoints.

When written from the attack perspective, cyber strategies focus on the security testing techniques that will be used to find and fix security vulnerabilities. When written from a defense perspective, cyber strategies look at how best to defend an organization. The chapter also explained the two main defense strategies: defense in depth and defense in breadth. Defense in depth focuses on applying multiple and redundant security tools, while defense in breadth aims at mitigating attacks at the different layers of the OSI model. An organization can opt to use either defense or attack security strategies, or both, in its quest to improve its cybersecurity posture.

Lastly, the chapter also provided examples of top cybersecurity strategies that can be effectively used by organizations to secure their businesses.

In the next chapter, we will seek to understand the cybersecurity kill chain and its importance in the security posture of an organization.

Further reading

The following are resources that can be used to gain more knowledge about the topics covered in this chapter:

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet
