IT Security Heretical
The purpose of this white paper is twofold.
The first is to present the reader with a further approach with which cyber defences can be strengthened significantly, in a way that is simple and, at the same time, very powerful.
The second is to warn students of cyberspace security that standard IT Security is now seriously compromised and that the time has come to consider seriously what I call IT Security Heretical (briefly introduced here).
IT Security: The Situation Today
Cyber-attacks on data centres (and beyond) around the world are now a daily occurrence. Even when these nerve centres are never connected directly to the Internet, but reach it only through advanced IT security systems (firewalls, SIEM, IDS/IPS, etc.), the worldwide growth of cyber-attacks continues unabated.
Cybercrime is projected to cost the world 10.5 trillion dollars a year by 2025. The situation today is already far from rosy: if cybercrime were measured as a country, it would be the third largest economy in the world after the United States and China. The recent study cited in the note predicted that cybercrime would inflict approximately $6 trillion in damage globally in 2021.
If this is the case, it is clear that there is something wrong with the general approach that companies and individuals have in defense of their assets.
The approach to IT Security reminds me of the situation in the medical field.
It is an almost unanimous opinion that only drugs can fight disease; hence today's overuse of allopathic medicine. Epigenetics, on the other hand, is showing us that environment and behaviour influence how our genes are expressed, and therefore how much "support" we ourselves can give to our highly evolved immune system.
The same thing happens in IT Security. We think that technology alone can raise our defensive barriers, but it cannot, as the disastrous figures on cyber-attacks above remind us mercilessly. We could instead activate our digital immune system through a valid Security Strategy, appropriate methodologies, and sets of architectures, algorithms and best practices, all joined together in a recursive, weighted, simple and powerful way.
The activity of the vCISO (virtual Chief Information Security Officer) is to work out the appropriate Security Strategy in order to protect the tangible and intangible assets of the company that has requested its professional support.
vCISO & Corporate
The first thing to understand is that the vCISO (virtual Chief Information Security Officer) considers the company as an entity that manifests itself on two distinct but closely connected levels, in particular:
At the mental/strategic level, the vCISO's main objective is to support the corporate business strategy through appropriate security tactics in the ICT (Information and Communication Technology) field.
At the physical/digital level, the vCISO has, at the same time, the IT skills needed to translate those security strategies into appropriate security methodologies and technologies in cyberspace.
The vCISO needs to interact personally with the members of the company, in particular with the Business Managers and with the Security Steering Committee.
The aim is to learn the wishes of the company, which are normally expressed in the company's Strategic Plan.
Those involved in strategy know the power of words very well. The etymology of a word, that is its deeper meaning, often hides a real "algorithm".
For example, in everyday speech we use the words Goal and Objective interchangeably. On a deeper level, however, the two words are different, even if apparently very similar.
A goal is what we set out to achieve, the result we "want". A goal is timeless, because once achieved we also want to keep it and perfect it, in an endless cycle.
An objective is the path I must follow to reach my goal. An objective is temporal: an effort, sometimes a very demanding one, that nevertheless has a beginning and an end. When I reach my objective I have entered the domain of my goal.
This is just a small example of how words sometimes hide real algorithms within them. There are cases in which transforming the deep meaning of our words into "keywords" proves to be an effective, simple and powerful method for outlining the algorithms that will support the realisation of our business strategy.
Let us look at the figure shown above. Everything starts from a business idea, which turns into our corporate Mission, which is deepened and outlined through our Goals, which in turn are made concrete through their Objectives. Already with this "core", our Security Strategy begins to take shape "in parallel". Around this core there are other "parameters" (represented within the circle that encloses the pyramid) that normally influence and enrich the business strategy; to mention just a few: Asset Value, Culture, Legal Obligations, Market Conditions, Risk Tolerance, and many more.
Our business and security strategy (a sort of "seed" ready to sprout) is activated within the company in different ways, depending on the main departments of which the organisation is composed.
Regardless of how a specific department translates the corporate strategy in its own way, each department "inherits" from the corporate strategy the same logical/functional structure, always organised in 3 distinct intercommunicating levels: Governance, Management, and Operational.
Let us imagine using Google Earth, with the difference that in front of us we do not have our planet but a globe that represents our Organization.
The vCISO sees each organisation as a processing system, called the Organization System, which has its own operating system whose internal modules correspond to the fundamental "pillars" (departments) on which the company relies to operate.
As said above, each Department (Department System) is in turn internally structured on 3 levels (Governance, Management and Operational). The 3 levels communicate with each other through the central Management level (see figure above, OSS, Organization Strategy System) and can also communicate with the corresponding levels of the other Department Systems.
Logical intersections between the various Department Systems are permitted and welcome, bearing in mind that the new entity born from the intersection of two departmental systems will always keep the same 3-level structure.
For example, the intersection between the departmental IT system (the IT infrastructure) and the corporate Security system (security at 360 degrees) creates a new, specific security subsystem for cyberspace (the IT realm), the one we are all used to calling IT Security.
This new system is technically known as the Information Security Management System (ISMS).
ISMS is internally structured on three levels called as follows:
ISG – Information Security Governance
ISM – Information Security Management
ISOC – Information Security Implementation/Operation Center
Obviously, each level has its own peculiar functions (processes), as William Stallings shows in his book Effective Cybersecurity: A Guide to Using Best Practices and Standards (see the diagram below).
It should also be borne in mind that the ISMS is a very particular subsystem of the Organization System: given its importance it is a "vertical" pillar of the company, but it is also "horizontal" because, at the same time, it intersects (crosses) the other vertical pillars (as shown in the figure below).
Our IT Security Strategy can be effectively enhanced through a Risk Based approach worthy of the name. It must also be said, at the same time, that well-done Risk Management is by no means a simple process.
The true complexity of Risk Assessment (the heart of Risk Management) derives from the fact that it is essentially a human, mental, as well as methodological process.
Valid help comes from the standards in the Risk Management field, just to name a few important ones such as ISO/IEC 27005, ISO 31000, ISO/IEC 31010, NIST SP 800-39, NIST SP 800-37, NIST SP 800-30, Risk IT Framework by ISACA, Risk Management by ENISA, Microsoft Risk Management Approach, and many more.
Despite everything, the situation is far from clear.
Knowledge, as often happens, is fragmented. In particular, many technical books on Risk Management have their limitations. They describe in great detail only "part" of the story. Other books add more detail but leave out other topics that should be covered and without which it is difficult to close the circle.
Risk Assessment software, too, indispensable as it is in supporting the IT security professional through the Risk Assessment process, has unpleasant limitations today. Obviously the professional is always looking for different strategies to reach the risk assessment goal, but that is not always easy. In any case, you must carry the big picture of the vast and complex world of Risk Assessment within you. Otherwise, how do you understand what is missing from your final RAR (Risk Assessment Report)?
It is also true, however, as I describe below, that through some techniques and methodologies we can make the complex Risk Assessment even more powerful and at the same time simpler in its internal structure, thanks to recursive techniques and algorithms.
I am sure that new editions of those books will fill some of their gaps, and that new versions of the tools mentioned above will give us a much better experience. But this is the situation today. Perhaps this gap is the real reason for the catastrophic economic losses that cybercrime inexorably inflicts on its victims across the planet.
The RAR is an important component of our Information Security Strategy.
I am aware that the Risk Assessment is only one of the "pillars" of the Security Strategy that will then lead us to the company's Security Program. The Security Strategy is a fundamental component of Information Security Governance (ISG), and the ISG is made up of many "complex" and "intercommunicating" processes. To see what I mean, just go back to the diagram drawn by William Stallings in his book.
Therefore a Security Program is not a single component; it is the sum of many processes cooperating logically and technically with each other. Having said that, the Risk Assessment remains the starting point of our IT Security Strategy.
Security is a very fascinating but at the same time indomitable topic because 100% security simply does not exist. And this, by definition, is not a good starting point for those who are preparing to design a Security Strategy.
The description of the Risk Assessment that I offer below takes a different approach from those normally used. I say at once that I cannot go into all the implementation details of the Risk Assessment, but I would still like to offer the reader the big picture I referred to earlier: the overview that allows the vCISO to design a valid IT Security Strategy that completely and hermetically wraps the company that asked for consultancy support.
Risk Assessment is the heart of the Risk Management process.
The Risk Assessment is based on 3 main phases, which are called Risk Identification, Risk Analysis, and Risk Evaluation.
Risk Identification is the first and fundamental phase of the Risk Assessment.
Risk Identification is in turn based on 3 sub-processes, which I call Vortexes in this paper; they are the Assets Vortex, the Threats Vortex, and the Vulnerabilities Vortex.
We must, first of all, know our Assets by evaluating them in depth. We need to create a matrix (in practice a database) that lives inside an infinite loop.
Each row of the Assets Matrix is an asset that we want to protect. Each asset is deeply categorised into classes, sub-classes, categories, types, and much more. The size of the Assets Matrix is dynamic by definition: it takes our Asset Management system as input but then extends and refines it in an endless cycle. The "Basic BIA" (Business Impact Analysis) also lives within it. The Basic BIA is a reduced version of the "Comprehensive BIA". The latter is an integral part of the BCP (Business Continuity Plan) process and deals, among other things, with the definition of Recovery Objectives (RPO, RTO, WRT, MTD, MTO, SDO, RCO, RCapO, etc.). The Basic BIA does not define Recovery Objectives, but apart from that it is in no way inferior to the Comprehensive BIA.
Each asset (row) also contains a series of parameters that numerically correspond to the "weight" of the answers to a considerable number of questions, questions that arise from deep within Level 2 of the Security Pyramid. We must ask ourselves why that asset is strategic, what its overall economic value is, what its loss would mean for us as a company, and so on. The deeper our "self-examination", the better. These numerical translations of the answers are then evaluated and filtered through a carefully weighted average, and on the basis of this weighted average the assets are sorted in order of "preciousness" (value).
Finally, imagine this vortex with a right-handed spin, that is, it swirls to the right (later we will understand what this entails).
We need to investigate all the probable Threats capable of attacking our Assets. Once again we create a matrix within an infinite loop.
Each row of the Threats Matrix is a Threat capable of attacking one or more of our assets. Technically this initial investigation is called TBM (Threats-Business Mapping), or "Macro-Assessment", or "Risk Mapping"; whatever the name, it aims to understand which threats can compromise the business objectives of the company.
Each Threat is deeply categorised into classes, sub-classes, categories, types, and much more. The size of the Threats Matrix is dynamic by definition. Each Threat is enriched with useful information from the various threat intelligence communities. Each threat (row) also contains a series of parameters that numerically correspond to the "weight" of the answers to a considerable number of questions.
We must ask ourselves which threats pose a real danger to our information assets; which are internal and which external; which are most likely to occur; which have the highest probability of success; and so on. The deeper our intelligence investigation, the better.
This numerical translation of our answers is then evaluated and filtered through a carefully weighted average, and on the basis of this weighted average the threats are sorted in order of danger.
Finally, imagine this vortex with a left-handed spin, that is, the vortex to the left (we will soon understand what this entails).
Therefore there is an Assets Vortex with a right-handed spin, which is intrinsically also the defence of itself (the corporate assets). However, 100% security simply does not exist. This means that there is always a "potential" threat to our assets, at all times.
The number of threats in the world is practically infinite. The root of a Threat essentially splits into three main branches: Technical, Human, and Nature. Our assets can fall victim to technical problems, to an attack by one or more human beings, or to the force of nature; nothing prevents all three from happening simultaneously. The mere existence of the Assets Vortex with a right-handed spin always generates a Threats Vortex with a left-handed spin. The two vortexes are complete opposites: if one is positive, the other is negative; if one is right-handed, the other is left-handed. Classical physics teaches us that every action has an equal and opposite reaction.
The existence of these two vortexes always generates the formation of a sort of "protomatter", a third "information structure" which is the "potential" point of contact between the two primordial vortexes. We call this third information structure Vulnerabilities Vortex.
I return to underline what has just been said because it is vitally important to understand it well. This third information structure, the Vulnerabilities Vortex, even if we do not see it because it has not yet manifested itself in the world of things, already exists by virtue of the existence of the other two Vortexes.
The vCISO is able to understand the Vulnerabilities Vortex, estimate it, measure it, and therefore also predict it before it manifests itself in the world of matter (the Physical/Digital Level).
Like the other two vortexes, the Vulnerabilities Vortex is an information field that we can technically convert into a complex numerical matrix within an infinite loop.
The vCISO gives its best in creating this last matrix; here lies its added value, thanks to its highly interdisciplinary knowledge.
Each cell of the Vulnerabilities Matrix is the intersection of a specific Asset of the Assets Matrix with a specific Threat of the Threats Matrix. Remember that the Assets Matrix and the Threats Matrix are ordered internally (in decreasing order, for example), respectively by Value (asset) and by Danger (threat).
Consequently the Vulnerabilities Matrix is generated in order of Weakness, also descending. Physically and logically, each single cell of the Vulnerabilities Matrix is actually a "macro cell" because it contains an indefinite number of sub-cells, each corresponding to a specific Vulnerability. This means that when an Asset comes into contact (impact) with a Threat, it can potentially be subject to one or more Vulnerabilities (pre-existing or consequential).
The ultimate purpose is to try to understand, through the three information matrices, the information that allows us to evaluate in advance the level of risk in the event that the three vortexes come into contact with each other. Keep in mind that the intersections of all three vortexes give us the "risk level".
Each vulnerability (always logically connected to its asset and its threat) must be numerically "weighed" on the basis of "at least" the so-called CIA triad (Confidentiality, Integrity, Availability). The CIA triad is the bare minimum against which each asset should be evaluated (weighed) in the event of an "impact" with one or more Threats.
I say bare minimum because, depending on the nature of the Asset, it should be weighed not only on the basis of the CIA triad but also on the basis of the little-known "E²RCA²" (Efficiency, Effectiveness, Reliability, Compliance, Accountability, Authentication). Where the circumstances warrant it, the vCISO will also include in its "weighted average" an evaluation against Microsoft's STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege).
The algorithms briefly described above organise the Vulnerabilities Matrix in order of Weakness with a very fine "granularity" (CIA triad, E²RCA², STRIDE, etc.). This logical layer is in turn "wrapped" by another layer of algorithms whose task is to further "perfect" this ordering in an endless process.
In fact, it is possible that high-priority vulnerabilities that are completely different from each other and related to different assets and/or threats have "interesting" points of contact between them. In this case, the ordering of the Vulnerabilities Matrix on the basis of the Weaknesses is further refined. This refinement can also involve in turn the ordering of assets and threats, helping us to discover high-priority assets and threats that at the beginning of the analysis we did not even suspect their existence or importance.
Finally, the set of these logical layers (algorithms) are expertly replicated and divided into the 3 structural levels of the company that are intercommunicating with each other: Governance, Management, and Operational.
The Risk Analysis is the second phase of the Risk Assessment. Its objective is to determine the Risk Level provided by the intersections of the T-V-A (Threat-Vulnerability-Asset) triad.
This is done, obviously, for all the T-V-A triads (the 3 vortexes) processed in the Risk Identification phase.
The numerous Risk Levels will then be positioned on the so-called Risk Matrix (also known as the Heat Map) which is the final output of the Risk Analysis phase.
The Risk Level is a numerical value given precisely by the intersection of the T-V-A triad. In particular, the numerical value of the Risk Level is always within a numerical range in order to be always represented within a Risk Matrix.
The Risk Matrix or Heat Map is logically divided into ranges of values. Let us take the Risk Matrix shown in the figure above as an example. This Risk Matrix is divided into three risk levels: low (green), medium (yellow), and high (red).
The reference value that tells us how to logically divide the Risk Matrix is called the Risk Threshold. Its usefulness is easy to understand: if we have, for example, a Risk Level equal to 3, or equal to 16, there must be a reference value against which to compare it. On the basis of this comparison we determine whether the Risk Level in question is "low" or "high". This reference value is provided by the Risk Threshold. So far, this is what the literature tells us.
However, this is only the beginning of our Risk Analysis. Let us not forget that its purpose is to put in our hands a valid tool with which to identify the risk level of our assets (the intersection of the T-V-A triad), assets that, we recall, can be tangible and intangible. For example, we could extend the concept of the Risk Matrix into an even more powerful tool that offers diversified "views" of it. Technically this is achieved by stratifying the Risk Matrix on several levels, with the possibility of moving easily between those levels (vertically and horizontally).
Furthermore, there should not be only one Risk Threshold but "n" of them, where "n" is "at least" equal to the number of our security objectives; and, in the case of stratification, these values should also take into account the level in question at that moment. This layered stratification of the Risk Map obviously involves a careful modification of the three underlying matrices (the T-V-A triad) and more. Such a hierarchical Risk Matrix would provide an extremely powerful analysis tool, but at the same time it adds considerable complexity to the database and to the algorithms needed to process it.
The details of this extension of the Risk Matrix are beyond the scope of this document.
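To make the mechanics of the three matrices and of the heat map concrete, here is a small Python risk register written as an added example for this paper (it is not the author's tool and not the RARA model, which the paper leaves out of scope). Assets are ordered by a weighted average of questionnaire answers, threats likewise, and every (asset, threat) macro cell holds one sub-cell per vulnerability, weighed by the asset's CIA profile; the impact and likelihood of each T-V-A triad land on a 5x5 heat map whose 1..25 risk is banded by thresholds. The question weights, the CIA profiles, the thresholds and the sample assets, threats and vulnerabilities are all constructed assumptions; adding E²RCA² or STRIDE would simply add more weighted columns to the exposure calculation.

```python
"""Toy risk register: weighted asset/threat ordering, CIA-weighted
vulnerability cells, and a thresholded 5x5 heat map (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Relative weights of the "self-examination" questions (assumed values).
ASSET_WEIGHTS = {"strategic": 3.0, "economic_value": 2.0,
                 "loss_impact": 3.0, "replaceability": 1.0}
THREAT_WEIGHTS = {"likelihood": 3.0, "success_probability": 2.0,
                  "capability": 1.0}
# Assumed heat-map thresholds: risk <= 8 low, <= 15 medium, else high.
RISK_THRESHOLDS = (8, 15)


def weighted_average(answers: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted mean of 1..5 answers; weights are relative, not normalised."""
    total = sum(weights[q] for q in answers)
    return sum(answers[q] * weights[q] for q in answers) / total


@dataclass(frozen=True)
class Asset:
    name: str
    answers: Dict[str, float]             # 1..5 answers to the asset questions
    cia: Tuple[float, float, float]       # how much C, I, A matter here (0..1)


@dataclass(frozen=True)
class Threat:
    name: str
    answers: Dict[str, float]             # 1..5 answers to the threat questions


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    threat: str
    weakness: str                         # label of the weakness
    cia_loss: Tuple[float, float, float]  # share of C, I, A lost if exploited


def asset_value(a: Asset) -> float:
    """'Preciousness' of an asset, 1..5 (the impact axis before exposure)."""
    return weighted_average(a.answers, ASSET_WEIGHTS)


def threat_danger(t: Threat) -> float:
    """Danger of a threat, 1..5 (used as the likelihood axis)."""
    return weighted_average(t.answers, THREAT_WEIGHTS)


def cia_exposure(a: Asset, v: Vulnerability) -> float:
    """CIA-weighted exposure 0..1: each loss share counts as much as the
    asset says that property matters."""
    return sum(w * loss for w, loss in zip(a.cia, v.cia_loss)) / sum(a.cia)


def risk_level(a: Asset, t: Threat, v: Vulnerability) -> Tuple[int, int, int]:
    """(impact 1..5, likelihood 1..5, risk 1..25) of one T-V-A triad."""
    impact = max(1, round(asset_value(a) * cia_exposure(a, v)))
    likelihood = max(1, round(threat_danger(t)))
    return impact, likelihood, impact * likelihood


def band(risk: int, thresholds: Tuple[int, int] = RISK_THRESHOLDS) -> str:
    """Colour band of a 1..25 risk on the heat map."""
    low, medium = thresholds
    if risk <= low:
        return "low"
    if risk <= medium:
        return "medium"
    return "high"


def build_register(assets: List[Asset], threats: List[Threat],
                   vulns: List[Vulnerability]):
    """Order assets by value and threats by danger, then fill each
    (asset, threat) macro cell with its vulnerabilities, worst first."""
    by_asset = {a.name: a for a in assets}
    by_threat = {t.name: t for t in threats}
    asset_order = [a.name for a in sorted(assets, key=asset_value, reverse=True)]
    threat_order = [t.name for t in sorted(threats, key=threat_danger, reverse=True)]
    cells: Dict[Tuple[str, str], List[dict]] = {}
    for v in vulns:
        impact, likelihood, risk = risk_level(by_asset[v.asset], by_threat[v.threat], v)
        cells.setdefault((v.asset, v.threat), []).append(
            {"vuln": v.weakness, "impact": impact, "likelihood": likelihood,
             "risk": risk, "band": band(risk)})
    for sub_cells in cells.values():
        sub_cells.sort(key=lambda e: e["risk"], reverse=True)
    return asset_order, threat_order, cells


# Constructed sample data (hypothetical assets, threats and weaknesses).
ASSETS = [
    Asset("customer-db", {"strategic": 5, "economic_value": 5, "loss_impact": 5,
                          "replaceability": 4}, (1.0, 0.9, 0.7)),
    Asset("marketing-site", {"strategic": 2, "economic_value": 2, "loss_impact": 3,
                             "replaceability": 1}, (0.2, 0.6, 0.8)),
]
THREATS = [
    Threat("ransomware", {"likelihood": 4, "success_probability": 4, "capability": 4}),
    Threat("insider-misuse", {"likelihood": 2, "success_probability": 3, "capability": 4}),
]
VULNS = [
    Vulnerability("customer-db", "ransomware", "no offline backups", (0.3, 1.0, 1.0)),
    Vulnerability("customer-db", "ransomware", "phishable credentials", (0.5, 0.5, 0.5)),
    Vulnerability("customer-db", "insider-misuse", "shared admin account", (1.0, 0.6, 0.1)),
    Vulnerability("marketing-site", "ransomware", "unpatched CMS", (0.1, 0.8, 0.9)),
]

if __name__ == "__main__":
    a_order, t_order, cells = build_register(ASSETS, THREATS, VULNS)
    print("assets by value:", a_order, "| threats by danger:", t_order)
    for asset in a_order:
        for threat in t_order:
            for e in cells.get((asset, threat), []):
                print(f"{asset:15} x {threat:15} {e['vuln']:22} impact={e['impact']} "
                      f"likelihood={e['likelihood']} risk={e['risk']:2} {e['band']}")
```

With this data the customer database's "no offline backups" weakness lands at impact 4, likelihood 4, risk 16 (high), while the same asset under the same threat through "phishable credentials" scores only 8 (low), which is exactly the point of keeping several sub-cells per macro cell rather than one number per asset-threat pair: the band is a property of the triad, not of the asset.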
The output of the Risk Analysis, i.e. the Risk Map, becomes the input of the Risk Evaluation as the third and last phase of the Risk Assessment.
The objective of the Risk Evaluation is to consider the Risk Levels based on the company's Risk Appetite and then formulate possible solutions and scenarios to be submitted to the company's Business Managers.
It should be borne in mind that the Risk Evaluation bases its assessments precisely on the reference parameters (Risk Threshold for example) that must be known "before" starting the Risk Assessment itself (Risk Management Governance).
So far this is what the literature tells us, but it is only a basic level of Risk Evaluation. Normally the Risk Threshold can be modified so as to logically divide our Risk Matrix as explained above. This change allows a sort of "tuning" of the Risk Matrix, dividing it according to our personal and business wishes. However, this modification is normally left in the hands of the user without helping him understand that the Risk Threshold value is actually the result of two distinct mental processes called Risk Appetite and Risk Attitude.
Once again, "the intimate meaning of the words" comes into play. As in the etymological analysis of "Goal" and "Objective", the same happens with "Risk Appetite" and "Risk Attitude". The deep meaning of the two is different even though in many respects they are similar. Here "different" means that each concept can be represented by its own specific algorithm, while "similar" means that these algorithms logically have "points of intersection". Both Risk Appetite and Risk Attitude contribute to setting the Risk Thresholds, but they do so in different ways.
It is necessary to remember that the Risk Thresholds are those fundamental parameters that allow us to divide our Risk Matrix by risk bands. They are therefore those parameters that reveal to us that that certain level of risk is altogether acceptable or that it has exceeded our warning level. Put another way, these metrics reveal what is good and what is bad for that specific asset. So the accurate generation of Risk Thresholds is not a whim, nor a trivial matter. Defining precise Risk Thresholds is, on the other hand, very important in modeling our IT Security Strategy.
Given the importance of the methodology for generating Risk Thresholds, it is therefore very important to know how to integrate the two mental processes into a single model within which the Risk Appetite and Risk Attitude cooperate wisely with each other. This unique model is technically known under the name RARA Model.
The description of these aspects goes far beyond the scope of this document.
IT Security Standard
Once our IT Security Strategy has been created, we also know the "possible" Security Controls to be put in place to defend our assets (whether tangible or intangible).
Security Controls typically refer to technology in the IT Security field, thanks to which we can reduce the level of risk that we have assessed through our Risk Assessment (as shown in the figure below).
The implementation of any Security Controls without having done a valid and thorough Risk Assessment is never a good idea.
Technically we have 2x3x6 = 36 different types of Security Controls, which at the same time cooperate with each other (see figure below).
Each of the 36 possible types formed by this triad (Classes, Types, Categories) can contain an indefinite number of specific security controls. This means that in reality we have a very large number of possible solutions to put in place to defend our assets. However, identifying the T-V-A (Threat-Vulnerability-Asset) triads with a high level of risk is by no means an easy process.
Let us imagine, for example, Company X, a major company operating in the Fintech world. For various reasons, and after a "short and not in-depth" Risk Assessment, the company has chosen to implement a security control of the manual type (requiring qualified and therefore expensive personnel), technical category (further significant economic investment) and deterrent class (we are referring to the triad with which we logically divided the security controls, represented in the figure above).
After a short time, Company X is the victim of an incident that causes very significant economic and reputational losses. Following this incident, the IRT (Incident Response Team) carries out a post-incident analysis that brings to light unpleasant news: the manual-technical-deterrent security control was completely useless, because the T-V-A triad had been wrongly evaluated as high priority when it was not; it was only "consequential" to other T-V-A triads that had, unfortunately, been completely forgotten in the Risk Assessment.
Furthermore, an efficient IRT, as always, elegantly reveals that a manual-administrative-preventive security control (a corporate security policy, for example) would have been sufficient to prevent the incident in a valid and economical way.
IT Security Heretical
The gigantic problem is that man has lived under a kind of spell since the dawn of time, a false reality generated precisely by our "standard" knowledge. In short, we are the ones who create that spell. Let us take an example from IT Security.
What is "Level -3"?
Level -3 is a privileged processing state capable of nullifying IT Security worldwide.
Any shocking piece of knowledge has the power to change a person. This new awareness comes from the world of IT (Information Technology) Security.
When a new and profound scenario unfolds before us, this “always” creates a crossroads in our mind, the duality of choice. And we are forced to decide which way to go.
If you have chosen to follow the path of IT Security Heretical, a whole new world will appear to you. And you will not only be aware of the Matrix and its true origin. But, above all, like any deep search, in the end, you will find only and inexorably yourself.
The choice is yours.
CC BY 4.0
You may share the work, modify it and use it for commercial purposes, as long as you credit or link to the author and specify the CC license used.