This is the first introductory article our Founder, Chairman and Chief Executive, Lehan Premith Edirisinghe, is publishing on behalf of Cyberspace Command (Private) Limited. Please bear with us as we progressively improve the quality of our research publications. We have drawn on extensive sources found on the internet to create it. We use these cybersecurity principles ourselves to develop and deploy IT security strategy for our clients.
These are: (1) Least Privilege, (2) Separation, (3) Non-Interference, (4) Minimization, (5) Simplification, (6) Awareness, (7) Agility, (8) Resilience, (9) Affordability, (10) Optimization and (11) Asymmetry.
Before we discuss them, we want to briefly describe the current international IT security situation to establish some much-needed context.
We are becoming ever more dependent on technology and connectivity, and that dependence brings increased exposure to electronic threats. We predict the number of static malware signatures will rise rapidly from fewer than 10mn today to 200mn by 2025. The Cost of Cyber Crime studies that Ponemon Institute conducts for HP are well worth reading; several of the figures below are drawn from them.
Five years ago, the companies in that study together experienced around 100 successful attacks per week on their core networks or enterprise systems. Each attack took an average of 32 days to resolve, and the average annualised cost of cyber crime per company was close to $11.6mn (Ponemon Institute, 2015), an increase of close to 80% over the first study four years earlier. Around the same period, Aberdeen Group estimated that a software security breach cost about $300,000 per event (Brink, 2010).
In the 2015 study, the average annual cost of cyber crime per organisation had risen from that $11.6mn to $15mn. We expect this figure to keep rising as professional criminal hackers and hostile state actors increasingly co-operate.
The similarly named but separate 2015 Cost of Data Breach Study: Global Analysis found that, across its 350 participating companies, the average total cost of a data breach rose from $3.52mn to $3.79mn. Multiplied out, 350 firms x $3.79mn = $1,326,500,000, or about $1.33bn across the sample.
The average cost per lost or stolen record containing sensitive or confidential information likewise rose from $145 in 2014 to $154 in 2015. A single private photograph of a celebrity taken from cloud storage, a VVIP's medical records or a firm's prized strategy or marketing data may be invaluable or impossible to price; but criminals usually take every record they can reach, so the per-record figure matters.
Leaders are trying to lower these IT security risks and to respond to incidents. Following the data breach JPMorgan Chase suffered towards the end of 2014, the bank's CEO Jamie Dimon personally told shareholders that JPMorgan Chase would spend $250mn a year and commit 1,000 trained IT security staff. We likewise work pre-emptively with our clients to implement IT security strategy.
Without further ado, we humbly present Cybersecurity Principles:
(1) Least Privilege
Users are given only the minimum permissions or rights they need to complete their work or mission. By analogy, a traffic police officer is issued at most a handgun and never an automatic rifle, and arguably neither, since no weapon is needed to direct traffic. In IT architecture we establish Least Privilege by using access control systems to remove unnecessary privileges from users, software and hardware.
This might mean allowing only pre-approved software or services. The CIA, for example, configures devices to perform only basic tasks, which prevents serious information security compromises. Least Privilege can also be supported in hardware, for example by using the protection rings of x86 (Pentium) processors to limit what code at each level may access or do. During operations, actively managing user privileges, whitelisting, and running workloads in containers to limit what they can do are further ways to implement Least Privilege.
Least Privilege drastically narrows the window for unintentional mistakes and intentional mischief. Akamai's global caching network, which applies Least Privilege from policy through architecture to operations, has never suffered a loss of availability.
We recommend Least Privilege to our own clients.
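The practical form of Least Privilege is a comparison between what an account holds and what its role actually needs. The following is an added example, not code from the original article: a small audit that reports excess grants (and a missing one) against a constructed role model. The role names, permission strings and accounts are all assumptions made up for the illustration.

```python
"""Least-privilege audit: compare what each account holds against what its
role needs and report the excess.  Added example, not code from the original
article; the role model and accounts below are constructed."""

from dataclasses import dataclass, field

# Constructed role model: the minimum permission set each job needs.
ROLE_NEEDS = {
    "traffic_officer": {"read:incidents", "write:incidents"},
    "web_service":     {"read:config", "bind:443"},
    "backup_job":      {"read:/srv/data", "write:/srv/backup"},
}


@dataclass
class Account:
    name: str
    role: str
    granted: set = field(default_factory=set)


def excess_privileges(account, role_needs=ROLE_NEEDS):
    """Permissions an account holds beyond what its role requires."""
    needed = role_needs.get(account.role)
    if needed is None:
        # Unknown role: nothing justifies any grant, so every grant is excess
        # and the account itself needs review.
        return set(account.granted)
    return set(account.granted) - needed


def missing_privileges(account, role_needs=ROLE_NEEDS):
    """Permissions the role needs but the account lacks (the job cannot run)."""
    return set(role_needs.get(account.role, set())) - set(account.granted)


def minimal_grant(account, role_needs=ROLE_NEEDS):
    """The grant set the account should end up with: exactly its role's needs."""
    return set(role_needs.get(account.role, set()))


def audit(accounts, role_needs=ROLE_NEEDS):
    """Return {account name: sorted excess permissions} for over-privileged accounts."""
    findings = {}
    for acct in accounts:
        extra = excess_privileges(acct, role_needs)
        if extra:
            findings[acct.name] = sorted(extra)
    return findings


# Constructed sample accounts, including a typical "admin:*" shortcut, a
# service user with extra capabilities, and an account with an unknown role.
SAMPLE_ACCOUNTS = [
    Account("pc_smith", "traffic_officer", {"read:incidents", "write:incidents", "admin:*"}),
    Account("www",      "web_service",     {"read:config", "bind:443", "write:/etc", "cap:net_raw"}),
    Account("backup",   "backup_job",      {"read:/srv/data", "write:/srv/backup"}),
    Account("tmp_user", "contractor",      {"read:incidents"}),
]

if __name__ == "__main__":
    for name, extra in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: revoke {', '.join(extra)}")
```

Run periodically, the same comparison catches privilege creep: grants that were once justified and never withdrawn. Treating an unknown role as "everything is excess" is deliberate, since an account nobody can map to a job is exactly the one that should not keep any rights.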
(2) Separation/Balance of Power
Distributing authority, employing peer review, or using two-person rules puts checks on power that help maintain positive control and stop malicious insiders or outsiders. Balance of power is related to the fundamental principle of separation (or segregation) of duties from the Orange Book, the United States Department of Defense's Trusted Computer System Evaluation Criteria (TCSEC).
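A two-person rule is only as good as the checks that enforce it: the requester must not approve their own change, approvers must hold the approving role, and the two approvals must come from different people. The following is an added example, not code from the original article, showing those checks around a sensitive action; the people, roles and request fields are constructed assumptions.

```python
"""Two-person rule with separation of duties for a sensitive action such as
a production change or a firewall rule update.  Added example, not code from
the original article; the roles, people and request shape are constructed."""

from dataclasses import dataclass, field

# Constructed: which roles each person holds.
ROLES = {
    "alice": {"engineer"},
    "bob":   {"engineer", "approver"},
    "carol": {"approver"},
    "erin":  {"approver"},
    "dave":  {"auditor"},
}

REQUIRED_APPROVALS = 2   # the two-person rule


@dataclass
class ChangeRequest:
    change_id: str
    requester: str
    approvals: list = field(default_factory=list)


def approve(req, approver, roles=ROLES):
    """Record an approval, refusing any that would concentrate power in one person."""
    if approver == req.requester:
        raise PermissionError("requester may not approve their own change")
    if "approver" not in roles.get(approver, set()):
        raise PermissionError(f"{approver} does not hold the approver role")
    if approver in req.approvals:
        raise PermissionError(f"{approver} already approved; approvals must come from distinct people")
    req.approvals.append(approver)
    return req


def approval_rejected(req, approver, roles=ROLES):
    """True if approve() refuses this approver (convenience for exercising the checks)."""
    try:
        approve(req, approver, roles)
    except PermissionError:
        return True
    return False


def is_authorised(req, required=REQUIRED_APPROVALS):
    """Positive control: enough distinct approvers, none of them the requester."""
    distinct = {a for a in req.approvals if a != req.requester}
    return len(distinct) >= required


def execute(req, action):
    """Run the sensitive action only once the two-person rule is satisfied."""
    if not is_authorised(req):
        raise PermissionError(
            f"{req.change_id}: needs {REQUIRED_APPROVALS} approvals, has {len(req.approvals)}")
    return action()


def demo():
    req = ChangeRequest("CHG-1", requester="alice")
    approve(req, "bob")
    blocked_repeat = approval_rejected(req, "bob")   # same person twice is refused
    approve(req, "carol")
    return blocked_repeat, execute(req, lambda: "deployed")
```

The identity checks assume the approver names come from an authenticated session, not from the request body; if a requester can submit approvals under another name, the rule collapses to a one-person rule.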
(3) Non-Interference
The principle of non-interference describes the requirement to reduce unneeded dependencies, to guarantee the separation of security levels, and to ensure that one operator cannot thwart the actions of another. It is achieved through careful coordination of loosely coupled but mutually beneficial actions, and is vital, for example, when coordinating defence across joint, inter-agency, public-private and international networks.
(4) Minimization and (5) Simplification
Minimizing attack surfaces, by pursuing solutions that perform only necessary functions (and no more), limiting dependencies, and providing only essential services, reduces the potential avenues of attack and the number of vulnerabilities: a service that is not running cannot be exploited. Simplifying systems (e.g. standard architectural interfaces, avoiding complexity, limiting developers to pre-approved code) reduces both cost and risk. Simplification, minimization and the ability to replace compromised components are consistent with the principle of modularity in a Trusted Computing Base (TCB).
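One concrete measure of attack surface is the set of ports a host actually listens on compared with the short list it is supposed to expose. The following is an added example, not code from the original article: it parses listener lines shaped like `ss -Hltnp` output and flags unexpected services and services bound more widely than they should be. The allow-list and the listener lines are constructed for the illustration, not a real capture.

```python
"""Attack-surface minimisation check: compare the services a host exposes with
the short list it is supposed to expose.  Added example, not from the article;
the listener lines are constructed to look like `ss -Hltnp` output, not a
real capture."""

import re

# Constructed allow-list for a web host: (bind address, port) -> expected process.
ESSENTIAL = {
    ("0.0.0.0", 443):    "nginx",
    ("0.0.0.0", 22):     "sshd",
    ("127.0.0.1", 5432): "postgres",   # database must stay loopback-only
}

# Constructed sample shaped like `ss -Hltnp` output (no header line).
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:* users:(("postgres",pid=640,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=501,fd=3))
LISTEN 0 50 0.0.0.0:6379 0.0.0.0:* users:(("redis-server",pid=733,fd=6))
LISTEN 0 128 127.0.0.1:8125 0.0.0.0:* users:(("telegraf",pid=900,fd=9))
"""

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(text):
    """Return [(bind_addr, port, process)] for each LISTEN line that matches."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out


def surface_findings(listeners, essential=ESSENTIAL):
    """Classify each listener as unexpected, wrong_bind or wrong_process.

    Anything not in the allow-list is surface to remove, even on loopback:
    a local attacker or a compromised process can still reach it."""
    by_port = {port: (addr, proc) for (addr, port), proc in essential.items()}
    findings = []
    for addr, port, proc in listeners:
        if port not in by_port:
            findings.append(("unexpected", addr, port, proc))
            continue
        want_addr, want_proc = by_port[port]
        if want_addr in ("127.0.0.1", "::1") and addr != want_addr:
            findings.append(("wrong_bind", addr, port, proc))
        elif proc != want_proc:
            findings.append(("wrong_process", addr, port, proc))
    return findings


if __name__ == "__main__":
    for kind, addr, port, proc in surface_findings(parse_listeners(SAMPLE_SS)):
        print(f"{kind:14} {addr}:{port} ({proc})")
```

On the constructed sample this flags the database bound to all interfaces, a Redis instance nobody asked for, and a metrics agent on loopback; the first two are the classic findings of an external scan, the third is the kind a scan from outside never shows.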
As Principles 1 to 5 (and indeed the others) show, cybersecurity principles revolve around trade-offs: we routinely give up convenience for security. Not all of our solutions depend on detection, however. We champion non-detection-based technology from Israel because it can stop zero-day attacks. Beyond that, we also offer more resource-intensive AI and machine-learning solutions that collect and analyse large volumes of electrical and computer activity data to find lost productivity or suspicious criminal activity. Our professional services include reconfiguring and hardening kernels (a stock Windows, Unix or Linux kernel configuration is, in our view, decades out of date) and adding proprietary security layers to stop full-blown calamities. Our military-grade ICT defence products are also delivered to approved clients so they can combat criminals effectively.
(6) Awareness and (7) Agility
System resilience and survivability are enhanced by readiness, improved intelligence and situational awareness, faster response, the flexibility and ability to react to a threat (cyberspace manoeuvre), and rapid evolution as threats and opportunities advance. MITRE's cyber resiliency framework (Bodeau and Graubart, 2013) provides detailed resiliency goals, objectives and techniques.
(8) Resilience
Disruption can be abrupt or sustained, natural or man-made (e.g. internal failure or external attack), and sometimes unexplained. Since attacks often cannot be avoided and sophisticated adversaries do penetrate defences, resilience is built by including redundancy, alternate (e.g. wartime) modes, a contingency strategy, an incident response strategy, diversity of components, active defences, and rapid reconstitution after a catastrophic attack. Resilience enables systems to repel, absorb and/or recover from attacks, and is further enhanced by hardening, reduction of attack surfaces, segregation of critical missions, and attack containment.
Autonomous compromise detection and repair (self-healing), together with adaptation to and evolution with changing environments and threats, enhance survival.
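The simplest form of self-healing is detect-and-restore: keep a digest baseline and a golden copy of each protected file, notice when the live file drifts, and put the golden copy back. The following is an added example, not code from the original article or from MITRE's framework; the protected file, its contents and the simulated tampering are constructed.

```python
"""Detect-and-repair ("self-healing") for a set of protected files: record a
SHA-256 baseline plus a golden copy, detect drift, restore the golden copy.
Added example, not from the article or MITRE's framework; the paths, file
contents and tampering below are constructed."""

import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class IntegrityGuard:
    def __init__(self, protected_paths, golden_dir):
        # Golden copies are keyed by a hash of the path so any path is safe to store.
        self.golden_dir = golden_dir
        os.makedirs(golden_dir, exist_ok=True)
        self.baseline = {}
        for p in protected_paths:
            shutil.copy2(p, self._golden(p))
            self.baseline[p] = sha256_file(p)

    def _golden(self, path):
        return os.path.join(self.golden_dir, hashlib.sha256(path.encode()).hexdigest())

    def check(self):
        """Paths whose content no longer matches the baseline (a missing file counts)."""
        return [p for p, digest in self.baseline.items()
                if not os.path.exists(p) or sha256_file(p) != digest]

    def heal(self):
        """Restore every drifted file from its golden copy; return what was repaired."""
        repaired = []
        for p in self.check():
            shutil.copy2(self._golden(p), p)
            repaired.append(p)
        return repaired


def demo():
    """Protect a constructed sshd_config, tamper with it, detect and repair."""
    work = tempfile.mkdtemp()
    cfg = os.path.join(work, "sshd_config")
    with open(cfg, "w") as f:
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")
    guard = IntegrityGuard([cfg], os.path.join(work, "golden"))

    # Simulated tampering: an intruder weakens the configuration.
    with open(cfg, "a") as f:
        f.write("PermitRootLogin yes\n")

    drifted = guard.check()
    repaired = guard.heal()
    with open(cfg) as f:
        restored = f.read()
    clean_after = guard.check()
    shutil.rmtree(work)
    return (drifted == [cfg], repaired == [cfg],
            "PermitRootLogin yes" not in restored, clean_after == [])
```

The caveat a practitioner would add: the golden copies and the baseline must live somewhere the attacker who altered the live file cannot also alter (read-only media, a separate host, or a signed store), otherwise the repair loop faithfully restores the attacker's version. Repair should also log what it restored, since the drift itself is the incident to investigate.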
(9) Affordability
Defenders must balance costs and benefits. Open architectures, standards, reuse and rapid evolution help contain the cost of architectures and designs. Efficient operations and maintenance, through appetite suppression (i.e. focusing and limiting requirements and the associated effort), competition and autonomy, can free significant resources.
(10) Optimization
Some of the most successful organizations integrate and optimize across defence and offence, and tap into the appropriate mix of automation and human intelligence, which lets them balance confidence in distributed operations against the need for detailed, centralized control.
(11) Asymmetry
Some of the best organizations make the most of limited talent, treasure and time by maximizing the benefits of their own cyber posture (cost savings, efficiencies and effectiveness) while maximizing the adversary's costs (resources, risk, uncertainty) and/or denying them benefits, thus deterring attacks.
We would be happy to discuss these IT security strategies with clients when implementing our cybersecurity solutions to protect them. We hope this helps many organisations and people defend against cyber attacks.
Confidential sources helped us write this report, alongside many sources found on the internet. We chose to build on an existing document that set out these 11 principles, since we wanted to build on good existing research and help others rather than replace our understanding of IT security. That document did not individually name its contributing authors or research papers.
Bodeau, D., & Graubart, R. (2013). Cyber Resiliency Assessment: Enabling Architectural Improvement. MITRE Corporation. Retrieved from www.mitre.org/sites/default/files/pdf/12_3795.pdf
Brink, D. (2010, October 7). Quantifying Business Value of Application Security: Cost Avoidance, Cost Savings. Retrieved from http://blogs.aberdeen.com/it-security/quantifying-business-value-of-application-security-cost-avoidancecost-savings/
Ponemon Institute. (2015, May 23). 2015 Cost of Data Breach Study: Global Analysis. Ponemon Institute Research Report. Retrieved from http://public.dhe.ibm.com/common/ssi/ecm/se/en/sew03053wwen/SEW03053WWEN.PDF