Ruslan Rakhmetov, Security Vision
As a rule, most terms related to information technology enter Russian professional communities and regulatory documents from various English-language international standards. Thus, over the last few years, the information security industry has been actively using terms with the prefix ‘cyber’, in particular ‘cybersecurity’.
Cybersecurity
Many people believe that cybersecurity is synonymous with the term ‘information security’, but this is actually a mistake. Consider the international standard ISO/IEC 27032:2012 Information technology - Security techniques - Guidelines for cybersecurity. In this document we should pay attention to the diagram that visualises the relationships between the main terms quite well (see Figure 1).
Figure 1 - Logical relationships between cybersecurity and other areas of security according to ISO/IEC 27032:2012
As we can see, cybersecurity is only one constituent part of the information security process, and it relates exclusively to digital technologies. The standard states that cybersecurity is a process that provides the familiar properties of confidentiality, integrity and availability, but only within a particular abstract environment: cyberspace. Cyberspace, in turn, is understood as a complex virtual information environment that has no physical embodiment of the kind we are accustomed to.
Since Russian regulatory practice does not yet have an established definition of cybersecurity, in our opinion, given the above, the most appropriate definition is the following: cybersecurity is a branch of information security whose activities are aimed at protecting programmes, systems and networks from computer attacks in cyberspace.
Cyber resilience
Next, let's break down another new term: cyber resilience. As we know from other fields, resilience is the ability of an object to maintain its current state when subjected to various external influences. The term ‘cyber resilience’ was formed by applying the term ‘resilience’ to the field of information security, and it can be briefly formulated as follows: cyber resilience is the ability of information systems to continue performing their normal (target) functions while under computer attack in cyberspace.
All specialists in departments responsible for cybersecurity know that in today's world it is impossible to achieve absolute, one hundred per cent security of an organisation's information systems and networks. Therefore, all organisational and technical measures are applied only to improve cyber resilience. It is important to understand that absolutely any programme, information system or network can be hacked; it is only a matter of the time and resources available to the attackers.
The concept of cyber resilience is based not on whether, but on when, an organisation will be subjected to a cyber attack. This means that instead of focusing your efforts solely on preventing criminals from penetrating your network, it is better to assume that they will eventually breach your defences and to start working on a strategy for mitigating the consequences.
Internationally, there are various methodologies for assessing cyber resilience, one of which is the Cyber Resilience Review (CRR). The CRR is a suite of methodological documents developed by the US Department of Homeland Security. The assessment is designed to measure an organisation's cyber resilience and to identify gaps for improvement against recognised best practices. The CRR evaluates corporate programmes and practices in the following ten domains:
- Asset Management
- Controls Management
- Configuration and Change Management
- Vulnerability Management
- Incident Management
- Service Continuity Management
- Risk Management
- External Dependencies Management
- Training and Awareness
- Situational Awareness
Besides the cyber resilience assessment methodology itself, the CRR also contains guidelines to help you implement the necessary practices in each of the domains listed above.
Cyber Training
Conducting drills and training in a near real-world environment is essential for improving the skills of the staff of company departments. Cybersecurity departments often spend a lot of time and effort testing the effectiveness of their security controls and preparing for an incident, but not enough time learning how to handle an incident when it actually occurs. The consequences of being unprepared are reflected directly in business losses and can include system downtime, loss of sensitive data, costly fines and damage to brand reputation.
There is currently no established definition or boundaries for the term ‘cyber training’, but as a rule the Russian cybersecurity community understands it as a practical event for practising a team's response to incidents. Such events are also known as a cyberpolygon (cyber range). These events simulate various types of attacks on a virtual infrastructure, where cybersecurity professionals hone their skills in countering threats, gain new knowledge and identify weaknesses. The formats of cyber exercises vary and include workshop, staff, functional and full-scale exercises.
Thus, cyber exercises are training events that simulate various cybersecurity threats to a virtual infrastructure in order to test and improve the practical skills of an organisation's cybersecurity professionals.