CYBER RESILIENCE NEWSLETTER JANUARY 2020
KARM Legal Consultants are proud Members of the Arab Monetary Fund Regional Fintech Working Group, recently having been privileged to assist the Working Group in the research and drafting of three (3) policy guidelines in Fintech. One such policy included The Cyber Resilience Oversight Guidelines for the Arab Region, concerning Financial Market Infrastructures, presented at the Third Meeting of the Arab Regional Fintech Working Group on 15 and 16 December 2019; and which will be formally published by the Arab Monetary Fund during early 2020.
We hope and trust that our work will be an informative resource for our readers. Herewith a brief introduction to Cyber Resilience.
“πάντα χωρεῖ καὶ οὐδὲν μένει”, translated to mean “Everything changes and nothing stands still”, quoting the Greek philosopher Heraclitus of Ephesus. Although the quote is approximately 2,500 years old, the same holds true for the present-day global cybersecurity and threat landscape.
Cyber resilience is an organisation's ability to continuously deliver the intended outcome, despite adverse cyber events. It refers to an organisation’s capability to sense, resist and react to disruptive cyber events, and to recover from them in a timely fashion. Cyber resilience, as a concept, essentially brings the areas of information security, business continuity and resilience together. Due to the nature of a digital (internet) economy being borderless and ever changing, it is advisable to create the capability to anticipate threats, to absorb the impacts of such threats and to react in a rapid and flexible way to ensure that an organisation’s key systems and processes continue operating, without undue interruption. This ability is further enhanced through an organisation’s use of smart technology.
The rapid digitization of the global economy has brought a dramatic increase in the number of cybersecurity incidents, and cybersecurity issues are becoming a day-to-day struggle for organisations. Recent trends and cybersecurity statistics reveal a huge increase in hacked and breached data, originating from sources that are increasingly common in both workplace and household environments as emerging technologies expand. Furthermore, recent security research suggests that most organisations have unprotected data and poor cybersecurity practices in place, making them particularly vulnerable to cyber-attacks and possible data loss.
To successfully defend against malicious cyber-attacks, it is imperative that organisations make cybersecurity awareness, prevention, security best practices and foresight capabilities part of their culture, in addition to strict adherence to and compliance with regulatory provisions. The provisions in turn need to be robust, yet flexible enough not to stifle or frustrate technological innovation, which serves organisations’ stakeholders, curbs costs and provides organisations with a competitive edge in the global market. There is a clear, growing imperative for cyber threat resilience in the digital age. It is acknowledged that governments, organisations in the private and public sectors and individuals must all play their part in building an ecosystem that is resilient to cyber threats.
Statistics (from an international perspective) may assist to motivate the need for cyber resilience through representation of the overall impact of cyber-attacks. As such, be advised of the following reported statistics:
Governments, together with Regulators, Supervisory Authorities, as well as organisations and individuals alike all play a critical role in the establishment of a national cyber resilient culture, where all are informed, aware, educated, skilled and necessarily enabled in defence. Innovation and investment in technology will thrive within an environment nurtured by smart, strong authorities and organisations governed thereunder.
Organisations can reasonably be expected to maintain adequate competence and capability in the area of cyber resilience. Because cyber risks pose ever-growing, ever-evolving and unique challenges to organisations, it must be acknowledged, with a sufficient degree of understanding and appreciation, that dedicated attention and resourcing are required. Organisations may minimise their cyber risk exposure by ensuring that systems are “secure-by-design”: software and hardware development aim, from the foundations up, to ensure that systems are free from vulnerabilities (or at least best protected against them) and as impervious to attack as possible, through such measures as continuous testing, authentication safeguards and adherence to best programming practices. Emphasis is to be placed on resilience (and foresight), having due regard to current and possible future threats, as opposed to mere compliance with a standard without reflecting on whether there are unique threats that the regulations may not or do not address. Particularly given the constant evolution of threats and changes in technology, the possibility of new attack mechanisms and vulnerabilities must always be taken into account.
Cyber governance, traditionally defined, concerns the organisational arrangements for the creation, implementation, examination and review of its approach to managing cyber-related risks (or perils), as well as cyber-attacks.
An effective Cyber Resilience Framework consists of the following components:
In discussing cyber risk management: Governance; Identification; Protection; Detection; as well as Response and Recovery.
Ancillary components include: Testing; Situational awareness; as well as Learning and evolving.
SITUATIONAL AWARENESS & CYBER THREAT INTELLIGENCE
Situational awareness refers to an organisation’s understanding of the cyber threat environment within which it operates, the implications of being in that environment for its business / operations and the adequacy of its cyber risk mitigation measures. Strong situational awareness can significantly enhance an organisation’s ability to understand and pre-empt cyber events, and to effectively detect, respond to and recover from cyber-attacks that are not prevented. An organisation’s solid understanding of the threat landscape can help it better identify and appreciate the vulnerabilities in its critical business functions, as well as facilitate the adoption of appropriate risk mitigation strategies. It can also enable an organisation to validate its strategic direction, resource allocation, processes, procedures and controls with respect to building its cyber resilience.
As part of the threat intelligence process, an organisation should establish a process to gather and analyse relevant cyber threat information. The analysis should be carried out in conjunction with other sources of internal and external business and system information, so as to provide business-specific context. This turns the information into usable cyber threat intelligence, which provides timely insights and informs enhanced decision-making by enabling the organisation to anticipate a cyber attacker’s capabilities, intentions and modus operandi.
A key means of achieving situational awareness for an organisation and its ecosystem is an organisation’s active participation in information-sharing arrangements and collaboration with trusted stakeholders within and outside the industry. In respect of information-sharing, organisations should participate actively in information-sharing groups and collectives, including cross-industry, cross-government and cross-border groups to gather, distribute and assess information about cyber practices, cyber threats and early warning indicators relating to cyber threats.
SITUATIONAL AWARENESS - FOCUSING ON THE MIDDLE EAST
In an interview with Mr Khaled Chatila of Anomali Inc., a niche provider of Cyber Threat Intelligence solutions, he discusses Threat Intelligence in greater detail.
Mr Chatila is quoted as saying: “Research on threats targeting the Middle East by Anomali indicates the following: a total of more than 870,000 malicious and suspicious observables are presently located in the Middle East. 75% of these are associated with Malware Command and Control - communication channels between a malicious actor and malicious software or tools infrastructure, used by cyber criminals to control and update/change their malware as needed. 13% are associated with Anonymization - systems on the internet that obfuscate the origin of an attack. 6% are associated with APT (Advanced Persistent Threat) - an actor/group that has a high level of sophistication and skill, usually well funded and/or supported by Nation States. 4% are associated with Botnet activity - a network of systems used for various types of attacks like DDoS (Denial-of-service attack) or acting as Command and Control for malware. 2% are associated with Phishing - websites that trick victims into entering their credentials, which are captured by an attacker.
A documented North Korean APT group known as Lazarus has been observed to be very active in the Middle East region. Since the beginning of 2019 alone, North Korean agents have attempted five major cyber-thefts worldwide, including a successful $49 million heist from a financial institution in Kuwait, according to the U.N.
With all this in mind, it is clear that cyber threats are very real and should be front of mind. Rapid digitization increases the likelihood of a cybersecurity incident. Within organisations, information security and situational awareness should be addressed from a top-down approach. This includes: budget allocation, awareness training for all employees; and investing in security technologies and people.
From an individual perspective, the only form of defence against highly skilled social engineering campaigns is our personal awareness and a culture fostering such awareness. For example, do not click on random, unknown or unexpected links received in messages, emails or communications from senders whom you do not know. Deception is often a key tool in the attacker’s arsenal, and an attacker can, in many instances, craft and send an email or message to a victim that may appear to be legitimate.
Does this mean that we should turn off all of our phones, laptops, smart / mobile devices and their connectivity capabilities? Absolutely not. The advent of the technological breakthroughs in connecting the world is one of man’s greatest achievements, but as the renowned saying goes: “With great power comes great responsibility”. Consider it your personal duty to be more aware, wise and informed of the digital threats that surround you. We like to refer to it in Threat Intelligence terms as “Protecting the Herd”. Stay safe.”
THE NOTPETYA DATAWIPING WORM: A GLIMPSE AT SYSTEMIC CYBER RISK
The closest example to a systemic cyber risk event, the NotPetya attack, started in Ukraine in late June 2017. A self-replicating computer virus used an exposed nation-state-grade technology exploit, as well as several other advanced techniques, to infect thousands of computers. The total costs from NotPetya are estimated to have ranged between $2 billion and $10 billion. The attack took some networks down for several weeks. The event revealed some possible characteristics of a future systemic cyber event: fast propagation, causing a high number of victims in a short period of time; intended logical or physical destruction of a system that leads to disruption of an organisation’s mission or business operations; and collateral damage outside the intended victim. Cyber insurance may not cover such events, as they could fall into the “war clause” exemption.
Cyber threats are real and can be as devastating as the risks of terror and other catastrophic events. Embracing a culture of cyber resilience and cyber security awareness is of paramount importance.
KARM passionately advocates sound cyber resilience and sound security practices. Given KARM’s specialised focus on Cyber Law, Information Security, Cyber Security, Data Security, Data Governance, Compliance and Threat Intelligence, we are actively involved in consultancy, regulation and policy drafting, as well as education through training and workshops.
We invite you to engage with us directly on this topic for further discussion. Please contact us: http://karmadv.com/contact-us
EXTERNAL SHOCK AND OTHER SCENARIOS
- IBM Ponemon, “Cost of a Data Breach” report, released on 30 July 2019. https://diligent.com/en-gb/blog/cost-of-a-data-breach-ponemon-institute-report/
- Committee on Payments and Market Infrastructures (Bank for International Settlements) and Board of the International Organization of Securities Commissions, Guidance on cyber resilience for financial market infrastructures, June 2016. https://www.ecb.europa.eu/paym/pol/shared/pdf/CPMI_IOSCO_Guidance_on_cyber_resilience_for_FMIs.pdf?69e99441d6f2f131719a9cada3ca56a
Authored by Luna De Lange