Ravi Dhungel  / Pooja Bastakoti

You are trying to buy something important for your loved one on an e-commerce website and suddenly, the server doesn’t respond after you click ‘buy’ icon. You are in the middle of your medical screening and a medical professional cannot access your electronic medical record. Government has critical infrastructures which include power lines and central banks information that the government cannot access due to cyber-attack. Are computer systems inherently unreliable? Do we have cyber security controls in place to ensure the data is confidential, integral and available? Building cyber resilient enterprises continues to be a challenge to industry, government and military.

Developing cyber resilient enterprises is both art and science. Computer science is in the conundrum of art and science. Securing data in the computer and servers are even more challenging and inherently complex because of the scalability, complexity and interconnectivity of the computer networks. Lately, COVID-19 has led to the creation of plethora of workforces that have never worked from home and have established the new norm of zoom way of doing things all over the world.

Conceptual security model
CIA (Confidentiality, Integrity and Availability) triad is the well-known conceptual security model for implementing security controls in the digital information system. ’C’ in the CIA triad stands for Confidentiality. Confidentiality ensures that data is confidential and people with proper access will have access to confidential data. One way of achieving confidentiality is through encryption. The unreadable format is achieved through encryption. Use of encryption techniques safeguards our data. DES (data encryption standard) and AES (advanced encryption standard) are widely used encryption technologies. Only the person with the encryption key can decrypt and read the data.

‘I’ in the CIA triad stands for integrity. The integrity ensures that the content of the message is not altered either maliciously or by accident. Hash function is used to map the data from arbitrary size to fixed size values which is used for data integrity check. The storing of the secrets with hash value and salting ensure that the passwords have integrity. Signing the code provided by the vendors also ensures integrity.
‘A’ in the CIA triad means availability, which includes network and services, should readily be available for the authorised users. To keep the system running and making sure the network can handle the expected load to ensure the data availability. DOS or DDOS (distributed denial of service) may render a network unavailable as the resources of the network are drained. Securing the system services like DNS (domain name system) is critical to mitigate DDOS attack in any web applications. Building cyber resilient enterprises requires administrative and security controls in the genes of the organisation. Proper data security policies, compliances and processes that consist of the administrative and technical controls are framed on the basis of confidentiality, integrity and availability of the enterprises.

Although the red team and blue teams evolved in the armed forces, security teams across the organisation simulate the red blue environments. Red team exploits and compromises the organisation's own system to predict the potential attackers’ pattern. Red team uses security vulnerabilities of access system, computers, credentials, file servers, endpoints, and physical security breach, exploiting directory and email, and using different social engineering techniques. Red team is great way of validating the attack surface and identifying security risks to reduce the attack surface digitally, physically and socially.

The blue team is defense focused and builds security architecture and maintains the protective internal cybersecurity infrastructure. Blue team gathers data, documents of what exactly needs to be protected and carry out the risk assessment. Defensive plan is made by first identifying the key assets. Then, the related threats for each asset are identified to perform the risk assessment. Finally, the action plan is developed to implement based on cost-benefit analysis to lower the impact of the threat by building layered security controls with zero trust. If the blue team identifies that the company’s network is vulnerable to DDOS which reduces the availability of network for users, then the team calculates the loss in case if the threat occurs. Consideration of installing the intrusion detection and prevention system is based on the cost-benefit analysis aligning with business objectives.

Phishing is the most widely used tactic to lure the receiver with some financial gains so they click the links that are vulnerable. Building resilient cyber security programmes requires good investment in insider's threat programmes. Insider’s threat has been the challenge to most organisations. In one way, insiders require proper access to data for employees to do their work. In contrast, most data leakage and exfiltration are happening inside the organisation accidentally or deliberately. The concept of principle of least privilege and separation of duties plays an effective role to mitigate the challenges of the insider’s threat. Training and awareness is another important function of the good cyber security programmes to mitigate the insider’s threat challenges.

Data regulation
Proper data compliance and regulations enforced by the state or federal government with financial penalty to the enterprises also helps build cyber resilient enterprises. Regulations like HIPAA, FERPA, and GDPR enforce penalty for data leakage and exfiltration. Cyber security continues to be the biggest challenge in developing countries and developed countries alike. President Joe Biden recently emphasised cyber security through the executive order and with public private-partnership. Public private partnership has been emphasised in recent meetings presided by the President as many critical infrastructures are managed by the private corporations in the United States and all over the world.

Google and Microsoft have committed to providing $10 billion and $20 billion to implement cybersecurity initiatives respectively. The AWS committed to provide free multi-factor authentication devices to US customers who spend at least $100 a month on average on Amazon Web Services. Similarly, IBM committed to provide secure backup service and Apple too encouraged enhancing the cybersecurity of supply chain as well as multi-factor authentication and better logging. This shows the securing digital supply chain requires collaboration between the federal government and private enterprises. Developing resilient cyber security programs requires multi-year planning with both internal and external stakeholders executing cyber security programmes in the enterprises.

(Dhungel is a cyber security practitioner and co-founder of esrtech.io and Bastakoti is an electronics engineering student at IOE, Tribhuvan University.)