CBEST and Offensive Security

05 August 2024

Cyber is intrinsically linked to a firm’s operational resilience, with robust cyber controls and practices required for firms to be able to absorb and adapt to shocks and disruptions, rather than contributing to them. To this end, regulators are continuing to place significant focus on cyber resilience.  

To test cyber resilience and build a better understanding of the weaknesses and vulnerabilities of systemically important firms and by extension, the wider financial system, the Bank of England (BoE) implemented the CBEST security assessment framework. The Prudential Regulation Authority (PRA), the Financial Market Infrastructure Directorate (FMID) of the Bank of England, and the Financial Conduct Authority (FCA) have incorporated this framework into their supervisory strategies.

CBEST promotes an intelligence-led penetration testing approach. This approach mimics the actions of cyber threat actors who are intent on compromising an organisation’s important business services and disrupting the technology assets, people and processes supporting those services. The purpose of CBEST is to provide a prioritised assessment that allows firms/financial market infrastructure providers (FMIs) to better understand the weaknesses and vulnerabilities in their environments. Based on this understanding, they can take appropriate remedial actions to improve resilience.

Whilst CBEST is focused on systemically important firms/FMIs, a CBEST-like approach through offensive security methods can benefit all firms across the sector. This is especially true when considering that thematic CBEST findings continue to highlight the importance of building strong foundations of cyber hygiene.  

  • Cyber hygiene
  • CBEST thematic findings
  • Conclusion
  • How we can help

Cyber hygiene

Foundational cyber hygiene is crucial for preventing many common cyber-attacks. Firms should ensure they are adhering to a recognised cyber control framework and have robust and continuous visibility of their current control effectiveness. 

The CBEST thematic report states that true and meaningful cyber resilience cannot be delivered or achieved without a whole-organisational and continuous effort. To that end, the implementation of cyber foundations is not a 'once and done' task and must be underpinned by a cyber strategy aligned to business objectives. This strategy should be accompanied by well-considered cyber programmes that allow for agility in responding to threats and the implementation of robust operating models with clear accountability and responsibilities.

Importantly, all levels of a firm should have confidence in the coverage and effectiveness of detective, preventative and response measures. To achieve this, firms should focus on consistently tracking relevant metrics aligned to well-defined cyber KPIs. They should also monitor the status of cyber programmes, ensuring that clear success criteria are reported to senior leadership. 

Managing cyber risk is a challenge, and IT and cyber security teams are often overwhelmed and capacity-constrained as a result. To support prioritisation, it is crucial that firms understand the threats they face. This understanding should be used to inform focus areas for ongoing cyber threat intelligence and control optimisation, especially if intelligence identifies an imminent attack.

CBEST and offensive security methods identify relevant threat actor levels likely to target a firm based on its functions and operational context. The CBEST thematic report details scenario testing from the perspective of state actors, or advanced persistent threats (APTs), organised criminal groups, and insider threats. 

While the types of threat actors identified provide insights for the sector, firms should consider undertaking their own threat profile assessment and offensive security testing. This will provide a perspective on the relevant threat actors they need to defend against and how effective their controls are at detecting and withstanding attacks from those threat actor levels. 

Key benefits

  • Gain visibility of risk and exposure from the perspective of relevant threat actors.
  • Gain assurance and confidence in the effectiveness of defensive controls and resilience to withstand a cyber-attack.
  • Meet regulatory, compliance and customer expectations.
  • Prioritise remediation and control efforts.
  • Reduce reputational damage, financial loss and regulatory scrutiny.
  • Gain clarity of investment requirements to protect information, systems, and ultimately, business value.

CBEST thematic findings

The thematic findings in the CBEST thematic report focus on six foundational control areas. Positive examples demonstrate that good practices are in place, but these are inconsistent across participating firms. Conversely, the common gaps identified show that ineffective management of these foundational control areas undoes some of the good work that firms have put in place.

This inconsistency illustrates varying levels of cyber maturity across the sector, indicating that participating firms still have a long way to go to reach the desired level of cyber resilience. 

For firms that do not participate in CBEST, the following themes and examples should still be a key focus for improving cyber resilience. Please note, the examples provided are not exhaustive.  

Identity and access management 

The challenge

Positive examples include the hardening of centralised authentication methods, such as Active Directory, which is commonly targeted during attacks. However, common gaps still include insufficient practices for managing privileged accounts and a lack of strong multi-factor authentication. 

Why it matters

Currently, threat actors can leverage over 12 billion accounts available in breach lists, and as a result, can take advantage of poor password practices or a lack of multi-factor authentication, potentially resulting in a trivial system compromise. 

What firms should do

Firms should ensure that appropriate password policies are in place and that guidance for handling credentials sets out clear expectations for users and for the management of privileged accounts; where possible, policy requirements should be enforced through technology. Furthermore, firms should implement and enforce multi-factor authentication to reduce the risk of falling victim to password-based cyber-attacks.
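As an added illustration of enforcing these two requirements through technology (this is example code, not from the article or from any CBEST material), the script below audits a constructed account inventory: it flags privileged accounts without MFA enrolled, and it checks each password against a breach corpus using the k-anonymity range-query pattern used by the Have I Been Pwned "Pwned Passwords" service, where only the first five hex characters of the SHA-1 digest leave the client. The usernames, passwords and the breach corpus are all constructed and held in memory, so nothing is sent over the network.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Account:
    username: str
    privileged: bool
    mfa_enrolled: bool
    password: str  # present only because this is a constructed sample inventory


# Constructed breach corpus: upper-case SHA-1 hex digests of a few weak passwords.
# A real check would query a breach-list service; the hashing scheme is the same.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1", "Summer2024!", "letmein")
}


def range_query(prefix: str) -> List[str]:
    """Stand-in for a k-anonymity range endpoint: given the first five hex
    characters of a SHA-1 digest, return the 35-character suffixes of every
    breached hash sharing that prefix. The full hash never leaves the caller."""
    return [h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)]


def password_is_breached(password: str,
                         query: Callable[[str], List[str]] = range_query) -> bool:
    """True if the password's SHA-1 suffix appears in the range returned for its prefix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in query(digest[:5])


def audit_accounts(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Apply the two policy rules and return (username, finding) pairs.
    An empty list means every account is compliant."""
    findings = []
    for a in accounts:
        if a.privileged and not a.mfa_enrolled:
            findings.append((a.username, "privileged account without MFA"))
        if password_is_breached(a.password):
            findings.append((a.username, "password appears in breach corpus"))
    return findings


# Constructed sample inventory (hypothetical users and passwords).
SAMPLE_ACCOUNTS = [
    Account("svc-backup", privileged=True, mfa_enrolled=False, password="Summer2024!"),
    Account("alice", privileged=True, mfa_enrolled=True, password="v7#Tq9!mL2zPx&4wR"),
    Account("bob", privileged=False, mfa_enrolled=False, password="letmein"),
]

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user}: {finding}")
```

Running it reports three findings: the backup service account both lacks MFA and uses a breached password, and `bob` uses a breached password; `alice` is compliant. The `query` parameter is injectable so the same audit can be pointed at a real range endpoint without changing the policy logic.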

Staff awareness and training 

The challenge

Positive examples include rapid and high-quality response to CBEST testing by specialist security staff, as well as proactive reporting of phishing emails. Common gaps, however, include a failure to sufficiently review and measure cyber hygiene and an over-exposure of sensitive data in public domains and social media. 

Why it matters 

As part of an attack lifecycle, motivated threat actors undertake thorough reconnaissance and research. Gaps in a firm’s cyber hygiene and inappropriately disclosed information, such as technical details, are extremely valuable to a threat actor. This type of information is likely to be used to establish attack targets and paths of least resistance across people, process, and technology.

What firms should do

Firms should regularly review their digital footprint and current levels of cyber hygiene, including the discovery of leaked information in the public domain and social media. Staff should be educated on the impact of sharing information and provided guidance on the level of information sharing that is acceptable on social media and other platforms.

Secure configuration

The challenge

Positive examples show that some firms were able to disrupt less sophisticated attack paths due to securely configured foundational infrastructure services. However, common gaps include insecure configuration, or a lack of testing, and a failure to achieve the core principle of least privilege/functionality.

Why it matters

Due to the plethora of attack paths through people, technology, and physical approaches, firms should work on the assumption that they will be breached. As such, they should apply equal focus to perimeter and internal network controls. Insecure configuration of systems, applications and infrastructure reduces the effort for a threat actor and increases the likelihood of a successful compromise.

What firms should do

To increase visibility of insecure and misconfigured systems, applications and infrastructure, firms should set out standards for secure configuration across the varying technology types deployed in the organisation and validate compliance by performing regular vulnerability assessments and configuration compliance reviews.
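The following is an added example (not from the article or any CBEST material) of the kind of configuration compliance review described above: a small checker that parses an sshd_config-style text and reports every setting that deviates from, or is missing relative to, a baseline. The baseline values are assumptions chosen to illustrate least privilege/least functionality; a firm's own secure configuration standard would define them. The sample configuration is constructed and does not describe a real host.

```python
import re
from typing import Callable, Dict, Optional, Tuple


def equals(expected: str) -> Callable[[str], bool]:
    return lambda actual: actual == expected


def at_most(limit: int) -> Callable[[str], bool]:
    return lambda actual: actual.isdigit() and int(actual) <= limit


# Assumed baseline: keyword -> (human-readable expectation, predicate over the observed value).
BASELINE: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "permitrootlogin": ("no", equals("no")),
    "passwordauthentication": ("no", equals("no")),
    "permitemptypasswords": ("no", equals("no")),
    "x11forwarding": ("no", equals("no")),
    "maxauthtries": ("<= 4", at_most(4)),
}


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines into a lower-cased dict. Comments are
    stripped and, as sshd does, the FIRST occurrence of a keyword wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # keyword with no value: skip rather than crash the review
        key, value = parts[0].lower(), parts[1].strip().lower()
        settings.setdefault(key, value)
    return settings


def check_config(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {keyword: (expected, observed)} for every baseline deviation.
    observed is None when the keyword is not set and the daemon default applies."""
    observed = parse_config(text)
    findings: Dict[str, Tuple[str, Optional[str]]] = {}
    for key, (expected, ok) in BASELINE.items():
        actual = observed.get(key)
        if actual is None or not ok(actual):
            findings[key] = (expected, actual)
    return findings


# Constructed sample fragment; deviations are deliberate so the checker has something to report.
SAMPLE_CONFIG = """\
# constructed sample sshd_config fragment (not a real host)
Port 22
PermitRootLogin yes          # deviates from baseline
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 6
PermitRootLogin no           # ignored: sshd keeps the first value seen
"""

if __name__ == "__main__":
    for key, (expected, actual) in check_config(SAMPLE_CONFIG).items():
        shown = actual if actual is not None else "unset (default applies)"
        print(f"{key}: expected {expected}, observed {shown}")
```

Unset keywords are reported as well as wrong ones, so that a reviewer confirms the daemon default explicitly rather than assuming it; the same structure (parse, then evaluate each baseline predicate) extends to any other key/value configuration format the firm's standards cover.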

Network security

The challenge

Positive examples include segmented networks and the ring-fencing of core systems/services, particularly around critical infrastructure, as well as the use of industry standards and good practice to harden infrastructure. Interestingly, the common gaps identified demonstrate inconsistencies between participating firms. These include insufficiently segregated corporate networks and ineffective limitation of exposure of secure network areas, resulting in lateral movement across group entities.

Why it matters

Robust segmentation/segregation is crucial in limiting the spread of malware/ransomware and the overall impact of an attack. Firms should ensure that appropriate segmentation is in place for important business services and dependent systems. Without appropriate segmentation control, response to a cyber-attack becomes more challenging, and recovery time is likely to increase.  

What firms should do

Robust segmentation/segregation is crucial in limiting the spread of compromise, including malware/ransomware, between networks and between operational locations in a group enterprise context. Firms should ensure that appropriate segmentation is in place for important business services, dependent systems and wide area networks. Without appropriate segmentation controls, limiting the impact of and responding to a cyber-attack becomes more challenging.

Incident response and security monitoring 

The challenge

Positive examples include effective workflows using cyber threat intelligence to improve preventative controls and cyber-attack detection use cases. Other positive examples include firms with rapid response capabilities to eradicate active cyber-attacks before they can cause impact. Conversely, some of the common gaps identified again demonstrate inconsistencies between participating firms. These include a lack of specialist staff ready to execute complex response activities, and a lack of suspicious-activity alerting and log management, including insufficient log retention to support cyber incident response.

Why it matters

To enable timely and effective detection and response to attacks, firms should invest in Security Operation Centre (SOC) capability. This includes ensuring that detection capabilities are robust and that effective response playbooks have been developed and aligned to the firm’s specific threat profile.

What firms should do

Firms should review their current security operation capability. Where outsourced arrangements are in place, these should be appropriately tested to ensure detection and response capability is effective for a range of relevant threats and scenarios.
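As an added example of the two capabilities this section highlights (not from the article or from any CBEST material): detection logic that raises an alert when a source address accumulates repeated authentication failures inside a short window and then succeeds, and a retention check that measures how far the oldest retained event falls short of a required retention period. The log format, host and user names, IP addresses (documentation ranges), the 180-day retention requirement and the "current time" are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed authentication log (hypothetical hosts/users, documentation-range IPs).
SAMPLE_LOG = """\
2024-08-01T08:40:12Z host=vpn01 user=alice src=203.0.113.5 result=FAIL
2024-08-01T09:00:01Z host=vpn01 user=alice src=203.0.113.5 result=FAIL
2024-08-01T09:00:22Z host=vpn01 user=alice src=203.0.113.5 result=FAIL
2024-08-01T09:00:40Z host=vpn01 user=admin src=203.0.113.5 result=FAIL
2024-08-01T09:01:05Z host=vpn01 user=alice src=203.0.113.5 result=FAIL
2024-08-01T09:01:50Z host=vpn01 user=alice src=203.0.113.5 result=FAIL
2024-08-01T09:02:30Z host=vpn01 user=alice src=203.0.113.5 result=OK
2024-08-01T09:03:00Z host=vpn01 user=bob src=198.51.100.7 result=FAIL
2024-08-01T09:03:20Z host=vpn01 user=bob src=198.51.100.7 result=OK
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> List[Dict]:
    """Parse matching lines into event dicts (UTC timestamps), oldest first.
    Malformed lines are skipped so one bad record cannot stall the pipeline."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce_then_success(events: List[Dict], threshold: int = 5,
                                   window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert when a source accumulates >= threshold failures inside the window
    and then produces a success. Failures older than the window are discarded."""
    alerts = []
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        fails = recent_failures[e["src"]]
        while fails and e["ts"] - fails[0] > window:
            fails.pop(0)
        if e["result"] == "FAIL":
            fails.append(e["ts"])
        elif len(fails) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"],
                           "failures": len(fails), "at": e["ts"]})
            fails.clear()  # one alert per burst
    return alerts


def retention_shortfall_days(events: List[Dict], now: datetime,
                             required_days: int = 180) -> int:
    """Days by which the oldest retained event falls short of the required
    retention period; 0 when the log already covers the full period."""
    if not events:
        return required_days
    oldest = min(e["ts"] for e in events)
    return max(0, required_days - (now - oldest).days)


EVENTS = parse_log(SAMPLE_LOG)
NOW = datetime(2024, 8, 5, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    for a in detect_bruteforce_then_success(EVENTS):
        print(f"ALERT {a['at'].isoformat()} src={a['src']} user={a['user']} "
              f"after {a['failures']} failures")
    print(f"retention shortfall: {retention_shortfall_days(EVENTS, NOW)} days")
```

The 08:40 failure from `203.0.113.5` is outside the five-minute window by the time the burst starts and is correctly dropped, so the alert reports five failures rather than six; `bob`'s single failure before a success stays below the threshold. The same parse-then-evaluate structure is what an outsourced SOC's detection content should be tested against using scenario-driven sample logs.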

Data security

The challenge

Positive examples include the deployment of strong encryption algorithms and the use of full-drive encryption to mitigate attacks where assets were physically out of an organisation’s control. Conversely, common gaps for some participating firms include inadequate levels of protection for data at-rest and in-transit and inconsistencies in levels of data protection, such as how data backups are created and stored.

Why it matters

Implementation of data protection controls such as encryption for data at-rest and in-transit is crucial to maintain confidentiality at the point of compromise. Additionally, protection of backed-up data is key, especially considering recoverability from attacks such as ransomware.

What firms should do

Firms should review their encryption and other data protection controls to ensure that confidential and sensitive data cannot be accessed if breached while at-rest and in-transit. Controls applied to backup solutions should also be reviewed to ensure they provide expected levels of recovery under varying attack scenarios.

Conclusion

CBEST is a robust resilience assessment tool available to regulators for enforcement on participating firms across the sector. The CBEST thematic reports are extremely useful, and we suggest that all firms use them to sharpen their focus on control area improvements and effectiveness testing. 

Firms should also consider how they can use CBEST methodologies to their advantage by undertaking their own threat intelligence-led offensive security testing, tailored to their specific operational context. This approach will provide visibility of relevant threat actor types, specific attack scenarios, and threat actor tactics, techniques, and procedures (TTPs) they may be subjected to, while also validating their current level of cyber resilience. 

Like CBEST, the results of offensive security testing should inform the prioritisation of cyber programmes and activities. The aim should be to provide material improvements to current levels of risk exposure based on threat position and exploitability.

Next steps for firms:

  1. review your threat profile and likely attack scenarios;
  2. consider conducting offensive security testing aligned to CBEST methodologies to assess your current level of cyber resilience; and 
  3. review your risk registers and cyber programmes to ensure they are focused on the right priorities.

How we can help

Our cybersecurity team has extensive experience in delivering penetration testing options, whether it's on-premises, cloud, or hybrid. We will design a test that is suitable for your organisation's operational context. Options include:

  • internal penetration testing – infrastructure, wireless, systems and applications;
  • external penetration testing – perimeter, infrastructure, access; and
  • web application penetration testing – applications, websites, APIs.

If you would like further information, please contact Stuart Leach, or Richard Curtis.