Abstract
A former boss of mine, Peter Drissell (https://www.linkedin.com/in/peter-drissell-b917896/) (Commandant General RAF Regiment, Air Officer Royal Air Force Police), once delivered a presentation at a university lecture I was attending. There he made the following statement:
Many business leaders regard Security as being very expensive and virtually invisible. That is until it goes wrong, when it becomes very visible and considerably more expensive!
Ever since hearing this statement, I have sought to change this view. A proactive, asset- and risk-focused approach that is aligned with the business's mission statement and objectives has a significant effect on changing business leaders' perspectives. This chapter seeks to explain how you can start to reduce the opportunities available to cyber-attackers through a more targeted and prioritized approach. Many organizations are feeling a sense of cyber-security fatigue, often sensing that the cyber-criminals have the upper hand and that this is a battle they are losing; they frequently believe they are 'boiling the ocean'. If a business fails to identify and categorize its assets, it cannot truly appreciate the value of its most important assets or their importance to the business. Consequently, when it comes to carrying out risk assessments, these can often feel as though they are based on a premonition or a hunch. Additionally, when it comes to applying appropriate mitigation controls, it becomes extremely difficult to demonstrate proportionality and a return on investment.
© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Seaman, J. (2021). Combating the Cyber-Security Kill Chain: Moving to a Proactive Security Model. In: Montasari, R., Jahankhani, H. (eds) Artificial Intelligence in Cyber Security: Impact and Implications. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-88040-8_5
DOI: https://doi.org/10.1007/978-3-030-88040-8_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88039-2
Online ISBN: 978-3-030-88040-8
eBook Packages: Computer Science (R0)