
Dan Solomon MBA is Director of Cyber Risk and Security Services at Optimal Risk Management. A former special ops planner turned critical thinker, Strategic Intelligence specialist with 15 years experience as analyst and manager, dedicated to a robust gather-analyze process. Subsequently focused on the application of analysis, with a track record of client facing and consultative responsibilities, including workshop & scenario-building facilitation, programme management and business leadership/development roles. Now focused on bringing a proactive approach to security risk consulting, mitigating cyber risk and industrial espionage, through Red Teaming and Blue Teaming.
August 19, 2014


Safe Cities: A Proactive Approach to Cyber Resilience

The methods employed by advanced cyber attackers now compel organisations to adopt a more proactive approach to the security of digital assets and the processes that handle them.

The nature of sophisticated threats negates the efficacy of static and reactive measures to securing against cyber-attacks and, in most cases, limits the options for real-time response to a breach in its earlier phases.

The principles of a proactive approach should be based on development of insight and foresight. Insight into the organisation’s vulnerabilities – both system-based and ‘human-enabled’ – is a prerequisite for formulating a hierarchy of ‘concerns’ and security priorities.

Developing foresight is critical to anticipate potential causes of failure in cyber defence.

Characteristics of a breach response vary fundamentally, depending on whether the breach’s nature was familiar to the security team, or whether the mode and methods were previously unknown, leaving the organisation unprepared.

Forewarned is forearmed

Analysing the causes of security failure is key to developing insight into both probable and plausible outcomes. The enduring adage that being ‘forewarned is forearmed’ justifies testing and exercising an organisation’s capabilities, but is chronically under-valued by most firms – partly for want of a converged framework for identifying those capabilities.

In this context the term ‘capabilities’ must be all-encompassing to include technology, procedures and human aspects of prevention, detection and response, which invariably don’t fall under a single department’s management. So testing is fragmented and often limited to system aspects.

The causes of security failure are often human, but extend beyond the commonly recognised flaws in the awareness of staff or adherence to good security practices.

When examining the most common failing – poor situational awareness and analysis – there is a catalogue of potential errors in response as much as prevention. Analytical bias is common and heuristics a typical weakness exploited by deception.

The managerial tendency towards anticipating high-probability scenarios or a propensity to build evaluations based on the familiar certainly warrants scrutiny. These tendencies, together with the inability to synthesize ‘unknowns’ or integrate ‘uncertainties’ into scenarios, all override the more usual problems like a lack of early warning, a lack of suitable threat intelligence, and even the over-reliance on technology to mitigate threats.

All this can lead to poor decision-taking in response to a breach and in preparation of cyber defence. The challenge for a proactive posture is to champion an approach that organisations can adopt to identify their failures before they happen and generate the self-awareness required to improve performance.

For any organisation this provides a basis for trust in capabilities, confidence in security investment and initiatives and a clear view of tactical and strategic remediation priorities.

Information security: the process

The process of information security, which integrates various facets of an organisation’s preparedness and planning into an overarching security framework that incorporates systems, processes and management practices, is increasingly complex.

This really emphasizes the dynamic nature of performance failure analysis: firstly in the static examination of what happened within each vector, and secondly in a dynamic examination of how it happened.

Such analysis can be forced on an organisation after a major breach, whether conducted internally or by an expert third party. But assessing the organisation’s defence performance in a dynamic, holistic context highlights four distinct challenges:

  • Many firms struggle with methodologies for evaluating and quantifying risk involving digital assets and processes
  • The requirement for physical and cyber security domains to collaborate in combating the converged nature of sophisticated threats challenges both functions to dovetail capabilities effectively, while many organisations struggle with identifying interdependencies and vulnerabilities
  • Penetration testing provides no guarantees that vulnerabilities have been proven or uncovered and single-faceted security measures are being circumvented by new attacker methods. This is compounded by firms’ tendency to avoid dynamic exercising of defensive and response capabilities against ambitious scenarios, which ultimately hampers their ability to handle unexpected or unfamiliar aspects of their ‘next threat’
  • In most cases, organisations rely heavily on the deployment of static security measures and lack options for more agile defensive concepts. Defence is a more dynamic concept because it incorporates the assumption that we must react to an attack in real time, and we require various ways to respond, depending on the attacker’s objectives and methods

The process of simulating real-world attacks and analysing the performance of security apparatus forensically to determine its strengths and weaknesses is a key platform of organisational preparedness – and not only because ‘practice makes perfect’.

It should also develop an organisational preoccupation with ‘what if’ scenarios and the failure to deal with them effectively.

Dissecting an attack

Dissecting an attack gives an organisation the opportunity to examine its detection of, and response to, incidents, and to develop real precision in its actions and reactions to events.

This characteristic is most evident among ‘high-reliability’ teams like specialist medical teams undertaking pioneering and complex surgical procedures in top operating theatres. The anticipation of what might go wrong at any stage and preparation for dealing with it can make the difference between life or death for the patient.

Other examples, like F1 teams, freefall display teams and even NFL teams, seek absolute precision in timing and actions.

In many cases, awareness of the organisation’s strengths is secondary to the benefit of having a clear demonstration of vulnerabilities to focus on. The learning-by-doing experience can prompt a rapid shift in appetite and posture.

Ultimately, the justification for adopting a preemptive approach must be to enable better risk-informed decisions about security. A comprehensive evaluation of cyber risk requires a meticulous approach to mapping assets and processes before modeling risk – something few methodologies are fully evolved to accomplish.

The mapping process is complex in itself, but is imperative to assess vulnerabilities, and later plan defensive structures.

A methodology like FAIR – Factor Analysis of Information Risk – then builds on an overlay of the threat landscape, based on up-to-date intelligence, requiring a fusion of various types of intelligence and sources to highlight exposure to specific types of threat.

This is central to a rigorous approach to vulnerability analysis when combined with vulnerability scanning and testing because it allows the identification of ‘gaps’.

These steps all enable the modeling of risk in quantitative terms, producing hard data points for probabilities, the financial implications of different events, and the deterrence versus cost assessment of different defensive measures alongside alternatives for impacting risk posture.
