Cyber Resiliency: Difference between revisions
'''Cyber Resiliency''' is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources.<ref>[https://www.mitre.org/sites/default/files/publications/pr-18-2579-cyber-resiliency-metrics-measures-of-effectiveness-and-scoring.pdf Cyber Resiliency Metrics, MITRE]</ref> In essence, it is the effectiveness of an entity's cybersecurity. Cyber resiliency differs from [[Cybersecurity]] in that it emphasizes the need to minimize ''mission impacts'' rather than the need to minimize losses of information, information systems, or other assets. Cyber resiliency differs from other concerns of [[SSR|resilience]] in that it focuses on ''adversarial'' disruptions.<ref>[https://www.mitre.org/sites/default/files/publications/pr-18-2579-cyber-resiliency-metrics-measures-of-effectiveness-and-scoring.pdf Cyber Resiliency Metrics, MITRE, pg. 17]</ref>
==Standards==
* Security of Information, ISO 27001<ref>[https://www.itgovernance.co.uk/iso27001 ISO 27001, IT Governance]</ref>
* Business Continuity, ISO 22301
* Risk Management framework, ISO 31000
* Organization of resilience, ISO 22316<ref>[https://www.ebrc.com/en/company/cyber-resilience Cyber Resilience, EBRC]</ref>
==Metrics==
There are two different approaches to measuring cybersecurity effectiveness: dashboards and benchmarking.
===Dashboards===
Dashboards visualize metrics quantified in terms of cost, risk level, and time, making them easy to assess.
Key Performance Indicators (KPIs):<ref>[https://cipher.com/blog/10-cybersecurity-metrics-you-should-be-monitoring/ Top 10 Cybersecurity KPIs, Cipher]</ref>
# Mean-Time-to-Detect and Mean-Time-to-Respond
# Number of systems with known vulnerabilities
# Number of incorrectly configured SSL certificates
# Volume of data transferred using the corporate network
# Number of users with "super user" access level
# Number of days to deactivate former employee credentials
# Number of communication ports open during a period of time
# Frequency of review of third-party accesses
# Frequency of third-party accesses to critical enterprise systems
# Percentage of business partners with effective cybersecurity policies
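As an added example (not part of this wiki page or its cited sources), the following Python computes three of the dashboard KPIs listed above from incident and offboarding records: Mean-Time-to-Detect, Mean-Time-to-Respond, and days to deactivate former employee credentials. The record layout, function names and sample data are constructed for illustration; the point worth noting is how open incidents and still-active accounts are handled so that they do not silently flatter the numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional

@dataclass
class Incident:
    name: str
    occurred: datetime             # when the adverse event actually began
    detected: datetime             # when the SOC first noticed it
    contained: Optional[datetime]  # None while the response is still open

def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600

def mttd_hours(incidents: List[Incident]) -> float:
    """Mean-Time-to-Detect: average hours from occurrence to detection."""
    return mean(_hours(i.detected - i.occurred) for i in incidents)

def mttr_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean-Time-to-Respond over contained incidents only. Open incidents are
    left out rather than counted as zero (which would flatter the number) and
    are reported separately by open_incidents()."""
    closed = [i for i in incidents if i.contained is not None]
    return mean(_hours(i.contained - i.detected) for i in closed) if closed else None

def open_incidents(incidents: List[Incident]) -> List[str]:
    return [i.name for i in incidents if i.contained is None]

def days_to_deactivate(departures: List[tuple], today: datetime) -> float:
    """Mean days from an employee's last day to credential deactivation, over
    (user, last_day, deactivated) tuples. An account still active (deactivated
    is None) counts up to `today`, so a stale offboarding keeps raising the KPI
    instead of vanishing from it."""
    return mean(((deact or today) - left).days for _, left, deact in departures)

# Constructed sample data, not real incident or HR records.
T = datetime.fromisoformat
SAMPLE_INCIDENTS = [
    Incident("phish-01", T("2021-08-02T09:00"), T("2021-08-02T11:00"), T("2021-08-02T15:00")),
    Incident("malware-07", T("2021-08-03T01:00"), T("2021-08-04T01:00"), T("2021-08-05T01:00")),
    Incident("creds-03", T("2021-08-06T08:00"), T("2021-08-06T08:30"), None),
]
SAMPLE_DEPARTURES = [
    ("alice", T("2021-07-30"), T("2021-07-30")),
    ("bob", T("2021-07-15"), T("2021-07-22")),
    ("carol", T("2021-08-01"), None),  # still active: an offboarding gap
]
```

With the sample data, `mttd_hours` is about 8.8 hours, `mttr_hours` is 14.0 hours over the two contained incidents, and `days_to_deactivate(SAMPLE_DEPARTURES, T("2021-08-09"))` is 5 days because carol's account is still open.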
===Benchmarking===
Benchmarking refers to gathering data from similar organizations for comparison with one's own organization's cybersecurity measures.<ref>[https://www.logsign.com/blog/what-are-cyber-security-measures-of-effectiveness/ Cybersecurity effectiveness measures, Logsign]</ref> Organizations compare their metrics with those of their peers, focusing in particular on:<ref>[https://www.darkreading.com/attacks-breaches/cyber-resilience-benchmarks-2020 Cyber Resilience Benchmarks 2020, Dark Reading]</ref>
# Speed: how fast entities can detect a security breach, mobilize a response, and return to business as normal
# Resiliency: the number of systems that were compromised or stopped, and for how long
# Accuracy: how well cyber incidents were pinpointed
# Impact: how long attacks last, how much disruption they cause, and how high the costs are for the organization
# Automation: how much the detection and stopping of attacks relies on humans versus automated tooling
# Data privacy regulation: how many violations occurred and how many fines were incurred
# Collaboration: how often and how well the entity works with law enforcement or other security sectors
==Assessments==
===Cyber Resilience Review===
The Cyber Resilience Review (CRR) is a free, voluntary, non-technical assessment developed by [[CISA]] to evaluate an organization's operational resilience and cybersecurity practices.<ref>[https://us-cert.cisa.gov/resources/assessments Assessments, CISA]</ref> CISA partnered with the Computer Emergency Response Team ([[CERT]]) Division of Carnegie Mellon University's Software Engineering Institute to create the CRR, which was derived from the CERT Resilience Management Model.<ref>[http://cert.org/resilience/rmm.html Resilience, CERT]</ref>
==References==
[[Category:Concepts]]
Latest revision as of 15:05, 9 August 2021