A cyber strategy is a documented approach toward various aspects of cyberspace. It is mostly developed to address the cybersecurity needs of an entity by setting out how data, networks, technical systems, and people will be protected. An effective cyber strategy is normally proportionate to the entity’s cybersecurity risk exposure, and it covers every attack surface that malicious parties could target.
Cybersecurity has been taking center-stage in most cyber strategies because cyber threats are continually becoming more advanced as better exploitation tools and techniques become available to threat actors. Due to these threats, organizations are advised to develop cyber strategies that ensure the protection of their cyber infrastructure from different risks and threats. This chapter will discuss the following:
Let’s begin by discussing the foundational elements you need in order to build a cyber strategy.
In the 6th century BC, Sun Tzu said, “If you know your enemies and know yourself, you will not be imperilled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperilled in every single battle.” This quote still applies today to cyber strategies, and explains why it is so vital to understand both your business and the risks posed to it by threat actors: doing so will form the basis of a strong cyber strategy that helps protect your business from attack.
To build a cyber strategy, there are three major pillars that you need to form a solid foundation:
Figure 3.1: Foundations of a cyber strategy
These three components are crucial to understanding what makes a cyber strategy effective.
The more you know about your business, the better you can secure it. It’s really important to know the goals and objectives of your organization; the people you work with; the industry and its current trends; and your business’s risks, risk appetite, and most valuable assets. Having a complete inventory of assets is essential to prioritize the strategy plans based on the risk and impact of an attack on these assets. Everything we do must be a reflection of the business requirements approved by the senior leadership.
It’s not easy to define risk as the word “risk” is used in many different ways. While there are many definitions of the term, ISO 31000 defines risk as the “effect of uncertainty on objectives” where an effect is a positive or negative deviation from what is expected. We will use the ISO definition of risk in this case.
The word risk combines three elements: it starts with a potential event and then combines its probability with its potential severity. Many risk management courses define risk as:
Risk (potential loss) = Threat x Vulnerability x Asset
Figure 3.2: The definition of risk illustrated
It is important to understand that not all risks are worth mitigating. If mitigating a risk would cost you more than the implementation, or if it is not a major risk, then the risk can be accepted.
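The risk formula and the acceptance rule above, carried through as a small risk register. This is an added example, not code from the book; the scales for each factor (threat and vulnerability as probabilities, asset as a loss value), the mitigation costs, the risk appetite and every register entry are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Applies the chapter's definition  Risk (potential loss) = Threat x Vulnerability x Asset
# together with its acceptance rule. Assumed factor scales (not from the chapter):
#   threat        - probability (0..1) that a threat actor attempts the event in a year
#   vulnerability - probability (0..1) that an attempt succeeds against current controls
#   asset         - loss in currency units if the asset is compromised
# so the product is an expected annual loss in currency units.


@dataclass(frozen=True)
class RiskItem:
    name: str
    threat: float
    vulnerability: float
    asset: float
    mitigation_cost: float  # assumed annualised cost of the proposed control

    def potential_loss(self) -> float:
        """Risk = Threat x Vulnerability x Asset, with the probabilities range-checked."""
        for factor in (self.threat, self.vulnerability):
            if not 0.0 <= factor <= 1.0:
                raise ValueError(f"{self.name}: probabilities must be in [0, 1]")
        return self.threat * self.vulnerability * self.asset


def decide(item: RiskItem, risk_appetite: float) -> str:
    """Accept when the risk is below the appetite the business has set, or when the
    mitigation would cost more than the potential loss; otherwise mitigate."""
    loss = item.potential_loss()
    if loss <= risk_appetite:
        return "accept (below risk appetite)"
    if item.mitigation_cost > loss:
        return "accept (mitigation costs more than potential loss)"
    return "mitigate"


def prioritise(register: List[RiskItem], risk_appetite: float) -> List[Tuple[str, float, str]]:
    """Rank the register by potential loss, highest first, and attach the decision."""
    ranked = sorted(register, key=lambda r: r.potential_loss(), reverse=True)
    return [(r.name, r.potential_loss(), decide(r, risk_appetite)) for r in ranked]


# Constructed sample register; the values are illustrative only.
SAMPLE_REGISTER = [
    RiskItem("Phishing leads to credential theft", 0.9, 0.4, 50_000, 8_000),
    RiskItem("Ransomware on unpatched file server", 0.5, 0.6, 200_000, 25_000),
    RiskItem("Laptop theft from office", 0.2, 0.5, 8_000, 2_000),
    RiskItem("Defacement of marketing site", 0.3, 0.5, 12_000, 3_000),
]
RISK_APPETITE = 1_000  # assumed: losses at or below this are accepted outright

if __name__ == "__main__":
    for name, loss, decision in prioritise(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{loss:>10,.0f}  {decision:<50} {name}")
```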
Documentation acts as a kind of standardization between processes that ensures everyone in your organization is working in the same way toward the same outcome. It is a key aspect of every strategy and plays a particularly critical role when it comes to assuring business continuity. Documenting the cyber strategy plan will ensure efficiency, consistency, and peace of mind for everyone involved. However, documentation should not be treated as a one-time activity, as even after a cyber strategy plan is written down, it will still require updating to reflect changes in the cybersecurity landscape.
The illustration shown in Figure 3.3 provides an example of what good cyber strategy documentation should cover:
Figure 3.3: What a cyber strategy plan should cover
In summary, a cyber strategy is a plan for managing organizational security risk according to the company’s definition of risk tolerance, with the intent of meeting business and organizational goals. A cyber strategy should be fully aligned with the business strategy as well as with the business drivers and goals. Once that alignment is in place, you can build out the technical aspects of the cyber strategy to make the organization more cyber safe. We will discuss these aspects later in this chapter, but now that you understand the basics of forming a cyber strategy, let’s take a moment to discuss the benefits that come from having one in place.
Organizations are constantly dealing with threats from hardened professional attackers. It is a sad reality that many intrusions are carried out by nation-states, cyber terrorists, and powerful cybercriminal groups. There is an underground economy of hackers that facilitates the purchase or hiring of intrusion tools, techniques, and personnel, as well as the laundering of monetary proceeds from successful attacks. It is often the case that attackers have far more technical expertise in cybersecurity than the average IT employee. Attackers can therefore leverage their advanced expertise to bypass many of the cyber defense tools set up by the IT departments of many organizations.
This, therefore, calls for a redefinition of how organizations should deal with cyber threats and threat actors, because leaving the task to the IT department is just not enough. While hardening systems and installing more security tools would have worked just fine a few years ago, today organizations need a well-thought-out cyber strategy to guide their cyber defense approaches. The following are some of the reasons why cyber strategies are essential:
With that, we can conclude that without a cyber strategy you will not optimize your investment, you cannot prioritize the needs of the business, and the overall security state becomes far more complex.
Cyber strategies might take two approaches toward security: the defense perspective or the attack perspective. In the defense perspective, the cyber strategy focuses on informing stakeholders about the defense strategies that an organization has put in place to protect itself from identified threats. On the other hand, cyber strategies written from the attack perspective might be focused on proving the effectiveness of existing security capabilities so as to find flaws and fix them. Therefore, attack perspective strategies might extensively cover the different methods that will be used to test the organization’s preparedness for attack. Lastly, some strategies might be a mix of the two perspectives, covering both the testing and the strengthening of existing defense mechanisms. The chosen approach will depend on available resources and business objectives. The following sections will discuss some commonly used cyber attack and defense strategies.
One of the best ways to secure an organization is to think like a hacker and try to breach the organization’s security using the same tools and techniques that an adversary would use.
Testing the defense strategies can be done either via external testing from outside the network or internally. These testing processes aim to ensure that the implemented security strategy is effective and aligns with the objectives of the business processes.
The sections that follow highlight some of the best cyber attack strategies that organizations should consider when testing their systems.
These testing strategies involve attempting to breach the organization externally, that is, from outside its network. In this case, cyber attacks will be directed at publicly accessible resources for testing purposes. For instance, the firewall could be targeted via a DDoS attack to make it impossible for legitimate traffic to flow into the organization’s network. Email servers are also targeted to try and jam email communication in the organization. Web servers are also targeted to try and find wrongly placed files such as sensitive information stored in publicly accessible folders. Other common targets include domain name servers and intrusion detection systems, which are usually exposed to the public. Other than technical systems, external testing strategies also include attacks directed at the staff or users. Such attacks can be carried out through social media platforms, emails, and phone calls. The most commonly used attack method here is social engineering, whereby targets are persuaded to share sensitive details or send money to pay for non-existent services, ransoms, and so on, so external testing strategies should mimic these attacks.
This includes attack tests performed within an organization with the goal of mimicking insider threats that may try to compromise the organization. These include disgruntled employees and visitors with malicious intent. Internal security-breach tests always assume that the adversary has standard access privileges, is knowledgeable of where sensitive information is kept, and can evade detection and even disable some security tools.
The aim of internal testing is to harden the systems that are exposed to regular users to ensure that they cannot be easily breached. Some of the techniques used in external testing can still be used in internal testing, but their effectiveness often increases inside the network, since the tester has access to many more targets.
This is a testing strategy aimed at catching the organization by surprise. It is conducted with limited information given to the IT department so that, when it happens, they can treat it as a real hack and not a test. Blind testing is done by attacking security tools, trying to breach network defenses, and targeting users to obtain credentials or sensitive information from them. Blind testing is often expensive since the testing team does not get any form of support from the IT department to avoid alerting them about the planned attacks. However, it often leads to the discovery of many unknown vulnerabilities.
This type of testing isolates only one target and carries out multiple attacks on it to discover the ones that can succeed. It is highly effective when testing new systems or specific cybersecurity aspects such as incident response to attacks targeting critical systems. However, due to its narrow scope, targeted testing does not give full details about the vulnerability of the whole organization.
The bottom line of cybersecurity often comes down to the defense systems that an organization has in place. There are two defense strategies that organizations commonly use: defense in depth and defense in breadth.
It is also referred to as layered security and involves employing stratified defense mechanisms to make it hard for attackers to breach organizations. Since multiple layers of security are employed, the failure of one level of security to thwart an attack only exposes attackers to another security layer. Due to this redundancy, it becomes complex and expensive for hackers to try and breach systems.
The defense-in-depth strategy appeals to organizations that believe that no single layer of security is immune to attacks. Therefore, a series of defense systems is always deployed to protect systems, networks, and data. For instance, an organization that wishes to protect its file server might deploy an intrusion detection system and a firewall on its network. It may also install an endpoint antivirus program on the server and further encrypt its contents. Lastly, it may disable remote access and employ two-factor authentication for any login attempt. Any hacker trying to gain access to the sensitive files in the server will have to successfully breach all these layers of security. The chances of success are very low as each layer of security has a complexity of its own. Common components in defense-in-depth approaches are:
In addition, intrusion detection systems are deployed on the network to help detect suspicious activity. Due to the widespread use of DDoS attacks against firewalls, it is recommended that organizations purchase firewalls that can withstand such attacks for a continuous period of time.
Layered security is the most widely used cyber defense strategy. However, it is increasingly becoming too expensive and quite ineffective. Hackers are still able to bypass several layers of security using attack techniques such as phishing where the end user is directly targeted. In addition, multiple layers of security are expensive to install and maintain and this is quite challenging for SMEs. This is why there is an increase in the number of organizations considering the defense-in-breadth approach.
This is a new defense strategy that combines the traditional security approaches with new security mechanisms. It aims to offer security at every layer of the OSI model: the physical, data link, network, transport, session, presentation, and application layers. Therefore, when hackers evade the conventional security tools, they are still thwarted by other mitigation strategies higher up the OSI model. The last layer of security is usually the application layer. There is an increase in the popularity of Web Application Firewalls (WAFs), which are highly effective against attacks targeted at specific applications. Once an attack has been launched, the WAF can thwart it, and a rule can be created to block similar attacks until a patch has been applied. In addition to this, security-aware developers are using Open Web Application Security Project (OWASP) methodologies when developing applications. These methodologies insist on the development of applications that meet a standard level of security and address a list of common vulnerabilities. Future developments will ensure that applications are shipped almost fully secure, so that they are individually capable of thwarting or withstanding attacks without relying on other defense systems.
Another concept used in defense in breadth is security automation. This is where systems are developed with the ability to detect attacks and automatically defend themselves. These capabilities are achieved using machine learning, where systems are taught their desired states and normal environment setups. When there are anomalies either in their state or environment, the applications can scan for threats and mitigate them. This technology is already being fitted into security applications to improve their efficiency. There are AI-based firewalls and host-based antivirus programs that can handle security incidents without the need for human input. However, defense in breadth is still a new strategy, and many organizations are apprehensive about using it.
Whether an organization uses defense in breadth (to address the security of every sector of an organization) or defense in depth (to provide multiple layers of security to a sector) or even a combination of both defenses, it is worth ensuring that their overall cybersecurity strategy is proactive in its approach.
It is no longer just enough to have a cybersecurity strategy in place. The functioning of the cybersecurity strategy you have developed needs to be proactive to benefit you the most, given the possible negative effects of a successful security incident. A proactive security strategy essentially focuses on anticipating threats and doing something about them before they happen. Some of the benefits of having a proactive approach to cybersecurity are listed below:
As you can see, there are a lot of advantages to using a proactive cyber strategy, and a variety of reasons why your business may benefit from using one. Additionally, there are a number of specific cybersecurity strategies that can be employed to help keep your organization safe.
The recent past has seen an increase in security incidents and many businesses falling prey to threat actors targeting data or other informational assets from these organizations.
However, with the careful development of cybersecurity strategies, it is still possible to keep your business secure enough in these challenging times. Some of the top cybersecurity strategies that can be implemented to help improve the security posture of your organization include:
We will discuss each of these strategies in more detail in the following subsections.
Employees are, undoubtedly, an important aspect of cybersecurity strategies. In many cases, threat actors will target employees or weaknesses caused by employee behavior to gain access into a company’s systems. The security team needs to develop basic security practices that need to be adhered to by all employees at the workplace and when dealing with work-related data. In addition, these security practices and policies need to be adequately communicated to the employees whenever they are established and when any changes are made to the policies. Employees should know the penalties for failing to adhere to these security practices. These penalties should be clearly spelled out to help cultivate a security culture among employees.
Threat actors will most probably target the aforementioned assets in an organization. They will use malicious code, viruses, and spyware to infiltrate the systems as these are the most commonly used means of illegally gaining access to any system. Therefore, an organization needs to ensure that it protects its computers, information, and networks from such infiltration tactics. Some of the available means of achieving this are through the installation of effective antivirus systems and regularly updating them to fight off viruses and other malicious code. Automatic checking of updates for the installed antivirus systems is recommended to ensure that the system is up to date to fight off any new attacks.
Internet connections are the most likely avenue that attackers will use in this day and age to attack your systems. Therefore, ensuring that internet connections are secure is an important and effective way of keeping the systems secure. A firewall is a set of programs that will help prevent outsiders from accessing data in transit in a private network. Firewalls should be installed on all computers, including those that employees may use to access the organization’s network from home.
All software applications and operating systems used within the organization should be kept up to date. Make it organizational policy to download and install software updates for every application used within the company, so that systems run on current software; this reduces the risk of threat actors finding vulnerabilities in old systems and exploiting them. Updates should be configured to be installed automatically, and the update process should be continually monitored to ensure that it is working as intended.
Always ensure that your organization keeps backups of all important information and business data. Backups should be taken regularly, either daily or weekly, for every computer used within the organization. Examples of sensitive data that may need backing up within the business include Word documents and databases.
Restricting physical access is an effective strategy for keeping intruders out of the system. In many cases, intruders attempt to gain physical access to some systems to gain access to others. Some informational assets such as laptops are particularly vulnerable and should be kept under lock and key whenever they are not being used. Theft can be done even by staff members and hence physical restrictions are necessary to ensure the safety of all assets in an organization.
Ensure that you secure and hide Wi-Fi networks to secure them against malicious individuals. You can set up the wireless access points in such a way that the network name is not broadcasted. In addition, you can use encryption and passwords that will ensure only authenticated individuals are authorized to gain access to the systems.
Hacking passwords is one of the easiest ways for attackers to gain access to any system. Employees should be instructed to change their passwords and not to use common passwords. This ensures that attackers cannot exploit a password that has been used for a prolonged period or shared with coworkers.
Limits and privileges on the use of the organization’s systems should be set according to the needs of each employee. Employees should only have access to the resources in the system that they need for their work, and access can be limited to the periods when they are at work. Preventing the installation of software on company systems ensures that employees cannot install malicious software, either accidentally or otherwise.
Organizations should ensure that employees use unique user accounts with every user having their own user account. This ensures that every user is responsible for their user account and can be held accountable for negligence or malicious activities on their accounts. Every user should also be instructed to ensure they use strong passwords for their user accounts to ensure security and avoid hacking. In addition, privileges should be set for these user accounts based on the seniority of the employee and the needs of the employee within the system. Administrative privileges should not be accorded to any employee except the trusted IT staff who will then be held liable for any misuse and abuse of such privileges.
Users pose as much of a threat to a system as software weaknesses, and may even pose a greater one, since attackers are known to exploit user weaknesses to gain entry into targeted systems. As a result, the previous sections identified both behavioral aspects and technical user controls that can be built into whichever cybersecurity strategies you choose to employ in your organization.
This chapter has looked at cyber strategies, their necessity, and different strategies that can be used when developing them. As explained, a cyber strategy is an organization’s documented approach toward different aspects of cyberspace. However, the key concern in most cyber strategies is security. Cyber strategies are essential because they move organizations away from assumptions, help centralize decision making about cybersecurity, provide details about the tactics employed toward dealing with cybersecurity, give a long-term commitment to security, and simplify the complexities of cybersecurity. This chapter looked at the two main approaches used in writing cyber strategies, the attack and the defense standpoints.
When written from the attack perspective, cyber strategies focus on the security testing techniques that will be used to find and fix security vulnerabilities. When written from a defense perspective, cyber strategies look at how best to defend an organization. The chapter also explained the two main defense strategies: defense in depth and defense in breadth. Defense in depth focuses on applying multiple and redundant security tools, while defense in breadth aims at mitigating attacks at the different layers of the OSI model. An organization can opt to use either defense or attack security strategies, or both, in its quest to improve its cybersecurity posture.
Lastly, the chapter also provided examples of top cybersecurity strategies that can be effectively used by organizations to secure their businesses.
In the next chapter, we will seek to understand the cybersecurity kill chain and its importance in the security posture of an organization.
The following are resources that can be used to gain more knowledge about the topics covered in this chapter: