ATTENTION: TOP SIGRID CONTENT!
NOTE:
You are obliged to close your eyes if you are not allowed to see such classified information!
At least one! Since I'm also turning a blind eye, we should be compliant!

[Effectiveness of organizational measures in a nutshell]

"Impulsive people know no limits!"


... neither do cyber security attackers, so let's talk about cyber security!


The nice thing about cyber or information security is that most customers come on their own at some point, because the impacts are getting closer and the reports of massive damage (including in the German mechanical engineering sector) have reached the management floors as well.

Incidentally, in such scenarios the terms "computer mafia" or "organized crime" are quickly thrown around. I'll put it this way:

... if the smoked sausage was stolen from farmer Lemke's farm, then the village's own FBI, consisting of Aunt Ilse and her 20 sisters-in-law, will probably tend to suspect "Michl from the village" rather than a worldwide criminal organization. But who knows, maybe the sausage is really good ...

What I want to say is that most of the attacks were carried out by script kiddies in an amateurish way, which actually makes it even sadder, because they could have been prevented very easily.

But now think about what an organized crime group or an intelligence service can achieve, given that our "Michl" already got this far ... if they want to.

Wow ... luckily for us it was just script kiddies, you think?


Hmm ... maybe, but please keep in mind how America reacted when they cracked the Enigma.

■ Did they directly call the Germans: "Ätsch Ätsch" (nah-nah), or did they immediately save all their ships?
■■ No to both ... they used their knowledge strategically and wanted to remain undiscovered.
■■■ I think you know what I want to emphasize, right?


■ NOTE: Secret services make no big secret of the fact that they see it as their task to strengthen the economy of their country.
How great would it be to know a competitor's offer strategy in the context of a worldwide bid?
What do you think?


If you are dealing with the topic for your organization for the first time, you should not assume without a doubt that you are communicating in your network without "unfamiliar ears/eyes". It's like COVID-19: no symptoms does not mean you're safe! Related to cyber security it means that you may NOT be protected on your internal network even if you don't recognize any symptoms! And I think that "friends" who were spying on our Chancellor only a short time ago should at least understand that we are a little skeptical and distrustful in some regards.


"The Internet is new territory for us all"

... said Angela Merkel (as former Chancellor of the Federal Republic of Germany) and was laughed at by many.
But that's exactly what it is! Notably for some branches the change is very challenging. For example, let's have a look at the production and healthcare sectors. Even if both sectors (especially hospitals) usually do not have much in common, they currently share a major challenge: both are being challenged by the general digitalization trend, because in both sectors machines are suddenly connected to networks that were never intended to be used in this way.

By now, at the latest, we should also be aware that in the area of information security we not only have the CIA protection goals (confidentiality, integrity, availability), but also "safety" aspects, although many organizations control this with their (perhaps) already established EHS management system.

While hospitals can be more confident of their customer loyalty and could survive without networking devices not intended for this purpose (or other additional digitization activities), in the medium term it will be a MUST for the manufacturing industry to offer added value / additional services, since companies could otherwise share the "kismet" (fate) of a well-known heating specialist who has difficulty getting its heating systems to the customer (or into the basement) because customers complain about the missing option of heating management via smartphone app.

■■■■■■■■■■■■ You have to move with the times or the times move you! ■■■■■■■■■■■■

When planning or building your cyber security strategy, you should consider at least the following facts:
Five facts about cyber security

FACT-1: Powerful envious people
Please keep in mind that the cyber security attacks mentioned above were only the tip of the iceberg and, even if the damage was medium to high, were carried out rather amateurishly.
We saw mass attacks, which unfortunately still cause great damage in a very large number of inadequately protected organizations, maybe including yours.

If mass attacks can already cause such damage, what do you think specialized attackers can achieve, who, unlike "script kiddies" with their annoying but rather childish ransomware extortion, are usually not interested in being discovered? Also mind FACT-5 ("Enigma example") in this regard.

Your envious people maybe don't want these peanuts, especially since they know that most organizations won't pay anyway.
These people have different interests and they have strong weapons ... [Do you also think of James Bond at the moment?] ... and possibly strong partners who often have to support them due to political pressure.

The annoying fact is that it would be relatively easy to protect against these attacks if one had the means and processes, which cannot be established group-wide by an operational IT department alone.


Let me give a metaphor: please imagine that someone complains to you that it is not too much to ask to lock the doors in the evening to improve security for the assets stored behind them.

Maybe you reply that this is fundamentally true, but that you cannot do that for thousands of doors every day, notably because nobody told you where the doors are and every day you discover new doors which the craftsmen installed without letting you know.

Maybe you think about prioritizing some doors, but you don't have a clue what's behind the doors ("business").
So which should you protect more if you don't know behind which of the thousand doors there is a "normal" room and behind which the treasure chest ("asset")?

Yes, locking it would have helped, but instead of falling wildly into operational panic, I'm pretty sure you would ask whether it is not possible to classify every door and keep the treasure chests only where additional doors protect them from unauthorized access. And I'm pretty sure too that you would ask for a baseline door security, which for example demands an electrical door lock that at least prevents external access in the evening.

Last but not least, you would certainly insist that somebody should tell the craftsmen to inform you when there are plans for new doors ("project management"), but that you're not in the position to do so yourself.


I promised to keep it simple, and I hope the issue has become clear.
It is important that the threat is understood.
Please keep this in mind when you're faced with a proper strategy.

FACT-2: Billions of new entry points to defend
In the past, cyber risk has primarily affected IT. But as the IoT grows and more companies hook their production systems up to the Internet, operational technology (OT) is coming under threat as well. The number of vulnerable devices is increasing dramatically.
In the past, a large corporate network might have had between 50,000 and 500,000 endpoints; with the IoT, the system expands to millions or tens of millions of endpoints.
Unfortunately, many of these are older devices with inadequate security or no security at all, and some are no longer supported by their maker.
By 2020, the IoT may comprise as many as 30 billion devices, many of them outside corporate control. Already, smart cars, smart homes, and smart apparel are prone to malware that can conscript them for distributed denial-of-service attacks.
By 2020, 46 percent of all Internet connections will be machine-to-machine, without human operators, and this number will keep growing. And of course, billions of chips have been shown to be vulnerable to Meltdown and Spectre attacks, weaknesses that must be addressed.

FACT-3: Growing complexity makes your organisation more vulnerable
While hackers are honing their skills, business is going digital, and that makes companies more vulnerable to cyberattacks. Assets ranging from new product designs to distribution networks and customer data are now at risk.
Digital value chains are also growing more complex, using the simplicity of a digital connection to tie together thousands of people, countless applications, and myriad servers, workstations, and other devices.

FACT-4: A chain is only as strong as its weakest link.
This also applies to the value chain of KSB! Implement an end-to-end cyber security management! Know your business and secure everything with a minimum level of protection (baseline) so that you can concentrate on the assets that are worthy of protection. Don't think IT knows everything in this regard. Business departments sometimes create their own "shadow IT", provided that IT does not prevent this with strong measures.

FACT-5: It's like COVID-19: No symptoms does not mean you're safe!
To stick with the COVID metaphor: other areas of the company that rely too much on the health of IT can be attacked because they are too reckless with their own measures, such as not using encryption with the argument that they only communicate internally.
Do you see the problem?
The business can rely on the best efforts of IT ... BUT many IT departments cannot even detect such attacks, because they lack the proper tools or deep insight into the business, which sometimes tends to come up with solutions of its own.

Another known problem that can also be observed with COVID is that many executives do not take the problem seriously, as they derive the possible impact on their organization from similar cases in their environment, which may only have had a "weak history", for example a ransomware script-kiddie attack. In the case of real cyber security attacks, they may not notice the effects for years, or, for example, wonder why the competitor wins all the lucrative tenders.

Please also note that serious incidents can lead to a loss of confidence. This can lead to the withdrawal of important customs and trade facilitations such as AEO (Authorised Economic Operator) status.

The good news: in this (cyber) world, whether you get vaccinated or not is up to you =)

But: time will separate the wheat from the chaff!

Best regards, Matryoshka



What shall we do? What do you propose?



You need a clear cyber security strategy that is integrated into the organization and its processes by TOP management. To guarantee "cyber security", many levers have to be pulled. The implementation project and the later system should therefore ideally follow the recommendations of a framework that has been tried and tested in practice, which, as is the case with the ABC framework for example, should be based on the principles listed afterwards.

Here they are:
The Ten Commandments, uh, ten principles of a good approach to cyber security:
■■ principle-1: We have to go far beyond the technical controls (IT/OT) in order to build a holistic (comprehensive) program that protects the company! It's not just IT, which leads us to the next principle.

■■ principle-2: Cyber security is a governance issue.

NOTE: The designated Cyber Security Officer needs a clear understanding of the context of the organization to be controlled, notably the value chain, organizational structure, environmental, cultural or industry-specific features as well as the expectations of the stakeholders. Top management must support the IS / IC manager.

■■ principle-3: IS/CS risks are always rated by their impact on the business, not at OU level (e.g. the IT department).


NOTE: I saw a lot of companies rating their CS threats as IT threats without evaluating the business impact.
From a top-level perspective the risk then often wasn't visible any more due to fragmentation. Dangerous! In addition to the management review, align your IS risk management with business risk management and always rate risk impact on your primary assets, the processes of the value chain. Use more risk levels in OU risk management and decide which of them have to be communicated to the risk management team or maybe directly to top management.

■■ principle-4: Top management shows a strong will to master the current situation and is aware that this mission needs all the organization's strengths, especially those responsible for the business processes.

NOTE: To demonstrate this, IS/CR performance must have an impact on the remuneration and advancement opportunities of business process managers. Anything else would be lip service, and if top management does not agree on this point, as a CISO I would stop the project to emphasize the importance of that point. You won't succeed without business support, and you don't want to be reliant on their goodwill, hoping that they will do the necessary things once they have found time for it.

AGAIN: You have to be very confident and strong on this point. Remember, without knowing your exact situation, normally CISOs / CS managers (whatever the title) are not personally liable for failures in controlling the organization, but top management is. There are also plenty of jobs, so what ... please take part in the discussion, because the company's future is not ensured if your CS project fails; thus, you are not a supplicant, but maybe the only passenger of the MS Titanic who discovered the icebergs. Tell your boss not to make his problem yours and ask him whether he wants a solution or not. In my experience, top management values people who take a clear position, well knowing that it can turn out differently, but then you should also be somewhere else =)

■■ principle-5: Basic protection (ITSAB) must be provided for the entire organisational infrastructure (IT / OT).

NOTE: Special protection must apply to general platforms such as SAP, Microsoft, vDC (Azure / AWS virtual data center cloud) etc.

■■ principle-6: Solutions for monitoring the IT / OT infrastructure (from outside and inside) with regard to vulnerabilities (weak points) must be introduced.

■■ principle-7: Solutions for active intrusion prevention of the LAN / WAN infrastructure as well as endpoint protection must be established. The integrity (of the configuration files) on server and network appliances must be monitored automatically.
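As an added example of the automatic integrity monitoring principle-7 asks for (this is not code from the original post, nor from any product it mentions), the following Python script records SHA-256 digests of configuration files as a baseline and, on a later scan, reports files that were added, removed or modified. The directory layout, the file patterns treated as "configuration", the sample file contents and the JSON baseline format are all assumptions made for the demo.

```python
"""Added example (not from the original post): a minimal file-integrity
monitor for configuration files. Assumptions: config files sit under one
directory tree, and a JSON file of SHA-256 digests is the trusted baseline."""
import hashlib
import json
import tempfile
from pathlib import Path

CONFIG_PATTERNS = ("*.conf", "*.cfg", "*.ini")  # assumption: what counts as config


def sha256_of_file(path: Path) -> str:
    """Hash in 64 KiB chunks so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each config file (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for pattern in CONFIG_PATTERNS:
        for path in root.rglob(pattern):
            if path.is_file():
                baseline[path.relative_to(root).as_posix()] = sha256_of_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Drift between the trusted baseline and the current scan; all three
    lists empty means nothing changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def check_integrity(root: Path, baseline_file: Path) -> dict:
    """Rescan root and diff it against the stored baseline."""
    baseline = json.loads(baseline_file.read_text())
    return compare(baseline, build_baseline(root))


def demo(workdir: Path) -> dict:
    """Constructed scenario: record a baseline, then an edit and a new file
    appear outside the change process, and the rescan reports both."""
    etc = workdir / "etc"
    etc.mkdir(parents=True, exist_ok=True)
    (etc / "sshd.conf").write_text("PermitRootLogin no\n")       # constructed content
    (etc / "app.ini").write_text("[db]\nhost=db.internal\n")     # constructed content
    baseline_file = workdir / "baseline.json"                    # kept outside etc
    baseline_file.write_text(json.dumps(build_baseline(etc), indent=2, sort_keys=True))

    (etc / "sshd.conf").write_text("PermitRootLogin yes\n")      # change outside the process
    (etc / "extra.conf").write_text("debug=true\n")              # unexpected new file
    return check_integrity(etc, baseline_file)


def run_demo() -> dict:
    """Run the scenario in a throwaway directory and return the drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(Path(tmp))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points matter more than the hashing itself: the baseline must be written only by the change process (and ideally stored off the monitored host or signed), never refreshed by the monitor when it sees a difference, otherwise an unauthorized edit simply becomes the new normal; and a non-empty report should feed the central log/alerting solution rather than stay in a local file nobody reads.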

■■ principle-8: A solution, to be agreed with the works council, for transparent monitoring of administrative activities on the organisation's servers/systems must be introduced. In general, you need a solution that gives a comprehensive overview of log data, including automatically generated warnings (SIEM).
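To show what "automatically generated warnings" over administrative activity look like in practice, here is an added Python example (not code from the original post or from any SIEM product): it parses syslog-style sudo lines and raises an alert for failed privilege escalation, for sudo use by an account outside an approved admin list, and for edits to sensitive paths outside the agreed change window. It deliberately looks only at privileged (sudo) events, which is the kind of scoping a works-council agreement typically requires. The log lines, the admin list, the sensitive paths and the change window are constructed assumptions for the demo.

```python
"""Added example (not from the original post): rule-based alerting over sudo
log lines, restricted to privileged activity. Assumptions: syslog-style sudo
lines, an approved-admin list, sensitive path prefixes and a change window."""
import re

APPROVED_ADMINS = {"alice", "bob"}                               # assumption
SENSITIVE_PREFIXES = ("/etc/ssh", "/etc/sudoers", "/etc/pam.d")  # assumption
CHANGE_WINDOW_HOURS = range(8, 18)                               # assumption: 08:00-17:59

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+(?P<hour>\d{2}):\d{2}:\d{2})\s+(?P<host>\S+)\s+sudo:\s+"
    r"(?P<user>\S+)\s*:\s*(?:(?P<failed>\d+) incorrect password attempts\s*;\s*)?"
    r"TTY=(?P<tty>\S+)\s*;\s*PWD=(?P<pwd>\S+)\s*;\s*USER=(?P<target>\S+)\s*;\s*"
    r"COMMAND=(?P<cmd>.*)$"
)

# Constructed sample log for the demo; not real data.
SAMPLE_LOG = [
    "Mar 12 02:14:07 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vim /etc/ssh/sshd_config",
    "Mar 12 09:31:22 srv01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar 12 02:15:40 srv01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Mar 12 10:05:11 srv01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/ssh/sshd_config",
    "Mar 12 11:02:53 srv01 sudo:  mallory : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/sudoers",
    "Mar 12 11:03:00 srv01 CRON[4242]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_sudo_line(line: str):
    """Return the fields of a sudo line as a dict, or None for any other line."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev["hour"])
    ev["failed"] = int(ev["failed"]) if ev["failed"] else 0
    return ev


def touches_sensitive_path(cmd: str) -> bool:
    """True if any argument of the command starts with a sensitive prefix."""
    return any(tok.startswith(SENSITIVE_PREFIXES) for tok in cmd.split())


def evaluate(ev: dict) -> list:
    """Apply the rules to one event; every hit becomes one alert dict."""
    hits = []
    if ev["failed"]:
        hits.append("FAILED_SUDO")
    if ev["user"] not in APPROVED_ADMINS:
        hits.append("UNAPPROVED_ADMIN")
    if touches_sensitive_path(ev["cmd"]) and ev["hour"] not in CHANGE_WINDOW_HOURS:
        hits.append("OUT_OF_HOURS_SENSITIVE_CHANGE")
    return [{"rule": rule, "ts": ev["ts"], "host": ev["host"],
             "user": ev["user"], "cmd": ev["cmd"]} for rule in hits]


def analyze(lines) -> tuple:
    """Run all lines through parser and rules; returns (alerts, unparsed_count).
    Unparsed lines are counted rather than dropped silently, so a format change
    in the log source shows up as a monitoring gap instead of as silence."""
    alerts, unparsed = [], 0
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is None:
            unparsed += 1
            continue
        alerts.extend(evaluate(ev))
    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = analyze(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['rule']:32} {alert['ts']} {alert['host']} {alert['user']}: {alert['cmd']}")
    print(f"{skipped} line(s) not recognised as sudo events")
```

On the sample data the bob edit at 10:05 raises nothing because it falls inside the change window, while the same command by alice at 02:14 does; that difference is the point of tying alerts to an agreed process rather than to the command alone. A real deployment would replace the hard-coded lists with the approved-admin roster and the change calendar, and ship the alert dicts to the SIEM.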

■■ principle-9: Organisations need an IS/CS governance framework which follows the recommendations of international standards. The effectiveness of the controls must be monitored using a system of indicators. In addition, (internal) audits must be carried out both for the system itself and for the areas to be controlled.

NOTE: Areas with considerable potential for improvement must be identified and planned for implementation via CIP (continuous improvement process). The implementation of topics that are directly recommended in international standards should, for example, be a KPI: 80 percent of all improvement results derived from standards must be implemented within the next year.
Again, be brave. You are not a supplicant. YOU are an (internal) consultant, and it is the task of top management to make the organization fit for the new world. If management fails to do this, then top management has missed its mandate and is personally liable; thus, write e-mails, create evidence. They'll hate that, but somehow the millions in salaries have to be justified, huh? Nobody gets anything for free, not even top management. And be sure: very few have the backbone to admit, in the event of damage, that they received the recommendations and did not implement them. They will try to look for errors elsewhere, for example a failure in risk management that did not bring enough transparency into the risk situation, etc.
But that probably doesn't protect them, at most if they have very good contacts in politics :D And as I said ... that's why they hate e-mails (evidence) ... but luckily most CEOs understand the need and are thankful for a solution.

■■ principle-10: Organisations need to understand OT/IT as an internal supplier and implement a business-aligned OT / IT process and quality model (PROMO AND QUAMO) which, by means of defined operating processes and defined quality criteria, guarantees approximately the same quality across the landscape to be controlled. NOTE: You need to eliminate the "black spots" on your business map.