Unsinkable Cybersecurity: Lessons from the Titanic
110 years ago the Titanic hit an iceberg and the unsinkable ship sank. There are lessons for the cyber security world today from Titanic's painful fate.
The lesson from the Titanic for today's cyber security professionals is that of cyber resilience.
Titanic was designed and constructed to be unsinkable, yet due to a combination of events, decisions and coincidence she rests peacefully at the bottom of the Atlantic.
We can design in cyber security and still fail. We can maintain firewalls and defensive measures, and still breaches occur. We train employees, but they ignore or find shortcuts around security procedures and processes.
Cyber resilience means you should not assume that your security controls are "unbreachable". Cyber resilience anticipates that there are flaws in cyber security defenses and that a lack of security events in the past is not a basis for assuming vulnerabilities do not exist.
Cybersecurity organizations must assume there are possible vulnerabilities and that procedures are not understood or not followed. The traditional approach that businesses take concerning cyber security has focused on risk assessment and mitigation. Identified risks are then mitigated by implementing preventive or defensive actions to address the risks. Risk assessments and remediation plans are an essential first step, but do not achieve cyber security resilience.
Cyber attacks today are more sophisticated and more likely to succeed. Businesses must not assume a data breach or ransomware attack can’t occur because they have done a risk assessment and implemented remediation plans. Preventive and defensive actions are good, but businesses must also recognize that it is possible for a bad actor to establish and maintain a covert / undetected presence in their systems.
NIST defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” NIST defines cyber resources as “an information resource which creates, stores, processes, manages, transmits, or disposes of information in electronic form and that can be accessed via a network or using networking methods.”
In practical terms cyber resilience means the ability to withstand a cyber attack and continue essential business functions even with systems operating in a degraded state. This may sound like Disaster Recovery Plans (DRP) and Business Continuity Plans (BCP). There is some overlap between DRP, BCP and cyber resiliency. There are, however, some key differences.
DRP and BCP are meant to address a security incident. The goal of DRP and BCP is to address an existing and active security incident with the least disruption to the business.
Cyber resilience has four goals with different strategies for achieving those goals:
Anticipate – strategies that prevent, deter, or avoid potential threats
Withstand – strategies deployed when a threat becomes real; for example, deflection, removal, and absorption strategies may be used when a threat is detected and confirmed
Recover – strategies that restore or reconstitute data, systems or resources, and replacement of damaged systems or impaired functions
Adapt – adaptive strategies may include anything from implementation of compensating controls to a completely new architecture and infrastructure.
The NIST special publication on Cyber-Resilient Systems (NIST Special Publication (SP) 800-160) provides a cyber resiliency engineering framework with eight objectives and fourteen techniques.
Ready to learn more?
Implementation of an effective cyber resiliency program relies on broad experience and knowledge of the threats facing businesses today. 3Factor can help you to develop a cyber resiliency strategy that is optimized for your organization.