Cyber Resilience Through More Effective Design

Author: Larry Marks, CISA, CRISC, CGEIT, C|CISO, CCSK, CFE, CISSP, CSTE, ITIL, PMP
Date Published: 26 July 2024
Read Time: 3 minutes

There is a saying that I expect many have heard before: “How do you eat an elephant?” “One bite, one part at a time.”

For cyber-resilience, the challenge of building a robust program lies in the design requirements, the objectives of the program, the strategy, and the testing of the design before implementation to ensure that the system meets the business needs. Chunk up the project, as a project manager might say. Remember, the optimal strategy is to identify, design and implement a solution that includes a risk framework for managing people, processes, and technologies, and that develops the ability to withstand, recover from, and quickly adapt to a threat to, or an apparent compromise of, a system.

The design challenges can be reduced by setting strong requirements, with minimum regulatory requirements, where identified, built in where possible. The key is to remember that there should be a process to keep this evergreen – that is, not a one-and-done design and implementation. It is a living and breathing system that requires continual test scenarios that meet the ever-evolving threat landscape to keep it fresh and resilient.

Another design challenge is to look at legacy hardware, software and applications as part of the design and to review the methodology to mitigate the risk. Remember, a cyber-resilient system is only as strong as its weakest link.

A cyber-resilient system should also cover low-risk systems. The challenge is that low-risk applications, which interface with each other with medium or low vulnerabilities, may provide an expanded threat surface. In other words, the presence of cyber-resilient systems does not preclude the regular blocking and tackling process of patching remediation and compliance. NIST indicates in SP 800-160 in the design discussion for Detection, “An important security objective of system design is to avoid vulnerability where possible and to minimize, manage, and mitigate vulnerability otherwise … Systems are complex entities and, as such, it is not possible to eliminate all vulnerabilities.”

From a cyber resiliency perspective, the design should facilitate redirecting the adversary, precluding adversary activities, impeding the adversary, limiting the adversary and exposing the adversary. Mitigate the vulnerabilities where possible, though you cannot remediate all vulnerabilities. So, design the system to expect vulnerabilities, implement and test scenarios, and use the scenarios to measure the ability of the system. The matrix below can help a security architect look at the building blocks of cyber resilience to determine the gaps and classes of threat events that should be analyzed.

In addition, continual threat training should be conducted by the enterprise to keep the security awareness training evergreen.

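Column groups: Application (Application Criticality, Vulnerability Criticality); Architecture Vulnerabilities (Browser through Operating System); Impact (High, Medium, Low)

| Application Criticality | Vulnerability Criticality | Browser | Application Software | Infrastructure (e.g., Server) | Database | Network | Operating System | High | Medium | Low |
|---|---|---|---|---|---|---|---|---|---|---|
| A | High | | | | | | | | | |
| A | Medium | | | | | | | | | |
| A | Low | | | | | | | | | |
| B | High | | | | | | | | | |
| B | Medium | | | | | | | | | |
| B | Low | | | | | | | | | |
| C | High | | | | | | | | | |
| C | Medium | | | | | | | | | |
| C | Low | | | | | | | | | |
| D | High | | | | | | | | | |
| D | Medium | | | | | | | | | |
| D | Low | | | | | | | | | |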


Editor’s note: Find more insights on this topic in Larry’s 2024 ISACA Journal, volume 3, article, Overcoming Cyberresilience Design Challenge.
