In April *instinctools hosted an online meetup about Cyber Security. It’s a fascinating topic that sparks a lot of debate and raises many questions to discuss. At the meeting, speakers talked about how to identify cybersecurity requirements, how to implement them, and what methods are used. They also discussed the differences in cybersecurity approaches between product and outsourcing IT companies.
- Artem Kagukin, Leading Business Analyst, *instinctools: “An approach to identifying cybersecurity requirements”;
- Alexey Krasnov, Leading Security Generalist: “How to meet customer expectations regarding security requirements?”;
- Q&A session.
Artem Kagukin, Leading Business Analyst, *instinctools: “An approach to identifying cybersecurity requirements”
There are two main concepts: information security and cybersecurity. Information security is the practice of preventing unauthorised access, use, disclosure, misrepresentation, alteration, examination, recording, or destruction of information. It is the broader concept, since it also covers the protection of paper-based information. Cybersecurity is a more specific type of information security, focused on protecting computer networks and electronic data from electronic threats. Most publicly available standards and documents address information security and cover cybersecurity only partially. In cybersecurity, the electronic information is owned and processed by various stakeholders, who want to reduce risk and prevent attacks, while intruders exploit vulnerabilities in the system to reach that information and misuse or steal it for their own benefit. Stakeholders therefore try to identify potential risks and vulnerabilities before an attack happens. Failing to identify cybersecurity requirements can lead to financial losses, damage to reputation, and other risks.
There are different reasons why requirements for cybersecurity may not be identified, such as analysts viewing them as too technical, difficulty in working with them, customers forgetting to mention them, or customers assuming they are already being addressed.
How to identify cybersecurity requirements: a risk-based approach
First, you need to understand what you are protecting and identify potential threats and vulnerabilities. Then, you should prioritise the risks and formulate cybersecurity requirements that developers can implement. It’s also important to consider any restrictions that may affect the implementation of these requirements, such as regulatory or legislative rules.
For example, let’s say a restaurant wants to add a personal account feature to their website for customers to place takeaway orders. This requires integrating the personal account feature into the existing order processing system. Since this feature was not previously included on the site, it’s important to identify and address any potential risks.
To identify and manage cybersecurity risks when making changes, you can follow these steps:
Step 0. Understand which security properties of the information we are protecting when making changes
There are 3 aspects of cybersecurity:
- Availability (accessibility) – the information can be accessed when it is needed
- Confidentiality – some information is hidden from users, depending on their privileges
- Integrity – the information stored in the system is up-to-date and truthful
What will help you understand these aspects:
- Interviews with stakeholders
- Business rule analysis, in particular of the information security policy
Step 1. Determine what information in the system we protect
This can be done with techniques such as data flow diagrams (DFD), process and data modelling, CRUD summary tables, and analysis of business rules.
Step 2. Risk analysis
Analyse the risks associated with the protected information and select a risk management strategy. Identify potential violators, their goals, capabilities, knowledge of the system, access rights, and any possible collusion. Use the STRIDE methodology to identify threats and the vulnerabilities they exploit. Prioritise risks by multiplying probability by consequences, then choose one of the four risk management strategies: risk acceptance (retaining the risk), risk reduction, risk transfer, or risk prevention (avoidance).
To prioritise risks and choose a strategy, you can use interviews with stakeholders together with threat modelling and risk assessment techniques and tools.
For instance, on the restaurant website, protecting customer data may mean preventing threats such as theft and blocking of accounts, while protecting orders may mean preventing falsification. Weak passwords, unsecured channels, connection of external devices, and narrow channels are examples of vulnerabilities that need to be identified and addressed.
Step 3: Defining requirements
To protect the system from cybersecurity threats, we identify the vulnerabilities and write down the actions required to neutralise each threat. For every risk we either reduce its likelihood or consequences, or accept the current level of risk. The result should be recorded as both non-functional and functional requirements.
Step 4: Implementation Restrictions
Before implementing the cybersecurity requirements, we identify the restrictions that could affect the implementation. Sources for this are interviews and seminars with stakeholders, business rule analysis, and regulatory and local (company-internal) documents.
Alexey Krasnov, Leading Security Generalist: “How to meet customer expectations regarding security requirements?”
Data security starts with security requirements: they state what compliance frameworks, customers, and regulators expect of the system, and many security domains need such requirements written down before anything can be implemented.
Security controls are how those requirements are met: they are the tools and mechanisms that satisfy the compliance, customer, and regulatory expectations in practice.
There are three types of security controls:
- Proactive/Protective: most effective but expensive
How to choose the right security tools?
To choose the right tools, we first need to understand our clients and customers. Large enterprise companies usually have higher security expectations, while small and medium businesses may have lower ones. This matters because it determines the budget available for controls.
Defining the scope properly makes delivery predictable: the necessary security controls can be delivered with enough time and budget, and at high quality.
We can divide the requirements and implementation of security controls into four types:
- Simple: we have experience with similar cases before and know the necessary documentation.
- Difficult: there is no relevant expertise in the team, so we need to involve a third-party expert.
- Complex/Confusing: neither we nor the expert know how to implement the requirements, so we choose the option that is best in terms of budget and time.
- Chaotic: spontaneous requirements that require quick solutions in a limited time.
Examples of how a requirement maps to a control, scope, solution, and timeframe:
- Requirement: monitor the external perimeter for vulnerabilities. Control: vulnerability scanner (reactive). Solution: free or commercial scanner. Timeframe: 1 week to 1 month.
- Requirement: protect the web application from application-level attacks (e.g. cross-site scripting, SQL injection). Control: Web Application Firewall (proactive). Scope: all public or critical endpoints. Solution: cloud or local service with DDoS protection. Timeframe: 2 weeks to 1 quarter.
- Requirement: ensure confidentiality of information in the database. Control: data encryption (proactive). Scope: product or infrastructure services. Solution: free or commercial encryption, or in-house development. Timeframe: 1 month to 6 months.
- Requirement: restrict an employee's access to the database immediately. Control: remove the employee's access (proactive). Scope: product or infrastructure services. Timeframe: 1 day.
Ways to evaluate control effectiveness:
- Third-party audit: hire an external company to conduct an audit (e.g. ISO 2700X, SOC2 Type 2)
- Penetration testing: test security once a year, including employees, infrastructure, and applications
- External BugBounty program: pay external researchers for finding relevant vulnerabilities
- Information security metrics: track vulnerabilities and incidents to measure the quality of your work and find areas for improvement.
All of these help you rate the quality of your work, judge how successful individual cases were, and find where to grow.
- ISACA (Information Systems Audit and Control Association)
- International Information System Security Certification Consortium
- Elevating Cyber Workforce and Professional Development
- Build CyberSecurity Skills
- Article on habr.com “In simple words about cybersecurity – behind the scenes of the most secure service?”
- The course “Fundamentals of information security” from intuit.ru
- Presentation by Galina Matveeva “Information security in analytics” at Analyst Day #9
- IIBA Cybersecurity Analyst Compendium: Cybersecurity Analysis
- Article “Information security requirements: who should be involved in detection?”
- Article on habr.com “Threat Modeling Guide for Developers”
- Microsoft Threat Modeling based on STRIDE
- Online Threat Modeling Tool (Visual Paradigm)
- The ISO 27000 Cybersecurity manager series of standards
- National Institute of Standards and Technology (NIST)
If you haven’t had a chance to watch the discussions yet, you can find the video on our YouTube channel by following this link