By: Corey Holzer, Ph.D. CISSP
November 3, 2020
In A Complex World, Resiliency Protects
In today's interconnected world, a business's network health is vital to the organization's health. In the information age, network failure means lost revenue and the potential for the business's failure. News outlets report breaches and stolen data more frequently than in the past. While the scope of a recent ransomware attack against Universal Health Services is not yet known, experts believe it could be the largest and possibly most costly cyberattack in U.S. history. [1]
The network's importance as a central component of the business means the organization needs a plan, and the systems in place, to recover services when the network sustains an attack. In strategic terms, the network is now a "center of gravity" for business. [2] Weakening or effectively destroying a company's "center of gravity" can be catastrophic for the organization.
Statista estimates the average cost of a reported cyberattack against a U.S. business at $8.64 million per attack in 2020. [3] At the time of this writing, a recent ransomware attack against a German hospital forced the hospital to redirect patients to nearby hospitals to receive care. One patient had to be taken to a hospital in another city, and the delay in treatment contributed to her death. [4] The loss of human life and the financial impact of cyberattacks illustrate the importance of a healthy cybersecurity posture for all businesses. It is not simply a matter of stopping an attack; this posture includes the network's resiliency.
A Brief Explanation of Cyber Resiliency
Cyber resiliency ensures the company's network can withstand attacks, recover from them, and adapt to a changing threat environment. All organizations must be ready and prepared to respond to complex and covert attacks by criminal organizations and other actors. These adversaries are proficient and patient enough to remain dormant within a company's network until they can reach their target. [5, 6] There is evidence that these persistent threats can remain hidden within a network for months or even years. [7] Gone are the days of "hit and run" website defacements or crashing of servers. Data backups alone are no longer a sufficient measure against the crimes perpetrated by these criminals.
MITRE describes the cyber resiliency goals as follows [6, 8]:
- Anticipate – Maintain a state of informed preparedness to forestall compromises of mission function from potential adverse conditions.
- Withstand – Continue essential mission functions despite adverse conditions.
- Recover – Restore mission functions during and after the adverse conditions.
- Evolve – Change mission functions and/or supporting capabilities to minimize adverse impacts from actual or predicted adverse conditions.
MITRE goes on to describe eight (8) objectives. Each objective supports one or more of the resiliency goals. The objectives are as follows [8, 9]:
- Prevent or Avoid – Stop the successful execution of an attack or the realization of adverse conditions.
- Prepare – Maintain a set of realistic courses of action addressing predicted or anticipated adversity.
- Continue – Maximize the duration and viability of essential missions or business functions during the attack.
- Constrain – Limit the damage from adversity.
- Reconstitute – Restore as much mission or business functionality as possible after adversity.
- Understand – Maintain useful representations of mission and business dependencies and the status of resources concerning possible adversity.
- Transform – Modify mission or business functions and supporting processes to handle adversity and address environmental changes more effectively.
- Re-Architect – Modify architectures to handle adversity and address environmental changes more effectively.
NIST designed the individual objectives to support one or more goals. Achieving the goals and objectives involves applying the controls outlined in NIST Special Publication 800-53 Revision 5. [10] The diagram below illustrates how controls are selected, implemented, assessed, and monitored.
Figure 1 - NIST Methodology Overview 
The cyclic process the diagram represents is the method for reducing risk, and it is ongoing. [11] A security manager never assumes he will find a single "magic bullet" control that addresses all threats or eliminates all risk. The mission of the security manager and his team is ongoing and dynamic. Cybrary's Physical Security for End Users course illustrates how many physical security elements are layered to maximize the protection of a company's personnel. [12] In the same way, security controls are layered together to protect the network. More on these controls later.
Successful implementation of this methodology requires constant revision and, more importantly, the continued support of stakeholders and business leaders. Without leadership's support (in funding and enforcement), the security plan will not work. A company's security plan must account for business requirements and the ability to perform business functions. Therefore, the security team must understand the business requirements. Understanding these requirements enables the development of a plan that balances the components of the CIA triad (confidentiality, integrity, and availability). [13]
Evaluating the Business' Requirements
A company's business model, its business processes, and its other intellectual property represent the most valuable assets within the network. Therefore, they must be protected on the most secure systems in the network. Maximum hardening alone is not the answer, however, because a fully locked-down system may become unusable, and an unusable system or inaccessible data is useless.
Therefore, controls must be put in place to ensure the security of the information while keeping the systems usable. This means some residual risk will remain. As long as the company judges the residual risk acceptable, the controls can and should be implemented. Cybersecurity has always been about balancing the CIA triad to leave the smallest amount of residual risk while ensuring the systems can function to meet the organization's needs.
The Controls in NIST SP 800-53
NIST provides a methodology by offering goals, objectives, controls, and standards. NIST's extensive catalog of controls, found in the documents referenced by this publication, gives security professionals both a set of controls and a meaningful baseline for use during the assessment phase of the NIST methodology. [11, 14, 5]
The related documents give practitioners a broad description of the desired end state, the individual controls, and the baselines for measuring the success of each implemented control. As illustrated below, the controls are grouped into families, which helps the security team understand the variety of controls to implement for a given end state.
Figure 2 - Controls and Baselines Chart 
The processes and methods discussed in this article are fundamental to establishing a cyber-resilient network. Scientists and engineers work exhaustively to develop a framework that organizations can readily implement. However, the work is never done—new threats and evolving technology demand regular updates to the framework and its controls. Stay abreast of the revisions to each of the publications used in this article; you will find them all in the following "Works Cited" section.
Works Cited
[1] K. Collier, "Major hospital system hit with cyberattack, potentially largest in U.S. history," 2020.
[2] C. von Clausewitz, On War, M. Howard and P. Paret, Eds., Princeton: Princeton University Press, 1984, p. 870.
[3] Statista, "Data breach: average U.S. organizational cost 2020," 2020.
[4] Associated Press, "German hospital hacked, patient taken to another city dies," 2020.
[5] C. T. Holzer and J. E. Merritt, "Risk Assessment in Cyber Resiliency," 2015.
[6] R. Ross, V. Pillitteri, R. Graubart, D. Bodeau and R. McQuaid, "NIST Special Publication 800-160 (SP 800-60) Vol. 2 - Developing Cyber Resilient Systems: A Systems Security Engineering Approach," 2019.
[7] C. T. Holzer, J. E. Dietz and B. Yang, "Employing Link Analysis for the Improvement of Threat Intelligence," vol. 2016, P. D. Weinsier, Ed., Northridge, CA: International Association of Journals and Conferences, 2016.
[8] D. J. Bodeau, R. Graubart, J. Picciotto and R. McQuaid, "Cyber Resiliency Engineering Framework," 2012.
[9] D. Bodeau, R. Graubart and M. A. Bedford, "Cyber Resiliency and NIST Special Publication 800-53 Rev. 4 Controls," sponsor: NIST, 2013.
[10] National Institute of Standards and Technology, "NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations," Gaithersburg, MD: National Institute of Standards and Technology, 2020.
[11] National Institute of Standards and Technology, "NIST Special Publication 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy," 2018.
[12] C. Holzer, "End User Physical Security," Cybrary, College Park, 2020.
[13] J. Fruhlinger, "The CIA triad: Definition, components and examples," CSO Online, 2020.
[14] National Institute of Standards and Technology, "Draft NIST Special Publication 800-53B: Control Baselines for Information Systems and Organizations," 2020.