Journal:Automated cyber and privacy risk management toolkit

From LIMSWiki
Revision as of 23:27, 4 October 2021 by Shawndouglas (talk | contribs) (Saving and adding more.)
Full article title: Automated cyber and privacy risk management toolkit
Journal: Sensors
Author(s): Gonzalez-Granadillo, Gustavo; Menesidou, Sofia A.; Papamartzivanos, Dimitrious; Romeu, Roman; Navarro-Llobet, Diana; Okoh, Caxton; Nifakos, Sokratis; Xenakis, Christos; Panaousis, Emmanouil
Author affiliation(s): Atos Spain, UBITECH Ltd., Fundació Privada Hospital Asil de Granollers, University of Greenwich, Karolinska Institutet Department of Learning, Informatics, Management and Ethics, University of Piraeus
Primary contact: Email: gustavo dot gonzalez at atos dot net
Editors: Mylonas, Alexios; Pitropakis, Nikolaos
Year published: 2021
Volume and issue: 21(16)
Article #: 5493
DOI: 10.3390/s21165493
ISSN: 1424-8220
Distribution license: Creative Commons Attribution 4.0 International
Website: https://www.mdpi.com/1424-8220/21/16/5493/htm
Download: https://www.mdpi.com/1424-8220/21/16/5493/pdf (PDF)

Abstract

Addressing cyber and privacy risks has never been more critical for organizations. While a number of risk assessment methodologies and software tools are available, it is most often the case that one must, at least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition, cyber risk assessment primarily investigates cyber risks as the consequence of vulnerabilities and threats that threaten assets of the investigated infrastructure. In fact, cyber risk assessment is decoupled from privacy impact assessment, which aims to detect privacy-specific threats and assess the degree of compliance with data protection legislation. Furthermore, a privacy impact assessment (PIA) is conducted in a proactive manner during the design phase of a system, combining processing activities and their inter-dependencies with assets, vulnerabilities, real-time threats and personally identifiable information (PII) that may occur during the dynamic lifecycle of systems.

In this paper, we propose a cyber and privacy risk management toolkit, called AMBIENT (Automated Cyber and Privacy Risk Management Toolkit) that addresses the above challenges by implementing and integrating three distinct software tools. AMBIENT not only assesses cyber and privacy risks in a thorough and automated manner, but it also offers decision-support capabilities to recommend optimal safeguards using the well-known repository of the Center for Internet Security (CIS) Controls. To the best of our knowledge, AMBIENT is the first toolkit in the academic literature that brings together the aforementioned capabilities. To demonstrate its use, we have created a case scenario based on information about cyber attacks we have received from a healthcare organization, as a reference sector that faces critical cyber and privacy threats.

Keywords: toolkit, cybersecurity, privacy, risk assessment, risk control, healthcare

Introduction

Cyber risk management has traditionally been a fundamental challenge of every organization that seeks ways to protect its assets against cyber threats.[1] This typically involves the use of cybersecurity countermeasures (technical, operational, and physical) to prevent, detect, and respond to cyber attacks prohibiting the exploitation of the organization. Technical controls can be anything from “inventory and control of hardware assets” to “penetration tests and red team exercises,” according to the Center for Internet Security (CIS) Controls.[2] Operational controls refer to standards, policies, and frameworks adopted by the organization, while physical security measures can prevent physical access to the cyber infrastructure.

In most cases, implementing all controls is neither possible nor required, although some controls are necessary for an organization to operate. For example, corporate cybersecurity strategies dictate the need for aligning with information security frameworks such as the International Organization for Standardization's ISO 27001 and 27002 standards.[3] Regarding the different types of organizations, the National Institute of Standards and Technology (NIST) has published the Framework for Improving Critical Infrastructure Cybersecurity, stating that different organizations exhibit different cyber risks due to their different security requirements and infrastructures to be protected. For instance, both financial and healthcare organizations have regulatory requirements to satisfy, while the latter also have to protect human lives.[4]

Our work is motivated by the need to undertake cyber risk management in the healthcare domain. Nevertheless, cyber risk management methodologies and tools are generally applicable to a variety of industries, with the underlying models and system components largely remaining the same. Our choice was initially motivated by the criticality of this domain determined by cyber–physical impact inflicted by cyber risks as human lives can be at risk following a cyber incident. In the 2020 Data Breach Investigations Report, published by Verizon, healthcare is listed as the industry with the majority of data breaches.[5]

Last year, the same report indicated that healthcare stands out because 59% of its breaches are associated with internal actors, and 81% of the incidents within healthcare correspond to miscellaneous errors, privilege misuse, and web applications. In the United States alone, healthcare organizations have reported over 170 individual ransomware attacks since 2016, affecting around 1,500 healthcare centers and over 6.5 million patients, at an estimated cost to the industry of USD 157 million.[6] This rising number of security incidents has also led to data breaches (e.g., 72% of the data breaches were medical[7]), due to the massive amount of sensitive data that is processed. The picture worsens further when we consider a healthcare domain currently overwhelmed by the COVID-19 pandemic.[8]

The well-known WannaCry ransomware, although not targeting healthcare organizations per se, managed to massively affect the U.K.’s National Healthcare System (NHS), causing not only financial damage but also life-threatening harm, e.g., through operations that could not take place when systems went down during the attack.[8] The low security posture of many hospitals was the reason WannaCry spread so successfully across its various hosts, causing tremendous impact in a limited period of time. A state actor behind this attack is not the only source of danger to healthcare organizations, which may also be susceptible to attacks launched by anyone ranging from script kiddies through to organized crime and state actors.

Even worse, healthcare data are more valuable on the Dark Web than many other kinds of data, because of their potential adversarial uses, including blackmail for financial gain, selling intelligence to pharmaceutical companies, and compromising data integrity to create chaos in a country or a hospital, as in the recent incident at Valley Hospital, in California, which was hit by a ransomware attack on October 11, 2020. The case of WannaCry clearly demonstrated that U.K. hospitals had not invested in cybersecurity controls, while post-incident analysis shows that 65 NHS Trusts spent 612 million pounds on IT two years after the attack took place[9], a 33% budget increase compared to the year preceding this incident.

While everything shows that cybersecurity has been more of an afterthought for healthcare organizations than, for instance, for the banking industry, it is also clear that due to the General Data Protection Regulation (GDPR)[10], hospitals are obliged to report incidents or breaches in data processing. Furthermore, enabling traceability in these domains serves the purpose of demonstrating accountability, which has recently been studied extensively as part of the literature on blockchain.

Traditionally, information privacy and cybersecurity have been treated as distinct concepts. Even though managing cybersecurity risk contributes to managing privacy risk, it is not sufficient, since privacy risks can also arise by other means unrelated to cybersecurity incidents[11], while loss of personal data does not equate to a loss of privacy. In data terms, privacy is violated if and only if the data are used in a manner that actually violates the data subject’s fundamental right to privacy. However, as the number of privacy and data protection regulations increases, the overlap between privacy and cybersecurity increases.

Organizations are spending valuable resources by duplicating efforts to mitigate the consequences of privacy and cybersecurity attacks, with both efforts competing for the same budgets. This brings us to a major challenge: having to spend a proportion of the organization's IT budget on countermeasures that mitigate cyber and privacy risks. This has given rise to a fairly rich literature on cyber investments seeking answers to what the best ways are to select a portfolio of countermeasures given some predefined financial limitations.[12] Within the same domain, researchers are also investigating the role of the indirect costs of these countermeasures in the selection process, how countermeasures interact with each other, and what the minimal set of countermeasures is that is required to achieve a desirable level of overall risk.

Our work on risk assessment and control has led to the development of an innovative toolkit called AMBIENT (Automated Cyber and Privacy Risk Management Toolkit). Although AMBIENT has been designed based on end-user requirements elicited by healthcare professionals, inevitably, its functionalities can be used in other domains. Nevertheless, the knowledge bases of AMBIENT (e.g., vulnerabilities) as well as values for parameters used during risk assessment (e.g., probabilities of attack occurrence) are drawn from the healthcare domain, as published in industrial reports such as the Verizon 2021 Data Breach Investigations Report.

Our motivation behind creating AMBIENT was the lack of automated software that not only conducts cyber risk assessment in the traditional way, but also takes into consideration the GDPR and healthcare processes, and then addresses the fundamental challenge of investing a financial budget in the most effective combination of cybersecurity controls. The automated nature of a cyber risk management tool is critical, because it can save time and resources for an organization that either outsources this task or allocates a significant amount of time to combining the outcomes of the cyber and privacy risk assessments with a tool that suggests the best ways to mitigate the identified risks. AMBIENT is a decision support platform that provides cyber risk assessment, privacy risk assessment according to GDPR terms and requirements, proactive cyber risk control (i.e., before threats have materialized), and reactive mitigation (i.e., when signs of intrusions are present or new risks have been identified). At the same time, AMBIENT determines an optimal allocation of a financial budget to various cyber controls by adopting the weakest link model.[13]

AMBIENT is augmented with real-time intrusion detection capabilities to be able to derive changes in the risk that are worthy of being considered by system administrators. Once these notifications are triggered, AMBIENT relies on a Cybersecurity and a Privacy Risk Assessment module, as solutions that take advantage of a variety of input data to perform the analysis and provide qualitative and quantitative scores that will advise organizations on the risks they are exposed to and the mitigation measures they can implement to reduce their attack surface. Such mitigation measures are shared with the Optimal Safeguard Recommendation module that performs further analysis and optimization in order to compute a prioritized list of remediation actions to be taken, acting as a holistic decision support cybersecurity toolkit.

The remainder of this paper is structured as follows. The next section presents the related work in cybersecurity and privacy risk assessments, as well as in the optimization of controls. An introduction to the AMBIENT toolkit architecture and details of its main modules follow the related work. Then the applicability of the proposed toolkit is discussed by analyzing security threats in a healthcare infrastructure, followed by a discussion of the preliminary results. The final section of the paper highlights the main advantages and limitations of our proposed toolkit, and provides conclusions as well as perspectives for future work.

Related work

Cyber risk assessment

An integral part of the risk assessment process is the selection of a risk assessment model or methodology. There is a vast variety of risk assessment models in the literature and tools available in the market. Examples of models used in quantitative risk assessments[14] include Fault Tree Analysis[15][16], Bayesian Networks[17][18], Monte Carlo Simulation[19], and Markov Chains.[20][21]

Examples of qualitative risk assessment tools include EBIOS RM (Expression of Needs and Identification of Security Objectives)[22], MEHARI (Harmonised Risk Analysis Method)[23], and OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation).[24] IT-Grundschutz (IT Baseline Protection Manual)[25] is an example of a tool performing quantitative risk assessment. Other tools such as MAGERIT (Risk Analysis and Management Methodology for Information Systems)[26] and CORAS (a method for risk analysis of security-critical systems)[27] are widely used for both qualitative and quantitative risk assessments. Regardless, the choice of risk assessment tool largely depends on the purpose and the data available (e.g., impact, likelihood of occurrence, etc.).[28][29][30]

References

  1. Whitman, Michael E.; Mattord, Herbert J. (2012). Principles of information security (4th ed.). Boston, MA: Course Technology. ISBN 978-1-111-13821-9. 
  2. Center for Internet Security. "CIS Controls". https://www.cisecurity.org/controls/. Retrieved 31 May 2021. 
  3. International Organization for Standardization. "ISO/IEC 27001 Information Security Management". International Organization for Standardization. https://www.iso.org/isoiec-27001-information-security.html. Retrieved 14 June 2021. 
  4. Kruse, Clemens Scott; Frederick, Benjamin; Jacobson, Taylor; Monticone, D. Kyle (1 January 2017). "Cybersecurity in healthcare: A systematic review of modern threats and trends" (in en). Technology and Health Care 25 (1): 1–10. doi:10.3233/THC-161263. ISSN 0928-7329. https://content.iospress.com/articles/technology-and-health-care/thc1263. 
  5. Verizon (2020). "2020 Data Breach Investigations Report" (PDF). Verizon. https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf. Retrieved 30 March 2021. 
  6. Bischoff, P. (10 March 2021). "Ransomware attacks on US healthcare organizations cost $20.8bn in 2020". CompariTech. https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/. Retrieved 30 March 2021. 
  7. Verizon (2019). "2019 Data Breach Investigations Report" (PDF). Verizon. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf. Retrieved 12 April 2021. 
  8. Martin, Guy; Ghafur, Saira; Kinross, James; Hankin, Chris; Darzi, Ara (4 June 2018). "WannaCry—a year on" (in en). BMJ 361: k2381. doi:10.1136/bmj.k2381. ISSN 0959-8138. PMID 29866711. https://www.bmj.com/content/361/bmj.k2381. 
  9. Hughes, O. (15 August 2019). "NHS trust IT spend up more than £150m since WannaCry". DigitalHealth. https://www.digitalhealth.net/2019/08/nhs-trusts-it-spend-up-more-than-150m-since-wannacry/. Retrieved 10 May 2021. 
  10. "General Data Protection Regulation (GDPR)". Intersoft Consulting. https://gdpr-info.eu/. Retrieved 8 June 2021. 
  11. National Institute of Standards and Technology (16 January 2020). NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. Gaithersburg, MD. doi:10.6028/nist.cswp.01162020. https://doi.org/10.6028/NIST.CSWP.01162020. 
  12. Nespoli, Pantaleone; Papamartzivanos, Dimitrios; Gómez Mármol, Félix; Kambourakis, Georgios (Second quarter 2018). "Optimal Countermeasures Selection Against Cyber Attacks: A Comprehensive Survey on Reaction Frameworks". IEEE Communications Surveys Tutorials 20 (2): 1361–1396. doi:10.1109/COMST.2017.2781126. ISSN 1553-877X. https://ieeexplore.ieee.org/document/8169023/. 
  13. Arce, I. (1 March 2003). "The weakest link revisited [information security]". IEEE Security Privacy 1 (2): 72–76. doi:10.1109/MSECP.2003.1193216. ISSN 1558-4046. https://ieeexplore.ieee.org/document/1193216/. 
  14. Vavoulas, Nikos; Xenakis, Christos (2011), Xenakis, Christos; Wolthusen, Stephen, eds., "A Quantitative Risk Analysis Approach for Deliberate Threats", Critical Information Infrastructures Security (Berlin, Heidelberg: Springer Berlin Heidelberg) 6712: 13–25, doi:10.1007/978-3-642-21694-7_2, ISBN 978-3-642-21693-0, http://link.springer.com/10.1007/978-3-642-21694-7_2. 
  15. Stamatelatos, M.; Vesely, W.; Dugan, J. et al. (August 2002). "Fault Tree Handbook with Aerospace Applications". NASA. http://www.mwftr.com/CS2/Fault%20Tree%20Handbook_NASA.pdf. Retrieved 31 May 2021. 
  16. "Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools" (in en). Computer Science Review 15-16: 29–62. 1 February 2015. doi:10.1016/j.cosrev.2015.03.001. ISSN 1574-0137. https://www.sciencedirect.com/science/article/abs/pii/S1574013715000027. 
  17. Jiang, Xia; Neapolitan, Richard E.; Barmada, M. Michael; Visweswaran, Shyam (31 March 2011). "Learning genetic epistasis using Bayesian network scoring criteria". BMC Bioinformatics 12 (1): 89. doi:10.1186/1471-2105-12-89. ISSN 1471-2105. PMC 3080825. PMID 21453508. https://doi.org/10.1186/1471-2105-12-89. 
  18. Koumenides, Christos L.; Shadbolt, Nigel R. (2012). "Combining link and content-based information in a Bayesian inference model for entity search" (in en). Proceedings of the 1st Joint International Workshop on Entity-Oriented and Semantic Search - JIWES '12 (Portland, Oregon: ACM Press): 1–6. doi:10.1145/2379307.2379310. ISBN 978-1-4503-1601-9. http://dl.acm.org/citation.cfm?doid=2379307.2379310. 
  19. Haugh, M. (2016). "Monte-Carlo Methods for Risk Management" (PDF). IEOR E4602: Quantitative Risk Management. https://martin-haugh.github.io/files/QRM/MC_RiskManage.pdf. Retrieved 12 April 2021. 
  20. Komorowski, Matthieu; Raffa, Jesse (2016), "Markov Models and Cost Effectiveness Analysis: Applications in Medical Research" (in en), Secondary Analysis of Electronic Health Records (Cham: Springer International Publishing): 351–367, doi:10.1007/978-3-319-43742-2_24, https://doi.org/10.1007/978-3-319-43742-2_24. 
  21. Yu-Ting, Ding; Hai-Peng, Qu; Xi-Long, Teng (1 April 2014). "Real-time risk assessment based on hidden Markov model and security configuration". 2014 International Conference on Information Science, Electronics and Electrical Engineering (Sapporo, Japan: IEEE): 1600–1603. doi:10.1109/InfoSEEE.2014.6946191. ISBN 978-1-4799-3197-2. http://ieeexplore.ieee.org/document/6946191/. 
  22. "EBIOS Risk Manager - The Method". ANSSI. https://www.ssi.gouv.fr/guide/ebios-risk-manager-the-method/. Retrieved 15 June 2021. 
  23. "Welcome to the official MEHARI website" (in fr). MEHARIPedia. Avada. http://meharipedia.org/home/. Retrieved 15 June 2021. 
  24. Caralli, Richard; Stevens, James F.; Young, Lisa R.; Wilson, William R. (2007). Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. doi:10.1184/R1/6574790.V1. https://kilthub.cmu.edu/articles/Introducing_OCTAVE_Allegro_Improving_the_Information_Security_Risk_Assessment_Process/6574790/1. 
  25. "IT-Grundschutz". Federal Office for Information Security. https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html. Retrieved 15 June 2021. 
  26. "Magerit". European Union Agency for Cybersecurity. https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_magerit.html. Retrieved 15 June 2021. 
  27. "The CORAS Method". SourceForge. 16 November 2015. http://coras.sourceforge.net/. Retrieved 15 June 2021. 
  28. Gonzalez Granadillo, G.; Doynikova, E.; Garcia-Alfaro, J. et al. (1 October 2020). "Stateful RORI-based countermeasure selection using hypergraphs" (in en). Journal of Information Security and Applications 54: 102562. doi:10.1016/j.jisa.2020.102562. ISSN 2214-2126. https://www.sciencedirect.com/science/article/abs/pii/S221421262030716X. 
  29. Gonzalez-Granadillo, G.; Dubus, S.; Motzek, A. et al. (1 June 2018). "Dynamic risk management response system to handle cyber threats" (in en). Future Generation Computer Systems 83: 535–552. doi:10.1016/j.future.2017.05.043. ISSN 0167-739X. https://www.sciencedirect.com/science/article/abs/pii/S0167739X17311433. 
  30. Gonzalez-Granadillo, Gustavo; Alvarez, Ender; Motzek, Alexander; Merialdo, Matteo; Garcia-Alfaro, Joaquin; Debar, Hervé (2016), "Towards an Automated and Dynamic Risk Management Response System" (in en), Secure IT Systems (Cham: Springer International Publishing): 37–53, doi:10.1007/978-3-319-47560-8_3, https://doi.org/10.1007/978-3-319-47560-8_3. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added.