As the capability, complexity and pervasiveness of emerging technology continues to intensify, the evolving threat landscape presents an ever changing environment for security analysts, data owners and regulators.
Attack surfaces are becoming harder to identify and to define, and the prevalence of sophisticated threats continues to demand an ever greater investment of time, resources and management in order to appropriately mitigate.
At the beginning of 2019, there were 5.9 million businesses operating in the UK. As published by the Department for Business (2019), 99.9% of them were small and medium sized enterprises (SMEs) and 99.3% had fewer than 50 employees. These businesses employed 60.4% of the UK workforce in 2019. Such patterns are replicated across the European Union and the United States.
A thread of research has emerged in response to the challenge of applying effective controls within a resource constrained environment. Previous studies have sought both to characterise the nature of cyber threats which organisations may be exposed to, as well as provide techniques to inform the prioritisation and selection of controls. Typically such models are based on commodity cyber threats in which the threat actor can only use commonly available exploits which target known vulnerabilities.
In 2014, the UK government introduced its Cyber Essentials (CE) scheme which is a framework for helping organisations to establish a basic level of protection from cyber threats, along with a corresponding certification awarded to organisations who have demonstrated compliance.
Cyber Essentials contains five broadly defined technical controls which organisations should implement:
- Secure your internet connection. Use a firewall with properly configured rules to protect devices, especially if they connect to untrusted Wi-Fi networks. Remove networked services which are non-essential or vulnerable.
- Secure your devices and software. Change default configuration to remove unnecessary services and use strong passwords. Only necessary software, accounts and applications should be active.
- Control access to your data and services. Access to user accounts, devices, software and cloud services should operate on the basis of least privilege. Administration privileges should be reserved for those who need them and should be limited to what is necessary.
- Protect from viruses and other malware. Anti-malware software should be active in order to identify and mitigate malicious files, websites and emails. This may include white-listing, sandboxing and running regular malware scans.
- Keep your devices and software up to date. Patches should be applied to computers and network devices by updating their software. The essential problem which CE seeks to address concerns the optimisation of the selection of cyber controls in response to threats, within a resource-constrained environment. It is often assumed that CE was designed for SMEs alone, however it was actually intended to be size-agnostic.
The essential problem which CE seeks to address concerns the optimisation of the selection of cyber controls in response to threats, within a resource-constrained environment.
It is often assumed that CE was designed for SMEs alone, however it was actually intended to be size-agnostic. However in spite of this, it does tend to be smaller organisations who have tighter constraints on the availability of financial resources, capacity and expertise to put in place effective cyber controls.
This contributes to an increased need for support and guidance regarding the prioritisation and selection of controls which will achieve the greatest marginal improvement to their cyber resilience.
Where my research fits in
Cyber Essentials offers particular regard to the intrinsic limitations in the ability of many smaller businesses to effectively manage cyber threats. Accordingly, adopting an optimal selection of cyber controls based on the limited available resources at the disposal of each organisation is critical to its effectiveness.
In essence, Cyber Essentials can be characterised as being: a set of cyber controls (and an accompanying assurance framework), specified at a particular level of technical abstraction, and selected for optimal effectiveness at mitigating a broad range of cyber threats for a broad range of organisations and system architectures, within a constrained resource environment.
However, the optimisation of cyber control selection (including those specified by CE) is itself a complex activity. It relies on a large set of inter-dependent datasets, models and analysis techniques, each of which comes with their own weaknesses and limitations.
If CE is to have an appropriate scientific foundation, its requirements must be supported by the output of a rigorous process of analysis and validation. It is also notable that since CE was first conceived, the 'ways-of-working' and IT practices adopted by SMEs have evolved considerably.
In particular, bring-your-own-device (BYOD), remote-working, use of cloud-provisioned services, edge computing and distributed/federated computing, are increasingly prevalent. This provides a motivation to consider threat modelling for SMEs in view of modern practices.
Considerable attention has been devoted to many of the questions related to the scientific foundations for CE and other related frameworks. However, as we will discuss, there are several notable limitations in the techniques used to perform automated security analysis for SMEs and to underpin the assurance framework set out by CE.
The goal of this enquiry therefore, is to identify, define and characterise the basic components and attributes of a rigorous analysis process which would be suitable for providing an appropriate theoretical foundation for CE.
It is then to identify the primary weaknesses in the components of such a process and to develop improved datasets, models and/or analysis techniques which emerge as presenting the greatest opportunity to contribute to this agenda.
On the basis of any analysis process for CE which emerges, we then aim to build and integrate a set of components into an automated process for formally assessing the suitability of the CE requirements for mitigating threats to SMEs.
Conceptual model of research areas
The domain of my research involves four primary stages: sourcing information, semantic modelling, reasoning and countermeasure analysis (decision support), and a high-level (i.e. human) assessment of that analysis.
Each of these stages comprises activities, methods and models which are integrated together to provide a cohesive representation of a generalised countermeasure analysis process based on semantic modelling.
With reference to Figure 1, the process labelled knowledge selection refers to the selection of data (from the information sources) on the basis of what is necessary to represent and assess the security standard (such as Cyber Essentials). The system features refer to the design features (such as network design features) of the IT system under consideration, which may be elicited through use of a survey and which is consistent with the asset model.
The semantic model contains a semantic representation of at least threats, countermeasures and system asset, and their relationships to each other. Each of these sub-ontologies may further comprise additional concepts which improve the reasoning capability of the semantic model. From the semantic model, a knowledge base may be instantiated by created instances of the semantic models, populated with data from the information sources.
The decision support stage corresponds to the collection of activities which involve reasoning using the knowledge base in order to derive answers to queries. These activities, such as calculating security metrics, assessing countermeasure efficacy and their impact on risk, are facilitated by the concepts contained within the semantic model and are represented in the form of an ontology query language.
The high-level assessment stage represents the activities which may be performed automatically or manually in order to produce concrete recommendations regarding the most appropriate selection of countermeasures. This may involve use of a clustering activity in which countermeasures a grouped together on the basis of type, complexity or similarity, in order to represented countermeasures at different levels of abstraction. Throughout each of these stages, due regard should be given to the relevant enumerations, taxonomies and sharing standards which together provide a coherent foundation to integrate these stages together.
Given the nature of research, the precise activities undertaken are frequently evolving, but I hope this provides an interesting general overview of my research.
Please do get in touch with me if you have anything I might be able to help you with.