On October 19, 2021, we published the book, "Modern Cybersecurity: Tales from the Near-Distant Future". This is an excerpt from a chapter by Sounil Yu.
Cyber is a much-abused term; it is overused to describe anything in our digital ecosystem. Cyber refers to everything and thus means nothing. Because the term lacks specificity, we lack a common understanding of what we actually mean by a cyber asset.
Instead, we often tend to define cyber assets from the narrow perspective of our own background and training. Those with backgrounds in system administration tend to think of cyber assets as endpoints and servers; those with software and product development backgrounds see cyber assets as software and applications; network administrators emphasize communication networks; those with a background in traditional information security think data is the most important cyber asset; and those who have come out of personnel or physical security focus on people. Perhaps we collectively adopted the term cyber because we struggled to find the one word that encompassed all these different types of assets.
This ambiguity is carried over into how we define cybersecurity. Is cybersecurity about endpoint security? Or is it about application security? Or network or data security? How about insider threat? For all its flaws, “cyber” is the one word that seems to come closest to capturing the different types of assets in our digital ecosystem. But in using the word “cyber”, we may quickly forget what each of these cyber assets is. To avoid leaving out an important cyber asset, we should be more explicit in defining the broader classes of cyber assets, which include: devices, applications, networks, data, and users.
When considering the varying types of cyber assets, we also need to account for ownership of those assets. In most cases, the assets that an enterprise cares about are those that are actually owned by the enterprise. However, our definition of cyber assets must also account for assets owned by other entities, such as vendors and third parties, customers, and employees. For some organizations, this list may also include assets owned by threat actors (as represented through threat intelligence).
Asset Ownership (Who owns the thing of interest?)
Enterprise
- DEVICES: owned/managed devices
- APPLICATIONS: built/bought applications
- NETWORKS: owned/managed networks
- DATA: created/held/managed data
- USERS: employees and on-site contractors
Vendors/Third Parties
- DEVICES: IaaS
- APPLICATIONS: SaaS, PaaS
- NETWORKS: IaaS, ISPs, CDNs
- DATA: S3 buckets, block storage
- USERS: vendor system administrators, developers
Customers
- DEVICES: customer’s computer
- APPLICATIONS: customer’s browser
- NETWORKS: residential networks
- DATA: PII
- USERS: customers and their identity
Employees
- DEVICES: BYOD
- APPLICATIONS: employee’s apps
- NETWORKS: home/guest networks
- DATA: PII
- USERS: employees and their identity
Threat Actors (usually available through Threat Intelligence)
- DEVICES: owned/managed/co-opted devices (e.g., botnets)
- APPLICATIONS: built/bought applications (e.g., malware)
- NETWORKS: owned/managed networks (e.g., Russian Business Network)
- DATA: held/stolen data (e.g., credentials)
- USERS: the actor itself (e.g., Fancy Bear)
As we can see, there is a wide range of cyber assets. But why not just call them digital assets? In general, it appears that we use the prefix “cyber” when it pertains to security concerns in critical assets that warrant protection. Each of these asset classes, across the broad range of different owners of these assets, is not just any digital asset, but rather an asset that may be susceptible to attack.
Herein lies a curious contradiction. In financial terms, assets are typically seen as resources that grow in value or help generate revenue. However, to the security practitioner, a cyber asset is one that introduces liabilities. These liabilities usually manifest in the form of new attack surfaces. For all the talk and excitement about digital transformation, it also translates to a rapid (and often unmanaged) proliferation of new attack surfaces (i.e., liabilities) that the security team must manage and mitigate.
What is a Modern Cyber Asset?
To understand what makes a cyber asset modern, it may help to use an analogy. For passenger vehicles, modernity implies that the vehicle has many of the options and design patterns that are typically seen only in the latest luxury cars. Over time, many of the advanced safety features trickle down and become a default feature in every newly manufactured, modern vehicle. Furthermore, individual components of modern vehicles have an increased level of interconnectedness with other components, often for the purposes of making the technology easier or more seamless to use.
Likewise, a modern cyber asset is one that incorporates many of the well-understood design patterns for safety and security. A modern cyber asset is also one that is highly interconnected to other cyber assets. Unfortunately, many cyber assets today do not incorporate secure or safe design patterns. Furthermore, because they remain highly interconnected, each new cyber asset blurs the boundaries between trustworthy and untrustworthy zones and creates unexpected transitive trust relationships that can be exploited by attackers. As a result, it is important to understand the interconnected relationships of these assets if we have any hope of securing them.
What is Security for a Modern Cyber Asset?
Fortunately, thanks to the NIST Cybersecurity Framework, we have less ambiguity when it comes to defining security, or at least the activities associated with securing modern cyber assets. The NIST Cybersecurity Framework outlines five major functions: IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER.
Coupled with the five cyber asset classes mentioned previously (DEVICES, APPLICATIONS, NETWORKS, DATA, USERS), we can combine these functions and assets into a 5x5 grid that I call the Cyber Defense Matrix (https://cyberdefensematrix.com). This matrix is a useful tool for understanding and organizing cybersecurity capabilities that support our ability to secure modern cyber assets.
By plotting every defensive security function against every kind of modern cyber asset that needs defending, the Cyber Defense Matrix offers a comprehensive, strategic overview of the entire security environment for an enterprise. We can see a macro-level view of where the activities of any given security function would fit and how cyber assets may relate to one another.
This has been an excerpt from Sounil Yu's chapter, "What is a Modern Cyber Asset?" in the newly released book, "Modern Cybersecurity: Tales from the Near-Distant Future". You can read the rest of the chapter as a free, digital download or purchase a hard copy on Amazon.