
Cybersecurity audits focus Q3 2023

Audit criteria updates
Threat landscape risk factors

Anastasiia Konoplova, CISA, CRISC, CDPSE
CISA, CRISC, CDPSE Trainer, LLC UAG, ISACA Kyiv Chapter
Profile: https://www.linkedin.com/in/anastasiia-konoplova-9342b57b/
Public activity: https://www.slideshare.net/AnastasiiaKonoplova
Blog: https://www.facebook.com/llcuag
Reputation: https://ec.europa.eu/futurium/en/Women4Cyber
Certifications: https://www.credly.com/users/anastasiia-konoplova

Focusing audits, consider

If you planned your audit 6 months ago or earlier, check your criteria: they have probably been updated, or additional ones have appeared.

Consider cloud, data lake and AI awareness training. Most vendor applications and services, especially security apps, use this stack. Operations within the stack also change (CI/CD, DevOps), and the threats change as well.

Business continuity is not enough anymore. We are moving from "known unknowns" to "unknown unknowns", which is the object of resilience. It is impossible to RESTORE operations to the norm; it is possible to UPDATE operations in the environment after the risk event (shaping the environment by this update). Update requires built capability and awareness.

Compliance Shift – 2022-2025

New technology requirements
• AI (e.g. EU AI Act)
• Clouds, Data Lakes and Fabrics, CI/CD (e.g. US ZTA)
• Post-quantum cryptography (e.g. ENISA)

Compliance automation
• GRC software (e.g. NIST Open Security Controls Assessment Language, OSCAL, expressed in JSON, XML and YAML)
• Assessment automation (e.g. https://www.gartner.com/reviews/market/it-vendor-risk-management-solutions)
• CC 2022 assessment profiles

Critical infrastructure cyber risk, supply chain scoped
• Systemic cyber risk (e.g. ESRB)
• ICS-CERTs
• (8)+11 sectors in scope for cybersecurity requirements (EU NIS2), US DoD CMMC v.2
• Resilience over business continuity (e.g. Bank of England resilience framework)
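The compliance-automation bullet above rests on machine-readable control languages such as OSCAL. The Python below is an added example, not code from the slides or from NIST: it walks an OSCAL-shaped control catalog and an assessment-results document and reports which catalog controls were never assessed, which have a finding that is not satisfied, and which findings point at controls outside the catalog. Both JSON documents are constructed, deliberately small samples that follow OSCAL's top-level layout (catalog, groups, controls with nested enhancements; assessment-results, results, findings with a target and status). The `<control-id>_obj` naming of objective targets and the field subset used are assumptions made for the example, so treat the field names as illustrative rather than as a validated schema.

```python
import json

# Constructed, deliberately small catalog in the OSCAL catalog shape
# (catalog -> groups -> controls; enhancements nest under a control's "controls").
CATALOG_JSON = """
{
  "catalog": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {"title": "Sample catalog (constructed)", "version": "1.0"},
    "groups": [
      {"id": "ac", "title": "Access Control", "controls": [
        {"id": "ac-1", "title": "Policy and Procedures"},
        {"id": "ac-2", "title": "Account Management", "controls": [
          {"id": "ac-2.1", "title": "Automated System Account Management"}
        ]}
      ]},
      {"id": "au", "title": "Audit and Accountability", "controls": [
        {"id": "au-2", "title": "Event Logging"},
        {"id": "au-6", "title": "Audit Record Review, Analysis, and Reporting"}
      ]}
    ]
  }
}
"""

# Constructed assessment results in the OSCAL assessment-results shape
# (assessment-results -> results -> findings -> target with status.state).
# Objective ids of the form "<control-id>_obj..." are an assumed convention.
RESULTS_JSON = """
{
  "assessment-results": {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "results": [
      {"title": "Q3 assessment (constructed)", "findings": [
        {"title": "AC-1 reviewed", "target": {"type": "objective-id", "target-id": "ac-1_obj", "status": {"state": "satisfied"}}},
        {"title": "AC-2 a", "target": {"type": "objective-id", "target-id": "ac-2_obj.a", "status": {"state": "not-satisfied"}}},
        {"title": "AC-2 b", "target": {"type": "objective-id", "target-id": "ac-2_obj.b", "status": {"state": "satisfied"}}},
        {"title": "AU-2", "target": {"type": "objective-id", "target-id": "au-2_obj", "status": {"state": "satisfied"}}}
      ]}
    ]
  }
}
"""


def iter_controls(controls):
    """Yield (id, title) for each control, descending into nested enhancements."""
    for c in controls:
        yield c["id"], c.get("title", "")
        yield from iter_controls(c.get("controls", []))


def load_controls(catalog_doc):
    """Flatten a catalog into {control_id: title}, walking every group."""
    cat = catalog_doc["catalog"]
    found = {}
    for group in cat.get("groups", []):
        found.update(dict(iter_controls(group.get("controls", []))))
    found.update(dict(iter_controls(cat.get("controls", []))))  # top-level controls, if any
    return found


def control_id_of(target_id):
    """Map an objective id such as 'ac-2_obj.a' to its control id 'ac-2' (assumed convention)."""
    return target_id.split("_", 1)[0]


def load_findings(results_doc):
    """Collect finding states per control: {control_id: [state, ...]}."""
    states = {}
    for result in results_doc["assessment-results"].get("results", []):
        for finding in result.get("findings", []):
            target = finding["target"]
            cid = control_id_of(target["target-id"])
            states.setdefault(cid, []).append(target["status"]["state"])
    return states


def coverage_report(catalog_json, results_json):
    """Classify every catalog control as satisfied, failing, or missing (never assessed)."""
    controls = load_controls(json.loads(catalog_json))
    findings = load_findings(json.loads(results_json))
    report = {"satisfied": [], "failing": [], "missing": []}
    for cid in sorted(controls):
        states = findings.get(cid)
        if not states:
            report["missing"].append(cid)
        elif all(s == "satisfied" for s in states):
            report["satisfied"].append(cid)
        else:
            report["failing"].append(cid)
    # Findings that point at nothing in the catalog are a scoping error, not a pass.
    report["unknown_targets"] = sorted(set(findings) - set(controls))
    return report


if __name__ == "__main__":
    for bucket, ids in coverage_report(CATALOG_JSON, RESULTS_JSON).items():
        print(f"{bucket:16s} {', '.join(ids) or '-'}")
```

The useful audit output is the "missing" bucket: a control with no finding at all is not evidence of compliance, and a results file that names objectives absent from the catalog means the assessment and the catalog version have drifted apart.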

Current regulations on technology

Tech agenda

ENISA Certification Scheme

https://certification.enisa.europa.eu/
https://www.commoncriteriaportal.org/cc/
Components of the CC standard

https://www.commoncriteriaportal.org/cc/
Common Criteria Target of Evaluation and assurance levels

5.3 Target of evaluation (TOE)
A TOE may be a complete IT product (or products), a part of an IT product, or made up of various components.

EXAMPLE Examples of TOEs include devices characterized by few interfaces, reduced attack surface, and a well-known supply chain:
— a network device;
— a software application;
— an operating system;
— a virtualization system;
— an integrated circuit;
— the cryptographic co-processor of an integrated circuit;
— an application for a mobile device;
— a database application excluding the remote client software normally associated with that database application.

TOEs can also be more complex, characterized by a large number of interfaces and/or components, multiple manufacturing/integration phases, and field-upgradeable products, such as:
— a Local Area Network (LAN) including all terminals, servers, network equipment and software;
— a mobile device;
— gateways and hubs;
— a software application in combination with an operating system;
— a multi-function device, such as a multi-function printer;
— a Hardware Security Module (HSM).

5.3.2 TOE boundaries
The concept of a TOE boundary is fundamental to the specification of the ST (security target). The ST shall clearly outline the physical and logical scope of the TOE as it is delivered to the customer.

In the CC, a TOE can occur in several representations in relationship with the assurance criteria.
NOTE These assurance criteria include testing (ATE) and vulnerability analysis (AVA), which require TOE samples; some design (ADV_IMP), which requires an implementation representation, e.g. source code; and lifecycle (ALC), which requires the TOE's configuration list.

EXAMPLE TOE representations for a software TOE:
— a list of files in a configuration management system;
— a single master copy that has just been compiled;
— the source code for a specific version of an open-source distribution;
— a box containing physical media and a manual, ready to be shipped to a customer;
— a binary file available for secure download;
— an installed and operational version.

TOE representations for a hardware TOE:
— integrated circuit layout;
— memory mappings;
— wafers;
— modules.

All of these are considered to be a TOE and wherever the term "TOE" is used in the CC, the context determines the representation that is described.
https://www.commoncriteriaportal.org/files/ccfiles/CC2022PART1R1.pdf
Security functions of ICT product/service (Common Criteria 2022, Part 2 functional classes)

8 Class FAU: Security audit
• 8.2 Security audit automatic response (FAU_ARP): 8.2.5 FAU_ARP.1 Security alarms
• 8.3 Security audit data generation (FAU_GEN): 8.3.5 FAU_GEN.1 Audit data generation; 8.3.6 FAU_GEN.2 User identity association
• 8.4 Security audit analysis (FAU_SAA): 8.4.8 FAU_SAA.1 Potential violation analysis; 8.4.9 FAU_SAA.2 Profile based anomaly detection; 8.4.10 FAU_SAA.3 Simple attack heuristics; 8.4.11 FAU_SAA.4 Complex attack heuristics
• 8.5 Security audit review (FAU_SAR): 8.5.8 FAU_SAR.1 Audit review; 8.5.9 FAU_SAR.2 Restricted audit review; 8.5.10 FAU_SAR.3 Selectable audit review
• 8.6 Security audit event selection (FAU_SEL): 8.6.5 FAU_SEL.1 Selective audit
• 8.7 Security audit data storage (FAU_STG): 8.7.12 FAU_STG.1 Audit data storage location; 8.7.13 FAU_STG.2 Protected audit data storage; 8.7.14 FAU_STG.3 Guarantees of audit data availability; 8.7.15 FAU_STG.4 Action in case of possible audit data loss; 8.7.16 FAU_STG.5 Prevention of audit data loss

9 Class FCO: Communication
• 9.2 Non-repudiation of origin (FCO_NRO): 9.2.6 FCO_NRO.1 Selective proof of origin; 9.2.7 FCO_NRO.2 Enforced proof of origin
• 9.3 Non-repudiation of receipt (FCO_NRR): 9.3.6 FCO_NRR.1 Selective proof of receipt; 9.3.7 FCO_NRR.2 Enforced proof of receipt

10 Class FCS: Cryptographic support
• 10.2 Cryptographic key management (FCS_CKM): 10.2.5 FCS_CKM.1 Cryptographic key generation; 10.2.6 FCS_CKM.2 Cryptographic key distribution; 10.2.7 FCS_CKM.3 Cryptographic key access; 10.2.8 FCS_CKM.4 Cryptographic key destruction; 10.2.9 FCS_CKM.5 Cryptographic key derivation; 10.2.10 FCS_CKM.6 Timing and event of cryptographic key destruction
• 10.3 Cryptographic operation (FCS_COP): 10.3.5 FCS_COP.1 Cryptographic operation
• 10.4 Random bit generation (FCS_RBG): 10.4.6 FCS_RBG.1 Random bit generation (RBG); 10.4.7 FCS_RBG.2 Random bit generation (external seeding); 10.4.8 FCS_RBG.3 Random bit generation (internal seeding – single source); 10.4.9 FCS_RBG.4 Random bit generation (internal seeding – multiple sources); 10.4.10 FCS_RBG.5 Random bit generation (combining noise sources); 10.4.11 FCS_RBG.6 Random bit generation service
• 10.5 Generation of random numbers (FCS_RNG): 10.5.5 FCS_RNG.1 Random number generation

11 Class FDP: User data protection
• 11.2 Access control policy (FDP_ACC): 11.2.5 FDP_ACC.1 Subset access control; 11.2.6 FDP_ACC.2 Complete access control
• 11.3 Access control functions (FDP_ACF): 11.3.5 FDP_ACF.1 Security attribute-based access control
• 11.4 Data authentication (FDP_DAU): 11.4.6 FDP_DAU.1 Basic data authentication; 11.4.7 FDP_DAU.2 Data authentication with identity of guarantor
• 11.5 Export from the TOE (FDP_ETC): 11.5.6 FDP_ETC.1 Export of user data without security attributes; 11.5.7 FDP_ETC.2 Export of user data with security attributes
• 11.6 Information flow control policy (FDP_IFC): 11.6.5 FDP_IFC.1 Subset information flow control; 11.6.6 FDP_IFC.2 Complete information flow control
• 11.7 Information flow control functions (FDP_IFF): FDP_IFF.1 Simple security attributes; FDP_IFF.2 Hierarchical security attributes; FDP_IFF.3 Limited illicit information flows; FDP_IFF.4 Partial elimination of illicit information flows; FDP_IFF.5 No illicit information flows; FDP_IFF.6 Illicit information flow monitoring
• 11.8 Information retention control (FDP_IRC): 11.8.5 FDP_IRC.1 Information retention control
• 11.9 Import from outside of the TOE (FDP_ITC): 11.9.5 FDP_ITC.1 Import of user data without security attributes; 11.9.6 FDP_ITC.2 Import of user data with security attributes
• 11.10 Internal TOE transfer (FDP_ITT): 11.10.7 FDP_ITT.1 Basic internal transfer protection; 11.10.8 FDP_ITT.2 Transmission separation by attribute; 11.10.9 FDP_ITT.3 Integrity monitoring; 11.10.10 FDP_ITT.4 Attribute-based integrity monitoring
• 11.11 Residual information protection (FDP_RIP): 11.11.5 FDP_RIP.1 Subset residual information protection; 11.11.6 FDP_RIP.2 Full residual information protection
• 11.12 Rollback (FDP_ROL): 11.12.5 FDP_ROL.1 Basic rollback; 11.12.6 FDP_ROL.2 Advanced rollback
• 11.13 Stored data confidentiality (FDP_SDC): 11.13.5 FDP_SDC.1 Stored data confidentiality; 11.13.6 FDP_SDC.2 Stored data confidentiality with dedicated method
• 11.14 Stored data integrity (FDP_SDI): 11.14.7 FDP_SDI.1 Stored data integrity monitoring; 11.14.8 FDP_SDI.2 Stored data integrity monitoring and action
• 11.15 Inter-TSF user data confidentiality transfer protection (FDP_UCT): 11.15.5 FDP_UCT.1 Basic data exchange confidentiality
• 11.16 Inter-TSF user data integrity transfer protection (FDP_UIT): 11.16.6 FDP_UIT.1 Data exchange integrity; 11.16.7 FDP_UIT.2 Source data exchange recovery; 11.16.8 FDP_UIT.3 Destination data exchange recovery

12 Class FIA: Identification and authentication
• 12.2 Authentication failures (FIA_AFL): 12.2.5 FIA_AFL.1 Authentication failure handling
• 12.3 Authentication proof of identity (FIA_API): 12.3.5 FIA_API.1 Authentication proof of identity
• 12.4 User attribute definition (FIA_ATD): 12.4.5 FIA_ATD.1 User attribute definition
• 12.5 Specification of secrets (FIA_SOS): 12.5.6 FIA_SOS.1 Verification of secrets; 12.5.7 FIA_SOS.2 TSF generation of secrets
• 12.6 User authentication (FIA_UAU): 12.6.16 FIA_UAU.1 Timing of authentication; 12.6.17 FIA_UAU.2 User authentication before any action; 12.6.18 FIA_UAU.3 Unforgeable authentication; 12.6.19 FIA_UAU.4 Single-use authentication mechanisms; 12.6.20 FIA_UAU.5 Multiple authentication mechanisms; 12.6.21 FIA_UAU.6 Re-authenticating; 12.6.22 FIA_UAU.7 Protected authentication feedback
• 12.7 User identification (FIA_UID): 12.7.6 FIA_UID.1 Timing of identification; 12.7.7 FIA_UID.2 User identification before any action
• 12.8 User-subject binding (FIA_USB): 12.8.5 FIA_USB.1 User-subject binding

13 Class FMT: Security management
• 13.2 Limited capabilities and availability (FMT_LIM): 13.2.5 FMT_LIM.1 Limited capabilities; 13.2.6 FMT_LIM.2 Limited availability
• 13.3 Management of functions in TSF (FMT_MOF): 13.3.5 FMT_MOF.1 Management of security functions behaviour
• 13.4 Management of security attributes (FMT_MSA) (13.4.1 Family behaviour): 13.4.11 FMT_MSA.1 Management of security attributes; 13.4.12 FMT_MSA.2 Secure security attributes; 13.4.13 FMT_MSA.3 Static attribute initialization; 13.4.14 FMT_MSA.4 Security attribute value inheritance
• 13.5 Management of TSF data (FMT_MTD): 13.5.9 FMT_MTD.1 Management of TSF data; 13.5.10 FMT_MTD.2 Management of limits on TSF data; 13.5.11 FMT_MTD.3 Secure TSF data
• 13.6 Revocation (FMT_REV): 13.6.5 FMT_REV.1 Revocation
• 13.7 Security attribute expiration (FMT_SAE): 13.7.5 FMT_SAE.1 Time-limited authorization
• 13.8 Specification of management functions (FMT_SMF): 13.8.5 FMT_SMF.1 Specification of management functions
• 13.9 Security management roles (FMT_SMR): 13.9.9 FMT_SMR.1 Security roles; 13.9.10 FMT_SMR.2 Restrictions on security roles; 13.9.11 FMT_SMR.3 Assuming roles

14 Class FPR: Privacy
• 14.2 Anonymity (FPR_ANO): 14.2.5 FPR_ANO.1 Anonymity; 14.2.6 FPR_ANO.2 Anonymity without soliciting information
• 14.3 Pseudonymity (FPR_PSE): 14.3.5 FPR_PSE.1 Pseudonymity; 14.3.6 FPR_PSE.2 Reversible pseudonymity; 14.3.7 FPR_PSE.3 Alias pseudonymity
• 14.4 Unlinkability (FPR_UNL): 14.4.5 FPR_UNL.1 Unlinkability of operations
• 14.5 Unobservability (FPR_UNO): 14.5.9 FPR_UNO.1 Unobservability; 14.5.10 FPR_UNO.2 Allocation of information impacting unobservability; 14.5.11 FPR_UNO.3 Unobservability without soliciting information; 14.5.12 FPR_UNO.4 Authorized user observability

15 Class FPT: Protection of the TSF
• 15.2 TOE emanation (FPT_EMS): 15.2.5 FPT_EMS.1 Emanation of TSF and user data
• 15.3 Fail secure (FPT_FLS): 15.3.5 FPT_FLS.1 Failure with preservation of secure state
• 15.4 TSF initialization (FPT_INI): 15.4.5 FPT_INI.1 TSF initialization
• 15.5 Availability of exported TSF data (FPT_ITA): 15.5.5 FPT_ITA.1 Inter-TSF availability within a defined availability metric
• 15.6 Confidentiality of exported TSF data (FPT_ITC): 15.6.5 FPT_ITC.1 Inter-TSF confidentiality during transmission
• 15.7 Integrity of exported TSF data (FPT_ITI): 15.7.7 FPT_ITI.1 Inter-TSF detection of modification; 15.7.8 FPT_ITI.2 Inter-TSF detection and correction of modification
• 15.8 Internal TOE TSF data transfer (FPT_ITT): 15.8.8 FPT_ITT.1 Basic internal TSF data transfer protection; 15.8.9 FPT_ITT.2 TSF data transfer separation; 15.8.10 FPT_ITT.3 TSF data integrity monitoring
• 15.9 TSF physical protection (FPT_PHP): 15.9.9 FPT_PHP.1 Passive detection of physical attack; 15.9.10 FPT_PHP.2 Notification of physical attack; 15.9.11 FPT_PHP.3 Resistance to physical attack
• 15.10 Trusted recovery (FPT_RCV): 15.10.8 FPT_RCV.1 Manual recovery; 15.10.9 FPT_RCV.2 Automated recovery; 15.10.10 FPT_RCV.3 Automated recovery without undue loss; 15.10.11 FPT_RCV.4 Function recovery
• 15.11 Replay detection (FPT_RPL): 15.11.5 FPT_RPL.1 Replay detection
• 15.12 State synchrony protocol (FPT_SSP): 15.12.5 FPT_SSP.1 Simple trusted acknowledgement; 15.12.6 FPT_SSP.2 Mutual trusted acknowledgement
• 15.13 Time stamps (FPT_STM): 15.13.7 FPT_STM.1 Reliable time stamps; 15.13.8 FPT_STM.2 Time source
• 15.14 Inter-TSF TSF data consistency (FPT_TDC): 15.14.5 FPT_TDC.1 Inter-TSF basic TSF data consistency
• 15.15 Testing of external entities (FPT_TEE): 15.15.5 FPT_TEE.1 Testing of external entities
• 15.16 Internal TOE TSF data replication consistency (FPT_TRC): 15.16.5 FPT_TRC.1 Internal TSF consistency
• 15.17 TSF self-test (FPT_TST): 15.17.5 FPT_TST.1 TSF self-testing

16 Class FRU: Resource utilization
• 16.1 Class description
• 16.2 Fault tolerance (FRU_FLT): 16.2.6 FRU_FLT.1 Degraded fault tolerance; 16.2.7 FRU_FLT.2 Limited fault tolerance
• 16.3 Priority of service (FRU_PRS): 16.3.5 FRU_PRS.1 Limited priority of service; 16.3.6 FRU_PRS.2 Full priority of service
• 16.4 Resource allocation (FRU_RSA): 16.4.6 FRU_RSA.1 Maximum quotas; 16.4.7 FRU_RSA.2 Minimum and maximum quotas

17 Class FTA: TOE access
• 17.2 Limitation on scope of selectable attributes (FTA_LSA): 17.2.5 FTA_LSA.1 Limitation on scope of selectable attributes
• 17.3 Limitation on multiple concurrent sessions (FTA_MCS): 17.3.6 FTA_MCS.1 Basic limitation on multiple concurrent sessions; 17.3.7 FTA_MCS.2 Per user attribute limitation on multiple concurrent sessions
• 17.4 Session locking and termination (FTA_SSL): 17.4.10 FTA_SSL.1 TSF-initiated session locking; 17.4.11 FTA_SSL.2 User-initiated locking; 17.4.12 FTA_SSL.3 TSF-initiated termination; 17.4.13 FTA_SSL.4 User-initiated termination
• 17.5 TOE access banners (FTA_TAB): 17.5.5 FTA_TAB.1 Default TOE access banners
• 17.6 TOE access history (FTA_TAH): 17.6.5 FTA_TAH.1 TOE access history
• 17.7 TOE session establishment (FTA_TSE): 17.7.5 FTA_TSE.1 TOE session establishment

18 Class FTP: Trusted path/channels
• 18.2 Inter-TSF trusted channel (FTP_ITC): 18.2.5 FTP_ITC.1 Inter-TSF trusted channel
• 18.3 Trusted channel protocol (FTP_PRO): 18.3.9 FTP_PRO.1 Trusted channel protocol; 18.3.10 FTP_PRO.2 Trusted channel establishment; 18.3.11 FTP_PRO.3 Trusted channel data protection
• 18.4 Trusted path (FTP_TRP): 18.4.5 FTP_TRP.1 Trusted path

Source: Common Criteria 2022


SWIFT CSF v2023

CMMC (US DoD procurement requirements, 2025)

• Safeguard sensitive information to enable and protect the warfighter
• Dynamically enhance DIB cybersecurity to meet evolving threats
• Ensure accountability while minimizing barriers to compliance with DoD requirements
• Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
• Maintain public trust through high professional and ethical standards

https://www.acq.osd.mil/cmmc/about-us.html
ISO 27001:2022, 27002:2022 – updated control structure

5 Organizational controls
• 5.1 Policies for information security
• 5.2 Information security roles and responsibilities
• 5.3 Segregation of duties
• 5.4 Management responsibilities
• 5.5 Contact with authorities
• 5.6 Contact with special interest groups
• 5.7 Threat intelligence
• 5.8 Information security in project management
• 5.9 Inventory of information and other associated assets
• 5.10 Acceptable use of information and other associated assets
• 5.11 Return of assets
• 5.12 Classification of information
• 5.13 Labelling of information
• 5.14 Information transfer
• 5.15 Access control
• 5.16 Identity management
• 5.17 Authentication information
• 5.18 Access rights
• 5.19 Information security in supplier relationships
• 5.20 Addressing information security within supplier agreements
• 5.21 Managing information security in the information and communication technology (ICT) supply chain
• 5.22 Monitoring, review and change management of supplier services
• 5.23 Information security for use of cloud services
• 5.24 Information security incident management planning and preparation
• 5.25 Assessment and decision on information security events
• 5.26 Response to information security events
• 5.27 Learning from information security incidents
• 5.28 Collection of evidence
• 5.29 Information security during disruption
• 5.30 ICT readiness for business continuity
• 5.31 Legal, statutory, regulatory and contractual requirements
• 5.32 Intellectual property rights
• 5.33 Protection of records
• 5.34 Privacy and protection of personal identifiable information (PII)
• 5.35 Independent review of information security
• 5.36 Compliance with policies, rules and standards for information security
• 5.37 Documented operating procedures

6 People controls
• 6.1 Screening
• 6.2 Terms and conditions of employment
• 6.3 Information security awareness, education, and training
• 6.4 Disciplinary process
• 6.5 Responsibilities after termination or change of employment
• 6.6 Confidentiality or non-disclosure agreements
• 6.7 Remote working
• 6.8 Information security event reporting

7 Physical controls
• 7.1 Physical security perimeters
• 7.2 Physical entry
• 7.3 Securing offices, rooms and facilities
• 7.4 Physical security monitoring
• 7.5 Protecting against physical and environmental threats
• 7.6 Working in secure areas
• 7.7 Clear desk and clear screen
• 7.8 Equipment siting and protection
• 7.9 Security of assets off-premises
• 7.10 Storage media
• 7.11 Supporting utilities
• 7.12 Cabling security
• 7.13 Equipment maintenance
• 7.14 Secure disposal or re-use of equipment

8 Technological controls
• 8.1 User end point devices
• 8.2 Privileged access rights
• 8.3 Information access restriction
• 8.4 Access to source code
• 8.5 Secure authentication
• 8.6 Capacity management
• 8.7 Protection against malware
• 8.8 Management of technical vulnerabilities
• 8.9 Configuration management
• 8.10 Information deletion
• 8.11 Data masking
• 8.12 Data leakage prevention
• 8.13 Information backup
• 8.14 Redundancy of information processing facilities
• 8.15 Logging
• 8.16 Monitoring activities
• 8.17 Clock synchronization
• 8.18 Use of privileged utility programs
• 8.19 Installation of software on operational systems
• 8.20 Networks security
• 8.21 Security of network services
• 8.22 Segregation of networks
• 8.23 Web filtering
• 8.24 Use of cryptography
• 8.25 Secure development life cycle
• 8.26 Application security requirements
• 8.27 Secure system architecture and engineering principles
• 8.28 Secure coding
• 8.29 Security testing in development and acceptance
• 8.30 Outsourced development
• 8.31 Separation of development, test and production environments
• 8.32 Change management
• 8.33 Test information
• 8.34 Protection of information systems during audit testing

ISO 27001:2022 management system clauses
4. Context of the organization: 4.1 Understanding the organization and its context; 4.2 Understanding the needs and expectations of interested parties; 4.3 Determining the scope of the information security management system; 4.4 Information security management system
5. Leadership: 5.1 Leadership and commitment; 5.2 Policy; 5.3 Organizational roles, responsibilities, and authorities
6. Planning: 6.1 Actions to address risks and opportunities (6.1.1 General; 6.1.2 Information security risk assessment; 6.1.3 Information security risk treatment); 6.2 Information security objectives and planning to achieve them
7. Support: 7.1 Resources; 7.2 Competence; 7.3 Awareness; 7.4 Communication; 7.5 Documented information (7.5.1 General; 7.5.2 Creating and updating; 7.5.3 Control of documented information)
8. Operation: 8.1 Operational planning and control; 8.2 Information security risk assessment; 8.3 Information security risk treatment
9. Performance evaluation: 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit (9.2.1 General; 9.2.2 Internal audit programme); 9.3 Management review (9.3.1 General; 9.3.2 Management review inputs; 9.3.3 Management review results)
10. Improvement: 10.1 Continual improvement; 10.2 Nonconformity and corrective action
The NIST Cybersecurity Framework 2.0 - 2024
GOVERN (GV) – Establish and monitor the organization’s cybersecurity risk
management strategy, expectations, and policy.
• The GOVERN Function is cross-cutting and provides outcomes to inform how an organization will achieve
and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder
expectations. Governance activities are critical for incorporating cybersecurity into an organization’s
broader enterprise risk management strategy. GOVERN directs an understanding of organizational context;
the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles,
responsibilities, and authorities; policies, processes, and procedures; and the oversight of cybersecurity
strategy.

IDENTIFY (ID) – Help determine the current cybersecurity risk to the organization.
• Understanding its assets (e.g., data, hardware, software, systems, facilities, services, people) and the
related cybersecurity risks enables an organization to focus and prioritize its efforts in a manner consistent
with its risk management strategy and the mission needs identified under GOVERN . This Function also
includes the identification of improvements needed for the organization’s policies, processes, procedures,
and practices supporting cybersecurity risk management to inform efforts under all six Functions.

PROTECT (PR) – Use safeguards to prevent or reduce cybersecurity risk.


• Once assets and risks are identified and prioritized, PROTECT supports the ability to secure those assets
to prevent or lower the likelihood and impact of adverse cybersecurity events. Outcomes covered by this
Function include awareness and training; data security; identity management, authentication, and access
control; platform security (i.e., securing the hardware, software, and services of physical and virtual
platforms); and the resilience of technology infrastructure.

DETECT (DE) – Find and analyze possible cybersecurity attacks and compromises.
• DETECT enables timely discovery and analysis of anomalies, indicators of compromise, and other
potentially adverse cybersecurity events that may indicate that cybersecurity attacks and incidents are
occurring.

RESPOND (RS) – Take action regarding a detected cybersecurity incident.
• RESPOND supports the ability to contain the impact of cybersecurity incidents. Outcomes within this
Function cover incident management, analysis, mitigation, reporting, and communication.

RECOVER (RC) – Restore assets and operations that were impacted by a cybersecurity
incident.
• RECOVER supports timely restoration of normal operations to reduce the impact of cybersecurity incidents
and enable appropriate communication during recovery efforts.

https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd
NIST SP 800-53r5
• 322 base security controls (1189 including control enhancements) in 20 control families ordered alphabetically; flexible implementation, which may be driven by baseline; designed with assurance in mind

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
Zero trust – initial requirements for US federal agencies (FA) through 2024

https://zerotrust.cyber.gov/
https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf
Regulators react: +resilience

In force since 31.03.2022, full force from 2025:

https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-sop
Important business services

https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2021/ss121-march-22.pdf
Time matters: the impact tolerance is the time within which the important business service must be ensured

https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2021/ss121-march-22.pdf
Outsourcers of outsourcers, or fourth parties

https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
Financial sector financially motivated persistent threats

https://www.bleepingcomputer.com/tag/fin7/

DBIR 2023
The highest quality statistics of confirmed incidents for the past year. Provides insight into the most likely real-world attacker tactics and tools. Provides limited insight into errors and insiders.

Contributors (alphabetical):
• Akamai Technologies; Ankura; Apura Cyber Intelligence
• Bit-x-bit; BitSight; BlackBerry
• Censys, Inc.; Center for Internet Security; Cequence Security; CERT Division of Carnegie Mellon University's Software Engineering Institute; CERT – European Union; CERT Polska; Check Point Software Technologies Ltd.; Chubb; Coalition; Computer Incident Response Center Luxembourg (CIRCL); Coveware; CrowdStrike; Cybersecurity and Infrastructure Security Agency (CISA); CyberSecurity Malaysia, an agency under the Ministry of Communications and Multimedia (KKMM); Cybersixgill; CYBIR
• Dell; Department of Government Services, Victorian State Government, Australia; DomainTools
• Energy Analytic Security Exchange (EASE); Edgescan; Elevate Security; Emergence Insurance; EUROCONTROL; Eviden
• Federal Bureau of Investigation – Internet Crime Complaint Center (FBI IC3); Fortinet
• Global Resilience Federation; GreyNoise
• HackEDU
• Irish Reporting and Information Security Service (IRISS-CERT); Ivanti
• JPCERT/CC
• K-12 Security Information Exchange (K-12 SIX); Kaspersky; KordaMentha
• Legal Services Information Sharing and Analysis Organization (LS-ISAO)
• Malicious Streams; Maritime Transportation System ISAC (MTS-ISAC); mnemonic
• NetDiligence®; NETSCOUT
• Okta; OpenText Cybersecurity
• Palo Alto Networks; Proofpoint
• S21sec; SecurityTrails, a Recorded Future Company; Shadowserver Foundation; Shodan; SISAP – Sistemas Aplicativos; Swisscom
• U.S. Secret Service
• VERIS Community Database; Verizon Cyber Risk Programs; Verizon Cyber Security Consulting; Verizon DDoS Defense; Verizon Network Operations and Engineering; Verizon Threat Research Advisory Center (VTRAC); Vestige Digital Investigations
• WatchGuard Technologies, Inc.

https://www.verizon.com/business/resources/reports/dbir/
MITRE ATT&CK
https://attack.mitre.org/

A systematic community effort to track the tactics and techniques of attackers (and the attackers themselves). It gives an idea of the attempts to compromise systems that have actually been carried out, i.e. the available tools and methods of attack, or known threats (without prioritisation).

Source: CSA State of Financial Services in Cloud Report 2023 (data 2022)
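Because ATT&CK itself carries no prioritisation, an audit has to supply one from its own incident data. The Python below is an added example, not from the slides, from MITRE or from the DBIR: it ranks techniques by how often they appeared in a constructed incident sample, weighted by how much residual exposure remains given the controls the organisation already has. The incident records and the coverage labels (tested/partial/none) are invented for the example; only the technique identifiers are real ATT&CK IDs.

```python
from collections import Counter

# Constructed incident sample (invented data): ATT&CK technique IDs observed per incident.
INCIDENTS = [
    {"id": "inc-001", "techniques": ["T1566", "T1078", "T1486"]},
    {"id": "inc-002", "techniques": ["T1566", "T1059", "T1021"]},
    {"id": "inc-003", "techniques": ["T1190", "T1059", "T1078"]},
    {"id": "inc-004", "techniques": ["T1566", "T1078"]},
]

# Constructed control/detection coverage as an audit would record it (assumed labels).
COVERAGE = {
    "T1566": "tested",   # Phishing: control exists and was tested
    "T1078": "partial",  # Valid Accounts: control exists, not tested
    "T1059": "none",     # Command and Scripting Interpreter: no control
    "T1190": "tested",   # Exploit Public-Facing Application
    "T1021": "none",     # Remote Services
    "T1486": "partial",  # Data Encrypted for Impact
}

# Residual-exposure weight per coverage state. A technique nobody has looked at
# (absent from COVERAGE) is treated as uncovered, never as covered.
COVERAGE_WEIGHT = {"none": 1.0, "partial": 0.5, "tested": 0.1}


def technique_frequency(incidents):
    """Fraction of incidents in which each technique was observed (once per incident)."""
    counts = Counter(t for inc in incidents for t in set(inc["techniques"]))
    total = len(incidents)
    return {t: n / total for t, n in counts.items()}


def prioritise(incidents, coverage):
    """Rank techniques by observed frequency x residual exposure, highest first.

    Ties are broken by technique ID so the ordering is deterministic."""
    scored = []
    for tech, freq in technique_frequency(incidents).items():
        weight = COVERAGE_WEIGHT[coverage.get(tech, "none")]
        scored.append((tech, round(freq * weight, 4)))
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for tech, score in prioritise(INCIDENTS, COVERAGE):
        print(f"{tech}  score={score:.3f}  coverage={COVERAGE.get(tech, 'none')}")
```

With this sample, T1059 ranks first: it is less frequent than phishing (T1566), but phishing is already tested while nothing covers scripting interpreters, which is exactly the gap an audit should spend its time on.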
Threat Intelligence – as activity

Who: SOC, CSIRT, CERT, intelligence provider
Input: threat data sources
Processing: capturing data; data analysis; output preparation
Output: threat landscape for planning; threat advisories; scenarios in order to mitigate impact

Source: Mandiant, Global Perspectives on Threat Intelligence
Threat landscape: ENISA

ETL 2022 https://www.enisa.europa.eu/topics/cyber-threats

https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view
https://www.enisa.europa.eu/news/enisa-news/how-to-map-the-cybersecurity-threat-landscape-follow-the-enisa-6-step-methodology
Preparation of TI analytics products
1.Actionable Information
2.Collection
3.Preparation
4.Storage
5.Analysis
6.Distribution
7.Lab: Extracting Indicators
8.Lab: Handout

https://www.first.org/education/trainings

What to collect?

Challenges
• Select best sources from a variety of choices
• Adjust choice as situation changes
• Consider ease of integration

Cybersecurity data are Big Data. They are not collected or processed manually. Intelligence analysts must select sources adequate to the task, connect them to monitoring systems, configure the system algorithms, and keep controlling relevance.

Inventory of many internal & external sources
• CyberGreen Project, Data Source Catalog: https://www.cybergreen.net/data-inventory/
• A curated list of "Awesome Threat Intelligence" resources: https://github.com/hslatman/awesome-threat-intelligence#sources
• ENISA, "Proactive Detection of Security Incidents—Honeypots," November 2012, available from: http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots
About cybersecurity monitoring

Mostly performed by ISACs. Local SOC teams integrate it with data from the local network to categorize alerts and act: isolate compromised nodes, update blacklists, configure firewalls/IDS, etc.

https://www.enisa.europa.eu/publications/proactive-detection-measures-and-information-sources
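The "Lab: Extracting Indicators" step of the TI preparation outline and the monitoring step above (ISAC feed joined with local network data to categorize alerts and update blacklists) can be shown end to end in one script. The Python below is an added example, not code from the slides, from FIRST's training or from ENISA: it pulls defanged IPv4 addresses, domains and SHA-256 hashes out of an advisory text, refangs and deduplicates them, matches them against a few proxy/DNS log lines, triages the internal sources that hit, and emits a blocklist. The advisory text, the log lines and their "timestamp source key=value" format are all constructed for the example; the sample indicators use reserved documentation ranges and example domains.

```python
import re

# Constructed advisory text (not a real report). Indicators use reserved documentation
# ranges and example domains; the hash is SHA-256 of the empty string, used as a placeholder.
ADVISORY = """\
Threat advisory (constructed sample)
Actor infrastructure observed at 203[.]0[.]113[.]45 and 198.51.100[.]7.
Phishing landing pages: hxxp://login-portal[.]example[.]net/auth and
update[.]example[.]org. Dropper SHA-256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Repeat sighting: 203[.]0[.]113[.]45 (same host as above).
"""

# Constructed proxy/DNS log lines in an assumed "timestamp source k=v ..." format.
LOCAL_LOGS = """\
2023-09-14T10:02:11Z proxy src=10.0.5.23 dst=203.0.113.45 host=login-portal.example.net method=GET
2023-09-14T10:02:12Z dns src=10.0.5.23 qname=update.example.org rcode=NOERROR
2023-09-14T10:03:40Z proxy src=10.0.7.9 dst=192.0.2.10 host=intranet.example.com method=GET
2023-09-14T10:05:02Z dns src=10.0.8.41 qname=cdn.example.com rcode=NOERROR
"""

# Advisories are usually defanged ("[.]"), so the patterns accept both plain and defanged dots.
DOT = r"(?:\.|\[\.\])"
IPV4_RE = re.compile(rf"\b(?:\d{{1,3}}{DOT}){{3}}\d{{1,3}}\b")
DOMAIN_RE = re.compile(rf"\b(?:[a-z0-9-]+{DOT})+[a-z]{{2,}}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE)


def refang(value):
    """Turn a defanged indicator back into its usable form."""
    return value.replace("[.]", ".").lower()


def extract_indicators(text):
    """Return {'ip', 'domain', 'sha256'} -> set of refanged, deduplicated indicators."""
    ips = {refang(m) for m in IPV4_RE.findall(text)}
    # The regex alone would accept 999.1.1.1; keep only candidates with valid octets.
    ips = {ip for ip in ips if all(int(o) <= 255 for o in ip.split("."))}
    domains = {refang(m) for m in DOMAIN_RE.findall(text)}
    hashes = {m.lower() for m in SHA256_RE.findall(text)}
    return {"ip": ips, "domain": domains, "sha256": hashes}


def parse_log_line(line):
    """Parse one 'timestamp source k=v k=v ...' line into a dict."""
    parts = line.split()
    fields = {"ts": parts[0], "source": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def match_logs(log_text, indicators):
    """Match dst/host/qname of each log line against the indicator sets; return alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_log_line(line)
        for field, kind in (("dst", "ip"), ("host", "domain"), ("qname", "domain")):
            value = f.get(field, "").lower()
            if value in indicators[kind]:
                alerts.append({"ts": f["ts"], "src": f["src"], "field": field,
                               "indicator": value, "type": kind})
    return alerts


def triage(alerts):
    """Categorise each internal source: 'high' when both an IP and a domain indicator
    hit (isolation candidate), 'medium' otherwise."""
    kinds = {}
    for a in alerts:
        kinds.setdefault(a["src"], set()).add(a["type"])
    return {src: ("high" if {"ip", "domain"} <= k else "medium") for src, k in kinds.items()}


def blocklist(indicators):
    """Sorted entries (IPs, then domains) ready for a firewall or DNS blocklist update."""
    return sorted(indicators["ip"]) + sorted(indicators["domain"])


if __name__ == "__main__":
    iocs = extract_indicators(ADVISORY)
    hits = match_logs(LOCAL_LOGS, iocs)
    for hit in hits:
        print(f"{hit['ts']} {hit['src']} -> {hit['field']}={hit['indicator']} ({hit['type']})")
    print("triage:", triage(hits))
    print("blocklist:", blocklist(iocs))
```

Two details matter in practice and are deliberately handled here: the duplicate sighting of 203.0.113.45 collapses to one indicator, so the blocklist stays clean, and the octet check rejects regex matches that are not real addresses before they reach a firewall rule.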
AI in cybersecurity tools: 2023

Challenges: false positives
• achieving verifiable, reliable, explainable, auditable, robust and unbiased AI;
• quality of data sets: among the self-built limitations, there is the notion of 'trash in/trash out', i.e. you need good quality inputs to get reasonable quality output, meaning not only the quality of data bearing in mind their practical algorithmic usability but also how well they represent the problem being tackled;

Approaches to determine threats:
• how to achieve end-to-end protection (data is particularly at risk when it is in transit);
• how to achieve optimal accuracy under real-world conditions and not in a simulated environment;
• the need for computational complexity and 'low-latency operation' to be addressed, especially when the system being monitored is of critical importance;
• the need to investigate whether the inferred models are valid or biased, or whether there are perceived changes in the time variance;
• ensuring that the security of the protection mechanism is assessed following a standardised framework considering diverse malicious attempts, cases, figures of merit, etc. (security-by-design);
• preservation of privacy, e.g. of training data, and confidentiality of the information flowing in the system, so that the characteristics of the system are not exposed indirectly and potentially classified information is not revealed.

https://www.enisa.europa.eu/publications/artificial-intelligence-and-cybersecurity-research
This defines cybersec 2025 (in regulations) - 2030 (in reality)

War
• Politics, government security agencies on the board;
• not only money at risk, but life in warfare, critical infrastructure and with IoT

Compliance
• More requirements – AML, PII, governance; more consequences (AML & GDPR), bigger budgets

Collaboration
• Via industry and government;
• via community (e.g. MITRE, SANS);
• via technology (e.g. DBIR)

Convergence
• Out of tech: OSINT is a weapon of journalists; awareness needs teachers; compliance requires lawyers, governance – economics

Orchestration and automation
• SOAR, cybersecurity mesh, DevSecOps, chaos engineering (distributed, immutable, and ephemeral: DIE to change CIA), Zero Trust Architecture

Technology shift
• Post-quantum crypto; 6G;
• AI-100; data lakes and fabrics;
• Omniverse