tashatuvango - Fotolia

APMG opens door to military-grade cyber security assessments

Developed for the MoD, the CDCAT tool enables any business to assess and manage its cyber defence capabilities using continually updated multiple cyber security controls and inputs

A military-grade cyber defence capability assessment tool (CDCAT) is being made available to commercial business through global certification and accreditation organisation APMG.

The CDCAT cyber security management and maturity assessment tool was originally developed for the ministry of defence (MoD) by the UK Defence Science and Technology Laboratory (DSTL).

When the MoD was hit by the Conficker worm in 2009, it wanted a flexible tool to analyse systems rapidly and repeatedly to see what security controls are in place and what controls should be added.

APMG has since been charged with taking the risk management tool to market by Ploughshare Innovations, which manages the commercial licensing of defence technology developed by the DSTL.

CDCAT enables any business to assess and manage its cyber defence capabilities using multiple cyber security controls and inputs from commercial, military and government organisations.

The tool includes the full sets of best practice controls including ISO 27001:2013, the US Cyber Security Framework, and the UK’s 10 Steps to Cyber Security and Cyber Essentials Scheme. APMG is planning to add the payment card industry data security standard (PCI DSS).

The resultant “uber” framework, includes 145 controls, but only the top 15 or 16 are used to measure an organisation’s capabilities, depending on the risk appetite and the current threat landscape, to show where there might be gaps and what mitigations can be implemented, said Andy Taylor, CESG Listed Advisor Scheme (CLAS) consultant and lead assessor at APMG.

“According to experiments by GCHQ and others, compliance with those top 16 controls with a level five maturity means you are around 98.5% secure against standard threats that the average company is facing,” he said, adding that state sponsored threats are “a whole different ball game”.

The tool and its scoring system can be used on an on-going basis to monitor cyber risk by obtaining a business licence from APMG for the .NET version or signing up for the soon-to-be-introduced web-based service. CDCAT is also available in a version that works with the MooD Platform that takes inputs from various enterprise systems for managing resources, projects, assets and risks. Alternatively, if a company is looking to reassess its cyber defence strategy, it can get a CDCAT assessment and report through consultation with an APMG assessor.

Read more about cyber security

“We question the people who run the systems and know them well, and on the basis of their answers we can assess how well existing controls are operating and determine a maturity level,” said Taylor.

The report provided by using the CDCAT approach provides details such as where controls are not operating effectively for the risk tolerance required, estimated costs of incidents if vulnerabilities were to be exploited, how well an organisation complies with a particular standard or framework, and a high level action plan with cyber security metrics to improve control maturity to the desired target level.

“The report will identify what is preventing an organisation from achieving a higher level of maturity, it will provide an action plan to follow, and outline the risks of failing to act,” said Taylor.

The tool can be used to run assessments whenever there is a change to the system, the risk tolerance, the threats or any other factor to help organisations stay ahead of attackers. Controls can be added to the top 16 controls as required. “For example, if we are assessing a database, we will usually add data restoration controls,” said Taylor.

Business risk appetite analysis

In a commercial business context, CDCAT enables a company to dynamically and proactively tackle its cyber security needs through business risk appetite analysis.

“Understanding your organisation’s risk appetite is important to help identify what systems and assets need the best protection and controls, and those that do not,” said APMG CEO Richard Pharro. However, he said this means that organisations also need to understand what systems they have, and what data they hold before they can think about how secure they need to be.

Uniquely, CDCAT is updated on a quarterly basis with information drawn from multiple international sources, including Nato, that are not otherwise available to public and private enterprise.

The main business benefit of CDCAT is that it provides cyber professionals with the tools to build business cases for security updates. The worst case scenario modelling outlines the potential cost to an organisation of not implementing the recommended change and suffering a breach. This is measured against the costs of enacting the change. These forecasts are based on the data provided during the assessment.

“Because the CDCAT produces a figure that says you are 82% secure, for example, this means to the business that there is an 18% chance of being attacked successfully, and because we can calculate the financial impact of that based on things like the Verizon data breach report, we can have a business discussion comparing the cost of taking action with the potential financial and reputational cost of failing to act,” said Taylor.

The most common effect of this, he said, is that it facilitates business decisions by converting a “fairly techie” discussion around how to do security into a business discussion about how the organisation approaches risk and translates security investment directly into how much risk will be reduced.

At a board level, said Pharro, the CDCAT report enables directors to see what needs to be done in the business to be more cyber secure and helps non-execs identify the questions they should be asking executives about the way they are going about doing cyber security.

Continuous security improvements

Another practical use of CDCAT, he said, is to support continuous security improvements for organisations and supply chains as threats, consequences and risk appetites change. “Through integrating multiple evolving reference standards, it provides a framework for the assessment and integration of new technologies such as cloud-based and mobile applications,” he said.

The tool provides a way of demonstrating that an organisation is addressing sector-based vulnerabilities and proactively improving potential weak spots in its cyber defences.

Cost savings can be driven through adopting an efficient risk management approach using the recommendations in a CDCAT report, said Taylor. “The report will also identify if organisations are overspending in some areas so they can re-assign budget to areas that are most in need of investment,” he said.

Although CDCAT is available to organisations of any size, APMG expects first adopters to be large organisations who will help smaller organisations in their supply chains. “A big organisation could have all their suppliers checked through CDCAT to ensure that none are the weak link in the chain that could threaten their own security,” said Taylor.

For many of the organisations that have already done assessments, which include suppliers of critical national infrastructure, he said it is the first time they have been able to see the risk profile of all their systems in a consistent way. “Typically, it is the first time they are able to see which systems are more at risk than others.”

These assessments have also identified the trends the senior managers are still not buying into security management and that network monitoring is often an area of weakness, mainly because this is often outsourced and suppliers are either failing to deliver the information to the business or they are simply not required to do so by the outsourcing contract.

According to Pharro, CDCAT enables organisations to look beyond compliance. “By looking at how well controls have been implemented shows how mature the controls are in managing the risk and how effectively the organisation is protected, as well as identifying the areas of remaining weakness and potential vulnerability,” he said.  

Some organisations that have already been assessed, said Taylor, had recently been audited and certified as being compliant with ISO 27001, and did not expect to learn anything new. “One organisation in particular was so surprised what the CDCAT assessment uncovered that it asked for assessments on the organisation’s remaining five systems,” he said.

Read more on IT risk management