Cyber Entropy™ the Bane of every CISO
The concept of Cyber Entropy™ refers to the uncontrolled growth of all aspects of an organization within the “cyber” domain. This is most obvious with the proliferation of core business systems and enabling information technologies; however, less obvious are the cascading effects which impact business concepts such as expectations, opportunity, obligations, and risk. Left unaddressed, the entropy of the environment leads to increased complexity, inefficiency, poor decision-making, and negative consequences to the business. The most effective way to tame such ever expanding complexity is to decompose it into more tractable components and apply disciplined management to bring order to each of those topic areas. For this discussion, we’ll use the following decomposition of core topics:
· Networks, Hardware, Software, Deployments, and Vendors;
· Data/Information, and associated Access;
· Business Dependencies and Expectations, Opportunities, and Obligations;
· Threats, Vulnerabilities, and Risks
Network Entropy
Network entropy refers to the unmanaged growth of network infrastructure, including physical and virtual networks, switches, routers, wireless access points, segmentation, gateways, perimeters, tunnels, overlays, etc. Compounding this is the continued expansion of interconnected networks; most alarmingly, connecting “operational technology” (OT) networks like those supporting Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) environments with traditional corporate IT backbones. While connectivity is a fundamental business enabler, left unmanaged it will expose the organization to malicious actors.
Hardware Entropy
(e.g., rampant proliferation of physical and virtual devices)
This type of entropy is likely most obvious with the proliferation of devices, including both physical and virtual IT equipment, such as servers, storage devices, networking equipment, and end-user technology like computers and mobile devices. Not to be ignored is the emergence of network-connected Internet of Things (IoT) devices from smart controls like thermostats, to connected appliances and “smart” assistants, to wearable personal devices, to home/office security systems, to smart/connected robots and automobiles. Within a business, such sprawl of hardware devices often occurs due to decentralized purchasing, lack of inventory management, and inadequate hardware lifecycle management. And the result is an ever expanding “attack surface” for the business.
Software Entropy
(e.g., applications, "apps", services, components, plug-ins, extensions)
The entropy concept with software refers to the uncontrolled adoption of software components (commercial, open source, and internally developed) across an organization. More specifically, software or “application” entropy involves the proliferation of redundant, outdated, or underutilized applications within an organization, which usually results from a lack of centralized software governance, decentralized purchasing, willingness to permit “shadow” IT, and insufficient software license management. The broad adoption of open source software and the industry obsession with "micro-services" have accelerated this software entropy in recent decades. But so have browser plug-ins (e.g., the “browser” has become the end-user’s “operating system”, the platform where they install personal software) and software available “as-a-service” (SaaS), where software lives remotely but portions of it are pulled into the browser (temporarily) to execute on the end-user’s device. Compounding this, more and more technology today is “software-defined”, which blurs the lines of exactly what is considered “software” vs “hardware”.
Deployment Entropy
(e.g., on-premise, "cloud", "edge", "hybrid")
Directly related to hardware and software entropy is the concept of deployment entropy. Given the prolific use of terms such as “cloud” and “edge” to refer to the relative location of hardware and software, the topic of deployment approach is worth addressing here separately. Deployment entropy with respect to “cloud” assets occurs when an organization lacks visibility and control over resources centrally deployed in some “cloud” (whether “public” or “private”, it is still in an external datacenter). This can include the proliferation of virtual networks, virtual machines, containers, storage instances, and software-as-a-service (SaaS) subscriptions across multiple cloud providers, leading to increased costs, security vulnerabilities, and difficulty in managing and securing the cloud environment. Deployment entropy with respect to “edge” assets refers to the lack of visibility and control over decentralized resources which are deployed at or very near to the remote or end-user device, such as real-time analysis of video on dedicated devices attached to cameras on a manufacturing assembly line.
Vendor Entropy
(e.g., Third Party software and services)
No contemporary organization is an island. Over time, all develop dependencies on external parties to provide commodity goods and services which are not unique or critical to the competitive differentiation of their own business. This is particularly true with commodity “cyber” components such as hardware, software, and general business systems. The concept of vendor entropy here describes an organization’s ability to stay informed about market dynamics and analyze the potential risks and opportunities associated with their vendor selection, procurement strategies, and supply chain management. High vendor entropy usually results from undisciplined acquisition, often fueled by the search for greater efficiencies (better pricing) or perceived-to-be-unique offerings. While increasing flexibility and responsiveness, this introduces complexities in managing vendor relationships, evaluating options, and monitoring/auditing vendors to ensure performance and security levels are maintained. On the other hand, low vendor entropy does provide stability and consistency, but it may limit the ability to adopt market innovations, potentially result in higher costs, and/or create single-points-of-failure in critical dependencies for the business. Either way, an organization must deliberately balance the Risks inherent in their growing dependencies on external vendors.
Data/Information Entropy
Perhaps the most familiar and most taxing topic in this list, Data Entropy involves the exponential growth of information within an organization, including structured and unstructured data that is received, processed, shared, and stored across various internal and external systems and repositories (addressed above). This entropy most often results from inadequate data governance, lack of data classification, reluctance to develop a data “architecture” (e.g., what is it, where is it, for how long, where did it come from, where is it going to, etc.), decentralized data storage practices, and inconsistent data replication, backup and archiving procedures.
Access Entropy
(e.g., chasing privileges)
Very closely related to Data Entropy, and directly reliant upon a well-maintained Data Inventory, is the concept of Access Entropy. Here, this term refers to the level of disorder or poor discipline exercised in granting and revoking access permissions or privileges, very likely impacting the security (confidentiality, integrity, and availability) of sensitive information within an organization. Such entropy is at its worst where the principles of “Need to Know” and “Least Privilege” are considered too burdensome, e.g., in startups and other organizations with a high risk tolerance and a “need for speed” to get a product or service to market. Even where privileges or permissions are explicitly granted to individuals, they are often never revisited or revoked, leading to excessive privilege aggregation. The consequences of such Access Entropy (e.g., privilege creep) include the risk of unauthorized access, data breaches, extortion, and even data destruction when exploited by malicious actors or abused by authorized users, potentially leading to operational degradation, reputational harm, revenue losses, and legal liabilities for the business.
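To make the “never revisited or revoked” problem measurable, the following is an added example (not code from the article or from Phenomenati) that runs a simple privilege-creep check over a constructed entitlement export: it flags grants carried over from a former role, grants not re-certified within an assumed 180-day window, and grants whose owner has left the directory, then reports the share of grants in that state as a rough access-entropy score. The field names, roles and dates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample entitlement export (not real data): one row per grant.
# "granted_for" is the role the person held when the privilege was granted.
GRANTS = [
    {"user": "alice", "priv": "db:prod:read", "granted_for": "analyst",
     "reviewed": date(2021, 3, 1)},
    {"user": "alice", "priv": "deploy:prod", "granted_for": "engineer",
     "reviewed": date(2023, 4, 15)},
    {"user": "bob", "priv": "reports:read", "granted_for": "analyst",
     "reviewed": date(2022, 1, 10)},
    {"user": "carol", "priv": "admin:console", "granted_for": "sysadmin",
     "reviewed": date(2023, 5, 1)},
]
# Current role per user from the HR/directory feed; carol has left the company.
CURRENT_ROLE = {"alice": "engineer", "bob": "analyst"}
TODAY = date(2023, 6, 1)             # fixed "as of" date so the run is reproducible
REVIEW_WINDOW = timedelta(days=180)  # assumed re-certification interval

@dataclass
class Finding:
    user: str
    priv: str
    reason: str

def find_privilege_creep(grants, current_role, today, review_window=REVIEW_WINDOW):
    """Flag grants that Need-to-Know / Least-Privilege discipline would have revoked."""
    findings = []
    for g in grants:
        role_now = current_role.get(g["user"])
        if role_now is None:
            # User is gone but the privilege is not: an orphaned grant.
            findings.append(Finding(g["user"], g["priv"], "orphaned: user no longer in directory"))
        elif g["granted_for"] != role_now:
            # Role changed, old privilege carried over: the classic privilege-creep case.
            findings.append(Finding(g["user"], g["priv"],
                                    f"carried over from former role {g['granted_for']!r}"))
        elif today - g["reviewed"] > review_window:
            age = (today - g["reviewed"]).days
            findings.append(Finding(g["user"], g["priv"], f"not re-certified for {age} days"))
    return findings

def access_entropy(grants, findings):
    """Share of grants that are stale or orphaned: 0.0 = disciplined, 1.0 = nothing ever revoked."""
    return len(findings) / len(grants) if grants else 0.0
```

Run against a real export, the same two functions turn an abstract governance complaint into a number that can be tracked per quarter and per business unit.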
Business Entropy
(e.g., evolving Dependencies, Expectations)
As businesses expand and evolve, their reliance and potentially critical dependence on information and on IT infrastructure and solutions tends to increase. This can include reliance on the networks, hardware, software applications, databases, cloud services, and other IT resources discussed above. The problems arise when these dependencies on and expectations of IT are allowed to grow and evolve implicitly, unplanned, undocumented, and without adequate resources or management. This type of Business Entropy, the unchecked sprawl of the organization’s Dependencies upon and Expectations of the “cyber” infrastructure supporting and enabling the business, can lead to risky decision-making, poor business performance, missed business objectives, and even operational failures due to unplanned disruptions or outages of systems or suppliers. As the business evolves, its critical dependencies on information and enabling technologies must be explicitly documented, and must continuously inform the investments required to keep the Resiliency of IT infrastructure well aligned to the needs of the business.
Opportunity Entropy
(e.g., new products/services, new partners, new customers, new markets)
For contemporary businesses like those driven by the promise of digital transformation, the concept of Opportunity Entropy refers to the expansive range of possibilities and potential growth avenues that arise from internal R&D efforts, external M&A targets, or leveraging technology and digitization to enhance business operations, to create new products and services, or to tap into emerging markets. Consideration of new Opportunities is of course fundamental to maintaining the agility, adaptability, and competitiveness of any business. But too often, pursuit of such new business Opportunities is not well Risk-informed. Most important here is to acknowledge that the objective of information security and risk management is “Not about saying No”, but rather is “About saying Yes, responsibly.”
Obligation Entropy
(e.g., Legal, Regulatory, Contractual, Ethical)
Critical to this concept of Cyber Entropy is the acknowledgment that the organization is subject to an ever-growing set of professional Obligations. Here the business must embrace the expanding scope and complexity of responsibilities and requirements that organizations must comply with in their planning and decision-making processes, their ongoing operations, and even with their interactions with staff, clients, consumers, partners, and vendors. In recent years, the expansion of these Obligations has intensified due to several factors, including: globalization, technological advancements, threat actor activity, introduction of new regulations (e.g., international, extra-territorial Privacy laws), and evolving societal expectations. Businesses are increasingly being held accountable for their actions, and non-compliance or unethical behavior can result in reputational damage, legal consequences, financial penalties, even personal criminal liabilities, and most importantly a loss of Trust.
Vulnerability Entropy
(e.g., in people, processes, and technologies)
Any discussion regarding Entropy in the Vulnerability landscape has to start with those in information technology. Here there are an ever-growing number of vulnerabilities that can be exploited by malicious actors or inadvertently expose sensitive information. These vulnerabilities can arise from various sources, such as software bugs, coding errors, misconfigurations of storage or virtualized environments, insecure protocols, or weaknesses in hardware components. The continuous expansion of these vulnerabilities increases the complexity of managing and securing business systems, as well as the difficulty in predicting and addressing potential security risks. That said, beyond vulnerabilities in technologies, most organizations also wrestle with vulnerabilities in their people (e.g., lack of awareness, discipline, responsibility, accountability) and their processes (e.g., lack of consistency, checks, audits, etc.) as well.
Threat Entropy
(e.g., natural disaster, man-made, external threats, insider threats)
Entropy in the Cyber Threat Landscape needs no explanation to those directly involved with digital forensics and incident response (DFIR) on a regular basis. The cyber threat landscape is constantly evolving, with new capabilities and malicious tactics, techniques, and procedures (TTPs) emerging literally daily, making it nearly impossible to predict, detect, and defend against all potential cyber threats. Complicating this are the influences on people that can turn trusted staff into Insider Threats. For all practical purposes, there is no way for even the largest of organizations to force order and control on the chaos and entropy in the Threat Landscape. The best that can be achieved is to stay continuously informed and use that knowledge to inform one’s own defenses.
Risk Entropy™
(e.g., emergent Risk Scenarios)
Risk is not a problem to be solved. It is a characteristic of performing any task or function to achieve an important objective or outcome, while protecting the interests of all potential stakeholders. Further, Risk is never static, but dynamically evolves as the operational environment where the task/function is performed continues to evolve. Herein lies the inherent Entropy of Risk, which ignored or left unchecked can eventually lead to a range of potential negative consequences for a business.
One practical yet powerful concept that has proven to be effective at bringing order to the chaos of Risk Entropy is that of Risk Level Agreements™ (RLA) between an executive team and an organization’s board of directors. These agreements are based on specific Risk Scenarios that have been qualitatively and quantitatively assessed, include matrices of recommended Controls, and establish a Cost/Benefit Analyses to help inform Risk Treatment decisions and investments.
Conclusion
In summary, Cyber Entropy is the amalgamation of many concurrent and potentially destructive market forces continuously pulling on the resources of every organization.
While the resulting complexity can seem overwhelming, addressing Cyber Entropy is possible with some discipline and deliberate investment in both staff time and supporting technologies, to implement effective governance, disciplined risk management, and control mechanisms across many levels of the organization.
Learn more about how Phenomenati helps our clients tame their Cyber Entropy at www.cyberentropy.com.
Cyber Entropy –Control it, or it will control you.
Copyright © 2023 Phenomenati – All Rights Reserved.