The Ten Commandments of Not Getting Pwned

The ‎purpose‏ ‎of ‎"Cyber ‎Defense ‎Doctrine ‎that‏ ‎Manages ‎Risks:‏ ‎a‏ ‎Complete ‎Applied ‎Guide‏ ‎to ‎Organizational‏ ‎Cyber ‎Defense" ‎is ‎to‏ ‎establish‏ ‎a ‎set‏ ‎of ‎core‏ ‎principles ‎that ‎organizations ‎should ‎adhere‏ ‎to‏ ‎in ‎order‏ ‎to ‎effectively‏ ‎manage ‎cyber ‎risks ‎and ‎enhance‏ ‎their‏ ‎cyber‏ ‎resilience.

The ‎intended‏ ‎audience for ‎these‏ ‎principles ‎includes‏ ‎organizational‏ ‎leaders, ‎information‏ ‎security ‎professionals, ‎and ‎cyber ‎defense‏ ‎experts ‎who‏ ‎are‏ ‎responsible ‎for ‎managing‏ ‎cyber ‎risks‏ ‎and ‎implementing ‎defense ‎strategies‏ ‎within‏ ‎their ‎organizations

Automation‏ ‎and ‎Integration‏ ‎process

The ‎document ‎emphasizes ‎the ‎importance‏ ‎of‏ ‎automation ‎and‏ ‎orchestration ‎processes‏ ‎in ‎defense ‎doctrine:

📌Automation ‎and ‎orchestration‏ ‎processes‏ ‎reduce‏ ‎the ‎need‏ ‎for ‎human‏ ‎involvement ‎in‏ ‎defense‏ ‎and ‎operational‏ ‎processes, ‎thereby ‎minimizing ‎the ‎likelihood‏ ‎of ‎human‏ ‎error‏ ‎and ‎reducing ‎the‏ ‎level ‎of‏ ‎exposure ‎of ‎various ‎bodies‏ ‎to‏ ‎personal ‎information

📌The‏ ‎document ‎suggests‏ ‎adopting ‎the ‎MITRE ‎ATT&CK ‎ontology‏ ‎to‏ ‎use ‎advanced‏ ‎automated ‎solutions‏ ‎for ‎continuous ‎and ‎ongoing ‎control‏ ‎and‏ ‎execution‏ ‎of ‎response‏ ‎processes. ‎This‏ ‎would ‎limit‏ ‎human‏ ‎manual ‎involvement‏ ‎to ‎exceptional ‎cases

📌proactive ‎defense ‎actions‏ ‎should ‎be‏ ‎taken‏ ‎to ‎preserve ‎information.‏ ‎This ‎includes‏ ‎maintaining ‎effective ‎capabilities ‎for‏ ‎dealing‏ ‎with ‎information‏ ‎leakage ‎events,‏ ‎such ‎as ‎acquiring ‎the ‎ability‏ ‎to‏ ‎remove ‎information‏ ‎that ‎has‏ ‎been ‎leaked ‎to ‎the ‎Internet‏ ‎and‏ ‎Darknet

📌The‏ ‎document ‎emphasizes‏ ‎that ‎the‏ ‎Chief ‎Information‏ ‎Security‏ ‎Officer ‎(CISO)‏ ‎plays ‎a ‎significant ‎role ‎in‏ ‎protecting ‎information‏ ‎and‏ ‎privacy, ‎and ‎must‏ ‎harness ‎the‏ ‎various ‎bodies ‎within ‎the‏ ‎organization‏ ‎to ‎maximize‏ ‎the ‎level‏ ‎of ‎defense

📌The ‎defense ‎doctrine ‎controls‏ ‎are‏ ‎incorporated ‎into‏ ‎a ‎framework‏ ‎that ‎includes ‎aspects ‎of ‎identification,‏ ‎defense,‏ ‎detection,‏ ‎response, ‎and‏ ‎recovery. ‎Through‏ ‎the ‎implementation‏ ‎of‏ ‎cyber ‎defense‏ ‎recommendations ‎and ‎information ‎security, ‎aspects‏ ‎that ‎serve‏ ‎the‏ ‎defense ‎of ‎privacy‏ ‎are ‎interwoven‏ ‎into ‎the ‎controls ‎themselves

📌The‏ ‎concept‏ ‎of ‎defense‏ ‎required ‎to‏ ‎address ‎advanced ‎threats ‎includes ‎advanced‏ ‎approaches.‏ ‎Using ‎these‏ ‎approaches ‎will‏ ‎help ‎the ‎organization ‎achieve ‎advanced‏ ‎capabilities,‏ ‎such‏ ‎as ‎validation‏ ‎and ‎deception‏ ‎in ‎order‏ ‎to‏ ‎gain ‎time,‏ ‎exhaust ‎the ‎attacker, ‎and ‎even‏ ‎create ‎deterrence‏ ‎against‏ ‎potential ‎attackers

CISO ‎Role

The‏ ‎CISO ‎plays‏ ‎a ‎critical ‎role ‎in‏ ‎protecting‏ ‎information ‎and‏ ‎privacy ‎within‏ ‎an ‎organization. ‎This ‎includes ‎understanding‏ ‎and‏ ‎complying ‎with‏ ‎privacy ‎laws,‏ ‎balancing ‎different ‎interests, ‎managing ‎risk,‏ ‎guiding‏ ‎defense‏ ‎strategies, ‎and‏ ‎implementing ‎controls‏ ‎effectively:

📌 Protection ‎of‏ ‎Privacy‏ ‎Law: It ‎states‏ ‎that ‎any ‎infringement ‎on ‎privacy‏ ‎must ‎be‏ ‎carried‏ ‎out ‎in ‎accordance‏ ‎with ‎the‏ ‎law ‎and ‎general ‎principles‏ ‎of‏ ‎reasonableness ‎and‏ ‎good ‎faith.

📌 Balancing‏ ‎Interests: The ‎CISO ‎must ‎strike ‎the‏ ‎right‏ ‎balance ‎between‏ ‎different ‎interests‏ ‎to ‎enable ‎informed ‎decisions ‎within‏ ‎the‏ ‎organization.‏ ‎This ‎includes‏ ‎considering ‎aspects‏ ‎of ‎privacy‏ ‎and‏ ‎compliance ‎with‏ ‎principles ‎such ‎as ‎Security ‎by‏ ‎Design, ‎Privacy‏ ‎by‏ ‎Design, ‎and ‎Threat‏ ‎Informed ‎Defense

📌 Risk‏ ‎Assessment ‎and ‎Management: a ‎process‏ ‎for‏ ‎risk ‎assessment‏ ‎and ‎management‏ ‎includes ‎defining ‎main ‎defense ‎objectives,‏ ‎identifying‏ ‎defense ‎gaps,‏ ‎and ‎building‏ ‎a ‎work ‎plan ‎to ‎minimize‏ ‎these‏ ‎gaps.‏ ‎The ‎CISO‏ ‎plays ‎a‏ ‎crucial ‎role‏ ‎in‏ ‎this ‎process

📌 Management‏ ‎Responsibility: The ‎responsibility ‎for ‎protecting ‎information‏ ‎primarily ‎lies‏ ‎with‏ ‎the ‎management ‎of‏ ‎the ‎organization.‏ ‎The ‎CISO ‎is ‎a‏ ‎key‏ ‎figure ‎in‏ ‎ensuring ‎this‏ ‎responsibility ‎is ‎met

📌 Defense ‎from ‎the‏ ‎Adversary's‏ ‎View: The ‎CISO‏ ‎should ‎understand‏ ‎common ‎attack ‎scenarios ‎and ‎the‏ ‎effectiveness‏ ‎of‏ ‎defense ‎recommendations‏ ‎against ‎them.‏ ‎This ‎understanding‏ ‎informs‏ ‎the ‎weight‏ ‎and ‎priority ‎of ‎defense ‎recommendations

📌 Defense‏ ‎based ‎on‏ ‎Potential‏ ‎Damage: The ‎investment ‎in‏ ‎protecting ‎each‏ ‎defense ‎target ‎should ‎be‏ ‎in‏ ‎accordance ‎with‏ ‎its ‎level‏ ‎of ‎criticality ‎for ‎the ‎organization's‏ ‎functioning.‏ ‎The ‎CISO‏ ‎should ‎guide‏ ‎this ‎investment

📌 Defense ‎based ‎on ‎Depth‏ ‎of‏ ‎Implementation: it‏ ‎encourages ‎organizations‏ ‎to ‎implement‏ ‎controls ‎at‏ ‎different‏ ‎levels ‎of‏ ‎maturity. ‎The ‎CISO ‎should ‎examine‏ ‎controls ‎according‏ ‎to‏ ‎their ‎implementation ‎effectiveness

📌 Organizational‏ ‎Classification: a ‎classification‏ ‎system ‎for ‎organizations ‎based‏ ‎on‏ ‎the ‎potential‏ ‎damage ‎from‏ ‎a ‎cyber ‎incident. ‎The ‎CISO‏ ‎should‏ ‎understand ‎where‏ ‎their ‎organization‏ ‎falls ‎within ‎this ‎classification ‎system‏ ‎to‏ ‎guide‏ ‎their ‎defense‏ ‎strategy.