WO2019240604A1 - Device, system and method for cyber security managing in a remote network - Google Patents


Info

Publication number
WO2019240604A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
module
monitored network
security level
managing
Application number
PCT/PL2018/050025
Other languages
French (fr)
Inventor
Michal SUCHOCKI
Original Assignee
Suchocki Michal

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management

Abstract

The invention relates to a device (500) for cyber security managing comprising a security level assessment module (520) for assessing current security level of the monitored network, and configured to be connected within the monitored network (400) so as to cooperate internally with components of the monitored network (400), characterized in that it is configured to acquire input data providing additional functionality to at least said security level assessment module (520) by means of a secure connection via a Jumpserver (300) from a remote security service provider workstation (200) which is located beyond the monitored network (400). The invention also relates to a system and a method for cyber security managing.

Description

DEVICE, SYSTEM AND METHOD FOR CYBER SECURITY MANAGING IN A REMOTE NETWORK
[0001] The present invention relates to a system and method for cyber security managing in a remote network that covers the holistic aspect of cyber security. The invention is directed to the domain of external and internal cyber security services. More particularly, the invention can be used to monitor and secure the complex information systems of business entities and of organizations of every kind.
[0002] With the increasing use of digital technologies and connectivity come greater security challenges. Cyber security is an ever-evolving field requiring extensive knowledge and skills. Moreover, the number of probable targets is constantly growing, with many sophisticated attacks aimed specifically at large, company-affiliated networks. Companies are forced either to retain expensive cyber security personnel and infrastructure or to acquire specialized cyber security services.
[0003] However, current cyber security services require either physical access to the network of the client company, which costs additional time and travel expenses for sufficient personnel, or, in the case of remote access, the transfer of large amounts of sensitive data needed for threat analysis with specialized software by an external cyber security service, which may pose an additional security risk to the client company.
[0004] For example, document US 2012/0011077 discloses a cloud-based system and method for cyber security managing offered by a third-party service provider. However, such a system and method is not convenient for organizations reluctant to use cloud services.
[0005] A system and method for cyber security managing adapted to monitor industrial premises is also known from document US2017/0237752. The known system comprises a risk manager connected within the monitored network, while the known method includes receiving, by a risk manager system, real-time data from a plurality of connected devices. The method includes creating, by the risk manager system, a data model based on the real-time data. The method includes analysing, by the risk manager system, the data model to identify potential current threats. The method includes predicting, by the risk manager system, potential threats. The method includes notifying a user, by the risk manager system, of the potential threats. However, such a known system and method are not a convenient solution to be offered by a third-party service provider, as they do not provide remote control for the service provider. Moreover, the known system and method do not provide the possibility of reacting automatically to boost the security level within the monitored network.
[0006] Therefore, there is still a need for a system and method for cyber security managing that would enable remote and very secure access to a customer’s network to be monitored, so as to minimize the amount of data transferred outside the monitored network. Moreover, there is still a need for a system and method for cyber security managing that would provide a quality security assurance service enabling both cyber security level assessment and cyber security level enhancement, in particular in real time.
DISCLOSURE OF THE INVENTION
[0007] The present invention proposes to remedy the drawbacks referred to above, at least in part, by providing a device for cyber security managing comprising a security level assessment module for assessing the current security level of the monitored network, and configured to be connected within the monitored network so as to cooperate internally with components of the monitored network, characterized in that it is configured to acquire input data providing additional functionality to at least said security level assessment module by means of a secure connection via a Jumpserver from a remote security service provider workstation which is located beyond the monitored network.
[0008] In a preferred refinement of the device, it is further configured to acquire input data providing additional functionality to at least said security level assessment module by means of a secure connection via the Jumpserver from a remote expertise database.
[0009] Advantageously, the device is further configured for remote external presentation of the data output at least by said security level assessment module, by means of a secure connection via the Jumpserver 300, on the remote security service provider workstation which is located beyond the monitored network.
Advantageously, the device further comprises a security level boost module for modifying current security level of the monitored network.
[0010] Advantageously, the device further comprises a security level standards compliance module for monitoring current compliance with security level standards of the monitored network.
[0011] Advantageously, the device comprises a remote display comprising a console enabling to remotely input data for providing additional functionality to at least said security level assessment module.
[0012] Advantageously, the remote display comprises a dashboard module configured to remotely present the data outputted at least by said security level assessment module on a workstation which is located within the monitored network.
[0013] Advantageously, the dashboard module comprises a ticketing module enabling secure communication between said workstation which is located within the monitored network and the remote security service provider workstation which is located beyond the monitored network.
[0014] Advantageously, the dashboard module comprises a snapshot module for emailing information on the security level to workstations within the monitored network.
[0015] According to another aspect, the object of the invention is a system for cyber security managing characterized in that it comprises a device for cyber security managing according to any of the preceding claims which is connected within a monitored network, and a security service provider workstation which is located beyond the monitored network and connected to the device for cyber security managing by means of a secure connection via a Jumpserver.
[0016] Advantageously, the system further comprises an expertise database located beyond the monitored network and connected to the security service provider workstation located beyond the monitored network.
[0017] Yet according to another aspect the object of the invention is a method for cyber security managing comprising a step of security level assessing within the monitored network and a step of presenting results of security level assessing within the monitored network characterized in that it further comprises a step of acquiring input data providing additional functionality to at least said security level assessment module by means of a secure connection via a Jumpserver from a remote security service provider workstation which is located beyond the monitored network.
[0018] Advantageously, the method further comprises a step of acquiring input data providing additional functionality to at least said security level assessment module by means of a secure connection via a Jumpserver from a remote expertise database which is located beyond the monitored network.
[0019] Advantageously, the method comprises a step of remote external presentation of the data outputted at least by said security level assessment module by means of a secure connection via the Jumpserver on the remote security service provider workstation which is located beyond the monitored network.
[0020] Advantageously, the method further comprises a step of security level boosting performed in real time based on the data outputted in the step of security level assessment, the data outputted in both steps not leaving the monitored network.
[0021] Advantageously, the method further comprises a step of secure communication via the Jumpserver between a workstation which is located within the monitored network and the remote security service provider workstation which is located beyond the monitored network by remote display means.
[0022] Advantageous developments of the device for cyber security managing in a remote network according to the invention are specified in the dependent claims.
[0023] The device, system and method for cyber security managing according to the invention provide a comprehensive solution for cyber security assurance. It involves organization security risk assessment and compliance, all manageable from a remote location in a very secure way.
[0024] By working within the monitored customer’s network, the device for cyber security managing according to the invention removes the need to transfer large amounts of sensitive data to and from a remote location. The device for cyber security managing according to the invention combines different cyber security technologies with cyber security techniques. Among other things, the device allows automated and manual assessment and threat gap analysis to be performed.
[0025] The secure connection of the device for cyber security managing with the workstation of the cyber security managing service provider guarantees that no physical presence of staff members at the location of the monitored network is required and that remote surveillance of the device for cyber security managing is safe for the customer.
[0026] The presence of the remote display module and the console module in the device for cyber security managing provides the security assurance team of the service provider with the ability to act remotely as the customer's security department, and allows active work on boosting the security of the monitored network, reacting to ongoing threats and, most importantly, making the customer's management aware of all security risks inside the organization. In particular, secure remote presentation of the data generated by the device for cyber security managing allows the security assurance team of the service provider or the security team of the customer to decide whether to accept or address the risk.
[0027] Thanks to the assessment module embedded in the device for cyber security managing, ultimate control of the company’s cyber security measures is provided. The assessment module of the device provides assessments that identify and track vulnerabilities together with their related business impact.
[0028] The device for cyber security managing boosts organization security by measuring the cyber security level and mitigating risks, i.e. by dynamically closing security gaps and implementing adequate policies, thanks to the presence of the security level boost module. Thanks to the security level compliance module, the device for cyber security managing also provides pro-active managing of compliance with international security standards.
[0029] By embedding the remote display module along with the dashboard submodule into the device, active reports are provided for security specialists as well as for the CxO of the monitored network. By embedding the security level assessment module together with the security level boost module into the device, the device for cyber security managing according to the invention provides pure action-oriented security measurements. It transforms post-hoc security execution into dynamic risk mitigation and implementation. The device also provides control of all cyber security risk, linked to increased accountability.
[0030] Thanks to the presence of at least the security level assessment module and the security level boost module in one location in one device, it is possible to pass directly from assessment reports to required actions, from post-hoc to dynamic implementation of cyber security measures, and from recommendations to accountability. By connecting the security level compliance module with those two modules it is also possible to pass from periodic compliance to “real time” compliance.
[0031] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only, and should not be considered restrictive of the scope of the invention, as described and claimed. Further, features and/or variations may be provided in addition to those set forth herein. For example, embodiments of the invention may be directed to various combinations and sub-combinations of the features described in the detailed description.
[0032] Other advantages and features will become apparent on reading the description of the invention and from the appended drawings, in which:
[0033] FIG. 1 is a schematic view of the system for cyber security managing according to the invention showing connections between remote components of the system.
FIG. 1A shows schematically the flow of the external knowledge to the device for cyber security managing according to the invention.
FIG. 2 is a general block diagram showing the device for cyber security managing according to the invention,
FIG. 3A - 3D are detailed block diagrams showing selected modules of the device for cyber security managing according to the invention,
FIG. 4 shows schematically details of the dashboard module,
FIG. 5 shows schematically the components of the monitored network with which the device for cyber security managing according to the invention cooperates,
FIG. 6 shows schematically selected details of the method for cyber security managing according to the invention, particularly in relation to the security level assessing step,
FIG. 7 shows schematically selected details of the method for cyber security managing according to the invention, particularly in relation to the security level boosting step,
FIG. 8 shows schematically selected details of the method for cyber security managing according to the invention, particularly in relation to the security level compliance monitoring step,
FIG. 9 shows schematically the flow of information in the method for cyber security managing according to the invention, particularly in relation to the security level assessing step,
FIG. 10 shows schematically the flow of information in the method for cyber security managing according to the invention, particularly in relation to the security level boosting step,
FIG. 11 shows schematically the flow of information in the method for cyber security managing according to the invention, particularly in relation to the security level compliance monitoring step.
[0034] Identical elements or elements having the same function are provided with the same reference numbers in the figures.
[0035] One of the objects of the invention is a system for cyber security managing which allows to provide security service by a third party.
[0036] FIG. 1 shows a schematic view of the system 100 for cyber security managing, comprising a workstation 200 of the cyber security service provider, a jump server 300, a monitored customer’s network 400, a device 500 for cyber security managing and an expertise database 600 of the cyber security service provider.
[0037] The workstation 200 of the cyber security service provider comprises at least one computer device (not shown). Preferably, the computer device is a Personal Computer. The workstation 200 of the cyber security service provider is preferably located remotely with respect to the monitored customer’s network 400. The workstation 200 of the cyber security service provider allows security testers who work for the cyber security service provider to interact remotely with the monitored customer’s network components as well as with the device 500 for cyber security managing.
[0038] The workstation 200 of cyber security service provider is connected with the monitored customer’s network 400, preferably via a Jump server 300.
[0039] The Jump server 300 is a proxy server in communication with both the workstation 200 of cyber security service provider and the monitored customer’s network 400. The jump server 300 provides credentials and access to the monitored customer’s network 400.
[0040] Any known type of connection using the jump server 300 running Linux can be used to connect the workstation 200 of the cyber security service provider with the monitored customer’s network 400 and the device 500 for cyber security managing.
[0041] In other words, the Jump server 300 is responsible for receiving all incoming connections from/to the different customer network devices through the devices 500 for cyber security managing placed within the different monitored customer's networks 400. The Jump server 300 consists of a regular Linux server which has been hardened (possessing improved security configurations). This includes operating system security configuration enhancements such as file and access rights on files and programs, active incoming and outgoing firewall configuration and removal of unnecessary software. The Jump server 300 is exposed to the public Internet so that it can listen for incoming connections from the devices 500 for cyber security managing, but the firewall configuration has been tightened so as not to allow any incoming connections except from the devices 500 for cyber security managing and the workstation 200 of the cyber security service provider. The connection is made through the Secure Shell (SSH) service using a public and private key pair. This key exchange is considered cryptographically secure. The connection from the device 500 for cyber security managing to the Jump server 300 is automated using Linux cron jobs and custom scripts. Once the connection is established an SSH tunnel is created; the security testers working on the workstation 200 of the cyber security service provider have individual credentials for the Jump server 300 and, once logged in there, they perform a reverse shell connection through the previously established SSH tunnel. This reverse shell connection, which is protected by individual, password-protected user accounts, gives the staff member of the service provider working on the workstation 200 of the cyber security managing service provider access to the specific device 500 for cyber security managing.
This makes it possible to manage which staff members of the cyber security managing service provider should have access to which devices 500 for cyber security managing. It also allows logging and monitoring of the security testers, among other things their access to the Jump server 300 and to the possible plurality of devices 500 for cyber security managing.
[0042] As shown in FIG. 1, the monitored customer’s network 400 monitored by the device 500 for cyber security managing is an internal network of a business entity of any type. It typically comprises at least the servers required for business operations, such as e-mail, file and backup servers, the end-point devices which employees use, and other servers such as HR, financial and business-related systems.
[0043] As shown in FIG. 1, the workstation 200 of the cyber security service provider is connected to the expertise database 600 of the cyber security service provider. Said expertise database 600 comprises, among other things, data relating to special scenarios for security level assessment, which are scenarios additional to the ones provided by default by a security level assessment module 520 of the device 500 for cyber security managing, as will be described later on.
[0044] As shown in FIG. 1A, the special scenarios are prepared based on the expertise of the service provider specialists. For example, said special scenarios can relate to vulnerability scenarios created in a very unique manner. The device 500 for cyber security managing is constantly updated with vulnerability scenarios. The RnD Team of the security service provider is responsible for creating and emulating unique and specific vulnerabilities based on review and monitoring of the “black market vulnerability”, on exploit emulations and modifications, and on best experience and best practices.
[0045] An example of data stored in the expertise database 600 can be a Python script that will purposely connect over the internet to a vulnerable service (for example a WordPress website). Once downloaded by the staff of the security service provider from the expertise database 600, the script will run automatically on the device 500 for cyber security managing and abuse the bug in WordPress to execute system commands on the operating system of one of the servers within the monitored network 400. This is known as an RCE, remote code execution vulnerability. By purposely running such a script, a specific aspect of the cyber security within the monitored network 400 is assessed.
[0046] Another example of expertise knowledge stored in the expertise database 600 can be an exploit script to be located on an employee laptop within the monitored network 400. When the (non-admin) employee user account runs such a script, downloaded purposely by the staff member of the security service provider, it will abuse a bug in the SMB protocol by connecting to a file share on the internal monitored network 400. When the code executes, the privileges escalate to admin privileges, and it is possible to create a new user account that has admin access. The script runner can then use this account to log in as admin to other systems. This is known as a local privilege escalation exploit. By purposely running such a script, another specific aspect of the cyber security within the monitored network 400 is assessed by the staff members of the cyber security managing service provider.
[0047] Thanks to said external, remotely located expertise database 600, important knowledge and additional functionality are provided to the device 500 for cyber security managing without the need to physically send members of the security service provider staff to the real location of the monitored customer’s network 400. The external expertise database 600 also provides a kind of flexibility to the security service and allows the cyber security managing service to be updated almost on the fly.
[0048] The most important component of the system for cyber security managing according to the invention is the device 500 for cyber security managing. It is a physical unit placed at the customer’s location. Thanks to this feature no critical and sensitive data leave the monitored customer’s network 400, as the data for cyber security managing are acquired and analyzed locally by the device 500 for cyber security managing within the monitored customer’s network 400.
[0049] The device 500 for cyber security managing is a computer unit comprising hardware and software components. The device 500 for cyber security managing is a part of the complex security managing service and is configured by the security service provider. The configuration of the device 500 for cyber security managing can be standard or customized. The person skilled in the art will appreciate that customization can also be realized remotely by enabling or disabling certain functionalities.
[0050] In other words, the device 500 for cyber security managing comes to the customer as a pre-configured device, and in order to enable its operation within the monitored customer’s network 400 the customer only connects a power cable and an Ethernet (RJ-45) network cable. The device 500 for cyber security managing will then automatically initiate an SSH connection to the Jump server 300, where at least one staff member of the security service provider can interact with the device 500 for cyber security managing via the workstation 200 of the security service provider.
[0051] As mentioned earlier, all network traffic going to and from the Jump server 300 is encrypted by SSH. This guarantees a very secure manner of remotely monitoring the operation of the device 500 for cyber security managing, as well as providing other aspects of the complex cyber security managing service such as inputting additional data to the device 500 for cyber security managing. For example, some assessment activities and their results can be manually enabled, controlled and monitored from the workstation 200 of the service provider. In another example, special additional assessment scenarios can be uploaded and enabled from the expertise database 600.
[0052] The device 500 for cyber security managing does not interrupt any normal work of the monitored customer’s network 400. If the customer chooses to, they can disconnect the network cable to prevent the cyber security managing service provider from accessing the device 500 for cyber security managing during certain hours of the day.
[0053] The device 500 for cyber security managing allows monitoring the customer’s network 400 in two different ways. In one embodiment the device 500 for cyber security managing can act as an external workstation connected to the monitored customer’s network 400 and is able to identify other servers and end-point clients on the monitored customer’s network 400. For this purpose, any component of the monitored customer’s network 400 that has obtained an IP address is a potential target for at least security level assessing by the device 500 for cyber security managing according to the invention. Such an embodiment allows the execution and emulation of unique scripts which are not yet listed in a vulnerabilities database, e.g. that of the National Institute of Standards and Technology (NIST). In a proper cyber security approach 30% of vulnerabilities can be automated by generic scripts but 70% should be done based on emulation of new exploits. Each organization should adopt such an approach to increase its cyber security level and become more proactive.
[0054] In another embodiment the device 500 for cyber security managing can act as a SOC/SIEM device. The device 500 for cyber security managing can be configured to collect certain configuration and log files from other systems of the customer’s network 400 with the customer's assistance. The gathered sources can then be reviewed automatically by the device 500 for cyber security managing and security issues can be identified. In this embodiment the most critical systems and servers within the monitored customer’s network 400 will be targeted and monitored. This embodiment is complementary to the previous one. Thanks to the SOC/SIEM functionality, the device 500 allows the organization's cyber security status to be followed 24/7 and a real-time reaction to any breaches.
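As an added example of the access path described in [0041] and [0050] (not the patent's own scripts or configuration), the following POSIX shell script shows the device-side cron job that keeps the outbound, key-authenticated SSH tunnel to the Jump server alive, together with the authorized_keys entry and sshd_config Match blocks a hardened Jump server would use to confine that tunnel to a single loopback port. The host name, account names, key path and port are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the patent): device 500 side of the reverse SSH tunnel to the
# Jump server 300, plus the Jump-server settings that confine it.
# Assumed placeholders: jump.example.invalid, device500, testers, the key path and port 20001.
set -eu

JUMP_HOST="${JUMP_HOST:-jump.example.invalid}"   # public Jump server (placeholder)
JUMP_USER="${JUMP_USER:-device500}"               # unprivileged account used only by this device
KEY="${KEY:-/etc/csm/device_ed25519}"             # device private key; public half sits in the Jump server's authorized_keys
REMOTE_PORT="${REMOTE_PORT:-20001}"               # loopback port on the Jump server mapped back to this device; one port per device
LOCAL_SSH_PORT="${LOCAL_SSH_PORT:-22}"            # sshd on the device itself

# Command line for the outbound tunnel.
#  -N                         : no remote shell, the connection only carries the reverse forward
#  -R 127.0.0.1:RP:127.0.0.1:22 : bind to the Jump server's loopback only, so a tester must first
#                               log in to the Jump server with individual credentials to reach the device
#  ExitOnForwardFailure       : if the port is still held by a stale tunnel, exit so cron retries
#  ServerAlive*               : a dead tunnel is noticed within ~90 s and the client exits for cron to restart it
#  StrictHostKeyChecking      : the Jump server host key is pinned in known_hosts at provisioning time
#  BatchMode                  : never prompt; cron has no terminal
tunnel_cmd() {
  printf '%s' "ssh -i $KEY -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -o BatchMode=yes -R 127.0.0.1:${REMOTE_PORT}:127.0.0.1:${LOCAL_SSH_PORT} ${JUMP_USER}@${JUMP_HOST}"
}

# True if a tunnel for this device's port already exists (cron fires every minute and two
# tunnels must never compete for the same remote port).
tunnel_running() {
  pgrep -f -- "-R 127.0.0.1:${REMOTE_PORT}:" >/dev/null 2>&1
}

# Start the tunnel in the background if none is running; log to syslog so the customer can audit it.
ensure_tunnel() {
  if tunnel_running; then
    return 0
  fi
  logger -t csm-tunnel "starting reverse tunnel to ${JUMP_HOST} on port ${REMOTE_PORT}"
  # word splitting of the command string is intended here
  nohup $(tunnel_cmd) >/dev/null 2>&1 &
}

# authorized_keys line for the device account on the Jump server: the key may do nothing except
# open the one reverse listener it needs (no shell, no PTY, no agent or X11 forwarding).
authorized_keys_line() {
  pubkey="$1"
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s device500-tunnel\n' "$REMOTE_PORT" "$pubkey"
}

# sshd_config Match blocks for the Jump server (printed, not applied):
#  - device account: remote forwards only, no session; PermitListen repeats the key restriction
#  - tester accounts: key plus password, may only connect onward to the device port on loopback
sshd_match_blocks() {
  cat <<EOF
Match User ${JUMP_USER}
    AllowTcpForwarding remote
    PermitListen 127.0.0.1:${REMOTE_PORT}
    PermitOpen none
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
Match Group testers
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:${REMOTE_PORT}
    AuthenticationMethods publickey,password
    PermitTTY yes
EOF
}

# Command a tester runs after logging in to the Jump server: hop through the loopback listener
# into the device, where the device's own sshd checks the tester's individual account and password.
tester_cmd() {
  printf 'ssh -p %s %s@127.0.0.1' "$REMOTE_PORT" "$1"
}

# Crontab entry that makes the tunnel self-healing: re-check once a minute.
crontab_line() {
  printf '* * * * * /usr/local/sbin/csm-tunnel.sh start\n'
}

case "${1:-}" in
  start)  ensure_tunnel ;;
  config) sshd_match_blocks ;;
  *) : ;;   # no-op when sourced or run without arguments
esac
```

Running the script with `config` prints the Match blocks for review; only `start` touches the network.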
[0055] FIG. 2 shows a schematic block diagram of the device 500 for cyber security managing.
The device for cyber security managing 500 embodies a cyber security assurance platform 510.
[0056] The cyber security platform 501 preferably comprises a , security level assessment module 520, security level boost module 540, security level compliance module 560, operation system 570, processor unit 571 , memory 572, storage device 573, communication unit 574, input/output unit 575 and remote display 580.
[0057] As mentioned earlier the device 500 for cyber security managing can be a typical computer unit which comprises a processor unit 571 for performing appropriate calculations and computer program instructions along with the operation system 570 running on it. The device 500 for cyber security managing further comprises the memory 572 which provides memory space for use by the processor unit 571 . It can be for example RAM. Moreover the device 500 for cyber security managing typically comprises the communication unit 574 which facilitates wired communication to and from the device 500 for cyber security managing. The person skilled in the art will appreciate that if required the communication unit 574 can facilitate also wireless communication.
[0058] The device 500 for cyber security managing further comprises an additional storage device 573 which stores operation parameters of the device 500 for cyber security managing and other important data, such as a database of complex vulnerability scenarios, a database of logs, a ticketing system database etc. The idea behind the device 500 for cyber security managing according to the invention is to provide locally as much as possible of the important input data required for proper operation of all modules of the device 500 for cyber security managing which are responsible for the complex security managing service. Thus the pre-configured device 500 for cyber security managing also stores in the storage device 573 such data as execution scripts, a parameters database, software, vulnerability details, test results and configuration files.
[0059] The storage device 573 also provides space for storing all output data from the security level assessment module 520, the security level boost module 540 as well as the security level compliance module 560. For example, some security test results generated by the security level assessment module 520 are saved in a CSV file on the device 500 for cyber security managing as one line per identified issue/vulnerability. This has the added benefit of storing all sensitive data on the device 500 for cyber security managing, and not on the security tester's laptop. The data will not leave the customer's organisation (except if cloud options are used for dashboard and ticketing system as will be described later on). Moreover the storage device 573 also provides space for storing all input data acquired from different components of the monitored customer’s network 400.
[0060] The device 500 for cyber security managing also comprises the input/output unit 575 which enables it to receive and transmit signals from/to external devices.
[0061] In one embodiment, the device 500 for cyber security managing is further provided with the security level assessment module 520. The security level assessment module 520 serves for assessing the current security level of the monitored network. The security level assessment module 520 provides security assessment activities, in particular performed automatically. The output data from the security level assessment module 520 are used to detect all current potential security threats, identify vulnerabilities and gaps, analyze risks and derive a mitigation plan. The security level assessment module 520 together with the console 511 also facilitates performing Assessment Kit services remotely through the device 500 for cyber security managing.
[0062] In another embodiment, the device 500 for cyber security managing is further provided with the security level boost module 540. The security level boost module 540 serves for modifying the current security level of the monitored network 400 based on the assessment results obtained by the security level assessment module 520. The security level boost module 540 supports the customer in applying corrective actions, creating and implementing adequate security standards, defining the required solution and boosting security awareness across the whole organization. In particular, some of those actions are performed automatically by said security level boost module 540. The security level boost module 540 together with the console 511 allows the cyber security managing service provider to assist the customer with the mentioned boost tasks, namely it allows the staff members of the cyber security managing service provider to act as remote support. For example, it is possible to access the device 500 for cyber security managing and log in to an internal customer server using administrative credentials provided by the customer. Once logged on to one of the systems within the customer’s network, the staff members of the cyber security managing service provider can remotely apply missing security patches and perform other boost tasks.
[0063] In yet another embodiment, the device 500 for cyber security managing is further provided with the security level compliance module 560. The security level compliance module 560 serves for monitoring the current compliance of the monitored customer’s network 400 with security level standards. The security level compliance module 560 helps the customer to apply the right security measures defined by appropriate security standards, monitor the compliance level against a wide range of security standards and maintain accountability throughout the customer organization. One should know that implementing and maintaining the compliance status is an ongoing effort for the customer, and the security level compliance module 560 provides a wide range of functionalities to control this area, especially to apply appropriate policies and rules across the whole company.
[0064] The device 500 for cyber security managing is further provided with the remote display module 580 which provides remote visualization for a remote user of the device 500 for cyber security managing. Remote users of the device 500 for cyber security managing are, on one hand, staff members of the cyber security managing service provider, on the other hand employees of the customer who own or use the monitored network 400. Thanks to said remote display module 580 it is possible to remotely see all output data generated by the security level assessment module 520 and/or the security level boost module 540 and/or the security level compliance module 560.
[0065] The output data generated by the security level assessment module 520 and/or the security level boost module 540 and/or the security level compliance module 560 are used to make appropriate decisions by the remote users, for example to initiate manual or automatic procedures enhancing security of the monitored network 400 using remote display module 580.
[0066] Preferably, remote display module 580 only sends video data corresponding to the usual visual interface. By providing a remote display module 580 and by sending out of the device 500 only visual data, it is possible to reduce reaction time of the remote users of the device 500 for cyber security managing, since there is no need for transferring any additional data that usually would be analyzed on an external workstation. By reducing transferred data only to visual data, the security is increased since no crucial data are transferred outside the monitored customer’s network 400.
[0067] Figs. 3a to 3d show a detailed block diagram of chosen modules of the device 500 for security risk management. As mentioned earlier the device 500 for security risk management comprises at least one of the following modules responsible for providing the complex cyber security managing service: the security level assessment module 520, the security level boost module 540, the security level compliance module 560. The device 500 for security risk management also comprises the remote display module 580 which is very important at each stage of the cyber security managing service. Each of said modules comprises several submodules, which will be presented below.
[0068] As shown in Fig. 3a the security level assessment module 520 comprises at least one of the following modules: vulnerability assessment module 521, network architecture layout review module 522, penetration tests module 523, virtualization technology review module 524, infrastructure testing module 525, VPN configuration review module 526, application testing module 527, application threat modelling and design review module 528, firewall and router review module 529, social engineering test module 530, DLP review module 531, disaster recovery ability assessment module 532.
[0069] The vulnerability assessment module 521 is responsible for performing automated security scanning of the monitored customer’s network components (firewalls, routers, switches), infrastructure (servers, end-point devices etc.) and software components (the software layer, such as web applications and mobile applications). The automated scan performed by said vulnerability assessment module 521 results in finding security issues (vulnerabilities) in the hardware and software components of the monitored environment.
[0070] The network architecture layout review module 522 reviews network topology maps and the design of how the monitored network 400 is built. By analysing these it is possible to focus on the security aspects of the monitored network 400 and to check whether proper configurations of the monitored customer’s network 400 are used, as well as whether an appropriate high-level design and components (security appliances) are used. Thanks to the network architecture layout review module 512 it is possible to indicate the elements of the monitored customer’s network 400 to be changed in order to build a strong, secure network environment suitable for the customer’s needs.
[0071] The penetration tests module 523 performs controlled software attacks on the system elements of the monitored customer’s network 400 (network and infrastructure components as well as application level software) in order to practically evaluate the security level and find any weaknesses in the monitored network 400. The penetration tests module 523 requires human interaction and does not rely only on software to do the assessment/scan.
[0072] The virtualization technology review module 524 is responsible for testing the virtualization technology to determine whether a successful penetration is possible, from the perspective of both the client and the security experts. The tests performed by the virtualization technology review module 524 include a review of VM (virtual machine) configuration files to detect security issues. Other penetration testing will try to detect security vulnerabilities that would allow an attacker (a local user on a virtual machine) to escape the VM constraints and gain access to the host operating system. This type of attack is known as a VM sandbox escape and would allow an attacker who has access to one virtual machine to access any virtual machine installed on the host server.
[0073] The infrastructure testing module 525 is focused on testing network infrastructure components. This includes firewalls, routers, switches, hubs, access points etc. Servers, end-point devices and other hardware connected to the network are also included. The result of the testing is used to determine whether the tested components contain any security vulnerabilities. These can arise due to missing security patches on the system, misconfiguration or poor programming practice used during development of web applications and other software.
[0074] The VPN configuration review module 526 reviews the current VPN configuration to determine whether the current VPN settings provide a safe and secure connection. The testing is done from external sources (located on the internet) as well as internal sources (office and server environments) in order to test the VPN setup and make sure it is not misconfigured.
[0075] The application testing module 527 is focused on testing the software layer, which comprises, among others, applications such as web applications, mobile applications, custom and 3rd party software binaries. Said application testing module 527 also performs source code review.
[0076] The application threat modelling and design review module 528 is focused on the design of the application and application flows. It checks how the software interacts with databases and other components of the monitored network 400 in order to identify weak design or use of technology from a security perspective. The application threat modelling and design review module 528 is able to detect a lack of encryption for sending data over the monitored network 400 or no high-availability and load-balancing functionality to prevent denial-of-service attacks.
[0077] The firewall and routing review module 529 is responsible for examining the configuration files running on the monitored devices of the customer’s network 400. By analysing information acquired by said firewall and routing review module 529 it is possible to discover misconfigurations and security issues and make improvements in this area.
[0078] The Social Engineering Test module 530 is responsible for testing the users of the monitored customer’s network 400 and their susceptibility to common social engineering tactics, for example including phishing e-mails. It is done by virtual means (phishing e-mail containing malware) and/or physical means (attempting to give employees USB memory drives etc).
[0079] The DLP review module 531 is responsible for assessing the data-loss-prevention appliance/solution in place in the monitored customer’s network 400. Said DLP review module 531 advantageously attempts to identify employees extracting sensitive company information in order to block them.
[0080] The disaster recovery ability assessment module 532 is responsible for gathering information on the actions to be implemented in the event the customer’s network 400 is compromised. Input data for the disaster recovery ability assessment module 532 advantageously come from workshops with management and other employees in order to create an effective step-by-step guide on what to do in certain types of events. The necessary data are acquired and analysed automatically with the use of special forms available on-line to the employees of the customer, or are inputted manually by the staff members of the service provider with the use of the console terminal 511. The disaster recovery ability assessment module 532 assesses, among others, the current reporting hierarchy and responsibilities to check whether the organisation can operate in a speedy manner to get the business up and running again in the event of a disaster.
[0081] The above mentioned modules generate output data which are further forwarded to other submodules present in the security level assessment module 520 for complex analysis. Those additional modules are: threat analysis module 533, gap analysis module 534, risk assessment module 535, business impact analysis module 536.
[0082] The threat analysis module 533 allows creating profiles of the most likely attack scenarios and actors (the ones who perform the attack scenario). It allows the customer to prioritize security efforts and budget while improving the security level. Some input data for the analysis performed by the threat analysis module 533 are gathered externally. For example the staff members of the service provider conduct workshops together with the customer in order to understand what type of business they conduct and how. This information is used when creating attack scenarios and the risk analysis. All technical data, such as security vulnerabilities discovered during Assessment Kit security testing, will also be used to grade the security maturity level of the customer.
[0083] The gap analysis module 534 allows creating an up-to-date snapshot of the current security level in the organisation. This is then compared to a security standard such as ISO27001 or PCI/DSS and identifies the gaps on which the customer should prioritize. The gap analysis consists of detailed information and questions that responsible persons at the customer organisation need to answer accordingly. The security focused questions cover the entire organisation, from the HR hiring and firing process and physical security in the office building, to IT security issues such as measures for identifying and protecting business critical assets and data. The answers are analysed and the results show weak and strong areas. From this, prioritisations are set and a roadmap to improving security is created. The goal is to lift security levels to comply with security standards imposed by industry, central entities or laws and regulations.
[0084] The risk assessment module 535 contains a calculation algorithm on how to rate the risk level of a security issue/vulnerability. This gives the CxO level management a value for how big the risk is that the issue/vulnerability is exploited by a malicious attacker.
[0085] The business impact analysis module 536 contains a calculation algorithm on how to rate the business impact level if an issue/vulnerability is actively exploited.
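The patent does not spell out the calculation either module uses. As an added illustration, not code from the patent or its applicant, the following shows one way a risk assessment module and a business impact analysis module could derive their ratings from the facts an assessment records about a finding. The input factors, their weights and the label thresholds are assumptions chosen for this example.

```python
from dataclasses import dataclass

# Ordinal scales assumed for this example; the patent does not specify the
# factors or weights its risk assessment (535) and business impact (536)
# modules use.
EXPOSURE = {"internal": 1, "partner": 2, "internet": 3}
ASSET_CRITICALITY = {"low": 1, "medium": 2, "high": 3}
DATA_CLASS = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}


@dataclass(frozen=True)
class Finding:
    """One issue/vulnerability as the assessment module would record it."""
    ident: str
    exposure: str           # from where the vulnerable component is reachable
    exploit_public: bool    # working exploit code is publicly available
    auth_required: bool     # exploitation needs valid credentials first
    asset_criticality: str  # how important the affected asset is to the business
    data_class: str         # most sensitive data handled by the asset


def risk_score(f: Finding) -> int:
    """Likelihood that the issue is exploited by an attacker, on a 1..10 scale."""
    score = 2 * EXPOSURE[f.exposure]        # reachability dominates: 2, 4 or 6
    if f.exploit_public:
        score += 3                          # no attacker effort needed to weaponise
    if not f.auth_required:
        score += 1                          # no credential barrier in front of it
    return min(score, 10)


def business_impact_score(f: Finding) -> int:
    """Consequence for the business if the issue is actively exploited, 1..10."""
    return min(2 * ASSET_CRITICALITY[f.asset_criticality] + DATA_CLASS[f.data_class], 10)


def rating_label(score: int) -> str:
    """Map a 1..10 score to the wording shown to CxO level management."""
    if score >= 8:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rate(f: Finding) -> dict:
    """Both ratings plus their product, a usable ordering key for remediation."""
    risk = risk_score(f)
    impact = business_impact_score(f)
    return {
        "id": f.ident,
        "risk": risk,
        "risk_label": rating_label(risk),
        "business_impact": impact,
        "business_impact_label": rating_label(impact),
        "priority": risk * impact,
    }


if __name__ == "__main__":
    # Constructed findings, not results from any real assessment.
    findings = [
        Finding("F-1", "internet", True, False, "high", "regulated"),
        Finding("F-2", "partner", True, True, "medium", "internal"),
        Finding("F-3", "internal", False, True, "low", "public"),
    ]
    for r in sorted((rate(f) for f in findings), key=lambda r: -r["priority"]):
        print(r)
```

Keeping likelihood and business impact as two separate numbers, rather than a single severity, is what lets the dashboard described later show them side by side: an internet-facing issue on a low-value asset and an internal issue on a regulated database land in different quadrants even when their product is similar.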
[0086] All output data generated by the security level assessment module 540 represent the current security level within the monitored network 400 and advantageously at least part of said output data is directly used by another module, namely by the security level boost module 540. Thanks to direct and instant access to the security test results within the same device 500 for cyber security managing it is possible to provide an almost real time reaction to detected threats. As will be described later, the output data generated by the security level assessment module 540 can also be used to generate reports on the current security level for the management of the customer.
[0087] As shown in Fig. 3b the security level boost module 540 comprises at least one of the following modules: assets and data classification module 541, gap implementation module 542, network monitoring module 543, end point security module 544, network assets monitoring module 545, system hardening module 546, identity and access management module 547, security, information and event management module 548, DLP management module 549, privileged access management module 550, firewall monitoring module 551, malware investigation module 552, patch management module 553, application monitoring module 554, policy review module 555, risk mitigation module 556, disaster recovery planning module 557. The person skilled in the art will appreciate that said list is only an exemplary one and that the security level boost module 540 can also comprise other submodules.
[0088] The assets and data classification module 541 is responsible for collecting information about the assets inside the customer’s networks. It scans the network and provides information on how many assets and what kind of assets the customer has in his network. It also classifies the assets into different groups based on their purpose of use.
[0089] The gap implementation module 542 allows closing all gaps which were found during the assessment and configuration review. Thanks to this module all issues can be solved in real time.
[0090] The network monitoring module 543 is responsible for monitoring network components such as computers, servers, etc. inside the organisation, to provide information in case of vulnerabilities, outages or other troubles.
[0091] The end point security module 544 allows reviewing and configuring the end point security tools installed in the customer’s network. Thanks to this module a 3rd party organisation may access the end point security server and perform proper configuration or review.
[0092] The network assets monitoring module 545 allows focusing on a specific network asset inside the organisation and monitoring this asset from a security perspective.
[0093] The system hardening module 546 is responsible for hardening the customer’s network in terms of cyber security. The module allows executing different types of activities, like automated scripts or manual services performed by a 3rd party company, to increase the cyber security level.
[0094] The identity and access management module 547 allows cooperating with a legacy identity and access management system. Using this module it is possible to configure different types of rights and access for the employees of the customer organisation.
[0095] The security, information and event management module 548 allows cooperating with a legacy SIEM system. Thanks to this module it is possible to review and analyse logs from the SIEM.
[0096] The DLP management module 549 allows the device 500 to connect to and be integrated with the existing DLP system in the organisation.
[0097] The privileged access management module 550 allows the device 500 to connect to and be integrated with the existing PAM system in the organisation.
[0098] The firewall monitoring module 551 allows collecting and analysing logs from the existing firewalls installed in the organisation through the device 500.
[0099] The malware investigation module 552 allows examining the websites that may be associated with the incident, obtaining reputational data about IP addresses of systems involved in the incident, looking up IP addresses associated with the infected organization in blocklists, performing automated behavioral analysis of malware involved in the incident.
[0100] The patch management module 553 is responsible for managing patches, upgrading software applications, fixing problems in existing software after a new release, fixing problems with versions of legacy programs, analysing existing programs for a potential lack of security features or upgrades, and scanning systems in order to assess whether additional patches are needed. The application monitoring module 554 is responsible for the security monitoring of web and mobile applications, for example monitoring for code injection, broken authentication and session management, cross-site scripting, obtaining file access, security misconfiguration, sensitive data exposure, unvalidated redirects and forwards, rating, repackaging, hooking frameworks, native code hooks and others.
[0101] The policy review module 555 allows connecting to the legacy storage of policies, reviewing policies and creating policies.
[0102] The risk mitigation module 556 allows developing options and actions to enhance opportunities and reduce threats; it also allows implementing mitigation actions and monitoring mitigation progress.
[0103] The disaster recovery planning module 557 allows setting and processing procedures to recover the organisation’s IT infrastructure in the event of a disaster. The module includes planning, detailed procedures, and disaster monitoring.
[0104] Actions performed by the above mentioned submodules of the security level boost module 540 increase security and minimize risks within the customer organization. The security level boost module 540 provides a more secure environment, both on a technical and an organizational level. For example, it can provide a clear patch management process and make sure it is actively followed. It is simply not enough to have a process that no one is following, or to randomly or rarely install security patches on some servers. The security level boost module 540 makes sure that all aspects are in place and are properly followed and maintained.
[0105] As shown in Fig. 3c, the security level compliance module 560 comprises at least one of the following modules: compliance awareness module 561, standard/policies integration module 562, compliance management module 563.
[0106] The compliance awareness module 561 is responsible for increasing awareness about security standards and compliance within the customer organization. This is targeted to system/product owners and department managers. The compliance awareness module 561 gathers and distributes information from/to users within the monitored network 400 about security standards through educational courses, interactive workshops as well as a web application called a Compliance Portal (not shown in Fig.3c).
[0107] The standard/policies integration module 562 is responsible for increasing awareness about security policies within the customer organisation. All employees need to be informed about, learn and follow the security policies so that compliance is maintained, thus the standard/policies module 562 gathers and distributes information from/to users within the monitored network 400 about security standards/policies. This is done through an intranet website, educational courses, workshops and again the Compliance Portal.
[0108] The compliance management module 563 is responsible for making the implementation and maintenance work of the security standard a smooth process. This is done through the Compliance Portal, which allows tracking and prioritizing tasks needed to achieve compliance.
[0109] The compliance management module 563 is compatible with any standard such as ISO27001, PCI/DSS, GDPR or even the customer's own internal standards and policies.
[0110] In the most advantageous embodiment the device 500 for cyber security managing comprises all three modules, namely the security level assessment module 520, the security level boost module 540 and the security level compliance module 560. In said embodiment the customer’s network 400 is monitored in a way the customer can achieve continuous cyber security assurance.
[0111] As shown in Fig. 3d, the remote display module 580 provides presentation and reporting possibilities for different recipients. It comprises two main submodules which are: a dashboard module 581, and a console 511.
[0112] The console 511 is a module for inputting external input data by the staff members of the cyber security managing service provider. Said input data can be the input data provided via input interface means (not shown) of the workstation 200 of the security managing service provider, or data acquired from the internal databases (not shown) of the workstation 200, or data acquired from the expertise database 600. For example, input data provided via the input interface means of the workstation 200 can be manual commands relating to managing the Linux operating system, executing custom Bash scripts to perform tasks, or re-configuring the device 500 for cyber security managing.
[0113] Other exemplary data acquired from the expertise database 600 can be exploit scripts developed by the service provider that will exploit security vulnerabilities. Some vulnerabilities are known, but no public exploit code exists online. In these cases, and in others where vulnerabilities are not yet publicly known, the service provider can develop exploit scripts that can be stored in the database 600 and pushed (copied) to all devices 500 for cyber security managing, as was already explained in reference to Fig. 1A.
[0114] The workstation 200 is only used to connect to the jump server 300 and remotely control the device 500 for cyber security managing. All output from commands inserted via the console 51 1 and test results are stored on the device 500 for cyber security managing and not on the workstation 200. This ensures sensitive data is not leaving the customer premises and is more secure compared to storing the data on the tester's laptop which might be stolen or lost. In this manner the data will not leave the customer's organisation except if cloud options are used for the dashboard module 581 and ticketing module 584 for information presentation purposes as will be described later on.
[0115] In particular, the console 511 acts as a system operator terminal and provides the staff members of the cyber security managing service provider with full control of the device 500 for cyber security managing. In particular it takes the form of a command line. Thanks to the presence of the console 511 the staff members of the security managing service provider are able to run programs on and even restart the device 500 for cyber security managing. All network traffic created to/from the device 500 for cyber security managing is sent through the established SSH tunnel. This means that all traffic from/to the workstation 200 of the security service provider via the console 511 is encrypted and secure.
[0116] The staff members of the service provider usually use the console 511, which is a command-line terminal (a command-line Linux shell prompt), to issue commands on the device 500 for cyber security managing. However the person skilled in the art will appreciate that, if needed, they can also access a GUI through a Windows Remote Desktop connection or VNC. This is possible due to the SSH tunneling capabilities, where the staff members of the service provider (for example security testers) can tunnel port 3389 to access the remote desktop, and the corresponding ports for any other local service running on the device 500 for cyber security managing.
[0117] The second main submodule of the remote display 580 is the dashboard module 581, which allows the engineers and management of the owner of the monitored network 400 to have a high-level view of all security related issues. It displays open/closed/assigned/unassigned issues, risk and business impact ratings, prioritization of issues and more. The dashboard module 581 can have a cloud or local, on-site installation, depending on the customer’s requirements and needs. The dashboard module 581 uses its own dashboard database stored in the storage device 573. This information is used to present the dashboard module 581 user with a live security picture of the risks that have been discovered during assessments using the security device. Details of the dashboard module 581 are explained in reference to Fig. 4.
[0118] Thanks to the remote display module 580 the staff members of the service provider are provided with the desktop of the device 500 for the cyber security managing. On the other hand, thanks to said remote display module 580 the GUI of any workstation used by the customer to manage the security level of his network 400 will provide trained security specialists working for the customer with customized presentation options of the output data generated by the device 500 for the cyber security managing.
[0119] It should be noted that, depending on the functionality of a given submodule of the security level assessment module 520, the security level boost module 540 or the security level compliance module 560, it is executed either automatically or manually. This is schematically shown in Figs. 5 to 7. The manual execution is performed by a remote user of the device 500 for cyber security managing. The manual execution of some functionalities is required since the software and test tools often create false-positive results, thus a human touch is necessary in order to test and verify whether the identified issue is true or not.
[0120] Automation of the execution of certain modules can be realized by creating a script or program. An example of a module which is executed automatically is the vulnerability assessment module 521. Said module can be used to identify which version of a web server software is running on a target network 400. Once identified, the version number is then compared to a database of vulnerabilities stored in the storage device 573; if the installed web server software is old, there might be known vulnerabilities in the older version that have been patched in newer versions.
[0121] The automated execution can be supported by software robotic process automation including a cognitive module which is able to learn different scenarios of vulnerabilities. The automated execution includes AI and neural networks to make simple decisions while executing vulnerability scenarios.
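The version check described in paragraph [0120], as an added example that is not part of the patent: a banner parser, a numeric version comparison and a lookup against a locally stored vulnerability database of the kind the patent keeps on the storage device 573. The product names, identifiers and version ranges in the database are constructed for this example and do not describe real software or real advisories.

```python
import re
from typing import Optional, Tuple

# Constructed local vulnerability database standing in for the one the patent
# keeps on storage device 573. Product names, ids and version ranges are
# invented for this example and do not describe real software or advisories.
VULN_DB = [
    {"id": "EXAMPLE-0001", "product": "acmehttpd", "introduced": "1.0.0",
     "fixed_in": "1.2.4", "severity": "high"},
    {"id": "EXAMPLE-0002", "product": "acmehttpd", "introduced": "1.2.0",
     "fixed_in": "1.3.1", "severity": "medium"},
    {"id": "EXAMPLE-0003", "product": "otherhttpd", "introduced": "0.9.0",
     "fixed_in": "1.0.0", "severity": "high"},
]

# "Server: product/1.2.3 (comment)" as found in an HTTP response header.
BANNER_RE = re.compile(r"^server:\s*([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_server_banner(header_line: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) from a Server header line, or None when the
    banner carries no parseable version (many servers deliberately hide it)."""
    m = BANNER_RE.match(header_line.strip())
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple so that 1.10.0 sorts after 1.9.2 (string order would not)."""
    return tuple(int(part) for part in version.split("."))


def known_vulnerabilities(product: str, version: str) -> list:
    """Entries whose affected range [introduced, fixed_in) contains the version."""
    v = version_key(version)
    return [
        entry for entry in VULN_DB
        if entry["product"] == product
        and version_key(entry["introduced"]) <= v < version_key(entry["fixed_in"])
    ]


def assess(header_line: str) -> dict:
    """Automated check of one banner. A 'vulnerable' result is a candidate for
    the manual verification step: vendors backport fixes without changing the
    advertised version, so banner matching alone produces false positives."""
    parsed = parse_server_banner(header_line)
    if parsed is None:
        return {"status": "version_unknown", "matches": []}
    product, version = parsed
    matches = known_vulnerabilities(product, version)
    return {
        "status": "vulnerable" if matches else "no_known_issues",
        "product": product,
        "version": version,
        "matches": [e["id"] for e in matches],
    }


if __name__ == "__main__":
    # Constructed banners, not output from a real scan.
    for banner in ("Server: acmehttpd/1.2.3 (Linux)",
                   "Server: acmehttpd/1.3.1",
                   "Server: cloaked"):
        print(banner, "->", assess(banner))
```

The `version_unknown` outcome is deliberate: a hidden banner is not evidence of a patched server, so the record is kept for a human or a different test rather than being silently treated as clean. The same applies to `vulnerable`, which in this design feeds the manual verification that paragraph [0119] requires.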
[0122] In some situations the functionality of the device 500 for cyber security managing can be enhanced by a team of security experts with different expertise, said team being called the Red Team. This team performs the security test and is often a combination of remote and on site resources. For example, said team can enhance the social engineering tests performed automatically by the Social Engineering Test module 530. The Red Team physically goes on site to the customer premises and tries to gain access to office buildings using tricks such as pretending to be a printer technician or asking the receptionist to help print a document on a USB stick. The results of said external tests are then inputted manually into the Social Engineering Test module 530 with the use of the console 511.
[0123] As shown in details in Fig.4 the dashboard module 581 provides a wide range of means of presentation of important data regarding security issues. The data displayed by the dashboard module 581 comes from two sources, the storage 573 of the device 500 for cyber security managing and the ticketing module 584 database (stored on the storage device 573 or in cloud or on a separate server as will be explained below). These two sources send their data to the dashboard database stored in the storage 573 or also in a cloud. In another embodiment the dashboard module 581 is configured to receive data from the Compliance portal API.
[0124] First the role of the ticketing module 584 will be explained. The ticketing module 584 is responsible for collecting any issues, vulnerabilities, comments and interaction between the third party security service provider and the employees of the owner of the monitored network 400. The ticketing module 584 will open a ticket when the device 500 for cyber security managing finds a vulnerability; said ticket will be assigned to a staff member of the security service provider and to the customer’s engineer. The ticketing system will automatically assign the ticket number and date, based on the issue found by the device 500 for cyber security managing. Each ticket is labelled: critical, normal, not critical. Since the employees of the owner of the monitored network 400 are not allowed to access the device 500 for cyber security managing, the ticketing module 584 is a separate system. The ticketing module 584 can be installed in the cloud or can be a stand-alone server placed within the customer’s premises. The system owners and technicians will create user accounts in the ticketing system and will interact through it with the security testers of the security service provider. This helps the customer to quickly and efficiently solve security vulnerabilities and issues.
[0125] Regarding the way the ticketing module 584 acquires data, for example a local Linux script enables reading saved security test results in the form of CSV files stored in the storage device 573 and loading them into the ticketing system. All tickets are automatically filled with the data from the loaded CSV files, including vulnerability description, recommendation, risk and business impact rating, attachments such as screenshots or code snippets and much more. All tickets are automatically assigned to the system owner of the affected system within the customer’s monitored network 400. The output data from the ticketing module 584 are forwarded to the dashboard module 581. For example, for any activity in the ticketing module 584, such as an issue being closed, the dashboard database will automatically be updated and the change will be presented via the dashboard module 581 as the latest status in numbers, charts and graphs to the dashboard users, namely employees of the owner of the monitored network 400.
[0126] The ticketing module is accessible to the staff members of the cyber security service provider, to engineers from the customer’s organization and to CxOs.
[0127] The dashboard module 581 reads the local database and creates the page based on the data stored there. Data from the ticketing system can be extracted using the API. Data from other databases related to security issues will be gathered by running a script locally on the device 500 for cyber security managing, which will transfer the data stored in a CSV file into the database on the dashboard system.
[0128] Only chosen detailed display options within the dashboard module 581 will now be described. The dashboard module 581 layout consists of an attractive front page (user login), a main page (main dashboard) and subpages (pages with more details). The main page is the first page the user sees when successfully logged on. It can consist of statistics and charts, the recent alert window and the timeline graph.
[0129] One of the display options is ‘Total number of tickets (issues)’, which shows simple statistics gathered from the vulnerability tracking system. For example it enables seeing the number of open tickets, closed tickets and a pie chart showing the distribution of red/yellow/green issues.
[0130] Another display option is ‘Total number of scans’, which enables seeing the total number of performed automated vulnerability scans and their dates.
[0131] A further display option is ‘Total number of hosts tested/scanned’, which enables seeing information about discovered hosts and information regarding OS, IP etc. It can be presented as a pie chart of OS distribution: win %, linux %, other %. It also enables seeing the number of unsupported OS (such as Windows XP, Server 2000, 2003 and old, unsupported Linux).
[0132] Another display option is ‘Timeline’: the timeline graph highlights data from the beginning to the current date. It can include things such as the number of hosts, vulnerabilities, open issues and information about when automated scans were performed.
[0133] Another display option is ‘Risk assessment’, which is a graph where Business Impact vs. Risk is shown. All security risk issues are tracked, and the issues are placed within, for example, 4 quadrants. If there are too many issues, which would impact responsiveness, in this display option only, for example, 100 of them are displayed and the user is provided with a message that only a few issues are shown. This data can be extracted from the vulnerability tracking system issue tickets.
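The CSV-to-ticket loading of paragraph [0125] together with the ‘Total number of tickets’ and ‘Risk assessment’ figures of [0129] and [0133], as an added example that is not the patent's own script: each CSV row becomes a numbered, dated ticket assigned to the owner of the affected system, and the dashboard figures are derived from the tickets. The column layout, the label thresholds, the SYSTEM_OWNERS mapping and the sample rows are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import date
from typing import Optional

# Constructed asset inventory: affected system -> its system owner (customer engineer).
SYSTEM_OWNERS = {"crm-web-01": "alice", "fileserver-02": "bob"}

# Colour of each label in the 'Total number of tickets' pie chart.
LABEL_COLOUR = {"critical": "red", "normal": "yellow", "not critical": "green"}

# Fixed date for the sample run so ticket numbers are reproducible.
SAMPLE_DATE = date(2018, 6, 11)


def label_for(risk: int, impact: int) -> str:
    """Assumed rule mapping 1..5 risk and business impact ratings to the ticket label."""
    if risk >= 4 and impact >= 4:
        return "critical"
    if risk >= 3 or impact >= 3:
        return "normal"
    return "not critical"


def load_tickets(csv_text: str, created: Optional[date] = None,
                 provider_staff: str = "provider-tester", start_no: int = 1) -> list:
    """Turn one CSV export of test results into tickets: number and date them and
    assign each to the affected system's owner plus a provider tester."""
    created = created or date.today()
    tickets = []
    for offset, row in enumerate(csv.DictReader(io.StringIO(csv_text))):
        risk, impact = int(row["risk"]), int(row["business_impact"])
        system = row["affected_system"]
        tickets.append({
            "number": f"{created:%Y%m%d}-{start_no + offset:04d}",
            "date": created.isoformat(),
            "system": system,
            "owner": SYSTEM_OWNERS.get(system, "unassigned"),  # customer side
            "provider": provider_staff,                         # provider side
            "description": row["description"],
            "recommendation": row["recommendation"],
            "risk": risk,
            "impact": impact,
            "label": label_for(risk, impact),
            "attachments": [a for a in (row.get("attachments") or "").split(";") if a],
            "status": "open",
        })
    return tickets


def ticket_summary(tickets: list) -> dict:
    """Figures behind 'Total number of tickets': open/closed counts and the colour split."""
    return {
        "open": sum(t["status"] == "open" for t in tickets),
        "closed": sum(t["status"] == "closed" for t in tickets),
        "by_colour": dict(Counter(LABEL_COLOUR[t["label"]] for t in tickets)),
    }


def risk_quadrants(tickets: list, limit: int = 100) -> dict:
    """'Risk assessment' view: place tickets in Business Impact vs Risk quadrants,
    showing at most `limit` of them and saying so when the rest were cut off."""
    quadrants = {"high-risk/high-impact": [], "high-risk/low-impact": [],
                 "low-risk/high-impact": [], "low-risk/low-impact": []}
    for t in tickets[:limit]:
        risk = "high" if t["risk"] >= 3 else "low"
        impact = "high" if t["impact"] >= 3 else "low"
        quadrants[f"{risk}-risk/{impact}-impact"].append(t["number"])
    truncated = len(tickets) > limit
    return {"quadrants": quadrants, "truncated": truncated,
            "message": f"Showing {limit} of {len(tickets)} issues" if truncated else None}


# Constructed CSV export in the assumed column layout (no real findings).
SAMPLE_CSV = """\
affected_system,description,recommendation,risk,business_impact,attachments
crm-web-01,Outdated web server version,Upgrade to a supported release,5,4,screenshot1.png
fileserver-02,SMB signing not required,Require SMB signing via policy,3,2,
crm-web-01,Verbose error page,Disable debug output in production,2,1,snippet.txt;screenshot2.png
db-backup-09,Backup share readable by all users,Restrict share permissions,4,5,
"""

if __name__ == "__main__":
    loaded = load_tickets(SAMPLE_CSV, created=SAMPLE_DATE)
    print(ticket_summary(loaded))
    print(risk_quadrants(loaded, limit=2))
```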
[0134] A further display option is ‘Recent alerts’. In this option the dashboard module 581 creates a recent alert box which works like a log window and displays current relevant information such as whether any administrative users have been added to the domain, whether there are any on-going attacks on the customer, and who is currently logged in and working on the device 500 for cyber security managing.
[0135] The dashboard module 581 also provides additional functionality, ‘Report extraction’, which is provided by a reporting module 582. The reporting module 582 allows dashboard users to modify graphs and pie charts and create their own reports in PDF, PNG, CSV and more. This is a built-in feature included in the dashboard module 581. This is due to the Angular programming language that the web application is written in. The management user of the monitored network 400 can simply use the tools provided in the dashboard to paint, mark, add text and more on any chart or graph. This custom graph with highlighted items can then be saved as a picture, ready to be imported into a Word or PowerPoint presentation that the manager is working on. For security reasons the type of report extraction depends on the type of user who is using said function. There can be several different types of reports: ‘User reports’ (all issues assigned to the user and the systems they own) and ‘Management report’ (all issues, statistics and graphs to be printed into a high-level executive report).
[0136] Another important functionality accessible via the dashboard module 581 is the possibility of snapshot generation. The snapshot generation is performed by the security snapshot module 583, which allows creating a current security snapshot of the security level in the monitored organisation. It also allows the staff members of the cyber security managing service provider to scan security news online and alert customers of potential new threats and risks. The security snapshot module 583 provides both data displayed in the dashboard and an e-mail in the form of a newsletter regularly sent to the customer’s top management. A snapshot can be generated once per week/month or can be reviewed by CxOs 24/7. This allows the customer to always be aware of and track security issues within the organisation. If for example a new critical security vulnerability is discovered in certain software that is being used by the customer, the security testers of the security service provider can verify the issue using the device 500 for cyber security managing, report the issue through the ticketing module 584 and alert management through the security snapshot module 583.
[0137] The dashboard module 581 must be secure. It is configured so as to avoid the risk of any security issues allowing users to extract data from the dashboard database or otherwise gain access to information they are not allowed to view. For this purpose the OWASP Top 10 most common vulnerabilities in web applications is reviewed and secure coding techniques to protect against them are adopted. The top 10 list of common issues is: Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE), Broken Access Control, Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring.
[0138] Fig. 5 shows schematically exemplary components and systems embedded within the monitored customer’s network 400 with which the device 500 for cyber security managing is able to interact. An exemplary customer’s network 400 can comprise only a few of the enumerated components or systems, or can comprise all of them or even more. Only popular and typical network components and systems have been enumerated, such as: applications running on the user computers connected to the monitored network, security devices (e.g. firewalls), endpoint security system, SIEM system, system for assets management, forensic application, network elements like servers, workstations, firewalls, switches, access points, and network and virtual network elements like virtual servers and virtual machines/workstations.
[0139] The device 500 for cyber security managing is configured to acquire input data about the monitored network 400 for performing security level assessment, for boosting the security level as well as for checking compliance with security standards. The person skilled in the art will appreciate that some of the enumerated systems can generate raw output data to be analyzed by the device 500 for cyber security managing, or can generate already analyzed sets of data with some recommendations, like reports from SIEM systems.
[0140] The person skilled in the art will appreciate that for performing security level boosting, access to at least some of the mentioned components and systems of the monitored network is required. For example it is not possible to perform the following actions without accessing internal components and systems of the monitored network 400: Network monitoring, End point security procedures, Network assets monitoring, System hardening, Gap Implementation, SIEM, DLP management, PAM, FW monitoring, Malware investigation, Patch management, Application Monitoring, and in relation to assessment procedures: Virtualization technology review.
[0141] However, at least some security level assessment procedures can be undertaken by the device 500 for cyber security managing without having access to said internal components and systems of the monitored network 400. In particular these are: Vulnerability Assessments, Penetration Tests, Infrastructure Testing, Application Testing, Social Engineering Test, Gap Assessment.
[0142] On the other hand, even if access is granted by the customer, some security level assessment procedures and security level boosting procedures can be undertaken by the device 500 for cyber security managing only in further cooperation with the customer, by acquiring additional customer’s data from workshops, documentation, configuration files etc. These are in particular, in relation to assessment: Firewall and Router review, DLP review, Network Architecture Layout review, VPN configuration review, Application threat modeling and design review, Disaster recovery planning; and in relation to security level boosting procedures: Identity and Access Management, Policy review, Risk mitigation, DRP, policy implementation, Asset and data classification.
[0143] Said additional customer’s data can be acquired by the device 500 for cyber security managing in one of the following ways: automatically from internal databases of the customer, said databases being located within the monitored network 400, and/or entered manually with the use of the console 511 by the third party security service provider.
[0144] Now a method for cyber security managing will be described with reference to Fig. 9-11.
The method for cyber security managing according to the invention comprises at least the following steps:
a security level assessing step performed locally within the monitored network 400 so that the results of said step are stored locally on a device 500 for cyber security managing connected within the monitored network 400
a remote external presentation step of the results of the security level assessing step outside the monitored network 400 with the use of secure connection
a remote internal presentation step of the results of the security level assessing step inside the monitored network 400.
[0145] In one embodiment the method for cyber security managing according to the invention further comprises:
a step of acquiring input data providing additional functionality to at least said security level assessment module 520 by means of a secure connection via a Jumpserver 300 from a remote security service provider workstation 200 which is located beyond the monitored network 400.
[0146] In another embodiment the method for cyber security managing according to the invention further comprises:
a security level boosting step
a remote external presentation step of the results of the security level boosting step outside the monitored network 400 with the use of secure connection
a remote internal presentation step of the results of the security level boosting step inside the monitored network 400.
[0147] In another embodiment the method for cyber security managing according to the invention further comprises:
a security level compliance monitoring step
a remote external presentation step of the results of the security level compliance monitoring step outside the monitored network 400 with the use of secure connection
a remote internal presentation step of the results of the security level compliance monitoring step inside the monitored network 400.
[0148] In one embodiment the security level assessing step performed locally within the monitored network 400 is performed by the device 500 for cyber security managing connected within the monitored network 400. For example, this step can comprise an automatic vulnerability scanning substep performed by the vulnerability assessing module 521 in which a security issue can be identified. Such exemplary security issues can be data loss, security breaches or a malicious attack. Additionally, prior to the security level assessing step, additional data can be inputted to the device 500 for cyber security managing via the console 511 from the workstation 200 of the security service provider, which is located beyond the monitored network 400.
[0149] The substeps of the security level assessing step can be executed in at least two different ways, namely manually or automatically. Manual execution is performed by a staff member of the service provider (e.g. a cyber security expert) connected remotely to the device 500 for cyber security managing via a secure connection. The automatic execution can be performed using specific tools including RPA (robotic process automation) and/or AI (artificial intelligence and neural networks).
[0150] The security level assessing step further comprises a security issue ticketing step in which the identified security issue is registered in the ticketing system by the ticketing module 584. Thanks to that, the vulnerability is automatically assigned to the customer’s system owner of the affected system within the monitored network 400. The ticket contains all technical details about the security issue and is stored in the ticketing system database in the storage device 573.
[0151] In the remote external presentation step of the results of the security level assessing step the data with identified security issues, once registered by the ticketing module 584, are forwarded to the remote display module 580 of the device 500 for cyber security managing for presentation outside the monitored network 400 with the use of secure connection via Jumpserver 300. In this step only visual data are transferred outside the monitored network 400, but this is enough to inform the remote staff members of the cyber security managing service provider about current security problems to be resolved.
[0152] In the remote internal presentation step of the results of the security level assessing step the data with identified security issues, once registered by the ticketing module 584, are forwarded to the remote display module 580 of the device 500 for cyber security managing for presentation inside the monitored network 400 on a customer’s workstation. The data relating to the identified security issues are presented by the dashboard module 581 on a single dashboard with other types of data to let the customer’s employees monitor in an easy way different aspects of the cyber security managing.
[0153] In the remote internal presentation step of the results of the security level assessing step, as soon as the issue is registered in the ticketing system the dashboard displayed by the dashboard module 581 will also be updated. This gives upper management of the customer a live, high-level overview of all discovered issues and security threats. All issues will have a Risk and Business Impact rating, so the managers can easily see which problems to prioritize. If the manager notices an important issue not being actively addressed, they can escalate and make sure that the system owners start working on the issue.
[0154] As mentioned earlier, in another embodiment the method for cyber security managing can further comprise the security level boosting step, which aims at modifying the current security level so as to improve it as quickly as possible. The security level boosting step is performed in real time based on the data outputted in the step of security level assessment, the data outputted in both steps not leaving the monitored network 400. For example, if a security issue such as a security breach has been identified in the security level assessing step, the monitored network 400 requires security level boosting substeps such as verifying security settings in the router or the operating system, verifying and checking logs from devices such as firewalls and endpoint security, encrypting sensitive data, and restricting access to the monitored network infrastructure to authorized employees only. If possible those substeps are performed as quickly as possible, namely automatically by appropriate submodules of the security level boost module 540.
[0155] In some situations, the customer’s engineer can interact with the staff members of the service provider (e.g. the security tester that discovered the issue manually in the security level assessing step). Thus the method according to the invention can also comprise a step of secure communication via the Jumpserver 300 between a workstation which is located within the monitored network 400 and the remote security service provider workstation 200 which is located beyond the monitored network 400 by remote display means. This is possible thanks to dedicated communication means embedded within the device 500 for cyber security managing, like the mentioned ticketing module 584 which is a part of the remote display means. Each vulnerability needs to be solved within a specified period; thus if the customer’s engineer cannot solve the issue, a flag will be raised that the issue is not solvable from the side of the owner of the monitored network 400. Said flag will trigger an alert for the cyber security service provider and said issue will automatically be assigned to the cyber security service provider. Each alert can be commented on from both sides. Through this interaction and support, especially in the security level boosting step, the issue can be solved quickly thanks to mutual cooperation.
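The escalation rule of paragraph [0155], as an added example rather than the patent's own code: a ticket that the customer's engineer flags as not solvable on their side raises an alert for the service provider and is reassigned to it, and both sides can comment on the ticket. The solution period per label, the provider queue name and the sample tickets are assumptions, as is escalating automatically when the period runs out without a flag.

```python
from datetime import date, timedelta

# Assumed solution period per label; the patent only says "a specified period".
SOLVE_PERIOD_DAYS = {"critical": 7, "normal": 30, "not critical": 90}
PROVIDER_QUEUE = "security-provider"   # assumed name of the provider's assignment queue
FLAG_UNSOLVABLE = "not solvable by customer"
FLAG_OVERDUE = "solution period exceeded"


def make_ticket(number: str, label: str, opened: date, owner: str) -> dict:
    """Minimal ticket record; the owner is the customer's engineer until escalation."""
    return {"number": number, "label": label, "opened": opened, "owner": owner,
            "status": "open", "flag": None, "comments": []}


def add_comment(ticket: dict, author: str, side: str, text: str) -> None:
    """Either side may comment on a ticket or its alert; side is 'customer' or 'provider'."""
    if side not in ("customer", "provider"):
        raise ValueError(f"unknown side {side!r}")
    ticket["comments"].append({"author": author, "side": side, "text": text})


def deadline(ticket: dict) -> date:
    """Date by which the ticket's label says it must be solved."""
    return ticket["opened"] + timedelta(days=SOLVE_PERIOD_DAYS[ticket["label"]])


def mark_unsolvable(ticket: dict, engineer: str, reason: str) -> None:
    """The customer's engineer raises the flag that the issue cannot be solved on their side."""
    ticket["flag"] = FLAG_UNSOLVABLE
    add_comment(ticket, engineer, "customer", reason)


def escalate(tickets: list, today: date) -> list:
    """Run once per day: every open, customer-owned ticket that is flagged unsolvable
    (or, as an added assumption, past its deadline) raises an alert for the provider
    and is reassigned to the provider queue. Returns the alerts raised in this run."""
    alerts = []
    for t in tickets:
        if t["status"] != "open" or t["owner"] == PROVIDER_QUEUE:
            continue                      # closed, or already with the provider
        overdue_days = (today - deadline(t)).days
        if t["flag"] is None and overdue_days > 0:
            t["flag"] = FLAG_OVERDUE
        if t["flag"] is None:
            continue                      # still within its period, nothing to do
        previous = t["owner"]
        t["owner"] = PROVIDER_QUEUE
        add_comment(t, "ticketing-module", "provider",
                    f"auto-assigned from {previous}: {t['flag']}")
        alerts.append({"ticket": t["number"], "reason": t["flag"],
                       "days_overdue": max(0, overdue_days)})
    return alerts


# Constructed sample data with a fixed "today"; no real tickets.
TODAY = date(2018, 6, 11)


def build_sample_tickets() -> list:
    tickets = [
        make_ticket("T-0001", "critical", date(2018, 6, 1), "alice"),      # due 8 June
        make_ticket("T-0002", "normal", date(2018, 5, 1), "bob"),          # due 31 May
        make_ticket("T-0003", "not critical", date(2018, 6, 1), "alice"),  # due 30 Aug
        make_ticket("T-0004", "critical", date(2018, 6, 9), "bob"),        # due 16 June
    ]
    tickets[3]["status"] = "closed"       # already resolved, must never be escalated
    return tickets


if __name__ == "__main__":
    sample = build_sample_tickets()
    mark_unsolvable(sample[0], "alice", "vendor provides no patch for this release")
    for alert in escalate(sample, TODAY):
        print(alert)
```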
[0156] Also in this case the substeps of the security level boosting step can be executed in at least two different ways, namely manually or automatically. Manual execution is performed by a staff member of the service provider (e.g. a cyber security expert) connected remotely to the device 500 for cyber security managing via a secure connection. The automatic execution can be performed using specific tools including RPA (robotic process automation) and/or AI (artificial intelligence and neural networks).
[0157] In the remote external presentation step of the results of the security level boosting step the data with identified security issues, once registered by the ticketing module 584, are forwarded to the remote display module 580 of the device 500 for cyber security managing for presentation outside the monitored network 400 with the use of secure connection via Jumpserver 300.
[0158] The same is performed in the remote internal presentation step of the results of the security level boosting step. As mentioned earlier, the data relating to the resolved security issues are presented by the dashboard module 581. Each boost activity performed by the security level boost module 540 is registered in a dedicated dashboard as a part of the comprehensive security snapshot / cyber security monitoring dashboard.
[0159] As mentioned earlier, in another embodiment, the method for cyber security managing can further comprise the security level compliance monitoring step, which aims at managing security level compliance with different standards so as to maintain or improve it.
[0160] One example situation is where the customer is going to adopt an ISO standard. The Administrator (the person responsible for compliance in the monitored organization), by accessing the security level compliance module 560 via an appropriate button on the dashboard, selects a compliance template from the database stored in the storage device 573. If he wants to follow the ISO standard directly, the template will be created automatically; if he decides to add or modify declarations, he can do so manually. After the substep of template selection, in the substep of compliance declaration execution the Administrator chooses a group of people from the monitored organization and executes compliance declarations. Each response to a declaration includes proof. The security level compliance module 560 allows verifying the proof received from respondents. This verification may be done manually by the Administrator or automatically using robotic process automation. In another substep responses are analyzed and proper measures are provided. In the remote internal presentation step of the results of the security level compliance monitoring, risk results are presented on the compliance dashboard.

Claims

1. A device for cyber security managing comprising a security level assessment module for assessing current security level of the monitored network,
and configured to be connected within the monitored network so as to cooperate internally with components of the monitored network,
characterized in that it is configured to acquire input data providing additional functionality to at least said security level assessment module (520) by means of a secure connection via a Jumpserver (300) from a remote security service provider workstation (200) which is located beyond the monitored network (400).
2. The device according to claim 1, wherein it is further configured to acquire input data providing additional functionality to at least security level assessment module to acquire input data providing additional functionality to at least said security level assessment module (520) by means of a secure connection via the Jumpserver (300) from a remote expertise database (600).
3. The device according to claim 1 or 2, wherein it is further configured to remote external presentation of the data outputted at least by said security level assessment module (520) by means of a secure connection via the Jumpserver (300) on the remote security service provider workstation (200) which is located beyond the monitored network.
4. The device according to claim 1 or 2 or 3, wherein it further comprises a security level boost module (540) for modifying current security level of the monitored network (400).
5. The device according to claim 1 or 2 or 3, wherein it further comprises a security level standards compliance module for monitoring current compliance with security level standards of the monitored network (400).
6. The device according to claim 1 or claim 2 or claim 3, wherein it comprises a remote display (580) comprising a console (585) enabling to remotely input data for providing additional functionality to at least said security level assessment module (520).
7. The device according to claim 1 or claim 2 or claim 3 or claim 4, wherein the remote display (580) comprises a dashboard module (581) configured to remotely present the data outputted at least by said security level assessment module (520) on a workstation which is located within the monitored network (400).
8. The device according to any of preceding claims, wherein the dashboard module (581) comprises a ticketing module (584) enabling secure communication between said workstation which is located within the monitored network (400) and the remote security service provider workstation (200) which is located beyond the monitored network (400).
9. The device according to any of preceding claims, wherein the dashboard module (581) comprises a snapshot module (583) for emailing information on the security level to work stations within the monitored network (400).
10. A system for cyber security managing characterized in that it comprises a device (500) for cyber security managing according to any of preceding claims which is connected within a monitored network (400) and a security service provider workstation (200) which is located beyond the monitored network (400) and connected to the device (500) for cyber security by means of secure connection via a Jumpserver (300).
11. The system according to claim 10, wherein it further comprises an expertise database 600 located beyond the monitored network (400) and connected to the security service provider workstation (200) located beyond the monitored network (400).
12. A method for cyber security managing within a monitored network comprising a step of security level assessing within the monitored network and a step of presenting results of security level assessing within the monitored network characterized in that it further comprises a step of acquiring input data providing additional functionality to at least said security level assessment module (520) by means of a secure connection via a Jumpserver (300) from a remote security service provider workstation (200) which is located beyond the monitored network (400).
13. The method according to claim 12, wherein it further comprises a step of acquiring input data providing additional functionality to at least said security level assessment module (520) by means of a secure connection via a Jumpserver (300) from a remote expertise database (600) which is located beyond the monitored network (400).
14. The method according to claim 12 or 13, wherein it comprises a step of remote external presentation of the data outputted at least by said security level assessment module (520) by means of a secure connection via the Jumpserver (300) on the remote security service provider workstation (200) which is located beyond the monitored network.
15. The method according to claim 12 or 13 or 14, wherein it further comprises a step of security level boosting performed in real time based on the data outputted in the step of security level assessment, the data outputted in both steps not leaving the monitored network (400).
16. The method according to any of claims 12-15, wherein it further comprises a step of secure communication via the Jumpserver (300) between a workstation which is located within the monitored network (400) and the remote security service provider workstation (200) which is located beyond the monitored network (400) by remote display means.
PCT/PL2018/050025 2018-06-11 2018-06-11 Device, system and method for cyber security managing in a remote network WO2019240604A1 (en)

Publications (1)

Publication Number Publication Date
WO2019240604A1 true WO2019240604A1 (en) 2019-12-19

Veshne Attack Surface Management: Principles for simplifying the complexity of OT security
Sedlák et al. Assignment Master's Thesis
Culler et al. Cyber-Risk Management Feasibility Study

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 18871813; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 18871813; Country of ref document: EP; Kind code of ref document: A1