Task
It can be useful to look at cyber-attacks in the news to prepare ourselves for similar events. While the available information may be lacking, by analysing current events we can build scenarios to gain insights into adversary tactics, techniques and procedures as well as defences which we can adopt to mitigate similar attacks.
This assessment will continue from our case study which we started in the SITA cyber-attack part I presentation. This should include: identification of the root cause(s) of the incident; technical solution; non-technical solutions as well as broader impacts on the industry.
Introduction
On February 24, 2021, SITA, a major IT provider to the aviation sector (Farrer, 2021), suffered a cyber-attack: a breach of their Passenger Service System (PSS) led to the theft of data belonging to over 2.1 million airline passengers from at least 11 airlines. As outlined in the initial presentation, this included passenger data from SITA customers and Star Alliance members (Ilascu, 2021). The data was published for sale on the dark web (Securin Inc, 2021).
SITA issued a brief statement following the attack (SITA, 2021a), but given that further information is lacking, a combination of open source intelligence and some speculation will aid us in building our scenario, based on the following:
- A Lufthansa representative claimed “the hackers entered the reservation system of an Asian airline” prior to the SITA breach (Ilascu, 2021).
- While investigating an Air India breach, Group-IB discovered a connection to SITA and claimed it was a result of the SITA attack (Rostovtsev, 2021).
- SITA denied this connection (Brewster, 2021), but stopped short of ruling out any connection.
- Air India is based in Asia, the same location claimed by Lufthansa (Ilascu, 2021).
- Air India had access to the stolen data at the time of the attack: it was a SITA customer between at least 2016 (Enterprise IT World, 2016) and 2022 (Joshi, 2022), and it has been a Star Alliance member since 2014 (Star Alliance, 2019).
- Data was exfiltrated from Air India on 25 February 2021 (Rostovtsev, 2021); converting this to Atlanta time (the location of the SITA servers) gives 24 February, the date of initial access to SITA systems.
Using these facts, our scenario is:
- Patient zero, a customer of SITA and also a Star Alliance member was breached.
- The adversary used stolen credentials from patient zero to gain initial access to the SITA Passenger Service System.
- These credentials gave the adversary sufficient privileges to maintain a presence in SITA systems for 22 days to undertake discovery, collection and lateral movement.
- The adversary also used these privileges to locate and exfiltrate the data they wanted.
- SITA identified the breach and evicted the adversary from their systems.
While this may not be the actual mechanism of the attack, this plausible scenario can be used for analysis and to draw lessons from. In this report we will identify the root causes of the attack’s success, then recommend mitigations of a technical and non-technical nature, informed by NIST-CSF, ISO27K and MITRE ATT&CK Enterprise. We will then look at the industry-wide policy and business implications of the attack before concluding.
Root causes
It may be tempting to include the breach of patient zero as a root cause. However, this is not productive, because an insider could just as easily have undertaken the attack on SITA. For the purposes of this report we will limit scope to the period between the adversary gaining access to SITA systems and being evicted from them.
Three root causes have been identified in relation to the SITA breach: access with compromised credentials, supply chain data leaks, and lack of monitoring of authorised users.
1 Access with compromised credentials
After exfiltrating plaintext passwords from patient zero (Rostovtsev, 2021), the adversary gained access to SITA systems.
This root cause maps to a combination of MITRE ATT&CK Techniques, Valid Account (MITRE, 2023a) and Trusted Relationship (MITRE, 2022d) – the customer was a trusted relationship and their stolen credentials were the valid account. These techniques can be used as part of several Tactics including Initial Access, Maintain Persistence, Privilege Escalation and Defence Evasion, to gain access to remote systems without the need for malware or other tools which makes detection more difficult (MITRE, 2023a). These techniques seem ideal for supply chain attacks as an “overlap of permissions” may enable access between accounts or systems by adversaries (MITRE, 2023a) as well as taking advantage of access that “may not be protected or receives less scrutiny” (MITRE, 2022d). These techniques appear to have delivered, with the patient zero credentials being sufficient for the adversary to gain access to SITA systems and to achieve their goal.
2 Supply chain data leaks
The aviation supply chain is “one of the most complex and relied upon networks in the world” (Schmidt, 2016, p. 187) which experiences “supply chain risk and cyber attacks” (Koepsel, 2016, p. 60). As we touched on in the introductory presentation, this attack could be classified as a supply network attack because the supply chain involved is complex and dynamic. Supply networks often involve more than one supply chain and can have connections between active and non-active members (Braziotis et al., 2013, p. 646), which is exactly what we saw exploited in this attack.
Presumably due to data sharing agreements, SITA was holding passenger data of Star Alliance members – including those who weren’t SITA customers – for frequent flyer recognition purposes. Because patient zero was both a SITA customer and Star Alliance member they had access to both sets of passenger data (Ilascu, 2021). This created a data leak from Star Alliance to SITA, with the adversary able to exfiltrate the data of both of these intersecting supply chains.
3 Lack of monitoring of authorised users
Once the adversary had gained access to SITA servers with stolen credentials, they undertook discovery, lateral movement, collection and finally exfiltration as per the MITRE ATT&CK tactic definitions (MITRE, 2023b). This is a root cause because even if root causes 1 and 2 are mitigated, a lack of authorised user monitoring would allow an insider to conduct this attack. SITA is an IT provider to 90% of the aviation sector (Farrer, 2021) as well as an advocate for civil aviation cybersecurity, particularly detection (Uniting Aviation, 2020, para. 7–10). Considering this, and the fact that they evicted the adversary within 22 days (Sinha, 2021) of initial access – faster than the average of 302 days (IBM, 2023, p. 21) – we will assume they had effective monitoring in place. But it appears that they were focused on monitoring for unauthorised access, probably supplemented by human review of logs or anomalous activity.
Technical solutions
We will now look at technical controls specific to the root causes; in a later section we will look at how these contribute to broader measures to improve cybersecurity. To inform this, we will combine a standards-based and an attack lifecycle approach.
We will use ISO27K because I agree with SITA that ISO27K is an appropriate standard for ensuring the protection of the aviation sector: it is an international standard, and its implementation across the sector would provide a common context for cybersecurity (Strong, 2019). We will add business context by overlaying the NIST-CSF (Appendix E contains the relevant NIST-CSF and ISO27K mappings). Its functions and categories create an intuitive structure that helps non-technical stakeholders understand the controls, which will also contribute to engagement and awareness uplift.
Looking from the adversary’s perspective may identify potential gaps in our standards based controls and add to our defence-in-depth. To aid this we will apply the MITRE ATT&CK Enterprise framework. This was chosen because it is a thorough, tested and maintained framework. MITRE is also actively engaged in aviation cybersecurity with aviation being a “focus area” of theirs (MITRE, 2022b) and their Center for Advanced Aviation System Development (CAASD) “serving as a hub for collaboration across global aviation stakeholders” (MITRE, 2022c), making it an appropriate attack lifecycle framework.
Recommendations
Root cause one: Access with compromised credentials
To prevent adversaries from using compromised credentials to gain access to SITA systems, strong authentication should be implemented. Strong authentication builds on two-factor and multi-factor authentication by requiring that one factor be single use, making it useless if stolen. A number of options are available, such as one-time passwords, time-based codes or biometrics. I recommend using an authentication app such as Microsoft Authenticator; these are more secure than other methods of Multifactor Authentication (MFA) because the authentication request is sent via the service (Okta, 2023).
To reinforce strong authentication, Attribute Based Access Control (ABAC) should be implemented. ABAC grants access to systems based on the user’s attributes, for example their role, object (what they are trying to access) attributes such as file labels, and environmental attributes such as location, time, IP address and device ID. A set of policies will then use these attributes to determine access (Hu et al., 2014, p.7). By implementing ABAC with a policy to restrict access of authenticated users based on location, IP address, device ID and time, the adversary’s login attempt could have been detected and prevented.
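As an added illustration of the ABAC policy described above (example code written for this report, not from SITA, NIST SP 800-162 or any product), the following evaluates a login that has already presented valid credentials against the subject, object and environmental attributes named in the text. The role names, device IDs, networks, country codes and business hours are constructed assumptions; the decision rule (one anomaly triggers an MFA step-up, two or more deny) is this example's own.

```python
# Added example: an ABAC-style decision for a PSS login. All identifiers,
# networks, countries and thresholds below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass
class Subject:
    """Subject attributes: who is logging in and what is normal for them."""
    user: str
    role: str
    enrolled_devices: set   # device IDs registered to this user
    home_countries: set     # ISO country codes this user normally logs in from


@dataclass
class Environment:
    """Environmental attributes observed at the time of the login attempt."""
    src_ip: str
    country: str
    device_id: str
    time: datetime          # must be timezone-aware (UTC)


@dataclass
class Policy:
    """Object attributes: what the protected resource permits."""
    allowed_roles: set
    allowed_networks: list  # CIDR strings
    business_hours: tuple   # (start_hour, end_hour) in UTC, end exclusive


def evaluate(subject: Subject, env: Environment, policy: Policy):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    if subject.role not in policy.allowed_roles:
        return "deny", ["role not permitted for this resource"]

    reasons = []
    src = ip_address(env.src_ip)
    if not any(src in ip_network(net) for net in policy.allowed_networks):
        reasons.append(f"source IP {env.src_ip} outside allowed networks")
    if env.device_id not in subject.enrolled_devices:
        reasons.append(f"device {env.device_id} not enrolled for {subject.user}")
    if env.country not in subject.home_countries:
        reasons.append(f"login from unusual country {env.country}")
    start, end = policy.business_hours
    if not start <= env.time.hour < end:
        reasons.append(f"login at {env.time:%H:%M} UTC outside business hours")

    if not reasons:
        return "allow", reasons
    # A single anomaly is tolerable if a fresh, single-use factor is presented;
    # several anomalies together look like credential misuse, so deny and alert.
    if len(reasons) == 1:
        return "step_up", reasons
    return "deny", reasons


# Constructed sample data: one airline account and a PSS access policy.
AIRLINE_USER = Subject(
    user="airline-b-reservations",
    role="pss_agent",
    enrolled_devices={"DEV-4421"},
    home_countries={"AU"},
)
PSS_POLICY = Policy(
    allowed_roles={"pss_agent", "pss_admin"},
    allowed_networks=["203.0.113.0/24"],
    business_hours=(6, 20),
)


def sample_decisions():
    """Evaluate three constructed login attempts against PSS_POLICY."""
    utc = timezone.utc
    attempts = {
        "enrolled_device_office_hours": Environment(
            "203.0.113.42", "AU", "DEV-4421", datetime(2021, 2, 24, 9, 0, tzinfo=utc)),
        "enrolled_device_after_hours": Environment(
            "203.0.113.42", "AU", "DEV-4421", datetime(2021, 2, 24, 23, 30, tzinfo=utc)),
        "stolen_credentials_unknown_device": Environment(
            "198.51.100.7", "ZZ", "DEV-UNKNOWN", datetime(2021, 2, 24, 3, 0, tzinfo=utc)),
    }
    return {name: evaluate(AIRLINE_USER, env, PSS_POLICY) for name, env in attempts.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in sample_decisions().items():
        print(f"{name}: {decision} {reasons}")
```

The third attempt carries valid credentials yet trips every environmental check, which is the case the page argues ABAC would have caught.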
Enhancing logging would also enable more informed analysis. By including logon attempts, user activity, application logs and network traffic logs, the security team will, in the event of a successful attack, be able to use this information to undertake forensics and help prevent future attacks.
Appendix A contains applicable standards and MITRE ATT&CK details which informed these mitigations.
Root cause two: Supply chain data leaks
This root cause is an architectural vulnerability which, when coupled with the Valid Account technique, is difficult to protect against; however, we can build on the mitigations put forward for access with compromised credentials.
Federated identity management would mitigate this root cause. Instead of sharing customer lists and their data, using federated identity management, each airline would retain their data and act as an identity provider with SITA acting as the federation provider, working as such:
- Airline A wants to verify that a passenger is a frequent flyer with Airline B
- Airline A provides Airline B with the customer’s identifier
- Airline B then checks and responds to Airline A, without the need for sharing personal information.
As the data remains with its respective airline, the data is effectively segmented and would require successful attacks on multiple targets to gather.
A federated model could mitigate this particular attack by protecting identities, however other data may still be exposed to theft in this type of breach. Micro-segmentation would help mitigate this root cause at a more general level by limiting the ability of adversaries to undertake discovery, lateral movement, collection and exfiltration. It can also enhance monitoring by informing where and what to monitor and allow security teams to focus on systems and connections of higher value as well as providing more structured data for logs and forensics (CloudFlare, 2022).
Appendix B contains applicable standards and MITRE ATT&CK details which informed these mitigations.
Root cause three: Lack of monitoring of authorised users
Situational awareness is knowing what is going on around us so that we can be ready to respond, and monitoring is key to maintaining it. We have a range of tools available for collecting data, such as firewalls, system logs, and intrusion detection and prevention systems. We can also monitor anomalous user behaviour with tools such as AWS CloudWatch or Azure User and Entity Behavior Analytics.
This can all be brought together in a Security Information and Event Management (SIEM) system to give a holistic overview which, combined with the micro-segmentation implemented for root cause 2, informs our situational awareness. The volume of data collected can present a challenge in itself; we will look at this in more detail in our non-technical mitigations.
Appendix C contains applicable standards and MITRE ATT&CK details which informed these mitigations.
What SITA has done
According to SITA, following the attack, “cybersecurity embedded”, or, security-by-design has been a key motivator in their approach to business (SITA, 2022b, p. 25). This is confirmed in their 2022 Security Technical and Operational Measures which outlines “embedding security into software development” with various standards including the Open Web Application Security Project Software Assurance Maturity Model (OWASP SAMM) as well as Microsoft’s Secure Development Lifecycle (SDL) (SITA, 2022a).
In response to this attack, SITA has introduced a new product offering, partnering with Versa Networks to deploy a Software Defined Network solution called SITA Connect Go (SITA, 2022c) which leverages Secure Access Service Edge (SASE). SASE, pronounced sassy, delivers integrated network-as-a-service and security-as-a-service capabilities (Gartner, 2022) such as Software Defined Wide Area Network, Zero-Trust Network Access, Cloud Access Security Broker, Next Generation Firewall and Secure Web Gateways with a view to close gaps in security which previously existed in the security stack (Ginn & Brown, 2022).
The Versa Networks website states that their SASE product assumes breach and implements zero trust network access, which leverages micro-segmentation and isolation and enforces authentication of all devices and users. This includes checking policy, users and their context, as well as the identities of applications and devices. It also restricts network access based on IP address or location; Versa claims this mitigates lateral movement as well as “threats from unmanaged devices connecting to the network”. Following an attack, it also shares threat intelligence with all devices in the network (Versa Networks, 2022a).
Comparing this to the recommendations above, we can see that SITA have taken a step in the right direction. Their new product and approach to security seem capable of mitigating access with compromised credentials (with MFA, ABAC and advanced monitoring) and lack of monitoring of authorised users (with Continuous Diagnostics and Mitigation (CDM), and continuous assessment and monitoring of risk and trust) (Versa Networks, 2022b). SASE can also integrate with external identity providers as well as acting as an identity broker itself (Mehta & Mehta, 2021, pp. 7, 53); given that implementing federated identity would remove the need to share customer identities, combined with the micro-segmentation mentioned above, it may also be able to mitigate supply chain data leaks.
Non-technical mitigations
Recommendations
There are a number of non-technical mitigations to prevent an attack of this nature occurring again.
Firstly, policies to support the above technical recommendations will need to be created and implemented. Without policy, adoption may stall and the desired outcomes may not be achieved.
Supply chains need to be mapped and cybersecurity policies and agreements made with members up and down stream – both suppliers and customers. This should include education and training so that all supply chain members (including SITA staff) are aware of cybersecurity risks and understand their responsibility to mitigate them.
Security-by-design should be integrated in business processes and ways-of-working, so that business processes will always be in an authorised state – in other words systems and data are secure at each stage and transition of the process – even in the event of a breach. This will add teeth to awareness and training as it means that everyone is living and breathing cyber-awareness just by following the secure processes.
The technical solutions suggested generate a lot of data which needs resources to undertake analysis – resources that are scarce due to a global cyber skills shortage (Oltsik, 2023). In fact, globally we collect security monitoring in such quantities that analysing it is now one of big data’s biggest problems (Amjad et al., 2016, p. 124). A lack of analysis impedes decision making, so we need a way of refining the data we collect. Cyber-risk monitoring (Amjad et al., 2016) enables the definition and monitoring of business events – events that impact business operations – not just IT events. For example, a failed login attempt from a known IP and device from a user with a history of forgetting their password may have a lower priority than a failed login attempt from an unknown IP and device. This will allow security teams to prioritise their resources in a more efficient and effective manner.
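The prioritisation described above can be shown over a small constructed authentication log. This is added example code, not from the report's sources or any SITA system: the log format, the user names, the addresses and the threshold of three prior failures are all assumptions. Each failed login is ranked by whether the source IP and device are already known for that user and whether the user has a history of failed logins.

```python
# Added example: cyber-risk style triage of failed logins. The log format,
# users, addresses and thresholds are constructed for illustration only.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>success|failure) "
    r"ip=(?P<ip>\S+) device=(?P<device>\S+)$"
)

# Constructed sample log, in chronological order. Earlier successes establish
# each user's known IPs and devices; the final two lines are the events to triage.
SAMPLE_LOG = """\
2021-02-20T08:01:00Z user=alice result=success ip=203.0.113.10 device=LAPTOP-A1
2021-02-21T08:03:00Z user=alice result=failure ip=203.0.113.10 device=LAPTOP-A1
2021-02-21T08:04:00Z user=alice result=success ip=203.0.113.10 device=LAPTOP-A1
2021-02-22T08:02:00Z user=alice result=failure ip=203.0.113.10 device=LAPTOP-A1
2021-02-22T08:03:00Z user=alice result=success ip=203.0.113.10 device=LAPTOP-A1
2021-02-23T08:05:00Z user=alice result=failure ip=203.0.113.10 device=LAPTOP-A1
2021-02-23T08:06:00Z user=alice result=success ip=203.0.113.10 device=LAPTOP-A1
2021-02-23T09:10:00Z user=bob result=success ip=203.0.113.25 device=LAPTOP-B7
2021-02-24T08:02:00Z user=alice result=failure ip=203.0.113.10 device=LAPTOP-A1
2021-02-24T02:17:00Z user=bob result=failure ip=198.51.100.77 device=UNKNOWN-9F
"""

FORGETFUL_THRESHOLD = 3  # prior failures from known IP/device before we treat a user as "forgetful"


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def priority(event, known_ips, known_devices, prior_failures):
    """Rank one failed login using only history observed before it."""
    ip_known = event["ip"] in known_ips
    dev_known = event["device"] in known_devices
    if not ip_known and not dev_known:
        return "high"        # nothing about this attempt matches the user's history
    if not ip_known or not dev_known:
        return "medium"      # partially familiar: worth a look, not an alarm
    if prior_failures >= FORGETFUL_THRESHOLD:
        return "low"         # known IP, known device, and a habit of mistyping
    return "medium"


def triage(text):
    """Return [(timestamp, user, priority)] for every failed login in the log."""
    known_ips = defaultdict(set)
    known_devices = defaultdict(set)
    failures = defaultdict(int)
    ranked = []
    for ev in parse_log(text):
        user = ev["user"]
        if ev["result"] == "success":
            known_ips[user].add(ev["ip"])
            known_devices[user].add(ev["device"])
            continue
        ranked.append((ev["ts"], user, priority(ev, known_ips[user], known_devices[user], failures[user])))
        failures[user] += 1
    return ranked


if __name__ == "__main__":
    for ts, user, level in triage(SAMPLE_LOG):
        print(f"{ts} {user:6} {level}")
```

Alice's fourth failure from her usual laptop and address ranks low, while Bob's single failure from an address and device never seen for him ranks high, matching the page's example.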
These measures will complement the technical mitigations, enhancing their performance and helping to secure against insider attacks as well as against social engineering and other attacks on wetware. Given that these recommendations will have organisational wide impacts, to aid in implementation and adoption, I recommend setting up a cyber fusion centre which will bring together business, IT and security expertise to de-silo and allow sharing of knowledge. This will inform an organisation-wide approach to cybersecurity which is fit for purpose and enables “faster and more effective diagnosis and remediation when incidents occur” (Amjad et al., 2016, p. 130).
Appendix D contains applicable standards and MITRE ATT&CK details which informed these mitigations.
What SITA has done
SITA has initiated a number of organisational wide non-technical solutions.
Their governance structure has changed in response to the attack, with the creation of the Cyber Security Committee (SITA, 2021a, p. 14), which evolved into the Cyber and Privacy Committee which monitors all “enhancements of the Enterprise Security Improvement Plan and Privacy Program” (SITA, 2022b, p. 9). They are also enhancing their mandatory staff training, creating “a better learning experience” which includes privacy and data protection, cybersecurity and privacy-by-design (SITA, 2021a, p. 36) to facilitate an uplift in cyber posture.
They have updated their Security Technical and Operational Measures, which appears to be a high level cybersecurity policy. In 2018 it was a one page document with very high level and generic security guidance including: guarding against unauthorised access, ensuring service continuity and protecting confidentiality and integrity of data (SITA, 2018b).
Following the attack, their 2022 Security Technical and Operational Measures is much more detailed, spanning three pages and including the following security topics (SITA, 2022a):
- Information security governance
- Human resources security
- Security in third party relationships
- Physical security
- Asset management
- Secure development lifecycle
- Incident management
- Independent information security audit and certifications
The document specifies that these apply to SITA at a global level and each topic contains relevant ISO27K controls and GDPR principles.
Implications across the industry
This incident will have implications across the industry. I believe the three most significant will be in supply chain cybersecurity, adopting an attacker’s mindset in preparing defences, and the adoption of zero trust network architecture.
Adopting an attacker’s mindset in defence
Standards provide an excellent framework for implementing cybersecurity policy, but as we saw in this attack, they can leave vulnerabilities if they aren’t appropriately contextualised to the organisation. ISO27K has applicable standards and controls that could have mitigated this attack. For example, ISO27002 Control 6.7 Remote working and Control 8.5 Secure authentication would have seen the use of multi-factor authentication and considerations “such as access from an unusual location, from an unusual device or at an unusual time” (International Organization for Standardization, 2022), which could have detected the unusual IP address used by the adversary to access their systems (Rostovtsev, 2021). But in SITA’s case, it appears these were applied to defend against unauthorised access, not against authorised access with compromised credentials or by insiders. By adopting an attacker’s mindset, we can complement standards by considering the principle of easiest penetration as well as misuse cases; the attack lifecycle and frameworks such as MITRE ATT&CK can help inform this.
Using these different perspectives should provide overlapping controls and help enhance defence-in-depth, as well as an uplift in culture and awareness through enhanced understanding of the nuances of defence.
Supply chain security
Aviation supply chain cybersecurity is an area that needs attention, and is becoming even more important with the introduction of third party application support in next generation Air Traffic Management systems currently being rolled out globally (Thompson, 2019). The ICAO Cybersecurity Action Plan calls for cooperation across the sector to manage supply chain risks and threats (ICAO, 2022, p. 11) indicating that, in alignment with the above non-technical recommendation, “cyber-security standards should exist for the entire supply chain” (Koepsel, 2016, p. 51).
The lack of clear oversight in supply chains creates an environment where “malicious actors thrive” (Muncaster, 2021), making it critical for organisations to include their supply chains in their cybersecurity strategies (Mehan, 2014). This is easier said than done: while Section 4 of Executive Order 14028 called for the enhancement of software supply chain security (Biden, 2021, p. 26637), supply chain cybersecurity is still an evolving field, particularly in aviation (Hally, 2022). This is complicated by the insufficient attention paid to aviation technology supply chains to date (Koepsel, 2018, p. 64) and by the fact that they are “one of the most complex and relied upon networks in the world” (Schmidt, 2016, p. 187).
As a starting point, organisations have standards available to guide them on supply chain cybersecurity:
- NIST-CSF Supply Chain Risk Management (ID.SC)
- ISO 27002 5.21 Managing information security in the ICT supply chain
- ICAO SARP 4.9.1 & 4.9.2 of Annex 17 of the Chicago Convention (Pecharromán, 2020)
We will extend on this in the following zero trust section.
Adoption of zero trust network architecture
Many aviation systems “were designed with a significantly weaker threat model in mind” (Dave et al., 2022, p. 10) with open designs (Elmarady & Rahouma, 2021, p. 143997) resulting in insecure systems (Dave et al., 2022, p. 7). I believe this approach was reflected in the way SITA and Star Alliance handled passenger data and the way SITA allowed access to their systems. An “aviation intranet” as outlined in the ICAO’s Global Air Navigation Plan 2012-2030 (GANP) (ICAO, 2016, p. 72) will enable sector growth by connecting all airspace users (Elmarady & Rahouma, 2021, p. 144013), however this level of interconnectivity “presents elevated cyber-attack opportunities” (Latifi, 2016, p. 202).
In order to facilitate this level of interconnection we will see a shift to zero trust network architecture, spanning business systems to aircraft components, which will restrict adversaries when they breach. Zero trust network architecture requires explicit verification, least privilege access and assumption of breach. This means that users, human or otherwise, must authenticate and be authorised using all available data points, including anomaly detection, to gain the minimum privileges for the minimum period required to undertake a task (Microsoft, 2023b). It also assumes breach, recognising that there is no such thing as perfect security and that the goal is to impede an adversary’s progress and minimise loss and damage before eviction. Micro-segmentation is key to zero trust; in combination with explicit verification and end-to-end encryption it impedes progression of the attack lifecycle. For defenders it allows isolation of threats before they spread (CloudFlare, 2022).
It could also benefit threat intelligence: since we are expecting and prepared for breach, we can gather more pertinent data when it occurs, perhaps luring the adversary (MITRE, 2022a) to a honeynet for observation. This could lead to clearer definitions of trust boundaries and inform iterative improvements to architecture, practices, monitoring and response.
Conclusion
Following an attack in 2021 SITA made a shift to security-by-design which has impacted their approach to cybersecurity in their: products, with adoption of SASE architecture; governance, creating the Cyber and Privacy Committee; and in awareness, with new staff training.
In this report we used open source intelligence to build a scenario for analysis. We then presented three root causes for the success of the attack:
- Access with compromised credentials
- Supply chain data leaks
- Lack of monitoring of authorised users
We then presented technical solutions for each of these, arrived at through an application of NIST-CSF, ISO27K and MITRE ATT&CK. We looked at each root cause individually, with a view to working them into a holistic solution. For access with compromised credentials we recommended strong authentication, ABAC and enhanced logging. To mitigate supply chain data leaks we put forward federated identity management and micro-segmentation. Finally, for lack of monitoring of authorised users we looked at improving situational awareness with improved monitoring and a SIEM.
Looking at non-technical mitigations we looked at policy support for the technical mitigations as well as training and education to improve cyber posture. To support this, the integration of security-by-design into business processes was introduced to ensure that systems, processes and data remain in authorised states. To handle the increased data being gathered by our technical mitigations, a shift to cyber risk management was recommended, which brings more focus and relevance to event data collection to allow more efficient and effective use of resources.
We also reported on SITA’s response to the attack. Their technical response has been to implement a SASE solution, which has wide-ranging implications and covers our technical recommendations. They have also made significant changes to their governance, training and policy.
We brought this all together to look at implications for the sector, exploring the combination of a standards based approach with application of an attack lifecycle to bring rigour to applying an attacker’s mindset to cybersecurity. There is also a need to focus on supply chain cybersecurity, supported by the adoption of zero trust throughout the aviation sector. In SITA’s case, these recommendations could complement their current response and help to generate organisational wide engagement, improved adoption of solutions and uplift. More generally, these recommendations were made to mitigate the threats facing a sector that is modernising and growing while facilitating growing interconnection.
References
Air Inuit. (2021). Notice of cybersecurity incident at former service provider – Sita. https://www.airinuit.com/uploads/alerts/SITA/SITA_INCIDENT_Website_Notice_FINAL.pdf
Amjad, A., Nicholson, M., Stevenson, C., & Douglas, A. (2016). From security monitoring to cyber risk monitoring. Deloitte Review. https://www2.deloitte.com/content/dam/insights/us/articles/future-of-cybersecurity-operations-management/DR19_FromSecurityMonitoringToCyberRiskMonitoring.pdf
ASD. (2021). Implementing network segmentation and segregation. Cyber.Gov.Au. https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/network-hardening/implementing-network-segmentation-and-segregation
Biden, J. (2021, May 17). Improving the nation’s cybersecurity. Federal Register. https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity
Bracken, B. (2021, March 5). Massive supply-chain cyberattack breaches several airlines. Threatpost. https://threatpost.com/supply-chain-cyberattack-airlines/164549/
Braziotis, C., Bourlakis, M., Rogers, H., & Tannock, J. (2013). Supply chains and supply networks: Distinctions and overlaps. Supply Chain Management: An International Journal, 18(6), 644–652. https://doi.org/10.1108/scm-07-2012-0260
Brewster, T. (2021, June 10). Are the FBI’s ‘most wanted’ Chinese spies hacking the airline industry? Forbes. https://www.forbes.com/sites/thomasbrewster/2021/06/10/are-the-fbis-most-wanted-chinese-spies-hacking-the-airline-industry/?sh=54976ea6237d
Brown, R., Ta, van, Bienstock, D., Ackerman, G., & Wolfram, J. (2023, August 9). APT41 targeting U.S. state government networks. Mandiant. https://www.mandiant.com/resources/blog/apt41-us-state-governments
CloudFlare. (2022). What is microsegmentation? Cloudflare. https://www.cloudflare.com/en-au/learning/access-management/what-is-microsegmentation/
Collier, B., Clayton, R., Hutchings, A., & Thomas, D. (2021). Cybercrime is (often) boring: Infrastructure and alienation in a deviant subculture. The British Journal of Criminology, 61(5), 1407–1423. https://doi.org/10.1093/bjc/azab026
Dave, G., Choudhary, G., Sihag, V., You, I., & Choo, K.-K. R. (2022). Cyber security challenges in aviation communication, navigation, and surveillance. Computers & Security, 112, 102516. https://doi.org/10.1016/j.cose.2021.102516
Elmarady, A. A., & Rahouma, K. (2021). Studying cybersecurity in civil aviation, including developing and applying aviation cybersecurity risk assessment. IEEE Access, 9, 143997–144016. https://doi.org/10.1109/access.2021.3121230
Enterprise IT World. (2016). Customer story: Air India | SITA. http://www.enterpriseitworld.com/wp-content/uploads/2017/09/Air-India-Customer-Story-A4-HR-Final-Final.pdf
Farrer, M. (2021, March 5). Airline data hack: Hundreds of thousands of Star Alliance passengers’ details stolen. The Guardian. https://www.theguardian.com/world/2021/mar/05/airline-data-hack-hundreds-of-thousands-of-star-alliance-passengers-details-stolen
Gartner. (2022, September 28). Definition of secure access service edge (SASE) – Gartner information technology glossary. Gartner. https://www.gartner.com/en/information-technology/glossary/secure-access-service-edge-sase
Ghosh, S. (2021, May 30). Air India data breach highlights concerns around third-party risk and supply-chain security. CSO Online. https://www.csoonline.com/article/570797/air-india-data-breach-highlights-concerns-around-third-party-risk-and-supply-chain-security.html
Ginn, J., & Brown, D. H. (2022). Diving into Secure Access Service Edge: A technical leadership guide to achieving success with SASE at market speed. Packt Publishing Ltd.
Hally, L. (2022, June 30). Evolving aviation cybersecurity. A Cyber Security Blog by Luke Hally. https://www.lukehally.com.au/cyber-ops/a-review-of-aviation-cybersecurity/
Hally, L. (2023, June 3). Advanced cyber risk monitoring. A Cyber Security Blog by Luke Hally. https://www.lukehally.com.au/cyber-risk-resilience/advanced-cyber-risk-monitoring/
Hu, V., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., & Scarfone, K. (2014). Guide to attribute based access control (ABAC) definition and considerations. National Institute of Standards and Technology. http://dx.doi.org/10.6028/nist.sp.800-162
Hughes, M. (2021, March 5). Oh SITA: Airline IT provider confirms passenger data leaked after major “cyber-attack.” The Register. https://www.theregister.com/2021/03/05/oh_sita_airline_it_provider/
IBM. (2023). Cost of a data breach report 2023. https://www.ibm.com/downloads/cas/E3G5JMBP
ICAO. (2016). 2016–2030 Global Air Navigation Plan. ICAO. https://www.icao.int/publications/Documents/9750_5ed_en.pdf
ICAO. (2022). Cybersecurity Action Plan. https://www.icao.int/aviationcybersecurity/Documents/CYBERSECURITY%20ACTION%20PLAN%20-%20Second%20edition.EN.pdf
Ikeda, S. (2021, March 8). Aviation IT giant SITA breached in extensive supply chain attack; frequent flier programs of major airline … CPO Magazine. https://www.cpomagazine.com/cyber-security/aviation-it-giant-sita-breached-in-extensive-supply-chain-attack-frequent-flier-programs-of-major-airlines-compromised/
Ilascu, I. (2021, March 5). SITA data breach affects millions of travelers from major airlines. BleepingComputer. https://www.bleepingcomputer.com/news/security/sita-data-breach-affects-millions-of-travelers-from-major-airlines/amp/
Intelligent Discovery. (2020). AWS cloudwatch security alarms best practice. Intelligent Discovery. https://www.intelligentdiscovery.io/controls/cloudwatch
International Organization for Standardization. (2022, February). Who should adopt ISO/IEC 27002? ISO. https://www.iso.org/standard/75652.html
Joshi, G. (2022, July 6). Tech revamp: Air India inks A deal with Amadeus for passenger service system. Simple Flying. https://simpleflying.com/air-india-deal-with-amadeus/
Koepsel, K. M. (2016). Commercial aviation and cyber security: A critical intersection. SAE International.
Koepsel, K. M. (2018). The aerospace supply chain and cyber security: Challenges ahead. SAE International.
Kropotov, V., McArdle, R., & Yarochkin, F. (2020, July 21). Hacker infrastructure and underground hosting 101: Where are cybercriminal platforms offered? Security News. https://www.trendmicro.com/vinfo/au/security/news/cybercrime-and-digital-threats/hacker-infrastructure-and-underground-hosting-101-where-are-cybercriminal-platforms-offered
Latifi, S. (2016). Information technology: New generations: 13th International Conference on Information Technology. Springer.
Mandiant. (2022). Apt41, a dual espionage and cyber crime operation. Mandiant. https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf
Mehan, J. (2014). CyberWar, CyberTerror, CyberCrime and CyberActivism: An in-depth guide to the role of standards in the cybersecurity environment. IT Governance Publishing.
Mehta, K., & Mehta, A. (2021). SASE For Dummies®, Versa Networks Special Edition. John Wiley & Sons, Inc. https://versa-networks.com/documents/ebooks/sase-for-dummies.pdf
Microsoft. (2023a). Enable entity behavior analytics to detect advanced threats. Microsoft Learn. https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics
Microsoft. (2023b). Zero trust model – Modern security architecture. Microsoft Security. https://www.microsoft.com/en-au/security/business/zero-trust
Microsoft. (2023c, February 8). Zero Trust and Windows device health – Windows Security. Microsoft Learn. https://learn.microsoft.com/en-us/windows/security/security-foundations/zero-trust-windows-device-health
MITRE. (2022a). MITRE Engage matrix. MITRE Engage. https://engage.mitre.org/matrix/?activity=lures
MITRE. (2022b, August 24). Aviation & transportation. MITRE. https://www.mitre.org/focus-areas/aviation-transportation
MITRE. (2022c, August 25). CAASD. MITRE. https://www.mitre.org/our-impact/rd-centers/center-advanced-aviation-system-development
MITRE. (2022d, September 21). Trusted relationship, technique T1199 – Enterprise. MITRE ATT&CK®. https://attack.mitre.org/techniques/T1199/
MITRE. (2023a, March 30). Valid accounts, technique T1078 – Enterprise. MITRE ATT&CK®. https://attack.mitre.org/techniques/T1078/
MITRE. (2023b, April 14). Cloud administration command, technique T1651 – Enterprise. MITRE ATT&CK®. https://attack.mitre.org/techniques/T1651/
Muncaster, P. (2021, March 5). SITA supply chain breach hits multiple airlines. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/sita-supply-chain-breach-hits/?__cf_chl_jschl_tk__=pmd_22d96108ea7a7a023a70a6e1ae2d307113653a31-1626767310-0-gqNtZGzNAfijcnBszQp6
Nair, P. (2021, March 5). Supply chain attack jolts airlines. GovInfoSecurity. https://www.govinfosecurity.com/supply-chain-attack-jolts-airlines-a-16123
NIST. (2023, July). NIST SP 800-53, Revision 5 Control Mappings to ISO/IEC 27001. https://csrc.nist.gov/files/pubs/sp/800/53/r5/upd1/final/docs/sp800-53r5-to-iso-27001-mapping.docx
Okta. (2023). Strong Authentication: Definition & Security Factors. https://www.okta.com/au/identity-101/what-is-strong-authentication/
Olenick, D. (2021, June 15). Report: China-Connected APT41 likely behind attacks on airlines. https://www.bankinfosecurity.asia/report-china-connected-apt41-likely-behind-attacks-on-airlines-a-16873
Oltsik, J. (2023, September 11). The global cybersecurity skills shortage: Still crazy after all these years. CSO Online. https://www.csoonline.com/article/651940/the-global-cybersecurity-skills-shortage-still-crazy-after-all-these-years.html
Pecharromán, J. (2020, December 1). Cybersecurity in Annex 17. https://www.icao.int/NACC/Documents/Meetings/2020/ACI/P02-CybersecurityAnnex17-ENG.pdf
Praveer, R. R. (2021, June 16). SITA PSS issues clarification on Air India hacking & involvement of APT41. myLawrd. https://www.mylawrd.com/sita-pss-issues-clarification-on-air-india-hacking-involvement-of-apt41/
PWC. (2021). Cyber Threats 2021: A Year in Retrospect. https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf
Rostovtsev, N. (2021, June 10). Big airline heist. Group-IB. https://www.group-ib.com/blog/colunmtk-apt41/
Schmidt, A. (2016). Cyberterrorism: combating the aviation industry’s vulnerability to cyberattack. Suffolk Transnational Law Review, 39(1).
Securin Inc. (2021, July 9). Back-to-back Air India attacks indicating more than just a data breach? Securin. https://www.securin.io/back-to-back-air-india-attacks-indicating-more-than-just-a-data-breach/
Silk, R. (2021, March 19). Airline data breach targets a fraudster favorite: loyalty programs. Travel Weekly. https://www.travelweekly.com/Travel-News/Airline-News/Airline-data-breach-targets-a-fraudster-favorite-Loyalty-programs
Singapore Airlines. (2021, March 4). Data incident at SITA affecting some KrisFlyer members. Latest News and Announcements. https://www.singaporeair.com/en_UK/sg/media-centre/news-alert/?id=kltm93p0
Sinha, S. (2021, May 22). Air India data breach: SITA says cyber attackers ‘accessed some systems for 22 days at Atlanta centre.’ Times Of India. https://timesofindia.indiatimes.com/india/air-india-data-breach-sita-says-cyber-attackers-accessed-some-systems-for-22-days-at-atlanta-centre/articleshow/82864982.cms
SITA. (2017). SITA Information Security Services. SITA Information Security Services. https://www.sita.aero/solutions/sita-at-airports/sita-communications-and-data-exchange/sita-information-security-services/
SITA. (2018a). Horizon the next steps. https://comms.sita.aero/rs/089-ZSE-857/images/SITA_HORIZON_THE_NEXT_STEPS_Interactive.pdf
SITA. (2018b). Security Technical and Operational Measures.
SITA. (2021a). SITA activity report 2021. SITA Activity Report 2021. https://www.sita.aero/sita-activity-report-2021/
SITA. (2021b). SITA statement about security incident. SITA Statement about Security Incident. https://www.sita.aero/pressroom/news-releases/sita-statement-about-security-incident/
SITA. (2022a). Security Technical and Operational Measures.
SITA. (2022b). SITA activity report 2022. https://www.sita.aero/globalassets/docs/surveys–reports/activity-report-2022.pdf
SITA. (2022c, October 3). SITA Connect go. SITA Connect Go. https://www.sita.aero/solutions/sita-at-airports/sita-communications-and-data-exchange/sita-connect/sita-connect-go/
Sorrells, M. (2021, March 5). SITA cyber attack accesses passenger data for multiple airlines. PhocusWire. https://www.phocuswire.com/sita-cyber-attack-accesses-passenger-data-for-multiple-airlines
Star Alliance. (2019, May). Star Alliance member airlines. Star Alliance. https://www.staralliance.com/en/members?airlineCode=AI
Strong, T. (2019, March 21). We need complete confidence in data security. We Need Complete Confidence in Data Security. https://www.sita.aero/pressroom/blog/we-need-complete-confidence-in-data-security/
Thompson, I. (2019, February 23). Reach for the Onesky, Australia’s integrated air traffic management system. Australian Aviation. https://australianaviation.com.au/2019/02/reach-for-the-onesky-australias-integrated-air-traffic-management-system/
Uniting Aviation. (2020, April 29). ANC Talks: SITA brings cybersecurity to the discussions. Uniting Aviation. https://unitingaviation.com/news/security-facilitation/anc-talks-sita-brings-cybersecurity-to-the-discussions/
Versa Networks. (2022a, May 4). Top 10 benefits of SASE (secure access service edge). Versa Networks. https://versa-networks.com/sase/benefits/
Versa Networks. (2022b, May 4). What Are the Major SASE components? Versa Networks. https://versa-networks.com/sase/components/
Appendix A
Relevant standards for root cause one, access with compromised credentials.
Table A1: Applicable ISO27K / NIST standards

| ISO27K | NIST-CSF |
|---|---|
| 5.16 Identity management | PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
| 5.17 Authentication information | PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
| | PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
| 5.18 Access rights | PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
| 8.2 Privileged access rights | PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
| 8.20 Networks security | PR.AC-3 Remote access is managed |
| 8.22 Segregation of networks | PR.AC-3 Remote access is managed |
| 8.5 Secure authentication | PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
| | PR.AC-7 * 3 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
Table A2: Applicable MITRE ATT&CK details

| MITRE ATT&CK Tactic & Techniques | MITRE Detection | MITRE Mitigations |
|---|---|---|
| Initial Access: Valid Account (ID: T1078), a known procedure of APT41; Trusted Relationship (ID: T1199) | • Logon Session (ID: DS0028) • Logon Session Creation • Logon Session Metadata • User Account (ID: DS0002) • User Account Authentication • Application Log (ID: DS0015) • Network Traffic (ID: DS0029) | • Account Use Policies (ID: M1036) • Password Policies (ID: M1027) • Privileged Account Management (ID: M1026) • User Account Management (ID: M1018) • Multi-factor Authentication (ID: M1032) |
Appendix B
Relevant standards for root cause two, supply chain data leaks.
Table B1: Applicable ISO27K / NIST standards

| ISO27K | NIST-CSF |
|---|---|
| 5.13 Labelling of information | PR.DS-5 Protections against data leaks are implemented |
| 5.14 Information transfer | PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation) |
| 5.15 Access control | PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
| 8.22 Segregation of networks | PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation) |
| 8.26 Application security requirements | PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
| | PR.AC-5 * 2 Network integrity is protected (e.g., network segregation, network segmentation) |
| 8.3 Information access restriction | PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
| 8.20 Networks security | DE.AE-1 A baseline of network operations and expected data flows for users and systems is established and managed |
| | PR.DS-5 Protections against data leaks are implemented |
Table B2: Applicable MITRE detection & mitigations

| MITRE Detection | MITRE Mitigations |
|---|---|
| • User Data Transfer Analysis (D3-UDTA) • Credential Compromise Scope Analysis (D3-CCSA) • Job Function Access Pattern Analysis (D3-JFAPA) • Resource Access Pattern Analysis (D3-RAPA) • Session Duration Analysis (D3-SDA) • User Geolocation Logon Pattern Analysis (D3-UGLPA) | • Local File Permissions (D3-LFP) • Disk Encryption (D3-DENCR) • File Encryption (D3-FE) |
Appendix C
Relevant standards for root cause three, lack of monitoring of authorised users.
Table C1: Applicable ISO27K / NIST standards

| ISO27K | NIST-CSF |
|---|---|
| 5.17 Authentication information | PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
| 8.15 Logging | DE.CM-3 Personnel activity is monitored to detect potential cybersecurity events |
| 8.16 Monitoring activities | DE.CM-1 The network is monitored to detect potential cybersecurity events |
| 8.3 Information access restriction | PR.DS-5 Protections against data leaks are implemented |
| 5.22 Monitoring, review and change management of supplier services | DE.CM-6 External service provider activity is monitored to detect potential cybersecurity events |
| | DE.AE-1 A baseline of network operations and expected data flows for users and systems is established and managed |
Table C2: Applicable MITRE ATT&CK details

| MITRE ATT&CK Tactic & Techniques | MITRE Detection | MITRE Mitigations |
|---|---|---|
| Lateral Movement: Remote Services (ID: T1021); Initial Access: Valid Account (ID: T1078); Exfiltration: Data Transfer Size Limits (ID: T1030), Transfer Data to Cloud Account (ID: T1537), Exfiltration Over Web Service (ID: T1567); Discovery: File and Directory Discovery (ID: T1083) | • Network Traffic (ID: DS0029) – Network Connection Creation, Network Traffic Content, Network Traffic Flow • Cloud Storage (ID: DS0010) • Snapshot (ID: DS0020) • Command (ID: DS0017) – Command Execution • File (ID: DS0022) – File Access • Process (ID: DS0009) – OS API Execution, Process Creation | • Network Intrusion Prevention (ID: M1031) • Filter Network Traffic (ID: M1037) • User Account Management (ID: M1018) • Data Loss Prevention (ID: M1057) |
Appendix D
Relevant standards for non-technical mitigations for all root causes.
Table D1: Applicable ISO27K / NIST standards

| ISO27K | NIST-CSF |
|---|---|
| 5.10 Acceptable use of information and other associated assets | PR.DS-2 Data-in-transit is protected |
| 5.14 Information transfer | ID.AM-3 Organizational communication and data flows |
| | PR.DS-2 Data-in-transit is protected |
| | PR.DS-5 Protections against data leaks are implemented |
| 5.15 Access control | PR.DS-5 Protections against data leaks are implemented |
| 5.16 Identity management | PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
| 5.17 Authentication information | PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
| 5.19 Information security in supplier relationships | ID.BE-1 The organization’s role in the supply chain is identified and communicated |
| | ID.SC-1 Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders |
| | ID.SC-3 Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan |
| 5.20 Addressing information security within supplier agreements | ID.BE-1 The organization’s role in the supply chain is identified and communicated |
| | ID.SC-3 Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan |
| 5.21 Managing information security in the ICT supply chain | ID.BE-1 The organization’s role in the supply chain is identified and communicated |
| | ID.SC-1 Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders |
| | ID.SC-3 Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan |
| 5.22 Monitoring, review and change management of supplier services | DE.CM-6 External service provider activity is monitored to detect potential cybersecurity events |
| | DE.AE-1 A baseline of network operations and expected data flows for users and systems is established and managed |
| | ID.BE-1 The organization’s role in the supply chain is identified and communicated |
| | ID.SC-2 Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process |
| | ID.SC-4 Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations |
| 6.3 Information security awareness, education and training | PR.AT-1 All users are informed and trained |
| | PR.AT-2 Privileged users understand their roles and responsibilities |
| | PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities |
| 8.20 Networks security | DE.AE-1 A baseline of network operations and expected data flows for users and systems is established and managed |
| | PR.DS-2 Data-in-transit is protected |
| | PR.DS-5 Protections against data leaks are implemented |
| 8.21 Security of network services | PR.AC-3 Remote access is managed |
| 8.22 Segregation of networks | PR.DS-5 Protections against data leaks are implemented |
| 8.24 Use of cryptography | PR.DS-5 Protections against data leaks are implemented |
| 8.26 Application security requirements | PR.DS-2 Data-in-transit is protected |
| | PR.DS-5 Protections against data leaks are implemented |
| 8.3 Information access restriction | PR.DS-5 Protections against data leaks are implemented |
Appendix E
Table E1: NIST-CSF to ISO27K mapping.

| NIST-CSF | ISO27K | Root Cause |
|---|---|---|
| DE.CM-6 External service provider activity is monitored to detect potential cybersecurity events | 5.22 Monitoring, review and change management of supplier services | Other mitigations |
| DE.AE-1 A baseline of network operations and expected data flows for users and systems is established and managed | 5.37 Documented operating procedures | Other mitigations |
| | 8.20 Networks security | |
| | 8.21 Security of network services | |
| | 8.32 Change management | |
| ID.AM-3 Organizational communication and data flows | 5.14 Information transfer | Other mitigations |
| ID.BE-1 The organization’s role in the supply chain is identified and communicated | 5.19 Information security in supplier relationships | Other mitigations |
| | 5.20 Addressing information security within supplier agreements | |
| | 5.21 Managing information security in the ICT supply chain | |
| | 5.22 Monitoring, review and change management of supplier services | |
| ID.SC-1 Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | 5.19 Information security in supplier relationships | Other mitigations |
| | 5.21 Managing information security in the ICT supply chain | |
| ID.SC-2 Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | 5.22 Monitoring, review and change management of supplier services | Other mitigations |
| ID.SC-3 Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan | 5.19 Information security in supplier relationships | Other mitigations |
| | 5.20 Addressing information security within supplier agreements | |
| | 5.21 Managing information security in the ICT supply chain | |
| ID.SC-4 Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | 5.22 Monitoring, review and change management of supplier services | Other mitigations |
| PR.AC-3 Remote access is managed | 8.21 Security of network services | Other mitigations |
| PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | 5.16 Identity management | Other mitigations |
| | 5.17 Authentication information | |
| PR.AT-1 All users are informed and trained | 6.3 Information security awareness, education and training | Other mitigations |
| | 8.7 Protection against malware | |
| PR.AT-2 Privileged users understand their roles and responsibilities | 5.2 Information security roles and responsibilities | Other mitigations |
| | 6.3 Information security awareness, education and training | |
| PR.AT-3 Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | 5.2 Information security roles and responsibilities | Other mitigations |
| | 5.4 Management responsibilities | |
| | 6.3 Information security awareness, education and training | |
| PR.DS-2 Data-in-transit is protected | 5.10 Acceptable use of information and other associated assets | Other mitigations |
| | 5.14 Information transfer | |
| | 5.8 Information security in project management | |
| | 8.20 Networks security | |
| | 8.26 Application security requirements | |
| PR.DS-5 Protections against data leaks are implemented | 5.10 Acceptable use of information and other associated assets | Other mitigations |
| | 5.13 Labelling of information | |
| | 5.14 Information transfer | |
| | 5.15 Access control | |
| | 5.3 Segregation of duties | |
| | 6.1 Screening | |
| | 6.5 Responsibilities after termination or change of employment | |
| | 6.6 Confidentiality or non-disclosure agreements | |
| | 7.5 Protecting against physical and environmental threats | |
| | 7.6 Working in secure areas | |
| | 7.8 Equipment siting and protection | |
| | 8.20 Networks security | |
| | 8.22 Segregation of networks | |
| | 8.24 Use of cryptography | |
| | 8.26 Application security requirements | |
| | 8.3 Information access restriction | |
| | 8.4 Access to source code | |
| New | 8.23 Web filtering | Root Cause 1 |
| PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 5.16 Identity management | |
| | 5.17 Authentication information | |
| | 5.18 Access rights | |
| | 8.2 Privileged access rights | |
| | 8.5 Secure authentication | |
| PR.AC-3 Remote access is managed | 6.2 Terms and conditions of employment | Root Cause 1 |
| | 6.7 Remote working | |
| | 7.9 Security of assets off-premises | |
| | 8.1 User endpoint devices | |
| | 8.20 Networks security | |
| | 8.22 Segregation of networks | |
| PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | 8.5 Secure authentication | Root Cause 1 |
| | 5.17 Authentication information | |
| ID.AM-4 External information systems are catalogued | 7.9 Security of assets off-premises | Root Cause 2 |
| PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 5.15 Access control | Root Cause 2 |
| | 5.3 Segregation of duties | |
| | 8.18 Use of privileged utility programs | |
| | 8.26 Application security requirements | |
| | 8.3 Information access restriction | |
| | 8.4 Access to source code | |
| PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation) | 8.26 Application security requirements | Root Cause 2 |
| | 5.14 Information transfer | |
| | 8.22 Segregation of networks | |
| PR.DS-5 Protections against data leaks are implemented | 5.8 Information security in project management | Root Cause 2 |
| | 8.18 Use of privileged utility programs | |
| DE.CM-3 Personnel activity is monitored to detect potential cybersecurity events | 8.15 Logging | Root Cause 3 |
| New | 8.16 Monitoring activities | Root Cause 3 |
| PR.AC-5 Network integrity is protected (e.g., network segregation, network segmentation) | 8.26 Application security requirements | Root Cause 3 |
| | 5.14 Information transfer | |
| | 8.20 Networks security | |
| | 8.22 Segregation of networks | |
| PR.AC-7 Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | 5.34 Privacy and protection of PII | Root Cause 3 |
| | 8.5 Secure authentication | |
| | 5.16 Identity management | |
| | 5.17 Authentication information | |
| PR.DS-1 Data-at-rest is protected | 5.10 Acceptable use of information and other associated assets | Root Cause 3 |
| PR.DS-2 Data-in-transit is protected | 5.10 Acceptable use of information and other associated assets | Root Cause 3 |
| | 5.14 Information transfer | |
| | 8.20 Networks security | |
| | 8.26 Application security requirements | |
| PR.DS-5 Data-in-transit is protected | 5.15 Access control | Root Cause 3 |
| PR.DS-5 Protections against data leaks are implemented | 5.10 Acceptable use of information and other associated assets | Root Cause 3 |
| | 5.14 Information transfer | |
| | 5.3 Segregation of duties | |
| | 7.5 Protecting against physical and environmental threats | |
| | 7.6 Working in secure areas | |
| | 7.8 Equipment siting and protection | |
| | 8.2 Privileged access rights | |
| | 8.20 Networks security | |
| | 8.22 Segregation of networks | |
| | 8.26 Application security requirements | |
| | 8.3 Information access restriction | |
| | 8.4 Access to source code | |