Internet security guidance

The second edition of ISO/IEC 27032 "Cybersecurity - Guidelines for Internet security" has just been published.

The introduction to the new edition commences:

"The focus of this document is to address Internet security issues and provide guidance for addressing common Internet security threats, such as:

— social engineering attacks;

— zero-day attacks;

— privacy attacks;

— hacking; and

— the proliferation of malicious software (malware), spyware and other potentially unwanted software."

Notice the standard is focused on "Internet security issues" which, in practice, means it covers active attacks perpetrated via the Internet. However:

• I have already seen people mistakenly referring to this as a cybersecurity standard, presumably because both the previous and revised titles of the standard include the word 'cybersecurity'. In the second edition, however, it is merely given as the name of ISO/IEC JTC 1/SC 27 which produced the standard. 'Cybersecurity' in the first edition was replaced by 'Internet security' in the second edition standard title.
  
  
• 'Cybersecurity' is defined in '27032 by citing ISO/IEC TS 27100:2020 ...

"safeguarding of people, society, organizations and nations from cyber risks.   Note 1 to entry: Safeguarding means to keep cyber risk at a tolerable level."

"Cyber risk" remains undefined, leaving the definition incomplete, thereby perpetuating confusion about what 'cyber' and hence 'cybersecurity' actually means.

• A scope diagram is intended to clarify the standard's coverage:

According to Figure 1, Internet security is entirely within cybersecurity, which covers other areas.  I have argued for decades that information security goes further still - taking in risks to all forms of information, not just computer data, systems and networks. Knowlege, trade secrets, creative content and intellectual property are all examples of valuable information that deserve or require protection, regardless of any computerisation. As an Internet security standard, '27032 covers only the yellow highlighted bit on this extended scope diagram:

 

• 'Attacks' (in the sense of deliberate, malicious, targeted acts by adversaries) are not the only threats to information, even in the IT context. In particular, there are many accidental and natural threats such as typos, system design flaws, bugs and floods, plus untargeted/general threats such as network worms and mis/dis-information.
  
  
• 'Via the Internet' implies external adversaries or outsider threats. What about malicious insiders and collaboration e.g. in fraud?  And for that matter, what about attacks via non-Internet network or data comms connections, or by other means (such as infected USB sticks, insecure WiFi and unauthorised BYOD equipment)?
  
  
• There are other 'cyber' terms with rather different connotations, such as cyberwar and cyberterrorism. The ordinary everyday kinds of Internet threat covered by this standard are insignificant compared to the high-end extreme threats that are (or definitely should be!) of concern to critical infrastructure organisations, hence the protective measures are comparatively basic - mere hygiene you could say, and some way short of best practice. An example is ICT supply chain security, with genuine concerns about systems being compromised deep within the firmware or silicon for national security/defence/offense/spooky purposes. 

In summary, the new edition is definitely an improvement over the old but needs to be interpreted carefully, particularly in organisations facing more significant and diverse information risks (which most do).