Is There Cyber Risk? How to Assess Risk?

An interesting video from RSA Conference 2018: “There’s no such Thing as a Cyber-risk”

So if you look at possible risk domains  Computer Security (or Cybersecurity is not on there.

  1. Operations: errors – fraud – talent – employee engagement – safety
  2. Service Availability: capacity, resiliency, data integrity, intentional disruption
  3. Product delivery: pre-executions – release executions
  4. Compliance: regulatory, contractual obligations, privacy lane, employment law, other laws

Of course data integrity is there – so if there is a cybersecurity problem data integrity may become an issue.

The definition of “Operational risk” is the prospect of loss resulting from inadequate or failed procedures, systems or policies. Employee errors. System failures. fraud or other criminal activity. Any event that disrupts business processes

The problem with Cyber risk is that it can affect operations but is not always obvious how bad it can get until it happens.  Can you operate without computers? Can it get that bad? What if it does? Just like one may have electricity backup in an area which has frequent power outages, one has to consider what to do if there are no computers to run credit card transactions.

To properly assess operational risk, what is it one must ask in regards to computer assets with regard to cybersecurity? What if I cannot use this device? i.e. it has been hijacked by hackers or otherwise incapacitated.

If credit card processing is stolen, what could be worse is now your reputation can take a hit. Since the news will be filled with stories of Credit card fraud originating at your business.

Consider reputation in assessing operational risk. And reputation does not always mean systems fail or money is lost due to no electronic access.

It all depends on who you claim to be in the public space. Is your business marketing claim to be up-to-date? Then  reputation may have to have a higher impact. Make sure you are spending enough resources in relation to your REAL level of risk.

 

If you need help in assessing risk contact us.

100% Cybersecurity is Impossible

Do you want to use the Internet? Computers? Tablets? Cellphones?

There is no device created that is 100% secure with no risk.

So now what?

Risk management – is what we are supposed to do, where the risk of using something is lower than the value of using it. For example: using a computer for business reasons is worthwhile when the cost to keep it safe is relatively low (own a firewall, anti-virus software and more)

Let’s use a different example. what about if a business has highly confidential banking transactions to perform that are worth hundreds of thousands of dollars?  Now the risk of using the computer and getting infected by malware or other viruses even if low likelihood the impact would be high.  Since Likelihood*Impact = Risk

Low*High= higher risk than

Low * Low = Low  or

Low* Med =Medium-Low

 

If Likelihood is High then a small impact is bad too.

High*Low =  High risk

For High likelihood and medium or high impact it is lights out for many organizations.

High*High = Bad … very bad

This Risk matrix has to be set up to analyze the Risk management of your business.

Paul Holland also discusses this in Bsides London “Understanding your business risks are key”

Paul also discusses ‘Things to consider when making decisions on risk appetite’

  1. What kind of loss would you deem materially damaging (impact)?
  2. What can you live without and for how long(impact)?
  3. What information must not fall into the wrong hands(impact)?
  4. How do you protect your information?

So if you are a business owner or CEO, CFO, CIO then you have to answer the subjective risk questions honestly.

So if you are spending 10% on security and you have millions of dollars in risk impact,  should you spend 11% on security?  This is a difficult question to answer. Since we  cannot be 100% secure. Where do we spend money to improve security? Because of the law of diminishing returns works on everything. Sometimes more money spent is not going to be a major change, just an incremental one.

The above image is useful in letting us know when we should re-evaluate our risk profile. External changes or internal changes should cause you to re-do your matrix.

Internal:

  1. Changing markets
  2. New business areas
  3. New Leadership
  4. Change in risk appetite
  5. Cloud adoption (major technical changes)
  6. Supply chain risks

External

  1. New vulnerabilities
  2. Political changes (local, state, national, international)
  3. Regulatory changes
  4. New technology (quantum breaks encryption — AI makes attacks more sophisticated)

We all know attacks are more sophisticated, since the criminals want to attack more people with new methods to make more money every year.

Talking to an expert to navigate this huge moving target is a good idea:

Contact Us to discuss

Why Is It Cybersecurity Pros Make It Complicated?

We say things like: DO NOT CLICK ON Phishing emails!!

But then Equifax creates www.experianidentityservice.co.uk ???  or creditexpert.co.uk/login/login

Bsides in London earlier this year had a presentation by Meadow Ellis (@notameadow).

Meadow makes a good point, as we as Cybersecurity professionals ask users to be careful what you click, and then  somebody in the company makes a difficult to read domain name, since the easy ones are taken.

So if a user can at times be duped and then clicks on malware (let’s face it users will  never be 100% accurate) then we must assume that the hackers can go into one of our systems inside the firewall.

So this scenario describes why we need to have zero-trust network architecture, and in a zero-trust network, we assume the bad guys are everywhere, so it requires identity management to be hardened.

Assume that phishing will work eventually in your environment

Here is where tyhe phishing domains are actually coming from(Paloaltonetworks.com post):

You see the problem is all the hosting companies are in the USA  so as I mentioned all the attackers are already in our midst.

Your risk management and Cybersecurity plans need to reflect that.

Your marketing efforts should reflect a simple domain structure that makes sense so that when the phishing people try to scam your customers, they will hopefully see through the bad domains.

As per Isaca presentation: “State of Cybersecurity”  90% of all federal (US) breaches are started with a phishing email.

 

Contact us to discuss your cybersecurity risk management profile.

 

Achieve True Privacy Protections

Your data and your customer data must be protected and in such a manner that even a breach in an area is not making it easy for the criminal to get the last link and thus the whole database.  Losing a portion of customer data is bad, but losing all of it is much worse.

So just like we have a layered defense in our network a layered defense of the database  is essential.

Before we  discuss technical details it is good to lay out how we intend to use the customer and employee data.

Because the technical people should look at a document that says how you will use data so that  customers, vendors, and employees know what is happening(or supposed to happen).

Also knowing what to do when there is a failure is important.

So we need to answer the following:

  1. Where is the data?
  2. Who has data?
  3. Why is data kept?
  4. What data is kept?
  5. How is data kept is a technical issue, and should be answered if encryption is answered.
  6. When will data be kept til? Forever? or is there a time lapse?
  7. How much data will be kept? (similar to what?) but can clarify the amount and size.

 

The new data privacy compliance law in the EU is GDPR(General Data protection regulation) and we have discussed this before at “Can European Regulation Help You Design Data Privacy”

In the us there are NIST(National Institute of Standards & Technology) standards – specifically 800-171. Which this company (Imprimis) has a video and discusses the complete process to go through to get yourself compliant for government oversight/ contracts.

The interesting slide is the next one that discusses the continuous compliance state one must build into any program

 

continuous monitoring, training and improvements must be done while performing quarterly periodic scans, and annual assessments.

 

We have discussed periodic scans before: our recon scan and vulnerability assessments

NIST 800-171 is the defacto standard of the US government and all of the contractors, sub-contractors, and anyone who is handling classified or CUI(Controlled Unclassified Information) data.  there are 110 items that one has to write an assessment on. So if your data is classified/unclassified one has a framework to work in.

PCI Payment card industry has a new version out (as of May 2018)  Summary of changes link

basically this latest compliance update is just a confirmation of TLS v1.1 or higher and some errata fixes.  Our post: Internet insecure without TLS

So although everyone has different data to place in the  Who, What, When, Why, Where, and how/how much we need to review and constantly improve our data storage and redemption states.

 

Contact Us to review this.

 

100 days to find adversary in Network: Do I hear 50?

How can we improve the odds of finding a criminal hacker in our networks?   (My old blogpost in 2017 discusses some threats in your network “Insider Threats: No1 Cybersecurity Problem” in case you want to review)

A great video on this topic is the following Irongeek.com video from BSides Charm2018

In this part of the video they are explaining all the logs and where the logs should be sent.  The idea to send the logs to Splunk is to then create a ticket or an SMS alert to a team.  After Splunk receives data you have to configure Splunk to  create SMS alerts and tickets.

There are specific items to look for in your logs to help you find the criminal hacker.monitoring email

monitor who accesses OWA (Outlook Web Access), monitor the attachments sent out, file transfers.

Web traffic, monitor proxy logs – what sites get accessed? Who is trying to go to dangerous websites.

 

Create daily reports and then you will see what is normal.

Every environment is different, with varying needs for compliance and other needs (HIPAA compliance is likely not needed from a Flower retailer).

The above diagram in the video is the most important diagram for you to understand and digest:

I.e. most companies and people end up logging everything and thus do not check anything (because you cannot drink from a firehose) OR log very little – nothing.   So this is why one must understand what is important in logging to you.

Even though it may be different with every company there will be a specific report that will become a goto report that you will review daily for suspicious behavior. Do not become a statistic which says you do not see the criminal hacker in your network for 100 days, or are told of a breach by law enforcement.  That means you will know at that time that IT has not done their job (too late of course).

 

Get ahead of future problems, and contact us to review your logging environment.