Is There Cyber Risk? How to Assess Risk?

An interesting video from RSA Conference 2018: “There’s no such Thing as a Cyber-risk”

So if you look at the possible risk domains listed in the talk, Computer Security (or Cybersecurity) is not on there:

  1. Operations: errors – fraud – talent – employee engagement – safety
  2. Service Availability: capacity, resiliency, data integrity, intentional disruption
  3. Product delivery: pre-executions – release executions
  4. Compliance: regulatory, contractual obligations, privacy law, employment law, other laws

Of course data integrity is there, so if there is a cybersecurity problem, data integrity may become an issue.

The definition of “Operational risk” is the prospect of loss resulting from inadequate or failed procedures, systems or policies: employee errors, system failures, fraud or other criminal activity, or any event that disrupts business processes.

The problem with cyber risk is that it can affect operations, but it is not always obvious how bad it can get until it happens. Can you operate without computers? Can it get that bad? What if it does? Just as one may have electricity backup in an area with frequent power outages, one has to consider what to do if there are no computers to run credit card transactions.

So to properly assess operational risk, what must one ask about computer assets with regard to cybersecurity? What if I cannot use this device, i.e. it has been hijacked by hackers or otherwise incapacitated?

If credit card data is stolen from your processing system, what could be worse is that your reputation now takes a hit, since the news will be filled with stories of credit card fraud originating at your business.

Consider reputation when assessing operational risk. And reputation damage does not always mean that systems fail or that money is lost because of a lack of electronic access.

It all depends on who you claim to be in the public space. Does your business's marketing claim to be up-to-date? Then reputation may have to be given a higher impact. Make sure you are spending enough resources in relation to your REAL level of risk.

 

If you need help in assessing risk contact us.

NIST 800-171 rev1 (Updated 6/7/2018)

This document was created and updated to protect CUI (Controlled Unclassified Information) in nonfederal systems and organizations, i.e. the contractors and other entities that handle government information. So if you want to have a contract with the government you had better have a plan in place. It traces back to Executive Order 13556 (Nov 4, 2010), which established the Controlled Unclassified Information program to standardize the handling of unclassified information that requires safeguarding, and designated NARA (the National Archives and Records Administration) as the executive agent.

It is interesting to note that all this standardization comes from a long list of departments in charge of classifying information. But the reality is that the resulting requirements have a lot in common with standards like PCI DSS, COBIT 5, and others.

Notice that 800-171 requires a Security Assessment:

  1. Assess security controls in the organization- are they effective?
  2. Develop and implement plans of action to fix deficiencies and reduce or eliminate vulnerabilities.
  3. Monitor security controls on an ongoing basis
  4. Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how the security requirements are implemented, and the relationships with or connections to other systems.

So essentially these are common sense security functions.

Any time a change occurs (a new device, a move, an addition, a removal) one has to re-evaluate the security posture.

How about Risk assessment:

  1. Periodically assess risk to organizational operations (mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
  2. Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  3. Remediate vulnerabilities in accordance with risk assessments.

 

So if you look at the document, it just asks for what all respectable requirements ask for:

  1. Document and inventory your stuff.
  2. create risk assessments and impact assessments
  3. set up vulnerability scans
  4. remediate vulnerabilities!

 

 

 

Talking of change, the 800-171 document has recently been revised and updated, both in February and June 2018:

  1. February: 16 editorial changes and 42 substantive
  2. June: 27 editorial changes and 5 substantive.

Most of the changes were deletions and some clarifications.

There is a change in authentication: MFA (Multi-Factor Authentication) is now required for local and network access to privileged accounts and for network access to non-privileged accounts, instead of regular password authentication.

The image above is the section (Identification and Authentication) where the MFA requirement is shown.

If you need help in performing risk and security assessments Contact Us.

 

Tuesday July 10th patch Tuesday #7 of 2018

53 vulnerabilities in today’s Patch Tuesday

There is a dashboard set up by Morphus Labs.

3 of them are publicly disclosed and 17 are rated critical.

It is always important to keep up with your patching regimen, because today's vulnerabilities become more dangerous over time: once a patch is out, the fix gets reverse-engineered and exploits start to circulate.

But one has to assess the current and older vulnerabilities against what is going on in _your_ environment. Here is another article on what type of updates are in this month's release, from Dark Reading: “July Security Updates”.

Most of these updates are browser based, except for the latest update of the Meltdown and Spectre type of fix.

Looking over the updates, start with the remote code execution vulnerabilities to find the issues to patch first.

Because Microsoft has put out patches once a month on the 2nd Tuesday, some other software companies do the same, so IT departments get a consistent schedule for reviewing the patches to be installed. Adobe has released fixes for 105 vulnerabilities in Reader and Acrobat, as well as some in Flash. One thing that comes out of these situations is the planning of downtime for cloud systems, which have to have all patches installed for the users who wish to run their applications.

So even if most of the vulnerabilities are browser based, some servers may still need a number of patches.

In my opinion this vulnerability, “CVE-2018-8327”, is very dangerous, as it has remote code execution (malicious code) potential. Microsoft Security TechCenter goes into some details.

Since this is a new vulnerability as of July 10, there is now a race on: the race between installing the patches and unknowingly downloading malicious software (malware) that exploits them.
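As an added example of the triage described above (my code, not from the post or from Microsoft, the ISC or Talos), the block below ranks a constructed set of advisories by severity, impact type, public disclosure and in-the-wild exploitation, and drops anything for a product that is not in the local inventory, which is the "what is going on in your environment" part. The advisory identifiers, product names and weights are made up for illustration; they are not July 2018 data.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Advisory:
    """One patched vulnerability. Field names are an assumption for this example."""
    ident: str
    product: str
    severity: str            # critical | important | moderate | low
    impact: str              # RCE | EoP | Info | DoS | Spoofing | Tampering
    public: bool = False     # details were public before the fix shipped
    exploited: bool = False  # exploitation observed in the wild


# Weights are an assumption. They encode the rule of thumb in the post:
# remote code execution first, and anything already public or exploited
# jumps the queue because the race has already started.
SEVERITY_WEIGHT = {"critical": 40, "important": 25, "moderate": 10, "low": 5}
IMPACT_WEIGHT = {"RCE": 30, "EoP": 20, "Info": 10, "DoS": 10, "Spoofing": 5, "Tampering": 5}


def triage_score(adv: Advisory, deployed: set[str]) -> int:
    """Higher means patch sooner; products not deployed here score 0."""
    if adv.product not in deployed:
        return 0
    score = SEVERITY_WEIGHT[adv.severity] + IMPACT_WEIGHT.get(adv.impact, 0)
    if adv.exploited:
        score += 50      # someone is already being hit with this
    if adv.public:
        score += 20      # exploit writers have a head start
    return score


def patch_order(advisories: list[Advisory], deployed: set[str]) -> list[Advisory]:
    """Advisories that matter to this environment, most urgent first."""
    relevant = [a for a in advisories if triage_score(a, deployed) > 0]
    return sorted(relevant, key=lambda a: triage_score(a, deployed), reverse=True)


def summarize(advisories: list[Advisory]) -> tuple[dict, dict]:
    """Counts per severity and per impact type, like the ISC/Talos summaries."""
    by_severity: dict[str, int] = {}
    by_impact: dict[str, int] = {}
    for a in advisories:
        by_severity[a.severity] = by_severity.get(a.severity, 0) + 1
        by_impact[a.impact] = by_impact.get(a.impact, 0) + 1
    return by_severity, by_impact


def sample_release() -> list[Advisory]:
    """Constructed advisories: identifiers, products and flags are made up."""
    return [
        Advisory("adv-01", "Internet Explorer", "critical", "RCE"),
        Advisory("adv-02", "Edge", "critical", "RCE", public=True),
        Advisory("adv-03", "Windows Server 2016", "important", "EoP", exploited=True),
        Advisory("adv-04", "Windows 10", "important", "Info"),
        Advisory("adv-05", "Office", "important", "RCE"),
        Advisory("adv-06", "Windows 10", "moderate", "DoS"),
    ]


if __name__ == "__main__":
    # Constructed inventory: note that Office is absent, so adv-05 drops out.
    inventory = {"Windows Server 2016", "Windows 10", "Internet Explorer", "Edge"}
    for a in patch_order(sample_release(), inventory):
        print(triage_score(a, inventory), a.ident, a.product, a.severity, a.impact)
```

With these weights an important-rated privilege escalation that is already exploited outranks an unexploited critical RCE; adjust the weights if your environment disagrees, but keep the inventory filter, since a perfect score on software you do not run is noise.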

 

The image is from the SANS.edu website.

Also an update today, 7/12/18: the Talos blog lists the vulnerabilities in a different manner than the Internet Storm Center.

From Talos Blog:
Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month’s release addresses 53 new vulnerabilities, 17 of which are rated critical, 34 are rated important, one is rated moderate, and one is rated as low severity. These vulnerabilities impact Windows Operating System, Edge, Internet Explorer and more.
Reference: https://blog.talosintelligence.com/2018/07/ms-tuesday.html
Snort SID: 47111-47114, 47091-47092, 47107-47110, 47100-47103, 47096-47099

 

Contact Us to discuss the current patches within your environment.

100% Cybersecurity is Impossible

Do you want to use the Internet? Computers? Tablets? Cellphones?

There is no device created that is 100% secure with no risk.

So now what?

Risk management is what we are supposed to do: use something only where the risk of using it is lower than the value of using it. For example, using a computer for business reasons is worthwhile when the cost to keep it safe is relatively low (own a firewall, anti-virus software and more).

Let's use a different example. What if a business has highly confidential banking transactions to perform that are worth hundreds of thousands of dollars? Now the risk of using the computer and getting infected by malware or other viruses has a high impact even if the likelihood is low. Since Likelihood * Impact = Risk:

Low * High = higher risk than

Low * Low = Low, or

Low * Med = Medium-Low

 

If likelihood is High then even a small impact is bad.

High * Low = High risk

For High likelihood and medium or high impact it is lights out for many organizations.

High*High = Bad … very bad

This risk matrix has to be set up in order to analyze and manage the risk of your business.
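To make the matrix concrete, here is an added example (my code, not from the post or from Paul Holland's talk) that encodes the Low/Medium/High cells as a lookup table, rates a small constructed risk register with the scenarios discussed above, and lists the entries that exceed a stated risk appetite. The cells the post does not spell out (Medium x Medium, Low x High and so on), the rating labels between "low" and "critical", and the asset names are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Qualitative ratings, lowest to highest, so a register can be sorted.
RATING_ORDER = ("low", "medium-low", "medium", "medium-high", "high", "critical")

# RISK_MATRIX[likelihood][impact] -> rating.
# Cells taken from the post: Low x Low = low, Low x Medium = medium-low,
# High x Low = high, High x Medium and High x High = "lights out" (critical).
# The remaining cells are an assumption made for this example.
RISK_MATRIX = {
    "low":    {"low": "low",        "medium": "medium-low", "high": "medium-high"},
    "medium": {"low": "medium-low", "medium": "medium",     "high": "high"},
    "high":   {"low": "high",       "medium": "critical",   "high": "critical"},
}


def rate(likelihood: str, impact: str) -> str:
    """Look up the qualitative rating for a likelihood/impact pair."""
    lk, im = likelihood.lower(), impact.lower()
    if lk not in LEVELS or im not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}: got {likelihood!r}, {impact!r}")
    return RISK_MATRIX[lk][im]


def rank_value(rating: str) -> int:
    """Numeric position of a rating, for sorting and appetite comparisons."""
    return RATING_ORDER.index(rating)


@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: str
    impact: str

    @property
    def rating(self) -> str:
        return rate(self.likelihood, self.impact)


def rank(register: list[Risk]) -> list[Risk]:
    """Highest-rated risks first; ties keep register order."""
    return sorted(register, key=lambda r: rank_value(r.rating), reverse=True)


def above_appetite(register: list[Risk], appetite: str) -> list[Risk]:
    """Risks rated strictly above the organization's stated appetite."""
    limit = rank_value(appetite)
    return [r for r in rank(register) if rank_value(r.rating) > limit]


def sample_register() -> list[Risk]:
    """Constructed entries mirroring the post's scenarios (not real data)."""
    return [
        Risk("card terminal", "POS hijacked, cannot process cards", "medium", "high"),
        Risk("finance workstation", "malware on host used for large bank transfers", "low", "high"),
        Risk("staff mailboxes", "employee clicks phishing link", "high", "medium"),
        Risk("field laptop", "unencrypted laptop lost", "medium", "medium"),
    ]


if __name__ == "__main__":
    for r in rank(sample_register()):
        print(f"{r.rating:12} {r.asset:20} {r.scenario}")
    print("above medium appetite:",
          [r.asset for r in above_appetite(sample_register(), "medium")])
```

The point of keeping the matrix as an explicit table rather than multiplying numbers is that the business decides each cell; the post's own cells are not symmetric (High x Low is "High", Low x High is merely "higher than Low x Low"), and a table lets you record that judgement and revisit it when the triggers listed further down change.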

Paul Holland also discusses this in his Bsides London talk “Understanding your business risks are key”.

Paul also discusses ‘Things to consider when making decisions on risk appetite’

  1. What kind of loss would you deem materially damaging (impact)?
  2. What can you live without and for how long(impact)?
  3. What information must not fall into the wrong hands(impact)?
  4. How do you protect your information?

So if you are a business owner, CEO, CFO or CIO, then you have to answer these subjective risk questions honestly.

So if you are spending 10% on security and you have millions of dollars in risk impact, should you spend 11% on security? This is a difficult question to answer, since we cannot be 100% secure. Where do we spend money to improve security? The law of diminishing returns works on everything: sometimes more money spent is not going to produce a major change, just an incremental one.

The above image is useful in letting us know when we should re-evaluate our risk profile. External changes or internal changes should cause you to redo your matrix.

Internal:

  1. Changing markets
  2. New business areas
  3. New Leadership
  4. Change in risk appetite
  5. Cloud adoption (major technical changes)
  6. Supply chain risks

External

  1. New vulnerabilities
  2. Political changes (local, state, national, international)
  3. Regulatory changes
  4. New technology (quantum breaks encryption — AI makes attacks more sophisticated)

We all know attacks are getting more sophisticated, since the criminals want to attack more people with new methods to make more money every year.

Talking to an expert to help navigate this huge moving target is a good idea:

Contact Us to discuss

Why Is It Cybersecurity Pros Make It Complicated?

We say things like: DO NOT CLICK ON Phishing emails!!

But then Experian creates www.experianidentityservice.co.uk ??? or creditexpert.co.uk/login/login

Bsides in London earlier this year had a presentation by Meadow Ellis (@notameadow).

Meadow makes a good point: we as cybersecurity professionals ask users to be careful what they click, and then somebody in the company registers a difficult-to-read domain name, since the easy ones are taken.

So if a user can at times be duped and clicks on malware (let's face it, users will never be 100% accurate), then we must assume that the hackers can get into one of our systems inside the firewall.

This scenario describes why we need a zero-trust network architecture: in a zero-trust network we assume the bad guys are already everywhere, so identity management has to be hardened and every access request has to be authenticated and authorized, wherever it originates.

Assume that phishing will work eventually in your environment

Here is where the phishing domains are actually coming from (Paloaltonetworks.com post):

You see, the problem is that the hosting companies shown are in the USA, so as I mentioned the attackers are already in our midst.

Your risk management and Cybersecurity plans need to reflect that.

Your marketing efforts should reflect a simple domain structure that makes sense, so that when the phishing people try to scam your customers, the customers will hopefully see through the bad domains.
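The flip side of a simple domain structure is that you can check links against it mechanically. The block below is an added example (my code, not from the post, Meadow Ellis's talk or the Palo Alto Networks post): given the brand's own registrable domains, it classifies the host in a link as legitimate, as the brand name abused as a subdomain of someone else's domain, as the brand on a different TLD, as a homoglyph or typo-squat, or as the brand padded with extra words. The brand domains, the sample links, the short list of two-label suffixes standing in for the public suffix list, and the confusable-character table are all constructed assumptions for this example.

```python
from __future__ import annotations
from urllib.parse import urlparse

# The brand's own registrable domains and brand words. Constructed for this
# example; substitute the real list from your marketing/DNS inventory.
LEGIT_DOMAINS = {"example-bank.com", "examplebank.co.uk"}
BRAND_WORDS = {"example-bank", "examplebank"}

# Tiny stand-in for the public suffix list (assumption: only these suffixes
# take two labels). Use the real list in production.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}

# Character swaps commonly used to forge look-alike names (small assumed set).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def registrable_domain(host: str) -> str:
    """Registrable part of a hostname, e.g. a.b.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    take = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def fold_confusables(label: str) -> str:
    """Normalize look-alikes so 'examp1e' and 'exarnple' both read as 'example'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small values flag typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Classify the host in a link relative to the brand's own domains."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    # Brand domain used as a subdomain of someone else's domain.
    if any(host.startswith(d + ".") or ("." + d + ".") in host for d in LEGIT_DOMAINS):
        return "brand-as-subdomain"
    sld = reg.split(".")[0]          # the label the victim actually reads
    if sld in BRAND_WORDS:
        return "brand-on-other-tld"
    if fold_confusables(sld) in {fold_confusables(w) for w in BRAND_WORDS}:
        return "homoglyph"
    if min(levenshtein(sld, w) for w in BRAND_WORDS) <= 2:
        return "typosquat"
    if any(w in sld for w in BRAND_WORDS):
        return "brand-plus-words"
    return "unrelated"


def sample_links() -> list[str]:
    """Constructed links of the kind found in a phishing mailbox sweep."""
    return [
        "https://login.example-bank.com/account",
        "http://example-bank.com.evil.net/login",
        "https://examp1e-bank.com/",
        "exmaple-bank.com",
        "https://example-bank-secure-login.com/verify",
        "https://totally-unrelated.org",
    ]


if __name__ == "__main__":
    for link in sample_links():
        print(f"{classify(link):20} {link}")
```

Run this over the URLs in your mail gateway logs or your users' reported messages; anything other than "legitimate" that carries your brand is a candidate for a takedown request, and "brand-on-other-tld" is also the list of domains your marketing team should consider registering before someone else does.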

As per the ISACA presentation “State of Cybersecurity”, 90% of all US federal breaches start with a phishing email.

 

Contact us to discuss your cybersecurity risk management profile.