Does the definition of unknown make measuring risk also unknown?
Let’s assume a cloud account has been created on Amazon Cloud (AWS – Amazon Web Services) or elsewhere (Rackspace, Azure, or Google Cloud).
This cloud account will always be the Achilles heel of your Internet presence. I.e. if someone gets a hold of the main account instead of the person who is supposed to take care of it, the criminal hacker can modify and add users so as to make imperceptible changes to your website until it is too late.
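The change the post warns about (an intruder on the master account quietly adding users) leaves a trail in the account’s audit log. The following is an added example, not code from the original post: it triages a handful of constructed CloudTrail-style events, flagging any activity by the root identity and any IAM call that changes who can act in the account. The event field names follow the CloudTrail record layout; the sample events and IP addresses are constructed.

```python
"""Flag risky account-level changes in constructed CloudTrail-style events.

Added example (not from the original post). It assumes the AWS CloudTrail
record layout (eventName, eventSource, userIdentity.type, requestParameters)
and uses constructed sample events only.
"""
import json

# IAM API calls that change who can act in the account or with what rights.
IAM_MUTATIONS = {
    "CreateUser", "DeleteUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
    "UpdateAssumeRolePolicy",
}

# Finding label -> severity; root changing IAM is the worst case.
SEVERITY = {"root-iam-mutation": 3, "root-activity": 2, "iam-mutation": 1}

# Constructed sample events in CloudTrail's JSON shape (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "ops-alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "svc-backup2",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "ops-alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "dev-bob"}},
]


def classify(event):
    """Return the finding labels for one event (empty list if nothing notable)."""
    findings = []
    identity = event.get("userIdentity", {})
    name = event.get("eventName", "")
    is_root = identity.get("type") == "Root"
    if is_root:
        findings.append("root-activity")          # root should almost never act
    if name in IAM_MUTATIONS:
        findings.append("iam-mutation")           # someone changed access rights
    if is_root and name in IAM_MUTATIONS:
        findings.append("root-iam-mutation")      # the scenario in the post
    return findings


def triage(events):
    """Return a report of notable events, highest severity first."""
    report = []
    for ev in events:
        labels = classify(ev)
        if not labels:
            continue
        identity = ev.get("userIdentity", {})
        report.append({
            "time": ev.get("eventTime"),
            "actor": identity.get("userName", identity.get("type")),
            "event": ev.get("eventName"),
            "target": ev.get("requestParameters", {}).get("userName"),
            "source_ip": ev.get("sourceIPAddress"),
            "labels": labels,
            "severity": max(SEVERITY[label] for label in labels),
        })
    report.sort(key=lambda r: (-r["severity"], r["time"]))
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

In practice the same logic runs over the real trail (or a log pipeline fed by it) and the root-activity alert should fire every time, because day-to-day work belongs to named IAM users or roles, not the master account.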
Then let’s dissect an interesting interview with Bruce Schneier at Threatpost about “Going Dark”.
Specifically “people’s long tail of digital metadata.”
A person’s metadata will include the phone’s gmail account, all the places you have been using Google’s map app, and many other apps that are on your phone and soon your car. How will it all look once everything in your house, car, and work is interconnected? Identity Access Management will be that much more important.
I.e. how you can access the phone and all the apps. Every time an app says you can reset your password by sending an email, that means the email is the one thing that has to be defended without fail.
So if the cloud account was set up with a specific email, that email account has to be defended so that a hacker cannot get even remote access to it. Of course one has to keep operational intelligence about various company actions out of social media. I.e. a new promotion in IT to be in charge of cloud accounts is not something to discuss on social media (in fact anywhere). You can say you have an understanding of cloud architecture, but I would not get into details. It is important to keep many details about your environment off any site on the Internet.
Notice how a Facebook “friend” can send you phishing requests via SMS (text or messages via Facebook) and try to get access to your computer that way. If you click on the link it goes to a website that looks like Facebook but is really a scam. Notice the URL: facebook.ssbh.edu.bd (a Bulgarian university server). This example is from today’s post in Internet Storm Center: Facebook Phishing via SMS.
There are many ways somebody can get access to your credentials, including if you just give them away.
My policy is to never follow a link if they are asking for my credentials; I just do not enter them. Answering a bunch of questions about some quiz on Facebook, on whether you are Italian or not… is generally a bad idea, as Kirstin Fawcett wrote in mentalfloss.com: “Taking Facebook Quizzes Could Put You at Risk For Identity Theft”.
Or maybe they are called ‘surveys’; either way they constitute a risk that may not be worth taking. Every action on the Internet increases the chance that a potential attacker gains more insight into your environment, personal life, or some other facet that advances the attack.
Spam email is a perfect phishing attack by hackers to gain information or credentials from you – never click on a link that then asks for credentials to be entered. Are there exceptions to this rule? Unfortunately yes, as some reset procedures require you to click and reset your credentials in some environments. So how does one get past this? Not every user is going to be well versed in the domain name tricks of hackers. And to some degree there will never be a 100% foolproof way to differentiate good sites from bad.
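The one check a user can learn for the URL shown in the Facebook SMS example above, and for the reset links discussed here, is which domain the link really belongs to: in facebook.ssbh.edu.bd the brand name is only a subdomain, and the registrable domain is ssbh.edu.bd. The following is an added example, not code from the original post or the Internet Storm Center article: it extracts the registrable domain from a link and reports when a brand name appears in the host (or in the user-info part before an “@”) while the domain is not one of that brand’s own. The public-suffix subset and the brand-to-domain table are constructed for the demo; a real deployment would use the full public suffix list.

```python
"""Report links whose domain does not match the brand they appear to show.

Added example (not from the original post). PUBLIC_SUFFIXES is a tiny
constructed subset standing in for the public suffix list, and
BRAND_DOMAINS is an assumed table for the demo.
"""
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes (the real list is long).
PUBLIC_SUFFIXES = {"co.uk", "ac.uk", "edu.bd", "com.au"}

# Assumed table: brand name -> registrable domains it legitimately uses.
BRAND_DOMAINS = {"facebook": {"facebook.com", "fb.com"}}


def registrable_domain(host):
    """Return the domain a registrar actually hands out, e.g. ssbh.edu.bd."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host  # a bare IPv4 address has no registrable domain
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES:
        return ".".join(labels[-3:])  # e.g. ssbh.edu.bd under suffix edu.bd
    return ".".join(labels[-2:])      # e.g. facebook.com


def check_link(url):
    """Describe whether the link's real domain matches the brand it names."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    # Text a user would see and might mistake for the site: host plus any
    # user-info written before '@' (a common way to disguise the real host).
    seen = host + " " + (parts.username or "").lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if domain in domains:
            continue  # the link really does belong to that brand
        if brand in seen:
            findings.append(
                f"'{brand}' appears in the link but the domain is {domain}")
    if parts.username is not None:
        findings.append("user-info before '@' can hide the real host")
    return {"host": host, "domain": domain,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for link in ("http://facebook.ssbh.edu.bd/login",      # from the post
                 "https://www.facebook.com/",
                 "http://facebook.com@203.0.113.5/"):      # constructed
        print(link, "->", check_link(link))
```

The point of the check is that the registrable domain is the only part of a hostname the visitor cannot control; everything to its left is chosen by whoever owns that domain, which is exactly why a subdomain called facebook proves nothing.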
So do your social engineering training and keep up with attacks, and you have to accept some risk.
Back to my original question: are unknown risks possible to gauge? I think that some risk is impossible to put a number on. But we can mitigate and accept some unknown risk, and keep vigilance. Knowing as much as we can about potential unknowns is the best we can do – some unknown unknowns are inevitable, but there is no point fretting over those.
Contact us to discuss this.