Addressing Cyber Threats
28th December 2018 by Bachir El Nakib (CAMS, ACFE, CFAP), Senior Consultant, Instructor.
By Definition:
'Cyber risk' means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems
For a cybersecurity expert, the Oxford Dictionary definition of cyber threat is a little lacking: "the possibility of a malicious attempt to damage or disrupt a computer network or system." This definition is incomplete without including the attempt to access files and infiltrate or steal data.
In this definition, the threat is defined as a possibility. However, in the cybersecurity community, the threat is more closely identified with the actor or adversary attempting to gain access to a system. Or a threat might be identified by the damage being done, what is being stolen or the Tactics, Techniques and Procedures (TTP) being used.
In August 2017, Roger A. Grimes provided this list, published in Infoworld, of the top five most common cyber threats:
1. Social Engineered Trojans
2. Unpatched Software (such as Java, Adobe Reader, Flash)
3. Phishing
4. Network traveling worms
5. Advanced Persistent Threats
But since the publication of this list, there has been widespread adoption of several different types of game-changing technology: cloud computing, big data, and adoption of mobile device usage, to name a few.
In September 2016, Bob Gourley shared a video containing comments from Rand Corporation testimony to the House Homeland Security Committee, Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies regarding emerging cyber threats and their implications.(video).The related video highlights two technology trends that are driving the cyber threat landscape in 2016:
1. Internet of things – individual devices connecting to internet or other networks
2. Explosion of data – stored in devices, desktops and elsewhere
Today, the list of cyber threats may look more like this, and cyber threats are typically composed of a combination of these:
· Advanced Persistent Threats
· Phishing
· Trojans
· Botnets
· Ransomware
· Distributed Denial of Service (DDoS)
· Wiper Attacks
· Intellectual Property Theft
· Theft of Money
· Data Manipulation
· Data Destruction
· Spyware/Malware
· Man in the Middle (MITM)
· Drive-By Downloads
· Malvertising
· Rogue Software
· Unpatched Software
Unpatched software, seemingly the simplest vulnerability, can still lead to the largest leaks, such as the case of Panama Papers.
Sources of Cyber Threats
In identifying a cyber threat, more important than knowing the technology or TTP, is knowing who is behind the threat. The TTPs of threat actors are constantly evolving. But the sources of cyber threats remain the same. There is always a human element; someone who falls for a clever trick. But go one step further and you will find someone with a motive. This is the real source of the cyber threat.
For example, in June of 2016, SecureWorks revealed tactical details of Russian Threat Group-4127 attacks on Hillary Clinton's presidential campaign emails. Then, in September 7, 2016, Bill Gertz of The Washington Times reported on another cyber attack on Hillary Clinton's emails, presumed to be the work of "hostile foreign actors," likely from either China or Russia. There currently exists a U.S. policy on foreign cyber threats known as "deterrence by denial." In this case, denial means preventing foreign adversaries from accessing data in the U.S.
But not all cyber threats come from foreign countries. Recently, Pierluigi Paganini @securityaffairs reported that police arrested two North Carolina men who are alleged to be members of the notorious hacking group called 'Crackas With Attitude' which leaked personal details of 31,000 U.S. government agents and their families.
Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurityand physical security.
Top Five Cybersecurity Risks for 2019. From identity theft and fraud to corporate hacking attacks, cybersecurity has never been more important for businesses, organizations and governments. Hacking experts warn there are plenty more security risks ahead in 2019 as cyber criminals become more sophisticated.
Cyber Risk Management
The risks and opportunities which digital technologies, devices and media bring us are manifest. Cyber risk is never a matter purely for the IT team, although they clearly play a vital role. An organisation's risk management function need a thorough understanding of the constantly evolving risks as well as the practical tools and techniques available to address them.
What do we mean by cyber risk?
Cyber Risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.
It will never happen to us….
All types and sizes of organisations are at risk, not only the financial services firms, defence organisations and high profile names which make the headlines.
Cyber risk practical guidance
Cyber and Information Management Special Interest Group (SIG) conducted extensive research into the dynamic issue of cyber threats to business, governments and global enterprises. They have produced a practical guide for risk professionals and senior executives to help demystify the issue of cyber risk.
Members of the group commented ‘the true extent of the risk has yet to be assessed – let alone managed. And the threat is very real. Risk professionals need to wake up and smell the coffee before it is too late’.
Cyber risk: Nightmare or opportunity?
According to a Tripwire study, 93% of security professionals are concerned about the cyber security skills gap, while 72% believe it is more difficult to hire skilled security staff to defend against today’s complex cyber attacks compared to two years ago.
The changing face of cyber security has impacted the necessary skills required – indeed, 81% of those surveyed believe that the skills required to be a great security professional have changed in the past few years. The report found that 20% of respondents said their organisations had hired people with expertise not specific to security over the past two years, and another 17 percent stated they plan to do the same in the next two years.
Additionally, Tripwire’s study found that 50% plan to invest more heavily in training their existing staff to help with the looming skills shortage.
“It’s evident that security teams are evolving and maturing with the rest of the cyber security industry, but the pool of skilled staff and training simply aren’t keeping up,” said Tim Erlin, vice president of product management and strategy at Tripwire.
“For example, beyond their technical duties, security practitioners may now be expected to spend more time in boardrooms or in the CFO’s office to secure more budget. While the makeup of the cyber security workforce may be changing, the fundamentals of protecting an organisation have not. It will be critical during this transition to ensure there’s a long-term strategy in place around maintaining their foundational security controls.”
Critical issues Cisco planned addressing head-on in it’s 2017 Annual Cybersecurity Report unveiled startling insights into the damage that breaches are inflicting: 22 percent of breached organizations lost customers and 29 percent lost revenue, with 38 percent of that group losing more than 20 percent of revenue. Those are big hits, and such high stakes demand a strategic, proactive approach to defense rather than reactive responses commonly seen.
There are three elements necessary for a comprehensive cyber strategy:
Get the Board on board
Board-level support is essential, and corporate executives must be prepared to make their case for it. Board directors should be asking their leaders about people and process as well as technology and policy to ensure a comprehensive cyber resilience strategy.
People and Process:
- Are we evolving our culture (talent, skills, training, and adaptability)?
- Do we have a process for continuous improvement for cyber resilience?
- Do we have formalized response processes and capabilities?
- Are core business and financial processes adequately secure and how do we know?
- Are we using the right metrics to determine effectiveness of efforts?
Technology and Policy:
- Have we performed a thorough cyber risk assessment of our use of technology?
- What is our current level of cyber risk, and its potential business impact?
- Are our systems of controls equal to the risks?
- Is our cyber resilience strategy focused on our business objectives, protecting our most critical assets and providing business continuity?
- How does our cybersecurity program apply industry standards and best practices, and compare with industry peers?
- How do we measure our program’s effectiveness?
Answering these questions involves substantial effort, but the results will provide a solid foundation for the cyber resilient architecture that will be needed as companies invest in new technologies.
Securely Approach Digitization
An organization and its Board must understand that the business will digitize and use technology rapidly in order to keep the business agile – it is inevitable. Organizations must seize the opportunity to look at this digital disruption to hone focus and investment on associated security risks and challenges. While digitalization creates and expands business opportunities for organizations, evaluating the security considerations must be an essential part of the process. Savvy organizations are shifting from merely focusing on cyber security controls to building cyber resilient architectures that can stand up to today’s attacks. With such an architecture, a compromised system will resist failure—but if it is forced to fail, it will do so gracefully. Visibility across the network will enable the system to sense if it has been compromised, respond quickly and recover to an operational state.
Norman Swarzcopf - Battle Plan For Action
During the Gulf War Storming Norman Swarzcopf said that the most important thing to have was a plan for action rather than a plan of action. The difference being that your plan has to malleable so that it can adapt to the actual threat. The same applies to cybersecurity. While, it's critical to have the right defenses in place to address viruses and malware, that represents only about 5% of the threats. It's even more important to have a plan that details how you will respond in the face of a cyber attack that includes unknown threats.
The fact is that vast majority of damage done in cyber attacks is due to an inability of the party being attacked to respond because they have not adequately planned out and practiced a cyber response strategy. This is where your brand is most susceptible to long term or potentially irrecoverable damage. When you look at why 60% of small to medium sized businesses that suffer a significant cyberattack never recover and go out of business, it's almost always because they failed to accept the importance of having a plan in place.
"It's like putting a guard at the front door to ward of bank robbers without giving him or her training on what to do in the event of an actual robbery!"
In many cases that's because while they had all of the right defenses, such as anti-virus, malware detection, encryption, and firewalls they did not have in place the right systems and processes to deal with an actual attack and it's aftermath. It's like putting a guard at the front door to ward of bank robbers without giving him or her training on what to do in the event of an actual robbery! In the case of a business it usually means that they do not have a fully redundant system for accessing their applications and data, both live and online as well as regular offline backups stored in multiple onsite and offsite locations. Stop and think about it. If your ecommerce system, web site, email, or customer data was suddenly inaccessible because of an attack would you be able to get back up and running within minutes, hours, or days, or at all?
In the borderless world of information technology, in fact, computer-security specialists and corporate risk managers have begun working under the assumption that it’s impossible for companies to keep their networks completely free from penetration, according to the lead story of our package, “What’s the Cost of a Cyber Attack?” Given that reality, they’re zeroing in on the need to detect hackers once they’re inside the system and to respond to the attack, rather than just focusing on sealing networks from every possible breach.
“Traditionally, cybersecurity has been focused on the front protection piece,” including internal controls, employee training, and firewalls, according to Heather Crofford, CFO of shared services at Northrop Grumman, the big aerospace and defense contractor. For Northrop and many other companies, however, “detection, response, and recovery are where the increasing investment needs to be,” she says.
Since the risk can’t be completely, eliminated, CFOs are wondering if insurance policies targeted solely at cyber risk can help stem the tide of financial loss once a breach occurs. Some companies have, in fact, bought “dedicated” cyber insurance policies that provide coverage for such risk exposures, writes Lynda Bennett, an attorney who represents corporate policyholders, in “Cyber Insurance Policies: Are They Worth the Money?” Other companies are still in the evaluation phase and are appropriately wondering whether such policies are needed, and, if so, whether insurers are paying claims under them, according to Bennett.
The remaining articles discuss the increasing interest of regulators in cyber risk, how to hire the right people to stop the bleeding if a breach occurs, and the CFO’s unique role in cyber security. We hope our coverage will help you put together effective strategies and tactics to cope with the Brave New World of cyber peril.
What’s the Cost of a Cyberattack?
A flurry of attempts to model the risk of a corporate cyberattack hasn’t provided many answers.
Cyber Insurance Policies: Are They Worth the Money?
Under a dedicated cyber insurance policy is there is no “standard” liability coverage available.
Regulators Leaping into the Cyber Breach
Many regulators consider the growing tide of cyber incidents to be more of an abdication of corporate responsibility than a threat to national security.
Building a Cyber Security Team from Within
While building an in-house cyber security operations center can be resource-intensive, it can safeguard your data.
The CFO’s Role in Cyber Security
Many finance chiefs are being called upon to help promote cyber security and identify threats