Addressing Cyber Threats
28th December 2018 by Bachir El Nakib (CAMS, ACFE, CFAP), Senior Consultant, Instructor.
For a cybersecurity expert, the definition is a little lacking: "the possibility of a malicious attempt to damage or disrupt a computer network or system." This definition is incomplete without including the attempt to access files and infiltrate or steal data.
In this definition, the threat is defined as a possibility. However, in the cybersecurity community, the threat is more closely identified with the actor or adversary attempting to gain access to a system. Or a threat might be identified by the damage being done, what is being stolen or the Tactics, Techniques and Procedures (TTP) being used.
1. Social Engineered Trojans
2. Unpatched Software (such as Java, Adobe Reader, Flash)
4. Network traveling worms
5. Advanced Persistent Threats
But since the publication of this list, there has been widespread adoption of several different types of game-changing technology: cloud computing, big data, and adoption of mobile device usage, to name a few.
In September 2016, Bob Gourley shared a video containing comments from Rand Corporation testimony to the House Homeland Security Committee, Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies regarding .(video). The related video highlights two technology trends that are driving the cyber threat landscape in 2016:
1. Internet of things – individual devices connecting to internet or other networks
2. Explosion of data – stored in devices, desktops and elsewhere
Today, the list of cyber threats may look more like this, and cyber threats are typically composed of a combination of these:
· Advanced Persistent Threats
· Distributed Denial of Service (DDoS)
· Wiper Attacks
· Intellectual Property Theft
· Theft of Money
· Data Manipulation
· Data Destruction
· Man in the Middle (MITM)
· Drive-By Downloads
· Rogue Software
· Unpatched Software
Sources of Cyber Threats
In identifying a cyber threat, knowing who is behind the threat is more important than knowing the technology or TTP. The TTPs of threat actors are constantly evolving, but the sources of cyber threats remain the same. There is always a human element: someone who falls for a clever trick. But go one step further and you will find someone with a motive. This is the real source of the cyber threat.
For example, in June of 2016, SecureWorks revealed tactical details of . Then, on September 7, 2016, reported on another cyber attack on Hillary Clinton's emails, presumed to be the work of "hostile foreign actors," likely from either China or Russia. There currently exists a U.S. policy on foreign cyber threats known as "." In this case, denial means preventing foreign adversaries from accessing data in the U.S.
But not all cyber threats come from foreign countries. Recently, that police arrested two North Carolina men who are alleged to be members of the notorious hacking group called 'Crackas With Attitude' which leaked personal details of 31,000 U.S. government agents and their families.
The risks and opportunities which digital technologies, devices and media bring us are manifest. Cyber risk is never a matter purely for the IT team, although they clearly play a vital role. An organisation's risk management function needs a thorough understanding of the constantly evolving risks as well as the practical tools and techniques available to address them.
What do we mean by cyber risk?
Cyber Risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.
It will never happen to us….
All types and sizes of organisations are at risk, not only the financial services firms, defence organisations and high profile names which make the headlines.
Cyber risk practical guidance
Cyber and Information Management Special Interest Group (SIG) conducted extensive research into the dynamic issue of cyber threats to business, governments and global enterprises. They have produced a practical guide for risk professionals and senior executives to help demystify the issue of cyber risk.
Members of the group commented ‘the true extent of the risk has yet to be assessed – let alone managed. And the threat is very real. Risk professionals need to wake up and smell the coffee before it is too late’.
Cyber risk: Nightmare or opportunity?
Additionally, Tripwire’s study found that 50% plan to invest more heavily in training their existing staff to help with the looming skills shortage.
“It’s evident that security teams are evolving and maturing with the rest of the cyber security industry, but the pool of skilled staff and training simply aren’t keeping up,” said Tim Erlin, vice president of product management and strategy at Tripwire.
“For example, beyond their technical duties, security practitioners may now be expected to spend more time in boardrooms or in the CFO’s office to secure more budget. While the makeup of the cyber security workforce may be changing, the fundamentals of protecting an organisation have not. It will be critical during this transition to ensure there’s a long-term strategy in place around maintaining their foundational security controls.”
Cisco planned to address critical issues head-on in its 2017 Annual Cybersecurity Report, which unveiled startling insights into the damage that breaches are inflicting: 22 percent of breached organizations lost customers and 29 percent lost revenue, with 38 percent of that group losing more than 20 percent of revenue. Those are big hits, and such high stakes demand a strategic, proactive approach to defense rather than the reactive responses commonly seen.
There are three elements necessary for a comprehensive cyber strategy:
Get the Board on board
Board-level support is essential, and corporate executives must be prepared to make their case for it. Board directors should be asking their leaders about people and process as well as technology and policy to ensure a comprehensive cyber resilience strategy.
People and Process:
- Are we evolving our culture (talent, skills, training, and adaptability)?
- Do we have a process for continuous improvement for cyber resilience?
- Do we have formalized response processes and capabilities?
- Are core business and financial processes adequately secure and how do we know?
- Are we using the right metrics to determine effectiveness of efforts?
Technology and Policy:
- Have we performed a thorough cyber risk assessment of our use of technology?
- What is our current level of cyber risk, and its potential business impact?
- Are our systems of controls equal to the risks?
- Is our cyber resilience strategy focused on our business objectives, protecting our most critical assets and providing business continuity?
- How does our cybersecurity program apply industry standards and best practices, and compare with industry peers?
- How do we measure our program’s effectiveness?
Answering these questions involves substantial effort, but the results will provide a solid foundation for the cyber resilient architecture that will be needed as companies invest in new technologies.
Securely Approach Digitization
An organization and its Board must understand that the business will digitize and use technology rapidly in order to keep the business agile – it is inevitable. Organizations must seize the opportunity to look at this digital disruption to hone focus and investment on associated security risks and challenges. While digitalization creates and expands business opportunities for organizations, evaluating the security considerations must be an essential part of the process. Savvy organizations are shifting from merely focusing on cyber security controls to building cyber resilient architectures that can stand up to today’s attacks. With such an architecture, a compromised system will resist failure—but if it is forced to fail, it will do so gracefully. Visibility across the network will enable the system to sense if it has been compromised, respond quickly and recover to an operational state.
In the borderless world of information technology, in fact, computer-security specialists and corporate risk managers have begun working under the assumption that it’s impossible for companies to keep their networks completely free from penetration, according to the lead story of our package, “What’s the Cost of a Cyber Attack?” Given that reality, they’re zeroing in on the need to detect hackers once they’re inside the system and to respond to the attack, rather than just focusing on sealing networks from every possible breach.
“Traditionally, cybersecurity has been focused on the front protection piece,” including internal controls, employee training, and firewalls, according to Heather Crofford, CFO of shared services at Northrop Grumman, the big aerospace and defense contractor. For Northrop and many other companies, however, “detection, response, and recovery are where the increasing investment needs to be,” she says.
Since the risk can’t be completely eliminated, CFOs are wondering if insurance policies targeted solely at cyber risk can help stem the tide of financial loss once a breach occurs. Some companies have, in fact, bought “dedicated” cyber insurance policies that provide coverage for such risk exposures, writes Lynda Bennett, an attorney who represents corporate policyholders, in “Cyber Insurance Policies: Are They Worth the Money?” Other companies are still in the evaluation phase and are appropriately wondering whether such policies are needed, and, if so, whether insurers are paying claims under them, according to Bennett.
The remaining articles discuss the increasing interest of regulators in cyber risk, how to hire the right people to stop the bleeding if a breach occurs, and the CFO’s unique role in cyber security. We hope our coverage will help you put together effective strategies and tactics to cope with the Brave New World of cyber peril.
A flurry of attempts to model the risk of a corporate cyberattack hasn’t provided many answers.
Under a dedicated cyber insurance policy, there is no “standard” liability coverage available.
Many regulators consider the growing tide of cyber incidents to be more of an abdication of corporate responsibility than a threat to national security.
While building an in-house cyber security operations center can be resource-intensive, it can safeguard your data.
Many finance chiefs are being called upon to help promote cyber security and identify threats.