Categories
Incident Response

The Benefits of a Cyber Security Risk Assessment

As organizations rely more on information technology and data systems to conduct business and manage operations, the inherent risks of using those technology assets increase. Several effective frameworks exist for managing those risks, to help enterprises and small businesses reduce exposure to threats, meet compliance obligations and compete in the marketplace.

 

A cyber risk assessment is an increasingly common, often mandatory operation for businesses of all sizes. An assessment can be applied to any application, function, or process within an organization. Conducting a cyber security risk assessment is often a detailed and complex process that requires expert planning, specialist knowledge, and stakeholder buy-in to deliver appropriate and actionable results. If you’re new to IT risk governance in general, here is what you need to know.

 

What Is a Cyber Risk Assessment?

Assessing and quantifying cyber risk is required for compliance with all commonly accepted US and international standards, including HIPAA, ISO 27000, GDPR, and NIST:

 

“Risk assessment is one of the fundamental components of an organizational risk management process as described in NIST Special Publication 800-39. Risk assessments are used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.” – NIST Special Publication 800-30

 

A cyber risk assessment is a tool used to inform decision-makers and support appropriate risk responses. It’s a comprehensive evaluation, testing and auditing process that asks and seeks to answer critical questions about your cyber security posture, including:

  • What are our most important IT assets?
  • What are the most relevant threats and vulnerabilities for our organization?
  • How likely is it that vulnerabilities can be exploited, and what would the impact be?
  • What is our organization’s attitude toward risk, and how can it be managed?
  • What are the highest priority security risks we face? 

The cyber assessment process helps you fully understand these questions, reveals answers and provides suggestions how best to proceed. Your organization will emerge with a better understanding of the value of the data you are trying to protect, the cost of that protection, and the potential consequences of failure.

 

One important note: cyber risk assessment should be an ongoing process. Continually monitoring and reviewing your risk environment is required to detect changes and maintain an effective overview of your evolving risk stance and security environment.

 

 

Why Enterprises Perform Cyber Risk Assessments

 

Cyber risk assessments are increasingly necessary, and often required, in the 21st century digital marketplace. They are an integral feature of any wider risk management strategy. Additional reasons enterprises regularly perform cyber risk assessments include:

 

  • Avoid data breaches, IT incidents and adverse security events: The costs and reputational impact of an incident can be substantial.
  • Reduce long-term costs: Mitigating threats and eliminating vulnerabilities can save money in the long-run, not just by preventing costly incidents but also by creating a foundation for continuous improvement, by better understanding and more effectively managing the data and security environment.
  • Create a template for future assessments: Cyber risk assessments should be conducted regularly, completing one assessment supports continued evaluation of the evolving risk and security environment.
  • Meet regulatory and compliance requirements: Organizations have increasing obligations to meet rigorous standards for data management and security performance, including from HIPAA, PCI DSS, GDPR and others. 
  • Establish a competitive advantage: Organizations with best-in-class cyber security posture enjoy increased productivity, improved public relations, enhanced capability to gain and retain employees, and have a leg up over other firms in their space.
 

 

Internal vs. External Assessment: Which Is Right for You? 

If you have sufficient resources in-house, along with an experienced and capable security team available to manage those resources, then the full range of security operations is within reach. Enterprises of suitable scale, with the assets in place and the know-how to command them, can successfully conduct cyber risk assessment operations in-house. 

 

With that said, large organizations with internal capabilities often want a fresh look at their cyber security program. In such cases they opt for an independent expert to provide support for conducting assessments and formulating new policies and standards. 

 

On the other hand, if you are a startup or SME, you may face challenges to effectively manage cyber risk assessments in-house: limited budget, insufficient staff and time resources, and the need to have all hands on deck for mission-critical operations are all barriers not just to success, but to even launching an operation. Conducting an assessment in-house can be insurmountable in these circumstances.

Engaging an external security provider allows these organizations to access cyber risk assessment leadership and best practices, without diverting limited resources away from core operations. You can have effective information security guidance and oversight, but not have to make sacrifices that might stand in the way of your goals. Other advantages include:

  • Independent perspective on threats, vulnerabilities and improvement opportunities
  • Access to enhanced capabilities, skill levels and knowledge of best practices
  • Reduce overall costs
  • Provide confidence for clients, vendors, shareholders and other stakeholders

What an Assessment Should Look Like

The foundation for an effective cyber risk assessment is framed as a comprehensive, iterative, and well-defined process aimed at identifying all risk types: operational, strategic, transactional, compliance and reputational risk. The basic steps include:

 

System categorization includes an assessment of each system to determine the type, internal and external interfaces, who uses the system, data flow, and more. This process reveals likely threats.

 

Threat identification begins in the previous process and is formalized in this step. Threat types include:

  • Unauthorized access 
  • Information misuse 
  • Data exposure 
  • Data loss 
  • Service or productivity disruption 

Risk determination and impact is assessed independent of the control environment. High, medium and low risk levels are assigned to create a prioritization schedule. 

 

Control analysis identifies the available threat prevention, mitigation, detection and/or compensating controls, and assesses their effectiveness. Recommendations for added controls emerge from this analysis. 

 

Threat scoring determines the likelihood of a given exploit, within the context of the control environment. Threats with a “low” rating have insufficient motivation or capability to exploit a vulnerability, or current controls are adequate to meet the threat. “High” rating threats have dangerous motivation and capability, and there is also a lack of adequate controls to prevent or impede the threat. 

 

Calculation of final risk ratings creates a cyber risk assessment report with deep insights, actionable data, and recommendations for necessary adjustments. Risk assessment reporting is a fundamental element of an effective risk management process and allows enterprises to manifest an acceptable risk environment, while highlighting required control measures. The cyber risk assessment process is continuous, and should be reviewed regularly to ensure the relevance of findings. 

 

Partner with SecurIT360 to Successfully Manage Your Risk Environment 

Cyber risk assessments are integral to information risk management, compliance and enterprise performance. SecurIT360 is trusted by organizations just like yours to provide sensible risk analysis that catalogs relevant assets and their value, identifies threats and vulnerabilities, analyzes controls, and then prioritizes and fully documents risks in a report that includes recommendations for how to proceed. Assessment and reporting is customized to your organization’s needs, to ensure your team has complete support to make the best, most informed decisions. 

 

SecurIT360 is a trusted advisor to small businesses and enterprises that are motivated to meet complex and evolving security challenges. We are available to help you compete and thrive in today’s digital environment – contact us to learn more. 

Categories
Webinar

Arriving at the Scene of a Cyber Attack


In this 1-hour webinar, SecurIT360 experts describe what’s like to arrive at the scene of a cyber attack and how to respond.

Watch the full webinar recording below.

Webinar Speaker:

  • David Forrestall, Managing Partner, SecurIT360
Categories
Webinar

Conversations with a Hacker


Webinar Speaker:

  • David Forrestall, Managing Partner, SecurIT360

Contact SecurIT360 Today

Categories
Webinar

How to Respond to a Data Breach & Cyber Security Incidents

In this 1-hour webinar, SecurIT360 experts discuss how to prepare for cyber security incidents and respond to a data breach.

  • What to do when you arrive at the scene of a cyber attack
  • The legal impact of cyber attacks and how to be prepared
  • How to conduct a post-attack data breach review

Watch the full webinar recording below.

Webinar Speakers:

  • David Forrestall, Managing Partner, SecurIT360
  • Bruce Radke, Shareholder, Polsinelli
  • James Jansen, Senior Director, Consilio
  • Maureen O’Neill, Senior Vice President, Consilio
Categories
Incident Response

The Benefits of Preparing for Cyber Security Incidents

Now, More Than Ever, Enterprises Are Learning the Benefits of Preparing for Cyber Security Incidents

2020 isn’t likely to be on anyone’s list of “Best Years of All-Time” and the sentiment is double for anyone involved in cyber security: the year is barely halfway over, and it’s already been full of frustrations and headaches for cyber experts.

When you look at the cyber attacks costs to business and the continuing high rate of incidents in 2020, there’s only one conclusion: there’s a need for enterprises to demonstrate readiness and embark on a journey toward cyber security resiliency.

To start, let’s look at some numbers to help underline why proper cyber security is a value-add and can help a business protect against losses.

Cyber Attack Costs to Businesses

There’s no question that enterprises are being challenged to keep up with a security environment that is showing no signs of becoming friendlier any time soon. The highlights of the 2020 Cost of a Data Breach Report paint a picture that can be eye-opening for both enterprises and small businesses:

  • $3.9 million average cost of a data breach
  • Time to identify and contain a data breach averages 280 days
  • $150 average cost per lost record
  • 43% of all attacks target small businesses
  • 86% of small businesses have no effective defenses against cyber attack
  • 60% of all small businesses close their doors within 6 months following a cyber attack

[Source for all statistics: IBM, 2020 Cost of a Data Breach Report]

These statistics show larger enterprises typically have the resources to at least maintain (though they are certainly not immune, as we will detail later), while small businesses generally have more difficulty managing the proliferation of cyber threats, vulnerabilities, and incidents. The findings of the report definitely shed light on the risk to small businesses, though there is a lot of positive insight that can be distilled.

For instance, the fifth bullet calls out that 86% of small businesses have no effective cyber attack defenses. The conclusion that should be drawn is businesses with proper cyber security measures in place are far less likely to suffer a cyber attack. A high level of organizational preparation and sufficient investment in cyber security resources can create enhanced resiliency and diminish the threat of damaging incidents.

Two of 2020’s most noteworthy security stories – the hack of high-profile accounts on Twitter and the troubles that have plagued the Zoom app – demonstrate how an ounce of prevention is worth a pound of cure.

Twitter Gets Hacked

2020 Twitter Hack Image

The most spectacular security event of the year is the recent Twitter hack. On July 15, 2020, 130 of the highest profile Twitter accounts – including those of Barack Obama, Joe Biden, Apple, Uber, Bill Gates, and Elon Musk – were hacked and used to push a bitcoin scam.

Federal and local law enforcement responded quickly and the investigation has led to several arrests in Florida, including a juvenile as the alleged ring leader. The actual monetary damages to victims are relatively small, probably less than $200,000. However, the implications of this breach are disconcerting.

The hack’s apparent lack of technical sophistication and small-potatoes level of ambition – prestigious Twitter handles were apparently more coveted than compromising sensitive accounts – leads to more questions. What if this was a more sophisticated operation, mounted by a genuine criminal enterprise and with more destructive goals? What if the private messages logs of the hacked accounts were shared with significant threat actors, including unfriendly nation states, corporate spies, and blackmailers?

Twitter has emerged from this relatively unscathed, but the accountholders appear unprepared for the future. If privileged information from those accounts is released, or if a similar attack is launched by someone with a more sinister agenda, the potential for damage is immense.

Lesson: With so many technology partners integral to operations, there are endless vulnerabilities outside of your control. Enterprises can’t rely solely on their own best efforts to maintain data security and must be prepared for catastrophic events that are external, unexpected, and unknowable. Align your behaviors, processes, operations, and strategies with the understanding that no amount of diligence can insulate against an incident that originates outside your organizational perimeter – disaster can strike and you must have a response framework and recovery process ready.

“Zoom Bombing” and Other Zoom Issues

2020 Zoom Bomb Hack Image

Before March, Zoom was just a little-known teleconferencing app. When the pandemic hit, it was suddenly vaulted into the spotlight as the go-to choice for virtual work meetings, school classroom sessions, or just friendly gatherings. For a while it worked, and then all the attention and traffic made Zoom’s incomplete approach to security noticeable, and malicious actors launched a series of attacks that exploited the app’s shortcomings.

Insecure meetings were frequently crashed by uninvited “Zoom bombers,” in a wave of incidents that were serious enough to merit an FBI warning. More unsettling were the multiple security flaws discovered by sharp-eyed researchers, including UNC path injection and local privilege escalation and code injection. The icing on the cake was the discovery of privacy concerns regarding misleading end-to-end encryption protection claims and undisclosed sharing of data with Facebook.

Zoom responded by issuing practical instructions for making meeting rooms more secure against bombing, patching multiple flaws, clarifying its use of encryption (it doesn’t use “end-to-end encryption” in the commonly understood sense), and addressing privacy concerns by promising to review its “processes and protocols for implementing… features in the future.” In retrospect, these incidents point to the human element as a source of vulnerability and the need for appropriate security training and controls.

Lesson: Crisis situations, like the rapid and ubiquitous move to remote workforces, can deprioritize normal precautions that support proper vetting of new technologies and services, which might be incompletely understood or poorly secured. Vulnerabilities in these solutions will eventually be exposed, which can create a snowballing crisis chain. Don’t allow a disruption to your normal operations interrupt your procedures for evaluating change, understanding risk, and integrating new services or partners into your enterprise environment. Proper employee training in encryption protocols, password sharing, and link sharing outside of your enterprise can eliminate many common vulnerabilities and threats.

Why Enterprises Might Underinvest in Threat Mitigation

Many enterprises were caught flatfooted by 2020’s security incidents. Companies with hacked Twitter accounts worked to understand how they had been compromised and likely still don’t know the complete tally of damages. Organizations that relied on Zoom to conduct business as normally as possible during the pandemic are struggling to contain the fallout from operations disrupted by Zoom’s failures, while scrambling to find alternative solutions.

Many of these organizations – or more accurately, the people within the organizations – did not to invest in sufficient cyber security assessment, response and recovery resources. Why is that? One common culprit is prospect theory.

In short, prospect theory demonstrates that our decision making is weighted toward loss aversion: people are more fearful of losses then they are encouraged by equivalent gains, and therefore will choose the option of loss avoidance when all things are perceived equal.

Cost Benefit Scale Image

In the context of whether or not to invest in enterprise cyber security, an organization’s decision makers might evaluate two possibilities:

  1. the cost (immediate loss) of implementing more resilient cyber security (long-term gain), or
  2. the savings (immediate gain) of not mitigating a potential cyber incident (long-term loss).

By prioritizing loss aversion (option 2), decision makers might overlook not only the likelihood that an event will occur, but also the potential value gains of being prepared and having a mitigation plan in place.

Here’s a Suggestion: Invest in Your Security Posture

The overall lesson here for enterprises is to make certain that, when deciding on a cyber security investment, you are properly evaluating the upside of hardening cyber security capabilities, preparing for security events, and having plans in place for response and recovery. Yes, this is an expense that shows up on the ledger as red ink. But it’s also an investment that returns its cost, and more: proper cyber security delivers value in the long term.

You can’t predict when an attack could happen and systems can be breached without you knowing you’ve been compromised, allowing malicious actors to thoroughly investigate your system and plan the most effective means of attack. The aforementioned IBM report demonstrates the precise value of preventing such a scenario.

Don’t let your only value determinant be loss (cost) aversion. Instead, perform a sensible risk analysis that spotlights the value benefit of a cyber security investment, and recommend the changes necessary to harden your defenses, install a response process, and create a recovery plan.

At SecurIT360, we are trusted advisors to small businesses and enterprises that are motivated to meet the security challenges of today’s digital environment. Contact us today to talk about your cyber security concerns and challenges.

Categories
Incident Response

Incident Response: We’ve Been Breached – Now What?

It’s a common scenario and one every enterprise should be ready for: you’ve just learned your business has experienced a data incident, now what? However your data has been compromised, if it involves enterprise or customer assets (or both), regardless of the attack vector—which may be unknown at the outset of an incident—your response should be structured, efficient and rapid.

Here’s what your “Now what?” should look like.

Incident Response Basics – NIST Computer Security Incident Handling Guide

A picture containing drawing

Description automatically generated
NIST Incident Response Life Cycle, p. 21 Figure 3-1

The National Institute of Standards and Technology (NIST) has respected and oft-emulated guidelines for incident response. Many organizations use NIST guidelines by the book, or similar guidelines developed using NIST as a basis for action. The NIST incident response life cycle includes four elements:

1. Preparation is a two-pronged operation: incident prevention works hand-in-hand with establishing an incident response capability, although typically different teams handle each program. Primary practices for both prevention and response include:

  • Risk assessments
  • Host security
  • Network security
  • Malware prevention
  • User awareness and training

2. Detection & analysis determines the response strategies deployed in a given incident response. Understanding attack vectors can provide a basis for activating specific handling procedures, according to a pre-developed action plan. Some of the most common attack vectors include:

  • External/removable media
  • Attrition
  • Web
  • Email
  • Impersonation
  • Improper usage
  • Equipment loss or theft

3. Containment, eradication & recovery strategies are activated according to analytic criteria: What is the potential damage? Can evidence be preserved? What services are available? How much time and what resources are required? What is the solution duration? All actions should be accomplished in a phased approach that prioritizes remediation steps.

4. Post-incident activity engages processes aimed at learning and improving, which are critical in creating a framework for continual improvement of security response. Collecting incident data allows for both subjective and objective assessment exercises, to better understand what worked and what didn’t. Preserving evidence is required for not only potential prosecution, but also compliance purposes. If notification of all stakeholders (including the general public, in most instances) has not already occurred, that should be completed now.

NIST Incident Handling Checklist

NIST guidelines helpfully condense incident handling into a convenient checklist of actions to be engaged across the process spectrum, from detection through to lessons learned. This is an invaluable tool to help guide response preparation, planning, handling and resolution.

Action
Detection and Analysis
Determine whether an incident has occurred
 Analyze the precursors and indicators
 Look for correlating information
 Perform research (e.g., search engines, knowledge base)
 As soon as the handler believes an incident has occurred, begin documenting  the investigation and gathering evidence
Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)
Report the incident to the appropriate internal personnel and external organizations
Containment, Eradication, and Recovery
Acquire, preserve, secure, and document evidence
Contain the incident
Eradicate the incident
 Identify and mitigate all vulnerabilities that were exploited
 Remove malware, inappropriate materials, and other components
 If more affected hosts are discovered (e.g., new malware infections), repeat  the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then  contain (5) and eradicate (6) the incident for them
Recover from the incident
 Return affected systems to an operationally ready state
 Confirm that the affected systems are functioning normally
 If necessary, implement additional monitoring to look for future related activity
Post-Incident Activity
Create a follow-up report
Hold a lessons learned meeting (mandatory for major incidents, optional otherwise)
NIST Computer Security Incident Handling Guide, p.42 Table 3

Study in Incident Response Success: Chili’s

A store front at day

Description automatically generated

What does a NIST-guided approach to incident handling look like? Chili’s might be famous for its baby back ribs and Awesome Blossom’s, however it’s equally deserving of merit for its response to a potentially devastating data breach in 2018. What did they do right? Just about everything:

  • Brinker International, the Chili’s chain operating entity, discovered the breach on May 11. They made an announcement to the public on May 12, sharing what they knew and (importantly) what they didn’t yet know – that level of swiftness and transparency established an immediate relationship of trust with potential victims and the public.
  • “We immediately activated our response plan upon learning of this incident,” Chili’s said, which included a forensics audit that revealed the incident took place more than a month earlier and “may have resulted in unauthorized access or acquisition of [customer] payment card data.” Mishandled discovery and investigation can cripple an effective response effort, so this created a strong foundation to build on.
  • Brinker contracted a third-party forensics specialist to manage the response and notified law enforcement immediately. Where many enterprises try to go it alone in these situations, typically in a misguided attempt to keep a lid on the situation, Brinker recognized the need for a diverse, expert, highly structured response and valued communication and collaboration in their process.
  • Recommendations and continuous action were accomplished as part of the remediation process. Chili’s recommended customers review their credit reports and notify relevant agencies and organizations of suspicious activity. Brinker filed a Form 8-K with the US Securities and Exchange Commission, which is used to notify shareholders of a significant event. They also set up a notification site dedicated to sharing news, information about the incident and their response, and a customers/potential victims FAQ.

Brinker’s successful incident response ensured that damage was minimized, especially to the Chili’s brand and customer loyalty, recovery was rapid, and baby back ribs with a side of Awesome Blossoms were back on the menu.

Study in Incident Response Failure: Equifax

Analyzing a bungled response can be more illuminating than reviewing a success story – hello Equifax! Let’s take a look at the low lights of how that company managed response to its notorious breach of November 2017:

  • The full scope of the breach – exposure of the personal data of up to 147 million Americans – was withheld from customers, regulators and the media. Instead, a slow drip of increasingly dire revelations created the impression of a snowballing catastrophe and a crisis the company was unable to get ahead of.
  • Company officers who knew the details of the breach and its potential severity sold their stock in the company before the incident was announced.
  • A separate support website outside the corporate domain was created to inform potential victims and connect them with remediation resources. This website was itself riddled with serious security flaws, and relocating outside the corporate domain spotlighted a lack of trust and accountability.
  • Equifax mistakenly tweeted a phishing link four times, instead of the correct support website.
  • When the company finally revealed that the breach had been caused by an unpatched server targeted by a pervasive security flaw, the company lost its final chance to rally trust in its security and response processes.

Equifax botched its response from the outset, which has led to an endless cycle of lawsuits, prosecutions, bad press, a $425 million settlement, and irreversible reputational damage (assuming that credit bureaus have positive reputations capable of sustaining damage, which is not an iron-clad argument). Other than those issues, everything went fine!

It’s Not If, It’s When You Will Suffer an Incident

The threat environment for enterprises is perilous and relentless: most organizations understand that experiencing a data breach incident is not something that’s a matter of bad luck or circumstance, it’s a given.

Preparation is crucial to meeting these moments: planning your response in the midst of a crisis is exponentially more challenging and prone to failure than having a response procedure and resources ready when the time is at hand. Having that response procedure ready can enable you to make informed, sound decisions that pay off and return you to a baby back ribs state-of-mind.

As NIST points out, preparation is everything. For a limited time, SecurIT360 is offering a free cyber security scorecard to provide businesses a snapshot of their cyber security posture. Your organization can use its scorecard results to understand if some basic vulnerabilities exist and make adjustments before a breach occurs.