Sunday, October 19, 2014

Why Risk Analysis


I like to browse the internet before posting on here in an attempt to relate the week’s lessons to current trends in Cyber Security.  This link: http://www.securityweek.com/cost-cyber-attacks-jumps-us-firms-study really fits the bill in my view.  According to the Security Week report, “A survey of 59 US firms by the Ponemon Institute with Hewlett-Packard found the average annual cost of responding to cyber attacks was $12.7 million, up 96 percent over the previous five years.  The organizations saw a 176 percent increase in the number of cyber attacks, with an average of 138 successful attacks per week, compared to 50 attacks per week when the study was initially conducted in 2010.”

We know that attacks are on the rise each year, and protecting your assets and recovering from the attacks that do succeed is becoming a very expensive bill.  Comprehensive risk analysis, through asset identification, classification, and listing the associated vulnerabilities along with their chance of occurrence, is a task that absolutely must be accomplished no matter the company.  You must know which of your assets are most critical to your operations and what current threats exist to your organization.  These assets must be ranked based on their attack surface, the likelihood of an attack, and the criticality of the asset.  Only then can you know where to investigate and where to place your security countermeasures.  Any other method is just guessing.

Even if you have an unlimited security budget, a comprehensive asset valuation and risk analysis must be done.  If you aren’t spending your security budget on protecting the most important assets in your organization from the attacks that are the most likely to occur, then you might as well give that money away, because “hope” most likely isn’t a reliable security stance for your company.
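As an added illustration (not from the original post), here is the ranking and budget argument above expressed as a quantitative risk calculation on a constructed asset list: each asset is paired with its most likely threat, a single loss expectancy (SLE) is derived from its value and exposure factor, and the annualized loss expectancy (ALE) orders where countermeasures belong and whether a given control is worth its cost. The asset names, dollar values and rates are invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetRisk:
    """One asset paired with the threat most likely to hit it."""
    name: str
    value: float            # replacement/impact value in dollars
    exposure_factor: float  # fraction of value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence of the threat

    @property
    def sle(self) -> float:
        # Single loss expectancy: what one successful attack costs.
        return self.value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annualized loss expectancy: expected yearly loss from this threat.
        return self.sle * self.aro


def rank_by_ale(assets):
    """Return assets ordered by descending annualized loss expectancy."""
    return sorted(assets, key=lambda a: a.ale, reverse=True)


def countermeasure_value(asset, cost_per_year, aro_after):
    """Net yearly benefit of a control that lowers the threat's ARO to aro_after.

    Positive means the control pays for itself; negative means the money
    would be better spent elsewhere in the ranking.
    """
    reduced = AssetRisk(asset.name, asset.value, asset.exposure_factor, aro_after)
    return asset.ale - reduced.ale - cost_per_year


# Constructed inventory (values and rates invented for illustration).
INVENTORY = [
    AssetRisk("customer database", 5_000_000, 0.40, 0.5),
    AssetRisk("public web server", 200_000, 0.80, 4.0),
    AssetRisk("marketing laptops", 50_000, 0.30, 2.0),
]

if __name__ == "__main__":
    for a in rank_by_ale(INVENTORY):
        print(f"{a.name:20s} SLE=${a.sle:,.0f} ALE=${a.ale:,.0f}")
    # Is a $300k/year control that halves database incidents worth it?
    print(countermeasure_value(INVENTORY[0], 300_000, 0.25))
```

The web server has the highest attack likelihood, but the database still ranks first once criticality is factored in, which is the point of ranking on both.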

Sunday, October 12, 2014

Information Security Metrics Conundrum



Me: “My patch compliance is at 99.75% and my user education percentage is 100.”

CEO:  “Wonderful, but we just got taken for 18 million records containing customer accounts.  Those metrics sure do look nice, make sure you and your dedicated pie chart creator take those reports with you on your way out the front door!”

To determine the effectiveness of any process used by a company, it is always good to record metrics for future analysis.  In the InfoSec world it is also true that metrics can be especially helpful in showing whether your policies, procedures, and controls are actually keeping your network safe.  Unfortunately, in InfoSec you can research and develop great policy, train your users not to be victims and to maintain vigilance, and reduce the known vulnerabilities on your network to a near perfect level, but you cannot always prevent an attack.  New exploits are constantly surfacing, and it only takes one slip-up by a user to lead to a data compromise.  And we all know that successful attacks and data compromises are the real metrics that leadership will be reviewing when determining InfoSec program effectiveness, not the multitude of pie charts you have detailing training status and patch compliance.

I don’t make the argument against keeping InfoSec metrics; they are essential for tracking the progress and status of the program, but I don’t know if they can really be relied upon to prove overall effectiveness.  You could reduce the number of successful attacks by 90%, but what if the attacks that did get through were more severe than anything before?  I think metrics for the most part should be kept internal to the InfoSec division.  Instead of trotting out charts with percentages and numbers to leadership, I think the InfoSec team should use their collected metrics to translate the numbers into a big picture view of the company’s security posture, to show that the program is truly effective and is constantly getting better.

I guess the key here is to make sure you research and develop metrics that will actually contribute to a more secure network, while identifying and removing metrics that may generate interesting stats without necessarily enhancing the security posture.  So you are at 100% for security training, but is the program adapting to the environment and still effective?  You have 99% patch compliance, but are your web server and database secure against SQL injection?  The metrics must be constantly analyzed for effectiveness and trends so effort is not wasted, because collecting and evaluating metrics can be rather time intensive, and focusing energy in the wrong spot can be fatal.

Sunday, October 5, 2014

JP Morgan Attacked, User Attacks Pending

Seems like every week there is a cyber attack in the headlines.  This week it is the compromise of 83 million customer records from JP Morgan Chase sometime this year.  The attack methods have not yet been released, but this incident checks many of the boxes that are all too common these days.  First, it was going on for an extended period of time undetected; second, the fact that there was a leak was not made public until absolutely necessary (a regulatory filing); and finally, the motives of the attack were financial.  There were reports of this potentially being politically motivated, but based on what I have learned throughout this course, this is probably not the case.  The vast majority of cyber attacks are financially motivated, and the political angle serves to make a story where there probably isn't one.

So what does one do with 83 million customer records?  Usually, they sell them on the black market.  These records did not contain account information such as usernames or passwords.  They did contain customer names, addresses, phone numbers and email addresses, exactly the kind of information used for spamming or phishing.  This is not as valuable as usernames and passwords, but it can be valuable to hackers because it fills in a piece of the puzzle.  They don't know what your account information is, but they know two important pieces of information:

1. They know who you are and how to contact you via e-mail, phone, or postal mail.
2. They know that you have an account with JP Morgan Chase.

This makes anyone with an account at this bank a prime candidate for a phishing attack.  You can change your passwords immediately, but most likely the attack is yet to occur.  What these people must do is educate themselves and their families on phishing protection and be extra vigilant towards anything they receive from the bank, because the attack is most definitely coming.  With that many records compromised, the hackers who end up with the information can cast a very wide net.  I found this Reuters link interesting.  It goes into some of the ways this information is broken up and sold based on location, with wealthy demographics going for more money on the market.