Book Excerpt: Recognize the Threats. Part 1 of a Chapter of the New Book 'Heuristic Risk Management' by Michael Lines
Learn about an effective approach for setting up a risk-based information security program from CyberEdBoard executive member Michael Lines.
Michael Lines is working with Information Security Media Group to promote awareness of the need for cyber risk management, and as a part of that initiative, the CyberEdBoard will post draft chapters from his upcoming book, "Heuristic Risk Management: Be Aware, Get Prepared, Defend Yourself." The last chapter we published is here.
Recognize the Threats
All too often, when discussing what could happen should a company suffer a cyberattack, security leaders fall back into techno-babble and discuss the technical details of the potential incident. This is frustrating for business leaders who do not have a technical background, and it erodes executive support for the security function. If business leaders cannot see, in terms they understand, why you need funding, you are not likely to get it. This chapter discusses the potential harms that can result from cyberattacks and how to prioritize them based on what your business does.
At a business level, the threats posed by cyberattacks can almost always be categorized into the following eight groups, which can be remembered by the acronym FELT DIES. The acronym is useful not only for remembering what these threats are but also for recalling their relative likelihood for most companies, since the order reflects it.
In this blog post, I will discuss the first four threats. Fraud, Extortion and Theft are first-order threats, in that the threat actors discussed in the chapter "Know Your Enemy" are directly behind them. Loss is a second-order threat: the threat actors are not directly behind it (if they were, it would be theft or one of the other threats), but the event is still cyber-related and can cause significant harm to the business.
When discussing risk with your business leaders, be sure to use the following terms for the threats that your company is most vulnerable to. This keeps the conversation at a level that most executives can understand, as these threats are nontechnical issues most business leaders can relate to.
Fraud is theft using manipulation and deceit, as opposed to the use of force as in a robbery.
Examples of fraud include payroll fraud, benefits fraud, bank account takeover and wire transfer fraud. Fraud is a cyber-related risk because criminals typically use phishing, social engineering and other means to obtain employee credentials or to trick employees into granting them the access they need to carry out the fraud.
According to the FBI's Internet Crime Complaint Center (IC3) 2020 Internet Crime Report, victims lost the most money to business email compromise (BEC) scams, romance and confidence schemes, and investment fraud. With almost 800,000 complaints reported to the IC3 and over $4.1 billion in reported losses in 2020 (figures estimated to represent only a small fraction of the actual incidents and losses), all businesses, regardless of their size, are targets for fraud attacks. Small organizations are targets because they lack the sophistication to spot the attacks, while large organizations are targets because they lack the internal controls that would help spot them. The increase in remote work is accelerating these trends: as more work is conducted by phone and email, physical verification of identities becomes more difficult.
Extortion is the threat of harm to extract money or some concession from a company.
Ransomware is probably the most common example of this today: companies are forced to pay a ransom to regain access to their data, or to prevent its release to the public. Other examples of extortion are denial-of-service attacks, where companies are pressured to pay in order to regain access to their online services, and the theft of sensitive information combined with a threat to release it unless a ransom is paid.
Worldwide, ransomware cases are rising sharply, with one estimate putting the share of organizations affected by ransomware at 68%. Governments, businesses large and small, and companies designated as critical infrastructure have all been victims of ransomware; no organization is immune. Ransomware attacks are not only pervasive, they can also be deadly. Businesses can be severely damaged, if not destroyed, by a ransomware attack, and lives have been lost because of the disruption of IT systems caused by an attack.
The default expectation of most executives, that their cyber insurance will cover the losses or damages from a ransomware attack, is increasingly unfounded. Insurance companies are specifically writing ransomware coverage out of their policies, and where coverage is still available, the premiums are rising sharply.
Loss covers any loss of information that causes financial harm to companies.
Examples range from sending sensitive data to the wrong people all the way through to losing sensitive and reportable data when laptops or USB devices are lost or information is sent via insecure means. For health care information in particular, the penalties can be severe even for relatively small numbers of records.
Security leaders need to understand what sensitive information their organization receives, processes or has access to; who within the organization has access to it; where it is located; and how it is protected. Finally, they need to know, or at least know where to find if needed, the reporting requirements and the consequences of failing to report to regulators or customers should there be a breach of this information, regardless of whether the cause was intentional or unintentional.
Theft is the direct theft of information or resources from a company for financial gain.
This typically occurs when criminals or nation-states hack computer systems to gain access to sensitive information that can be resold on the dark web, such as cardholder data. This can occur both directly when a company’s systems are attacked, and indirectly when information that they have shared with a third party is stolen from the third party.
Besides stealing information, attackers can also steal resources from the company by hijacking its devices for their own purposes. Usually the purpose is mining cryptocurrency (cryptojacking), but the devices can also be incorporated into massive botnets that are rented to other criminals for malicious activities: denial-of-service attacks as part of an extortion attempt, or hosting illegitimate websites in phishing campaigns to steal information from unsuspecting users who have been directed to them. It is not only servers and PCs that are used in these attacks; vulnerable commercial and consumer routers are often compromised and incorporated into botnets to conduct criminal activity.
Increasingly, theft is becoming a two-sided problem. One side is direct theft, when a company is targeted specifically because of the resalable data it holds. The other side is sensitive data stolen as part of a ransomware attack. Companies now face paying not only to get their encrypted files restored, but also to prevent the data stolen during the attack from being released or sold on the dark web. The consequences of such a release could ruin the company's reputation with its customers and expose it to customer lawsuits, regulatory sanctions and fines.
In Part 2 of this blog post, I will discuss the four remaining threats - Damage, Infractions, Espionage and Sabotage.
CyberEdBoard is ISMG’s premier members-only community of seniormost executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Michael Lines is an information security executive with over 20 years of experience as a Chief Information Security Officer, or CISO, for large global organizations, including PricewaterhouseCoopers, Transition and FICO. In addition, he has led several advisory services practices, delivering security, risk and privacy professional services to major corporations. Lines writes, blogs, speaks at conferences and webinars, and provides interviews on a wide variety of information security topics, primarily concerning what it takes to develop and run effective information security programs and why so many companies continue to suffer security breaches due to ineffective risk management.