Can a single number, Value at Risk or VaR, summarize financial risk of cyber attacks? Of course not! I may have left the impression from the previous post in this series that VaR is a very precise measurement. Sure … in theory.
Under the assumptions of a model, a VaR makes perfect sense. The numbers I came up with had a few digits to the right of the decimal place. As statisticians will tell you, don’t confuse precision with accuracy or truthfulness. The RiskLens people have a nice explanation of the difference between the two in their blog post.
The Fog of Precision
In short: you can be very precise and wrong! If your assumptions are off, the VaR number can give you a false sense of confidence. You really want a fuller picture of the range of risk. Remember that 95% VaR and above is the worst that can happen.
The median number is helpful here — the cost below which 50% of the attacks occur. You can still see a lot of damage from a few smaller attacks depending on the heaviness of the curve. In my own Monte Carlo model spreadsheet, I added additional metrics including the average and the most frequent value or mode, along with a histogram. It’s extra information that gives a more complete picture and is useful for decision makers. In short: don’t miss the risk forest because of the trees.
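A worked version of that fuller picture, as an added example and not the spreadsheet from the original post: a small Monte Carlo loss model in Python (standard library only) that draws a Poisson number of attacks per year, gives each a lognormal cost, and then reports the 95% VaR next to the median, mean, most-frequent loss bin and a text histogram. The attack rate, severity parameters and bin width below are assumed for illustration, not calibrated figures.

```python
import math
import random
import statistics
from collections import Counter


def poisson_sample(rate, rng):
    """Draw one Poisson(rate) variate with Knuth's method (the stdlib has no Poisson)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(n_years, attack_rate, sev_mu, sev_sigma, seed=2017):
    """Annual loss = sum of lognormal per-attack costs over a Poisson number of attacks.
    All parameters are assumptions for illustration; seed fixed so runs are repeatable."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        n_attacks = poisson_sample(attack_rate, rng)
        losses.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(n_attacks)))
    return losses


def percentile(values, q):
    """Nearest-rank percentile: smallest value with at least fraction q of the sample at or below it."""
    s = sorted(values)
    rank = max(1, math.ceil(q * len(s)))
    return s[rank - 1]


def histogram(values, bin_width):
    """Bucket losses into [lo, lo + bin_width) bins; returns [(lo, count), ...] in order."""
    counts = Counter(int(v // bin_width) for v in values)
    return [(b * bin_width, counts[b]) for b in sorted(counts)]


def summarize(losses, bin_width):
    """The metrics the post argues should sit beside the VaR figure."""
    hist = histogram(losses, bin_width)
    mode_lo, _ = max(hist, key=lambda bc: bc[1])  # most-frequent bin = mode estimate
    return {
        "var95": percentile(losses, 0.95),
        "median": statistics.median(losses),
        "mean": statistics.fmean(losses),
        "mode_bin": (mode_lo, mode_lo + bin_width),
        "histogram": hist,
    }


def render(summary, width=40):
    """Text histogram so the shape (and tail heaviness) is visible without a chart."""
    top = max(c for _, c in summary["histogram"])
    rows = [f"{lo:>12,.0f} | {'#' * round(width * c / top)} {c}" for lo, c in summary["histogram"]]
    return "\n".join(rows)


if __name__ == "__main__":
    # Assumed inputs: 2 attacks/year on average, per-attack cost lognormal with median ~$50k
    losses = simulate_annual_losses(5000, attack_rate=2.0, sev_mu=math.log(50_000), sev_sigma=1.2)
    s = summarize(losses, bin_width=50_000)
    for key in ("var95", "median", "mean"):
        print(f"{key:>8}: ${s[key]:,.0f}")
    print(f"mode bin: ${s['mode_bin'][0]:,.0f} - ${s['mode_bin'][1]:,.0f}")
    print(render(s))
```

Run it and compare the VaR line with the median and mode: the gap between them is the "fog of precision" in one screen, and changing sev_sigma shows how quickly the tail, and the VaR, moves while the median barely does.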
Let me also emphasize that there’s value in the actual exercise of working out a VaR: finding out what data is at risk, its value, and then the probability of an attack. Most of this can be accomplished through a formal risk assessment. In any case, the key lesson is learning what you don’t know: known unknowns. (Let’s not scare ourselves with the unknown unknowns.) Deloitte has a very worthwhile article on cyber VaR. They point out it took the banking industry over 30 years to refine financial VaR for it to be a practical measurement. Cyber VaR is not yet at that level of refinement.
Hacking 101 for CEOs
The last section in this series — what CEOs need to know about hacking — can be accomplished in much less space. The takeaway is that hacking of valuable data from companies is far easier to accomplish than most C-levels think.
Unfortunately, the fear factor, spurred on by Stuxnet and other exotic malware, may have shaped more than a few CEOs’ views. No, you don’t need a PhD in cybersecurity to understand how most attacks work their dark magic.
The Verizon Data Breach Investigations Report (DBIR), this blog’s second favorite source of stats outside of our own Data Risk Report, has some fascinating numbers to consider. The 2017 DBIR points out that 66% of malware was installed by email attachments as part of a social-engineering or phishing attack. In fact, our research team recently discovered banking malware that was launched by, you guessed it, clicking on an attachment.
In a series of posts on malware-free hacking, I showed how easy it is to slip a payload script into a Word document. This is a very simple attack to accomplish — a clever 13-year-old, unfortunately, can pull it off — and it effectively lets hackers go around firewalls and evade virus scanners.
Once inside, it is again very easy for them to look around for information, guess or steal existing user credentials, and then hop to interesting servers to get and exfiltrate the data.
Don’t believe me?
Last month, as part of our Coffee Series of infosec presentations, we invited the clever security analysts from Black Hills Information Security to demonstrate just how simple it is to move around a system during post-exploitation. One technique they employ to discover user passwords is called password spraying. Watch this brief clip to get a sense of how this is done:
Got that, C-levels? It takes only one person in your organization to have an easy-to-guess password, and the hackers will find and exploit this weak link. The Black Hills gang have even stealthier ways to steal credentials. Register and watch (or get someone on your staff to) the entire presentation.
CISOs need to understand what it is they’re protecting (data and operations), what its value is, and be able to give likelihood estimates over a range of possible breach scenarios. And CEOs and CFOs should understand the realities of the new threat environment: phishing attacks are cheap, easy, and effective.
If you’re a regular IOS blog reader, you know where this is going. There are some simple ideas requiring some not-so-simple technology that will greatly lower risk and achieve lower VaR numbers.
First, find out where the valuable information is located in your file systems, and then restrict access to the fewest employees possible. This reduces the exposed surface visible to attackers searching for desirable data, and helps limit your overall breach risk.
Second, you’ll need special monitoring technology to learn which files have been accessed and copied by the attackers, and then alert your IT staff so they can investigate and disable accounts if needed.
While it may be easy for attackers to enter your IT systems, there’s no reason why we can’t make it harder or impossible for them to find and remove the data.