Cybercrime, including ransomware, is a growing phenomenon in the developed world where some $80 billion is spent annually countering this multi-trillion dollar threat. However, success can have more to do with awareness than computers and often businesses forget traditional security, including the “Method, Motive, Opportunity” model.


Expensive, technical security might provide limited protection, given the actual digital threats.


Understand the Risk


To allocate budgets, resources and protective measures effectively, cyberthreats should be seen not as alien concepts, but as extensions of threats and risks in the physical world. First, understand the risk. The risk of attacks, physical or cyber, is defined in ISO 31000 (risk management) and repeated in the ISO 27000 series (information assets) as: the Effect of Uncertainty on Objectives. Something unexpected, caused by something we are under-informed about, happening to something we care about: e.g. a hacking attack by overseas criminals on our servers.


Managing such risk means coming to grips with those uncertainties and effects to make our servers safer. The core components are:


• Context: for example, the value of the data to our client and the internal processes that protect it.


• Identification: for example, theft of intellectual property with consequent loss of revenue.


• Analysis: for example, what we know about hostile parties, the damage they could do, how likely such damage is to occur, what our IT controls and human vulnerabilities are, and what resulting levels of risk we face.


• Evaluation: what analysis tells us about risk levels (for example, ‘high’ for hacking because of poor password controls and possible collusion by disaffected insiders) versus our tolerance for risk (for example, ‘low’ because the client would cancel the contract) and thus how far we need to treat the risk.


• Treatment: for example, strengthen password protocols; strengthen vetting and re-vetting regimes; sign-off residual levels of risk.


Apply sound principles


Despite portrayals of teenagers launching technological attacks on unsuspecting organisations run by behind-the-times adults, some established principles remain valid. Who has the motive to attack; what methods do they possess; what exploitable opportunities exist? Analysing attacks in that way underwrites investigatory and preventive techniques, cybercrime included, in many jurisdictions: the Motive x Method x Opportunity approach. To use this formula to reduce risk, we can try to reduce one or more elements as close as possible to zero.


6 © CITY SECURITY MAGAZINE – SUMMER 2017


Motive


If attackers have enough motive and method, no system is invulnerable. Even if opportunity is almost zero, a combination of motive and method can still be too high for an attack to be withstood. The US-Israeli breach of Iran’s nuclear programme was an example, as the 2016 documentary Zero Hours showed. Insider agents with physical access to Iranian systems were needed to breach their considerable security. Despite low opportunity, the attackers had sophisticated methodology and the overriding motive of preventing Iran developing nuclear weapons.


Few businesses face such extremes, but the principles remain valid: appropriately inexpensive options provide sufficient security to mitigate the threats.


[Figure: Cyber Attacks: Ease v Success likelihood. Attack types plotted by effort and risk (difficult to easy) against payout potential (low to high): 1. Organised crime 2. IP theft 3. Extortion 4. Ad fraud 5. Bank fraud 6. Payment system fraud 7. Bug bounty 8. Medical records fraud 9. Cyber warfare 10. Identity fraud 11. Credential harvesting 12. Credit card fraud 13. Hacktivism.]


Source: Hewlett Packard Enterprise


Method


Method examines attackers’ tools and their effectiveness, from sophisticated remote hacks (difficult and expensive for the attacker) to spam emails (cheaper but less effective). Cheaper, more effective methods are more likely, so cyber security should respond accordingly.


www.citysecuritymagazine.com


The company’s risk assessment determines which methods of attack are most likely to succeed, determining the mitigations needed to reduce the method factor acceptably.


Opportunity


Insider threats provide opportunity for attackers; GCHQ assesses 75% of attacks are wholly or partly in this category, breaking down roughly as follows:


• Employees breaching security for personal gain (malicious insiders);


• Employees coerced by bribery or blackmail (vulnerable insiders);


• Employees circumventing security to make life easier (WIMPs: Well Intentioned but Misguided People);


• Employees unwittingly lured by phishing and other cyber fraud;


• Employee and management staff inefficiency, and failure to learn lessons.


Insider threats can lead to financial and reputational loss. TalkTalk lost £60 million, 100,000 customers and 20% of share value after a cyber attack in 2015. Staff inattention and failure to comprehend the developing crisis were likely causes of the most impactful consequences.


Different risk profiles exist for each insider type, which need to be approached accordingly. Generic risk profiles are:


Malicious insider (high motive, high opportunity, low method)


With some internal grievance, 80% of attackers are already known to management for negative behaviour, and make their highly motivated attacks after admonishment, demotion, or firing (US Government/Carnegie Mellon report 2005). Opportunity might be high due to insider knowledge, but method might be low, especially if already under preventive control measures.


The best defences are strongly implemented Standard Operating Procedures (SOPs) derived substantially from standard human resources and physical security SOPs.

