Cyber-Attacks - Managing Cyber Risk

By Bachir El Nakib (CAMS), Senior Consultant, Compliance Alert (LLC).

By Definition

'Cyber risk' means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems

For a cybersecurity expert, the Oxford Dictionary definition of cyber threat is a little lacking: "the possibility of a malicious attempt to damage or disrupt a computer network or system." This definition is incomplete without including the attempt to access files and infiltrate or steal data.

In this definition, the threat is defined as a possibility. However, in the cybersecurity community, the threat is more closely identified with the actor or adversary attempting to gain access to a system. Or a threat might be identified by the damage being done, what is being stolen or the Tactics, Techniques and Procedures (TTP) being used.

In 2012, Roger A. Grimes provided this list, published in Infoworld, of the top five most common cyber threats:

  1. Social Engineered Trojans
  2. Unpatched Software (such as Java, Adobe Reader, Flash)
  3. Phishing
  4. Network traveling worms
  5. Advanced Persistent Threats 

But since the publication of this list, there has been widespread adoption of several different types of game-changing technology: cloud computing, big data, and adoption of mobile device usage, to name a few.

In September 2016, Bob Gourley shared a video containing comments from Rand Corporation testimony to the House Homeland Security Committee, Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies regarding emerging cyber threats and their implications. The video highlights two technology trends that are driving the cyber threat landscape in 2016:

  1. Internet of things – individual devices connecting to internet or other networks
  2. Explosion of data – stored in devices, desktops and elsewhere 

Today, the list of cyber threats may look more like this, and cyber threats are typically composed of a combination of these:

  • Advanced Persistent Threats
  • Phishing
  • Trojans
  • Botnets
  • Ransomware
  • Distributed Denial of Service (DDoS)
  • Wiper Attacks
  • Intellectual Property Theft
  • Theft of Money
  • Data Manipulation
  • Data Destruction
  • Spyware/Malware
  • Man in the Middle (MITM)
  • Drive-By Downloads
  • Malvertising
  • Rogue Software
  • Unpatched Software

Unpatched software, seemingly the simplest vulnerability, can still lead to the largest leaks, such as the case of Panama Papers.

Sources of Cyber Threats

In identifying a cyber threat, more important than knowing the technology or TTP, is knowing who is behind the threat. The TTPs of threat actors are constantly evolving. But the sources of cyber threats remain the same. There is always a human element; someone who falls for a clever trick. But go one step further and you will find someone with a motive. This is the real source of the cyber threat.

For example, in June of 2016, SecureWorks revealed tactical details of Russian Threat Group-4127 attacks on Hillary Clinton's presidential campaign emails. Then, in September, Bill Gertz of The Washington Times reported on another cyber attack on Hillary Clinton's emails, presumed to be the work of "hostile foreign actors," likely from either China or Russia. There currently exists a U.S. policy on foreign cyber threats known as "deterrence by denial." In this case, denial means preventing foreign adversaries from accessing data in the U.S.

But not all cyber threats come from foreign countries. Recently, Pierluigi Paganini @securityaffairs reported that police arrested two North Carolina men who are alleged to be members of the notorious hacking group called 'Crackas With Attitude' which leaked personal details of 31,000 U.S. government agents and their families.

Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurityand physical security.

Top 5 cybersecurity risks for 2015. From identity theft and fraud to corporatehacking attacks, cybersecurity has never been more important for businesses, organizations and governments. Hacking experts warn there are plenty moresecurity risks ahead in 2015 as cyber criminals become more sophisticated.Dec 19, 2014 

Cyber Risk Management

The risks and opportunities which digital technologies, devices and media bring us are manifest.  Cyber risk is never a matter purely for the IT team, although they clearly play a vital role. An organisation's risk management function need a thorough understanding of the constantly evolving risks as well as the practical tools and techniques available to address them.

What do we mean by cyber risk?

Cyber Risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems. 

It will never happen to us….

All types and sizes of organisations are at risk, not only the financial services firms, defence organisations and high profile names which make the headlines. 

Cyber risk practical guidance

Cyber and Information Management Special Interest Group (SIG) conducted extensive research into the dynamic issue of cyber threats to business, governments and global enterprises. They have produced a practical guide for risk professionals and senior executives to help demystify the issue of cyber risk.

Members of the group commented ‘the true extent of the risk has yet to be assessed – let alone managed. And the threat is very real. Risk professionals need to wake up and smell the coffee before it is too late’.

Cyber risk: Nightmare or opportunity?

BAE Systems Applied Intelligence and IRM present a journey in cyber risk perception – from doom and gloom to added value in the boardroom.

A crossroads has been reached. Cyber risk can either continue to be seen as negative – as another potential set of costs, complicate procedures and incoming legislative demands – or firms can use good cyber risk management as a differentiator from competitors as a selling point to clients, and as a measure of reassurance to stakeholders. 

In the borderless world of information technology, in fact, computer-security specialists and corporate risk managers have begun working under the assumption that it’s impossible for companies to keep their networks completely free from penetration, according to the lead story of our package, “What’s the Cost of a Cyber Attack?” Given that reality, they’re zeroing in on the need to detect hackers once they’re inside the system and to respond to the attack, rather than just focusing on sealing networks from every possible breach.

“Traditionally, cybersecurity has been focused on the front protection piece,” including internal controls, employee training, and firewalls, according to Heather Crofford, CFO of shared services at Northrop Grumman, the big aerospace and defense contractor. For Northrop and many other companies, however, “detection, response, and recovery are where the increasing investment needs to be,” she says.

Since the risk can’t be completely, eliminated, CFOs are wondering if insurance policies targeted solely at cyber risk can help stem the tide of financial loss once a breach occurs. Some companies have, in fact, bought “dedicated” cyber insurance policies that provide coverage for such risk exposures, writes Lynda Bennett, an attorney who represents corporate policyholders, in “Cyber Insurance Policies: Are They Worth the Money?” Other companies are still in the evaluation phase and are appropriately wondering whether such policies are needed, and, if so, whether insurers are paying claims under them, according to Bennett.

The remaining articles discuss the increasing interest of regulators in cyber risk, how to hire the right people to stop the bleeding if a breach occurs, and the CFO’s unique role in cyber security. We hope our coverage will help you put together effective strategies and tactics to cope with the Brave New World of cyber peril.

Download File