Tag Archives: risk

How to get the best ROI for investments in cyber security?

28 September 2019

During a workshop this week we had a discussion on risk management and investment in cyber security. Risk is the product of the likelihood of occurrence (LoO) and the severity of impact (SoI). So, to reduce the risk we can reduce the SoI, the LoO, or both.

We do risk management because we have limited resources. The big question is always: where shall I spend my resources? Or, where can I gain the best ROI? Shall I reduce the likelihood of occurrence or the severity of the impact? Or both?

The Cyber Kill Chain is a great model to study this.

Cyber Kill Chain - Risk Management - Cost

We can reduce the likelihood of occurrence from the delivery phase up to the command & control phase. Once the attacker crosses the red line in the figure, the LoO is 100 %.

The severity of impact can be reduced starting in the middle or at the end of the exploitation phase. WannaCry, for example, started encrypting immediately during the installation of the malware and contacted its command & control server in parallel. Once the attacker crosses the red line, the impact, and thus the cost of recovery, is high.

The big problem with reducing the likelihood of occurrence is that, in the best case, we have only seconds to minutes until the attacker crosses the red line. To use this time efficiently we need to invest in preventive or proactive means.

Cyber security awareness training, for example, is a very efficient preventive measure to reduce the LoO during the delivery and exploitation phases, because about 35% of the vulnerabilities published in 2018 require user interaction to be exploited (data: NIST NVD, CVSS v3 metric UI:R). Priority patching is another preventive measure which can stop an attacker early.

Backup and emergency recovery are great means to reduce the severity of impact. But the latest attack on Norsk Hydro (the LockerGoga ransomware, March 2019) makes clear that, even with the best crisis management, recovering some thousand systems from scratch takes time.
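To make the LoO-versus-SoI trade-off concrete, here is an added example (not from the original post) that puts numbers on the kill chain argument: each candidate control is modelled by the phase it acts on, its yearly cost and the factor by which it shrinks LoO or SoI, and the controls are ranked by expected loss avoided per unit of cost. The scenario figures, the control names and all factors are constructed assumptions for illustration, not data from the post or from any vendor.

```go
package main

import (
	"fmt"
	"sort"
)

// Control is a candidate security investment: the kill chain phase it acts
// on, its yearly cost, and the factors by which it multiplies the likelihood
// of occurrence (LoO) and the severity of impact (SoI). 1.0 means no effect,
// 0.5 halves the value. All figures below are constructed assumptions.
type Control struct {
	Name, Phase          string
	Cost                 float64
	LoOFactor, SoIFactor float64
}

// Risk is the annualised expected loss: events per year times loss per event.
func Risk(loo, soi float64) float64 { return loo * soi }

// Residual applies a set of controls to a baseline. Their effects are taken
// as independent, so the factors multiply.
func Residual(loo, soi float64, controls []Control) (float64, float64) {
	for _, c := range controls {
		loo *= c.LoOFactor
		soi *= c.SoIFactor
	}
	return loo, soi
}

// Ranked is one control evaluated on its own against the baseline.
type Ranked struct {
	Control
	RiskReduction float64 // expected loss avoided per year
	ROI           float64 // (avoided loss - cost) / cost
}

// RankByROI scores every control in isolation and sorts them, best ROI first.
func RankByROI(baseLoO, baseSoI float64, controls []Control) []Ranked {
	base := Risk(baseLoO, baseSoI)
	out := make([]Ranked, 0, len(controls))
	for _, c := range controls {
		loo, soi := Residual(baseLoO, baseSoI, []Control{c})
		avoided := base - Risk(loo, soi)
		out = append(out, Ranked{c, avoided, (avoided - c.Cost) / c.Cost})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ROI > out[j].ROI })
	return out
}

// Constructed ransomware scenario: 0.4 incidents per year at 2,000,000 per
// incident, and four candidate controls with assumed costs and effects.
var (
	BaseLoO    = 0.4
	BaseSoI    = 2_000_000.0
	Candidates = []Control{
		{"Awareness training", "Delivery / Exploitation", 50_000, 0.65, 1.0},
		{"Priority patching", "Exploitation / Installation", 150_000, 0.5, 1.0},
		{"Offline backups, tested restore", "Actions on Objectives", 120_000, 1.0, 0.4},
		{"Egress filtering", "Command & Control", 40_000, 0.95, 1.0},
	}
)

func main() {
	fmt.Printf("baseline risk: %.0f per year\n", Risk(BaseLoO, BaseSoI))
	for _, r := range RankByROI(BaseLoO, BaseSoI, Candidates) {
		fmt.Printf("%-32s %-28s cost %7.0f  avoided %7.0f  ROI %4.1f\n",
			r.Name, r.Phase, r.Cost, r.RiskReduction, r.ROI)
	}
	loo, soi := Residual(BaseLoO, BaseSoI, Candidates)
	fmt.Printf("all four combined: residual risk %.0f per year\n", Risk(loo, soi))
}
```

Two things the table makes visible: halving the LoO and halving the SoI avoid exactly the same loss, so between those two the cost decides; and because the factors multiply, a cheap early-phase control (awareness training here) can beat a control with a larger absolute effect. The factors are the hard part in practice and have to come from your own incident history, tests or vendor data; the model only makes the comparison honest once you have them.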

When used in the context of the existing security controls, the Cyber Kill Chain helps in setting priorities for cyber security investment. The MITRE ATT&CK framework, which fills the kill chain phases with a detailed catalogue of adversary tactics and techniques, brings the required methodology into the planning process. Give it a try.

Have a great weekend.

Review: Poor password practices put 60% of UK citizens at risk

4 December 2014

Poor password practices put 60% of UK citizens at risk.

Warwick Ashford’s report is really alarming. ‘More than six in 10 UK consumers put their data at risk by using a single password across multiple online accounts, a study has shown.’

But the worst is yet to come. They are also using weak passwords: ‘Trustwave analysed more than 625,000 password hashes and found 54% were cracked in just a couple of minutes and 92% in 31 days.’

Passwords are definitely inappropriate for authentication in the age of cyber crime. The news of the past weeks shows that major players in the IT market like Twitter, Microsoft or Google have developed technologies to address this problem.

FIDO U2F Security Key

The FIDO U2F standard (FIDO = Fast IDentity Online Alliance, U2F = Universal Second Factor) appears to be a quantum leap towards secure authentication on the world wide web. Google has already integrated this standard into the Chrome browser. The second factor is a security key attached to a USB port, which signs a challenge from the web site bound to the site’s origin, so that, unlike a password, it cannot be captured and reused by a phishing site.

Unfortunately it only comes into play after you have logged in to your computer, phone or tablet, and only in Chrome.
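The exchange behind a U2F security key, as an added example that is not part of the original post: the web site sends a challenge, the browser binds it to the page origin (the app ID), the token signs app ID hash, user-presence flag, counter and client data hash with a P-256 key, and the site verifies the assertion. The signed-data layout follows the FIDO U2F authentication format; the site names, the challenge string and the single-registration token are constructed assumptions, and Go’s standard crypto/ecdsa stands in for the hardware.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Authenticator models one registration on a USB security key: a P-256 key pair
// bound to the hash of the app ID (the site origin). Real tokens hold many, by key handle.
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	appIDHash [32]byte
	counter   uint32 // signature counter, only ever increases
}

// Register creates the key pair for appIDHash; the relying party stores the public key.
func Register(appIDHash [32]byte) (*Authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failed; a token has nothing sensible to do here
	}
	return &Authenticator{priv: priv, appIDHash: appIDHash}, &priv.PublicKey
}

// Authenticate signs appIDHash || userPresence || counter || clientDataHash, the U2F
// signature format. A request for another app ID is refused: that is what stops phishing.
func (a *Authenticator) Authenticate(appIDHash, clientDataHash [32]byte) (uint32, []byte, error) {
	if a.appIDHash != appIDHash {
		return 0, nil, fmt.Errorf("key is not valid for this app ID")
	}
	a.counter++
	digest := signedData(appIDHash, a.counter, clientDataHash)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return a.counter, sig, err
}

func signedData(appIDHash [32]byte, counter uint32, clientDataHash [32]byte) [32]byte {
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	msg := append(append([]byte{}, appIDHash[:]...), 0x01) // 0x01: user presence (button touched)
	msg = append(append(msg, ctr...), clientDataHash[:]...)
	return sha256.Sum256(msg)
}

func clientDataJSON(challenge, origin string) string {
	return fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":"%s","origin":"%s"}`, challenge, origin)
}

// Browser models the U2F client: it derives the app ID from the page origin and puts
// that origin into the client data, so a phishing page cannot have the token sign for somebody else's site.
func Browser(auth *Authenticator, origin, challenge string) (string, uint32, []byte, error) {
	cd := clientDataJSON(challenge, origin)
	ctr, sig, err := auth.Authenticate(sha256.Sum256([]byte(origin)), sha256.Sum256([]byte(cd)))
	return cd, ctr, sig, err
}

// RelyingParty is the web site: its app ID, the user's public key, the last counter seen.
type RelyingParty struct {
	AppID   string
	pub     *ecdsa.PublicKey
	lastCtr uint32
}

// Verify checks that the assertion carries our challenge and origin, that the signature
// is valid for our app ID, and that the counter moved forward (else: replay or cloned token).
func (rp *RelyingParty) Verify(challenge, clientData string, counter uint32, sig []byte) error {
	if clientData != clientDataJSON(challenge, rp.AppID) {
		return fmt.Errorf("client data does not carry our challenge and origin")
	}
	digest := signedData(sha256.Sum256([]byte(rp.AppID)), counter, sha256.Sum256([]byte(clientData)))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return fmt.Errorf("bad signature")
	}
	if counter <= rp.lastCtr {
		return fmt.Errorf("counter did not advance")
	}
	rp.lastCtr = counter
	return nil
}

// Scenario registers with https://bank.example (constructed), then tries a genuine login,
// a phishing relay from https://bank-example.evil and a replay; it reports which was accepted.
func Scenario() (legit, phished, replayed bool) {
	auth, pub := Register(sha256.Sum256([]byte("https://bank.example")))
	rp := &RelyingParty{AppID: "https://bank.example", pub: pub}
	challenge := "constructed-challenge-0001" // real sites send fresh random bytes
	cd, ctr, sig, err := Browser(auth, rp.AppID, challenge)
	legit = err == nil && rp.Verify(challenge, cd, ctr, sig) == nil
	cd2, ctr2, sig2, err := Browser(auth, "https://bank-example.evil", challenge)
	phished = err == nil && rp.Verify(challenge, cd2, ctr2, sig2) == nil
	replayed = rp.Verify(challenge, cd, ctr, sig) == nil
	return
}

func main() { fmt.Println(Scenario()) }
```

The two properties a password lacks are visible in the scenario: the token refuses to sign for https://bank-example.evil because the key is bound to the hash of https://bank.example, so a relayed challenge is useless to the phisher (and even a misbehaving client would fail the site’s origin check in the client data), and the monotonic counter makes a replayed assertion or a cloned token detectable. A real deployment adds a random per-login challenge, key handles for many registrations per token and attestation at registration, which are left out here.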

And that’s in my opinion the crux of the matter. In a perfect world, I would like to login to my computer with a PIN or fingerprint and the FIDO U2F security key attached to the device.

A central, globally available and trusted identification authority verifies my identity and creates my identity token, which is valid for the duration of my session.

All services like Google, Home Depot, Amazon, the city council or the tax office rely on this identity token. For reasons of security the identity must be checked again before critical transactions are carried out.

Sounds fantastic, doesn’t it?

Look forward to a world without passwords!