Today, most business leaders know they are responsible for cybersecurity and privacy threats, wherever they occur. What most don’t understand is how to design, implement, and manage threat-intelligent business strategies and risk management plans to prevent data breaches and protect IT and business resources.
In the digital economy, organizational data is typically available on demand 24/7 to enable companies to benefit from opportunities for productivity improvement and data sharing with customers, suppliers, and business partners. The concept of data on demand is an operational and competitive necessity for global companies, but unfortunately, it also opens them up to cyberattacks.
New vulnerabilities are continuously being found in operating systems, applications, and wired and wireless networks. Left unaddressed, vulnerabilities provide an open door for cyberattacks that can cause business disruptions and devastating financial consequences. Managers no longer question whether their networks will be breached, but when it will happen, how much damage will be done, how long the investigation will take, and how much the investigation and fines will cost.
For example, after detecting a network hack, credit card processing company Global Payments, Inc. spent 14 months investigating the resulting data breach that exposed 1.5 million U.S. debit and credit card accounts. Global’s damages totaled $93 million. This loss consisted of $36 million in fraud losses and fines and $77 million for the investigation, remediation, credit monitoring, and identity theft insurance for affected consumers. This is not an unusual occurrence: according to a global study conducted by the Ponemon Institute, the average cost of a breached record is $141 and the average cost of an overall data breach is $3.62 million (Ponemon Institute, 2017).
These reports of data breaches focus primarily on what companies are required to report publicly—theft of personally identifiable information (PII), payment data, and personal health information (PHI). Consequently, the costs commonly associated with data breaches only take into consideration these more easily understood impacts. But these are not always an attacker’s objective. Rarely brought into full view are theft of intellectual property (IP), espionage, data destruction, attacks on core operations, or attempts to disable critical infrastructure. These attacks can have a much more significant impact on organizations. But the damage they cause is not widely understood and is much more difficult to quantify.
As a result, organizations need to acquire a deeper knowledge of cyberattacks and combine it with business context, valuation techniques, and financial quantification to establish the true costs of their losses. Applying this more accurate knowledge of potential business impacts, leaders can be much more effective in managing and controlling cyber risk and improve their ability to recover from a cyberattack.
In Chapter 5, you will learn about cybersecurity terminology, the rising number of data breaches, sources of cyberthreats, damage caused by cybercriminals’ aggressive tactics and their impacts on organizations. You will also learn how organizations can defend against cyberattacks, correctly assess the damage they cause, and ensure the actions needed for business continuity. But, first, let’s take a look at two of the biggest cyberattacks ever reported.
Over the past several years, the number of cyberattacks in which data records have been stolen by hackers has increased at an alarming rate. In 2016, the total number of U.S. data breaches hit an all-time record high of 1,093 according to a report released on January 19, 2017, by the Identity Theft Resource Center (ITRC) (Goldman, 2017). This represents a 40% increase over the previous year. The general business sector reported the highest number of cyberattacks with 494 reported incidents, followed by the healthcare/medical industry with 377, education sector with 98, government/military with 72, and the banking/credit/financial sector with 52 breaches (see Figure 5.1).
A vulnerability is a gap in the IT security defenses of a network, system, or application that can be exploited by a threat to gain unauthorized access. Vulnerabilities typically take the form of missing controls around people (inadequate user training or policies), process (inadequate separation of duties, poor process controls), or tools (lack of technical control enforcement or monitoring).
Data incidents and breaches in 2016 exposed everything from usernames to passwords to Social Security numbers and are caused by the successful exploitation of vulnerabilities in information systems by a threat (risk = threat × vulnerability). Vulnerabilities threaten the confidentiality, integrity, or availability (CIA) of data and information systems, as defined in Figure 5.2.
Fifty-six percent of all breaches were phishing attacks, in which hackers trick an employee into clicking a specially crafted e-mail link or attachment that then gives the hackers access to the user’s system and ultimately to the corporate network and data. These attacks were up 38% from 2015. Table 5.1 lists the top five data breaches worldwide in 2016. Although these numbers are high, it is important to remember that, according to cybersecurity experts, the vast majority of data breaches go unreported, either because corporate victims fear that disclosure would damage their stock price or because they never knew they were hacked in the first place.
TABLE 5.1 2016 Biggest Data Breaches Worldwide, in Terms of Number of Data Records Breached
Source: Breach Level Index (2016).
| Company | Type of Data Breach | Records Breached |
| --- | --- | --- |
| Anthem Insurance | The attack against U.S.-based health insurer Anthem was an identity theft breach that resulted in the theft of 78.8 million records, making it the largest data breach of the year in terms of records compromised. Current and former members of one of Anthem’s affiliated health plans, as well as some members of other independent Blue Cross and Blue Shield plans who received health-care services in any of the areas that Anthem serves, were said to be affected. | 78.8 million |
| Turkish General Directorate of Population and Citizenship Affairs | The Turkish government agency experienced an identity theft attack at the hands of a malicious outsider. The attack exposed 50 million records, and information pertaining to citizens was stolen. | 50 million |
| Korean Pharmaceutical Information Center | The South Korean organization that distributes pharmacy management software to many of the country’s pharmacies was hit by an identity theft breach launched by a malicious insider. The result was the exposure of 43 million records. According to the Korea Herald, medical information of nearly 90% of the South Korean population was sold to a multinational firm, which processed and sold the data. | 43 million |
| U.S. Office of Personnel Management | The state-sponsored attack, which was described by federal officials as being among the largest breaches of government data in the history of the United States, scored a 9.6 on the risk assessment scale. The attack exposed data including PII such as Social Security numbers, names, dates and places of birth, and addresses. | 22 million |
| Experian | The U.S.-based credit bureau and consumer data broker experienced an identity theft breach by a malicious outsider that resulted in the theft of 15 million records. The data included some PII about consumers in the United States, including those who applied for T-Mobile services or device financing. | 15 million |
The consequences of insufficient cybersecurity include damaged reputations, consumer backlash, lost market share, falling share prices, financial penalties, and federal and state government fines. As a result, companies are investing heavily in security-related technologies—worldwide spending on security-related hardware, software, and services rose to $73.7 billion in 2016 from $68.2 billion a year earlier and that number is expected to approach $90 billion in 2018.
Hacks of high-tech companies like Yahoo, LinkedIn, Google, Amazon, eBay, and Sony, and of top security agencies like the CIA and FBI, are proof that no one is safe. Cyberwarriors are too well funded and motivated. Taking a global perspective, Verizon’s 2016 Data Breach Investigations Report (DBIR) examined over 100,000 incidents, including 3,141 confirmed data breaches across 82 countries. Of these, 89% of the breaches were motivated by financial gain or espionage. In over 90% of the breaches, it took attackers mere minutes (or less) to compromise a system. On the other hand, it took companies weeks to months to discover that a breach had occurred, and in most cases it was external sources, such as customers or law enforcement, that sounded the alarm! Cyberthreats can be intentional or unintentional.
Table 5.2 lists eight sources of intentional and unintentional cyberthreats that account for the vast majority of data breaches and other cybersecurity incidents.
TABLE 5.2 Major Sources of Cyberthreats
Source: Verizon (2016).
| Source/Type | Characteristics | Solution |
| --- | --- | --- |
| Intentional cyberthreats | | |
| Hacking | Unauthorized access of networks, systems, or applications for economic, social, or political gain. Use of programs such as backdoor services to promote reentry or further incursion into the target environment. | Train your staff; change passwords frequently; have “strong” passwords |
| Phishing | Social engineering, targeting human behavior rather than computer technology. | Train your staff; monitor activity |
| Crimeware | Use of malware and ransomware. | Use antimalware/AV software; patch promptly; monitor change and watch key indicators; back up systems regularly; capture data on attacks; practice the principle of least privilege |
| Distributed denial-of-service | Use of compromised systems to overwhelm a system with malicious traffic. | Segregate key servers; choose your providers carefully; test your anti-DDoS service |
| Insider and privilege misuse | Employees, contractors, partners, suppliers, and other external entities with specific insider roles abusing access granted to systems for legitimate business purposes. | Monitor user behavior; track mobile media usage; know your data |
| Physical theft | Theft of laptops, tablets, peripherals, printed material, etc. | Encrypt your data; train your staff; reduce use of paper |
| Unintentional cyberthreats | | |
| Physical loss | Loss of laptops, tablets, and peripheral devices. | Encrypt your data; train your staff |
| Miscellaneous errors | Any unintentional action that compromises security, except theft and loss of assets. | Learn from your mistakes; strengthen controls; ensure all assets go through a rigorous check by IT before they are decommissioned or disposed of |
Examples of intentional threats include data theft such as inappropriate use of data (e.g., manipulating inputs); theft of computer time; theft of equipment and/or software; deliberate manipulation in handling, entering, programming, processing, or transferring data; sabotage; malicious damage to computer resources; destruction from malware and similar attacks; and miscellaneous computer abuses and Internet fraud.
Unintentional threats fall into three major categories: human error, environmental hazards, social unrest and computer system failures.
In the next sections, you will learn more about the various sources of cyberthreats and their potential impact on organizations.
Hacking is a very profitable industry. In 2016, 56% of reported data breaches were reported to be the result of hacking, which is 18% higher than those reported for 2015 (Verizon, 2016). Hacking is a big part of underworld cybercrime, and a way for hacktivists to protest. Both the anonymity of the Internet and lack of international treaties provide hackers with a feeling of near invincibility because they face very low risk of capture and punishment.
It is important to note that within hacker culture there are three classes of hackers, shown in Table 5.3.
TABLE 5.3 Three Classes of Hackers
| Type | Characteristics | Outcome |
| --- | --- | --- |
| White hat | Computer security specialist who breaks into protected systems and networks to test and assess their security. | Uses their skills to improve security by exposing vulnerabilities before malicious hackers (black hats) can detect and exploit them. |
| Black hat | Person who attempts to find computer security vulnerabilities and exploit them for personal financial gain or other malicious reasons. | Can inflict major damage on both individual computer users and large organizations by stealing personal financial information, compromising the security of major systems, or shutting down or altering the function of websites and networks. |
| Gray hat | Person who may violate ethical standards or principles, but without the malicious intent ascribed to black hat hackers. | May engage in practices that are less than ethical, but is often operating for the common good, e.g., exploits a security vulnerability to spread public awareness that the vulnerability exists. |
Hacking is an industry with its own way of operating, a workforce, and support services. Hackers use social networks, underground forums, and the Deep Web to rate and promote services, share exploits, and recruit others. In certain forums and in the Deep Web, hackers can purchase the use of any number of services. These include the following:
Experts believe the greatest cybersecurity dangers over the next few years will involve persistent threats, mobile computing, and the use of social media for social engineering. From an IT security perspective, social engineering is a hacker’s clever use of deception or manipulation of people’s tendency to trust, be helpful, or simply follow their curiosity. Powerful IT security systems cannot defend against what appears to be authorized access.
Notorious hacker Kevin Mitnick, who served time in jail for hacking, used social engineering as his primary method to gain access to computer networks. In most cases, the criminal never comes face-to-face with the victim, but communicates via the phone or e-mail.
Humans are easily hacked, making them and their social media posts high-risk attack vectors. For instance, it is often easy to get users to infect their corporate network or mobile devices by tricking them into downloading and installing malicious applications or backdoors.
Phishing is the term used to describe a social-engineering attack that can use e-mail sent to the recipient under false pretense to steal confidential information from the target. This is done by the sender pretending to be a known person or legitimate organization, such as PayPal, a bank, credit card company, or other trusted source and asking the user to perform an action that would expose his or her computer to a cyberthreat or reveal credentials, personal, financial, or business-related private information. Phishing messages are either sent in mass campaigns or they are specifically targeted at a particular group of people or person. The former requires no front work to gain context for the target but relies on sheer volume of messages (millions to tens of millions) to achieve returns.
The latter requires more effort to gather relevant context about the message target and is therefore sent out in far smaller batches but has a higher rate of return on both the number of opened messages and the payback per message for that effort. The latter approach is discussed later in this section.
Phishing messages include a request to respond with information of some kind or a link to a fraudulent website that often looks like an authentic site the user works with. When the user clicks the link to the site, he or she falls victim to a malware download, drive-by attack, or information skimming such as being asked for a credit card number, Social Security number, account number, or password.
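The two tells described above, a sender posing as a trusted organization and a link whose visible text looks authentic but points elsewhere, can be checked mechanically on inbound mail. The following is an added illustration, not code from the original text; the two messages, the brand-to-domain table, and the urgency keyword list are constructed assumptions.

```python
"""Heuristic phishing indicators for a single e-mail message.

Checks the cues the text describes: a display name impersonating a trusted
organization whose domain the sender address does not belong to, a link
whose visible URL differs from its real destination, and urgency wording.
All samples and tables below are constructed for the illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing sample: the display name claims PayPal, the address
# does not; the anchor text shows paypal.com but the href goes elsewhere.
SAMPLE_EMAIL = """\
From: "PayPal Customer Service" <service@paypa1-secure.example>
To: employee@corp.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>We noticed unusual activity. Please confirm your details here:</p>
<a href="http://paypa1-secure.example/login">https://www.paypal.com/signin</a>
</body></html>
"""

# Constructed benign sample for contrast: sender domain and link agree.
BENIGN_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: employee@corp.example
Subject: Your monthly statement is available
Content-Type: text/html

<html><body><p>Statement: <a href="https://www.paypal.com/statements">https://www.paypal.com/statements</a></p></body></html>
"""

# Assumption: brand keyword -> domain the brand legitimately sends from.
TRUSTED_BRANDS = {"paypal": "paypal.com"}
URGENCY_WORDS = ("urgent", "verify", "suspended", "within 24 hours")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)


def _registrable(host):
    """Crude registrable domain: the last two labels (adequate for the demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_message)
    indicators = []

    # 1. Display name impersonates a brand, but the address is another domain.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _registrable(addr.partition("@")[2]) if "@" in addr else ""
    for brand, legit_domain in TRUSTED_BRANDS.items():
        if brand in display.lower() and sender_domain != legit_domain:
            indicators.append(
                f"display name claims {brand} but sender domain is {sender_domain}")

    # 2. Anchor text shows one domain while the href points to another.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(errors="replace") if isinstance(payload, bytes) else str(payload)
    for href, text in ANCHOR_RE.findall(body):
        href_domain = _registrable(urlparse(href).hostname or "")
        shown = URL_RE.search(text)
        if shown:
            shown_domain = _registrable(urlparse(shown.group(0)).hostname or "")
            if shown_domain != href_domain:
                indicators.append(
                    f"link text shows {shown_domain} but points to {href_domain}")

    # 3. Pressure to act immediately, typical of the "limited time" lure.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        indicators.append("urgency cue in subject")

    return indicators


if __name__ == "__main__":
    for name, sample in (("phishing", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, phishing_indicators(sample))
```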
Criminals use the Internet and private networks to hijack large numbers of systems, including PCs, mobile devices, servers, and Internet of Things (IoT) devices, to spy on users, spam them, shake down businesses, and steal identities. Once captured, these systems are called bots, short for robots or Internet robots. But why are these attacks so successful? The Information Security Forum, a self-help organization that includes many Fortune 100 companies, compiled a list of the top information problems and discovered that nine of the top 10 incidents were the result of three factors:
Unfortunately, these factors can too easily create gaps in cybersecurity controls that companies and individuals use to protect their information.
Spear phishing targets select groups of people who have something in common. They can work at the same company, bank at the same financial institution, use a specific Internet provider, or attend the same church or university. The scam e-mails appear to be sent from organizations or people the potential victims normally receive e-mails from, making them even more deceptive.
Here is how spear phishing works:
When spear phishing targets are executives or persons of significant wealth, power, influence, or control the activity is known as “whaling.”
IT security researchers discover almost 1 million malicious programs every day. Why would so many hackers be spending so much time generating or launching these programs? The answer is simple—it pays well! Crimeware can be broken down into several categories, including spyware, adware, malware, and ransomware.
There have been numerous test cases of malware overheating devices, causing them to physically distort or worse. These attacks, bundled into a cyberattack, could have devastating and lasting effects beyond what we commonly associate with an aggravating distributed denial-of-service (DDoS) attack.
Viruses, worms, trojans, rootkits, backdoors, and keyloggers are types of malware. Most viruses, trojans, and worms are activated when an attachment is opened or a link is clicked. But when features are automated, they may trigger malware automatically, too. For example:
Remote access trojans (RATs) are a form of Trojan horse that creates an unprotected backdoor into a system through which a hacker can remotely control that system. As the name implies, a backdoor provides easy access to a system, computer, or account by creating an entry point that may or may not require authentication.
However, hackers are very territorial and don’t want someone else using systems they worked to compromise, so RATs often include some form of access control of their own, even though the backdoor itself eliminates the need to authenticate to the system with a username and password.
A malware’s payload is the code dropped on the system that performs any or all of the following functions: facilitating the infection, communicating with the command-and-control server, or downloading more code. In doing so, the payload carries out the purpose of the malware. The payload could cause visible damage or operate in stealth mode so as to remain undetected. A vector is the specific method that malware uses to propagate, or spread, to other machines or devices. Malware may also replicate to make copies of itself.
Malware creators often use social engineering to maximize the effective distribution of their creations. For example, the ILoveYou worm, released in May 2000, used social engineering to entice people to open malware-infected e-mail messages. It successfully attacked tens of millions of Windows computers when it was sent as an e-mail attachment with the subject line ILOVEYOU. Within nine days, the worm had spread worldwide, crippling networks, destroying files, and causing an estimated $5.5 billion in damages.
When a host computer is infected, attempts to remove the malware may fail—and the malware may reinfect the host for these two reasons:
Most antivirus (AV) software relies on signatures to identify and then block malware. According to the Worldwide Malware Signature Counter, at the start of 2013 there were an estimated 19 million malware signatures. Detecting and preventing infections is not always possible. Zero-day exploits, malware so new that its signatures are not yet known, are one example. Malware authors also evade detection by AV software and firewalls by altering malware code to create variants, which have new signatures. And not all procedures or AV tools are capable of removing every trace of the malware. Even if the malicious parts of the infection can be cleaned from a system, the remaining pieces of code could make the system unstable or expose it to future infection.
Today’s malware is often designed for long-term control of infected machines. Advanced malware sets up outbound communication channels in order to upload stolen data, download payloads, or do reconnaissance.
In contrast to malware, which runs inside the compromised system, a botnet is a group of external attacking entities and represents a different attack method/vector. Infected computers, called zombies, can be controlled and organized into a network of zombies on the command of a remote botmaster (also called a bot herder). Storm worm, which is spread via spam, is a botnet agent embedded inside over 25 million computers. Storm’s combined power has been compared to the processing might of a supercomputer. Storm-organized attacks are capable of crippling any website. Zombies can be commanded to monitor and steal personal or financial data, acting as spyware. Botnets are used to send spam and phishing e-mails and to launch DDoS attacks. Botnets are extremely dangerous because they scan for and compromise other computers, which then can be used for every type of crime and attack against computers, servers, and networks.
Ransomware has been around for more than a decade. The problem began on a fairly small scale, targeting individual users, but the ransomware cyberthreat has been growing in the last couple of years and the attacks have become large scale. Now, some company executives fear entire companies will be shut down by ransomware until they pay up, or risk losing all their data.
Ransomware works by first infiltrating a computer with malware and then encrypting all the files on the disk. The malware used to encrypt files can be difficult to defend against, and in most cases the encryption can’t be broken. The user is then presented with a limited-time offer: lose all your data, or send money with the promise that the data will be unlocked. The fee typically varies from a few dollars to hundreds of dollars and often has to be transmitted in Bitcoin. One hospital in Los Angeles, whose electronic medical record system was locked for 10 days, was forced to pay cyberattackers 40 Bitcoins to get its system unlocked when law enforcement and computer experts were unable to help restore the hospital’s data files.
Computer security experts have theorized that this type of attack has a higher rate of success versus other cybercrime activity that has become more difficult. The best insurance against ransomware is to have offline or segregated backups of data.
Cybersecurity experts warn that battling the increasing number of Denial-of-Service (DoS) threats needs to be a top priority. DoS threats come in a number of “flavors,” depending on their target. The three most prominent forms are:
A “chilling” example of the havoc that PDoS can cause was demonstrated when a PDoS attack took the building management system offline in a block of residential apartments in Finland. The system’s Internet connection was blocked causing the system to repeatedly try to reconnect by rebooting itself. During this downtime, the system was unable to supply heat at a time when temperatures were below freezing! Fortunately, the energy company was able to find alternate accommodations for residents until the system was brought back online.
Threats from employees, referred to as internal threats, are a major challenge largely due to the many ways an employee can carry out malicious activity. Insiders may be able to bypass physical security (e.g., locked doors) and technical security (e.g., passwords) measures that organizations have put in place to prevent unauthorized access. Why? Because defenses such as firewalls, intrusion detection systems (IDSs), and locked doors mostly protect against external threats. Despite the challenges, insider incidents can be minimized with a layered defense-in-depth strategy consisting of security procedures, acceptable use policies (AUPs), and technology controls.
Data tampering is a common means of attack that is overshadowed by other types of attacks. It refers to an attack during which someone enters false or fraudulent data into a computer, or changes or deletes existing data. Data tampering is extremely serious because it may not be detected. This is the method often used by insiders.
The threat of an information asset going missing, whether through negligence or malice, can send companies into a panic. The “miniaturization” of computing has led to an increase in physical theft or loss. Laptops, tablets, modems, routers, and USB drives are much more easily transportable than mainframes or servers! When a laptop or tablet with unencrypted sensitive documents on it goes missing, it is difficult to determine whether a data breach has actually occurred, but precautions must always be taken. Theft of laptops occurs primarily in victims’ own work area or from their vehicles. On the positive side, lost items are much more prevalent than theft. Theft is more likely to be related to the procurement of USB drives and printer paper.
The main concern related to this source of cyberthreat is a shortage of capacity, thus preventing information from being available when needed. Other threat actions that fall within this category of miscellaneous errors are shown in Table 5.4.
TABLE 5.4 Threat Actions Classified as Miscellaneous Errors
| Threat Action | Description |
| --- | --- |
| Misdelivery | Information delivered to the wrong person, as when e-mails or documents are sent to the wrong people |
| Publishing error | Information published to an unintended audience, such as the entire Internet, enabling them to view it |
| Misconfiguration | A firewall rule is mistyped, allowing access to a sensitive file server from all internal networks rather than a specific pool of hosts |
| Disposal error | A hard drive is not “wiped” on decommissioned devices |
| Programming error | Code is mistyped or logic is flawed |
| Data entry error | Data is entered incorrectly or into the incorrect file, or is duplicated |
| Omission | Data is not entered; document is not sent |
Vulnerabilities exist in networks, operating systems, applications, databases, mobile devices, and cloud environments. These vulnerabilities are attack vectors or entry points for malware, hackers, hacktivists, and organized crime. Mobile devices and apps, social media, and cloud services introduce even more attack vectors for malware, phishing, and hackers. As a result, new cyberthreats are on the horizon.
The number of malicious Android applications is growing at an alarming rate. According to a report by AV provider and software analysis group Trend Micro, more than 850,000 Android phones worldwide had been infected by the new “Godless” malware as of June 2016 (Goodin, 2016). The malware is transferred to users’ phones through rogue applications in the Google Play store. According to mobile security cloud service providers Marble Security and Trend Micro, over 42% of the more than 300 rogue mobile applications found in the Google Play store are published in the United States (RT.com, 2015; Duan, 2016). Almost all of these applications were found in unreliable third-party stores. Rogue mobile applications can serve up trojan attacks, other malware, or phishing attacks.
Companies offering legitimate applications for online banking, retail shopping, gaming, and other functions might not be aware of threats lurking in their app stores. And despite their best efforts, legitimate app store operators cannot reliably police their own catalogs for rogue apps.
With a single click on a malicious link, users can launch a targeted attack against their organizations.
Every enterprise has data that profit-motivated criminals want. Customer data, networks, websites, proprietary information systems, and patents are examples of assets—things of value that need to be protected. However, it would appear that management may not be doing enough to defend against cyberattacks. Even high-tech companies and market leaders appear to be detached from the value of the confidential data they store and the ways in which highly motivated hackers will try to steal them.
One of the biggest mistakes managers make is underestimating IT vulnerabilities and threats. For example, workers use their laptops and mobiles for both work and leisure, and in an era of multitasking, they often do both at the same time. Yet off-time or off-site use of devices remains risky because, despite policies, employees continue to engage in dangerous online and communication habits. Those habits make them a weak link in an organization’s otherwise solid security efforts.
Some of the most prevalent and deadly targets that cybercriminals will attack in companies and governmental agencies include critical infrastructure, theft of IP, identity theft, bring your own device (BYOD), and social media. Some of these attacks will be conducted as high-profile attacks, while others will fall into the category of “under-the-radar” attacks. Before discussing the different cyberattack targets, let’s take a look at the differences between these two approaches.
Advanced persistent threat (APT) attackers operate “under the radar” so they can continue to steal data, as described in IT at Work 5.1 and profit from it. These APT attackers are profit-motivated cybercriminals who often operate in stealth mode. In contrast, hackers and hacktivists with personal agendas carry out high-profile attacks to gain recognition and notoriety.
Hacktivist groups, such as Anonymous, a loosely associated international network of activist and hacktivist entities and its spin-off hacker group, LulzSec, have committed daring data breaches, data compromises, data leaks, thefts, threats, and privacy invasions. Consider the following three examples:
In contrast, APTs typically steal corporate and government secrets. Most APT attacks are launched through phishing. Typically, this type of attack begins with some reconnaissance on the part of attackers. This can include researching publicly available information about the company and its employees, often from social networking sites. This information is then used to create targeted phishing e-mail messages. A successful attack could give the attacker access to the enterprise’s network.
APTs are designed for long-term espionage. Once installed on a network, APTs transmit copies of documents, such as Microsoft Office files and PDFs, in stealth mode. APTs collect and store files on the company’s network; encrypt them; then send them in bursts to servers often in China or Russia. This type of attack has been observed in other large-scale data breaches that exposed significant numbers of identities.
Both high-profile and under-the-radar attacks can be launched against a number of different targets. We will discuss those next.
Hackers, hacktivists, crime syndicates, militant groups, industrial spies, fraudsters, and hostile governments continue to attack networks for profit, fame, revenge, or an ideology; to wage warfare and terrorism, fight against a terrorist campaign, or disable their target. For example, the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned that attacks against critical infrastructure are growing. In 2015, more than 427 vulnerability incidents were reported, far surpassing the 245 total attacks reported in 2014. The most affected industry was the energy sector.
Figure 5.3 shows the 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
Attacks on critical infrastructure sectors can significantly disrupt the functioning of government and business—and trigger cascading effects far beyond the targeted sector and physical location of the incident. These cyberattacks could compromise a country’s critical infrastructure and its ability to provide essential services to its citizens.
For example, the first cyberattack against a nation’s power grid occurred in December 2015, when cyberattackers successfully seized control of the Prykarpattyaoblenergo Control Center (PCC) in Western Ukraine, leaving 230,000 citizens without power for up to six hours. The attackers carefully planned their assault over many months. They studied the networks, siphoned operator credentials, and finally launched their devastating synchronized assault in the middle of winter. The PCC operated a supervisory control and data acquisition (SCADA) system, a common form of industrial control system, that distributed electricity. The critical devices at 16 substations became unresponsive to any remote command from their operators after the attackers overwrote their firmware. Surprisingly, this type of control system is more secure than some used in the United States, since it has robust firewalls that separate it from the control center’s business networks. Governments around the world have plans in place to deal with the consequences of natural disasters, yet none have disaster relief plans for a downed power grid. Clearly, this must change. Local and state governments must work together with their national counterparts to produce and quickly implement plans to address future attacks.
In response to the consistently growing number of cyberattacks over the past decade, the Inter-American Committee Against Terrorism (CICTE) issued a formal declaration to protect critical infrastructure from emerging threats and a Presidential executive order was signed in May 2017 to strengthen the cybersecurity of Federal networks and critical infrastructure.
Intellectual property (IP) can represent more than 80% of a company’s value and as such is a critical part of all 21st-century organizations. Losing customer data to hackers can be costly and embarrassing, but losing IP, commonly known as trade secrets, could threaten a company’s existence. It’s a business leader’s nightmare—that gut-wrenching realization that a corporate network has been breached and valuable intellectual assets have been stolen by unknown cybercriminals (Gelinne et al., 2016).
Theft of IP has always been a threat from corporate moles, disgruntled employees, and other insiders. While some IP may still be obtainable exclusively through physical means, digitization has made theft easier. Advancements in technology, increased mobility, rapid globalization, and the anonymous nature of the Internet create growing challenges in protecting IP. Hackers’ preferred modus operandi is to break into employees’ mobile devices and leapfrog into employers’ networks—stealing trade secrets without a trace.
Cybersecurity experts and government officials are increasingly concerned about breaches from other countries into corporate and government networks either through mobile devices or other means. For example, a government agency could have blueprints for a secret new weapon system stolen by foreign agents, or an employee of a popular game developer might steal their latest game before it is released to the public.
In May of 2016, President Barack Obama signed the Defend Trade Secrets Act (DTSA), to allow “the owners of trade secrets to bring a civil action in federal court for trade secret misappropriation” (Gibson Dunn, 2016). Until the signing of the DTSA, corporations had to rely on state law regarding trade secrets. Now, every American corporation is equally protected under federal law. Moreover, it extends the power of the federal government in regulation of trade secrets through interstate and foreign commerce while maintaining existing trade secret laws.
A famous example of theft of IP is the APT attack named Operation Aurora perpetrated against Google, described in IT at Work 5.1.
One of the worst and most prevalent cyberthreats is identity theft. Thefts where individuals’ Social Security and credit card numbers are stolen and used by thieves are not new. Criminals have always obtained information about other people—by stealing wallets or dumpster diving. But widespread electronic sharing and databases have made the crime worse. Because financial institutions, data-processing firms, and retail businesses are reluctant to reveal incidents in which their customers’ personal financial information may have been stolen, lost, or compromised, laws continue to be passed that force those notifications.
Another, more recent, vulnerability is bring your own device (BYOD). Roughly 74% of U.S. organizations are either already using or planning to use BYOD. It’s an appealing concept because BYOD enables companies to cut costs by not having to purchase and maintain employees’ mobile devices. Unfortunately, many companies have rushed into it without considering issues relating to security. Mobile devices rarely have strong authentication, access controls, and encryption even though they connect to mission-critical data and cloud services. For example, only 20% of Android devices have a security app installed.
The BYOD trend is driven by employees using their own devices for business purposes because they are more powerful than those the company has provided. Another factor is mobility. In the past, and before the BYOD push, employees worked at their desks on a landline and on a computer plugged into the wall with a network cable. As more and more people work from home and on the go, the office-bound traditional 9-to-5 workday has become a thing of the past. This change in exposure requires greater investment to defend against BYOD risks.
Users bringing their personal mobile devices and their own mobile applications to work and connecting them to the corporate network is part of the larger consumerization of information technology (COIT) trend. Bring your own device (BYOD) and bring your own apps (BYOA) are practices that move enterprise data and IT assets to employees’ mobile devices and the cloud, creating a new set of tough IT security challenges. Figure 5.5 summarizes how apps, mobile devices, and cloud services put organizations at a greater risk of cyberattack. Widely used applications that are outside of the organization’s firewall are Twitter, Google Analytics, Dropbox, WebEx, and Salesforce.com.
Enterprises take risks with BYOD practices that they never would consider taking with conventional computing devices. One possible reason is that new devices, apps, and systems have been rolled out so quickly. As a result, smartphones are not being managed as secure devices, with fewer than 20% of users installing antimalware and 50% using some type of data encryption. In fact, employees expected instant approval of (or at least no disapproval of) and support for their new tablet computers within hours of the product’s release.
Hackers break into employees’ mobile devices and leapfrog into employers’ networks—stealing secrets without a trace. New vulnerabilities are created when personal and business data and communications are mixed together. All cybersecurity controls—authentication, access control, data confidentiality, and intrusion detection—implemented on corporate-owned resources can be rendered useless by an employee-owned device. The corporation’s mobile infrastructure may not be able to support the increase in mobile network traffic and data processing, causing unacceptable delays or requiring additional investments.
Another serious problem arises when an employee’s mobile device is lost or stolen. The company can suffer a data breach if the device is not adequately secured by a strong password and the data on the BYOD is not encrypted.
Tech Note 5.1 demonstrates why users should only download applications from trusted sources and check reviews to verify the legitimacy of the application being downloaded.
Companies’ poor social media security practices put their brands, customers, executives, and entire organizations at serious risk. According to Cisco, Facebook scams were the most common form of malware distributed in 2015. The FBI reported that social media-related events had quadrupled over the past five years, and PricewaterhouseCoopers (2015) found that more than one in eight enterprises has suffered at least one security breach due to a social media-related cyberattack.
Social networks and cloud computing increase vulnerabilities by providing a single point of failure and attack for organized criminal networks. Critical, sensitive, and private information is at risk, and as with previous IT trends, such as wireless networks, the goal is connectivity, often with little concern for security. As social networks increase their offerings, the gap between services and information security also increases. For example, virus and malware attacks on a well-established service such as e-mail have decreased as e-mail security has improved over the years. Unfortunately, malware is still finding ways to successfully disrupt new services and devices, such as e-readers, netbooks, Google’s Chrome OS, Facebook, YouTube, Twitter, LinkedIn, and other cloud-based social media networks. For example, on Twitter and Facebook, where users build relationships with other users, cybercriminals are hacking in using stolen logins. These types of attacks, which take advantage of user trust, are very difficult to detect. Facebook recently reported that up to 2% of its 31 million accounts are false, Twitter estimates 5%, and LinkedIn openly admitted that it does not have a reliable system for identifying and counting duplicate or fraudulent accounts.
To combat these cyberthreats, Web filtering, user education, and strict policies are key to preventing widespread outbreaks.
An overriding reason why these networks and services increase exposure to risk is the time-to-exploitation of today’s sophisticated spyware and mobile viruses. Time-to-exploitation is the elapsed time between when a vulnerability is discovered and when it is exploited. That time has shrunk from months to minutes, so IT staff have ever-shorter timeframes to find and fix flaws before they are compromised by an attack. Some attacks exist for as little as two hours, which means that enterprise IT security systems must have real-time protection.
When new vulnerabilities are found in operating systems, applications, or wired and wireless networks, patches are released by the vendor or security organization. Patches are software programs that users download and install to fix a vulnerability. Microsoft, for example, releases patches that it calls service packs to update and fix vulnerabilities in its operating systems, including Vista, and applications, including Office 2010. Service packs can be downloaded from Microsoft’s website.
Left undetected or unprotected, vulnerabilities provide an open door for IT attacks and business disruptions and their financial damages. Despite the best technology defenses, information security incidents will occur mostly because of the users who do not follow secure computing practices and procedures. IT at Work 5.2 illustrates how Google’s new automated cybersecurity initiative is poised to reduce Google’s losses suffered due to cyberattacks in the cloud.
Top management needs to sponsor and promote security initiatives and fund them as a top priority. As you will read in this section, robust data security is not just the responsibility of IT and top management, but the ongoing duty of everyone in an organization.
It is becoming more important than ever that security is viewed as a high priority as the growth of mobile technologies and the IoT threaten to provide attackers with new opportunities. The five key factors contributing to the rising number of data breaches that must be addressed in a cyber risk management program are listed in Table 5.5.
TABLE 5.5 Five Key Factors Leading to an Increase in Cyberattacks
1. Interconnected, interdependent, wirelessly networked business environment
2. Smaller, faster, cheaper computers and storage devices
3. Decreasing skills necessary to be a computer hacker
4. International organized crime taking over cybercrime
5. Lack of management support
Keep in mind that security is an ongoing, unending process—something akin to painting the Golden Gate Bridge in San Francisco—and not a problem that can be solved with just hardware or software. Hardware and software security defenses cannot protect against irresponsible business practices. These are organizational and people issues.
Since malware and botnets use many attack methods and strategies, multiple tools are needed to detect them and/or neutralize their effects. Three essential defenses are the following:
Business policies, procedures, training, and disaster recovery plans as well as hardware and software are critical to cybersecurity. Table 5.6 lists the characteristics of an effective cybersecurity program.
TABLE 5.6 Characteristics of an Effective Cybersecurity Program
Make data and documents available and accessible 24/7 while simultaneously restricting access.
Implement and enforce procedures and AUPs for data, networks, hardware, and software that are company or employee owned, as discussed in the opening case.
Promote secure and legal sharing of information among authorized persons and partners.
Ensure compliance with government regulations and laws.
Prevent attacks by having network intrusion defenses in place.
Detect, diagnose, and respond to incidents and attacks in real time.
Maintain internal controls to prevent unauthorized alteration of data/records.
Recover from business disasters and disruptions quickly.
To help keep managers updated on the latest cyberthreats and prioritize defenses, KPMG publishes its Data Loss Barometer. The annual report describes the latest trends and statistics for data losses worldwide. Key findings and predictions are listed in Table 5.7.
TABLE 5.7 Worldwide Data Loss Key Findings and Predictions
Source: KPMG (2016).
Key findings from KPMG Data Loss Barometer Report and its predictions for the next few years:
The higher the value of the asset to the company and to cybercriminals, the greater the risk is to the company and the higher the level of security needs to be. The smart strategy is to invest more to protect the company’s most valuable assets rather than trying to protect all assets equally, as discussed in IT at Work 5.2. The IT security field—like sports and law—has its own terminology, which is summarized for quick reference in Figure 5.7 and Table 5.8.
TABLE 5.8 IT Security Terminology
Term | Definition |
Exposure | Estimated cost, loss, or damage that can result if a threat exploits a vulnerability |
Access control | Security feature designed to restrict who has access to a network, IS, or data |
Audit | Procedure of generating, recording, and reviewing a chronological record of system events to determine their accuracy |
Encryption | Transforming data into scrambled code to protect them from being understood by unauthorized users |
Plaintext or clear text | Readable text |
Ciphertext | Encrypted text |
Authentication | Method (usually based on username and password) by which an IS validates or verifies that a user is really who he or she claims to be |
Biometrics | Methods to identify a person based on a biological feature, such as a fingerprint or retina |
Firewall | Software or hardware device that controls access to a private network from a public network (Internet) by analyzing data packets entering or exiting it |
Intrusion detection system (IDS) | A defense tool used to monitor network traffic (packets) and provide alerts when there is suspicious traffic, or to quarantine suspicious traffic |
Fault tolerance | The ability of an IS to continue to operate when a failure occurs, but usually for a limited time or at a reduced level |
Minimum security defenses for mobile devices are mobile biometrics, rogue app monitoring, remote wipe capability, and encryption. For travelers, do-not-carry rules may be a necessary defense.
A biometric control is an automated method of verifying the identity of a person, based on physical or behavioral characteristics. The most common biometrics are a thumbprint or fingerprint, voice print, retinal scan, and signature.
Mobile biometrics, such as voice and fingerprint biometrics, can significantly improve the security of physical devices and provide stronger authentication for remote access or cloud services. Biometric controls have been integrated into e-business hardware and software products. Biometric controls do have some limitations: They are not accurate in certain cases, and some people see them as an invasion of privacy. Most biometric systems match some personal characteristic against a stored profile.
When Apple acquired Siri, Inc., and integrated the voice-based personal assistant Siri into its operating system, Siri gave Apple the potential to move into voice biometrics.
Voice biometrics is an effective authentication solution across a wide range of consumer devices including smartphones, tablets, and TVs. Future mobile devices are expected to have fingerprint sensors to add another authentication factor.
Another type of defense is rogue app monitoring to detect and destroy malicious applications in the wild. Several vendors offer 24/7 monitoring and detection services to monitor major app stores and shut down rogue applications to minimize exposure and damage.
In the event of loss or theft of a device, a mobile kill switch or remote wipe capability as well as encryption are needed. All major smartphone platforms have some kind of remote-erase capability and encryption option.
In response to mobile security threats, many U.S. companies and government agencies are imposing do-not-carry rules on mobiles to prevent compromise. Travelers can bring only “clean” devices and are forbidden from connecting to the government’s network while abroad.
The U.S. Chamber of Commerce did not learn that it and its member organizations were the victims of a cybertheft for months until the FBI informed the Chamber that servers in China were stealing data from four of its Asia policy experts, individuals who frequently travel to Asia. Most likely, the experts’ mobile devices had been infected with malware that was transmitting information and files back to the hackers. By the time the Chamber hardened (secured) its network, hackers had stolen at least six weeks of e-mails, most of which were communications with the largest U.S. corporations. Even later, the Chamber learned that its office printer and a thermostat in one of its corporate apartments were communicating with an Internet address in China. The Chamber did not disclose how hackers had infiltrated its systems, but its first step was to implement do-not-carry rules.
U.S. companies, government agencies, and organizations are now imposing do-not-carry rules, which are based on the assumption that devices will inevitably be compromised according to Mike Rogers, current chairman of the House Intelligence Committee. For example, House members can bring only “clean” devices and are forbidden from connecting to the government’s network while abroad. Rogers said he travels “electronically naked” to ensure cybersecurity during and after a trip. IT at Work 5.3 explains how one cybersecurity expert complies with do-not-carry rules while traveling.
Risk management is not complete without a business continuity plan that has been tested to verify that it works. Business continuity refers to maintaining business functions or restoring them quickly when there is a major disruption. The plan covers business processes, assets, human resources, business partners, and more. Fires, earthquakes, floods, power outages, malicious attacks, and other types of disasters hit data centers. Yet, business continuity planning capabilities can be a tough sell because they do not contribute to the bottom line—that is, until it is too late. Compare them to an insurance policy: If and only if a disaster occurs, the money has been well spent. And spending on business continuity preparedness is an ongoing process because there is always more that could be done to prepare better.
The purpose of a business continuity plan is to keep the business running after a disaster occurs. Each function in the business should have a feasible backup plan. For example, if the customer service center or call center was destroyed by a storm or lost all power, would anyone know how the reps would continue to answer customer calls? The backup plan could define how to provide necessary network access to enable business to continue.
Cyberattacks are now the number one type of danger facing many countries around the globe. As a result, international, federal, and state laws and industry regulations mandate that enterprises invest in cybersecurity defenses, audits, and internal controls to help secure confidential data, prevent attacks, and defend against fraud and unauthorized transactions such as money laundering (Morris, 2016).
IT defenses must satisfy ever-stricter government and international regulations. All mandate the protection of PII. To protect consumers, some countries require strict compliance with these regulations. For example, in the United States the director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC) warned that the agency would bring enforcement action against small businesses lacking adequate policies and procedures to protect consumer data. Some examples of major national security regulations are listed in Figure 5.8. Some of these regulations also apply to occupational fraud that is described in the next section.
To ensure compliance with these regulations in the United States, the SEC and FTC impose huge fines for data breaches to deter companies from underinvesting in data protection.
Not all cybercrimes are “attacks” conducted from outside the organization. Some are conducted by employees within the organization. This is called fraud. Fraudsters carry out their crime by abusing the power of their position or by taking advantage of the trust, ignorance, or laziness of others. According to the latest Annual Global Fraud Survey, 81% of organizations have been victims of frauds perpetrated by insiders. Of these, 36% were carried out by senior or middle managers and 45% were attributed to junior employees. Only 23% of the reported frauds resulted from actions of an agent or nonemployee with access.
High-profile cases of occupational fraud committed by senior executives have led to an increase in government regulations. Unfortunately, this increased legislation has not put an end to fraud.
The single most effective fraud prevention tactic is making employees aware that fraud will be detected by IT-monitoring systems and punished, with the fraudster possibly turned over to the police or FBI. The fear of being caught and prosecuted is a strong deterrent. IT must play a visible and major role in detecting fraud. A strong corporate governance program and internal audits and controls are essential to the prevention and detection of occupational fraud.
Several examples of occupational fraud, their characteristics and the extent to which they impact corporate financial statements are illustrated in Figure 5.9.
Type of Fraud | Impacts Financial Statements? | Typical Characteristics |
Operating Management Corruption | No | Occurs off the books. Median loss due to corruption is 6X median loss due to misappropriation |
Conflict of Interest | No | Breach of confidentiality, such as revealing competitor bids. Often occurs coincident with bribery. |
Bribery | No | Uses positional power or money to influence others |
Embezzlement or “misappropriation” | Yes | Employee theft. Employee access to company property creates the opportunity for embezzlement |
Senior management financial reporting fraud | Yes | Involves massive breach of trust and leveraging of positional power |
Accounting Cycle fraud | Yes | Also called “earnings management” or “earnings engineering.” Violates generally accepted accounting principles (GAAP) and all other accounting principles. See aicpa.org |
FIGURE 5.9 Types, impact, and characteristics of occupational fraud.
An enterprise-wide approach that combines risk, security, compliance, and IT specialists greatly increases the prevention and detection of fraud. Prevention is the most cost-effective approach, since detection and prosecution costs are enormous in addition to the direct cost of the loss. It starts with corporate governance culture and ethics at the top levels of the organization.
IT monitoring and control also demonstrate that the company has implemented effective corporate governance and fraud prevention measures. Regulators look favorably on companies that can demonstrate best practices in corporate governance and operational risk management. Management and staff would then spend less time worrying about regulations and more time adding value to their brands and business.
Internal fraud prevention measures are based on the same controls that are used to prevent external intrusions—perimeter defense technologies, such as firewalls, e-mail scanners, and biometric access. They are also based on human resource (HR) procedures, such as recruitment screening and training.
Most detection activity can be handled by intelligent analysis engines using advanced data warehousing and analytics techniques. These systems take in audit trails from key systems and personnel records from the HR and finance departments. The data are stored in a data warehouse where they are analyzed to detect anomalous patterns, such as excessive hours worked, deviations in patterns of behavior, copying huge amounts of data, attempts to override controls, unusual transactions, and inadequate documentation about a transaction. Information from investigations is fed back into the detection system so it learns of any anomalous patterns. Since insiders might work in collusion with organized criminals, insider profiling is important to find wider patterns of criminal networks.
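The following is an added example, not from the textbook, of the kind of rules such an analysis engine applies to audit trails and HR records: it screens a constructed batch of daily per-employee records for the anomalous patterns named above (excessive hours, copying that deviates from the user’s own history, attempts to override controls, undocumented transactions) and scores users for insider profiling, with investigation feedback expressed as rule weights. The record layout, thresholds, and sample data are all assumptions.

```python
"""Screen audit-trail records for insider-fraud indicators: excessive hours,
bulk copying out of line with a user's own history, attempts to override
controls, and undocumented transactions.

Added example, not from the textbook. Record layout, thresholds and the
sample data below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class AuditEvent:
    user: str
    day: str                 # ISO date of the record
    hours: float             # hours worked that day, from HR time records
    bytes_copied: int        # bytes written to removable media or personal cloud
    action: str              # "normal", "transaction" or "override_control"
    documented: bool = True  # transaction has supporting documentation


# Constructed sample: alice is steady, bob has one bulk-copy/long-hours day and
# one control override, carol books a transaction with no paperwork.
SAMPLE_EVENTS = [
    AuditEvent("alice", "2017-03-01", 8.0, 2_000_000, "normal"),
    AuditEvent("alice", "2017-03-02", 7.5, 1_800_000, "normal"),
    AuditEvent("alice", "2017-03-03", 8.2, 2_200_000, "normal"),
    AuditEvent("alice", "2017-03-06", 8.0, 1_900_000, "transaction"),
    AuditEvent("bob", "2017-03-01", 8.0, 3_000_000, "normal"),
    AuditEvent("bob", "2017-03-02", 9.0, 2_500_000, "normal"),
    AuditEvent("bob", "2017-03-03", 8.5, 3_200_000, "normal"),
    AuditEvent("bob", "2017-03-06", 15.5, 480_000_000, "normal"),
    AuditEvent("bob", "2017-03-07", 8.0, 2_900_000, "override_control"),
    AuditEvent("carol", "2017-03-01", 8.0, 1_000_000, "transaction", documented=False),
    AuditEvent("carol", "2017-03-02", 8.0, 1_100_000, "transaction"),
]

MAX_HOURS = 14.0         # assumed ceiling for a plausible working day
COPY_RATIO = 10.0        # flag copying above 10x the user's own median...
COPY_FLOOR = 50_000_000  # ...and above 50 MB, so tiny baselines do not trip


def is_bulk_copy(event, history, ratio=COPY_RATIO, floor=COPY_FLOOR):
    """Compare one day's copying with the median of the user's OTHER days
    (leave-one-out), so the outlier itself does not inflate the baseline."""
    others = [e.bytes_copied for e in history if e is not event]
    if not others:
        return event.bytes_copied > floor
    base = median(others)
    return event.bytes_copied > floor and event.bytes_copied > ratio * max(base, 1)


def detect_anomalies(events, max_hours=MAX_HOURS):
    """Return (user, day, pattern) findings in event order, one per rule hit."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings = []
    for user, history in by_user.items():
        for e in history:
            if e.hours > max_hours:
                findings.append((user, e.day, "excessive_hours"))
            if is_bulk_copy(e, history):
                findings.append((user, e.day, "bulk_copy_deviation"))
            if e.action == "override_control":
                findings.append((user, e.day, "control_override"))
            if e.action == "transaction" and not e.documented:
                findings.append((user, e.day, "undocumented_transaction"))
    return findings


def rank_users(findings, weights=None):
    """Insider profiling: score users by weighted finding count. The weights
    are the feedback loop from investigations: a pattern that turned out to
    be real fraud is given a higher weight on the next run."""
    weights = weights or {}
    scores = defaultdict(int)
    for user, _day, pattern in findings:
        scores[user] += weights.get(pattern, 1)
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = detect_anomalies(SAMPLE_EVENTS)
    for finding in hits:
        print(*finding)
    # After an investigation confirmed the bulk copy, weight that pattern higher.
    print(rank_users(hits, {"bulk_copy_deviation": 3}))
```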
It is also important to have a set of general controls in place. The major categories of general controls are physical controls, access controls, data security controls, communication network controls, and administrative controls.
Physical security refers to the protection of computer facilities and resources. This includes protecting physical property such as computers, data centers, software, manuals, and networks. It provides protection against most natural hazards as well as against some human hazards. Appropriate physical security may include several physical controls such as the following:
Access control is the management of who is and who is not authorized to use a company’s hardware and software. Access control methods, such as firewalls and access control lists, restrict access to a network, database, file, or data. It is the major line of defense against unauthorized insiders as well as outsiders. Access control involves authorization (having the right to access) and authentication, which is also called user identification (proving that the user is who he or she claims to be).
Authentication methods include:
While the previously discussed general controls are technical in nature, administrative controls deal with issuing guidelines and monitoring compliance with the guidelines. Examples of controls are shown in Table 5.9.
TABLE 5.9 Representative Administrative Controls
To guard against fraud and protect clients, customers, and constituents, all public and private enterprises are subject to federal and state laws and regulations, some of which are shown in Figure 5.8. In the United States, the Sarbanes–Oxley Act requires that companies prove that their financial applications and systems are controlled (secured) to verify that financial reports can be trusted. It is intended to discourage fraud at the corporate and executive levels.
The Sarbanes–Oxley Act (SOX) mandates more accurate business reporting and disclosure of generally accepted accounting principles (GAAP) violations. Section 302 deters corporate and executive fraud by requiring that the CEO and CFO verify that they have reviewed the financial report, and, to the best of their knowledge, the report does not contain an untrue statement or omit any material fact. To motivate honesty, executive management faces criminal penalties including long jail terms for false reports. Section 805 mandates a review of the Sentencing Guidelines to ensure that “the guidelines that apply to organizations . . . are sufficient to deter and punish organizational criminal conduct.” The Guidelines also focus on the establishment of “effective compliance and ethics” programs. As indicated in the Guidelines, a precondition to an effective compliance and ethics program is “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”
Among other measures, SOX requires companies to set up comprehensive internal controls. There is no question that SOX, and the complex and costly provisions it requires public companies to follow, have had a major impact on corporate financial accounting. For starters, companies have had to set up comprehensive internal controls over financial reporting to prevent fraud and to catch it when it occurs. Since the collapse of Arthur Andersen, following the accounting firm’s conviction on criminal charges related to the Enron case, outside accounting firms have gotten tougher with clients they are auditing, particularly with regard to their internal controls.
SOX and the SEC are making it clear that if controls can be ignored, there is no control. Therefore, fraud prevention and detection require an effective monitoring system. If a company shows its employees that it can find out everything that every employee does and use that evidence to prosecute a wrongdoer to the fullest extent possible under the law, then the likelihood of any employee adopting an “I can get away with it” attitude drops drastically.
Approximately 85% of occupational fraud could be prevented if proper IT-based internal controls had been designed, implemented, and followed.
The internal control environment is the work atmosphere that a company sets for its employees. Internal control (IC) is a process designed to achieve:
The objective of IT security management practices is to defend all of the components of an information system, specifically data, software applications, hardware, and networks, so they remain in compliance. Before they make any decisions concerning defenses, the people responsible for security must understand the requirements and operations of the business, which form the basis for a customized defense strategy.
The defense strategy and controls that should be used depend on what needs to be protected and a cost–benefit analysis. That is, companies should neither underinvest nor overinvest. The major objectives of defense strategies are listed in Table 5.10.
TABLE 5.10 Major Objectives of Defense Strategies

| Action | Details |
|---|---|
| Prevention and deterrence | Properly designed controls may prevent errors from occurring, deter criminals from attacking the system, and, better yet, deny access to unauthorized people. These are the most desirable controls. |
| Detection | As with a fire, the earlier an attack is detected, the easier it is to combat and the less damage is done. In many cases detection can be performed by special diagnostic software at minimal cost. |
| Contain the damage | Minimize or limit losses once a malfunction has occurred; also called damage control. One approach is a fault-tolerant system that permits operation in a degraded mode until full recovery is made. Without fault tolerance, a quick and possibly expensive recovery must take place, because users want their systems back in operation as fast as possible. |
| Recovery | A recovery plan explains how to restore a damaged information system as quickly as possible. Replacing rather than repairing components is one route to fast recovery. |
| Correction | Correcting the causes of the damage prevents the same problem from occurring again. |
| Awareness and compliance | All organization members must be educated about the hazards and must comply with the security rules and regulations. |
A defense strategy is also going to require several controls, as shown in Figure 5.10. General controls are established to protect the system regardless of the specific application. For example, protecting hardware and controlling access to the data center are independent of the specific application. Application controls are safeguards that are intended to protect specific applications. In the next two sections, we discuss the major types of these two groups of information system controls.
Some companies rely on surprise audits, but being proactive about searching for problems is more effective and can stop fraud early, before the losses mount. An audit is an important part of any control system. Auditing can be viewed as an additional layer of controls or safeguards and is considered a deterrent to criminal actions, especially by insiders. Auditors attempt to answer questions such as these:
Auditing a website is a good preventive measure to manage the legal risk. Legal risk is important in any IT system, but in Web systems it is even more important due to the content of the site, which may offend people or be in violation of copyright laws or other regulations (e.g., privacy protection). Auditing e-commerce is also more complex since, in addition to the website, one needs to audit order taking, order fulfillment, and all support systems.
A number of frameworks, standards, and models have been developed to guide cyber defense strategies.
Two widely accepted frameworks that guide risk management and IT governance are Enterprise Risk Management (ERM) and Control Objectives for Information and Related Technology (COBIT) 5.
ERM is a risk-based approach to managing an enterprise developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). ERM integrates internal control, the Sarbanes–Oxley Act mandates, and strategic planning.
ERM consists of eight components, listed in Table 5.11.
TABLE 5.11 Enterprise Risk Management Components

| Component | Description |
|---|---|
| Internal environment | Assess risk management philosophy and culture |
| Objective setting | Determine relationship of risk to organizational goals |
| Event identification | Differentiate between risks and opportunities; negative/positive impact |
| Risk assessment | Assess risk probability and impact |
| Risk response | Identify and evaluate risk responses |
| Control activities | Develop policies and procedures to ensure implementation of risk responses |
| Information and communication | Identify, capture, and communicate information |
| Monitoring | Conduct ongoing and separate evaluations of risk-related activities |
These eight components can be viewed from a strategic, operations, reporting, and compliance perspective at all levels of the organization. Taking a portfolio view of risk, management must consider how individual risks are interrelated and apply a strong system of internal controls to ensure effective enterprise risk management. Those involved in ERM include management, the board of directors, risk officers, and internal auditors. ERM is intended to be part of routine planning processes rather than a separate initiative. The ideal place to start is with buy-in and commitment from the board and senior leadership.
COBIT 5 is the internationally accepted IT governance and control framework created by ISACA (originally the Information Systems Audit and Control Association) to align IT with business objectives, deliver value, and manage the associated risks. It provides a framework for management, users, and IS audit, control, and security practitioners that allows them to bridge the gap between control requirements, technical issues, and business risks.
COBIT 5 is the leading framework for the governance and security of IT. It is based on five principles, shown in Figure 5.11, and contains highly relevant guidance for IT practitioners and business leaders on governing and protecting data and information. COBIT 5 encourages each organization to customize the framework to fit its priorities and circumstances; it can be downloaded from isaca.org.
Three of the five COBIT 5 principles are most applicable to security:
By following these three principles, using a specified set of IT-enabling processes, and taking additional steps to move from an application centric focus to a data centric focus, organizations that use COBIT 5 can improve the governance and protection of their data and information.
While COBIT 5 provides sound and comprehensive improvement recommendations to start the security governance journey, organizations clearly need to move beyond reactive compliance and security to proactively mandating the need for data privacy and security enterprise-wide. In this way data are always protected.
ERM and COBIT 5 can be used separately or jointly. As with most improvement methodologies, the key to success is to start using them one step at a time.
Industry groups impose their own standards to protect their customers and their members’ brand images and revenues. One example is the Payment Card Industry Data Security Standard (PCI DSS), created by the card brands Visa, MasterCard, American Express, Discover, and JCB. PCI DSS compliance is required of all merchants and service providers that store, process, or transmit cardholder data. It requires merchants and card payment providers to make certain their Web applications are secure, which, if done correctly, reduces the number of Web-related security breaches.
The purpose of the PCI DSS is to improve customers’ trust in e-commerce, especially when it comes to online payments, and to increase the Web security of online merchants. To motivate compliance, the penalties for noncompliance are severe: the card brands can fine the retailer and increase the transaction fee on every credit or debit card transaction, and a finding of noncompliance can be the basis for lawsuits.
The Defense-in-Depth Model encourages a multilayered approach to information security. The basic principle is that when one defense layer fails, another layer still provides protection. For example, if a wireless network’s security were compromised, application-level encryption of the data would still protect it, provided that the thieves could not decrypt it and that any tampering with the encrypted data would be detected by the receiver.
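The wireless scenario above is worth seeing concretely. The following is an added example, not code from the original text: it models a link whose transport encryption has failed (the attacker sees every frame) and shows that an independent application-layer envelope, using its own key, keeps the payload confidential and makes a modified frame detectable. The shared key, the message, and the HMAC-SHA256 counter-mode stream cipher are all assumptions for the demonstration; in production the envelope would be AES-GCM or another authenticated cipher from a vetted library, and the key would come from a proper key-exchange or KDF.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example key for the application layer. It is deliberately
# independent of whatever key the (now broken) wireless layer used.
APP_KEY = b"application-layer-key-32-bytes!!"  # assumption: 32-byte shared secret

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF.

    Stand-in for AES-CTR so the example runs with the standard library only.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def derive_keys(master: bytes):
    """Separate encryption and MAC keys derived from one master secret."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(master: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(master)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag first; return None (never partial plaintext) on failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def simulate_compromised_wlan(message: bytes) -> dict:
    """Outer layer broken: the attacker sees and can rewrite every frame.

    Reports whether the inner layer still held. `message` is constructed input.
    """
    frame = seal(APP_KEY, message)          # the only bytes that cross the air link
    payload_exposed = message in frame      # attacker reads the frame as captured
    forged = bytearray(frame)
    forged[NONCE_LEN] ^= 0x01               # attacker flips one ciphertext bit
    return {
        "payload_exposed": payload_exposed,
        "tamper_detected": open_sealed(APP_KEY, bytes(forged)) is None,
        "receiver_recovers": open_sealed(APP_KEY, frame) == message,
    }


if __name__ == "__main__":
    print(simulate_compromised_wlan(b"PAYROLL: Alice 5000"))
```

The point of the layering is that the attacker who broke the wireless key gains only ciphertext plus a tag, and any edit to the frame fails the tag check before a single byte is decrypted. Note the failure-mode handling: `open_sealed` returns `None` rather than a partially decrypted buffer, so a tampered frame cannot leak into downstream processing.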
The success of any IT project depends on the commitment and involvement of executive management, also referred to as the tone at the top. The same is true of IT security. This information security tone makes users aware that insecure practices and mistakes will not be tolerated. An IT security model therefore begins with senior management commitment and support, as shown in Figure 5.12. The model views information security as a combination of people, policies, procedures, and technology.
To use the Defense-in-Depth Model an organization must carry out four major steps:
For instance, management may decide to forbid employees from using company e-mail accounts for nonwork purposes, accessing social media during work hours, or visiting gambling sites. These decisions will then become rules stated in company policy, integrated into procedures, and implemented with technology defenses. Sites that are forbidden, for instance, can be blocked by firewalls.
When an incident occurs, the organization is ready to respond intelligently—having the correct information to be honest, open, and accountable, and to communicate with consumers and other important audiences as quickly as possible.
How much does a cyberattack really cost an organization? Regulatory fines, public relations costs, breach notification and protection costs, and other consequences of large-scale data breaches are easy to see and quantify. However, the effects of a cyberattack can linger for years, producing a wide range of intangible costs tied to a damaged reputation, disruption of operations, and loss of IP or other strategic assets. These are much harder to measure because they are not easily quantified.
Whichever frameworks, standards, and controls are used to assess, monitor, and control cyber risk, a balanced approach that measures both the direct costs and the intangible impacts of cyberattacks is needed to paint an accurate picture of the damage sustained and to guide the creation of stronger security measures going forward.
acceptable use policy (AUP)
access control
administrative controls
advanced persistent threat (APT)
adware
Anonymous
application controls
assets
attack vector
audit
backdoor
biometric control
black hat
botnet
bring your own apps (BYOA)
bring your own device (BYOD)
business continuity plan
business impact analysis (BIA)
command and control (C&C) channel
consumerization of information technology (COIT)
contract hacker
Control Objectives for Information and Related Technology (COBIT) 5
corporate governance
critical infrastructure
cyberthreat
data breach
data incident
data tampering
distributed denial-of-service (DDoS) attack
do-not-carry rules
enterprise risk management (ERM)
fraud
general controls
gray hat
hacking
hacktivist
intellectual property
internal control (IC)
internal threats
intrusion detection system (IDS)
intrusion prevention system (IPS)
IT governance
LulzSec
malware
mobile biometrics
occupational fraud
patches
payload
Payment Card Industry Data Security Standard (PCI DSS)
permanent denial-of-service (PDoS)
phishing
physical controls
ransomware
remote access trojan (RAT)
remote wipe capability
risk
rogue app monitoring
rootkit
service pack
signature
social engineering
spam
spear phishing
spyware
telephony denial-of-service (TDoS)
threat
time-to-exploitation
trojan
Trojan horse
vector
virus
voice biometrics
vulnerability
white hat
worm
zero-day exploit
zombie