
23 November, 2016

The complicated, multi-faceted world of risk assessment

Pabrai speaking during his session, titled The Art of Performing Risk Assessments.

Uday Ali Pabrai, Chief Executive of ecfirst as well as a cybersecurity and compliance expert, said that accurate risk assessments are crucial to determining next steps when a security incident occurs.
In his session he shared some hard truths about cybersecurity and risk. "No business is, was or will be 100% secure; we are surrounded by risk, we will be surrounded by risk," he said. "If you don't have incidents, you don't have good discovery capabilities."

Speaking during the inaugural CSX 2016 Asia Pacific conference in Singapore, Pabrai also noted that security is only as strong as your weakest link, but that uncovering that link can be challenging. "We do a very poor job of accurately identifying what the risks are that can be exploited," he said.

One problem, Pabrai noted, is that most organisations have IT people doing cybersecurity, although general IT skills are not the same as cybersecurity skills. "There is a difference in knowledge and skillset," he pointed out. "You have got to make sure you are investing in skilled resources."

The goal, Pabrai said, is a 10- to 20-page document that a senior executive can read and understand, stating "where we are today and where it is you want to take it in the next 12 months". "Clearly articulate all the regulations your organisation has to comply with," he said. "The bar should be set based on the strictest regulations your organisation has to follow."

"You don't want to be in the business of breaches," he said, pointing out that settlements as a result of breaches in the US have cost up to US$130 million. "For the C-level suite, (explain that) the cybersecurity risk is an eight-figure risk for the business."

He recommended the audience refer to the Verizon Data Breach Investigations Report for its "fantastic statistics for C-level people". Among the findings from the report:
  • In 93% of cases it took attackers minutes to compromise systems, yet the compromises were typically not discovered until weeks or months later
  • Six in 10 (63%) data breaches involved leveraging weak, default or stolen passwords
  • Almost all (95%) of web attacks where criminals stole data were financially motivated
  • Criminals in Iran, North Korea, and China use techniques* like SQL injections, spear phishing and sophisticated malware to gain initial access, then use privilege escalation exploits to compromise additional systems and move deeper inside the compromised firm

Concrete steps to take in improving risk assessments include setting goals on improving the strategy, Pabrai added. "What can you do in the next six weeks to improve the quality of your cybersecurity assessment programme?" he asked.

Policies have to be put in place for potential incidents "so you know what to do immediately", Pabrai said. "Build a credible IT disaster recovery plan, build a backup plan," he said.

There are many potential oversights in security. Pabrai stressed that third-party suppliers are often overlooked as a risk for loss of personally identifiable information (PII). "What are your external contractors doing with your information, and are you documenting the scope of that activity?" he asked.

New technologies including the Internet of Things (IoT) threaten to give attackers new opportunities and new attack surfaces, Pabrai warned. "The Dyn cyber assault** will happen many times in 2017 because of weak passwords in IoT," he said.

Pabrai also highlighted a gap between securing hardware, which is better understood, and securing software. "We do a poorer job of assessing application security - though they are connected to databases with terabytes of information," he cautioned.

Third-party testing is crucial to validate and remediate findings, Pabrai added. "No risk assessment on operation earth can be credible if it is not married with a vulnerability assessment and a penetration test," he said, recommending that both be done regularly - vulnerability assessments at least quarterly and penetration tests annually.

Likening a vulnerability assessment to snorkelling and a penetration test to diving, Pabrai explained that vulnerability assessments show potential vulnerabilities that could be exploited, whereas penetration tests actually check whether those vulnerabilities can indeed be exploited.

According to Pabrai, there are seven steps to better enterprise security, and the risk strategy should be updated annually.

Pabrai shared that enterprise security can be assessed along seven dimensions, that it should be assessed continuously, and that the strategy should be updated annually.

*SQL injection refers to supplying SQL code through the inputs of a legitimate application so that its database executes unauthorised actions, such as sending data to an attacker.
Spear phishing is a faked communication that appears to come from someone trusted, duping the recipient into visiting fake sites and sharing confidential data, such as passwords, that can then be used for hacking.
Privilege escalation refers to hacking into the accounts of employees who have more 'privileges', which allows hackers to penetrate farther into a company. Typically, senior management and the IT department have more privileges than junior employees - the ability to approve sensitive actions like transfers of money, and the capability to access more data and more confidential data.

**Dyn maintains domain name system (DNS) servers that control access to some of the best-known websites today, including Twitter, Spotify and Reddit. The Dyn attack occurred in 2016 and essentially took those sites down because Dyn's DNS servers were overwhelmed with fake requests from a distributed denial of service (DDoS) attack. The DDoS requests were sent by compromised surveillance cameras - a 'thing' in the IoT - which had been designed such that their passwords could not be changed. This made it very easy for a hacker to take control of the cameras for their own purposes.
