Most likely vs most dangerous
“You have enemies? Good. That means you’ve stood up for something, sometime in your life” Winston Churchill
At Theta we ‘game’ the cyber security threat by considering the most likely adversary course of action alongside the most dangerous one, each with its own types of cost and probability. Because there are multiple threats, we iterate through them to build up a blend of possible outcomes, and in the process quantify risk that had often gone unforeseen. Attributing expected costs to particular outcomes helps focus defensive activity on the areas of greatest risk. A simple example: if we identify that a data breach is the most costly expected event, then security controls should be put in place for it in preference to other risk areas (say, preventing a distributed denial of service).
Those who have endured Certified Information Systems Security Professional (CISSP) training may recognise this as a form of annualised loss expectancy. There is not a lot of publicly available data on cyber security incidents in New Zealand, so quantifying the risk can be tricky. The interesting finding from doing this type of analysis is that even if your assumptions are only accurate to within an order of magnitude, the errors in the risk calculations tend to balance out, as in Fermi estimation, and the results can be surprisingly accurate.
Quantifying cyber risk for Board-level discussions is vital, and as long as your assumptions are valid the cost of protection can be low by comparison.
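The ranking described above, worked through in code as an added example (this is not Theta's model; every figure is constructed for illustration). It computes annualised loss expectancy for a small threat register, picks out the most likely and most dangerous threats, and checks how often the top priority survives when each estimate is off by up to an order of magnitude.

```python
# Added example (not from the original post): rank threats by annualised
# loss expectancy (ALE = single-loss expectancy x annual rate of occurrence)
# and measure how stable that ranking is under Fermi-level input errors.
# All figures below are constructed, not real incident data.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    single_loss: float   # cost of one occurrence (NZD), constructed
    annual_rate: float   # expected occurrences per year, constructed

    def ale(self) -> float:
        """Annualised loss expectancy = single-loss expectancy x annual rate."""
        return self.single_loss * self.annual_rate


# Constructed register: a rare but costly breach, a frequent but cheap
# phishing event and a DDoS outage in between.
THREATS = (
    Threat("data breach", 2_000_000, 0.1),
    Threat("phishing credential theft", 20_000, 6.0),
    Threat("DDoS outage", 50_000, 1.0),
)


def most_likely(threats):
    """Threat with the highest expected annual rate."""
    return max(threats, key=lambda t: t.annual_rate).name


def most_dangerous(threats):
    """Threat with the highest cost per single occurrence."""
    return max(threats, key=lambda t: t.single_loss).name


def rank_by_ale(threats):
    """Threat names ordered by expected annual cost, highest first."""
    return [t.name for t in sorted(threats, key=Threat.ale, reverse=True)]


def top_threat_stability(threats, trials=2000, decades=1.0, seed=1):
    """Share of trials in which the top-ranked threat is unchanged after every
    input is multiplied by an independent log-uniform error of up to
    10**decades either way. Values near 1.0 mean the priority survives
    order-of-magnitude uncertainty in the estimates."""
    rng = random.Random(seed)
    baseline = rank_by_ale(threats)[0]

    def err():
        return 10 ** rng.uniform(-decades, decades)

    hits = 0
    for _ in range(trials):
        noisy = [Threat(t.name, t.single_loss * err(), t.annual_rate * err())
                 for t in threats]
        hits += rank_by_ale(noisy)[0] == baseline
    return hits / trials
```

On the constructed figures the most likely threat (phishing) and the most dangerous (data breach) differ, and the ALE ranking is what decides which gets controls first.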
“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” Mark Twain
The attack surface is the sum of all vulnerable points in an organisation that an unauthorised person could exploit to conduct a cyber attack. While it may be hard to visualise your attack surface, it can be helpful to break it down into more tangible groups. The groups we use are people, process, information and technology. I will focus on people, as it tends to be the most difficult component of the attack surface to assess.
People can be the weakest part of any organisation, and yet many cyber attacks can be defeated by adequately aware personnel. So what makes an adequately aware person? It boils down to connecting our decisions with their consequences for the attack surface. Is what we are doing exposing us to more or less risk? With everything else that people are responsible for in their daily jobs, it can be challenging to also burden them with being both sensors and first responders against cyber attack.
The absence of the normal and presence of the abnormal
A technique I like to use was a successful component in countering Improvised Explosive Devices (IEDs) in Afghanistan. The trick was not to make everyone an expert in IEDs, but to give them some basic awareness techniques. Very simply, we asked people to look for the absence of the normal and the presence of the abnormal.
Walking into a Helmand village that the previous day had had children playing and market stalls selling produce, and finding it deserted today, was a sure sign the Taliban were around and an ambush should be expected. This is the absence of the normal.
When approaching a vulnerable point in the road, such as a culvert or other narrowing, it was typical to get out of the vehicles and conduct a visual scan of the surrounding area. The idea was to look for things that were out of place, such as disturbed earth (indicating something had recently been buried) or other artefacts of IEDs (such as command detonation wires). This is the presence of the abnormal.
Are your people likely to be suspicious when faced with situations that are unusual, out of sequence, or where they may be under pressure to bend the rules? It is a perfectly human response to volunteer information or bypass organisational procedures when under pressure from an attacker posing as senior management or as someone in need, as happens in a spear phishing or whaling attack, for example.
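The same two questions can be put to an organisation's logs as well as to its people. As an added example that is not part of the original post, the function below takes a constructed baseline of what a normal day should contain and a constructed day of log lines, and reports what is expected but missing (absence of the normal) and what is present but unexplained by the baseline (presence of the abnormal). Patterns, hostnames and user names are all made up.

```python
# Added example (not from the original post): the "absence of the normal /
# presence of the abnormal" heuristic applied to one day of constructed logs.
import re
from collections import Counter

# Constructed baseline: (regex for a normal event, minimum count expected per day)
BASELINE = [
    (r"backup job (\w+) completed", 1),          # nightly backup must run
    (r"vpn login user=(\w+) country=NZ", 3),     # staff log in from New Zealand
    (r"edr heartbeat host=(\w+)", 4),            # every endpoint checks in
]


def triage(lines):
    """Return (absent, abnormal).

    absent:   baseline patterns seen fewer times than expected
    abnormal: lines that no baseline pattern explains
    """
    counts = Counter()
    abnormal = []
    for line in lines:
        for pattern, _ in BASELINE:
            if re.search(pattern, line):
                counts[pattern] += 1
                break
        else:                       # no pattern matched: presence of the abnormal
            abnormal.append(line)
    absent = [p for p, need in BASELINE if counts[p] < need]  # absence of the normal
    return absent, abnormal


# Constructed day: the backup never reported, and one login comes from outside
# the expected country. Hostnames and users are invented.
DAY = [
    "edr heartbeat host=fs01",
    "vpn login user=alice country=NZ",
    "edr heartbeat host=ws12",
    "vpn login user=bob country=NZ",
    "vpn login user=carol country=NZ",
    "vpn login user=alice country=AU",
    "edr heartbeat host=ws07",
    "edr heartbeat host=dc01",
]

if __name__ == "__main__":
    missing, odd = triage(DAY)
    print("absence of the normal:", missing)
    print("presence of the abnormal:", odd)
```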
Reducing the attack surface - what can you do?
An awareness campaign can help your organisation reduce the attack surface. This should begin at the point of initial screening for employment, assessing individuals’ attitudes to and experience of general cyber security issues. It should be followed up by setting expectations of awareness during the induction process and in any periodic organisational training. You may even consider making cyber security awareness part of the annual assessment process. This will also help you track the maturity of your cyber security management system while potentially motivating employees, especially if it is connected to their pay and promotion prospects. Note, however, that heavy-handed mandatory security schemes often fail. Try adopting a softer approach that allows people to “fail safe” and learn at the same time, by running an internal email phishing campaign and seeing who falls for it.
Information operations augment cyber attacks
Cyber attacks are rarely decisive in their own right. They are frequently executed together with operations in the information environment, such as manipulation of social media or online journalism (‘fake news’), or require social engineering tactics to bridge a cognitive or physical barrier that a pure technical payload cannot cross. Such activity can augment or enable the effects of a cyber attack by making the deception far more convincing for the victim, and is helped along by the internet’s filter bubble effect, where people are fed information that reinforces their own perceptions. If an adversary can appear more convincing to their target by using an associated effect in social media, then they are more likely to penetrate the human aspect of the attack surface.
Many organisations experience a cyber attack that steals login credentials, but this may just be a means to an end. The stolen information is often analysed and fed back to the organisation in the form of convincing phishing emails that use real details about current activity.
In cyber security, people can be the most vulnerable part of the attack surface, but also, with a bit of awareness, its strongest defence. A modest amount of awareness acts as a force multiplier in your defences far beyond any firewall or anti-virus software.
This post is the second in a series exploring the cyber security lexicon. Next time I will look at cyber attacks, and how to divide up the attack surface into areas that you can actually control, influence or just be afraid of!