
Rethinking the Insider Threat While Mining for Data Security Gold

By: Jeremy Wittkop

Many people believe that the vast majority of cyber threats involve the intentional theft of credit card numbers or Personally Identifiable Information (PII). That is not true.

Many people also believe that the most prevalent incidents involve malicious software and ransomware. That is also not true.

The news cycle drives these perceptions. Stories about malicious software, and ransomware in particular, are a media favorite. A ransomware attack is sensational. It features a villainous criminal demanding payment and a helpless victim pleading for his mercy. Even better for news outlets, this dramatic story requires little investigation or technical understanding to report it. But despite the media hype, this form of cybercrime represents less than 1% of actual attacks.

The truth is that the vast majority of stolen information is taken by someone who already has credentials. Sometimes people unknowingly share sensitive information through phishing or social engineering directed by an outside agent. But at other times, people act maliciously or in their own financial interests. Case in point is the story of American Semiconductor. An employee stole sensitive intellectual property and put it on a removable USB device in exchange for $2 million.

As one of the largest Managed Data Protection practices in the world, InteliSecure uniquely understands how people interact with sensitive information. We monitor the behavior of over 2 million users in over 140 countries around the world every day. As a result, we see both intentional and accidental data exposure, and we have amassed countless stories of how people really steal it. These days much of it winds up on the Dark Web. Details of these stories cannot be told due to client confidentiality, but we have built a library of anonymous examples to share, all of which came from our innovative Golden Nugget Program.

Origins of Golden Nuggets

Several years (and countless gray hairs) ago, I led InteliSecure’s Managed Security Services practice. A proponent of variable compensation, my CEO at the time decided that we needed to make changes in Operations. He thought our people needed additional motivation. While incentive compensation is relatively straightforward for sales and marketing, structuring it correctly for our Security Operations Center teams was a bit of a challenge. I told him I’d work on it.

My first step was to research what my peers were doing. After all, many good ideas were probably already in use. I discovered that the majority of Managed Security Service providers used a variable compensation structure to incentivize behaviors that led to profitability. For instance, many firms referenced common call center metrics such as the volume of tickets or how fast, on average, agents closed them.

I knew these measures did not positively impact the client experience, and in many cases they had an adverse effect. I’m sure you’ve called customer service at a cable company at least once in your life. The representative probably asked your name, located your account, and immediately started pushing the ticket to a close, regardless of whether your problem was solved. Measuring employees based on productivity drives this type of behavior.

I wanted to do things differently. Rather than reduce costs, my goal was to reward the behaviors that helped us better acquire, satisfy, and keep clients. We had to focus on client value.

One day after skiing amazing powder at Breckenridge with an InteliSecure executive, a salesperson, and my friends on the Managed Security Services team, we had an idea. We were having a good time relaxing and watching a show called “Gold Rush” on the Discovery Channel. Gold Rush is about gold mining, a very slow, mundane and laborious process. But thanks to the magic of television, the Discovery Channel made it fascinating.

One of my colleagues remarked, “What we do is like gold mining. We create security policies to find rare security events, which is similar to a gold miner picking which plot of dirt to prospect. Obviously if there’s no gold in the dirt in the first place, you won’t be successful finding it in the end.”

Interesting thought!

He continued, “Our triage process is a lot like running dirt through a sluice box. If it’s done well, the miner maximizes his yield, but if it’s done poorly, the gold washes into the stream below. When our engineering team sets up the systems, we’re like the miners building the sluice box. If we don’t do a good job, the process fails. Our entire team must work together to find Golden Nuggets.”

At that very moment, our Golden Nugget program was born. It was simple. If our team found a valuable security incident for our clients, we would reward everyone who contributed to that discovery. We also didn’t want to decide the Nugget’s value in a vacuum. We asked our clients to participate in the process and rule whether the finding was significant. We continue to showcase Golden Nuggets today during business reviews with our clients.

Not All Nuggets are Created Equal

When we first started the Golden Nugget program, we simply compensated people for any material security event they found. But for really big finds, we gave them extra special recognition. You can read more about one amazing story in my book, Building a Comprehensive IT Security Program (https://www.amazon.com/Building-Comprehensive-Security-Program-Guidelines-ebook/dp/B01JRFGQY2), but in summary, we caught a user stealing a substantial amount of intellectual property at one of our manufacturing accounts. This proprietary information cost $30 million to create, and it pertained to a product line expected to deliver $3 billion in revenue over the next 5 years. The perpetrator intended to leave the country and illegally mass produce a counterfeit version of the goods. When the individual went to trial, investigators discovered he had successfully made away with similar information from our clients’ two top competitors. He is currently serving 10 years in federal prison.

When our SOC team agent surfaced this gem, we realized that not all Nuggets are created equal. We needed to recognize the best of all Nuggets we found. Doing so motivated our Managed Services team to compete even more to find them. Thanks to the increased volume of great finds, we celebrate the very best of them during our quarterly awards.

There’s Gold in Your Hills

Since the Golden Nugget program’s inception in 2013, we’ve seen more than our share of valuable Nuggets. In the beginning, broken business processes accounted for most of them. Later, however, we saw a disturbing rise in the volume of incidents when users inappropriately shared intellectual property. Although much of it was accidental, a surprising percentage was intentional.

Why the change? My colleagues fault three factors. First, many of our clients have matured past their initial compliance requirements and have started to build policies protecting intellectual property. Second, spurred on by competition for Golden Nuggets, our analysts have become much better at finding the proverbial “needle in the haystack.” Third, the lines of acceptable behavior pertaining to sharing sensitive information have blurred significantly as the traditional security perimeter has eroded. Since it’s easier to share in today’s cloud-connected world, people now think it’s OK to share whatever they want.

I think these are valid explanations, but in my view they don’t tell the whole story. Here’s what I call the inconvenient truth:

More people than ever are stealing Intellectual Property and other sensitive data because the market for trafficking stolen information has matured. Theft has become for many a low-risk, high-reward occupation.

Most industry analysts agree that the success rate for data theft is around 95%. Surprisingly, only one criminal in twenty gets caught because most organizations do such a poor job of protecting their data. And of those detected, very few offenders will ever be prosecuted. They’re simply terminated and then go on to repeat the same behaviors elsewhere.

Protecting data is hard, and most organizations aren’t doing it well. Unfortunately companies place too much emphasis on perimeter security and not enough on protecting their most sensitive information.

The world has changed. To be successful, companies today must do more than retrofit their perimeter technologies—they must implement comprehensive approaches to protect all types of data, no matter where the intrusion occurs. Right now, it’s much easier for an insider to pilfer behind the walls than it is for an outsider to penetrate a firm’s thick perimeter defenses. Until this changes, criminals will continue to exploit this common vulnerability without fear of getting caught.

That is, unless they happen to work for an InteliSecure client.

Conclusion

Forget what you may have heard about data protection. Despite beliefs that DLP will only catch well-meaning insiders and broken business processes, we can tell you from our many years of experience that there’s significant risk in not doing DLP well. People who say data protection programs don’t work are among the 95% who are doing it wrong. Criminals are stealing your data, and technologies do exist to catch them. It’s time to make a change.

We can help. Our Golden Nugget program is just one example of the lengths we go to safeguard our clients’ most sensitive information. Put our expert teams in our Security Operations Center to work for you. We can find the nuggets that boost the value of your security program and deliver the level of protection you deserve.

PS:

The Dark Web is an emerging threat for everyone in IT security, but most people don’t know what it is. InteliSecure is planning a webinar with Emily Wilson from Terbium Labs, an expert who does a phenomenal job of explaining how it works. We will update this post with a webinar link when it’s scheduled, but you can always check the InteliSecure BrightTALK channel for more information: https://www.brighttalk.com/channel/17408/intelisecure


Evaluating a Penetration Testing Company

By: Rob Hughes and Keith Sharp

It can be difficult to know what to look for when searching for a strategic partner to assist you with your security and risk management processes. More specifically, understanding what makes a good penetration testing company can be difficult without a pre-existing familiarity with the industry. In this blog we are going to discuss the key factors that can help identify a good penetration testing company.

A company or organisation can have many reasons for conducting a penetration test, including:

  • Gaining a better understanding of the effectiveness of their security defences
  • Ascertaining the risk levels of business critical systems and their related processes
  • Meeting strict compliance requirements.

There can be many reasons why an organisation looks to utilise a penetration test; however, enabling better security awareness and assurance through remediating security weaknesses are key goals all organisations should be aspiring to.

Unfortunately, as with any industry, there are good and there are not so good security testing organisations out there selling services. Therefore, InteliSecure have put together an overview on the main areas that should be considered when selecting a security testing company as a strategic partner.

The following three commonly raised questions will be our starting point for this discussion:

  • How do you find a good Penetration testing Company?
  • What should you consider before engaging a Penetration testing Company?
  • How can you ensure that a Penetration Testing provider can perform the engagement to your requirements and meet your business needs?

Therefore, in order for an organisation to be able to answer these questions, InteliSecure have put together a high level overview of what to look out for and how to engage with the many organisations that are providing penetration testing services:

  1. Understanding what type of testing you require
  2. Ensuring the skill set of the third party consultants can meet your requirements
  3. Understanding the company’s processes and procedures, for example whether these are documented and aligned to a standard (ISO 27001 etc.).

Let’s look a bit more closely into a few of these specific areas.

  1. Understand the type of testing you require.

Penetration testing, in its true form, can be performed across many different technologies and is usually performed across either an external or internal network infrastructure, which can include physical or virtual servers, workstations, firewalls, network switches, routers and many IP based devices and applications.

Once the scope of the assessment has been defined, you will have to indicate how you want the assessment to be performed. A penetration test, in its most basic description, is the simulation of an attacker attempting to ascertain and then exploit weaknesses in networked computer systems. The classic categories of attacker perspective that can be applied to a pen test are known as black box, grey box and white box; these are defined in basic terms below:

Black box tests are performed without any knowledge of the tested environment. The objective of a black box assessment is to assess the level of security as seen by a third party connected to the internal network or the internet, without any prior knowledge of the environment.

Grey box tests are performed with standard access or with only limited knowledge of the tested environment. The objective of a grey box assessment is to assess the level of security as seen by a legitimate user of the customer who has an account, along with general information about the tested environment.

White box tests are performed with knowledge of the internal structure/ design/ implementation of the tested environment.

Penetration testing is an offensive methodology aimed at replicating a typical attacker, which could be scoped to focus on multiple areas of an organisation, including web applications. Generally, the methodology is better applied through a black box testing perspective, which is unauthenticated and with limited knowledge of the system. The concept is to enumerate information or attempt to bypass / brute force authentication in order to gain an initial foothold.

Typically, a penetration test is completed under a set methodology that resembles the basic principles of the Open Source Security Testing Methodology Manual (OSSTMM), and is scoped to include the subnet ranges, devices or IP addresses, and/or URLs that are to be included in the assessment.

A myriad of factors can come into play in deciding which attacker perspective to assume for a penetration test, and these ultimately depend on the complexity, criticality and management of the systems that are going to be targeted for attack. For example, an organisation may outsource web application development and have limited access or perspective with respect to the detailed hosting information or prior penetration testing assurance of the third party, and so a black box test may be the natural or only choice to assess the solution.

Attacker perspective becomes very important with regards to certain types of penetration testing, such as red team penetration testing exercises. Red team penetration tests, by their nature, are almost always performed on live systems, can include social engineering tactics against company employees, and have fewer restrictions than other types of security assessment. The flow of a red team penetration test is typically goal based, in that the penetration testing team has been given challenges to, for example, gain access to a specific system, or retrieve a password for a specific type of user within the network environment, from a specific starting point (and level of knowledge about the environment, which may map to i) a standard employee, ii) an employee in the IT department, etc.). Red team exercises must be pre-planned in agreement with IT security managers to avoid risk and preserve the integrity of the assessment (i.e. only select employees knowing that attacks are taking place), so that genuine defensive responses can be gauged for their effectiveness during the assessment (reviewing intrusion/security monitoring alerts) and thereafter (log analysis etc.). Therefore, to facilitate successful red team exercises, both black box and white box perspectives may have to exist in parallel to achieve the goals of the testing safely.

Ultimately a good penetration testing company will always guide a client to the right choices for the environments that are to be tested and should consider the requirements and constraints of the targeted systems when aligning the best choice of attacker perspectives with the target(s) involved. Defense in depth can often be more efficiently scoped and scrutinised by a penetration testing company depending on what background information they have from the outset. Attack perspectives can change depending on the information available, so the above categories are not necessarily rigid and all good penetration testing companies will recognise and highlight any relevant issues when such perspectives are not clear or have to change to best facilitate the proposed penetration testing.

The main objective of penetration testing is essentially to ascertain to what extent the issues and vulnerabilities discovered within a specific environment can be exploited by an attacker, and what systems can be breached and how (i.e. can certain vulnerabilities be combined and therefore pose additional or greater risks).

Penetration testing of specific types of network technology can have its own overarching standards and methodologies, a prime example being network applications. Focused application testing differs slightly from a true form penetration test, as it is usually completed using multiple sets of credentials covering multiple roles (i.e. different levels of trust/access are assigned to the attacker perspective to align with the potential threats the application could pose). The principles in focused application testing are usually aligned to the Open Web Application Security Project (OWASP) and can cover web applications, mobile applications and thick client or desktop applications. This type of testing aligns with “grey box”, as a minimum set of information is required to successfully cover the test cases the application naturally presents.

Most penetration testing companies also offer a compliance and auditing type of assessment, which can include authenticated build reviews of servers, workstations, firewalls and other network security devices, mobile devices, etc. This type of testing isn’t penetration testing per se, but can be used alongside the typical testing in order to gain a more thorough and comprehensive overview of risk within the environment. When these types of services are combined in this way, the term “Health Check” is usually used to describe the process.

Therefore, it is essential that you fully understand the type of testing that you require, as some compliance requirements, such as PCI and the Cyber Essentials scheme in the UK, require a combined “Health Check” approach.

The penetration testing company will usually ask whether the penetration testing is required to meet specific compliance requirements, either through an initial meeting or via a scoping questionnaire; therefore it is essential that you understand the type of testing you require before engaging with the third party. This will allow you to gauge whether the company can provide the type of testing you require and has the skill set required within its organisation, which leads us on to the next area.

  2. Ensuring the skill sets of the penetration test consultants can meet your requirements.

In addition to evaluating the penetration testing company as a whole, you should also take a close look at the actual consultants who will perform the engagement. A good penetration testing company will be able to instantly provide details of their consultants’ professional backgrounds, along with any relevant qualifications or professional certifications they may hold individually. Penetration testing, as a specialism, has now become better known in the IT security industry, with many organisations offering different types of certification to assess an individual’s competence in the subject. Certifications offer a way to ensure a baseline level of technical competence, knowledge and understanding of the profession. However, a consultant who can study a subject and pass an exam may not have the expertise or experience to competently complete the penetration test to your unique requirements. Limitations of experience can exist within a pen testing company, and so it should be expected that individuals with niche skills may not always be available across the board. However, good penetration testing companies will conduct training or in-house research to push the skill sets of their consultants forward, to align with advances in technologies and/or tools or to allow their consultants to upskill their repertoires.

Within a quote or proposal for penetration testing services from the third party (which would be derived following the scoping phase), a good penetration testing company would include information on the consultants likely to be involved in the assessment.

The following areas should be investigated for each consultant; usually a search on LinkedIn or Google will return valuable results.

2.1 Expertise

Most penetration testing consultants will have graduated from university with some form of computer security or computer science degree; however, this may not always be the case. Also, there are many industry certifications that can be much more focused on penetration testing than a generic degree.

Some of today’s most commonly-recognized certifications include Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), GIAC Exploit Researcher & Advanced Penetration Tester (GXPN), or Offensive Security Certified Professional (OSCP). In the UK there are Crest Certifications, Tigerscheme and Cyber Scheme which are aligned to the UK National Cyber Security Centre (NCSC) CHECK program, which deals with Government, Police and other potentially sensitive data.

When it comes to continuous education, the SANS Institute is a private company that also offers high quality information security and cybersecurity training including penetration testing courses to hone ethical hacking skills, including web application security assessments, social engineering, red team operations, wireless penetration testing and more.

Most competent penetration testing consultant’s would have at least one focused industry standard certification which would be focused on a specific area of penetration testing, therefore it is important to review the consultant’s detailed resume to confirm.

2.2 Experience

Experience within the penetration testing industry can be extremely broad, with many consultant’s coming into the industry directly from either University or from another profession. However, it is essential that in a focused penetration testing role, experience in different areas such as network infrastructure, application and compliance auditing has been gained by the consultant throughout their careers.

Most senior level penetration testers in the industry, who are likely to be the ones who initial scope the penetration test and then lead the assignment, have at least five years dedicated experience and are certified to the senior level qualifications.

Specialist consultant’s would also be required to complete testing across more advanced or lesser known types of security assessment such as red teaming or mobile application testing.

It is therefore vital to ensure the penetration testing company has consultant’s with the right skill set available for your assignment, therefore it is advisable to review any resumes or LinkedIn  profiles for the consultant’s being potentially involved in the project, to ensure they have the relevant skills and experience.

  • Understanding the Companies processes and procedures

All good companies document all of their processes and procedures, some of which are usually available to their clients if requested. Typically, a penetration testing company should be able to provide the following information.

  • Methodologies (covering the different type of testing)
  • Client Engagement Process
  • Data Handling and Retention Policies
  • Complaints and Escalation Procedure
  • Standard Operating Procedures (Covering Penetration Testing Execution)
  • Quality Assurance Policies
  • Information Security Policies
  • Liability Insurance Certificates

This level of documentation should be mature, with policies and procedures being adhered to within the organisation, therefore, it would be wise to work with companies that do have their internal policies and procedure regularly audited.

Also, if an organisation utilises sub-contractors or works with contractors when fulfilling a penetration test, then the procedures for ensuring standardisation across contractors should also be documented. If a client handles sensitive information, the data handing and retention policies may have to align to certain requirements for such data.

Fortunately, most of the established companies working within the industry are dedicated to providing quality assurance for their services. Some companies go a step further and are measured in providing penetration testing services to a set standard, through being aligned to organisations such as CREST (The Council of Registered Ethical Security Testers) in the UK and globally, which has effective and comprehensive testing standards and methodologies in place. This standard could be considered similar to an organisation that has adopted the ISO27001 standard, but is more closely focused on the type of security services a company can offer, be it Penetration testing, incident response etc.

In order to achieved company status to the CREST standard, all policies, methodologies and processes are individually evaluated and have to confirm to a rigorous standard. These companies must also employ consultants who are security cleared to at least UK SC level and have been assessed and accredited to the highest standards of security testing. They can be trusted in order to ethically replicate the threat actors and provide pragmatic advice and direction on how to protect yourself against the constantly evolving threat landscape.

Conclusion In conclusion, when selecting a partner to provide penetration testing services, researching the company is a vital step in ensuring they are competent and experienced to provide you with the information security assurance you are hoping to achieve.

By: Rob Hughes and Keith Sharp

It can be difficult to know what to look for when searching for a strategic partner to assist you with your security and risk management processes. More specifically, understanding what makes a good penetration testing company is hard without pre-existing familiarity with the industry. In this blog we discuss the key factors that help identify a good penetration testing company.

A company or organisation can have many reasons for conducting a penetration test, including:

  • Gaining a better understanding of the effectiveness of their security defences
  • Ascertaining the risk levels of business-critical systems and their related processes
  • Meeting strict compliance requirements.

Whatever the reason an organisation commissions a penetration test, better security awareness and assurance, achieved by remediating the weaknesses found, are goals every organisation should aspire to.

Unfortunately, as with any industry, there are good and not-so-good security testing organisations out there selling services. InteliSecure have therefore put together an overview of the main areas that should be considered when selecting a security testing company as a strategic partner.

The following three commonly raised questions will be our starting point for this discussion:

  • How do you find a good penetration testing company?
  • What should you consider before engaging a penetration testing company?
  • How can you ensure that a penetration testing provider can perform the engagement to your requirements and meet your business needs?

To help an organisation answer these questions, InteliSecure have put together a high-level overview of what to look for and how to engage with the many organisations providing penetration testing services:

  1. Understanding what type of testing you require
  2. Ensuring the skill set of the third-party consultants can meet your requirements
  3. Understanding the company's processes and procedures, for example whether they are documented and aligned to a standard such as ISO 27001.

Let's look more closely at each of these areas.

  1. Understand the type of testing you require.

Penetration testing in its true form can be performed against many different technologies. It is usually carried out against either external or internal network infrastructure, which can include physical or virtual servers, workstations, firewalls, network switches, routers and many other IP-based devices and applications.

Once the scope of the assessment has been defined, you will have to indicate how you want the assessment to be performed. A penetration test, in its most basic description, is the simulation of an attacker attempting to identify and then exploit weaknesses in networked computer systems. The classic categories of attacker perspective that can be applied to a pen test are known as black box, grey box and white box; these are defined in basic terms below:

Black box tests are performed without any knowledge of the tested environment. The objective of a black box assessment is to assess the level of security as seen by a third party connected to the internal network or the internet who has no prior knowledge of the environment.

Grey box tests are performed with standard access or with only limited knowledge of the tested environment. The objective of a grey box assessment is to assess the level of security as seen by a legitimate user who has an account, along with general information about the tested environment.

White box tests are performed with knowledge of the internal structure, design and implementation of the tested environment.

Penetration testing is an offensive methodology aimed at replicating a typical attacker, and it can be scoped to focus on multiple areas of an organisation, including web applications. Generally, the methodology is best applied from a black box perspective, which is unauthenticated and has limited knowledge of the system. The concept is to enumerate available information, or to attempt to bypass or brute-force authentication, in order to gain an initial foothold.

Typically, a penetration test is completed under a set methodology that resembles the basic principles of the Open Source Security Testing Methodology Manual (OSSTMM), and it is scoped to include the subnet ranges, devices or IP addresses, and/or URLs that are to be covered by the assessment.
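To make the scoping step concrete, the following script is an added example, not InteliSecure's tooling, showing one way a client and a tester can decide unambiguously whether a given target falls inside an agreed scope expressed as subnet ranges, individual IP addresses and URLs. The scope entries and candidate targets are constructed for illustration; hostnames are matched exactly (no wildcard matching and no DNS resolution), which is an assumption of this example rather than anything the article prescribes.

```python
"""Rules-of-engagement scope check (added example, not InteliSecure tooling).

An agreed scope is a list of CIDR ranges, single IP addresses, hostnames or
URLs. A candidate target (bare IP, hostname, host:port, [v6]:port or URL) is
in scope only if its host matches a scoped hostname exactly or its address
falls inside a scoped network. All values below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def host_of(target: str) -> str:
    """Extract the host from a bare IP, hostname, host:port, [v6]:port or URL."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))  # bare IPv4/IPv6 literal
    except ValueError:
        pass
    # urlsplit only parses a netloc when the string has a scheme or starts "//".
    parsed = urlsplit(target if "://" in target else "//" + target)
    return (parsed.hostname or "").lower()


class Scope:
    """Agreed scope: IP networks plus exact hostnames."""

    def __init__(self, entries):
        self.networks = []
        self.hosts = set()
        for entry in entries:
            self._add(entry)

    def _add(self, entry: str) -> None:
        entry = entry.strip()
        try:  # "10.0.0.0/24" or a single address such as "192.0.2.10" (/32)
            self.networks.append(ipaddress.ip_network(entry, strict=False))
            return
        except ValueError:
            pass
        host = host_of(entry)  # e.g. "10.0.1.7" from "http://10.0.1.7/"
        try:
            self.networks.append(ipaddress.ip_network(host, strict=False))
        except ValueError:
            if host:
                self.hosts.add(host)  # hostname entry, matched exactly (assumption)

    def contains(self, target: str) -> bool:
        """True if the target's host is an in-scope address or exact hostname."""
        host = host_of(target)
        if not host:
            return False
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return host in self.hosts
        # Membership is version-aware: an IPv4 address is never in an IPv6 range.
        return any(addr in net for net in self.networks)


def classify(scope: Scope, targets) -> dict:
    """Map each candidate target to True (in scope) or False (out of scope)."""
    return {t: scope.contains(t) for t in targets}


# Constructed sample scope and targets (not from any real engagement).
AGREED_SCOPE = [
    "10.0.0.0/24",
    "192.0.2.10",
    "https://app.example.test/login",
    "2001:db8::/32",
]
CANDIDATE_TARGETS = [
    "10.0.0.57",                   # inside 10.0.0.0/24
    "http://10.0.1.3:8080/admin",  # 10.0.1.x is NOT in the /24
    "app.example.test:443",        # scoped hostname, port ignored
    "mail.example.test",           # hostname never agreed
    "[2001:db8:1::5]:22",          # inside 2001:db8::/32
    "192.0.2.10",                  # single scoped address (/32)
]

if __name__ == "__main__":
    for target, ok in classify(Scope(AGREED_SCOPE), CANDIDATE_TARGETS).items():
        print(f"{'IN ' if ok else 'OUT'}  {target}")
```

The check is deliberately conservative: a target whose host cannot be parsed, or whose hostname was never listed, is reported as out of scope, so anything outside the agreed list has to be raised with the client rather than silently tested.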

Many factors come into play when deciding which attacker perspective to assume for a penetration test, and these ultimately depend on the complexity, criticality and management of the systems that are to be targeted. For example, an organisation may outsource web application development and have limited visibility of the third party's detailed hosting information or prior penetration testing assurance, so a black box test may be the natural or only choice for assessing the solution.

Attacker perspective becomes very important for certain types of penetration testing, such as red team exercises. Red team penetration tests, by their nature, are almost always performed on live systems, can include social engineering tactics against company employees, and have fewer restrictions than other types of security assessment. Red team tests are typically goal based: the penetration testing team is given challenges such as gaining access to a specific system, or retrieving a password for a specific type of user within the network environment, from a specific starting point and level of knowledge about the environment (which may map to, for example, a standard employee or an employee in the IT department). Red team exercises must be pre-planned in agreement with IT security managers to avoid risk and preserve the integrity of the assessment (i.e. only selected employees know that attacks are taking place), so that the effectiveness of genuine defensive responses can be gauged both during the assessment (reviewing intrusion and security monitoring alerts) and afterwards (log analysis etc.). Therefore, to facilitate a successful red team exercise, black box and white box perspectives may have to exist in parallel to achieve the goals of the testing safely.

Ultimately, a good penetration testing company will always guide a client to the right choices for the environments to be tested, and should consider the requirements and constraints of the targeted systems when aligning the attacker perspective with the target(s) involved. Defence in depth can often be scoped and scrutinised more efficiently by a penetration testing company depending on what background information it has from the outset. Attacker perspectives can change depending on the information available, so the categories above are not rigid, and all good penetration testing companies will recognise and highlight any relevant issues when the perspective is unclear or has to change to best facilitate the proposed testing.

The main objective of penetration testing is essentially to ascertain to what extent the issues and vulnerabilities discovered within a specific environment can be exploited by an attacker, which systems can be breached and how (i.e. whether certain vulnerabilities can be combined and therefore pose additional or greater risk).

Penetration testing of specific types of technology can have its own overarching standards and methodologies, a prime example being applications. Focused application testing differs slightly from a true-form penetration test, as it is usually completed using multiple sets of credentials covering multiple roles (i.e. different levels of trust and access are assigned to the attacker perspective, aligned with the potential threats to the application). The principles of focused application testing are usually aligned to the Open Web Application Security Project (OWASP) and can cover web applications, mobile applications and thick-client or desktop applications. This type of testing aligns with the "grey box" perspective, as a minimum set of information is required to successfully cover the test cases the application naturally presents.

Most penetration testing companies also offer a compliance and auditing type of assessment, which can include authenticated build reviews of servers, workstations, firewalls and other network security devices, mobile devices and so on. This type of testing is not strictly penetration testing per se, but it can be used alongside typical testing to gain a more thorough and comprehensive overview of risk within the environment. When these services are combined in this way, the term "Health Check" is usually used to describe the process.

It is therefore essential that you fully understand the type of testing you require, as some compliance requirements, such as PCI and the Cyber Essentials scheme in the UK, require a combined "Health Check" approach.

The penetration testing company will usually ask, either in an initial meeting or via a scoping questionnaire, whether the testing is required to meet specific compliance requirements, so it is essential that you understand the type of testing you require before engaging with the third party. This will allow you to gauge whether the company can provide the type of testing you require and has the necessary skill set within its organisation, which leads us on to the next area.

  2. Ensuring the skill sets of the penetration testing consultants can meet your requirements

In addition to evaluating the penetration testing company as a whole, you should also take a close look at the actual consultants who will perform the engagement. A good penetration testing company will be able to instantly provide details of its consultants' professional backgrounds, along with any relevant qualifications or professional certifications they hold individually. Penetration testing, as a specialism, has become better known in the IT security industry, with many organisations offering different types of certification to assess an individual's competence in the subject. Certifications offer a way to ensure a baseline level of technical competence and of knowledge and understanding of the profession. However, a consultant who can study a subject and pass an exam may not have the expertise or experience to competently complete a penetration test to your unique requirements. Limitations of experience can exist within a pen testing company, so it should be expected that individuals with niche skills may not always be available across the board. However, good penetration testing companies conduct training or in-house research to keep their consultants' skill sets aligned with advances in technologies and tools, and to allow their consultants to broaden their repertoires.

Within a quote or proposal for penetration testing services from the third party (which would be produced following the scoping phase), a good penetration testing company would include information on the consultants likely to be involved in the assessment.

The following areas should be investigated for each consultant; a search on LinkedIn or Google will usually return useful results.

2.1 Expertise

Most penetration testing consultants will have graduated from university with some form of computer security or computer science degree, although this is not always the case. There are also many industry certifications that are far more focused on penetration testing than a generic degree.

Some of today's most commonly recognised certifications include Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) and Offensive Security Certified Professional (OSCP). In the UK there are the CREST certifications, Tigerscheme and Cyber Scheme, which are aligned to the UK National Cyber Security Centre (NCSC) CHECK scheme, which deals with Government, Police and other potentially sensitive data.

When it comes to continuing education, the SANS Institute is a private company that also offers high-quality information security and cybersecurity training, including penetration testing courses to hone ethical hacking skills in web application security assessments, social engineering, red team operations, wireless penetration testing and more.

Most competent penetration testing consultants hold at least one industry-standard certification focused on a specific area of penetration testing, so it is important to review each consultant's detailed resume to confirm this.

2.2 Experience

Experience within the penetration testing industry can be extremely broad, with many consultants coming into the industry directly from university or from another profession. However, for a focused penetration testing role it is essential that the consultant has gained experience in different areas, such as network infrastructure, application testing and compliance auditing, over the course of their career.

Most senior-level penetration testers in the industry, who are likely to be the ones who initially scope the penetration test and then lead the assignment, have at least five years' dedicated experience and hold senior-level qualifications.

Specialist consultants are also required for more advanced or less common types of security assessment, such as red teaming or mobile application testing.

It is therefore vital to ensure the penetration testing company has consultants with the right skill set available for your assignment. It is advisable to review the resumes or LinkedIn profiles of the consultants who may be involved in the project, to ensure they have the relevant skills and experience.

  3. Understanding the company's processes and procedures

All good companies document their processes and procedures, some of which are usually available to clients on request. Typically, a penetration testing company should be able to provide the following information:

  • Methodologies (covering the different types of testing)
  • Client Engagement Process
  • Data Handling and Retention Policies
  • Complaints and Escalation Procedure
  • Standard Operating Procedures (covering penetration testing execution)
  • Quality Assurance Policies
  • Information Security Policies
  • Liability Insurance Certificates

This documentation should be mature, with the policies and procedures actually adhered to within the organisation; it is therefore wise to work with companies that have their internal policies and procedures regularly audited.

Also, if an organisation uses sub-contractors or works with contractors when fulfilling a penetration test, the procedures for ensuring standardisation across contractors should also be documented. If a client handles sensitive information, the data handling and retention policies may have to align with specific requirements for that data.

Fortunately, most of the established companies in the industry are dedicated to providing quality assurance for their services. Some companies go a step further and are assessed against a set standard for providing penetration testing services, through alignment with organisations such as CREST (the Council of Registered Ethical Security Testers) in the UK and globally, which has effective and comprehensive testing standards and methodologies in place. This standard could be considered similar to an organisation adopting ISO 27001, but it is more closely focused on the type of security services a company can offer, be it penetration testing, incident response, etc.

To achieve company status under the CREST standard, all policies, methodologies and processes are individually evaluated and must conform to a rigorous standard. These companies must also employ consultants who are security cleared to at least UK SC level and have been assessed and accredited to the highest standards of security testing. They can be trusted to ethically replicate threat actors and to provide pragmatic advice and direction on how to protect yourself against the constantly evolving threat landscape.

Conclusion

When selecting a partner to provide penetration testing services, researching the company is a vital step in ensuring it is competent and experienced enough to provide the information security assurance you hope to achieve.


Cisco® Email Security Appliance (Cisco® ESA) Non-RFC MIME Format Executable Attachment Bypass (CSCvh03786) (CVE-2018-0419)

In October 2017 InteliSecure were performing penetration testing activities for an important client. One of the tasks involved performing tests against the client's E-Mail content analysis systems. Various types of E-Mail were sent with attached executable files, compressed and encrypted in various ways. These were blocked by the content analysis device, Cisco® Email Security Appliance (Cisco® ESA), previously known as IronPort.

In addition, E-Mails were sent with several types of malformed MIME formatting, with executables attached in non-standard ways. One of these E-Mails passed the executable blocking rules: Cisco® ESA reported it as an E-Mail without an attachment, yet Microsoft® Outlook accepted it as a valid E-Mail with an executable attachment. It was found that various other types of file could be sneaked past Cisco® ESA using the same method. Interestingly, if the malicious E-Mail was then forwarded outside the organisation via Cisco® ESA, the same executable was blocked.

Whilst the CVSS3 score given by Cisco® in their advisory in August 2018 was 5.3, based on a minor integrity weakness in Cisco® ESA, the impact of this vulnerability could be greater given that malicious E-Mail is used to proliferate malware-infected files such as Trojans, viruses and ransomware. The exponential growth in E-Mail-borne attacks has been observed since the beginnings of the security industry and continues, given the ease with which new malware can be developed using tools available on the Dark Web.

Cisco® ESA versions 10.0.0-203 and 11.0.0-264 are known to be affected. Cisco has listed the issue as 'Fixed' but has not indicated where updated ESA software can be downloaded.

One interim workaround may be to create custom rules that look for strings such as '.exe', '.com', '.dll' and '.ps1' and block E-Mails matching them; however, because of the behaviour of the Microsoft CreateProcess API, executables with non-matching extensions may still execute.
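The caveat in the workaround above is worth seeing in code: an extension block list is defeated by renaming, whereas the Windows loader does not care what the file is called. The following script is an added example, not InteliSecure's or Cisco's code, and it does not reproduce the MIME malformation that bypassed the appliance. It parses a constructed message with Python's standard email library and compares an extension-only rule with a rule that inspects each decoded part for an executable magic number (the PE "MZ" header); the "executable" attached is a fake header, not a runnable program.

```python
"""Detecting executable attachments by content rather than by filename.

Added example for this page (not InteliSecure's or Cisco's code). It shows
why the interim extension rule (".exe", ".com", ".dll", ".ps1") is weak and
how checking the decoded payload for an executable magic number catches a
renamed binary. The message and the "executable" (a fake PE header, not a
runnable program) are constructed here.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions named in the interim workaround above.
BLOCKED_EXTENSIONS = (".exe", ".com", ".dll", ".ps1")

# Magic numbers checked on the decoded payload, independent of the filename.
MAGIC_SIGNATURES = {
    b"MZ": "pe-executable",      # DOS/PE header shared by .exe, .dll, .scr ...
    b"\x7fELF": "elf-executable",
}


def build_sample_message() -> bytes:
    """Construct a test message (not a captured e-mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please find the report attached.")
    # Fake PE header: "MZ" magic plus padding, deliberately not a valid binary.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 32
    # Renamed to a .txt extension, so an extension-only rule will not match.
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="report.txt")
    # A harmless text attachment that must not be flagged.
    msg.add_attachment("Meeting notes", filename="notes.txt")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list[dict]:
    """One finding per leaf MIME part matching an extension or a magic number."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""
        # May be empty: a part with no filename is still inspected.
        filename = part.get_filename() or ""
        extension_match = filename.lower().endswith(BLOCKED_EXTENSIONS)
        content_match = next((label for magic, label in MAGIC_SIGNATURES.items()
                              if payload.startswith(magic)), None)
        if extension_match or content_match:
            findings.append({
                "filename": filename,
                "content_type": part.get_content_type(),
                "extension_match": extension_match,
                "content_match": content_match,
            })
    return findings


def extension_rule_blocks(raw: bytes) -> bool:
    """The interim rule from the write-up: block only on a blocked extension."""
    return any(f["extension_match"] for f in scan_message(raw))


def content_rule_blocks(raw: bytes) -> bool:
    """Block when any leaf part's decoded bytes start with an executable magic."""
    return any(f["content_match"] for f in scan_message(raw))


if __name__ == "__main__":
    sample = build_sample_message()
    print("extension rule blocks:", extension_rule_blocks(sample))  # False: renamed to .txt
    print("content rule blocks:  ", content_rule_blocks(sample))    # True: MZ header found
    for finding in scan_message(sample):
        print(finding)
```

Both rules walk every leaf MIME part, including parts that carry no filename, so a part a gateway does not classify as an attachment is still inspected; the content check is what makes the renamed binary visible, and it is the kind of rule a downstream scanner can apply regardless of the declared name or type.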

InteliSecure recommends that endpoint security and anti-virus products be kept up to date. Application whitelisting should also be implemented so that users can only execute authorised executables. Additional Intrusion Detection or Intrusion Prevention devices could also be considered. To defend against ransomware, InteliSecure recommends that offline backups be taken of all important data. If an incident occurs, backups should be scanned to ensure that files are not infected before they are restored.

Please refer to the Cisco Advisory for further information: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh03786

InteliSecure would like to thank our client for allowing us to pursue this vulnerability to try and encourage a fix to be produced.

InteliSecure would also like to thank the Cisco® developers and PSIRT for dealing with this issue rapidly.

If any organisations are unsure whether their Cisco ESA system is vulnerable InteliSecure would be happy to discuss this issue further.


The Proper Role of Cyber Insurance in Enterprise Risk Management

In AT&T's 2017 Global State of Cybersecurity survey, 28% of respondents saw cyber insurance as a replacement for cyber defenses. Part of the issue is frustration with the apparent lack of effectiveness of cyber spend in reducing the prevalence of incidents, while part of the issue is a desire to make this problem someone else's problem. But the fundamental issue is actually a misunderstanding of risk management.

Risk Management

One of my favorite similes in Information Security is that risk is like energy: it cannot be created or destroyed; it simply changes form. Risk has four forms of treatment: acceptance, avoidance, mitigation, and transference. All risk, whether identified or unidentified, falls into one of the four categories. Information Security is a risk mitigation strategy and cyber risk insurance is a risk management strategy. Therefore, if you were to ask me whether you should mitigate risk or transfer risk, my answer would be "Yes." You should do both to varying degrees, and the proper amount of investment in each depends on the risk profile of your organization, but asking whether you should do one or the other indicates a misunderstanding of risk and risk treatment. Therefore, even though most readers are likely familiar with the terms defined below, it is clear that understanding of these terms is not ubiquitous.

Risk Acceptance

This is the default strategy. If you were to do nothing at all to identify or treat the risk in your business, the risk would still exist. Consequently, ignorance of risk is de facto acceptance of that risk. Put another way, in order to apply any risk treatment strategy other than acceptance, the risk must first be identified and then treated. If risk is not identified, the vast majority of it is automatically accepted. Risk acceptance is not necessarily bad, so long as the risk is identified and consciously accepted by someone who has the authority to accept that level of risk on behalf of the organization. I often tell people that CISOs who get into the business of accepting risk on behalf of the organization are the reason the average tenure of a CISO is so short. Some minor risk can be accepted by the business units, but risk acceptance is generally the domain of the CEO.

Risk Avoidance

Risk avoidance is sometimes popular in organizations with limited resources because it has no direct cost. This strategy essentially says that if something is risky, we will simply not do it. The classic example of risk avoidance is turning off USB access for all employees because you are concerned that sensitive data will leak. A risk mitigation strategy for loss of sensitive data is to deploy a Data Loss Prevention technology, but those technologies may appear expensive to deploy and maintain, so the organization instead chooses to disable a core capability of its computing environment. While disabling the capability may have no direct cost, there is often a significant opportunity cost in lost productivity. Since risk avoidance is generally accomplished by limiting features of the IT environment, risk avoidance, or the lack thereof, is likely the domain of the CIO. While risk avoidance can be a problem from an opportunity cost perspective, it is often more of a problem when a CIO deploys a change or a technology that removes the avoidance of a risk without working with the CISO to mitigate that risk, and instead accepts the risk on behalf of the CEO. This is a recipe for disaster that manifests itself time and again.

Risk Mitigation

The entirety of cyber security falls into risk mitigation. Everything the CISO does is a mitigation strategy, whether the solutions he or she deploys are people, process, technology, or any mix of the three. It is notoriously difficult to quantify risk mitigation, as it is hard to quantify what did not happen but likely would have happened had a specific control not been in place. However, since risk is neither created nor destroyed, it is much easier to quantify accepted or avoided risk. Looking at risk mitigation as movement from one of the other categories allows an organization to quantify the risk in its environment and therefore weigh the benefit of the aggregate of its risk mitigation strategies against their cost.

Risk Transference

Risk Transference is the classic insurance use case. The problem with risk transference is that you can only transfer risk for the direct costs associated with an incident. While this is a minor problem for insurance products like home and auto, it is a major issue for cyber risk insurance given that a full 66% of an average breach in the United States is categorized as an indirect cost. Put another way, if you are one of the 28% of companies that use cyber risk insurance as a replacement for cyber defense, your best case result is that you have transferred 34% of your risk and accepted 66%. In reality, you have likely not identified and transferred all risk factors, so you are likely accepting upwards of 80% of your risk. If you are the CEO and highly risk tolerant, this might be an acceptable strategy, if you are not, you likely don’t have the authority to make such a bold decision. Because risk transference is a strategy that is generally associated with buying down identified risk, it is most often the domain of the CFO.

The Genius of the AND

Jim Collins is an influential author of business philosophy books who has a multitude of quotable sayings, but one of the concepts that he is known for is the tyranny of the OR and the genius of the AND. This is applicable to risk management in a profound way. Those that are asking if they should buy a cyber risk insurance policy OR deploy cyber defenses are asking the wrong question. Essentially, a healthy organization should have Risk Mitigation strategies AND Risk Transference strategies AND Risk Acceptance Strategies AND likely some Risk Avoidance strategies. Ultimately, the quantity of risk and the likelihood that risk materializes are the factors that should go into the calculation of a Risk Transference premium, so it could be argued that Risk Transference should be the final strategy deployed in order to avoid accepting risk that cannot be mitigated or avoided. Unfortunately, too many organizations are trying to finish before they start and leading with the end.

Conclusion

While all four risk management strategies are important to treat risk in an organization of any size, it is important to ensure we do not allow frustration to prevent us from deploying sensible risk mitigation strategies. The truth is there is no easy button. That includes cyber risk insurance. It’s true that cyber risk insurance is a relatively immature market, but regardless of how much it matures, it will always be a part of the equation of how to treat risk and not the answer. Just as light energy and heat energy are inextricably linked, risk mitigation, risk transference, risk avoidance, and risk mitigation will always be components of a sensible risk mitigation strategy. The proportions of each will vary by organization, but they will all be omnipresent. So the answer to the question of whether an organization should buy a cyber insurance policy or build a program to mitigate as much risk as possible, is “Yes!”, and it always will be.

In AT&T’s 2017 Global State of Cybersecurity survey, 28% of respondents saw cyber insurance as a replacement for cyber defenses. Part of the issue is frustration with the apparent lack of effectiveness of cyber spend in reducing the prevalence in incidents, while part of the issue is a desire to make this problem someone else’s problem. But the fundamental issue is actually a misunderstanding of risk management.

Risk Management

One of my favorite similes in Information Security is that risk is like energy: it cannot be created or destroyed, it simply changes forms. Risk has four forms of treatment: acceptance, avoidance, mitigation, and transference. All risk, whether identified or unidentified, falls into one of the four categories. Information Security is a risk mitigation strategy and cyber risk insurance is a risk transference strategy. Therefore, if you were to ask me whether you should mitigate risk or transfer risk, my answer would be “Yes”. You should do both to varying degrees, and the proper amount of investment in each depends on the risk profile of your organization, but asking whether you should do one or the other indicates a misunderstanding of risk and risk treatment. So even though most readers are likely familiar with the terms defined below, it is clear that understanding of these terms is not ubiquitous.

Risk Acceptance

This is the default strategy. If you were to do nothing at all to identify or treat the risk in your business, the risk would still exist. Consequently, ignorance of risk is de facto acceptance of that risk. Put another way, in order to apply any risk treatment strategy other than acceptance, the risk must first be identified. If risk isn’t identified, the vast majority of it is automatically accepted. Risk acceptance isn’t necessarily bad, so long as the risk is identified and consciously accepted by someone who has the authority to accept that level of risk on behalf of the organization. I often tell people that CISOs who get into the business of accepting risk on behalf of the organization are the reason the average tenure of a CISO is so short. Some minor risk can be accepted by the business units, but risk acceptance is generally the domain of the CEO.

Risk Avoidance

Risk avoidance is sometimes popular in organizations with limited resources because it has no direct cost. This strategy essentially says: if something is risky, we will simply not do it. The classic example of Risk Avoidance is turning off USB access for all employees because you are concerned sensitive data will leak. A risk mitigation strategy for loss of sensitive data is to deploy a Data Loss Prevention technology, but those technologies may appear expensive to deploy and maintain, so the organization instead chooses to disable a core capability of its computing environment. While disabling the capability may not have a direct cost, there is often a significant opportunity cost in the form of lost productivity. Since risk avoidance is generally accomplished by limiting features of the IT environment, risk avoidance, or the lack thereof, is likely the domain of the CIO. While risk avoidance can be a problem from an opportunity cost perspective, it is often a bigger problem when a CIO deploys a change or a technology that undoes the avoidance of a risk without working with the CISO to mitigate that risk, and thereby accepts the risk on behalf of the CEO. This is a recipe for disaster that manifests itself time and again.

Risk Mitigation

The entirety of cyber security falls into risk mitigation. Everything the CISO does is a mitigation strategy, whether the solutions he or she deploys are people, process, or technology solutions, or any mix of the three. It is notoriously difficult to quantify risk mitigation, as it is hard to quantify what didn’t happen but likely would have happened if a specific control were not in place. However, since risk is neither created nor destroyed, it is much easier to quantify accepted or avoided risk. Looking at risk mitigation as movement out of one of the other categories allows an organization to quantify the risk in its environment and therefore weigh the aggregate benefit of its risk mitigation strategies against their cost.

Risk Transference

Risk Transference is the classic insurance use case. The problem with risk transference is that you can only transfer risk for the direct costs associated with an incident. While this is a minor problem for insurance products like home and auto, it is a major issue for cyber risk insurance given that a full 66% of the cost of an average breach in the United States is categorized as an indirect cost. Put another way, if you are one of the 28% of companies that use cyber risk insurance as a replacement for cyber defense, your best case result is that you have transferred 34% of your risk and accepted 66%. In reality, you have likely not identified and transferred all risk factors, so you are likely accepting upwards of 80% of your risk. If you are the CEO and highly risk tolerant, this might be an acceptable strategy; if you are not, you likely don’t have the authority to make such a bold decision. Because risk transference is a strategy generally associated with buying down identified risk, it is most often the domain of the CFO.

The Genius of the AND

Jim Collins is an influential author of business philosophy books who has a multitude of quotable sayings, but one of the concepts that he is known for is the tyranny of the OR and the genius of the AND. This is applicable to risk management in a profound way. Those that are asking if they should buy a cyber risk insurance policy OR deploy cyber defenses are asking the wrong question. Essentially, a healthy organization should have Risk Mitigation strategies AND Risk Transference strategies AND Risk Acceptance Strategies AND likely some Risk Avoidance strategies. Ultimately, the quantity of risk and the likelihood that risk materializes are the factors that should go into the calculation of a Risk Transference premium, so it could be argued that Risk Transference should be the final strategy deployed in order to avoid accepting risk that cannot be mitigated or avoided. Unfortunately, too many organizations are trying to finish before they start and leading with the end.
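To make the conservation argument in the Risk Mitigation, Risk Transference and Genius of the AND sections concrete, here is an added worked model (my own example, not code from the original post) that partitions an annualized expected loss across the four treatments, applying the post's 66% indirect-cost figure as the cap on what a policy can transfer. The `Risk` fields and the register values are constructed assumptions.

```python
from dataclasses import dataclass

# Share of an average U.S. breach cost that is indirect, as cited in the post.
# Only the direct remainder can be transferred to an insurer.
INDIRECT_COST_SHARE = 0.66


@dataclass
class Risk:
    name: str
    expected_loss: float      # annualized expected loss in dollars (constructed)
    identified: bool = True   # unidentified risk is accepted by default
    avoided: bool = False     # capability switched off, so the loss cannot occur
    mitigation: float = 0.0   # fraction of expected loss removed by controls
    insured: bool = False     # a policy covers the direct-cost remainder


def treat(risks):
    """Partition total expected loss across the four treatments.

    Risk is neither created nor destroyed: the four buckets always sum to the
    register's total expected loss. Treatments apply in the order the post
    argues for: avoid, then mitigate, then transfer, and accept what is left.
    """
    buckets = {"accepted": 0.0, "avoided": 0.0, "mitigated": 0.0, "transferred": 0.0}
    for r in risks:
        if not r.identified:
            buckets["accepted"] += r.expected_loss   # ignorance is acceptance
            continue
        if r.avoided:
            buckets["avoided"] += r.expected_loss
            continue
        mitigated = r.expected_loss * r.mitigation
        remaining = r.expected_loss - mitigated
        buckets["mitigated"] += mitigated
        if r.insured:
            direct = remaining * (1 - INDIRECT_COST_SHARE)
            buckets["transferred"] += direct
            remaining -= direct                      # indirect costs stay with you
        buckets["accepted"] += remaining
    return buckets


def accepted_share(risks):
    """Fraction of the register's total expected loss that ends up accepted."""
    b = treat(risks)
    total = sum(b.values())
    return b["accepted"] / total if total else 0.0


# Constructed register: one breach scenario with $1M/year expected loss.
insurance_only = [Risk("data breach", 1_000_000, insured=True)]
layered = [Risk("data breach", 1_000_000, mitigation=0.5, insured=True)]
with_unknown = layered + [Risk("unreviewed data export", 500_000, identified=False)]
```

With insurance alone the model reproduces the post's 34% transferred / 66% accepted split; adding a control that halves the expected loss before insuring drops the accepted share to 33%, and an unidentified risk pushes it straight back up.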

Conclusion

While all four risk management strategies are important to treat risk in an organization of any size, it is important to ensure we do not allow frustration to prevent us from deploying sensible risk mitigation strategies. The truth is there is no easy button. That includes cyber risk insurance. It’s true that cyber risk insurance is a relatively immature market, but regardless of how much it matures, it will always be part of the equation of how to treat risk and not the answer. Just as light energy and heat energy are inextricably linked, risk acceptance, risk avoidance, risk mitigation, and risk transference will always be components of a sensible risk management strategy. The proportions of each will vary by organization, but they will all be omnipresent. So the answer to the question of whether an organization should buy a cyber insurance policy or build a program to mitigate as much risk as possible is “Yes!”, and it always will be.
