Cutting through the noise in evaluating Cyber Security risk

Cyber security expert Alex Haynes outlines some of the ways that organisations can cut through the noise and efficiently evaluate cyber security risk.

For the average user the steady diet of news about hacking and data breaches can be overwhelming. Within an enterprise context this can become even more acute due to the wide array of technologies that are in use and the abundance of ‘threat feeds’ bringing in the latest and greatest vulnerabilities that might affect you and your company.

When trying to cut through the noise on issues of cyber security many companies can adopt a few baseline rules to make the job easier.

Don’t forget your threat model

Every company should have a threat model which maps out who your enemies or potential enemies are. For example, if your company has any political affiliations then you may be targeted by Hacktivists. If you work with governments then nation-state attackers may take an interest in you, and this may also be the case if you deal with intellectual property. All entities will be affected by ‘non-targeted’ attacks – this refers to automated bots that crawl the net looking for specific vulnerabilities, such as exposed databases, without caring much for who you are or what info you have. ‘Script kiddies’ also fall into this category – these are individuals who have no hacking skills whatsoever but have learnt to use one or two automated tools that can exploit vulnerabilities without understanding how they work or what they are doing.

Learn how ‘exploitability’ works

If you based your decisions on what is safe or what isn’t solely on the mainstream press you would be forgiven for thinking that ‘Cyberpocalypse’ is upon us and that we are all doomed and can be hacked at the drop of a hat. Nothing could be further from the truth. First of all, there is no correlation between the amount of news coverage a ‘threat’ receives and how likely it is to happen. Back in 2015, anyone with an Android device was deemed ‘hackable’ because of a vulnerability called ‘Stagefright’ that affected 99% of all Android devices. When the dust, settled, the total number of infections cause by this threat was zero.

Exploiting a vulnerability requires many steps to happen in a specific order, and for vulnerabilities where a specific individual is targeted then those steps become even more contrived. This is why your threat model is very important. If you have any vulnerabilities that require someone to be in physical proximity (for example, to take over your wi-fi network) then you can discount these almost instantly because only nation-state attackers will invest in the resources required to pull these off. They are high-risk and can often fail – the incident in the Hague attempted by some Russian nationals last year ended in catastrophic failure as they attempted (allegedly) to attack the wi-fi networks of the UN OPCW. They were rounded up, had all their equipment confiscated and sent back to Russia – the only thing that saved them in the end being their diplomatic passports.

Map your technology to threat intelligence

The last piece of the puzzle is knowing which threats affect you. To evaluate this effectively you need to map out which technologies you have and then be able to filter the new threats that appear and map them to your technologies. If you have your threat model inline and understand exploitability then this third piece will come naturally, and you can effectively operate a ‘triage’ of new threats to see if you will be affected, and if so, how likely it is to cause you trouble. Once you’ve filtered these you can plan remediation activity on the threats that are more serious, which usually involves updating systems or putting in more mitigating controls to protect your assets.

It goes without saying that the above can be automated to an extent but this is completely dependent on resources and budget, since there is already a plethora of tools and vendors that can do the above for you at a cost, or you can just bring this in-house and do it yourself, but this would require more manpower and thus more resources.

Once you have these pillars in place, you can evaluate cyber security risk more efficiently and cut through the torrent of news that won’t do you any harm, and cut through to the threats that you should really be focusing on.


To read more from Alex click here.

Topics: Investment Management, Insurance, Banking, Consumer, Technology Media and Telecoms, Data Privacy & Information Security

May 2, 2019
Talk to an expert

Written by Alex Haynes

Alex Haynes is a former pentester with a background in offensive security and is credited for discovering vulnerabilities in products by Microsoft, Adobe, Pinterest, Amazon Web Services, IBM and many more. He is a former top 10 ranked researcher on Bugcrowd and a member of the Synack Red Team. He is currently CISO at CDL. Alex is a regular contributor to various cyber security publications and speaks at security conferences on topics related to offensive security.