Cyber Crime Protection – Evaluate and Segment Data
It only seemed like yesterday that when business owners were asked about network security their focus was on identity theft protection and/or compliance with the different state and federal privacy laws. Those concerns are now elevating to the more destructive and finacially devistating risks of cyber crimes. At the beginning of this year I wrote a blog about how I was advancing my security skills from identity theft protecter to cyber warrior. I even posted a chapter-by-chapter review of the book “Cyber Warfare”, by Jason Andress and Steve Winterfeld. It doesn’t mater what industry your in, the size of your company , or the complexity of your computer network because if you can be found on Google, Bing, Yahoo, LinkedIn, FaceBook, Twitter, etc.then your business is at risk. All you can do now is limit your exposure and midigate the damages.
A Risk-Based Approach to Combating Cyber Crime
—by Rich Baich, principal, and Peter Makohon, senior manager, Deloitte & Touche LLP and leaders of the Deloitte Center for Security & Privacy Solutions.
How companies can use threat modeling and other strategies to help thwart increasingly sophisticated cyber attacks.
Cyber crime targeted at companies continues to increase in frequency and severity. Today’s cyber criminals have become adept at finding weaknesses in the assets and defenses of secured IT environments, and exploiting them to gain access.
To counter this threat, companies are embracing a risk-based approach to security that involves using threat modeling to identify system vulnerabilities and then applying threat intelligence to address existing and emerging threats. And they are reevaluating the way they apply often limited security resources: Tasks addressing minor threats are automated, thus freeing IT security experts on staff to focus their attention on more important threats.
In this first of two articles on system security, we explore a more effective risk-based approach to combating cyber crime—one that focuses on prioritizing which data and information to protect based on its value and risk-related significance to the organization.
Shifting the Approach
Cyber crimes are numerous and varied. They include fraud, misdirection of communication, theft of intellectual property, identity theft, corporate espionage, system sabotage, data theft and destruction, money laundering, and terrorism, among others. Relatively few organizations have recognized that organized networks of cyber criminals, rather than hackers, are their greatest potential cyber security threat; even fewer are prepared to address this threat.
As a result, organizations tend to employ security-based, “wall-and-fortress” approaches to address the threat of cyber crime, but in most cases these are insufficient. Yes, blocking what is coming into the environment is useful and necessary. But this can be accomplished by less expensive and potentially more selective means than are often employed. Furthermore, risk-based approaches—coupled with a focus on what is leaving the IT environment as well as on what is entering it—hold potentially greater value than traditional security-based, “wall-and-fortress” strategies.
Consider this: Cyber criminals view a system from a process perspective, focusing on finding process vulnerabilities that may have been overlooked in the traditional security assessments companies perform. Once inside, they can exploit the system in ways that the organization did not—and cannot—anticipate or defend against. While security personnel are intently watching their information-manager screens to monitor access to the environment, the cyber criminals are already inside. By shifting the security focus to include monitoring and identifying data that leaves the environment, organizations can detect activities that may alert them to the presence of an intruder in the system.
Priorities and Values
A risk-based approach starts with the assumption that an unauthorized user can gain access to the system. With this in mind, the organization undertakes a process of threat modeling in which security experts look at the entire IT environment and document threats—existing or emerging—and their potential impact on the security posture of the organization. Through this process, an organization can achieve a better understanding of its IT environment, the ways that business processes overlay that environment, and finally, the security controls that are either in place or needed.
Given the creativity and resourcefulness of cyber criminals, it is important that organizations consider non-traditional threats as they carry out their threat modeling exercises. For example, consider the kiosks that operate in some department stores. To the retailer, this kiosk and the customer interface it provides may seem low risk. After all, it only provides access to a catalog and job listings. To cyber criminals, however, this kiosk offers a way to get into a corporate network. A threat model that includes assessments of non-traditional assets would anticipate the threat that this kiosk presents a security risk: a network access point that is not adequately secured.
With the knowledge or “threat intelligence” accrued through the threat modeling process, the organization can then design responses based on the value of the data that could be compromised by an unauthorized user. This calls for prioritizing data and information based on their value to the organization or other useful criteria. The organization can then select the data and information on which to focus its resources, and determine how much to spend and which tools to use to protect these assets. The most valuable data, such as product formulations and sensitive financial and legal information, can be tagged and monitored so that the organization knows where they are, where they are going, where they have gone—and on whose authority. Resources can then be shifted away from less valuable data, such as website activity.
This approach can help an enterprise shift away from building a “great wall” against threats, and move toward employing greater resources to address the most significant ones. It takes effort, expense, training, and resources to develop a system of categorization by value and to track data after it leaves the organization. But once in place, it pays for itself in many times over in efficiency and effectiveness.
In a nutshell, the benefits of a risk-based approach include the ability to:
- Develop a more in-depth understanding of an IT environment, and of its strengths and vulnerabilities.
- Accrue actionable risk intelligence Define the value and risk-related significance of categories of data, and prioritize and protect them accordingly.
- Analyze previous security incidents to identify “lessons learned”.
- Identify customers, suppliers, service providers, and other parties that have compromised devices inside their networks.
- Analyze malicious code on compromised machines to develop cyber intelligence.
- Track compromised data that has left or is leaving the organization.
- Understand the organization’s susceptibility to persistent, sustained access by cyber criminals.
Breaking Down Organizational Silos
Given the sophistication, complexity, and evolution of the techniques and technologies used in cyber crime, even a sizable organization with ample IT resources may find it difficult to plan and implement an adequate response by itself. Therefore, CIOs, CSOs (chief security officers), CROs (chief risk officers), and cyber security professionals should consider pooling resources, and share information, technologies, and techniques in their battle against cyber crime. This can be done without revealing sensitive corporate or competitive information.
Internally, companies can strengthen their ability to perform value-added analysis by sharing and pooling data on fraud, loss prevention, and information security across the organization. In the second article in this two-part series, we will examine how organizations can develop actionable intelligence about cyber threats by sharing and combining critical information across traditional organization “silos”.