How Do I Measure Risk If Every Other Risk Can Completely Compromise My Organization?

It is a strange time to be in cybersecurity risk management. When did cybersecurity risk management become so binary?

Risk management has never been an easy, straightforward process. It has always involved a lot of estimating and guessing, with far more subjectivity involved than empirical, easy-to-see measurements. I mean, how can you possibly estimate your odds of getting hit by ransomware this year, how bad the damage might be, and whether you get hit by the double-extortion variant or not? It is all a guessing game.

Theoretically, risk management is a math and statistics exercise with a lot of word problems. Risk managers identify all of the possible threats and assess each risk as the potential severity of the damage if a particular threat occurs, times the likelihood of that threat occurring in a given time period.

Risk = Likelihood of Threat x Estimated Damage from Threat if it Occurs

Or, even more simply:

Risk = Probability x Severity

After identifying and evaluating all threats, risk managers are supposed to focus first and best on the threats with the biggest estimated risk-weighted damage. High-risk events can be a single very high-severity event with a low likelihood of occurring (e.g., a natural disaster) or more numerous, less severe events with a higher likelihood of occurring (e.g., lost or stolen laptops, power outages).

Risk management decisions can be represented by a “heat map” (summarized below) to show what types of threats and risks should be focused on first, to the exclusion of less severe and less frequent events.

[Image: risk heat map (no alt text provided)]

Or at least this is the way the theoretical risk management dream is supposed to go.

The problem is that in the cybersecurity world, nearly every other threat can completely, critically compromise your environment. And these days, with ransomware in the picture, it starts to paint a risk picture that looks like a far more binary heat map, with a whole lot of red (see below):

[Image: mostly-red heat map (no alt text provided)]

Yes, you can get lucky and get hit by a less severe cybercrime than, let’s say, ransomware, but nearly every possible intrusion can easily turn into a full-scale ransomware event. I have tracked the ways hackers and malware can break into a device or network. Here are the ways:

· Programming Bug (patch available or not available)
· Social Engineering
· Authentication Attack
· Human Error/Misconfiguration
· Eavesdropping/MitM
· Side Channel/Information Leak
· Brute Force/Computational
· Data/Network Traffic Malformation
· Insider Attack
· Third Party Reliance Issue (supply chain/vendor/partner/etc.)
· Physical Attack

The problem is that today’s attackers are often gaining access using any one of those methods (although social engineering, unpatched software and password issues are the top threats), and then often deploying ransomware. Back in yesteryear, if you got compromised by hackers or malware, it was often not the worst-case scenario. Even the worst-case scenarios (e.g., a macro-based email worm) were not that bad. You had to fight for a day or two to put down an email or scripting worm…it ruined your day for a day or two, and then things went back to normal.

It is not that way anymore. Basically, if you have a vulnerability that a hacker can find, that access is going to find its way to a ransomware gang or professional cybercriminal who is going to try to cause as much damage and downtime as possible. Every victim company is a big bag of money, and they want it. Today, if you get hit by hackers and malware, you are thanking the gods that you were only completely down for a couple of days. Heck, if you only get hit by first-generation ransomware that only wants to encrypt your files and not today’s “double-extortion” variant, you will be celebrating a little bit.

It has made me thankful that I am not a risk manager. How do you manage risk when any social engineering attack, any missed patch, any stolen password can turn into a full-blown, multi-week, data-is-exfiltrated-and-hacker-is-looking-for-$10M-extortion-payment event? Suddenly, every possible cyber attack starts looking like either red or green, with very little in between.

Yes, there are still plenty of less severe risks, but most cybersecurity risks literally start as part of an extended “kill chain” and end with complete compromise of the environment. Yeah, minor information leaks or adware do not really hurt an organization that much…but social engineering, eavesdropping, malware, unpatched software and all those other things can ultimately lead to complete control and ownership of the environment by a bad party. Even the seemingly more harmless things like adware really are not harmless. Whatever way the adware made it into the environment is the same way something a lot more dangerous…ransomware, a remote backdoor trojan, password-stealing malware, etc., could get in. The adware is just the canary in the coal mine. You ignore the ultimate lesson of finding it at your own peril.

Solution

So, if nearly every other cyber attack can take down a company, how do you measure risk?

One, I think everyone in risk management needs to understand that cybersecurity risk is looking more binary these days. You are either going to have a really bad year or you are not. If you look at the incidence of ransomware, for example, most surveys say that about 25% to 50% of organizations get hit by it in a given year. You can look up the costs associated with ransomware for your organization. They are all over the Internet, and unfortunately, all over the board. If it were me, I would contact my cybersecurity insurance company (if I had cyber insurance) and get their take on the odds, average ransomware costs, average downtime, etc. (for all companies, not just insured companies). Cybersecurity insurance companies are pretty good at revealing the real figures. They know the numbers per industry and size of company. In general, the figures I see from insurance companies are on the low side. It does not mean you will not be the next organization asked to pay $25M by a ransomware gang, but the best you can do is play the odds. Figure out the odds and costs for the worst-case scenarios (e.g., ransomware, wiperware, data exfiltration, etc.) and plug that in as your maximum risk cost.

Then, and this is important, look at the ways that hackers and malware will most likely break into your organization. The most common root-cause exploitation methods are, in order of importance:

· Social engineering (involved in 50% to 90% of all attacks)
· Unpatched software (involved in 20% to 40% of all attacks)
· Password issues (involved in about 10% to 15% of all attacks)

Nearly every other root cause is a very distant fourth. All of the other causes added together likely do not amount to 10% of the overall risk to most organizations. You need to focus on mitigating social engineering, patching better, using non-phishable multifactor authentication (MFA) where you can, and using a different long and complex password for every website and service where you cannot use MFA.
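As an added worked example (not part of this article), the following Python script puts the Risk = Probability x Severity formula and the heat map from the start of the article next to the root-cause figures just given. It scores a constructed risk register two ways: with each threat carrying its own severity, and with every initial-access threat inheriting the full-compromise severity, as the article argues it should. It then turns the article's 25% to 50% chance of a ransomware year and the root-cause percentages into an annualized loss range and a per-cause split. The register entries, likelihood scores, heat-map thresholds and the $2M worst-case cost are constructed assumptions; the root-cause shares are midpoints of the ranges quoted above.

```python
"""Risk register scored two ways, plus annualized loss attribution.

Added illustration, not from the article. Models compared:
  * "legacy":     each threat carries its own severity.
  * "escalation": any initial-access threat inherits the full-compromise
                  severity, because any intrusion can end in ransomware.
All likelihoods, severities, thresholds and dollar figures are constructed.
"""
from dataclasses import dataclass

FULL_COMPROMISE = 5  # severity of "environment completely owned", 1-5 scale


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # 1 (rare) .. 5 (frequent), constructed
    own_severity: int      # 1 (nuisance) .. 5 (full compromise), constructed
    initial_access: bool   # can this threat start a kill chain?


# Constructed register; the categories follow the article's list.
REGISTER = [
    Threat("Social engineering", 5, 2, True),
    Threat("Unpatched software", 4, 3, True),
    Threat("Password issues", 3, 3, True),
    Threat("Adware", 3, 1, True),
    Threat("Lost laptop (encrypted)", 4, 1, False),
    Threat("Natural disaster", 1, 5, False),
]


def severity(t: Threat, model: str) -> int:
    """Severity under the chosen model: 'legacy' or 'escalation'."""
    if model == "escalation" and t.initial_access:
        return FULL_COMPROMISE
    return t.own_severity


def risk_score(t: Threat, model: str) -> int:
    """Risk = Likelihood x Severity, as the article states."""
    return t.likelihood * severity(t, model)


def heat_bucket(score: int) -> str:
    """Map a 1-25 score onto the three heat-map colours (thresholds constructed)."""
    if score >= 15:
        return "red"
    if score >= 6:
        return "yellow"
    return "green"


def rank_register(register, model):
    """Return (name, score, bucket) rows sorted by descending score."""
    rows = []
    for t in register:
        score = risk_score(t, model)
        rows.append((t.name, score, heat_bucket(score)))
    return sorted(rows, key=lambda r: -r[1])


def escalation_order_is_likelihood_order(register) -> bool:
    """Under escalation, severity is constant for initial-access threats,
    so their ranking must equal a ranking by likelihood alone."""
    ia = [t for t in register if t.initial_access]
    by_risk = [t.name for t in sorted(ia, key=lambda t: -risk_score(t, "escalation"))]
    by_like = [t.name for t in sorted(ia, key=lambda t: -t.likelihood)]
    return by_risk == by_like


def annualized_loss_range(p_low, p_high, worst_case_cost):
    """Expected yearly loss from a 'bad year', using a probability band."""
    return (p_low * worst_case_cost, p_high * worst_case_cost)


def attribute_by_root_cause(expected_loss, shares):
    """Split an expected loss across root causes.

    The article's percentages overlap (one incident can involve several
    causes), so they are normalised to sum to one before splitting."""
    total = sum(shares.values())
    return {cause: expected_loss * share / total for cause, share in shares.items()}


ROOT_CAUSE_SHARE = {           # midpoints of the ranges the article quotes
    "social engineering": 0.70,
    "unpatched software": 0.30,
    "password issues": 0.125,
    "everything else": 0.10,   # "likely do not amount to 10%"
}

if __name__ == "__main__":
    for model in ("legacy", "escalation"):
        print(f"--- {model} ---")
        for name, score, bucket in rank_register(REGISTER, model):
            print(f"{name:26} {score:3} {bucket}")
    low, high = annualized_loss_range(0.25, 0.50, 2_000_000)  # $2M constructed
    print(f"expected yearly loss: ${low:,.0f} - ${high:,.0f}")
    for cause, dollars in attribute_by_root_cause(high, ROOT_CAUSE_SHARE).items():
        print(f"{cause:20} ${dollars:,.0f}")
```

Under the escalation model the four initial-access threats all land in red with no yellow in between, and their ordering is exactly their likelihood ordering, which is the article's point: once severity is the same for everything, what is left to manage is how often each door gets opened. The attribution step normalises the overlapping percentages so they sum to one; treat the result as a way to allocate mitigation effort, not as a precise loss forecast.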

The organizations that do these three things very well will be at far less risk of being successfully exploited, and vice versa. There are a lot of distractions in the cybersecurity world. Do not be distracted by shiny objects or spend too much time on defenses that do not work nearly as well (e.g., antivirus, firewalls, VPNs, etc.). Concentrate on stopping social engineering, patching software better, using non-phishable MFA and separate, strong passwords. That is it. That is the “secret” to better risk management.

Here are my guides to mitigating phishing:

· https://info.knowbe4.com/comprehensive-anti-phishing-guide
· https://info.knowbe4.com/webinar-stay-out-of-the-net


Here are my recommendations for better patching:

· https://www.dhirubhai.net/pulse/how-better-patcher-roger-grimes
· https://www.dhirubhai.net/pulse/cisa-says-fix-right-stuff-now-roger-grimes/

Here are my guides concerning MFA:

· https://www.dhirubhai.net/pulse/why-doesnt-mfa-stop-hacking-roger-grimes
· https://blog.knowbe4.com/how-you-can-be-more-at-risk-with-mfa
· https://www.dhirubhai.net/pulse/6-lessons-i-learned-from-hacking-130-mfa-solutions-roger-grimes/
· https://www.dhirubhai.net/pulse/why-majority-our-mfa-so-phishable-roger-grimes

Here are my guides concerning passwords:

· https://www.dhirubhai.net/pulse/you-likely-need-increase-your-default-password-length-roger-grimes
· https://www.dhirubhai.net/posts/rogeragrimes_my-recommended-password-policy-activity-6829425291820118016-Oam6

Risk management is getting harder to do, with more and more threats able to completely compromise your environment. But it can still be done. You just need to think about and analyze the risks better.

Now go continue to fight the good fight!

Enrique Garcia

Network Systems Architect | Distributed Computing

2 years

Agree and interesting tactic.

Jeremy Swenson, MSST, MBA

Digital Strategy & Cyber Consultant to Leaders | Speaker | Writer

2 years

Using a threat modeling tool like PASTA or VAST can be useful as well.

Andrew Shea

Committed to aiding CISOs drive effective communications with Board Members, C-Suite peers and Business Unit leaders through the development of a business-objective-centric Cyber Risk Management capability.

2 years

Hey Roger, I very much appreciate the thoughtfulness of your article, but I think we very much need to get past heatmaps and into cyber risk financial quantification. Your thoughts?

Luca Bertolotto Cipriani - CISSP,CISM

Regional Cybersecurity Risk Program Manager at Microsoft

2 years

Agree on all the line & interesting article!
