First, the objective of improving cybersecurity is vague and broad. Organizations often struggle with how to measure any improvement to their cybersecurity posture, or the effect of a security investment. What is even worse is that you may be measuring the wrong thing. In 2015, the Global Information Security Workforce Study (GISWS) surveyed more than 14,000 security professionals, of which 1,800 were federal employees. The survey concluded that we are not merely failing to get better; we are going backward.
Although that sounds pessimistic, it is supported by facts: in 2014, the year before the survey, one billion records were compromised, which led Forbes magazine to call 2014 “the year of the data breach.” Jumping forward to 2021 with the benefit of hindsight, we can confirm that the GISWS survey’s conclusion that we are going backward was not pessimism but a factual statement.
Second, there is a staggering number of exploits, cyber-attacks, and tactics, techniques, and procedures (TTPs); back in 2017, the Common Vulnerabilities and Exposures (CVE) list had over 75,000 entries, and the Common Attack Pattern Enumeration and Classification (CAPEC) had over 500 attack patterns. Today, the CAPEC database has over 550 mechanisms of attack, and it is still growing.
Third, the challenge is to account for all the possible attack paths an attacker can take. The attacker can compromise multiple elements simultaneously, and could even start from a non-critical system and work their way to the target system.
Fourth, attacker behavior: a determined attacker responds proportionally to every attempt by the defender to improve the organization’s security posture, in order to still achieve their objective.
The fifth and final cybersecurity risk challenge is security investment; given everything I just covered, limited resources, and the need to decide which tools to invest in and where to deploy them to protect the organization most effectively, cybersecurity investment is itself a challenge.
Many organizations have adopted a simplified risk model, Risk = Threat (T) x Vulnerability (V) x Consequences/Impact (C). The challenge with that approach is that subject matter experts view and assess threat and vulnerability as probabilities, while consequence or impact is considered from various angles, such as economic loss, replacement cost, and facilities. The deeper problem is that vulnerability (V) and consequence (C) both depend on the amount of effort the attacker and the defender (you) put in, so it is not sound to treat them as independent factors.
Suppose your organization is assessing its cyber risk and considers an intelligent attacker. That attacker may compromise multiple components to create the desired impact, so a model that looks at risk one component at a time will fail to identify critical scenarios.
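To make the attack-path point of the third challenge and the multi-component point above concrete, here is a small added Python model (example code written for this edit, not part of the article). The environment, the systems named in it, and the per-step success probabilities are all constructed for illustration; it assumes each lateral-movement step succeeds independently of the others, which is a simplification. It enumerates every simple path from an entry point to a critical target and ranks them, and contrasts that with the "single-component" view that only looks at systems directly connected to the target.

```python
from typing import Dict, List, Tuple

# Constructed sample environment (hypothetical, not from the article).
# Keys are systems; values map a neighbouring system to the assumed
# probability that an attacker who holds the key system can move to it.
# "wiki" is a non-critical, internet-facing system; "db" is the target.
GRAPH: Dict[str, Dict[str, float]] = {
    "internet":   {"wiki": 0.6, "vpn": 0.2},
    "wiki":       {"fileserver": 0.5},
    "vpn":        {"db": 0.1, "fileserver": 0.3},
    "fileserver": {"db": 0.4},
    "db":         {},
}


def enumerate_paths(graph: Dict[str, Dict[str, float]],
                    source: str, target: str) -> List[List[str]]:
    """Depth-first enumeration of all simple (loop-free) paths source -> target."""
    paths: List[List[str]] = []

    def dfs(node: str, visited: set, path: List[str]) -> None:
        if node == target:
            paths.append(list(path))
            return
        for nxt in graph.get(node, {}):
            if nxt not in visited:
                visited.add(nxt)
                path.append(nxt)
                dfs(nxt, visited, path)
                path.pop()
                visited.discard(nxt)

    dfs(source, {source}, [source])
    return paths


def path_probability(graph: Dict[str, Dict[str, float]], path: List[str]) -> float:
    """Product of step probabilities along the path (independence assumed)."""
    p = 1.0
    for a, b in zip(path, path[1:]):
        p *= graph[a][b]
    return p


def ranked_attack_paths(graph: Dict[str, Dict[str, float]],
                        source: str, target: str) -> List[Tuple[float, List[str]]]:
    """All entry-to-target paths, most likely first."""
    scored = [(path_probability(graph, p), p) for p in enumerate_paths(graph, source, target)]
    scored.sort(key=lambda item: -item[0])
    return scored


def single_component_view(graph: Dict[str, Dict[str, float]], target: str) -> Dict[str, float]:
    """What a per-component assessment sees: only systems with a direct step into the target."""
    return {src: edges[target] for src, edges in graph.items() if target in edges}


def apply_control(graph: Dict[str, Dict[str, float]],
                  src: str, dst: str, factor: float) -> Dict[str, Dict[str, float]]:
    """Return a copy of the graph with one step's success probability scaled by
    `factor` (a defensive control reducing V for that step), leaving the input intact."""
    hardened = {node: dict(edges) for node, edges in graph.items()}
    hardened[src][dst] = hardened[src][dst] * factor
    return hardened


if __name__ == "__main__":
    for prob, path in ranked_attack_paths(GRAPH, "internet", "db"):
        print(f"{prob:.3f}  {' -> '.join(path)}")
    print("direct neighbours of db:", single_component_view(GRAPH, "db"))
    # Harden the wiki -> fileserver step and see the most likely path change.
    hardened = apply_control(GRAPH, "wiki", "fileserver", 0.1)
    print("after control:", ranked_attack_paths(hardened, "internet", "db")[0])
```

In the constructed data the most likely route to the database runs through the non-critical wiki, yet the wiki never appears in the single-component view of the database because it has no direct step into it. Scaling one step's probability with `apply_control` also shows why V is not independent of defender effort: after hardening the wiki-to-fileserver step, a different path becomes the most likely one, so the ranking has to be recomputed rather than read off a static table.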
As we discussed in the five challenges, there are many attacker exploits and methods to consider; how can a defender possibly account for all of them?
Many cybersecurity risk assessments focus on “known” exploits rather than assessing whether sound cybersecurity principles are applied and maintained, which is what makes things as difficult as possible for the attacker. Others have addressed this problem by considering the “effects” of a cyber incident rather than the attack itself. It is also common to classify cyber incident effects in terms of Confidentiality, Integrity, and Availability (CIA); however, that classification is too broad.
A more comprehensive set of incident effects is the DIMFUI taxonomy, which is an acronym for:
These are the effects a hack, regardless of which one, could have on your systems. So, if your security controls address the effects of a hack rather than the hack itself, you will make it harder for the hack to occur.
Dr. Bill Souza
E|CE - Executive Cyber Education