Cyber costs threaten to exceed benefits!
Oct 7th, 2015
A recent report: Cyber costs threaten to exceed benefits!
A recent report from Zurich Insurance (2015) and the Atlantic Council states that the annual cost of protecting our digital world from hackers will exceed the benefits of being connected by 2019. It even seems that in the US and Europe the situation has already reached the tipping point, whereas developing and emerging economies still have time, actually a few decades, ahead of them. The report delivers a bracket of -7% to +1% of GDP for the benefit of being connected by 2030, the difference resulting from a pessimistic vs. an optimistic scenario.
Hex dump of the Blaster worm that spread on computers running Windows XP and Windows 2000, during August 2003.
Five emerging truths
A recent paper presented five major “emerging truths” in the organizational world with corresponding selected cases of successful recent cyber-attacks:
1. Correct identification of “external” threats and reduction of operational and strategic information (intelligence) gaps are paramount: it is critical to look upstream (suppliers) and downstream (service companies) in the supply chain because vulnerabilities upstream or downstream can significantly affect operations in the considered system.
Example: An attack campaign compromised 300,000 home routers and altered their DNS settings. The attackers used a variety of techniques to exploit known vulnerabilities in router models from different manufacturers.
2. Failure to identify minor deviations and/or near misses which could be signs of an impending attack, or one underway, is a significant flaw.
Example: On July 4, 2014, a group of relays that were assumed to be trying to de-anonymize users was identified. They appear to have been targeting people operating or accessing Tor hidden services. The attack involved modifying Tor protocol headers to perpetrate traffic confirmation attacks. The attacking relays joined the network on January 30, 2014, and were removed from the network on July 4. While the start date of the attack is unknown, users who operated or accessed hidden services from early February through July 4 should assume they were affected.
Example: Private information about over 80 million clients of the American multinational bank JP Morgan was stolen by hackers in a massive cyber-attack during summer 2014. The attack ran undetected for many months.
3. Treating cyber-security as an IT-sector matter (silo-ed information), rather than as a global operational / strategic risk, is a very significant flaw. A cyber-attack can have the same effect as an earthquake, an explosion or an artillery bombardment, and it is therefore of utmost importance to treat it as any other hazard that may affect a system’s service.
Example: Hackers struck a steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in reportedly “massive” damage.
4. Protecting assets in a properly planned and prioritized way is a must. Asset management should be linked to Risk Management (RM). Audits and compliance with regulations do not constitute a sufficient pathway to safety.
Example: In December 2013, Target confirmed that hackers had infected the company’s payment-card readers, making off with approximately 40 million credit and debit card numbers that had been used at Target stores in the United States.
5. Capabilities of the enemy, whoever it may be, should never be underestimated.
Example: The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. The Canada Revenue Agency, a U.S. hospital chain and many others were exploited.
Thus, it should be concluded that broad-spectrum defense investments, and in particular poorly prioritized ones, as generally implemented, are not efficient and will damage your bottom line in the future.
“Businesses and government agencies often focus on the next “silver bullet” product, unaware that most cybersecurity problems stem from flawed procedures and human error”, reportedly said Art Gilliland, senior vice president and general manager for Hewlett-Packard’s software enterprise security products, quoted in a recent article.
It is simply neither possible nor sustainable to protect each asset from each threat, especially as these investments are oftentimes limited by other competing operational requirements.
This is a mockup of a real Cyber-defence dashboard built by Riskope using ORE (Optimum Risk Estimates) methodology (©Riskope)
Cyber-defense must be rooted in intelligence and based on prioritized risk management, not on standardized audits, the practice of indolent regulations written a priori, or the solutions of fear-mongering vendors.
RM offers the ultimate support for operational decisions and protection (mitigation), provided clients are willing to explicitly define the level of acceptable service reduction and risk. It is important that RM efforts be based on methodologies that avoid confusion and help users focus on the scenarios that generate the risks that really matter: it has been shown that, typically, a small number of risk scenarios (10%-20% of the total portfolio) represent 80% of the total intolerable risk, in compliance with the well-known Pareto principle (a.k.a. the 80/20 rule).
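The prioritization argument above, as an added illustration that is not Riskope's ORE code: a hypothetical risk register is scored as annual probability times consequence, scenarios above an explicitly chosen tolerance threshold are flagged as intolerable, and the script measures how small a share of the portfolio carries 80% of that intolerable risk. All scenario names and numbers are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float   # annual probability of occurrence, 0..1
    consequence: float   # expected loss if it occurs, monetary units

    @property
    def risk(self) -> float:
        # Annualized risk used for ranking: probability x consequence.
        return self.probability * self.consequence


# Constructed sample register; values are illustrative, not from any report.
REGISTER = [
    Scenario("Upstream supplier router compromise (DNS hijack)", 0.30, 4_000_000),
    Scenario("Payment terminal malware", 0.07, 100_000_000),
    Scenario("ICS manipulation of furnace controls", 0.02, 40_000_000),
    Scenario("Undetected long-running data exfiltration", 0.10, 40_000_000),
    Scenario("Memory disclosure in TLS library", 0.20, 3_000_000),
    Scenario("Phishing of help desk", 0.60, 200_000),
    Scenario("Lost unencrypted laptop", 0.40, 150_000),
    Scenario("Website defacement", 0.50, 50_000),
    Scenario("Printer firmware tampering", 0.05, 100_000),
    Scenario("Guest Wi-Fi abuse", 0.70, 20_000),
]


def intolerable(register, tolerance):
    """Scenarios whose annualized risk exceeds the tolerance, highest first.
    The tolerance is the explicit acceptance level the organization must set."""
    above = [s for s in register if s.risk > tolerance]
    return sorted(above, key=lambda s: s.risk, reverse=True)


def pareto_share(register, tolerance, coverage=0.80):
    """Walk the ranked intolerable scenarios from the top and return
    (number of scenarios, fraction of the whole portfolio) needed to
    account for `coverage` of the total intolerable risk."""
    ranked = intolerable(register, tolerance)
    total = sum(s.risk for s in ranked)
    cumulative, n = 0.0, 0
    for s in ranked:
        cumulative += s.risk
        n += 1
        if cumulative >= coverage * total:
            break
    return n, n / len(register)
```

With a tolerance of 500,000 per year, two of the ten constructed scenarios (20% of the portfolio) carry more than 80% of the intolerable risk, which is where prioritized mitigation effort belongs.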
The key to success in the risk management approach to Cyber-defense of complex systems like modern corporations or armies lies in:
- a) the correct functional analysis of the system, including its inter-dependencies,
- b) the abolition of informational “silos” (treating each problem by itself),
- c) avoiding paralysis by analysis,
- d) looking to the minimal survival criterion of the systems involved and to clear social and organizational tolerance criteria, and finally
- e) giving cues on what should be included in the consequences function in order to depict reality as well as we can.
In particular, it can be stated that an incomplete functional analysis of the system (a, above) and information silos (b, above) inevitably lead to poorly built hazard identification, which in turn can lead to conceptual dead-ends, finally clouding the desired results.
Contact us for more information on ORE for Cyber-defence.