“Zero Tolerance” to “80-20” – Lazy Approaches to Cyber Risk

There is a new danger lurking in the information assets of countless organizations around the globe disguised by a plan devised to protect a large portion of those assets while failing miserably to protect the rest.

Zero tolerance approach to cyber security is untenable

Traditional approach to cyber security was for a board / management to declare that they have “zero tolerance” for cyber breaches, and for the first line to erect barriers and try to control access to any outsiders.

That approach is untenable today. Cyber criminals demonstrated that our perimeter protections are not sufficient. Customer voted for ease for access rather than security by defecting to competitors that offer more functionality through more channels. Why “zero tolerance” paradigm doesn’t make sense any more is a topic for a separate rant.

80-20 rule is a lazy man’s approach to cyber risk management

Today I want to focus on another pet peeve of mine – cyber security professionals using the 80-20 rule as a lazy replacement for a well thought out approach to cyber risk management. I keep hearing that organizations (usually non-FS) are focusing on 80% of the threats (by volume) or 80% of the assets. They believe that they would do well by securing against 80% of threats by spending 20% of the money they would have to spend in order to secure everything.

Situations in which organizations are dedicating only enough budget to address 80% of potential threats by volume seem to be far too common. The argument for practically ignoring the remaining 20% is quite simple.

1. 80-20 or Pareto is a proven principle. And it sounds sciencey.
2. 80% is pretty good, right?
3. The cost it would take to address the remaining 20% is too expensive.
4. It can be made to look very good on reports to management demonstrating significant changes in numbers after relatively small investment.

While on paper this approach may seem understandable, the reality is that the remaining 20% of threats could prove not only costly, but expose the most critical information putting the organization at the highest risk.

80% of attacks are performed by script kiddies. They might use mass scans, 1-day exploits, SQL injections, mass malware, etc. to:

• Deface your website
• Steal personal information such as SSNs or CCs
• Might redirect your systems to ads
• Use your systems as a bot in DDOS
• Strip your WoW character

Solutions to address those threats are often to implement IDS/IPS, firewalls, AV and other traditional tools and processes.

You may be saying to yourself that it’s terrific that organizations have dedicated enough time and money toward such important issues as these. Hold that thought as we take a gander at the 20% of issues that are being ignored.

The 20% of attackers that might get little attention might use zero-day breaches, social engineering, spear phishing, malicious insiders, crypto key stealing, and other attacks in order to:

• Gather intelligence against you to use in competitive bidding, negotiations, etc.
• Manipulate transactions
• Steal your intellectual property and/or your source code
• Alter or destroy records potentially causing huge financial losses
• Steal your source code or alter it to insert backdoors

So, while is it outstanding that cyber security mangers are implementing solutions such as IPS, AV, and Firewalls to protect your WoW characters, it is careless to disregard the threats of intelligence gathering and information manipulation that could cause enough chaos to begin the demise of an organization.

Cyber risk management

Organizations must learn to manage cyber risk while keeping their borders open. Mature risk management, however, doesn’t mean prioritizing threats by the volume. Few key concepts to keep in mind:

• Cyber risk is a strategic issue. Senior business management, and not just IT, must decide which products or lines of business have to be protected and what it is worth spending on their cyber protection.
• Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. If you are looking just at threats or just at assets, you are not performing risk management.
• Cyber risks change rapidly. Vulnerabilities and threats appear of change daily. Your cyber risk management process has to involve ongoing monitoring for changes and ongoing adjustments in risk management. It cannot be an annual exercise.
• Cyber risks should be quantified as much as possible. Cyber risk management (as well as the overall operational risk management) is the most broad-based and least mature of all risk management disciplines. Cyber risk is the most difficult type of risk to quantify and manage. Unlike other types of risk, for cyber risk there is no baseline, no way of knowing what losses have been successfully avoided, or how low and how high cyber events could be in terms of loss amounts. However, there are approaches to create estimates based on past events and scenarios. (For more detail, see my other blog post – “Estimating operational risks”).

Conclusion

The obvious solution here is to take a more proactive approach. In order to do this, cyber security management should evolve into cyber RISK management. Cyber security practitioners have to learn how to perform threat, vulnerability and risk analysis (TVRA) for all of their information assets and address the highest risks even if they are most expensive and hardest to implement. Only through proper risk management practices an organization can be sure that it best invested its security dollars.

It is time for organizations to stop spending effort and money focusing only on common threats and start using mature risk management and implement an active defense against innovative and hard-to-address threats that could completely destroy an organization.