Defining the correct level of risk from the cyberattacks to which any company is exposed is a priority today. We present the first of three articles that, together, serve as an introduction to dynamic cybersecurity risk.
Dynamic cybersecurity risk makes it easier for any company to obtain security indicators that help it understand the impact of the vulnerabilities present in its infrastructure.
Attacks originating in cyberspace, or “cyberattacks”, occur on technology. This statement rests on a basic fact: in cyberspace, the way to get from point A to point B is through hardware and software such as network devices, satellite, wired and wireless communications, and the systems or software applications that allow the user to interact with cyberspace.
However, although the medium is tangible (we can touch it or perceive it precisely), we can state that the main motivation of the “bad guys” is information, knowledge, data, reputational objectives and people, that is, the intangible.
Questions such as the following are common:
- Is my company at risk at this moment?
- How do the identified vulnerabilities affect the business, and is that quantifiable?
- What level of cybersecurity risk does the organization have?
- What would be the impact on my business if a cyberattack occurs?
- Where should I invest to strengthen my defenses?
The above questions are examples of those habitually raised in departmental meetings, security forums, works councils and many other conversations about cybersecurity risks, threats and vulnerabilities in companies, regardless of their size.
As we will see in later articles, vulnerabilities present in technology can produce an impact that affects not only the technology itself but also the information it stores and processes, because of the relationship between technology and information.
To understand how to measure the dynamic cybersecurity risk level of an organization, it is first necessary to know the difference between risk and “danger”.
The term “danger” refers to liability or exposure to harm or injury, a threatening situation for human life or for a particular individual, while “risk” refers to the probability that such dangerous situations will or will not take place. The Spanish RAE defines “risk” as “contingency or proximity of damage”.
Applied to our field, dynamic cybersecurity risk determines the probability that a threat will act on one or more assets of an organization, causing impact or damage.
Threats, on the other hand, are circumstances or events that can cause the intentional or unintentional exploitation of a vulnerability. These can be classified into three large groups:
- Natural: tornadoes, hurricanes, floods, etc.
- Malicious: spyware, malware or other malicious actions.
- Not malicious: for example, an employee inadvertently leaving a session open.
Finally, vulnerabilities are weaknesses or a lack of controls that make it easier for a threat to cause impact, damage or degradation. They affect not only IT assets but also the security controls or measures that are implemented, or that are missing from the procedures intended to provide protection.
Vulnerabilities are grouped into the following:
- Of the organization
A hypothetical example of how these concepts are applied would be the following:
It has been identified that the company has vulnerabilities affecting the “N 2020” operating systems that could allow the installation of malicious software, and the “N 2020” systems are currently used on the laptops of VIP users.
In other words, these vulnerabilities could allow a malware threat to materialize, causing a very high risk for the organization, since they can affect the confidentiality, integrity and availability (CIA) of user information.
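As an added illustration (not code from the article or from Tarlogic), the following Python model encodes the definitions above, risk as the probability that a threat acts on an asset through a vulnerability multiplied by the impact on C/I/A, and applies it to the hypothetical “N 2020” laptop scenario. The 1..5 scales, the level thresholds and the vulnerability identifier are all assumptions chosen for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Asset:
    name: str
    cia_impact: dict          # business impact 1..5 of losing C, I or A

@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str              # placeholder id, not a real CVE
    affects: frozenset        # asset names where the weakness exists
    exploitability: int       # 1..5, how easily a threat can act on it

@dataclass(frozen=True)
class Threat:
    name: str
    kind: str                 # "natural", "malicious" or "not malicious"
    likelihood: int           # 1..5, how likely the threat is to occur
    exploits: frozenset       # vuln_ids the threat can take advantage of

def qualify(score):
    """Map a 0..25 score to a qualitative level (thresholds are assumptions)."""
    for limit, level in ((0, "none"), (5, "low"), (10, "medium"), (15, "high")):
        if score <= limit:
            return level
    return "very high"

def asset_risk(asset, threats, vulns):
    """Worst (score, level, threat, vuln) over every threat -> vuln -> asset path:
    probability = threat likelihood scaled by exploitability, impact = worst of C/I/A."""
    best = (0, "none", None, None)
    impact = max(asset.cia_impact.values())
    for t in threats:
        for v in vulns:
            if v.vuln_id in t.exploits and asset.name in v.affects:
                probability = max(1, round(t.likelihood * v.exploitability / 5))
                score = probability * impact
                if score > best[0]:
                    best = (score, qualify(score), t.name, v.vuln_id)
    return best

# Constructed scenario from the article: an OS flaw in "N 2020" on VIP laptops.
VIP_LAPTOPS = Asset("VIP laptops", {"C": 5, "I": 4, "A": 4})
N2020_FLAW = Vulnerability("VULN-N2020-PLACEHOLDER", frozenset({"VIP laptops"}), 4)
MALWARE = Threat("malware installation", "malicious", 5,
                 frozenset({"VULN-N2020-PLACEHOLDER"}))
def scenario_before_and_after_patch():
    """Risk with the flaw present versus once it has been patched (removed)."""
    before = asset_risk(VIP_LAPTOPS, [MALWARE], [N2020_FLAW])
    after = asset_risk(VIP_LAPTOPS, [MALWARE], [])
    return before, after
```

The "dynamic" part is visible in the second call: once the vulnerability is removed there is no longer a threat-to-asset path, so the risk for the same asset and the same threat drops, which is the kind of indicator the article says later parts will develop.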
The intangible as motivation
Cyberattacks occur daily, with different magnitudes and impacts, and their targets differ: domestic users, company employees, large companies and even public organizations and critical infrastructure sectors.
Cyberattacks are originated by known threat actors, such as low-profile agents (isolated or poorly organized individuals), cyber activists, cyber terrorists, organized groups or even states that use cyberattacks to improve their strategic position, either with a studied and premeditated objective or as a consequence of a fortuitous finding, sometimes caused by carelessness or by a coincidence that gives rise to an investigation. Incidents can therefore be both intentional and unintentional.
An example of a cyberattack is one that aims to cause service degradation or unavailability, trying to impact the IT infrastructure and thus cause an economic or reputational loss, among other consequences. To do this, cybercriminals take advantage of weaknesses present in software applications, operating systems, web applications, network devices, etc., exploiting them to achieve their goal.
When we run an internet search for the most common cyberattacks of the last 10 years, those that have caused the most damage or had the greatest impact, we will obtain a list similar to this one:
- Distributed Denial of Service (DDoS)
- Malware (ransomware)
- Phishing (and Spear Phishing)
- SQL injection (SQLi)
- Man in the Middle Attacks (MITM)
- Brute Force attacks
- Cross-Site Scripting (XSS)
- Interception of conversations, passively (eavesdropping) or actively (tampering)
From the previous list, classified by type of attack, we will observe that in a high percentage of cases information is the main objective: information such as user passwords, personal data of individuals and companies, or industrial espionage, among many other examples of cybercriminal activity.
Is it possible, then, to affirm that the main motivation of a cybercriminal is information, knowledge, the intangible?
It is usual to focus our attention on protecting technological infrastructure, updating software versions, and applying security patches or containment barriers, because these are measures that allow us to improve the company's health status and mitigate vulnerabilities, and we have already seen what the possible relationship between technology and information is.
At Tarlogic's Cybersecurity Team we believe that these security measures should not be the only dimension addressed when we work to improve the security health status of our company. The focus on information (where it resides, which information is or is not critical for our business, how to protect it, and what privileges are required to access it) is also a necessary parameter when we establish our cybersecurity strategy, and it can be included as an evaluation objective through security audits and pentesting tests led by a cybersecurity consulting firm.