The title of this article seems like a “no-brainer,” since everything connected to the Internet is a potential target for attack. But here we will examine how to determine whether your organization is a high- or low-value cyber target.
As CISOs, we need to take a critical view of our overall organization’s “attractiveness” as a cyber target. Some aspects to consider include:
1. What percentage of the IT budget is allocated for cyber security.
Obviously, the cyber security budget will vary as to the size of the organization, the use and complexity of IT from internal and external perspectives, executive management’s commitment to cyber security, etc. A general rule-of-thumb may be that the cyber security budget should be 10% to 15% of the overall IT budget. But more cerebral and mathematically-intense models such as the Gordon–Loeb Model, a mathematical economic model used to analyze the optimal investment level in information security, can be used.
The point is that if there is a sufficient budget with which to implement effective security measures, opportunistic attackers will likely bypass a well-defended organization for easier targets.
2. If your organization is a potential target based on your industry.
There are many cyber security reports that cite percentages of security breaches that occur on an industry basis. While this is not a foolproof indicator as to whether or not your organization will be attacked, it is another significant data point you can use to improve your program and justify your budgetary requirements.
One of my favorite sources for security breach data is the Privacy Rights Clearinghouse. According to their 2017 statistics, medical organizations represented 52% of the reported data breaches while non-profits only represented 0.7% of the reported breaches.
Not only do they compile breach statistics by industry, but also by “breach type” such as hacking/malware, insiders, unintended disclosures, physical losses, etc. I would use this data to ensure our security measures were focused on the higher-valued breach types.
3. Other intangibles.
A more recent phenomenon that may affect your organization’s “attractiveness” as a cyber target is social media. Negative commentary on social media can foster cyber-attacks and, in some cases, even physical attacks. For example:
- Political organizations are a likely target for attack on social media for perceived controversial political stands that can potentially foster cyber-attacks and even physical attacks in some cases.
- Retail companies can be attacked on social media for any number of reasons: E. coli outbreaks at restaurant chains, product deficiencies resulting in consumer harm, etc.
- Controversial company executive management can foster social media attacks (e.g., Wells Fargo CEO amid consumer loan abuses).
In an attempt to counter the above risks, I set up automated Google queries on company name and the names of key executives. I would receive daily output from which to assess any potential issues facing our company.
In one instance, the daily report identified a new company-affiliated website of which I was unaware. The website had not undergone a security evaluation as would be normal procedure. I was then able to quickly have my team evaluate the website, and there were a number of security-related issues that should have been addressed prior to the site going into production. Not bad for a free service!
- Unpatched systems are an open invitation to attack.
Do you remember the Equifax breach? Sensitive data of millions of consumers was compromised and the CEO and CISO lost their jobs. It was later disclosed that Equifax systems were breached due to unpatched systems – an Apache Struts vulnerability. Hackers employ a number of intelligence-gathering techniques such as ShodanHQ, a search engine for systems and their associated operating systems (OSs), patch levels, etc. Using these techniques, it is trivial for them to assess potential targets with unpatched OSs and applications.
- Misconfigured systems.
There is probably no greater vulnerability issue than having misconfigured systems. Simply having exposed FTP (File Transfer Protocol) ports can allow attackers to gain a foothold into your organization.
To counter unpatched and misconfiguration risks, my team would routinely query system search engines like ShodanHQ to ascertain if our company systems presented any exposure. Additionally, we had a robust vulnerability scanning process from both internal and external perspectives. We used two 3rd party partners to vulnerability scan our Internet-exposed address space on a monthly basis.
While using two 3rd party scanning vendors may seem like overkill, I thought it prudent to have two “sets of eyes” evaluate our Internet presence to ensure our exposure was minimized. My security team performed vulnerability scans on internal systems. Limited scans, for example ones that look only for open/insecure ports like ftp and telnet, can quickly cover a large number of systems in a fairly unobtrusive manner.
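A limited scan of the kind described above, as an added example that is not the author's own tooling: it makes one TCP connection attempt per host for the ftp and telnet ports only and reports what answers. The function names, timeout, worker count and the sample inventory are assumptions made for illustration.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Cleartext services named in the article; extend to match your own policy.
INSECURE_PORTS = {21: "ftp", 23: "telnet"}

def check_port(host, port, timeout=1.0):
    """Return True if a full TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False

def limited_scan(hosts, ports=INSECURE_PORTS, timeout=1.0, workers=32):
    """Probe only the listed ports on each host; return sorted findings."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: check_port(t[0], t[1], timeout), targets))
    return sorted(
        (h, p, ports[p]) for (h, p), is_open in zip(targets, results) if is_open
    )

if __name__ == "__main__":
    # Constructed inventory: replace with your own internal asset list.
    inventory = ["127.0.0.1"]
    for host, port, service in limited_scan(inventory):
        print(f"{host}:{port} open ({service})")
```

Because only two ports per host are touched, the run stays short and light on the network; the findings list is what feeds the follow-up to disable or replace the service.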
- Website vulnerabilities.
Your company’s “face” to the Internet is likely your website. Company website vulnerabilities such as SQL injection can result in exposure of your customers’ data, while cross-site scripting, broken authentication, etc. can damage your company’s brand and possibly result in regulatory and monetary issues. Assessing websites for vulnerabilities is an art as much as it is a science.
To counter website vulnerabilities, my team spent a great deal of time learning to use and interpret the results of website-specific vulnerability scanning tools. Additionally, we employed 3rd parties to conduct penetration testing and other focused technical assessments.
There are no foolproof protections to ensure your organization is not a cyber target, but having a prudent and effective security program including robust technical security controls, user education, and policies and procedures will minimize your exposure and hopefully reduce your organization’s “attractiveness” as a cyber target.
CISOBox, the industry-leading solution for information security incident management, can go a long way toward increasing the security of your program. To learn more about CISOBox, or to schedule a demo, get in touch with us today.