
Solving Cyber Risk
Description
Solving Cyber Risk distills a decade of research into a practical framework for cyber security. Blending statistical data and cost information with research into the culture, psychology, and business models of the hacker community, this book provides business executives, policy-makers, and individuals with a deeper understanding of existing and future threats, and an action plan for safeguarding their organizations. Key Risk Indicators reveal vulnerabilities based on organization type, IT infrastructure and existing security measures, while expert discussion from leading cyber risk specialists details practical, real-world methods of risk reduction and mitigation.
By the nature of the business, your organization's customer database is packed with highly sensitive information that is essentially hacker-bait, and even a minor flaw in security protocol could spell disaster. This book takes you deep into the cyber threat landscape to show you how to keep your data secure.
* Understand who is carrying out cyber-attacks, and why
* Identify your organization's risk of attack and vulnerability to damage
* Learn the most cost-effective risk reduction measures
* Adopt a new cyber risk assessment and quantification framework based on techniques used by the insurance industry
By applying risk management principles to cyber security, non-technical leadership gains a greater understanding of the types of threat, level of threat, and level of investment needed to fortify the organization against attack. Just because you have not been hit does not mean your data is safe, and hackers rely on their targets' complacence to help maximize their haul. Solving Cyber Risk gives you a concrete action plan for implementing top-notch preventative measures before you're forced to implement damage control.

Content
- Cover
- Title Page
- Copyright
- Contents
- About the Authors
- Acknowledgments
- Chapter 1 Counting the Costs of Cyber Attacks
- 1.1 Anatomy of a Data Exfiltration Attack
- 1.1.1 The Plan
- 1.1.2 The Malware
- 1.1.3 Finding a Way In
- 1.1.4 Using Suppliers with Authorized Access
- 1.1.5 Installing the Malware
- 1.1.6 Harvesting the Data
- 1.1.7 Selling the Stolen Data
- 1.1.8 Buy Back and Discovery
- 1.1.9 Disclosure
- 1.1.10 Customer Management
- 1.1.11 Target's Costs
- 1.1.12 Strategic Impacts on Target Corporation
- 1.1.13 And the Rescator Team?
- 1.1.14 Fallout
- 1.2 A Modern Scourge
- 1.2.1 Types of Cyber Losses
- 1.2.2 The Direct Payout Costs of a Cyber Attack
- 1.2.3 Operational Disruption Causing Loss of Revenue
- 1.2.4 Consequential Business Losses from a Cyber Attack
- 1.2.5 Cyber Attack Economic Multipliers
- 1.3 Cyber Catastrophes
- 1.3.1 NotPetya and WannaCry Cyber Catastrophes
- 1.3.2 Near-miss Cyber Catastrophes
- 1.3.3 Is Cyber Threat Systemic?
- 1.3.4 Potential Cyber Catastrophes
- 1.3.5 Cyber Catastrophes Could Impact Infrastructure
- 1.3.6 Could a Cyber Catastrophe Trigger a Financial Crisis?
- 1.3.7 The 'Cyber Catastrophe' of Tech Aversion
- 1.4 Societal Cyber Threats
- 1.4.1 Cyber Threats to Democracy
- 1.4.2 The Cyber Threat of Triggering War
- 1.5 Cyber Risk
- 1.5.1 Risk Terminology
- 1.5.2 A Framework for Risk Assessment
- 1.5.3 Risk Tolerance of Your Organization
- 1.5.4 Risk of Cyber Catastrophes
- 1.6 How Much Does Cyber Risk Cost Our Society?
- 1.6.1 Collecting Information on Cyber Loss Incidents
- 1.6.2 Incident Rate in Advanced Economies
- 1.6.3 Costs of Cyber Attacks to the US Economy
- 1.6.4 Cyber Risk Levels Across the World
- 1.6.5 Global Costs of Cyber Attacks
- 1.6.6 Trends of Future Cyber Risk
- 1.6.7 Risk of Future Cyber Catastrophes
- 1.6.8 Working Together to Solve Cyber Risk
- Endnotes
- Chapter 2 Preparing for Cyber Attacks
- 2.1 Cyber Loss Processes
- 2.2 Data Exfiltration
- 2.2.1 Protecting Your Data
- 2.2.2 Regulation and Data
- 2.2.3 Causes of Data Exfiltration Loss
- 2.2.4 Costs of Data Exfiltration
- 2.2.5 Other Costs and Consequences
- 2.3 Contagious Malware Infection
- 2.3.1 Melissa, 1999
- 2.3.2 ILOVEYOU, 2000
- 2.3.3 Generations of Malware
- 2.3.4 WannaCry, 2017
- 2.3.5 NotPetya, 2017
- 2.3.6 Antivirus Software Industry
- 2.3.7 Malware Payloads
- 2.3.8 Risk of Malware Infection
- 2.3.9 Ransomware
- 2.3.10 Cyber Extortion Attacks on Larger Organizations
- 2.3.11 The Business of Extortion
- 2.3.12 Ransomware Attacks on the Rise
- 2.4 Denial of Service Attacks
- 2.4.1 The Threat of DDoS Attacks
- 2.4.2 How to Protect Against a DDoS Attack
- 2.4.3 Intensity of Attack
- 2.4.4 Duration of DDoS Attacks
- 2.4.5 Repeat Attacks on Targets
- 2.4.6 Magnitude of DDoS Attack Activity
- 2.4.7 Motivation of DDoS Attackers
- 2.4.8 The Big Cannons
- 2.4.9 Sectoral Preferences in DDoS Targeting
- 2.4.10 IoT Being Used for DDoS Attacks
- 2.5 Financial Theft
- 2.5.1 Networks of Trust
- 2.5.2 Credit Card Theft
- 2.5.3 Wholesale and Back-End Financial Systems
- 2.5.4 Lazarus Attack on SWIFT Banking System
- 2.5.5 Security Spending
- 2.6 Failures of Counterparties or Suppliers
- 2.6.1 Risk in the IT Supply Chain
- 2.6.2 The Risk of CSP Failures
- 2.6.3 Cloud Service Types
- 2.6.4 Cloud Adoption and Strategies
- 2.6.5 CSP Outages
- 2.6.6 Duration of Outages
- Endnotes
- Chapter 3 Cyber Enters the Physical World
- 3.1 A Brief History of Cyber-Physical Interactions
- 3.1.1 Cyber-Physical Systems
- 3.1.2 Growing Consciousness of Cyber-Physical Interactions
- 3.1.3 The Earliest Hack of a Physical System
- 3.2 Hacking Attacks on Cyber-Physical Systems
- 3.2.1 Examples from the Past
- 3.3 Components of Cyber-Physical Systems
- 3.3.1 A Framework for Control Systems
- 3.3.2 Sensors
- 3.3.3 Actuators
- 3.3.4 Data Stores
- 3.3.5 Networking Equipment
- 3.3.6 Deciders
- 3.3.7 Safety Systems
- 3.4 How to Subvert Cyber-Physical Systems
- 3.4.1 Designed for Accidents, Not Malicious Attacks
- 3.4.2 Overriding Safety Alerts
- 3.4.3 Entering a Secure Facility
- 3.4.4 Deactivating Fire Suppression Systems
- 3.4.5 Triggering Fake Safety Procedures
- 3.4.6 Achieving Malicious Aims by Abusing Security Systems
- 3.5 How to Cause Damage Remotely
- 3.5.1 Change the File and You Change the World
- 3.5.2 Spoof the Sensors
- 3.5.3 Control the Actuators
- 3.5.4 Subvert the Logic
- 3.6 Using Compromises to Take Control
- 3.6.1 Intent and Compromises
- 3.6.2 Disable the Safety System
- 3.6.3 Change the Display/Induce Operator Error
- 3.7 Operating Compromised Systems
- 3.7.1 The Byzantine Generals Problem
- 3.8 Expect the Unexpected
- 3.8.1 You Can't Change Physics
- 3.8.2 Worst-case Scenarios
- 3.8.3 Estimate the Consequences
- 3.8.4 Prioritize Mitigation Against Multiple Scenarios
- 3.8.5 How Likely Is a Cyber-Physical Attack?
- 3.8.6 Variation in Risk over Time
- 3.9 Smart Devices and the Internet of Things
- 3.9.1 The Infrastructure of the Information Society
- 3.9.2 Security Levels in Connected Devices
- 3.9.3 Making Our Devices Safer
- 3.9.4 Why Isn't This Studied More Articulately?
- 3.9.5 Need This Always Be So?
- Endnotes
- Chapter 4 Ghosts in the Code
- 4.1 All Software Has Errors
- 4.1.1 Accidental Malfunction
- 4.1.2 Errors as Exploitable Vulnerabilities
- 4.2 Vulnerabilities, Exploits, and Zero Days
- 4.2.1 Arsenals of Exploits
- 4.2.2 The Vulnerabilities Equities Process
- 4.2.3 Software Is Milk, Not Wine
- 4.2.4 Issuing Security Patches
- 4.2.5 Getting Users to Install Patches
- 4.2.6 Lifespan of Software
- 4.3 Counting Vulnerabilities
- 4.3.1 US NIST National Vulnerability Database
- 4.3.2 Open Source versus Closed Source Vulnerabilities
- 4.3.3 Vulnerabilities Impacting Populations of Companies
- 4.3.4 Estimating Population Impacts
- 4.4 Vulnerability Management
- 4.4.1 Within a Project or Technology Under Your Control
- 4.4.2 Supply Chain Due Diligence
- 4.4.3 Across Different Companies Within Your Supply Chain
- 4.4.4 Telematics Assessments
- 4.4.5 Specializations in Security Solutions
- 4.5 International Cyber Response and Defense
- 4.5.1 National Vulnerability Agencies
- 4.5.2 How Many Vulnerabilities Can You Find Easily in a Given Country?
- 4.5.3 Posing a Risk to Others
- 4.5.4 Victim Notification
- 4.5.5 Bug Bounties
- 4.5.6 Lifespans of Exploits
- Endnotes
- Chapter 5 Know Your Enemy
- 5.1 Hackers
- 5.1.1 They Don't Wear Balaclavas
- 5.1.2 In the Red Corner...
- 5.2 Taxonomy of Threat Actors
- 5.2.1 Amateur Hackers
- 5.2.2 Hub-Structured Cyber Criminal Gangs
- 5.2.3 Hierarchically-Organized Cyber Criminal Syndicates
- 5.2.4 Mercenary Teams
- 5.2.5 Hacktivists
- 5.2.6 Cyber Terrorists
- 5.2.7 Nation-state- and State-sponsored Cyber Teams
- 5.3 The Insider Threat
- 5.3.1 Accidents Will Happen
- 5.3.2 Human Vulnerability of Your Staff
- 5.3.3 Disaffected Employees
- 5.4 Threat Actors and Cyber Risk
- 5.4.1 Threat Actors and Their Variety Act
- 5.4.2 Cyber Criminology
- 5.5 Hackonomics
- 5.5.1 Cyber Black Economy
- 5.5.2 Dark Web Trading Sites
- 5.5.3 Dark Web Prices
- 5.5.4 Logistical Burden of Cyber Attacks
- 5.5.5 Hackers Are Rational Game Players
- Endnotes
- Chapter 6 Measuring the Cyber Threat
- 6.1 Measurement and Management
- 6.1.1 A Man-Made Threat
- 6.1.2 Defending Ourselves
- 6.1.3 Measurement to Make Improvements
- 6.1.4 A Monitoring Checklist
- 6.1.5 Measurement for Better Risk Management
- 6.1.6 Setting a Cyber Security Budget
- 6.2 Cyber Threat Metrics
- 6.2.1 Perception of Threat
- 6.2.2 Threat Attributes
- 6.2.3 Threat Matrices and Attack Trees
- 6.3 Measuring the Threat for an Organization
- 6.3.1 Using Scenarios
- 6.3.2 Building Safety and Cyber Security
- 6.3.3 IoT as an Amplifier of Risk
- 6.3.4 Ways Things Can Go Wrong
- 6.4 The Likelihood of Major Cyber Attacks
- 6.4.1 Not If or When, but How Likely?
- 6.4.2 Measuring Cyber Attack Severity
- 6.4.3 Maximum Severity: Total Data Records Held
- 6.4.4 Characterizing Extreme Events
- 6.4.5 Challenges of Carrying Out an Extreme Event
- 6.4.6 Harvesting Bugs
- 6.4.7 Simulation Process - Stuxnet Example
- 6.4.8 The Pentagon Cyber Arsenal
- 6.4.9 Insider Theft and the Cyber 'Big One'
- 6.4.10 Reimagining History
- 6.4.11 Knowing What Could Have Occurred
- 6.4.12 Cyber Events That Could Have Turned Out Differently
- 6.4.13 Alternative Versions of the Past 10 Years of Cyber Attacks
- Endnotes
- Chapter 7 Rules, Regulations, and Law Enforcement
- 7.1 Cyber Laws
- 7.1.1 Jurisprudence and Commerce
- 7.2 US Cyber Laws
- 7.2.1 A Patchwork of Regulation
- 7.2.2 The Origins of US Legislation
- 7.2.3 Legitimizing NSA Operations
- 7.2.4 Cybersecurity Information Sharing Act
- 7.2.5 State-by-State Variations
- 7.2.6 Regulations for Finance, Healthcare, and Communications
- 7.3 EU General Data Protection Regulation (GDPR)
- 7.3.1 European Citizens' Data Rights
- 7.3.2 Data Controllers
- 7.3.3 Penalties for Breach of GDPR
- 7.3.4 National Implementation
- 7.4 Regulation of Cyber Insurance
- 7.4.1 Regulating an Emerging Insurance Market
- 7.4.2 Role of Rating Agencies
- 7.5 A Changing Legal Landscape
- 7.5.1 Reactive Legal Developments
- 7.5.2 Articulated Damages
- 7.5.3 Class-Action Lawsuits
- 7.5.4 Cyber Liability Insurance for Law Firms
- 7.6 Compliance and Law Enforcement
- 7.6.1 Cyber Hygiene
- 7.6.2 The Weakest Link
- 7.6.3 Damages Provisions
- 7.6.4 Compliance Management
- 7.7 Law Enforcement and Cyber Crime
- 7.7.1 The Role of Law Enforcement Agencies
- 7.7.2 Low Conviction Rates
- 7.7.3 Cooperation of Private Sector with Law Enforcement
- 7.7.4 Specialist Police Cyber Crime Units
- 7.7.5 Interpol and Europol
- 7.7.6 Cyber Vigilantes
- 7.7.7 Battling Conficker
- 7.7.8 Ignorance Is No Excuse
- Endnotes
- Chapter 8 The Cyber-Resilient Organization
- 8.1 Changing Approaches to Risk Management
- 8.1.1 Identify, Protect, Detect, Respond, Recover
- 8.1.2 Threat Analysis
- 8.2 Incident Response and Crisis Management
- 8.2.1 Real-time Crisis Management: How Fighter Pilots Do It
- 8.2.2 Rapid Adaptation to Changing Conditions
- 8.2.3 Cyber Risk Awareness in Staff
- 8.2.4 Business Continuity Planning and Staff Engagement
- 8.2.5 Gaming and Exercises
- 8.2.6 Nudging Behavior
- 8.3 Resilience Engineering
- 8.3.1 Safety Management
- 8.3.2 Hotel Keycard Failure Example
- 8.4 Attributes of a Cyber-Resilient Organization
- 8.4.1 Anticipate, Withstand, Recover, and Evolve
- 8.4.2 Negative Attributes
- 8.4.3 Six Positive Attributes for Resilience
- 8.4.4 Cyber Resilience Objectives
- 8.5 Incident Response Planning
- 8.5.1 Forensic Investigation
- 8.5.2 Initial Breach Diagnosis
- 8.6 Resilient Security Solutions
- 8.6.1 Resilient Software
- 8.6.2 Detection, Containment, and Control
- 8.6.3 Minimize Intrusion Dwell Time
- 8.6.4 Anomaly Detection Algorithms
- 8.6.5 Penetration Testing
- 8.6.6 The Risk-return Trade-off
- 8.7 Financial Resilience
- 8.7.1 Financial Consequences of a Cyber Attack
- 8.7.2 Financial Risk Assessment
- 8.7.3 Reverse Stress Testing
- 8.7.4 Defense in Depth
- 8.7.5 Enterprise Risk Management
- 8.7.6 Cyber Value at Risk
- 8.7.7 Re-Simulations of Historical Events
- 8.7.8 Counterfactual Analysis
- 8.7.9 Building Back Better
- 8.7.10 Events Drive Change
- 8.7.11 Education for Cyber Resilience
- 8.7.12 Improving the Cyber Profession
- Endnotes
- Chapter 9 Cyber Insurance
- 9.1 Buying Cyber Insurance
- 9.1.1 Types of Cyber Insurance
- 9.1.2 Choosing a Cyber Insurance Product
- 9.1.3 How Much Cover Should I Buy?
- 9.1.4 Isn't Cyber Loss Already Covered in My General Liability Insurance?
- 9.1.5 Cyber Insurance Against Property Damage
- 9.1.6 Are There Alternatives to Buying Cyber Insurance?
- 9.2 The Cyber Insurance Market
- 9.2.1 The Growth of the Cyber Insurance Market
- 9.2.2 Cyber Insurance Is Profitable (Until It Isn't)
- 9.2.3 Expectations and Reality for the Cyber Insurance Market
- 9.2.4 Cautious Insurers
- 9.2.5 Expanding Capacity for Cyber Insurance
- 9.3 Cyber Catastrophe Risk
- 9.3.1 How Much Risk Capital Is Needed for Cyber Claims?
- 9.3.2 Allocation of Capacity
- 9.3.3 Uninsurability of Cyber Risk
- 9.3.4 Growing Confidence in the Management of Cyber Tail Risk
- 9.4 Managing Portfolios of Cyber Insurance
- 9.4.1 Insurance Market Segmentation
- 9.4.2 Accumulation Management
- 9.4.3 Probable Maximum Loss Scenarios
- 9.4.4 Probabilities of Extreme Cyber Losses
- 9.5 Cyber Insurance Underwriting
- 9.5.1 Rating and Risk Selection
- 9.5.2 Cyber Loss Ratio Variation
- 9.5.3 Causes of a Large Loss
- 9.5.4 Shaping Portfolios by Underwriting
- 9.5.5 The Underwriting Questionnaire
- 9.5.6 Predictive Power of Company Attributes
- 9.6 Cyber Insurance and Risk Management
- 9.6.1 Protecting the Balance Sheet
- 9.6.2 Creating a Cyber Insurance Industry to Meet Corporate Needs
- Endnotes
- Chapter 10 Security Economics and Strategies
- 10.1 Cost-Effectiveness of Security Enhancements
- 10.1.1 Impact of Security on Cyber Loss Likelihood
- 10.1.2 How Security Enhancements Change the Scenarios
- 10.1.3 Cost-Effectiveness Surveys
- 10.1.4 Cost-Effective Technologies
- 10.1.5 Making Smarter Investment Decisions
- 10.2 Cyber Security Budgets
- 10.2.1 How Much Should an Organization Spend on Cyber Security?
- 10.2.2 What Is Your Security Attitude?
- 10.2.3 Risk-Informed Security Enhancement
- 10.2.4 Gauging Your Security Spend to Expected Loss
- 10.3 Security Strategies for Society
- 10.3.1 Finding Bugs Before the Bad Guys Do
- 10.3.2 The Odds Are Not on Our Side
- 10.3.3 Bug Economic Valuation
- 10.3.4 Heartbleed - A Hidden Vulnerability
- 10.3.5 Bug-Hunting Businesses
- 10.3.6 Zero Day Brokers
- 10.3.7 Risk Implications of the Market for Zero Days
- 10.4 Strategies of Cyber Attack
- 10.4.1 Cyber Attacks and Game Theory
- 10.4.2 Choice of Cyber Attack Technology
- 10.4.3 Hacker Motivations
- 10.4.4 Turning Hackers Legitimate
- 10.4.5 Functioning Black Markets
- 10.4.6 National Conflict Strategies
- 10.4.7 Improving Attribution
- 10.4.8 Strategies of State-sponsored Cyber Teams
- 10.5 Strategies of National Cyber Defense
- 10.5.1 Preparing for Cyber Conflict
- 10.5.2 Theft of Intellectual Property
- 10.5.3 Bringing Cyber Criminals to Justice
- 10.5.4 Putting Bounties on Their Heads
- 10.5.5 The Importance of the CISO
- Endnotes
- Chapter 11 Ten Cyber Problems
- 11.1 Setting Problems
- 11.1.1 The Hilbert Problem Set
- 11.1.2 Ten Problems for Solving Cyber Risk
- 11.1.3 Security as Well as Functionality
- 11.1.4 Rethinking the Design Time Horizon
- 11.1.5 Managing an Evolving Threat
- 1 The Canal Safety Decision Problem
- 2 The Software Dependency Problem
- 3 The Vulnerability Inheritance Problem
- 4 The Vulnerability Count Problem
- 5 The Malware Overlap Problem
- 6 The Vulnerability Lifespan Problem
- 7 The Binary Similarity Problem
- 8 The Virus Modification Problem
- 9 The Cyber Criminal's Dilemma Problem
- 10 The Security Verification Problem
- Endnotes
- Chapter 12 Cyber Future
- 12.1 Cybergeddon
- 12.1.1 Choosing Our Tomorrow
- 12.1.2 Hacker Hordes Rise
- 12.1.3 More Powerful Attack Technologies Are Deployed
- 12.1.4 No Data Is Safe
- 12.1.5 Splinternet
- 12.1.6 Consumer e-Commerce Dies
- 12.1.7 Cyber War
- 12.2 Cybertopia
- 12.2.1 Exorcism of Ghosts in the Code
- 12.2.2 Twenty-First-Century Law Enforcement
- 12.2.3 Geneva Convention for Cyber Operations
- 12.3 Future Technology Trends
- 12.3.1 Security and Cryptography
- 12.3.2 The Future of Passwords
- 12.3.3 Passwords Should Have High Entropy
- 12.3.4 The Security of Data Encryption
- 12.3.5 Asymmetric Cryptography
- 12.3.6 Elliptic Curve Cryptography
- 12.3.7 The Quantum Computing Horizon
- 12.3.8 Quantum Computing as a Security Risk
- 12.3.9 Quantum Key Distribution
- 12.4 Getting the Cyber Risk Future We Want
- 12.4.1 Multi-pronged Approach
- 12.4.2 Increased Cost of Cyber Safety
- 12.4.3 Ten Recommendations for Our Cyber Future
- Endnotes
- References
- Index
- EULA
System requirements
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (only limited: Kindle).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our eBook Help page.