The recent hack at Twitter has reminded us of a fact we are all sorely aware of: an organization’s greatest asset may also be its greatest risk: its employees, the human factor in cybersecurity.
According to a statement made by Twitter, the event involved a multi-step “pretexting” attack in which attackers first gained access to internal systems via stolen credentials obtained from phishing emails sent to Twitter employee mobile devices and then proceeded to use the information contained in those systems to target privileged insider employees with access to the systems they were interested in. In doing so, the attackers successfully compromised 130 Twitter accounts.
The statement goes on to say, “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems. This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.”
Learn more about the event at Twitter here.
Taylor Maze is a Senior Risk Consultant for RiskLens.
While an employee was not the malicious attacker behind the hack at Twitter, the incident does pose important questions. How much cyber risk exposure do organizations face every year, either directly or indirectly related to employee actions? Based on the complicated series of events above, it is apparent that attackers will stop at nothing to target unwary employees. And short of resorting to a fully robotic workforce, what can be done to reduce that risk?
FAIR Risk Analysis for Employees and Cyber Security
The RiskLens platform integrates advanced quantitative risk analytics based on the FAIR™ standard, best-practice risk assessment and reporting workflows, industry-specific loss data, and data from your security ecosystem to quickly and easily quantify risk in economic terms. By doing so, you can understand your risk exposure today as well as objectively evaluate mitigation options.
The good news is that, in the Twitter example above, there are several risk reduction options that do not involve a dramatic layoff of the human workforce. In order to evaluate them and determine which is the best fit, we must first understand what the exposure might look like today. To do so, we need to be able to answer two questions:
Frequency: How often do we expect an external malicious actor will attempt to compromise sensitive information by gaining a foothold in the environment via social engineering?
Magnitude: How much financial loss will we experience each time that event occurs?
Below is a simplified version of the steps an external attacker might take when attempting to compromise sensitive information by gaining a foothold in the environment via social engineering.
Figure 1: Example Attack Chain
An attack chain is a great approach to logically determine a probable frequency of events. In this case, you would want to consider questions such as:
- How many phishing campaigns are reported in your organization, per year?
- What is your organization’s click rate on phishing email? Note: If you don’t have these values internally, you can use external resources such as the State of the Phish report for industry stats to get you started.
- Are there endpoint protection controls in your environment that might prevent a malicious file from executing when clicked? If so, how difficult are they to circumvent?
- If a successful foothold in your network were gained, what else stands between the threat actor and completing the attack? Identity Access Management controls may provide an additional level of protection.
Event Magnitude (Financial Loss)
The key consideration in determining how much financial loss may result from a loss event is how the loss will materialize. Using FAIR™, we take an activity-based costing approach to determining this. Below are common ways loss may materialize in this event:
- Incident Response Management
- Affected Party (i.e. Customer) Notification
- Regulator Notification
- Credit Monitoring Provided to Affected Parties
- Litigation Cost/Regulatory Fines/Settlements
- Reputation Loss (additional customer churn)
The RiskLens platform utilizes dynamic workshops with simple, intuitive questions to aid in deriving these values. Even better, when using the “Guided” mode of the platform, it automatically weeds out irrelevant activities and leaves you with only the ones that are applicable to the specific scenario you chose.
Current Financial Risk
Using the out-of-the-box reporting capabilities of the RiskLens platform, you will be able to understand the financial risk associated with this scenario as your environment is today.
Figure 2: Example Reporting
Above are example result exports from the RiskLens platform. The out-of-the-box reporting shows financial loss exposure on both an annual and a per-event basis, as well as how likely an event is to occur.
Please note: the results above are for example purposes only and are not meant to represent the specific event at Twitter.
Risk Reduction Alternatives
When considering risk reduction alternatives, we want to think about changes that will reduce either how often the event will occur or how much financial loss will materialize each time it does. Below are some examples of potential risk reduction options:
- Increased employee training/awareness
- New/enhanced Identity Access Management controls
- Multi-Factor Authentication (MFA) on key assets
- New/enhanced Data Loss Prevention (DLP) controls
Figure 3: Comparison Reporting
The benefit of quantitative risk analysis is the ability to assess control improvement opportunities objectively. Using the RiskLens platform, you can easily run “What If” analyses in which you change one or more of your inputs and evaluate the resulting change in loss exposure. The example above is comparing the baseline analysis and identified control improvement areas based on average annualized loss exposure.
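To make the frequency and magnitude reasoning concrete, here is a small Python model added as an illustration; it is not RiskLens platform code or output. It chains the attack-chain questions above (campaigns per year, click rate, endpoint and IAM block rates) into a loss event frequency, sums the loss forms listed under Event Magnitude into a per-event loss, multiplies the two into an annualized loss exposure, and then runs the "What If" comparison for the three risk reduction options. All numbers are constructed placeholders, not RiskLens data and not figures from the Twitter incident; the dataclass and function names are the example's own.

```python
from dataclasses import dataclass, replace
import random
import statistics


@dataclass(frozen=True)
class AttackChain:
    """One pass through the attack chain in Figure 1, with a point estimate per step."""
    campaigns_per_year: int       # phishing campaigns reported per year
    click_rate: float             # share of campaigns in which at least one employee clicks
    endpoint_block_rate: float    # chance endpoint protection stops the payload from running
    iam_block_rate: float         # chance IAM/MFA stops the foothold from reaching the target

    def loss_event_frequency(self) -> float:
        """Expected successful compromises per year: each step must be passed in turn."""
        return (self.campaigns_per_year * self.click_rate
                * (1 - self.endpoint_block_rate) * (1 - self.iam_block_rate))


@dataclass(frozen=True)
class LossMagnitude:
    """Activity-based cost per event, one field per loss form listed in the post."""
    incident_response: float
    customer_notification: float
    regulator_notification: float
    credit_monitoring: float
    litigation_fines_settlements: float
    reputation_churn: float

    def total(self) -> float:
        return sum(vars(self).values())


def annualized_loss_exposure(chain: AttackChain, loss: LossMagnitude) -> float:
    """Frequency x magnitude: the average yearly loss."""
    return chain.loss_event_frequency() * loss.total()


def simulate_years(chain, loss, years=20_000, seed=7):
    """Monte Carlo: treat each campaign as an independent trial and draw the per-event
    loss from a triangular spread of +/-30% around the point estimate."""
    rng = random.Random(seed)
    p_event = chain.loss_event_frequency() / chain.campaigns_per_year
    lo, mode, hi = 0.7 * loss.total(), loss.total(), 1.3 * loss.total()
    totals = []
    for _ in range(years):
        year_loss = sum(rng.triangular(lo, hi, mode)
                        for _ in range(chain.campaigns_per_year)
                        if rng.random() < p_event)
        totals.append(year_loss)
    totals.sort()
    return {"mean": statistics.mean(totals),
            "p90": totals[int(0.9 * years)],
            "max": totals[-1]}


def compare_options(baseline, options):
    """What-if table: (name, ALE, reduction vs baseline) for each (chain, loss) pair."""
    base_ale = annualized_loss_exposure(*baseline)
    rows = []
    for name, (chain, loss) in options.items():
        ale = annualized_loss_exposure(chain, loss)
        rows.append((name, ale, base_ale - ale))
    return rows


# Constructed placeholder inputs (not RiskLens data, not Twitter figures).
BASELINE_CHAIN = AttackChain(campaigns_per_year=40, click_rate=0.12,
                             endpoint_block_rate=0.60, iam_block_rate=0.50)
BASELINE_LOSS = LossMagnitude(incident_response=150_000, customer_notification=50_000,
                              regulator_notification=5_000, credit_monitoring=120_000,
                              litigation_fines_settlements=400_000, reputation_churn=250_000)

# Each option changes only the input it actually affects: training lowers the click rate,
# MFA raises the IAM block rate, DLP limits what leaves (smaller loss), not how often.
OPTIONS = {
    "training (click rate 12% -> 6%)":
        (replace(BASELINE_CHAIN, click_rate=0.06), BASELINE_LOSS),
    "MFA on key assets (IAM block 50% -> 90%)":
        (replace(BASELINE_CHAIN, iam_block_rate=0.90), BASELINE_LOSS),
    "DLP (litigation and churn halved)":
        (BASELINE_CHAIN, replace(BASELINE_LOSS, litigation_fines_settlements=200_000,
                                 reputation_churn=125_000)),
}

if __name__ == "__main__":
    base = (BASELINE_CHAIN, BASELINE_LOSS)
    print(f"baseline LEF {BASELINE_CHAIN.loss_event_frequency():.2f}/yr, "
          f"ALE ${annualized_loss_exposure(*base):,.0f}")
    print("simulated:", {k: round(v) for k, v in simulate_years(*base).items()})
    for name, ale, saved in compare_options(base, OPTIONS):
        print(f"{name:42s} ALE ${ale:>10,.0f}  reduction ${saved:>10,.0f}")
```

The point of the comparison table is the one the post makes: a control that changes a step near the end of the chain (MFA raising the IAM block rate) removes far more annualized exposure than one with the same-looking percentage change earlier in the chain, and a loss-side control such as DLP shows up in magnitude rather than frequency. The Monte Carlo run shows why the per-event and annual views in Figure 2 differ: most simulated years have zero events, so the mean is well below the loss of any single event.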
The example is just one of the many cyber risk scenarios related directly or indirectly to employee actions. While we can never fully eliminate cyber risk while remaining in business, we can take practical steps to keep it within a reasonable tolerance as cost-effectively as possible. By taking a rigorous and objective approach to cyber risk management, you can quickly begin to enable effective risk-based decisions in your organization.