Protega Blog

What is the true cost of a Cyber Breach? Find out what our Regional Sales Manager, Tim Newland, has to say on the topic

Terry Swan - Friday, December 09, 2016

Written by our Regional Sales Manager, Tim Newland, and published in the Australian Security Magazine

What IS the true cost of a Cyber Breach? Having worked in the technology sector for many years, and more recently specialising in the cyber security space, I often read articles around ‘the true cost of a cyber security breach’.

As a security champion and seasoned consultant to both the government and private sector, I feel as if I should be promoting fear mongering and jumping on the band wagon, applying scare tactics and enforcing this style of selling for financial gain. However I feel uncomfortable with throwing unsubstantiated numbers around and generalising on events that we know very little or nothing about, especially when it comes to private businesses being compromised.

Having read numerous articles there seems to be a massive variance here without anyone actually having solid statistics, cross-referenced against all the scenarios. Granted AHPRA & AGO would have some statistics, but this would only be relevant to a handful of larger organisations that responded to the surveys or have in fact had a reported breach. Again, this doesn’t support the multiple articles substantiating breach costs of A$100k and others suggesting costs up to US$7m. Albeit these articles apply to varying organisations based in different locations on a global scale that will be governed by different compliance laws. In essence, the cost of the breach depends on the sector, what has been taken, reputational damage and what the penalties are around this, not excluding the response time needed and other mitigating factors.

I find it hard to make a generalist statement that a breach would cost upward of “x” amount of millions of dollars, these figures would seem to apply to less than 10% of the corporate market (large corporates). The remaining companies wouldn’t be able to afford a breach at that kind of cost, it would fold the company and I don’t hear a lot about companies going out of business due to a breach (not to say there hasn’t been any).
So, removing all the noise and the fear mongering from the equation, there is no simple answer to this. It is hard to track as the majority of private sector companies are not regulated here in Australia. Perhaps when the mandatory breach notification laws are passed and we have more information we can accurately make decisions on the actual cost of a breach within specific industry sectors, types of breaches and the knock-on effects this has had to companies. Then, and only then, can we advertise and label a breach with a specific price tag in mind.

Some Managed Security Service Providers (MSSP) may have some statistics and information surrounding breaches, especially if they have a large volume of customers. Although the large volume of customers would still only apply to a small percentage of the market, again, these would be speculative numbers that would generally not be released due to sensitive information and confidentiality issues, nor would it give them the ability to make mass generalisations on the cost of an average breach.

The point here is to not ignore the fear mongering but to take it with a pinch of salt. Do not be complacent and think it will never happen to you because the fact of the matter is, it probably will. Various hacker groups look for SMB companies to test their malware before they hit the large corporates so if anything, this makes the SMB sector a far greater target than the larger institutions.

Ensure you are having regular security health checks and test your critical infrastructure, make sure you have end point protection, Next Gen Firewalls and a solid Incident Response Plan in place to deal with the technology aspect and possibility a breach. I’d also recommend you have regular and appropriate staff training in place to deal with the human element.

Partner with a security consultancy that takes the time to understand the risks faced by your business and has a great view of your particular industry vertical. Make sure they will be able to identify what specific risks to that particular industry are applicable and understand if there are specific events that have affected organisations in your competitive landscape allowing you to mitigate the risks and bolster your defences where needed, rather than throwing budget into areas that you feel you have to because you have succumbed to the fear mongering!

Mitigating the risk can often be a complex process, some quick wins to be thinking about: Patching applications, restricting admin privileges, application whitelisting and regular re-enforcement of training to your staff to prevent Phishing attacks – which has proven to be the main instigator of successful cyber-attacks. Be prepared, have a plan and stay ahead of the bad guys as much as you can but don’t be blind-sided by tactical fear mongering and crafty marketing.

Obstinately clinging to iconic obsolescence

Terry Swan - Friday, November 11, 2016

Protega have been published!

Our Director, James Wootton, has had the following article published in the Australian Security Magazine. Enjoy reading it!

James Wootton

As those around me in the Protega office will tell you, combine information security and a certain clichéd icon or photo-stock image and it’s a recipe that is guaranteed to get me to turn the rage on – The padlock! Put the words cyber and padlock together and google will churn out around 364,000 results. Everything from the purchase of padlocks to ransomware; to convincing you a solution is secure because of its presence, something a depressingly small number of us know is simply not the case!

I wandered down to my local convenience store, handed over my $8 and purchased a stock brass-bodied padlock. This is one that the public clearly believe does the job because the lady behind the counter told me, it was a ‘good seller’.

It looks the part. A solid brass bodied, steel shackled device, oozing safety and confidence; it says it will protect your cherished items! Except a mere 5 seconds later, with only a lock pick and no torsion bar, the lock turned out to be much as expected; all brass, no protection!

But, in the same way your life is shattered the day you discover there is no Santa Claus, every competent locksmith will tell you that the vast majority of padlocks are nothing more than the illusion of security and should be treated with equal scepticism.

I assert that Padlocks are therefore the worst possible analogy and pictorially, the worst possible distortion of acceptable standards for information security.

Let me humour/frighten you with a physical-world analogy, where we recognised decades ago that in the ‘normal’ world, threat prevention and keeping the bad guys out requires a defence-in-depth risk mitigation strategy. A (hopefully) appropriate combination of guards, guns, dogs, walls, gates, locks, alarms, lights, cctv monitoring and insurance(!) will be involved, dependent upon the appetite for perceived risk, versus constraints. Sorry for anyone being taught to suck eggs, but let me explain by picking a risk scenario very real to all of us.

Consider the risks to your family and valuable belongings (assets) In your home. You definitely considered how to keep your family safe, right? You probably considered theft of your assets next, let’s face it, no one wants to lose their 6ct diamond necklace or 1968 ‘Bullitt’ Mustang! To a greater or lesser extent, you probably considered other threats such as Fire and Storm damage. Thinking about the counter measures that are deployed to mitigate these risks, can be an interesting exercise. Try thinking about the controls deployed in the negative, what haven’t you addressed (gap):

  • Locks – Chosen by Previous occupier, seemed ok when you made the risk assessment, but who has all the keys and are the locks any good?
  • Working Fire alarm?
  • Working Smoke alarms?
  • Secure safe for high value assets?
  • Secure Doors?
  • Secure Windows?
  • Secure garage door?
  • Adequate and appropriate Insurance?

Hands up all those that considered every element of the above and felt they made an accurate assessment of each? Or, did you make a shoulder shrugging gesture whilst thinking, ‘good enough’? Those with their hand up, for starters, shouldn’t take things so literally, but nonetheless, well done! But wait, was your risk assessment based upon evidence, experience, assumptions or perception? Humans are really bad at calculating accurate risk assessments, which is the very reason why society attempts to legislate against stupid activities, likely to harm us or others! Our approach to risk is nevertheless usually the minimum effort and expenditure that convinces us (and our conscience) that we’ve considered the risks and we’ve made a conscious decision, albeit not necessarily having made an accurate one!

So, why do we cling to broken technologies that are woefully inadequate in cyberspace?

Just like the padlock, we probably just don’t understand how much risk we are carrying, because we didn’t want to ask the question or we didn’t know the right question to ask. Any security professional worth their salt will tell you that the typical organisation’s computing devices aren’t protected by the technologies we have become comfortable with (AV, limited endpoint protection etc.) and aren’t worth the money and time invested in them If they aren’t protecting you from the today’s crop of threats. In some organisations I’ve assessed, they have actually increased business risk by weakening their systems, turning off such things as Microsoft Windows Defender/Essentials and continuing to use their preferred third party AV solution, without understanding the consequences of doing so, or assessing if the product even works (it didn’t!) In any case, Anti-Virus doesn’t address today’s user-based ‘social engineering’ attacks and your firewall is unlikely to be designed to either. Sorry to say, vouge cloud-based solutions aren’t the panaceas of information security either. For example, moving a mail solution to Office365 will not prevent the majority of spam and barely stop the simplest of spear phishing attacks, because that isn’t what it does! Marketing are partly to blame in the mad rush to sell cloud-based systems because they’re secure (usually meaning the communications are secure, via https and even that’s debatable!)

Enough rhetoric, present me with a solution already!

Ah, I’m afraid the classic ‘depends’ is my oh-so-clever answer. Not because I’m basking in the glow of my own smugness, but because it depends upon the values of or sensitivity attributed to the assets you want to protect and of course, how risky you’re prepared to be; not forgetting your assessment of residual risk may be suspect! If, like the devotees of the padlock, you just want the illusion of security, then maintain status quo; it’s all good. Don’t be surprised though when your online world comes crashing down and you have no strategy to recover. 

More practically, investigate technologies, procedures, techniques and training that add to your defence-in-depth strategy and don’t buy into the ‘snake oil’ often peddled, especially around ‘cloud’.

From an organisational standpoint, consider elements of the following, balancing bang for buck:

  • Policy overhaul and possibly security accreditations to focus your efforts;
  • User awareness training;
  • Sandboxing and content analysis technologies;
  • Much as I hate the phrase, application aware, next generation firewalls;
  • User and Networking behavioural analytics.

And if you don’t understand how all this bolts together, it’s likely that you aren’t going to address the risks you really need to. After all, you wouldn’t perform surgery yourself, or let a general surgeon loose on your brain. Find an expert, someone that can advise you, someone that you can trust. I know such a person and a company…..

AISA Cyber Security National Conference

Terry Swan - Thursday, October 13, 2016
Protega are attending the AISA Cyber Security National Conference today and tomorrow - make sure to say hello if you are here!

Hang 'em high! (or Educate) - The social and moral dilemma!

Terry Swan - Friday, October 07, 2016
Written by Protega Director, James Wootton

Catching up on recent events and seeing that the Tesla model S is the latest in the line of vehicles to be researched and hacked, I remember one headline a couple of months ago catching my attention:

"Car Hackers Could Face Life In Prison!"

Which doesn’t seem to be a proportional response and I had to investigate the ‘meat’ of this bold headline. It refers to proposed US Michigan State legislation, and a bill sponsored by two state senators probably intended to protect the fledgling connected and autonomous vehicle industry within the state. Anyone falling foul of the bill could face up to life in prison.

"I hope that we never have to use it," Kowall said. "That's why the penalties are what they are. The potential for severe injury and death are pretty high."

State Senator Kowall is one of the sponsoring senators and his comment says it all. I can't help but feel that it's another knee-jerk reaction to the symptom, not the cause. I’m reminded of a number of previous car-related hacks that the Jeep Cherokee hack demonstration kicked-off, July last year. It highlighted the risk inherent in designing systems without really understanding the threats scenario against the vulnerabilities, unintentionally designed into the vehicle's interconnected and seemingly unrelated systems. Gone are the days when wire was just wire and it seems that the auto industry is still stuck in a time of propriety obscurity, rather than considering the secure design of interconnected, safety critical components. Disappointingly, FCA (the owners of Jeep) chose to spin the message rather than acknowledge that FCA's code was "a bit rubbish" and that their design process, software development and testing processes most likely lacked a critical component... Anyone? Glow with a halo of self-righteousness if you sagely answered correctly, ‘Security’!

"To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle."
"...the vulnerabilities uncovered by Miller and Valasek in their laboratory tests."

Both of the above are quoted from the FCA blog, and what a great job they've done there to dress up the turkey! A good job it wasn't a hack against a ‘real’ Jeep Cherokee, just a ‘laboratory mock up’. Hold up, wasn't it Miller's Jeep Cherokee they used?...

"Some of these people are pretty clever," Kowall said. "As opposed to waiting for something bad to happen, we're going to be proactive on this and try to keep up with technology."

This made me cringe and displayed the lack of understanding required to adequately deal with such issues. I want to make it clear that I’m not justifying malicious hacking activities, but this is creating law for the sake of it - cue hand rubbing lawyers, the only winners here. Sure, prosecute the alleged infringement, but equally prosecute any blatant negligence too.

"Lengthy attack", "difficult", "propriety", "air gap"; are all words and phrases used by the spin doctors in the obfuscation of the facts. "Doh!" (To quote one of my favourite animated TV characters, with alarmingly similar characteristics and thought patterns.)

I had hoped to think better of Tesla, but they too had a stab at spin. I’m clearly paraphrasing, but claiming ‘didn’t we do well by issuing a timely patch!’ doesn’t fill me with the confidence that they understand that architecturally you just shouldn’t be able to get close to safety critical components through the infotainment system! Hands up all those happy with the prospect of autonomous vehicles driving down the road, carrying those dear to you, given the lack of basic understanding that led to this kind of security vulnerability?

All of which nicely takes me back to the subject of my article, education!

Education is a fundamental force for good, a huge learning opportunity across the board and should be a mandatory weapon in the arsenal when it comes to risk reduction activities, especially it seems within the automotive industry. Education, training and awareness should not be limited to just the parties involved in the design and creation. Other should be considered in need too:

  • Educate and not just about security! Security teams, system architects, software developers, system designers, software and security testers, the communications team and management, in their various guises. All of which badly need to be trained to understand their responsibility to the public and do things both safer and better, I'd be more likely to buy from organisations that put their hands up, say ‘mea culpa’ but then go on to demonstrate improvement.
  • Educate the public. We make a lot of assumptions that safety critical systems are secure and resilient, we believe for some reason that corporations have our best interests at heart. Sadly, for the majority, it just isn't true. During business risk analysis, we humans are reduced to a dollar figure and a human life doesn't equate to much on paper. We, the public, must get used to asking corporations to prove their commitment, shunning brands that aren't willing to disclose or constructively deal with challenges to their security posture.
  • Educate the politicians being lobbied by large corporations. Not all hackers are malicious, and quite frankly I'd like a third party to check any manufacturers homework, especially where the safety of my family may be in question! Again, I’m talking about ethical testing, not malicious attacking.

So there you have it. If you got this far, I'd like to know your thoughts. Do you believe we all should shoulder the burden of responsibility and, through a basic understanding of the risks, be in a position to influence manufacturers of cars and other devices, which could cause us injury simply because it was cheaper and easier to blame someone else for discovering the flaw, the flaw that shouldn’t have been present in the first place?

O.k. I led you there! Or, the alternative:

Be morally outraged that humans would be inquisitive enough to expose risks we’d rather not know are present in the devices manufacturers tell us are getting safer every day!

I appreciate I’ve just painted a very polarised picture, but I believe mediocrity should not be tolerated in safety critical systems and through this bias want others to realise it too!

Cyber Security Summit 16 in Sydney

Terry Swan - Thursday, September 22, 2016
Protega are excited to be attending the Cyber Security Summit 16 in Sydney today #AusCyberSummit