Author: DKALYA

Risk in Security

I typically don't delve into this topic unless I am asked to speak about it at a conference or in a group discussion. While I admit I do not have all the certifications in place to be a subject matter expert, I do feel that to understand the importance of cybersecurity frameworks in OT security, you need to understand some basic math and statistics. This post introduces those fundamental concepts.

Where do I begin?

Math Concepts:

It all starts with understanding that there are many thoughts, ideas and methodologies in cybersecurity practice. One thing is for sure: you will need some basic understanding of math. If I were starting from nowhere, I would pick up a book on statistics and probability; however, some basic concepts such as uncertainty and risk are what matter most.

There is one vital concept that you need to understand very well: uncertainty. In the case of a data breach, we are not certain, or we lack the data and information, to calculate the true outcome of the breach or when it will actually occur. For example:

“There is a 35% chance that company ABC will have a data breach / data leak incident sometime in the next four years”

The objective is to be able to measure something and predict an outcome. In this particular example, we are very certain about when (within what time frame) something will happen.

“There is a 30% chance that company ABC will have a cyberattack in the form of a data breach or data leak in the next three years”

Here is the same example, with certainty about what the data breach will result in (a loss) for the organization.

“There is a 20% chance that a data breach or data leak will result in a fine under the GDPR regulation in the amount of $5 million for company ABC”

Risk Terminologies

For cybersecurity and other risk management methodologies, understanding the terms Vulnerability (V), Threat (T), Impact (I) and Likelihood (L) is essential to be able to measure risk and apply countermeasures. I also want to point out that there are two main approaches to risk management: a qualitative (subjective) approach and a quantitative approach. Which approach is better? There are studies that argue against the qualitative approach; read What's Wrong with Risk Matrices? by Tony Cox (link to original publication).

However, if you are a beginner in risk analysis, I certainly recommend you start with qualitative analysis for your own understanding. Also, choosing between the two is like choosing between a scoop of vanilla ice cream in a cup and a spoon of vanilla Dippin' Dots.

In order to understand both the qualitative and the quantitative approach to risk analysis, there are some key risk terms one needs to understand.

The case of the Sandwich Thief.

Let us say I have a special sandwich, my asset, which is very valuable and may contain a secret sauce or ingredient. The value of this asset is $10; that is how much it cost me to make it. Now, if I really want to protect it from a sandwich thief, I need to know how valuable it is. Did I not just say $10? But that is not its true value. If I were to lose the $10 sandwich, it might cost me $30. Why? Well, when the sandwich was made the ingredients were cheaper, maybe I got a discounted price, or I might spend $20 on refrigeration over its shelf life. Understanding this value is very important, because if I put a countermeasure in place, such as a lock on a cabinet or something more secure than that, I want to make sure I am not spending more than the asset is worth. Who makes that decision?

Vulnerability (V):

In cybersecurity, a vulnerability is a flaw, a weakness, a missing defense. This can be accidental or intentionally put in place.

A real-world analogy: “Padlocks are the easiest locks to pick, as they have a massive vulnerability in the form of easy access to the locking pin and cylinder mechanism, which can be aligned to pop the lock open.”

Threat (T):

A threat is the potential exploitation of a vulnerability that could result in a negative outcome. In cybersecurity, a threat is the exploitation of a vulnerability in a network, software or hardware that would allow a threat actor to gain privileged access to the system.

For example, a sandwich thief (threat actor) is a threat to your sandwich that is stored in a kitchen cabinet with a padlock. How do we compute risk from threat and vulnerability?

Impact (I):

Before we can define the risk, we also need to know what this incident would cost us: its impact. Impact is the magnitude of harm that can be expected to result from a threat exploiting a vulnerability.

A sandwich stolen from the locked kitchen cabinet will result in a loss of $30 to your net worth.

We are almost ready to calculate risk. For the thief to exploit the vulnerability, that is, to pick the padlock, may seem easy enough, but what if I told you the kitchen is located in a guarded location with 24 hours a day, 7 days a week surveillance and monitoring? Then what is the likelihood of such an event (incident) even taking place? You could say improbable or no chance at all, and the impact would be moderate (subjective analysis).

We can express impact subjectively as follows:

Example 1:
Negligible-1, Minor-2, Moderate-3, Significant-4, Severe-5

Example 2:
Low-1, Moderate-2, High-3

Likelihood (L):

This is the probability that a threat will exploit the vulnerability. It is usually not a specific number but a range.

Example 1:
Frequently-5, Likely-4, Occasionally-3, Very Seldom-2, Not Likely at all-1

Example 2:
1=very unlikely, 2=low likelihood, 3=likely, 4=highly likely, and 5=near certain.

Risk Matrix / Risk Heat Map:

From these two scales we can then draw the Risk Matrix, also called a Risk Heat Map: likelihood on one axis, impact on the other, and each cell rated by combining the two.

As you can see, the qualitative analysis process involves judgment, intuition and experience. For example, if I am a CSSP – Certified Sandwich Security Professional, then with my intuition and judgment I can categorize the risk of a sandwich thief stealing the sandwich as LOW, based on my understanding that it is unlikely for the thief to get into the kitchen and steal the sandwich, which could have a potential loss of $30, which is moderate. So, would I invest in any countermeasures? As this risk is low, I would not consider it and would accept this low risk.

End of this lesson; keep an eye out for more. Next: the Quantitative Approach.

InfoSecWOTD#21 Ciphertext 🧮

Today’s #InfosecWOTD Day 21 is

#Ciphertext 🧮

When you take plain text and apply an encryption algorithm to it, the resulting text is called ciphertext. The algorithm is called a cipher.

The word cipher (cypher) has its origins in the Arabic word صفر (sifr), which means zero; it took many centuries for the word to come to mean encoding.

That is it for today. Follow me for more tidbits, and hit that like button on this post to automatically engage in a conversation and keep #Learning! A new word will be posted tomorrow.

Are you looking for the previous word of the day? Just search #INFOSECWOTD. #learning #cybersecurityawareness #cybersecurity #INFOSECWOTD #cipher #ciphertext #cypher

InfoSecWOTD#19 Cryptojacking 💸😈

Today’s #InfosecWOTD Day 19 is

#Cryptojacking 💸😈

Cryptojacking is the unauthorized use of personal or enterprise systems for crypto mining. Crypto mining refers to the activity of solving cryptographic puzzles with computing hardware in order to earn cryptocurrencies such as Litecoin, Dogecoin, Bitcoin, etc.


Are you looking for the previous word of the day? Just search #INFOSECWOTD. #learning #cybersecurityawareness #cybersecurity #INFOSECWOTD #cryptocurrency #crypto #dogecoin #bitcoin #Cryptojacking

InfoSecWOTD#18 RaaS 💀💰

Today’s #InfosecWOTD Day 18 is

#RaaS 💀💰

It stands for Ransomware as a Service. This type of cloud offering is illegal; it works very similarly to any other cloud service (anything as a service, XaaS) and is used by bad actors to amplify ransomware attacks.

RaaS is a subscription-based model that enables its customers, or affiliates, to use existing ransomware tools and other exploits to execute ransomware attacks.

In recent months, the malicious group REvil has emerged as a very strong operator of these RaaS-based attacks and is behind the Kaseya VSA attack. Read more here: https://unit42.paloaltonetworks.com/revil-threat-actors/


Are you looking for the previous word of the day? Just search #INFOSECWOTD. #learning #cybersecurityawareness #cybersecurity #INFOSECWOTD #RaaS #ransomwareattack #kaseya #kaseyavsa

InfoSecWOTD#17 Catfishing 🐱🎣

Here is a fun #InfosecWOTD, Day 17, and it is

#catfishing 🐱🎣

Catfishing and phishing have a lot of similarities. Catfishing is a form of social engineering attack in which an individual, aka the catfish, sets up a false personal profile on a social networking site such as LinkedIn for fraudulent or deceptive purposes.

You can apply very similar strategies to the ones you use against phishing to avoid becoming a victim of a catfishing attack.


Are you looking for the previous word of the day? Just search #INFOSECWOTD. #learning #cybersecurityawareness #cybersecurity #INFOSECWOTD #Catfish #catfishing #phishingattacks

InfoSecWOTD#16 Backdoor 🚪

#InfosecWOTD Day 16 is

#Backdoor 🚪

A backdoor in technology or devices is a secret or undocumented vulnerability in computer software or hardware that is sometimes intentionally maintained or put in place by developers and engineers to gain remote access.

As it is undocumented in most cases, when found by individuals with malicious intent it can be used to gain unauthorized remote access to, and exploit, such devices or systems.


Are you looking for the previous word of the day? Just search #INFOSECWOTD. #learning #cybersecurityawareness #cybersecurity #INFOSECWOTD #APT #HACKERS #THREATS #backdoor

InfoSecWOTD#15 APT 💀⚓

Today’s #infosec Word of the Day #15 is

#APT 💀⚓

It stands for Advanced Persistent Threat: a threat actor who is acting for an organized crime operative such as a nation state or a state-sponsored criminal group.

They are typically well funded, use cutting-edge technology and target high-value companies to conduct cyber espionage and theft of intellectual property for financial gain.


Are you looking for the previous word of the day? Just search #INFOSECWOTD. #learning #cybersecurityawareness #cybersecurity #INFOSECWOTD #APT #HACKERS #THREATS

InfoSecWOTD#14 NGFW 🔥🧱

Today’s #infosec Word of the Day #14 is

#NGFW 🔥🧱

In computer networking, it stands for Next-Generation Firewall (FW). There are many kinds of FWs. For example, a stateful firewall monitors and tracks the state of all traffic (data) on a network in order to defend based on traffic patterns and flows. Other types of FWs exist, and they are commonly grouped together as traditional FWs.

An NGFW provides capabilities beyond a traditional, stateful firewall. While a traditional firewall typically provides stateful inspection of incoming and outgoing network traffic, a next-generation firewall adds features such as application awareness (whitelisting/blacklisting of applications), intrusion detection and prevention, cloud-delivered threat intelligence, and more.


Are you looking for the previous word of the day? Just search #INFOSECWOTD. #learning #cybersecurityawareness #cybersecurity #INFOSECWOTD #NGFW #Firewall #IPS #IDS #ApplicationWhitelisting #Network #CISCO #FORTINET #Checkpoint

InfoSecWOTD#13 Warm Site 🌓

Today’s #infosec Word of the Day #13 is

#WarmSite 🌓

It is summer in most parts of the world, but a warm site is not what you think it is. A warm site is the middle ground between two other disaster recovery options in your Disaster Recovery Planning (DRP): a hot site 🌕 and a cold site 🌑.

A hot site is a backup facility that represents a mirrored copy of the primary production center. A cold site represents the same work area, recovery space and infrastructure support as a hot site, but it does not function as a complete mirrored copy of the primary production center.

So a warm site is simply a backup facility with all of the primary production equipment but without the actual data or information: a middle ground between a hot site and a cold site.


Are you looking for the previous word of the day? Just search #INFOSECWOTD and you will be able to find them. #learning #cybersecurityawareness #cybersecurity #INFOSECWOTD #Hotsite #warmsite #Coldsite #DRP