Case Study: Cyberthreats and Information Security Risk

After completing this reading, you should be able to:

• Provide examples of cyber threats and information security risks and describe frameworks and best practices for managing cyber risks.
• Describe lessons learned from the Equifax case study.

Examples of Cyber Threats and Information Security Risk

Cyber, technological, data protection, and information security risks are routinely ranked as the top concerns for operational risk practitioners in yearly surveys.

Typology of Information Security Risks

The term “information security” goes beyond just cyber dangers. Information may be misplaced, stolen, or accidentally made public, as well as lost from the theft or loss of paper records and other non-digital data.  These dangers have many root causes and distinct mitigation strategies.

The table below uses a four-quadrant technique to convey information security risks:

• Internal factors versus external factors (such as third parties).
• Data loss (including willful data corruption) versus data theft  (including involuntary corruption and accidental disclosure).

Table 1.1: Information Security Risks

$$\small{\begin{array}{l|l|l}
\textbf{Data Incidents} & \textbf{Theft or Corruption} & \textbf{Loss or Involuntary Disclosure} \\ \hline
\begin{array}{@{\labelitemi\hspace{\dimexpr\labelsep+0.5\tabcolsep}}l@{}}\text{Third parties and}\\\text{external causes}\end{array} & \begin{array}{@{\labelitemi\hspace{\dimexpr\labelsep+0.5\tabcolsep}}l@{}}\text{Physical theft.}\\\text{Digital hacking,}\\\text{cyberattacks}\\\text{and phishing.}\end{array} & \begin{array}{@{\labelitemi\hspace{\dimexpr\labelsep+0.5\tabcolsep}}l@{}}\text{System failures and third-party loss.}\end{array} \\ \hline
\begin{array}{@{\labelitemi\hspace{\dimexpr\labelsep+0.5\tabcolsep}}l@{}}\text{Internal causes}\end{array} & \begin{array}{@{\labelitemi\hspace{\dimexpr\labelsep+0.5\tabcolsep}}l@{}}\text{Theft or loss}\\\text{of information}\\\text{both digital}\\\text{and physical}\\\text{by employee.}\end{array} & \begin{array}{@{\labelitemi\hspace{\dimexpr\labelsep+0.5\tabcolsep}}l@{}}\text{Database and backup loss.}\\\text{Loss of company devices by employees.}\\\text{Errors when sending documents.}\\\text{Loss of printed documents.}\\\text{Accidental disclosure of information}\\\text{ to outsiders.}\end{array} \end{array}}$$

Cyberattacks – Cases and Threats

Although the financial sector is particularly vulnerable to cyber risk due to the high value of the transactions it facilitates, cyber threats are not unique to this sector.

Example 1: The Paradise Papers

One of the biggest data hacks in history was the Paradise Papers. Private information was taken in November 2017 from the Bermuda-based offshore legal firm Appleby and supplied to a German publication, which then shared the information with the International Investigative Journalists. Leaked information on high-profile individuals, companies, government officials, enterprises, and nations’ offshore interests exposed them to reputational harm and public outcry.

Example 2: Equifax

One of the biggest credit-scoring companies in the world, Equifax, was the target of a cyberattack in 2017 that made the data of 147 million people public. An outside hack on Equifax servers led to the breach. Following the release of this news, Equifax’s market capitalization decreased by nearly $5 billion.

Information Leaks – Malicious Insiders

Information security still applies to data leaks caused by dissatisfied or dishonest employees. Such occurrences are more comparable to internal fraud situations than external cyberattacks.

Example 1: Data Leak at an Insurance Company

A UK insurance provider experienced a data breach that affected 500,000 clients. An employee fraudulently copied names, dates of birth, and some contact information and offered them for sale on the dark web. Even though the offending employee was fired, the company faced repercussions. The regulator upped its monitoring and levied a £175,000 regulatory penalty.

Example 2: Cryptocurrency Leaks

In November 2021, a developer’s private keys were stolen in a phishing attack against bZx, a US-based blockchain platform for lending and trading, resulting in a $55 million loss.

Frameworks and Best Practices for Managing Cyber Risks

A number of market standards and advice materials are released and updated on a regular basis for two reasons. To begin with, these market standards and advice materials assist businesses in developing cybersecurity protection. Besides, they offer high-quality benchmarks useful for mitigating and measuring cyber fraud and technology risks. Businesses that seek to adhere to industry-related regulations usually need cybersecurity frameworks. 

Three cybersecurity standards dominate the market:

• The US National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF).
• The Center for Internet Security Critical Security Controls (CIS).
• The International Standards Organization (ISO) frameworks ISO/IEC 27001 and 27002.

The NIST Framework for Improving Critical Infrastructure Cybersecurity

The framework, which is optional, provides organizations with a summary of the best practices to assist them to choose where to concentrate their cybersecurity defense efforts.

The framework offers guidelines on how to analyze threats and vulnerabilities, weigh their consequences, and reduce the risks with specific solutions in order to help enterprises understand their cybersecurity risks. In addition to giving direction on how to respond to and recover from cybersecurity occurrences, the framework also encourages the use of root-cause analysis and use of lessons learned.

The framework’s main component is a set of cybersecurity tasks that adhere to the five fundamental processes of cyber defense: identify, protect, detect, respond, and recover. The following information is provided for each step by NIST:

Identify

Make a list of every piece of hardware, software, and information you use, such as computers, cellphones, tablets, and point-of-sale systems.

Create and distribute a company cybersecurity policy that details roles and duties for personnel and anyone else with access to sensitive information, as well as precautions to take to repulse attacks and minimize damage in the event that one does take place.

Protect

Control who accesses your network and uses your computers, other devices, and security software to protect your data. You should also frequently back up your data, update your security software, and have formal procedures for properly getting rid of electronic waste and devices.

Detect

Keep an eye on software, hardware (such as USB drives), and illegal employee access to your systems. Look for any unusual behavior by your personnel or on your network.

Respond

Make and test a strategy for notifying clients, staff members, and anyone else whose data may be in danger,  maintaining the smooth operation of the business, notifying law enforcement and other authorities of the attack, analyzing and preventing an attack, and preparing for unplanned occurrences that could endanger data, such as weather emergencies.

Recover

Repair and restore damaged equipment and network components after an attack and inform staff and clients of your response and recovery efforts.

Center for Internet Security (CIS)

Prioritized CIS measures are used to reduce the most common cyberattacks against systems and networks. The 18 CIS Critical Security Controls are:

$$\begin{array}{l|l}
\text{Control 1} & \text{Inventory and Control of Enterprise Assets} \\ \hline
\text{Control 2} & \text{Inventory and Control of Software Assets} \\\hline
\text{Control 3} & \text{Data Protection} \\\hline
\text{Control 4} & \text{Secure Configuration of Enterprise Assets and Software} \\\hline
\text{Control 5} & \text{Account Management} \\\hline
\text{Control 6} & \text{Access Control Management} \\\hline
\text{Control 7} & \text{Continuous Vulnerability Management} \\\hline
\text{Control 8} & \text{Audit Log Management} \\\hline
\text{Control 9} & \text{E-mail and Web Browser Protections} \\\hline
\text{Control 10} & \text{Malware Defenses} \\\hline
\text{Control 11} & \text{Data Recovery} \\\hline
\text{Control 12} & \text{Network Infrastructure Management} \\\hline
\text{Control 13} & \text{Network Monitoring and Defense} \\\hline
\text{Control 14} & \text{Security Awareness and Skills Training} \\\hline
\text{Control 15} & \text{Service Provider Management} \\\hline
\text{Control 16} & \text{Application Software Security} \\\hline
\text{Control 17} & \text{Incident Response Management} \\\hline
\text{Control 18} & \text{Penetration Testing}
\end{array}$$

The CIS recommendations are useful for businesses setting up or reviewing their cybersecurity procedures and an additional framework that can coexist with other industry-specific compliance requirements.

ISO/IEC 27001 – International Standard Organization

The International Standard ISO/IEC 27001 gives businesses general guidance on how to set up risk management processes for information security, as well as for its governance, policies, support, and communication. It offers guidance on operational planning and control, risk assessment for information security, and risk management. According to the standard, management reviews and audits both have a place in the context of information security.

The framework stipulates that an enterprise implementing ISO 27001 must have an information security management system that systematically controls its information security risks by locating threats and weaknesses in order to be eligible for certification. Organizations must also develop and implement information security policies, use a continuous risk management procedure, and always strive to update and improve their systems.

Essentials of Cybersecurity Protection and Monitoring

Technical safety precautions combined with suitable human actions result in effective risk minimization.  Confidentiality, Integrity, and Availability (CIA) are the three aspects of information protection. Two main categories can be used to classify information controls: Behavioral controls and technical controls.

Behavioral Controls

They relate to how people behave when managing and safeguarding information, and they are applicable to all kinds of information security concerns. They include awareness-raising initiatives, conduct, password management, data transfer rules, oversight, and penalties.

Technical Controls

This is related to detection and prevention. Preventative controls are aimed at external risks and pertain to system architecture, access, firewalls, encryption, passwords, and patching. Data breaches can be detected early using detective measures, whether they are internal or external.

Since information security measures are costly, the advantages of risk reduction must be weighed against the cost of control.

KRIs for Information Security

Risk monitoring examines how well controls are working as well as any unanticipated departures from the usual, such as adjustments to exposure, traffic, or employee conduct. The IT department is the first line of defense where all monitoring takes place. The second line of defense is the information security division. This department and IT may be separated. A set of behavioral and technical controls should be created, maintained, and monitored by the information security department, with failures and deviations acting as KRIs.

Lessons Learned from the Equifax Case Study

In the United States, Equifax is one of the biggest credit reporting companies. It has access to credit data for millions of people and companies. Hackers broke into Equifax’s networks in 2017 by taking advantage of a flaw in one of the systems. The attackers took credit card accounts, names, addresses, dates of birth, and other personally identifiable information from Equifax’s data bank.

The company’s cybersecurity procedures, guidelines, and resources were old and insufficiently managed. At the time of the attack, an audit had detected weaknesses in the patch management process. Equifax’s website had already been breached a year before the attack, exposing 430,000 names, addresses, social security numbers, and other pieces of sensitive data. Three days prior to the incident, an alert was sent to Equifax and communicated to 400 workers about the vulnerability that was the basis of the hack. However, not all relevant employees were in the email list. The National Institute of Standards and Technology (NIST), using the Common Vulnerability Scoring System, gave the discovered flaws in the patch management process the highest criticality score.

Equifax made up to $700 million in fines and restitution, of which $300 million was given to the people whose personal information was compromised in the hack.

The following significant flaws were identified in the case after analysis:

• The absence of a thorough inventory of IT assets.
• The patch management policy’s lax enforcement.
• Inconsistent staff communication regarding the fix of security flaws.
• An expired SSL certificate intended to examine network traffic that is encrypted.
• Ineffective external communication during crisis management.

Events with such high operational risk do not have a single root cause. They appear in weak operating environments that are marked by numerous governance and operational flaws, communication failures, and a lack of prioritizing in alerts and actions.

Practice Question

During a quarterly audit meeting, Pacifica Financial, a leading finance company, reviews its cybersecurity protocols. An executive on the team, Jane, brings up the Equifax data breach as a reminder of the vulnerabilities even the most prominent institutions can face. She presents a slide on lessons learned from the Equifax case study and asks for insights from the team.

Which of the following represents the most significant lesson Pacifica should prioritize to avoid a similar fate?”

A. Instituting robust password policies that mandate password changes every 30 days.

B. Ensuring a thorough and timely patching process for identified software vulnerabilities.

C. Regularly updating the company’s firewall systems.

D. Shifting all data to cloud-based storage solutions to minimize physical security risks.

Solution

The correct answer is B.

One of the primary factors in the Equifax data breach was the failure to patch a known vulnerability in a timely manner. A patch was available for the Apache Struts vulnerability almost two months before the breach, but Equifax did not apply it in time. This oversight allowed hackers to exploit the vulnerability and access sensitive data. Thus, ensuring a rigorous and prompt patching process for identified software vulnerabilities is crucial.

A is incorrect: While having strong password policies is essential for cybersecurity, the Equifax breach did not primarily occur due to weak passwords or a lack of password rotation. Instituting robust password policies would help in many cybersecurity scenarios but would not have prevented the Equifax breach.

C is incorrect: Regularly updating a company’s firewall systems is crucial for protecting against potential threats. However, in the context of the Equifax breach, the main vulnerability exploited was not directly related to firewall breaches. Therefore, while this is a good practice, it wouldn’t have been the primary lesson from the Equifax case.

D is incorrect: The Equifax breach was not due to physical security risks, so moving data to a cloud-based storage solution would not have directly prevented it. While cloud storage can offer various security benefits, it also comes with its own set of risks. Moreover, the decision to shift to cloud storage should be based on a comprehensive analysis of security needs, not solely as a response to the Equifax incident.

Things to Remember

• Proactiveness is Key: Equifax’s delay in patching a known vulnerability, despite the availability of a patch, highlights the importance of being proactive in addressing security concerns.
• Timeliness Matters: Acting promptly on identified vulnerabilities can be the difference between safeguarding data and experiencing a massive breach.
• Size Doesn’t Equate to Security: Even major corporations with extensive resources can be susceptible to breaches if proper cybersecurity protocols aren’t followed.
• Every Threat is Unique: Tailoring responses based on specific threats is critical. Not all security measures apply uniformly to every potential breach scenario.
• Continuous Vigilance: Institutions should maintain regular security audits and reviews, learning from past incidents, both internal and external, to bolster their defenses.