Risk Reporting
After completing this reading, you should be able to: Identify roles and responsibilities...
Cyber, technological, data protection, and information security risks are routinely ranked as the top concerns for operational risk practitioners in yearly surveys.
The term "information security" covers more than cyber threats. Information can be misplaced, stolen, or accidentally disclosed, and it can be lost through the theft or loss of paper records and other non-digital media. These threats have different root causes and call for different mitigation strategies.
The table below presents information security risks in four quadrants, by source (external or internal) and by type (theft or corruption versus loss or involuntary disclosure):
$$\small{\begin{array}{l|l|l}
\textbf{Data Incidents} & \textbf{Theft or Corruption} & \textbf{Loss or Involuntary Disclosure} \\ \hline
\begin{array}{l}\text{Third parties and}\\ \text{external causes}\end{array} & \begin{array}{l}\text{Physical theft.}\\ \text{Digital hacking, cyberattacks}\\ \text{and phishing.}\end{array} & \text{System failures and third-party loss.} \\ \hline
\text{Internal causes} & \begin{array}{l}\text{Theft or loss of information,}\\ \text{both digital and physical,}\\ \text{by an employee.}\end{array} & \begin{array}{l}\text{Database and backup loss.}\\ \text{Loss of company devices by employees.}\\ \text{Errors when sending documents.}\\ \text{Loss of printed documents.}\\ \text{Accidental disclosure of information}\\ \text{to outsiders.}\end{array}
\end{array}}$$
Although the financial sector is particularly vulnerable to cyber risk due to the high value of the transactions it facilitates, cyber threats are not unique to this sector.
One of the biggest data leaks in history was the Paradise Papers. Private information taken from the Bermuda-based offshore law firm Appleby was supplied to a German newspaper, which shared it with the International Consortium of Investigative Journalists; the material was published in November 2017. The leaked information about the offshore interests of high-profile individuals, companies, government officials, and nations exposed them to reputational harm and public outcry.
Equifax, one of the biggest credit-scoring companies in the world, was the target of a cyberattack in 2017 that exposed the personal data of about 147 million people. The breach resulted from an external intrusion into Equifax's servers. Following the release of this news, Equifax's market capitalization fell by nearly $5 billion.
Data leaks caused by disgruntled or dishonest employees are also information security events, although they resemble internal fraud more closely than external cyberattacks.
A UK insurance provider experienced a data breach that affected 500,000 clients. An employee fraudulently copied names, dates of birth, and some contact information and offered them for sale on the dark web. Even though the offending employee was dismissed, the company still faced repercussions: the regulator increased its monitoring and levied a £175,000 penalty.
In November 2021, a developer’s private keys were stolen in a phishing attack against bZx, a US-based blockchain platform for lending and trading, resulting in a $55 million loss.
Market standards and guidance documents are published and updated regularly for two reasons. First, they help businesses build their cybersecurity defenses. Second, they provide benchmarks for measuring and mitigating cyber fraud and technology risk. Businesses that must comply with industry regulations usually rely on such cybersecurity frameworks.
Three cybersecurity standards dominate the market: the NIST Cybersecurity Framework, the CIS Critical Security Controls, and ISO/IEC 27001.
The NIST Cybersecurity Framework, which is voluntary, gives organizations a summary of best practices to help them decide where to concentrate their cybersecurity defense efforts.
The framework offers guidelines on how to analyze threats and vulnerabilities, weigh their consequences, and reduce the risks with specific measures, so that enterprises understand their cybersecurity risks. In addition to giving direction on how to respond to and recover from cybersecurity incidents, the framework encourages root-cause analysis and the use of lessons learned.
The framework's core is a set of cybersecurity activities organized around five fundamental functions of cyber defense: Identify, Protect, Detect, Respond, and Recover. NIST describes each function as follows:
Identify: Make a list of every piece of hardware, software, and information you use, such as computers, smartphones, tablets, and point-of-sale systems. Create and distribute a company cybersecurity policy that details the roles and duties of personnel and anyone else with access to sensitive information, as well as the precautions to take to repel attacks and to minimize damage if one does occur.
Protect: Control who logs on to your network and uses your computers and other devices. Use security software to protect your data and encrypt sensitive data. Back up your data regularly, update your security software, and have formal procedures for safely disposing of electronic files and old devices.
Detect: Monitor your computers for unauthorized access by personnel, unauthorized devices (such as USB drives), and unauthorized software. Investigate any unusual activity on your network or by your staff.
Respond: Make and test a plan for notifying clients, staff members, and anyone else whose data may be at risk; keeping the business operating; reporting the attack to law enforcement and other authorities; investigating and containing the attack; and preparing for unplanned events that could endanger data, such as weather emergencies.
Recover: Repair and restore damaged equipment and network components after an attack, and inform staff and clients of your response and recovery efforts.
The Center for Internet Security (CIS) publishes a prioritized set of controls designed to mitigate the most common cyberattacks against systems and networks. The 18 CIS Critical Security Controls are:
$$\begin{array}{l|l}
\text{Control 1} & \text{Inventory and Control of Enterprise Assets} \\ \hline
\text{Control 2} & \text{Inventory and Control of Software Assets} \\\hline
\text{Control 3} & \text{Data Protection} \\\hline
\text{Control 4} & \text{Secure Configuration of Enterprise Assets and Software} \\\hline
\text{Control 5} & \text{Account Management} \\\hline
\text{Control 6} & \text{Access Control Management} \\\hline
\text{Control 7} & \text{Continuous Vulnerability Management} \\\hline
\text{Control 8} & \text{Audit Log Management} \\\hline
\text{Control 9} & \text{E-mail and Web Browser Protections} \\\hline
\text{Control 10} & \text{Malware Defenses} \\\hline
\text{Control 11} & \text{Data Recovery} \\\hline
\text{Control 12} & \text{Network Infrastructure Management} \\\hline
\text{Control 13} & \text{Network Monitoring and Defense} \\\hline
\text{Control 14} & \text{Security Awareness and Skills Training} \\\hline
\text{Control 15} & \text{Service Provider Management} \\\hline
\text{Control 16} & \text{Application Software Security} \\\hline
\text{Control 17} & \text{Incident Response Management} \\\hline
\text{Control 18} & \text{Penetration Testing}
\end{array}$$
The CIS Controls are useful for businesses setting up or reviewing their cybersecurity procedures, and they form an additional framework that can coexist with industry-specific compliance requirements.
The international standard ISO/IEC 27001 gives businesses general guidance on how to set up risk management processes for information security, together with its governance, policies, support, and communication. It covers operational planning and control, information security risk assessment, and risk treatment. The standard also gives management reviews and audits a defined place in information security governance.
To be eligible for certification, an enterprise implementing ISO 27001 must operate an information security management system (ISMS) that systematically controls its information security risks by identifying threats and weaknesses. Organizations must also develop and implement information security policies, run a continuous risk management process, and keep updating and improving their systems.
Effective risk reduction combines technical safeguards with appropriate human behavior. Confidentiality, integrity, and availability (CIA) are the three properties that information protection aims to preserve. Information controls fall into two main categories: behavioral controls and technical controls.
Behavioral controls relate to how people behave when handling and safeguarding information, and they apply to all kinds of information security concerns. They include awareness-raising initiatives, codes of conduct, password management, data transfer rules, supervision, and sanctions.
Technical controls relate to prevention and detection. Preventive controls are aimed mainly at external threats and cover system architecture, access management, firewalls, encryption, passwords, and patching. Detective controls aim to identify data breaches early, whether their origin is internal or external.
Since information security measures are costly, the advantages of risk reduction must be weighed against the cost of control.
Risk monitoring examines how well controls are working and flags any unanticipated departures from the norm, such as changes in exposure, network traffic, or employee conduct. The IT department is the first line of defense, where day-to-day monitoring takes place. The information security function is the second line of defense; it may be a department separate from IT. The information security function should define, maintain, and monitor a set of behavioral and technical controls, with control failures and deviations serving as key risk indicators (KRIs).
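The paragraph above says that control failures and deviations become KRIs. The following is an added example (not code from the original reading) of how a second-line information security function might compute three such KRIs from monitoring data and rate them against thresholds for a risk report. All records, the control names, the thresholds, and the red/amber/green scale are constructed assumptions for illustration, not figures from any real firm or framework.

```python
"""Added example (not code from the original reading): turning control
failures and deviations into key risk indicators (KRIs) with thresholds,
as the information security function would for a risk report.

All records below are constructed sample data; the control names, the
thresholds and the red/amber/green (RAG) scale are assumptions for
illustration, not figures from any real firm or framework.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed patch-management records: (asset, patch id, due date, installed date or None).
PATCH_RECORDS = [
    ("web-01", "P-101", "2024-03-10", "2024-03-08"),   # installed on time
    ("web-02", "P-101", "2024-03-10", None),           # still missing
    ("db-01",  "P-102", "2024-03-05", "2024-03-12"),   # installed late
    ("app-01", "P-103", "2024-03-20", "2024-03-14"),   # installed on time
]

# Constructed phishing-simulation results: (employee, clicked the simulated lure).
PHISH_RESULTS = [("alice", False), ("bob", True), ("carol", False),
                 ("dave", False), ("erin", False)]

# Constructed network access control alerts: device addresses seen on the
# network that do not appear in the asset inventory.
UNAUTHORISED_DEVICES = ["aa:bb:cc:00:11:22", "aa:bb:cc:00:11:23"]


@dataclass
class KRI:
    name: str
    value: float
    amber: float          # at or above this value the KRI is AMBER
    red: float            # at or above this value the KRI is RED and escalated
    unit: str = "%"

    def rating(self) -> str:
        if self.value >= self.red:
            return "RED"
        if self.value >= self.amber:
            return "AMBER"
        return "GREEN"


def patch_sla_breach_rate(records, as_of: str) -> float:
    """Percentage of critical patches installed after their due date, or
    still missing once the due date has passed (a technical control failure)."""
    today = date.fromisoformat(as_of)
    breached = 0
    for _asset, _patch, due, installed in records:
        due_date = date.fromisoformat(due)
        if installed is None:
            breached += today > due_date
        else:
            breached += date.fromisoformat(installed) > due_date
    return 100.0 * breached / len(records)


def phishing_click_rate(results) -> float:
    """Percentage of staff who clicked in the simulation (a behavioural deviation)."""
    return 100.0 * sum(1 for _, clicked in results if clicked) / len(results)


def build_kris(as_of: str) -> list[KRI]:
    """Assemble the KRIs with their (assumed) amber and red thresholds."""
    return [
        KRI("Critical patches past SLA", patch_sla_breach_rate(PATCH_RECORDS, as_of), amber=10, red=25),
        KRI("Phishing simulation click rate", phishing_click_rate(PHISH_RESULTS), amber=10, red=25),
        KRI("Unauthorised devices on network", float(len(UNAUTHORISED_DEVICES)), amber=1, red=5, unit="devices"),
    ]


def escalations(kris: list[KRI]) -> list[str]:
    """Names of KRIs at RED: these go to the risk committee, not just the IT dashboard."""
    return [k.name for k in kris if k.rating() == "RED"]


def risk_report(as_of: str) -> str:
    """Plain-text KRI section of a risk report for the given reporting date."""
    kris = build_kris(as_of)
    lines = [f"Information security KRIs as of {as_of}"]
    for k in kris:
        lines.append(f"  {k.rating():5} {k.name}: {k.value:.1f} {k.unit} "
                     f"(amber >= {k.amber:g}, red >= {k.red:g})")
    esc = escalations(kris)
    lines.append("  Escalate: " + (", ".join(esc) if esc else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(risk_report("2024-03-15"))
```

The patch KRI counts a late installation as a breach even after the patch lands, so the indicator does not silently turn green once the backlog is cleared; the reporting date only matters for patches that are still missing. Thresholds are deliberately kept with the KRI definition rather than scattered in the report logic, so a change agreed with the risk committee is made in one place.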
Equifax is one of the biggest credit reporting companies in the United States, with access to credit data on millions of people and companies. In 2017, attackers broke into Equifax's networks by exploiting a known but unpatched vulnerability in one of its systems. They took names, addresses, dates of birth, credit card numbers, and other personally identifiable information from Equifax's databases.
The company's cybersecurity procedures, guidelines, and resources were outdated and poorly managed. An audit carried out before the attack had already identified weaknesses in the patch management process. Equifax's website had been breached a year earlier, exposing 430,000 names, addresses, social security numbers, and other sensitive data. Before the incident, an alert about the vulnerability that was later exploited had been received by Equifax and circulated to about 400 employees, but the distribution list did not include everyone responsible for the affected system. The National Institute of Standards and Technology (NIST), using the Common Vulnerability Scoring System, had rated that vulnerability at the highest criticality score.
Equifax paid up to $700 million in fines and restitution, of which $300 million was set aside for the people whose personal information was compromised in the breach.
Analysis of the case identified numerous significant flaws rather than a single root cause. Events with such high operational risk rarely have one cause; they arise in weak operating environments marked by multiple governance and operational failings, communication failures, and a lack of prioritization of alerts and actions.
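Two of the failings described above are mechanical enough to check automatically: an alert distribution list that does not cover every owner of an affected asset, and a patch whose installation is never verified. The following is an added example (not code from the original reading or from Equifax) that links an asset inventory to a vulnerability alert to find both gaps. The inventory, the alert, the distribution list, the rescan results, the component name "webfw", and the owner addresses are all constructed assumptions; versions are compared as exact strings, which is a simplification of what a real scanner does.

```python
"""Added example, not code from the original reading or from Equifax:
linking an asset inventory to a vulnerability alert so that (1) every
owner of an affected asset is on the alert distribution list and
(2) a follow-up scan confirms the fix actually landed.

All data below is constructed; the component name "webfw", the asset
names and the owner addresses are assumptions for illustration.
"""
from __future__ import annotations

# Constructed asset inventory (the NIST "Identify" step):
# asset -> (owner, {component: installed version})
INVENTORY = {
    "public-web-01": ("web-team@example.com", {"webfw": "2.3", "jre": "8"}),
    "public-web-02": ("web-team@example.com", {"webfw": "2.3", "jre": "8"}),
    "dispute-portal": ("portal-team@example.com", {"webfw": "2.3"}),
    "hr-db-01": ("dba@example.com", {"postgres": "13"}),
}

# Constructed alert: the component and versions it says are vulnerable,
# and the version that fixes the issue.
ALERT = {"component": "webfw", "vulnerable": {"2.3", "2.4"}, "fixed": "2.5"}

# Constructed distribution list the alert was actually sent to.
DISTRIBUTION_LIST = {"web-team@example.com", "security@example.com"}

# Constructed rescan after the patch window: the version each asset now
# reports for the component (an asset missing here was not scanned).
RESCAN = {
    "public-web-01": {"webfw": "2.5"},
    "public-web-02": {"webfw": "2.3"},
    "dispute-portal": {"webfw": "2.3"},
}


def affected_assets(inventory: dict, alert: dict) -> list[str]:
    """Assets whose inventory shows a vulnerable version of the alerted component."""
    comp = alert["component"]
    return sorted(asset for asset, (_owner, comps) in inventory.items()
                  if comps.get(comp) in alert["vulnerable"])


def required_recipients(inventory: dict, alert: dict) -> set[str]:
    """Everyone who owns at least one affected asset must receive the alert."""
    return {inventory[asset][0] for asset in affected_assets(inventory, alert)}


def distribution_gaps(inventory: dict, alert: dict, dist_list) -> set[str]:
    """Owners of affected assets who would NOT receive the alert."""
    return required_recipients(inventory, alert) - set(dist_list)


def still_exposed(inventory: dict, alert: dict, rescan: dict) -> list[str]:
    """Affected assets whose rescan does not show the fixed version.

    An asset absent from the rescan is treated as still exposed: "we did not
    look" is not evidence that the patch landed. Versions are compared as
    exact strings here (a simplification; real tooling parses version numbers).
    """
    comp = alert["component"]
    return [asset for asset in affected_assets(inventory, alert)
            if rescan.get(asset, {}).get(comp) != alert["fixed"]]


def remediation_report(inventory: dict, alert: dict, dist_list, rescan: dict) -> dict:
    """Summary a risk function can put in front of management."""
    affected = affected_assets(inventory, alert)
    return {
        "affected_assets": affected,
        "owners_not_alerted": sorted(distribution_gaps(inventory, alert, dist_list)),
        "still_exposed": still_exposed(inventory, alert, rescan),
        "closed": len(affected) > 0 and not still_exposed(inventory, alert, rescan),
    }


if __name__ == "__main__":
    for key, value in remediation_report(INVENTORY, ALERT, DISTRIBUTION_LIST, RESCAN).items():
        print(f"{key}: {value}")
```

The two checks depend entirely on the inventory being complete: an asset that is not in the inventory cannot be matched to the alert, which is why the NIST "Identify" function comes first. Treating an unscanned asset as exposed is the conservative choice; a report that counts only confirmed-vulnerable assets hides exactly the systems nobody looked at.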
Practice Question
Which of the five functions that the National Institute of Standards and Technology (NIST) describes in its cybersecurity guidance involves creating and sharing a company cybersecurity policy that covers the roles and responsibilities of employees?
- A. Recover.
- B. Protect.
- C. Identify.
- D. Detect.
The correct answer is C.
The Identify function covers listing all equipment, software, and data a company uses. It also covers creating and sharing a company cybersecurity policy that sets out employee roles and responsibilities.
A is incorrect. The Recover function is concerned with repairing and restoring the equipment and parts of the network that were compromised after an attack, and with keeping employees and customers informed of the firm's response and recovery activities.
B is incorrect. The Protect function is concerned with controlling who logs on to the network, encrypting sensitive data, applying regular security updates, and having formal policies for safely disposing of electronic files and old devices.
D is incorrect. The Detect function is concerned with monitoring computers for unauthorized personnel access, devices, and software.