- Information security extends beyond cyber risks. Theft, loss, or unintentional disclosure of information occur frequently. Causes and controls vary.
- Perpetrators may be internal, external, or hybrid. McAfee found that 43% of leaks were caused by insiders, half of them accidental.
- Paper documentation and non-digital data loss also fall under information risk management. Controls should address incidents like leaving reports in public places.
- The table below presents a taxonomy of information security risks using a four-quadrant approach –
- internal causes (including contractors and consultants on site) versus external causes (including third parties), and
- data theft (including voluntary data corruption) versus data loss (including involuntary corruption and accidental disclosure).
DATA INCIDENTS – THEFT or CORRUPTION / EXTERNAL CAUSES or THIRD PARTIES:
1. Digital: hacking, virus infection, phishing and other cyberattacks
2. Physical: theft, social engineering
DATA INCIDENTS – LOSS or INVOLUNTARY DISCLOSURE / EXTERNAL CAUSES or THIRD PARTIES:
3. Disaster, systems disruptions, third-party failure
DATA INCIDENTS – THEFT or CORRUPTION / INTERNAL CAUSES:
4. Theft and transfer of digital or physical information by an infiltrated employee or contractor
5. Departing employees take proprietary information or intellectual property from the firm (mishandled exits)
DATA INCIDENTS – LOSS or INVOLUNTARY DISCLOSURE / INTERNAL CAUSES:
Digital:
6. Database loss, back-up loss
7. Loss of devices by staff members
8. Errors when sending documents (e-mail recipients or attachments)
Physical:
9. Loss of printed documents (e.g., by accidentally disposing of them in a wastebasket)
10. Errors or accidental mentions of confidential information when communicating to outsiders
11. Loss of archives
A Typology of Information Security Risks
Cyberattacks – Cases And Threats
Cyber threats affect all industries, but the financial sector is at higher risk due to the high transaction value. Some famous cyberattacks are listed in the box below.
HIGH PROFILE, EGREGIOUS DATA HACKS
- The Paradise Papers – This became the second largest data hack in history after the Panama Papers. In November 2017, 1.4 terabytes of confidential data were stolen from offshore law firm and tax advisor Appleby in Bermuda and sent to the German newspaper, the Süddeutsche Zeitung. The data was then shared with the International Consortium of Investigative Journalists, revealing details of offshore investments made by thousands of high-profile individuals, corporations, government officials, and even countries. This leak caused significant reputational damage and public outrage. Appleby is still operational as of 2022 and has many major banks among its clients.
- Equifax – One of the biggest credit-scoring companies globally suffered a cyberattack in 2017 that resulted in the exposure of 147 million customers’ data in the US. The breach occurred due to an external intrusion on Equifax’s servers, which exploited a known vulnerability that had not been patched. Following the announcement, Equifax’s market capitalization decreased by approximately $5 billion out of a total of $15.5 billion.
Although information leaks caused by dissatisfied or dishonest employees resemble instances of internal fraud more than external cyberattacks, they still fall under the purview of information security. The following box provides examples of information leaks.
DATA LEAKS: TRANSFER OF CONFIDENTIAL INFORMATION
- UK: Data leak from a malicious employee at an insurance company – In July 2017, a UK insurance firm experienced a data breach impacting 500,000 clients. An employee illicitly copied and removed personal data, then offered it for sale on the dark web. The firm reported the breach to regulators, conducted a thorough inquiry, and terminated the employee responsible while taking legal measures. Despite the occurrence leading to a £175,000 regulatory penalty and heightened scrutiny, the incident did not generate much attention beyond specialized media outlets.
- United States: IRS data leaked to ProPublica – The investigative journalist agency ProPublica reported on tax rates of wealthy Americans from 2013 to 2018, including Jeff Bezos, Bill Gates, and Warren Buffett. The IRS employee data leak is suspected to be the source, but the exact origins are unclear.
- Recent leaks in cryptocurrency – Cryptocurrency and blockchain technology are vulnerable to cyberattacks due to their new and unregulated nature as a means of peer-to-peer transactions.
- bZx – bZx, a US platform for blockchain-based trading and lending, lost $55 million due to a phishing attack that stole a developer’s private keys. Private keys are used in blockchain to decrypt currency and access its value.
- BXH Exchange – China’s BXH Exchange lost $139.2 million after a hacker exploited an administrator’s private key, possibly due to an inside job. BXH is offering a $1 million reward for the recovery of funds and an unspecified reward for the hacker if the money is returned (November 2021).
Cyber Risk Management: Frameworks And Standards
- Several market standards and guidance documents are published and regularly updated to help firms in developing cybersecurity protection and measuring cyber fraud and technology risks. These frameworks provide a systematic approach for security managers to benchmark themselves against best practices in the industry and are frequently required for industry-related regulatory compliance.
- Three cybersecurity standards dominate the market –
- The US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF)
- The Center for Internet Security Critical Security Controls (CIS)
- The International Standards Organization (ISO) frameworks ISO/IEC 27001 and 27002
NIST CSF
- The NIST cybersecurity framework, created by the US Department of Commerce’s National Institute of Standards and Technology, was designed to aid businesses of all sizes in comprehending, managing, and diminishing their cybersecurity risks while safeguarding their networks and data. The framework is voluntary, and it furnishes companies with a set of best practices to pinpoint where to allocate their time and resources for cybersecurity protection.
- Although originally intended for safeguarding critical infrastructure such as power plants and dams from cyberattacks, the framework has extended to various industries, with many financial organizations adopting it to manage cyber risk. The framework’s purpose is to assist organizations in comprehending their cybersecurity risks by providing guidance on identifying threats and vulnerabilities, evaluating their impact, and reducing risks with custom measures. Additionally, the framework provides guidance for responding to and recovering from cybersecurity incidents, emphasizing root-cause analysis and learning from experience.
- The NIST cybersecurity framework is organized similarly to an operational risk management framework, with four main steps: risk identification, assessment, mitigation, and monitoring. The framework includes a list of cybersecurity functions that follow the basic steps of cyber defense: identify, protect, detect, respond, and recover. For each step, NIST provides guidance.
- Identify – Businesses should create a list of all equipment, software, and data they use and share a company cybersecurity policy that covers roles and responsibilities, as well as steps to take to protect against an attack and limit damage.
- Protect – Businesses should control who logs on to their network and uses their computers and other devices, use security software to protect data, encrypt sensitive data, conduct regular backups of data, update security software regularly, have formal policies for safely disposing of electronic files and old devices, and train everyone who uses their computers, devices, and network about cybersecurity.
- Detect – Businesses should monitor their computers for unauthorized personnel access, devices, and software, investigate any unusual activities on their network, and check their network for unauthorized users or connections.
- Respond – Businesses should create and regularly test a plan for the following –
- notifying customers, employees, and others whose data may be at risk,
- keeping business operations up and running,
- reporting the attack to law enforcement and other authorities,
- investigating and containing an attack,
- updating the cybersecurity policy and plan with lessons learned, and
- preparing for inadvertent events that may put data at risk.
- Recover – Businesses should repair and restore affected equipment and parts of the network and keep employees and customers informed of their response and recovery activities.
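As an added example (not part of the course notes), the following Python script shows what the "Identify" and "Detect" steps look like when reduced to code: an asset inventory, an account list and a per-host access policy are the Identify step, and a pass over an access log that compares each event against them is the Detect step. Every hostname, MAC address, user name and log line is constructed for illustration.

```python
"""NIST CSF "Identify" and "Detect" steps on constructed data (added example,
not part of the course notes). Every hostname, MAC address, user name and log
line below is made up for illustration."""

from dataclasses import dataclass

# Identify: enterprise asset inventory keyed by device MAC address (constructed).
ASSET_INVENTORY = {
    "aa:bb:cc:00:00:01": "ws-finance-01",
    "aa:bb:cc:00:00:02": "ws-finance-02",
    "aa:bb:cc:00:00:10": "db-credit-01",
}

# Identify: accounts that exist in the directory (constructed).
AUTHORIZED_USERS = {"alice", "bob", "carol", "svc-backup"}

# Identify: sensitive hosts and the only accounts allowed to log on to them.
SENSITIVE_HOST_POLICY = {
    "db-credit-01": {"dba-team", "svc-backup"},
}

# Constructed access-log excerpt: time, user, source MAC, target host, result.
SAMPLE_LOG = """\
2017-05-13T02:14:05Z alice      aa:bb:cc:00:00:01 ws-finance-01 ok
2017-05-13T02:15:09Z bob        aa:bb:cc:00:00:02 db-credit-01  ok
2017-05-13T02:16:44Z mallory    aa:bb:cc:00:00:99 db-credit-01  ok
2017-05-13T02:17:01Z alice      aa:bb:cc:00:00:01 db-credit-01  denied
2017-05-13T02:18:30Z svc-backup aa:bb:cc:00:00:10 db-credit-01  ok
"""


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    mac: str
    host: str
    reason: str


def parse_line(line: str) -> dict:
    """Split one whitespace-separated log line into its five fields."""
    time, user, mac, host, result = line.split()
    return {"time": time, "user": user, "mac": mac, "host": host, "result": result}


def detect(log_text: str, inventory=ASSET_INVENTORY, users=AUTHORIZED_USERS,
           policy=SENSITIVE_HOST_POLICY) -> list:
    """Detect step: compare each access event against the Identify-step inventories.

    The three checks follow the framework's wording: unauthorized users,
    devices missing from the asset inventory, and successful access to a
    sensitive host by an account its policy does not allow."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        base = (e["time"], e["user"], e["mac"], e["host"])
        if e["user"] not in users:
            findings.append(Finding(*base, "unknown user account"))
        if e["mac"] not in inventory:
            findings.append(Finding(*base, "device not in asset inventory"))
        allowed = policy.get(e["host"])
        if allowed is not None and e["result"] == "ok" and e["user"] not in allowed:
            findings.append(Finding(*base, "successful logon to sensitive host outside its access policy"))
    return findings


def summarize(findings) -> dict:
    """Count findings per reason, the shape a monitoring dashboard would consume."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.time} {f.user:<10} {f.host:<14} {f.reason}")
    print(summarize(detect(SAMPLE_LOG)))
```

Denied attempts are deliberately not flagged by the policy check (the control already worked), while an unknown account on an unknown device reaching a sensitive host produces three separate findings, which is the signal an investigation would start from.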
- When applied to financial risk management, adopting the NIST framework requires conducting an asset inventory to identify vulnerable assets that need protection. Next, the organization must determine how to safeguard these assets by detecting potential risks, responding to threats, and recovering assets in the event of a security incident.
CIS (Center For Internet Security)
- CIS is a framework developed by a volunteer-expert coalition to protect companies from cybersecurity threats. Its key controls are prioritized to mitigate prevalent attacks and referenced by multiple frameworks. Version 8 of the 18 CIS Critical Security Controls is the latest, updated to keep up with modern systems, software, and attacker tactics.
- CIS critical controls are categorized into control themes and subdivided into specific controls. It is a detailed and flexible framework that can be used alongside industry-specific standards like NIST or cybersecurity certifications like ISO 27001.
Control 1: Inventory and Control of Enterprise Assets
Control 2: Inventory and Control of Software Assets
Control 3: Data Protection
Control 4: Secure Configuration of Enterprise Assets and Software
Control 5: Account Management
Control 6: Access Control Management
Control 7: Continuous Vulnerability Management
Control 8: Audit Log Management
Control 9: E-mail and Web Browser Protections
Control 10: Malware Defences
Control 11: Data Recovery
Control 12: Network Infrastructure Management
Control 13: Network Monitoring and Defense
Control 14: Security Awareness and Skills Training
Control 15: Service Provider Management
Control 16: Application Software Security
Control 17: Incident Response Management
Control 18: Penetration Testing
CIS Critical Security Controls – Version 8
Microsoft PowerPoint – OR 9 – Cyberthreats and Information Security Risks
ISO/IEC 27001 – International Standard Organization
- ISO/IEC 27001: 2013 is a recognized standard for cybersecurity that guides firms on risk management, policies, governance, support, and awareness. It covers operational planning and control, risk assessment, and treatment, with sections on audit and management review.
- ISO standards don’t offer practical advice to companies, but serve as assessment criteria for those seeking ISO certification. To be considered for certification, organizations must have an information security management system (ISMS) that manages information security risks by identifying threats and vulnerabilities. They must also implement effective controls to mitigate identified risks and continuously improve their risk management process. Certification requires demonstrating the use of the “PDCA Cycle” (Plan-Do-Check-Act) to the auditor.
Essentials Of Cybersecurity Protection And Monitoring
- The successful reduction of risks requires a combination of technical safeguards and appropriate human conduct. Information protection comprises three aspects known as CIA: Confidentiality and Integrity, which pertain to information security, and Availability, which pertains to system uptime and business continuity. Availability has now come under the domain of resilience.
- Information controls can be divided into two main categories –
- Behavioral controls address human behaviors and include awareness campaigns, employee conduct rules, online training, password management, supervision, and sanctions. They are applicable to all types of information security threats, not just cyberattacks.
- Technical controls cover all technical aspects of systems for prevention or detection. Preventative controls, aimed mainly at external threats, involve system architecture, access firewalls, encryption, passwords, and patching. Detective controls issue early warnings of data breaches, whether initiated internally or externally. Examples include a data loss prevention and detection (DLPD) solution and a honeypot, a security mechanism that lures attackers into a virtual trap. Mitigating controls concentrate on keeping redundancies and backups offline.
- A non-exhaustive list of key controls for information security is given below –
Behavioral Controls
- Awareness and Prudence: awareness campaign, training, fake phishing test, password cracking attempt (from IT department)
- Conduct Rules: rules of confidentiality, code of conduct, sanction rules
- Data Governance: data transfer rules
Technical Controls
- Architecture: network partitioning, access management, firewalls
- Encryption: password rules, encryption levels and rules
- Detection: DLPD, honeypot
- Testing: penetration testing
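The DLPD entry under "Detection" is the detective control that catches incidents 8 and 10 of the typology (documents or confidential details sent to outsiders). As an added example, not code from the course, the following Python script implements a minimal outbound-mail DLP check: it only examines messages with an external recipient, looks for social security number and payment-card patterns in the body (using the Luhn checksum so that arbitrary digit runs such as order references are not flagged), and blocks attachments whose names carry a confidentiality marking. The internal domain, addresses, bodies, attachment names and sample SSN/card values are all constructed.

```python
"""Minimal data-loss-prevention check on outbound e-mail (added example, not
from the course notes). The domain, addresses, message bodies and the sample
SSN and card values are all constructed for illustration."""

import re

INTERNAL_DOMAIN = "example-bank.test"                     # hypothetical internal domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")             # US social security number layout
CARD_CANDIDATE_RE = re.compile(r"(?:\d[ -]?){12,18}\d")   # 13-19 digits, spaces/dashes allowed
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit runs that look like card numbers and pass the Luhn check."""
    hits = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def scan_message(msg: dict) -> list:
    """Return reasons to block or alert on a message; an empty list means allow.

    Only messages with at least one external recipient are examined, because
    this control targets disclosure to outsiders, not internal circulation."""
    if not any(is_external(r) for r in msg["to"]):
        return []
    reasons = []
    if SSN_RE.search(msg["body"]):
        reasons.append("social security number in body")
    if find_card_numbers(msg["body"]):
        reasons.append("payment card number in body")
    for name in msg.get("attachments", []):
        if any(marker in name.upper() for marker in CONFIDENTIAL_MARKERS):
            reasons.append(f"attachment marked confidential: {name}")
    return reasons


def scan_all(messages) -> dict:
    """Map message id to its list of reasons, for every message in a batch."""
    return {m["id"]: scan_message(m) for m in messages}


# Constructed outbound messages: one internal, three to external recipients.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "alice@example-bank.test", "to": ["bob@example-bank.test"],
     "body": "Customer SSN 078-05-1120 attached for the review.", "attachments": []},
    {"id": "m2", "from": "alice@example-bank.test", "to": ["partner@outside-firm.test"],
     "body": "Card on file is 4111 1111 1111 1111, please confirm.", "attachments": []},
    {"id": "m3", "from": "bob@example-bank.test", "to": ["vendor@outside-firm.test"],
     "body": "Order reference 1234 5678 9012 3456 shipped today.", "attachments": []},
    {"id": "m4", "from": "carol@example-bank.test", "to": ["carol.home@webmail.test"],
     "body": "Taking this home to finish.", "attachments": ["Q3-forecast-CONFIDENTIAL.xlsx"]},
]

if __name__ == "__main__":
    for msg_id, reasons in scan_all(SAMPLE_MESSAGES).items():
        print(msg_id, "BLOCK" if reasons else "allow", reasons)
```

Message m4 is the "taking work home" case from the typology: nothing in the body trips a pattern, and only the attachment-name marking catches it, which is why document classification labels are a prerequisite for this kind of control to work.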
- Controls for information security vary based on risk appetite and consistency of choices. Firms may not have the same level of commitment to governance, discipline, and technical controls required for high security. Information security measures cost time, money, and effort, so the benefits of risk reduction must be weighed against the cost of controls, convenience, and speed. Categorizing information sensitivity levels is important to adjust the resources dedicated to information protection.
- When it comes to information security and cyber protection, risk monitoring aims to evaluate the effectiveness of controls and detect any unexpected changes in exposure, traffic, or staff behavior. Monitoring for cyberattacks and access breaches is primarily carried out in the IT department, which is typically the first line of defense. While the information security department may be separate from IT in some firms, it is still responsible for maintaining and monitoring a comprehensive set of behavioral and technical controls, with any deviations or failings serving as Key Risk Indicators (KRIs). The table below provides examples of KRIs for information security.
- Overdue vulnerability patching
- Overdue penetration tests / overdue resolution of penetration test recommendations
- Overdue replacement of obsolescent software
- Results of phishing tests and of password cracking attempts
- Number of computers with inadequate access and overdue revisions of access
- % change in number of IT help-desk requests / change requests / issues per IT manager
- % vacancies in IT/cybersecurity teams
- Overcapacity usage of systems
- Conduct metrics on employee compliance
- Number of reported breaches of conduct and information rules on social media
- Number of “repeat offenders” (staff failing more than one phishing test) in sensitive data areas
- Number of devices or access cards lost/stolen
Examples of KRIs for Information Security Risk
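To make the KRI table concrete, here is an added Python example (not from the course notes) that computes four of the indicators from constructed records: overdue vulnerability patching measured against a per-severity patch window, expired certificates, repeat phishing offenders in sensitive data areas, and devices lost in the last 30 days, then turns each into a red/green status against a threshold. The patch window and certificate checks are the two failure modes that the Equifax case study that follows describes (the 48-hour critical-patch window and the expired inspection certificate). Asset names, dates, CVSS scores, the patch SLA, thresholds and user names are all constructed, and the CVE identifiers are placeholders.

```python
"""Computing information-security KRIs over constructed data (added example,
not part of the course notes). Asset names, dates, CVSS scores, user names,
the patch SLA and thresholds are made up; CVE identifiers are placeholders."""

from datetime import datetime, timedelta, timezone


def ts(s: str) -> datetime:
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


AS_OF = ts("2017-03-10T12:00")  # constructed reporting date

# Patch service levels by severity band (constructed policy).
PATCH_SLA = {"critical": timedelta(hours=48), "high": timedelta(days=30),
             "medium": timedelta(days=90)}


def severity(cvss: float) -> str:
    """Map a CVSS base score to a severity band (CVSS v3 style cut-offs)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium"


VULNERABILITIES = [  # constructed vulnerability tracker entries
    {"asset": "dispute-portal-01", "id": "CVE-XXXX-PLACEHOLDER-1", "cvss": 10.0,
     "alerted": ts("2017-03-08T00:00"), "patched": None},
    {"asset": "ws-finance-03", "id": "CVE-XXXX-PLACEHOLDER-2", "cvss": 7.5,
     "alerted": ts("2017-02-20T00:00"), "patched": None},
    {"asset": "mail-gw-01", "id": "CVE-XXXX-PLACEHOLDER-3", "cvss": 9.1,
     "alerted": ts("2017-03-09T00:00"), "patched": None},
    {"asset": "vpn-01", "id": "CVE-XXXX-PLACEHOLDER-4", "cvss": 9.8,
     "alerted": ts("2017-03-01T00:00"), "patched": ts("2017-03-06T00:00")},
]
CERTIFICATES = [  # constructed certificate inventory
    {"name": "tls-inspection-01", "expires": ts("2016-01-31T00:00")},
    {"name": "web-01", "expires": ts("2018-01-01T00:00")},
]
PHISHING_RESULTS = [  # constructed: failed simulated-phishing tests per user, last 12 months
    {"user": "alice", "area": "credit-data", "failed_tests": 2},
    {"user": "bob", "area": "marketing", "failed_tests": 3},
    {"user": "carol", "area": "credit-data", "failed_tests": 1},
]
SENSITIVE_AREAS = {"credit-data"}
LOST_DEVICES = [  # constructed loss reports
    {"user": "dave", "device": "laptop", "reported": ts("2017-03-02T00:00")},
    {"user": "erin", "device": "access card", "reported": ts("2017-02-25T00:00")},
]


def compute_kris(as_of=AS_OF, vulns=VULNERABILITIES, certs=CERTIFICATES,
                 phishing=PHISHING_RESULTS, lost=LOST_DEVICES) -> dict:
    """Evaluate each KRI; lists name the offending items so the report is actionable."""
    overdue, late = [], []
    for v in vulns:
        sla = PATCH_SLA[severity(v["cvss"])]
        if v["patched"] is None:
            if as_of - v["alerted"] > sla:        # still open and past its window
                overdue.append(v["asset"])
        elif v["patched"] - v["alerted"] > sla:   # closed, but later than the window
            late.append(v["asset"])
    expired = [c["name"] for c in certs if c["expires"] < as_of]
    repeat = [p["user"] for p in phishing
              if p["failed_tests"] >= 2 and p["area"] in SENSITIVE_AREAS]
    recent_lost = sum(1 for d in lost if as_of - d["reported"] <= timedelta(days=30))
    return {"overdue_patches": overdue, "late_patches": late,
            "expired_certificates": expired,
            "repeat_phishing_offenders_sensitive": repeat,
            "devices_lost_30d": recent_lost}


# Thresholds that turn each KRI into a status (constructed; a real policy would
# usually add an amber band between green and red).
THRESHOLDS = {"overdue_patches": 0, "expired_certificates": 0,
              "repeat_phishing_offenders_sensitive": 0, "devices_lost_30d": 3}


def status(kris: dict) -> dict:
    """Red when a KRI exceeds its threshold, green otherwise."""
    out = {}
    for name, limit in THRESHOLDS.items():
        value = kris[name]
        count = value if isinstance(value, int) else len(value)
        out[name] = "red" if count > limit else "green"
    return out


if __name__ == "__main__":
    kris = compute_kris()
    for name, value in kris.items():
        print(f"{name:<38} {value}")
    print(status(kris))
```

The separate "late_patches" list (patched, but after its window) is worth keeping even though it never turns red: it shows whether the patch process is routinely slower than policy, which is the trend a risk committee wants before an open critical item appears.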
Case Study Of A Cyberattack: Equifax
- Equifax is a major US credit reporting agency with data on millions of consumers and businesses. In March 2017, hackers exploited a vulnerability in one of Equifax’s systems (Apache Struts) via its online dispute portal, enabling them to access multiple databases and extract sensitive personal information, including names, addresses, dates of birth, social security numbers, and credit card accounts. The breach went undetected for three months.
- Equifax’s cybersecurity weaknesses were not a surprise during the 2017 hack. Their frameworks, policies, and tools were outdated and poorly maintained. In 2015, an internal audit found 8,500 unpatched vulnerabilities. Equifax’s CSO was developing their first patch management policy at the time. Equifax’s W-2 Express website was also hacked in May 2016, resulting in the leak of 430,000 people’s personal information.
- In 2017, Equifax had many un-remediated security deficiencies, including the failure to implement a patch for the Apache Struts vulnerability. Despite being alerted by their GTVM team and the vulnerability receiving a criticality score of 10 under NIST’s Common Vulnerability Scoring System (CVSS), the patch was not implemented for various reasons.
- An analysis of the case revealed the following key weaknesses compared to market standards in information security management –
- A lack of a comprehensive inventory of IT assets – This made the Equifax GTVM teams unable to patch Apache Struts within the required 48-hour timeframe after being alerted.
- Failure of risk management policy enforcement, and specifically the failure to enforce the patch management policy.
- Inconsistent communication among employees on the remediation of security vulnerabilities – An employee who was aware of the use of Apache Struts was not included on the e-mail distribution list and could not receive news of the vulnerability. The employee’s manager failed to relay the information after receiving it.
- An expired SSL certificate on the device designed to inspect encrypted network traffic – Equifax was unable to monitor its encrypted traffic, including hacking activity, for months because the certificate had expired. Equifax only noticed suspicious activity and discovered the breach on July 29, more than three months after it had started, after finally updating the certificate.
- Poor external communication as part of the crisis management – Equifax faced criticism for its lack of transparency to customers regarding the data breach. It issued a public announcement on September 7, 2017, six weeks after discovering the breach, which had exposed the personal information of up to 147 million customers. Equifax did not apply the three Rs of crisis communication, which added to its reputational damage.
- Such large operational risk events do not have a single cause. They are caused by multiple deficiencies in governance, procedures, communication, and prioritization. Equifax had weak cybersecurity controls at the time of the breach, resulting in a drop in share price, investigations, fines, lawsuits, and resignations by senior management. In July 2019, Equifax agreed to pay up to $700 million in fines and compensation, with affected consumers having the option of receiving a payment of up to $125 or free credit monitoring. Equifax revamped its IT security system and management after the incident.