The Twitterverse got its chance to pose cyber risk questions to a panel of distinguished experts at the NetDiligence® Cyber Risk Summit in Santa Monica on October 16. RMS and NetDiligence teamed up to host a live #ChatCyberRisk Q&A session at the conference. The experts on hand included Vinny Sakore, Chief Technology Officer, NetDiligence; Russell Thomas, Principal Engineer – Cyber, RMS; and Christos Mitas, Vice President – Model Development, RMS.
Which cyberattacks will grow in prominence? Vinny Sakore sees more and more attacks against individuals, especially high-net-worth individuals, with personal cyber insurance coverage becoming an important issue in the future.
And the biggest driver of cyber risk for organizations? Russell Thomas stated that the main ones remain the same: contagious malware (including ransomware) and data theft/exfiltration will continue to be the most prominent types of attacks with potential for severe or catastrophic loss to victims. The number of attacks will also grow as more firms, government organizations, schools, etc. become more dependent on automated processes and e-commerce. Financial risk due to business interruption stands out as the immediate risk driver; in a 2018 survey of 1,300 global companies, 34 percent of companies reported business interruption due to cyberattack.
Whether the biggest threat is a data breach, malware, or something else is largely sector-dependent. For an e-commerce firm making its money on the web, a DDoS attack or cloud outage can be catastrophic. For large financial services firms, both data breach and contagious malware are big drivers. For the largest and rarest loss events, the risk drivers for large banks would be large-scale cloud outage (malicious or not) and SWIFT-type financial theft by advanced threat groups.
And although not fully mature, cyber-physical attacks are increasing in prominence. Russell added that threat actors will start to use cyber-physical attacks to either make money or achieve political goals. Also, the scope and scale of these attacks could change, with the potential to increase dramatically, dependent on threat actor capabilities, goals, and strategies. The larger risk to all companies from this is a major infrastructure outage.
One of the main threats, malware, continues to evolve, and the panelists looked at the forces driving this evolution. Christos Mitas from RMS saw continued “spill-over” and collaboration between state-sponsored and cybercrime groups, as well as the availability of packaged malware toolkits and “malware-as-a-service” for less-skilled actors. The ease of deploying malware kits is lowering the threshold for the “bad guys” to start a cyberattack.
Advanced threat actors are now chaining together multiple malware sets (e.g. banking trojans) and repurposing them to carry out new types of attacks, e.g. large financial thefts or attacks on industrial control systems. Vinny added that, due to the successful monetization of ransomware attacks, he does not foresee a decline in ransomware but continued growth.
Russell Thomas suggested that we are living in a target-rich environment: a combination of many vulnerabilities together with immature defenses. There is the homogenization of deployed software, and an attack surface expanding dramatically due to the Internet of Things (IoT), in critical applications such as medical, automotive, etc.
He added that security by design is still not widespread. Currently, not many threat actors focus on cyber-physical attacks, given their goals (monetary, intelligence, geopolitical), but this could quickly change if a few more “puzzle pieces” fall into place. Vinny Sakore cited an example from earlier this year, when the DHS and the FDA alerted cardiologists, hospitals, and patients that hundreds of thousands of implanted defibrillators, programmers, and heart monitors could be hacked.
The fight back against cybercrime also evolves. Russell Thomas was asked how public and private sector groups are partnering to stop cybercrime. Russell stated that there have been many collaborations over the last ten years around standards and data sharing, but with the landscape changing so fast, for example with the rise of e-commerce or IoT, there is always more to be done. Some issues seem to fall outside of these efforts, such as “hack-back” or inter-government cyber conflict.
Vinny Sakore cited the National Cyber-Forensics and Training Alliance (NCFTA) as a great example of public-private groups working together, and he suggested that, informally, cyber forensic firms collaborate with law enforcement such as the FBI.
And how could cyber risk models support a stronger understanding of how to manage evolving cyber risk? Christos Mitas reminded attendees to align models with decisions. Cyber risk models, especially financial models, are best for big decisions like resource allocation, IT and business architecture, policy decisions, etc., but maybe not so good for low-level “which vulnerability should we patch” decisions. Cyber risk models such as RMS Cyber Risk Solutions enable regular updates to track trends and apply them to the effective management of cyber portfolios of subjects at risk.
Wrapping up the chat, Vinny Sakore looked to the future and asked how we can make a real step-change in tackling cyber risk. He raised the example of irrigation systems that were revolutionized by creating models based on sensor data. Vinny asked us to imagine what we could do by mining endpoint data from devices and servers, and, as Professor @alexstamos from Stanford University and former CISO at Facebook reminds us, “breaches are like hurricanes, we can’t stop them but we can figure out how to survive them.”