Author(s): Andrew Coburn, Eireann Leverett, Gordon Woo
Edition: 1st Edition
Publisher: Wiley
Year: 2018
Language: English
Pages: 384
Cover
Title Page
Copyright
Contents
About the Authors
Acknowledgments
1.1.2 The Malware
1.1.4 Using Suppliers with Authorized Access
1.1.6 Harvesting the Data
1.1.9 Disclosure
1.1.11 Target's Costs
1.1.13 And the Rescator Team?
1.2.1 Types of Cyber Losses
1.2.2 The Direct Payout Costs of a Cyber Attack
1.2.4 Consequential Business Losses from a Cyber Attack
1.2.5 Cyber Attack Economic Multipliers
1.3 Cyber Catastrophes
1.3.2 Near-miss Cyber Catastrophes
1.3.3 Is Cyber Threat Systemic?
1.3.4 Potential Cyber Catastrophes
1.3.5 Cyber Catastrophes Could Impact Infrastructure
1.3.7 The ‘Cyber Catastrophe’ of Tech Aversion
1.4.1 Cyber Threats to Democracy
1.4.2 The Cyber Threat of Triggering War
1.5.1 Risk Terminology
1.5.2 A Framework for Risk Assessment
1.5.4 Risk of Cyber Catastrophes
1.6.1 Collecting Information on Cyber Loss Incidents
1.6.5 Global Costs of Cyber Attacks
1.6.7 Risk of Future Cyber Catastrophes
1.6.8 Working Together to Solve Cyber Risk
Endnotes
2.1 Cyber Loss Processes
2.2.1 Protecting Your Data
2.2.3 Causes of Data Exfiltration Loss
2.2.4 Costs of Data Exfiltration
2.2.5 Other Costs and Consequences
2.3.3 Generations of Malware
2.3.4 WannaCry, 2017
2.3.5 NotPetya, 2017
2.3.6 Antivirus Software Industry
2.3.8 Risk of Malware Infection
2.3.9 Ransomware
2.3.10 Cyber Extortion Attacks on Larger Organizations
2.3.11 The Business of Extortion
2.3.12 Ransomware Attacks on the Rise
2.4.1 The Threat of DDoS Attacks
2.4.3 Intensity of Attack
2.4.5 Repeat Attacks on Targets
2.4.7 Motivation of DDoS Attackers
2.4.9 Sectoral Preferences in DDoS Targeting
2.4.10 IoT Being Used for DDoS Attacks
2.5.1 Networks of Trust
2.5.3 Wholesale and Back‐End Financial Systems
2.5.4 Lazarus Attack on SWIFT Banking System
2.5.5 Security Spending
2.6.1 Risk in the IT Supply Chain
2.6.3 Cloud Service Types
2.6.4 Cloud Adoption and Strategies
2.6.5 CSP Outages
2.6.6 Duration of Outages
Endnotes
3.1.1 Cyber‐Physical Systems
3.1.3 The Earliest Hack of a Physical System
3.2.1 Examples from the Past
3.3.2 Sensors
3.3.5 Networking Equipment
3.4.1 Designed for Accidents, Not Malicious Attacks
3.4.3 Entering a Secure Facility
3.4.6 Achieving Malicious Aims by Abusing Security Systems
3.5.4 Subvert the Logic
3.6.2 Disable the Safety System
3.7.1 The Byzantine Generals Problem
3.8.1 You Can't Change Physics
3.8.3 Estimate the Consequences
3.8.4 Prioritize Mitigation Against Multiple Scenarios
3.8.6 Variation in Risk over Time
3.9.2 Security Levels in Connected Devices
3.9.5 Need This Always Be So?
Endnotes
4.1.1 Accidental Malfunction
4.2.1 Arsenals of Exploits
4.2.2 The Vulnerabilities Equities Process
4.2.4 Issuing Security Patches
4.2.5 Getting Users to Install Patches
4.3.1 US NIST National Vulnerability Database
4.3.2 Open Source versus Closed Source Vulnerabilities
4.3.3 Vulnerabilities Impacting Populations of Companies
4.3.4 Estimating Population Impacts
4.4.1 Within a Project or Technology Under Your Control
4.4.3 Across Different Companies Within Your Supply Chain
4.4.4 Telematics Assessments
4.5.1 National Vulnerability Agencies
4.5.3 Posing a Risk to Others
4.5.4 Victim Notification
4.5.6 Lifespans of Exploits
Endnotes
5.1.1 They Don't Wear Balaclavas
5.1.2 In the Red Corner …
5.2.1 Amateur Hackers
5.2.2 Hub‐Structured Cyber Criminal Gangs
5.2.3 Hierarchically‐Organized Cyber Criminal Syndicates
5.2.4 Mercenary Teams
5.2.5 Hacktivists
5.2.6 Cyber Terrorists
5.2.7 Nation‐state‐ and State‐sponsored Cyber Teams
5.3.1 Accidents Will Happen
5.3.3 Disaffected Employees
5.4.1 Threat Actors and Their Variety Act
5.4.2 Cyber Criminology
5.5.2 Dark Web Trading Sites
5.5.4 Logistical Burden of Cyber Attacks
Endnotes
6.1.2 Defending Ourselves
6.1.3 Measurement to Make Improvements
6.1.4 A Monitoring Checklist
6.1.6 Setting a Cyber Security Budget
6.2.1 Perception of Threat
6.2.2 Threat Attributes
6.2.3 Threat Matrices and Attack Trees
6.3.1 Using Scenarios
6.3.2 Building Safety and Cyber Security
6.3.4 Ways Things Can Go Wrong
6.4.1 Not If or When, but How Likely?
6.4.2 Measuring Cyber Attack Severity
6.4.4 Characterizing Extreme Events
6.4.5 Challenges of Carrying Out an Extreme Event
6.4.6 Harvesting Bugs
6.4.7 Simulation Process – Stuxnet Example
6.4.8 The Pentagon Cyber Arsenal
6.4.9 Insider Theft and the Cyber ‘Big One’
6.4.10 Reimagining History
6.4.11 Knowing What Could Have Occurred
6.4.12 Cyber Events That Could Have Turned Out Differently
6.4.13 Alternative Versions of the Past 10 Years of Cyber Attacks
Endnotes
7.1.1 Jurisprudence and Commerce
7.2.1 A Patchwork of Regulation
7.2.3 Legitimizing NSA Operations
7.2.5 State‐by‐State Variations
7.2.6 Regulations for Finance, Healthcare, and Communications
7.3.1 European Citizens' Data Rights
7.3.4 National Implementation
7.4.1 Regulating an Emerging Insurance Market
7.4.2 Role of Rating Agencies
7.5.2 Articulated Damages
7.5.4 Cyber Liability Insurance for Law Firms
7.6.1 Cyber Hygiene
7.6.2 The Weakest Link
7.6.4 Compliance Management
7.7.1 The Role of Law Enforcement Agencies
7.7.2 Low Conviction Rates
7.7.4 Specialist Police Cyber Crime Units
7.7.5 Interpol and Europol
7.7.6 Cyber Vigilantes
7.7.7 Battling Conficker
Endnotes
8.1.1 Identify, Protect, Detect, Respond, Recover
8.2.1 Real‐time Crisis Management: How Fighter Pilots Do It
8.2.2 Rapid Adaptation to Changing Conditions
8.2.4 Business Continuity Planning and Staff Engagement
8.2.5 Gaming and Exercises
8.3.1 Safety Management
8.3.2 Hotel Keycard Failure Example
8.4.1 Anticipate, Withstand, Recover, and Evolve
8.4.3 Six Positive Attributes for Resilience
8.4.4 Cyber Resilience Objectives
8.5.1 Forensic Investigation
8.6.1 Resilient Software
8.6.3 Minimize Intrusion Dwell Time
8.6.4 Anomaly Detection Algorithms
8.6.5 Penetration Testing
8.6.6 The Risk‐return Trade‐off
8.7.1 Financial Consequences of a Cyber Attack
8.7.3 Reverse Stress Testing
8.7.4 Defense in Depth
8.7.6 Cyber Value at Risk
8.7.7 Re‐Simulations of Historical Events
8.7.9 Building Back Better
8.7.10 Events Drive Change
8.7.11 Education for Cyber Resilience
8.7.12 Improving the Cyber Profession
Endnotes
9.1.1 Types of Cyber Insurance
9.1.2 Choosing a Cyber Insurance Product
9.1.3 How Much Cover Should I Buy?
9.1.4 Isn't Cyber Loss Already Covered in My General Liability Insurance?
9.1.5 Cyber Insurance Against Property Damage
9.1.6 Are There Alternatives to Buying Cyber Insurance?
9.2.1 The Growth of the Cyber Insurance Market
9.2.2 Cyber Insurance Is Profitable (Until It Isn't)
9.2.3 Expectations and Reality for the Cyber Insurance Market
9.2.4 Cautious Insurers
9.3.1 How Much Risk Capital Is Needed for Cyber Claims?
9.3.2 Allocation of Capacity
9.3.4 Growing Confidence in the Management of Cyber Tail Risk
9.4.2 Accumulation Management
9.4.3 Probable Maximum Loss Scenarios
9.4.4 Probabilities of Extreme Cyber Losses
9.5.2 Cyber Loss Ratio Variation
9.5.3 Causes of a Large Loss
9.5.5 The Underwriting Questionnaire
9.5.6 Predictive Power of Company Attributes
9.6.1 Protecting the Balance Sheet
Endnotes
10.1.1 Impact of Security on Cyber Loss Likelihood
10.1.3 Cost‐Effectiveness Surveys
10.1.4 Cost‐Effective Technologies
10.1.5 Making Smarter Investment Decisions
10.2.1 How Much Should an Organization Spend on Cyber Security?
10.2.2 What Is Your Security Attitude?
10.2.3 Risk‐Informed Security Enhancement
10.2.4 Gauging Your Security Spend to Expected Loss
10.3.1 Finding Bugs Before the Bad Guys Do
10.3.2 The Odds Are Not on Our Side
10.3.3 Bug Economic Valuation
10.3.4 Heartbleed – A Hidden Vulnerability
10.3.6 Zero Day Brokers
10.4.1 Cyber Attacks and Game Theory
10.4.2 Choice of Cyber Attack Technology
10.4.3 Hacker Motivations
10.4.5 Functioning Black Markets
10.4.6 National Conflict Strategies
10.4.7 Improving Attribution
10.5.1 Preparing for Cyber Conflict
10.5.3 Bringing Cyber Criminals to Justice
10.5.4 Putting Bounties on Their Heads
10.5.5 The Importance of the CISO
Endnotes
11.1.2 Ten Problems for Solving Cyber Risk
11.1.3 Security as Well as Functionality
11.1.4 Rethinking the Design Time Horizon
1 The Canal Safety Decision Problem
2 The Software Dependency Problem
3 The Vulnerability Inheritance Problem
4 The Vulnerability Count Problem
5 The Malware Overlap Problem
7 The Binary Similarity Problem
9 The Cyber Criminal’s Dilemma Problem
10 The Security Verification Problem
Endnotes
12.1.2 Hacker Hordes Rise
12.1.3 More Powerful Attack Technologies Are Deployed
12.1.5 Splinternet
12.1.7 Cyber War
12.2.1 Exorcism of Ghosts in the Code
12.2.2 Twenty‐First‐Century Law Enforcement
12.2.3 Geneva Convention for Cyber Operations
12.3.1 Security and Cryptography
12.3.2 The Future of Passwords
12.3.3 Passwords Should Have High Entropy
12.3.4 The Security of Data Encryption
12.3.5 Asymmetric Cryptography
12.3.7 The Quantum Computing Horizon
12.3.8 Quantum Computing as a Security Risk
12.4.1 Multi‐pronged Approach
12.4.2 Increased Cost of Cyber Safety
12.4.3 Ten Recommendations for Our Cyber Future
Endnotes
References
Index
EULA