
CHALLENGES FOR RISK MANAGEMENT
7CCSMSEN Security Engineering Dr. Jose M. Such

The World is Changing
• From single organisations to organisational eco-systems
• Supply chains
• Procurement of specific third party technologies, software or services
• End-users utilising personal technologies or third-party services
• Pervasiveness of AI

Challenge: How to understand the risks posed by unanticipated cyber threats?

Video

Why is it hard?
• Information security risk assessments tend to focus only on information security in the organisation in question
• Often neglected: how members of the organisation’s supply chain (products/services) assess and manage information security risk and the impacts on the organisation
• Bifurcate online/offline and treat end users as separate from technologies.
• Information security risk is socially constructed at the point where technology intersects with end-users
• Understanding the risk context in such complex organisational eco-systems is extremely challenging

Challenge: How to address the lack of risk ownership by those other than the risk assessors?

Why is it hard?
• Information security risk management is seen as “imposed from high up”
• Organisational cultural shift is a very hard problem

What do we need?
• Better approaches for capturing information security risk context
• Everyone in the organisation can have a contribution to make
• Need to have better means to engage risk assessors and other members of an organisation in effective dialogue about risk assessments, risk communication and risk management

Challenge: Artificial Intelligence Risks

The AI revolution

AI for Information Security

But how SECURE is AI?

Machine Learning

Adversarial Machine Learning
• Key issue in Adversarial ML: bad actors will attempt to exploit the ML model itself
• Example: evasion attacks
• Attacks on ML, where malicious objects are deliberately transformed to make a ML model make wrong predictions

Adversarial examples
[Figure: image classified as panda + small adversarial noise → classified as gibbon]

Implications for Security?

[Figure: Suppose that the sign is (image). Add small adversarial noise… and the ML in your self-driving car thinks it’s (a different image).]

Implications for Security beyond image recognition?

ML in Cyber Security
• Detect bad “things” (actors, actions, objects)
• Fraud detection
• Malware detection
• Intrusion detection
• Spam detection
• …
• Binary decision: Good or Bad

PDF Malware
• Acrobat Reader CVE entries per year

PDF Malware
• CosmicDuke – includes code from the MiniDuke APT trojan (used in a series of attacks against NATO and European government agencies in 2013) and from the information-stealing Cosmu family.
• CosmicDuke malware samples start with a malicious object embedded in a PDF file. When the file is opened, the object exploits the known CVE-2011-0611 vulnerability in specific versions of Acrobat products.
https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf

PDF Malware ML classifiers
Source: https://evademl.org

PDF Malware ML classifiers
Source: https://evademl.org

Runs properly in Cuckoo Sandbox??
Source: https://evademl.org
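The evasion idea from the Adversarial Machine Learning slides, applied to the PDF malware classifier setting above, as an added example (not code from the lecture, from EvadeML or from any real PDF classifier). It uses a hand-built linear classifier over five constructed PDF-style features with made-up weights, shows that a verdict can be flipped by a small feature change, and, from the defender's side, computes the margin separating each sample from the decision boundary so that fragile verdicts can be flagged. Feature names, weights, samples and the threshold are all assumptions.

```python
"""Toy evasion-robustness check for a linear malware classifier (added example).

Assumed: a linear model w.x + b over constructed PDF-style features; a
positive score means 'malicious'. Real classifiers use hundreds of features,
and a real evasion must also keep the file functional (the 'runs properly in
the sandbox' check), which this toy deliberately ignores.
"""
import math

# Constructed feature names (not from any real classifier).
FEATURES = ["js_objects", "launch_actions", "embedded_files", "page_count", "obj_count"]

# Constructed weights and bias: JavaScript and launch actions push towards
# 'malicious'; many pages and many objects push towards 'benign'.
WEIGHTS = [2.0, 1.5, 1.0, -0.3, -0.05]
BIAS = -1.0

# Constructed samples: (name, feature vector in FEATURES order).
SAMPLES = [
    ("clearly_malicious", [3, 1, 1, 2, 40]),
    ("borderline", [1, 0, 0, 1, 10]),
    ("clearly_benign", [0, 0, 0, 5, 30]),
]


def score(x):
    """Linear decision function w.x + b."""
    return sum(w * xi for w, xi in zip(WEIGHTS, x)) + BIAS


def predict(x):
    """Binary decision: good or bad."""
    return "malicious" if score(x) > 0 else "benign"


def l2_margin(x):
    """Distance from x to the decision hyperplane: |w.x + b| / ||w||.

    A small margin means the verdict hinges on a tiny change in features.
    """
    norm = math.sqrt(sum(w * w for w in WEIGHTS))
    return abs(score(x)) / norm


def minimal_flip_perturbation(x, eps=1e-6):
    """Smallest L2 change that carries x just across the boundary.

    For a linear model the closest point on the boundary lies along w, so the
    perturbation is -(score + eps) / ||w||^2 * w.
    """
    norm_sq = sum(w * w for w in WEIGHTS)
    s = score(x)
    factor = -(s + (eps if s > 0 else -eps)) / norm_sq
    return [factor * w for w in WEIGHTS]


def evade(x):
    """Return (original verdict, perturbed verdict, L2 size of the perturbation)."""
    delta = minimal_flip_perturbation(x)
    x_adv = [xi + di for xi, di in zip(x, delta)]
    size = math.sqrt(sum(d * d for d in delta))
    return predict(x), predict(x_adv), size


def fragile_samples(samples, threshold):
    """Defender-side check: names of samples whose margin is below threshold."""
    return [name for name, x in samples if l2_margin(x) < threshold]


if __name__ == "__main__":
    for name, x in SAMPLES:
        before, after, size = evade(x)
        print(f"{name:18s} margin={l2_margin(x):.3f} {before} -> {after} (L2 change {size:.3f})")
    print("fragile:", fragile_samples(SAMPLES, 0.5))
```

The margin and the minimal perturbation are the same quantity seen from two sides: the attacker needs a change at least that large, and the defender can rank deployed verdicts by it to decide which ones deserve a second signal (for PDFs, the behavioural sandbox check the slides mention) rather than trusting the classifier alone.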

Challenge: Supply chain security

Outsourced services

Infected devices

Attacks against UK SME
• Disproportionate attacks against SMEs
• 74% of all small businesses (less than 50 employees) will experience some form of attack
• Typical direct financial costs (fines and loss of business) accumulating to a potential loss of £13.2 billion to the UK economy;
• Does not include indirect losses such as IP theft

CYBER SECURITY CONTROLS EFFECTIVENESS FOR SME
AN ASSESSMENT OF CYBER ESSENTIALS
Jose M. Such, Pierre Ciholas, Awais Rashid, John Vidler, Tim Seabrook

Intro
• Small to Medium Enterprises (SMEs) facts:
1. UK: 99.3% of all Private Sector with 25.2 million employees.
2. US: 99% of all enterprises
3. Europe: 99% of approximately 23 million companies
• Internet facilitated expanding their market reach – but exposed them to cyber risks.
• Less resources than larger organisations for cyber security.
• Part of the supply chain of larger organisations.
• Risking not just their own, but also their customers’ and partners’ data and security

Intro
• Some “low-cost” initiatives aimed to improve SMEs cyber security:
• US National Campaign for Cyber Hygiene
• Assurance schemes such as UK Cyber Essentials
• Lack of an evaluation of how effective these initiatives are at protecting SMEs.
• Our research is a first step towards this endeavour.

Cyber Essentials
• CE was introduced by the UK government in collaboration with standards and private sector orgs (IASME, ISF, BSI) in 2014.
• Aims: “basic controls to help organisations to protect themselves against common non-targeted cyber attacks”
• Not only for SMEs but especially attractive to them for basic affordable cyber hygiene.
• UK government and private companies (HP) to make it mandatory for their supply chain.

Cyber Essentials

Aims of our study
• Analysis of the difference between having/not having Cyber Essentials security controls in place in SME networks
• Scope: ‘commodity-level’ attacks attempting to exploit vulnerabilities in SME networks:
“Any unauthenticated remote attack exploiting a known vulnerability with the use of tools and techniques openly available for download or purchase on the internet – and that do not require extensive specialist knowledge to conduct.” –Common cyber attacks: Reducing the impact, CESG

Methodology
1. Selection of 4 representative SMEs – from 20+ SMEs
2. 200 random vulnerabilities from MITRE CVE lists
3. Vulnerability Assessment
• SMEs do not have the resources to separate testing from operational systems.
• “Active” assurance techniques like penetration testing may have an operational impact on this resource-constrained type of businesses.
• We used: architectural reviews, configuration reviews, and interviews to see whether each SME would be vulnerable to any of the vulnerabilities selected and whether Cyber Essentials security controls mitigated them or not.

SME high-level characteristics
[Table: survey of SME1–SME4 along the dimensions below; the per-SME entries were not recoverable from the flattened layout.]
• Employees: 1-10 (small); 11-250 (small-to-medium)
• BYOD: Yes; No
• Workstations: OSX; Windows 7/8; Windows (older); Linux
• Local Services: File Sharing/Server; Database; Email; Domain Server; Webserver; Application Server
• OS for Local Services: OS X; Linux; Windows
• 3rd Party Remote Services: Email; Web Hosting; Online Banking / Accounting; Social Media; File Sharing (e.g. dropbox); Data (e.g. Web Database)
• Remote access to local services: Not Permitted; Connect to Network (e.g. VPN); Connect to Server (e.g. SSH)

SME 1 – Finance Sector
• Extensive Local Services provided (file, database, domain, web, and app servers)
• Multi-site and remote users
• Off-premises private Email server
• Dell and Lenovo PCs with Windows and Linux
• 3Com, Draytek, BT and Huawei for infrastructure components
• 119 applicable vulnerabilities

SME 2 – Specialist Group
• Local windows shared folders
• Off-premises self-managed Dell Linux web server
• Extensive use of cloud-based services (Google Drive, Cal, Docs, Email, ReachIT, SalesForce, baseComp, OneSearch)
• Restricted access wifi network for guests
• Windows and OSX Workstations
• TPLink Switch and TPLink DHCP Router
• 79 vulnerabilities applicable

SME 3 – Web Development
• Extensive use of cloud-based services (Google Drive, DropBox, Calendar, Docs, Scheduling, Email, CRM)
• Extensive use of web development and deployment technologies
• Most web browsers with different versions for client-compatibility
• Windows and OSX Workstations
• TPLink Switch and TPLink DHCP Router
• 116 vulnerabilities applicable

SME 4 – Hospitality services
• Extensive use of cloud-based services (Skydrive, Dropbox, one+one web server, booking database, Xero)
• Windows and OSX Workstations
• BT router + Netgear repeaters
• Equipment from guests
• Browsers used for bookings and reception of guests
• 103 applicable vulnerabilities

Aggregated results

Most Vulnerabilities fully mitigated with a combination of CE security controls.
• From most to least occurring: patch management, secure configuration, access policy, firewall, anti-malware.
Some partially mitigated
• Most fully mitigated once third-party patch/fix available.
• Few (2) mitigated through website blacklisting (anti-malware) and secure configuration.
Very few vulnerabilities were not mitigated
• Inherent flaws in a hardware device that cannot be fixed.
• The hardware should be replaced.

Conclusions
• The 5 security controls of Cyber Essentials seem to provide a basic level of cyber hygiene.
• Vast majority of ‘commodity-level’ attacks would be mitigated.
• Cyber Essentials was not designed to address more advanced, targeted attacks (Insider threats, APTs)
• Organisations facing these threats may need to implement additional measures
• 10 steps to cyber security -> User Education and Awareness, and Network and Systems monitoring

Conclusions
• Actionable collaborative threat information to provide further help
• NCSC’s Cyber security information sharing partnership CiSP
• Timely CE patch management
• Extra feeds for website blacklisting – complement the CE anti-malware control
• Black list of devices known to be flawed (vulns not mitigated by CE)
• Initiatives need to consider lack of resources / know-how in SMEs

Conclusions
• SME reliance on service providers:
• SMEs may not be the last node in the supply chain!
• Extensive use of cloud-based services
• e.g. Google, Microsoft, Dropbox, Amazon, …
• This reduces the local attack surface but also makes SMEs’ security depend on the security of their service providers.
• Security as a dimension to consider for provider selection.