CyberSecurity Threat Intelligence Report June 2014

Page 1: CyberSecurity Threat Intelligence Report June 2014

The CCSO CyberSecurity Threat Intelligence report identifies one primary threat, “Humans”. This threat can come from any geographic or physical direction. Depending on the motivation, this threat could register on the risk assessment scale anywhere from >90 Extreme to 29< Low. Several risk-based criteria must be assessed to help managers distinguish the Extreme risks and Critical Threats from less serious threats, so they can concentrate limited resources or capital on immediate risks.

This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program then please contact Mark @ 604-349-6557 or [email protected]

It was estimated that only 74% of existing vulnerabilities are known; in reality it's much worse. Many organizations do not report defects found in their products. Combine that fact with the multitude of hacking techniques not reliant upon known vulnerabilities, like social engineering, misconfiguration, etc. The problem is that most threats need a vulnerability to exist before they can become serious threats, and many companies unintentionally or intentionally provide that attack vector. Below are a few sources that quantify this threat.

• New malicious files: 8,206,419
• Detection by Anti-Virus software: 6,153,370
• Undetected: 2,053,049

Credits: RedSocks March 2014 Report

Cybercrime cost Canadians $3B in past year.

Credits: Norton 2013 Report

Global Study at a Glance
• 234 total companies in six countries
• 1,935 interviews with company personnel
• 1,372 attacks used to measure total cost
• $7.22 million is the average annualized cost
• 30% net increase in cost over the past year
• 15% average ROI for seven security technologies

Credits: Ponemon Institute 2013

Page 2: CyberSecurity Threat Intelligence Report June 2014

The CCSO CyberSecurity Threat Intelligence Insight report identified threats that are beyond our control; these threats are categorized as “Acts of Nature”. Our only recourse is to design resilient/redundant infrastructures and business practices that mitigate these risks. A critical part of capability and maturity is documenting our business continuity plans so that knowledge can be shared and verified/validated through testing. These threats are so extreme it is impossible to mitigate the risk of them 100%. Examples including costs have been provided below.

Cost of natural disasters has quadrupled over past 30 years: EU official

Credits: The Associated Press

The European Commissioner for humanitarian aid and crisis response told a conference on disaster risk reduction and management of the Asia-Europe Meeting that costs related to natural disasters have increased from $50 billion a year in the 1980s to $200 billion in the last decade. In three of the last four years, costs exceeded $200 billion.

Top 10 2013 Natural Disasters

1. Flooding In Central Europe Cost $22B
2. An Earthquake In Lushan, China Cost $14B
3. Super Typhoon Haiyan Cost $13B
4. Typhoon Fitow In China And Japan Cost $10B
5. Droughts In China Cost $10B
6. A Series of Droughts In Brazil Cost $8B
7. Flooding In Alberta, Canada Cost $5.2B
8. Aug-Sept Floods In North China Cost $5B
9. 2nd Flood In Southwest China Cost $4.5B
10. Hurricane Manuel In Mexico Cost $4.2B

Page 3: CyberSecurity Threat Intelligence Report June 2014

Making the connection between a vulnerability and threat is paramount to root-cause analysis and taking corrective action and/or preventive action designed to effectively and efficiently remediate a risk. In today's business environments, enterprises span multiple countries and continents where a multitude of potential attack vectors exist. Humans are crucial to the success of mitigating CyberSecurity Threats because they can avoid or mitigate most vulnerabilities. Below is a summary of the top three vulnerabilities that can be avoided with human intervention.

Humans can also lead to a breach of security or be the victim of a breach. The average cost is $200.00 USD per record for three years following the security breach, and this does not include damages. The largest breach cost $177 million. There have also been several companies that were breached and forced to close. In the following, each threat was created by humans.

Most Threats can be remediated, but all threats would not exist in the absence of a vulnerability. Root-Cause Analysis suggests that if you fix the vulnerabilities the Threats will go away!

Summary of Threat Report Findings for 2013 (74 threats / 7 sources)

CSI 2013
• Malware infection
• Insider Abuse of Net Access / eMail
• Laptop / Mobile Theft

Verizon Data Breach 2013
• Network Intrusion / stolen credentials
• Used some form of hacking
• Incorporated Malware

Websense 2014 Threat Report
• Web Threats
• Social Media Threats
• Mobile Threats

OWASP Top 10 Risks
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)

CSI 2011 Survey
• Malware infection
• Bots / zombies within the organization
• Fraudulently represented as sender of phishing messages

ISC2 - 2013 Global Report
• Application Vulnerabilities
• Malware
• Mobile Devices

CSA Top Risks 2013
• Data Breaches
• Data Loss
• Account Hijacking

Page 4: CyberSecurity Threat Intelligence Report June 2014

What I can only conclude from the current state of affairs is that we are experiencing a lack of quality management during the development of technology hardware, software and telecommunications, which has led to the creation of a database of defects equaling 61,000 reports. It's very likely that there are many more unreported if you consider that 2,053,049 have already been identified as undetected; that’s 25%. This situation is pushing the risk down from the manufacturer to the customer, yet we are expected to pay full price for defective products.

There exists today a culture of driving products to the marketplace before they have been tested and hardened with security standards. The majority of products on the market today are vulnerable to fraud and hacktivism. There is also a culture within Information Technology to promote software, hardware and telecommunications based on tacit knowledge, leaving many systems improperly deployed or misconfigured and not hardened. The adoption and integration of best practices ISO 9001, ISO 27001, ISO 38500, ISO 31000, ISO 14001 and ISO 18001 would help to stabilize the technology environment. I’ve provided an excerpt from ISO 9001, so that you can see the activities.

Emerging vulnerabilities awaiting threat exploitation include robots, our food chain and Nanotechnology. The latter is already in use today maintaining both a military and medical application. At this point in time Nanotechnology is completely undetectable and the perfect attack vector.

A lack of “Quality” and a demonstrable “Standard of Care” by Executive management in the development of software, hardware and telecommunications is our greatest threat today!

ISO 9001 Product Realization Strategy

7 Product realization
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design and development
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring and measuring equipment

8 Measurement, analysis and improvement
8.1 General
8.2 Monitoring and measurement
8.3 Control of nonconforming product
8.4 Analysis of data
8.5 Improvement

Page 5: CyberSecurity Threat Intelligence Report June 2014

The solution depends on establishing a solid proven information security management system based on an internationally accepted standard framework ISO/IEC 27001:2013. This framework will mitigate 261 of the most common compliance risks and operational risks to information and knowledge. This framework can be independently audited. This framework can help to make compliance with statutes, regulations and contractual obligations more self-sustainable.
