Cyber Risk and Fault Tree Analysis

I've been trying to think of a business that does not have exposure to cyber risk.  I can't think of one.  At minimum, everybody stores confidential data on a computer, which means they have a valuable commodity subject to data breach.

Let's take a higher-level view of this risk by using a fault-tree analysis.  Here's what that would look like:

The left side focuses on compromised data.  Here's the general process criminal use to get your information:

1. Research: The cybercriminal looks for weaknesses in the company’s security (people, systems, or network).
   
2. Attack: The cybercriminal makes initial contact using either a network or social attack.
3. Network/Social attack: A network attack occurs when a cybercriminal uses infrastructure, system, and application weaknesses to infiltrate an organization’s network. Social attacks involve tricking or baiting employees into giving access to the company’s network. An employee can be duped into giving his/her login credentials or may be fooled into opening a malicious attachment.
   
4. Exfiltration: Once the cybercriminal gets into one computer, he/she can then attack the network and tunnel his/her way to confidential company data. Once the hacker extracts the data, the attack is considered successful.
   

The right side discusses network breaches.  Here are some of the ways hackers will use to infiltrate networks:

• Emails containing viruses and malware - This is one of the most popular methods of spreading malware hidden in an attachment in the email. Once the attachment is opened, the malicious software executes and/or downloads onto the computer that receives it.
• Emails with links to malicious websites - Often referred to as phishing these emails attempt to emulate legitimate emails from well-known organisations that the receiver would tend to trust such as a bank. The html links lead to fake websites which try and trick the user entering sensitive information such as passwords and banking details. Sometimes these websites also attempt to install malware, viruses or spyware on the recipient’s computer.
• Probing for weaknesses - Sometimes hackers send out mass emails in an attempt to compromise firewalls, intrusion detection systems and intrusion prevention systems to gain access to computer systems behind these defences. It’s a numbers game with millions of emails going out to identify malfunctioning, misconfigured or un-patched equipment.
• Social networking pages - People tend to let down their guard and be less wary on social networking sites. With this method, a fake profile entices real users into following links to malicious websites or giving up sensitive personal information.
• Inserting malicious packets - This relies on access to a swathe of zombie computers to send out large quantities of data packets to a large number of recipients targeting a specific port. The aim is to identify a router or firewall with the specific port open and gain access to the computers behind the firewalls
• Hijacking ads - Cybercriminals often place ads containing malicious code on legitimate websites. They do this either by purchasing ads directly, hijacking the ad server or hacking someone else’s ad account.
• Malware sold as legitimate software - Fake antivirus programs have infected millions of computers. Software is offered as free, available through the internet that includes malware designed to infect computers.
• Advanced Persistent Threats (APTs) - APT means a sustained multi-pronged attempt to break into a specific organization’s or institution’s data networks. With APTs, hackers use many methods from sending fake promotional material to network attacks. The aim is to breach the network and steal information. APTs are different from other forms of attack because generally take place over the long term and can last months and years.