7. www.cyberoam.com
Average cost per security incident
“Overall, the costs and complexity of responding to incidents are increasing. This includes the cost to investigate; the cost to understand business risks and contain incidents; the cost to manage notification to regulators, customers, and consumers; and the cost of litigation. Also, the cost of remediation is rising because more records across more jurisdictions are being impacted, and security controls have not kept pace with the ever-changing threat landscape.”
8. There’s more to reveal…
CIOs and IT managers are unable to track advanced evasion techniques - The Security Industry’s Dirty Little Secret.
There are 800 million known advanced evasion techniques (AETs), but most security managers don’t have the methods to track AETs within their company.
10. Cost of reacting
“10% of machines will need to be patched manually at a cost of $50/machine”
- Marc Donner, executive director, Morgan Stanley
$50 * 500 = $25,000 (5000-node network)
Redesigning and implementing a new security solution helps little.
The reactive way is not the solution.
It is not a smarter spend.
11. Threat
A threat can be anything, i.e. a human, an event, weather, an error or a failure, that has the potential to cause an impact or harm to an asset.
A threat directly compromises the CIA triad.
14. Cyberoam Threat Modeling - the process
1. Identify and document critical assets in your infrastructure
2. Identify and document each component in the system
3. Identify and document possible points of attack
4. Identify and document the threats that pertain to each possible attack point
5. Identify and document the category and priority of each attack
6. Identify and document the mitigation solutions
7. Monitor the security controls
8. Re-evaluate the security controls
16. Identify and document critical assets in your infrastructure
Diagram of the example ICS/SCADA environment: field measurements (temperature level, pressure level, oil level, maintenance alarm, radioactivity level, pump/fan speed) feed two Remote Terminal Units, which connect to the HMI, the supervisory control system and the database/backup.
Access paths shown: a user authorized to access the ICS/SCADA, IP-based access, an unauthorized user, and access to the SCADA system at an unscheduled time.
17. Identify and document possible points of attack
Diagram of the same ICS/SCADA environment (field measurements, Remote Terminal Units, HMI, supervisory control system, database/backup) with the attack points marked: exploitation of a service vulnerability, and exploitation of an RTU vulnerability.
Service-level exploits, e.g. web attacks, FTP attacks, Telnet or SSH attacks.
18. Identify and document threats that pertain to each possible attack point
Malware over email to employees (shown against the same ICS/SCADA diagram).
19. Identify and document threats that pertain to each possible attack point
Lure employees to visit an infected website or app (shown against the same ICS/SCADA diagram).
20. Identify and document threats that pertain to each possible attack point
Waterhole attacks (shown against the same ICS/SCADA diagram)
- Bad guys poison a website frequented by employees and/or the company
- The hacker maliciously modifies the website code, or some desired object on the website is poisoned
21. Identify and document the category and priority of the attack
Diagram: the ICS/SCADA environment (field measurements, Remote Terminal Units, HMI, supervisory control system, database/backup) together with the HMI client and the business systems (web/email server); the attack point under analysis is the data between the server and the ICS systems.
Threat Description: Eavesdropping Data during Transit
Threat Target: Damage critical infrastructure
Risk: High
Attack Technique: Command Change
Counter Measure: Strong IPS
22. Priority of the attack - DREAD MODEL
Each threat is rated High = 3, Medium = 2 or Low = 1 on five criteria:

Damage Potential
High = 3: The attacker can subvert the security system; get full trust authorization; run as administrator; upload content.
Medium = 2: Leaking sensitive information.
Low = 1: Leaking trivial information.

Reproducibility
High = 3: The attack can be reproduced every time and does not require a timing window.
Medium = 2: The attack can be reproduced, but only with a timing window and a particular race situation.
Low = 1: The attack is very difficult to reproduce, even with knowledge of the security hole.

Exploitability
High = 3: A novice programmer could make the attack in a short time.
Medium = 2: A skilled programmer could make the attack, then repeat the steps.
Low = 1: The attack requires an extremely skilled person and in-depth knowledge every time to exploit.

Affected Users
High = 3: All users, default configuration, key customers.
Medium = 2: Some users, non-default configuration.
Low = 1: Very small percentage of users, obscure feature; affects anonymous users.

Discoverability
High = 3: Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable.
Medium = 2: The vulnerability is in a seldom-used part of the product, and only a few users should come across it. It would take some thinking to see malicious use.
Low = 1: The bug is obscure, and it is unlikely that users will work out damage potential.

Threat: Eavesdropping Data during Transit
Damage Potential 3, Reproducibility 3, Exploitability 3, Affected Users 3, Discoverability 3; Total RISK 15
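As an added example (not Cyberoam's code) tying the process steps of slide 14 to the DREAD rubric above, this Python records an attack point the way the slide-21 table does and scores it on the slide's 1/2/3 scale; the mapping of the 5..15 total onto the High/Medium/Low risk column and the ratings given to the RTU entry are assumptions, since the deck only shows one fully rated row.

```python
from dataclasses import dataclass, field

# DREAD scale from the slide: Low = 1, Medium = 2, High = 3 on each of five criteria.
DREAD_CRITERIA = ("damage_potential", "reproducibility", "exploitability",
                  "affected_users", "discoverability")
LEVELS = {"low": 1, "medium": 2, "high": 3}

def risk_band(total: int) -> str:
    # Bands over the 5..15 total are an assumption; the deck only shows 15 -> High.
    return "High" if total >= 12 else "Medium" if total >= 8 else "Low"

@dataclass
class AttackPoint:
    # One row of the slide-21 table: asset, threat, target, technique, countermeasure.
    asset: str
    description: str
    target: str
    technique: str
    counter_measure: str
    ratings: dict = field(default_factory=dict)  # criterion -> "low"/"medium"/"high"

    def score(self) -> int:
        # Sum the five DREAD ratings; refuse to score an incompletely rated entry.
        missing = [c for c in DREAD_CRITERIA if c not in self.ratings]
        if missing:
            raise ValueError(f"unrated DREAD criteria: {missing}")
        return sum(LEVELS[self.ratings[c].lower()] for c in DREAD_CRITERIA)

    def risk(self) -> str:
        return risk_band(self.score())

def prioritize(points: list) -> list:
    # Order documented attack points for mitigation, highest DREAD total first.
    return sorted(points, key=lambda p: p.score(), reverse=True)

# Worked row from slide 22: every criterion rated High, total 15 -> High.
EAVESDROP = AttackPoint(
    asset="Data between server and the ICS systems",
    description="Eavesdropping data during transit",
    target="Damage critical infrastructure", technique="Command change",
    counter_measure="Strong IPS", ratings={c: "high" for c in DREAD_CRITERIA})

# Second entry built on slide 17's RTU attack point; these ratings are constructed.
RTU_EXPLOIT = AttackPoint(
    asset="Remote Terminal Unit", description="Exploitation of RTU vulnerability",
    target="Damage critical infrastructure", technique="Service-level exploit",
    counter_measure="Patch and segment RTUs",
    ratings={"damage_potential": "high", "reproducibility": "medium",
             "exploitability": "low", "affected_users": "medium",
             "discoverability": "low"})
```

Calling `prioritize([RTU_EXPLOIT, EAVESDROP])` returns the eavesdropping entry (15, High) ahead of the RTU entry (9, Medium), which is the order the mitigation step would work through them.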
23. Monitor and re-evaluate security controls
Due care and due diligence
Compliance
Better and smarter spend of the IT budget
Pro-active solution
A systematic defense, built on a thorough threat modeling methodology, is your best protection.
There is still no silver bullet!
As the findings show, while the number of security incidents has grown, the ambiguity in dealing with these incidents has also grown. We can see a growing percentage of respondents admitting to a lack of awareness.
Now this one’s a real eye-opener. As the chart shows, many security executives and IT decision makers continue to believe that security threats from insider sources are JUST as high as from outsiders like hackers and cyber criminals. This underlines the fact that many CIOs still fail to trust their own decisions and security deployments and lack confidence in existing security measures.
As emerges from the chart, security executives at different levels, from those with very mature security practices to those coping at a relatively nascent level, all indicate a rising cost in dealing with security incidents…
As one leading ICT analyst observes, the present situation in enterprise security clearly showcases the compounding cost of loss due to the spiraling cost of mitigating security threats.
While many organizations seem ready to increase their IT spend on security, a question still remains: are they spending big bucks on security wisely?
The answer can be seen here. It clearly reveals that despite growing security deployments, the number of security incidents continues to grow and the degree of compromise is significant. This is because there is a lack of a proactive approach. Enterprises fail to see how they need to defend different areas of their network and IT ecosystem. It takes a combination of the right security technologies and how they are deployed at various points throughout the enterprise network.
Smart investment
1. Identify potential threats and the conditions that must exist for an attack to be successful
2. Provide information about how existing safeguards affect the required attack conditions
3. Provide information about which attack-condition and vulnerability remediation activities add the most value
4. Help you understand which conditions or vulnerabilities, when eliminated or mitigated, affect multiple threats; this optimizes your security investment