
Why security is the kidney not the tail of the dog v3


Is security the tail that is wagging the dog or could it be the kidneys?

Kidneys are organs that extract waste from blood and balance body fluids. With no kidney function, death typically occurs within a short time period. The same fatal results are also true for an organization that does not have a properly functioning cyber security program. Cyber security should empower you and your staff by extracting the waste from being online in a constantly connected state, discarding that waste while passing on the needed information. In the same way that kidneys need to balance your body fluids, security should balance the need for information availability, integrity, and confidentiality.

A person can survive without kidneys for a short period of time, and the same is true of an organization without good cyber security. In today’s world, an organization without cyber security will fail. Someone with failing kidneys can be put on dialysis to bypass the function of normal kidneys, and the same can be said of cyber security: it can be outsourced or added at the end, but this is not a long-term solution. Cyber security should become a part of everyone’s function, as everyone is online and connected to systems. One major goal of the security team should be empowering staff through training and providing resources so they understand how to filter out the waste and use the needed information.

Cyber security professionals should remember that their job is to ensure the availability and integrity of the data, while at the same time helping others to keep protected information confidential. Security is not effective if we try to add it on after the fact; that is why security should become part of the entire life cycle, from the cradle to the grave of any project or program. “The cost to fix a bug found during implementation was around 6 times costlier than one identified during design. Furthermore, according to IBM, bugs found during the testing phase could be 15 times more costly than during design… Additionally, the complexity of deploying/implementing changes in a live production environment would further increase the overall cost associated with late stage maintenance.” [1]

Cyber security professionals need to help users understand the current cyber security risk landscape and give them resources to help them protect themselves and those they serve.

“To ensure that bugs are fixed at an earlier stage within the SDLC, take advantage of the following security testing practices:

1. Activities such as architecture risk analysis help to identify issues during the design phase of software development.

2. Use the OWASP best practices quick Reference as a guide for securely writing initial code. https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

3. Once the code is written for the approved architecture, conduct a source code review to identify issues within the code.


4. Prior to the software’s release, conduct a penetration test to identify issues and to make sure that issues previously identified are resolved.” [1]

June 2017 SANS whitepaper, Testing Web Apps with Dynamic Scanning in Development and Operations: https://www.sans.org/reading-room/whitepapers/application/testing-web-apps-dynamic-scanning-development-operations-37820

Current Cyber Security Trends:

Ransomware attacks worldwide increased by 36 percent in 2017, with more than 100 new malware families introduced by hackers. [4]

The average amount demanded in a ransomware attack is $1,077, an increase of about 266 percent. [4]

Emails are now being increasingly used by hackers, and an estimated one in every 131 emails contains malware. [4]

The research revealed that the victims of identity fraud in the U.S. alone increased to 15.4 million in 2016, an increase of 2 million people from the previous year. [5]

At least 43 percent of cyber attacks against businesses are targeted at small companies, and this number is increasing. [6]

More than 4,000 ransomware attacks occur every day, according to data from the FBI [10]. That’s a 300 percent increase in ransomware attacks.

It takes most businesses about 197 days to detect a breach on their network. Many businesses have been breached and still have no idea, and as hackers get more sophisticated it will only take businesses even longer to realize that they have been compromised. [13]

Sources

1. https://www.synopsys.com/blogs/software-security/cost-to-fix-bugs-during-each-sdlc-phase/
2. https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics
3. https://www.juniperresearch.com/press-releases/cybercrime-cost-businesses-over-2trillion
4. https://www.symantec.com/security-center/threat-report
5. https://www.javelinstrategy.com/press-release/identity-fraud-hits-record-high-154-million-us-victims-2016-16-percent-according-new
6. https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html
7. https://www.csoonline.com/article/3200024/security/cybersecurity-labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html
8. http://www.businessinsider.com/warren-buffett-cybersecurity-berkshire-hathaway-meeting-2017-5
9. https://www.pandasecurity.com/mediacenter/press-releases/all-recorded-malware-appeared-in-2015/
10. https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view
11. http://www.businessinsider.com/expert-phishing-emails-2016-8?IR=T
12. https://www.venafi.com/assets/pdf/wp/Venafi_2016CIO_SurveyReport.pdf
13. http://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/
14. https://www.computerworld.com/article/2475964/mobile-security/98–of-mobile-malware-targets-android-platform.html
15. https://swimlane.com/10-hard-hitting-cyber-security-statistics/
16. https://www.esecurityplanet.com/network-security/over-80-percent-of-americans-are-more-worried-about-privacy-security-than-a-year-ago.html
17. https://www.comparitech.com/vpn/vpn-statistics/
18. https://www.techinasia.com/indonesia-world-leader-vpn-usage

+++++++++++++++

How an ARA works

1. Analyze business context

We conduct interviews with business owners of the system to gather and analyze the information to better understand the security risks that impact the business goals of the system.

2. Create a threat model

We identify major components, assets, threat agents, and security controls that exist in the system, then create a diagram to capture these entities and the relationships between them.

3. Conduct a risk analysis

We identify software-based risks and prioritize them according to business impact (e.g., unauthorized access to data or service availability). Activities that comprise our analysis include:

o Known Attack Analysis. We draw from a set of known attack patterns to model subsystem and application behavior for the components in the system being reviewed.

o System-Specific Attack Analysis. We evaluate the foundations of system architecture as it relates to well-established security principles. We also look for unspecified software behaviors with little independent impact that may combine to create critical vulnerabilities.

o Dependency Analysis. We focus on peeling back the layers of the software in the platform to understand the security risks introduced or mitigated by each layer.

4. Provide mitigation advice

At the end of each assessment we conduct a read-out call with the appropriate development team to review each vulnerability identified during the assessment, answer any questions that the team might have around each vulnerability, and discuss mitigation/remediation strategies.
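Added example, not code from this document or from the ARA vendor: a small Python sketch of steps 2 and 3 above for a hypothetical web application. It holds the threat model as data (components in trust zones, assets with business-impact scores, data flows with the controls applied to them), emits a Graphviz diagram for step 2, and runs a known-attack style check for step 3 that flags boundary-crossing flows missing an expected control and ranks the findings by business impact. The zones, assets, scores, flows, threat classes and control names are all constructed placeholders.

```python
from dataclasses import dataclass, field
@dataclass
class Flow:
    src: str      # sending component
    dst: str      # receiving component
    asset: str    # asset carried on this flow
    controls: set = field(default_factory=set)  # controls applied to the flow

@dataclass
class ThreatModel:
    zones: dict     # component -> trust zone (constructed: internet / dmz / internal)
    assets: dict    # asset -> business impact score, 1 (low) .. 5 (critical)
    flows: list     # data flows between components
    required: dict  # threat class -> control expected on every boundary-crossing flow

def crosses_boundary(tm, flow):
    return tm.zones[flow.src] != tm.zones[flow.dst]

def to_dot(tm):
    """Step 2 artifact: Graphviz DOT text; bold edges cross a trust boundary."""
    lines = ["digraph threat_model {"]
    lines += [f'  "{c}" [label="{c}\\n({z})"];' for c, z in tm.zones.items()]
    for f in tm.flows:
        style = " style=bold" if crosses_boundary(tm, f) else ""
        lines.append(f'  "{f.src}" -> "{f.dst}" [label="{f.asset}"{style}];')
    return "\n".join(lines + ["}"])

def analyze(tm):
    """Step 3, known-attack analysis: every boundary-crossing flow is checked
    against the required controls; each missing control is a finding scored by
    the business impact of the asset on that flow, highest impact first."""
    findings = []
    for f in tm.flows:
        if not crosses_boundary(tm, f):
            continue  # same trust zone: outside this threat set
        for threat, control in tm.required.items():
            if control not in f.controls:
                findings.append((tm.assets[f.asset], threat, f"{f.src}->{f.dst}", f.asset, control))
    return sorted(findings, key=lambda x: -x[0])

# Constructed sample system: browser -> web tier (DMZ) -> API and DB (internal zone)
MODEL = ThreatModel(
    zones={"browser": "internet", "web": "dmz", "api": "internal", "db": "internal"},
    assets={"session_token": 4, "customer_pii": 5, "catalog": 1},
    flows=[Flow("browser", "web", "session_token", {"tls", "authn"}),
           Flow("browser", "web", "catalog", {"tls"}),
           Flow("web", "api", "customer_pii", {"tls"}),  # no authn across dmz -> internal
           Flow("api", "db", "customer_pii", set())],    # same zone: not a boundary crossing
    required={"eavesdropping": "tls", "spoofing": "authn"},
)
```

Running `analyze(MODEL)` ranks the unauthenticated web-to-API flow carrying customer PII (impact 5) above the unauthenticated catalog fetch (impact 1), which is the ordering a read-out call in step 4 would walk through first.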