Ransomware: how to estimate the Risk
Updated: Mar 18, 2022
Why is it so hard to estimate cybersecurity risk, and ransomware risk in particular? Why do ransomware attacks have an outsized impact on an enterprise? For example, the Colonial Pipeline attackers demanded roughly $4.4 million in ransom. That amount is not even a rounding error in the company's annual revenue.
Let's first define Risk
Risk = probability of loss x expected loss.
Value of WHAT is impacted is important
Let's use an example:
You have a $100 million business. It has 2 vulnerabilities:
A 0-day vulnerability in a third-party hosted blog. The blog is detached from your IT system.
An accounting database instance accessed by internal employees using shared passwords. This database is used to manage all payments, bank accounts, and receivables.
Even though the 0-day vulnerability looks more severe, the expected loss from it is negligible because the blog is detached from your IT system. The expected loss from the accounting database is far higher. Hence the risk resulting from password sharing is the higher of the two.
Let's define the complexity of the problem
Assume there are 100 nodes (e.g. servers, S3 buckets, VPCs, etc.). Let's also assume that each node could have 10 vulnerabilities.
Connection complexity: there are 100 x (100 - 1) / 2 = 4,950 ways to connect these nodes directly (pairwise).
Vulnerability scanning complexity: the theoretical maximum number of ways the system vulnerabilities can manifest themselves is
10 x 100 x (100 - 1) / 2 = 49,500
TalaSecure analyzes 42+ broad categories of vulnerabilities to compute ransomware risk estimates.
Cyberinsurance companies don't have the luxury of collecting 49,500 data points.
Cyberinsurance companies have to limit the amount of information they collect because
The amount of data is huge
Some data, such as EC2 details and firewall configurations, is hard to get because it requires direct access to the system.
Lack of resources
Some data is simply not available
The client may go to a competing cyberinsurance broker/underwriter who asks fewer questions.
Daniel Woods has an excellent article about how cyber risk estimates are shaped by customers' tolerance for supplying data, "The Evolutionary Promise of Cyber Insurance".
TalaSecure uses 42+ classes of security metrics to estimate Ransomware Risk
Calculating the probability of a security incident is not straightforward. Pieter van de Griend at Philips stated, "Risk tends to have complex internal causal relationships. Two dependent risks may cascade".
For example, returning to the 0-day hosted blog vs. the shared-password accounting RDS database: access to the database may be over a 2-factor secured VPN to a bastion server, which mitigates some of the risk because the probability of loss drops. However, if an employee is phished, the risk goes back up.
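The risk formula above and the cascade just described, applied to the article's two constructed vulnerabilities and its 100-node count, as an added example (not TalaSecure's code; the probabilities, the 2FA VPN control factor and the phishing chance are assumed):

```python
from dataclasses import dataclass, field

# Added example, not TalaSecure's code: Risk = probability of loss x expected loss,
# applied to the article's two vulnerabilities. Every probability/factor is assumed.

@dataclass
class Weakness:
    name: str
    severity: float          # technical severity on a 0-10 scale; NOT the risk
    p_loss: float            # probability of loss in the period, before controls
    value_at_stake: float    # business value reachable through the weakness, in $
    controls: list = field(default_factory=list)  # (name, factor) pairs scaling p_loss

    def probability(self) -> float:
        p = self.p_loss
        for _, factor in self.controls:
            p *= factor
        return min(p, 1.0)

    def risk(self) -> float:
        return self.probability() * self.value_at_stake

def direct_connections(nodes: int) -> int:
    """Ways to connect the nodes pairwise: n(n-1)/2 (the article's 100 x 99 / 2)."""
    return nodes * (nodes - 1) // 2

def max_vuln_manifestations(nodes: int, vulns_per_node: int) -> int:
    """The article's upper bound: vulnerabilities per node x direct connections."""
    return vulns_per_node * direct_connections(nodes)

def risk_with_phishing(w: Weakness, p_phish: float) -> float:
    """Cascade: with probability p_phish an employee is phished and the access
    controls are bypassed, so p_loss reverts to its uncontrolled value."""
    p = p_phish * w.p_loss + (1 - p_phish) * w.probability()
    return min(p, 1.0) * w.value_at_stake

BUSINESS_VALUE = 100_000_000  # the $100 million business from the article
# Constructed inputs. The detached blog puts none of the business value at stake.
BLOG_ZERO_DAY = Weakness("0-day in detached third-party blog", 9.8, 0.9, 0)
ACCOUNTING_DB = Weakness("shared passwords on accounting DB", 6.0, 0.3, BUSINESS_VALUE)
MITIGATED_DB = Weakness("accounting DB behind 2FA VPN + bastion", 6.0, 0.3,
                        BUSINESS_VALUE, controls=[("2FA VPN to bastion", 0.1)])

if __name__ == "__main__":
    for w in (BLOG_ZERO_DAY, ACCOUNTING_DB, MITIGATED_DB):
        print(f"{w.name}: severity {w.severity}, risk ${w.risk():,.0f}")
    print(f"mitigated DB, 20% phishing chance: ${risk_with_phishing(MITIGATED_DB, 0.2):,.0f}")
    print(direct_connections(100), max_vuln_manifestations(100, 10))
```

The higher-severity 0-day scores zero risk while the lower-severity shared password scores $30 million; the VPN control cuts that to $3 million, and a 20% phishing chance pushes it back up to $8.4 million.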
Discovery of your infrastructure
Risk is hard to compute if you don't know what you have. In the cloud, it is hard to discover your assets. This is what gave rise to the phrase "Shadow IT".
"Bob in marketing just put up this cool website where you can enter orders and your credit card number and it delivers to you full purchase orders by email".
It took Bob just a few minutes to set up the whole site. He can also tear it down even faster when his CSO hears about it.
The security yardsticks that should be used
To measure gaps in security, we need something to measure against. We all know that data should be encrypted at rest and in motion. However, actually getting the measurements is hard.
Furthermore, there are multiple competing security standards: SOC2, HIPAA, PCI, etc.
Surely we can use experience? ML to the rescue
We have no dearth of knowledge. However, applying it at scale and with the right speed is extremely hard. Moreover, there are more systems than experienced security engineers, and those engineers also have to be well versed in the business at stake.
TalaSecure uses machine learning to apply all 42+ classes of security metrics to estimate ransomware risk.
Tools to fix these issues: the magic of auto remediation
Any modern system should be able to automatically assess your ransomware risk and even fix issues for you.
Tala Defender does the job for you: it helps reduce ransomware risk, keeps you compliant, and auto-remediates issues. Contact us today for a demo.