Transferring Risk

By Randy Rose, Director of Cybersecurity, Tasman Global

By Randy Rose, Director of Cybersecurity, Tasman Global

Being connected to the Internet is a tremendous thing: it provides global communication opportunities, access to seemingly endless resources, and allows companies and individuals to extend their influence and impact in ways humanity couldn’t have dreamed of even 30 years ago. But being connected to the Internet also comes with a lot of risk, especially for business owners.

Most organizations have an Acceptable Use Policy (AUP) which stipulates general guidelines and rules that employees must abide by when using corporate network information technology assets, particularly those that access the Internet. Once an employee signs such an agreement, the organization’s leadership, from the employee’s direct supervisor up to the Senior Executives, assumes the employee will abide by the policy. Most policies provide for incidental use of corporate assets for personal use as long as they are not used for illegal, immoral, or other questionable activity (to include personal business).

Unfortunately, due to the unregulated nature of the Internet, even employees who operate within the bounds of an AUP can sometimes introduce corporate networks to dangers unwittingly. A common example is ransomware. Many ransomware campaigns leverage the capabilities of exploit kits, which essentially function as pre-packaged combinations of attack techniques along with additional functions to detect which techniques are likely to work against a given victim, delivered through standard web-based advertisements. This attack vector is commonly referred to as malvertisements, which is cybersecurity slang for malicious advertisements. Due to the business model for web-based adverts, many advertising firms sell ad space to buyers who resell multiple layers down. Sometimes bad dudes buy up that ad space and serve up some unpleasant code.

Ransomware can hit you from any site that hosts ad banners. Employees checking the news, weather, or recent sports scores could potentially introduce malicious code, unwittingly, that could take down your entire network.

And that’s the well-meaning employees.

On February 15, 1995, Kevin Mitnick was arrested in Raleigh, North Carolina. He was a fugitive computer hacker—arguably the most famous hacker in the world—who was now being indicted on 23 counts of computer fraud wherein he stole private company data worth more than $1 million dollars (about $1.6 adjusted to 2017). I know Kevin Mitnick and he’s a very interesting man who is well-respected in the cybersecurity community today. Yet few, including me, doubt that what he did in his younger days was wrong.

Several years ago, a co-worker and I wrote a white paper for the US Navy called Pretending Our Network is a Weapons System. This paper, and subsequent briefs, focused on the problem of end users not treating Navy networks with the proper care they deserved, the associated risks introduced by users, and the overall costs from such behavior. What we found in our research was that the Navy spent over $160 million per year cleaning up incidents on Navy networks, with nearly half being the result of negligent security practices by trusted users. We also found that over half of all Navy network browsing data was associated with non-mission use for a total cost of nearly $60 million dollars per year ensuring sailor and civilians were well-entertained while at work.

The paper also introduced a solution we dubbed Transfer Risk Off Network, or T.R.O.N.

It is the essence of T.R.O.N. that I ask you to think about today. What are you doing to transfer risk off your network?

A long held belief is that the best way to mitigate cyber related risk is to limit users’ exposure to it. Yet, in many cases, mitigating risk is unobtainable or impractical. There are several alternate solutions and the utmost one available is risk transference.

Most folks are familiar with transferring risk without realizing it. Risk transference is the basis for the insurance industry. In cybersecurity, insurance may help. But a technical solution will also help.

Transferring all non-mission related web traffic through a third party service provider via a secured virtual private network connection and white listing all other network traffic allows an organization to operate their network with such a reduced attack surface as to nearly eliminate all Internet-related risks.

Tasman has close relationships with some of the best in the business at providing such a service and can help you reduce your attack surface overnight. Ransomware and other threats need not be threats anymore.

If you are interested in knowing more about how you can set this up at your organization, please send us a message. We'd be happy to talk.