Cyber threats are out of our control, so stop focusing solely on them.
“We need to stop thinking about threats and start thinking about consequences,” said Summer Fowler, deputy technology director of the CERT Cyber Security Solutions Directorate in the CERT program at the Software Engineering Institute of Carnegie Melon.
Fowler, the keynote speaker at Advisen’s Cyber Risk Insights Conference in Chicago, said CERT has published and updates an 800-plus-page book in an effort to put her statement into practice.
The CERT Resilience Management Model (CERT-RMM) can be used as a model for organizations to sustain and improve operational resilience.
“It’s not how you’re doing today but [can you] sustain high performance,” she said during the May 12 event.
Business must give priority to identifying critical assets—data, people, IT and supply chain, for example—before focusing on potential threats because, chance are, a business is not going to be successful in assessing all cyber threat, Fowler explained. For instance, Target arguably could not have been expected to see the threat of hackers accessing its point-of-sale system via its HVAC vendor.
“Cyber risk is unique to each organization,” said Fowler. “Assets are more stable and can be monetized.”
To move from threat-thinking to consequence-thinking, Fowler said to look at from the top down at the value chain and then the bottom-up at the critical asset prioritized by consequence. Understand vulnerabilities and create a risk index for each asset, she continued. Finally, cyber risk must be institutionalized.
CERT works closely with the Department of Homeland Security to meet mutually set goals in areas such as data collection and mining, statistics and trend analysis, computer and network security, incident management, insider threat, software assurance, and more.
Fowler outlined some trends, including banking Trojans, point-of-sale and card-skimming schemes, zero-day attacks and botnets.
Malicious code and compromised systems such as the Zeus malware and botnets have shown that they can “change form quickly,” Fowler said. Some exist for years, morphing as quickly as countermeasures are put in place to stop them.
Zero-day attacks are very expensive malicious codes for sale but have yet to exploited. One zero-day exploit was used on Internet Explorer.
“These stories sell newspapers but they don’t solve anything unless we learn from them,” Fowler said.
Fowler said she has little knowledge about insurance but that is changing, since CERT has been charged with bridging the gap between the government and the insurance industry. CERT had a part in working with the government to develop the NIST cybersecurity framework.
The division is searching for more partnerships with the insurance industry, which many times “does not have the actuarial evidence to make the right decisions.”
“We can help ask the right questions,” Fowler said.