Wednesday, October 2, 2019

Risky Business

Business ownership involves risk. We all know that, but how much risk is too much? Risk tolerance is usually expressed, at least initially, as a qualitative statement about what one's "gut" says: something like "moderate" or "limited". Arguably, such statements are about as useful as a milk-bucket under a bull. So the CISSP Common Body of Knowledge proposes a few quantitative formulas to help us out. Introducing the "Single Loss Expectancy" (SLE) and the "Annualized Loss Expectancy" (ALE).

Simply put, the SLE is the potential cost of a single event (in CBK terms, the asset value multiplied by the exposure factor, the fraction of the asset's value the event destroys), and the ALE is that cost spread across the years between events (the SLE multiplied by the Annualized Rate of Occurrence, ARO). Such formulas appeal to executives because they produce actual numbers that can be used in making "fact-based" decisions. So, the cost of a particular event is $x, and the event can reasonably be expected to occur every y years; the ARO is 1/y and your ALE becomes $x/y. Nice. Clean. Simple. Now we know what our risk on that event will cost per year, and we can factor its management into the budget. Or can we?

Risk management generally applies one or more of four strategies: avoidance, acceptance, transference and mitigation. Avoidance means not doing whatever leads to the event in question. If the event is the loss of the entire executive team in a transportation accident, the risk can be avoided by not sending the executive team on the trip at all. But if the risk is a breach of the computer network, deciding not to use networked computers is not a viable option. Acceptance means what you would expect: yes, there is a risk in the c-suite all travelling together, we acknowledge it and will keep doing it. This is an informed decision, and no action is required. Transference is arranging for some other party to bear the cost of the event. Buying key-man insurance on the entire c-suite would transfer the financial risk of losing them all at sea to the insurance company (though I doubt this would be practical). Finally, mitigation is reducing the likelihood or the impact of the event. If the executive team never travel together, the chance of an empty c-suite after a single transportation accident is reduced, though not eliminated. Calculating the SLE of a particular threat is a natural part of the lead-up to a risk management plan. In order to arrive at a useful SLE, however, one had better make sure the scope of the risk has been adequately analysed.

As mentioned earlier, identifying the ALE is the process of determining how much a risk is expected to cost per year. Common wisdom says don't spend more per year managing the risk than the ALE reduction that spending buys you; and the more efficiently and effectively one can manage a risk, the better. The challenge, however, is in accurately identifying all the component parts of the risk event. Obviously, some risks have fewer moving parts than others. In the world of cyber-security, the knock-on effects of an event can quickly become bigger than the event itself.

A case in point is the story of Danish hearing aid manufacturer Demant. On September 30th, ZDNet published a story reporting that a ransomware attack had cost Demant $95M in one month. According to the story, Demant announced their trouble on the third of September, and by the publication date had not yet fully recovered. To be fair, I wouldn't begin to suggest that I know everything that took place, and I admit that I am comfortably playing armchair analyst. However, I will make a few observations here as a thought experiment, with the aim of helping my readers avoid similar situations.

Of the risk management strategies discussed earlier, there is no way that Demant, or any other organization, could "avoid" a ransomware attack. Doing so would require disconnecting their computers from the internet, and maybe getting rid of them altogether. There is also no reason to suspect that Demant just "accepted" the risk and went about their business with their collective heads in the sand. Quite the opposite, in fact. The story makes a couple of points showing that Demant's risk management included a transference strategy: they carry a $14.6 million cyber insurance policy, double the $7.3M needed to recover and rebuild their IT infrastructure.
Figure: Demant stock history (www.demant.com)

So if they had insurance for double the cost of their IT infrastructure, how did this event cost them $95M? According to the report, about half of that represents lost earnings, while the rest includes the missed opportunity to implement a planned expansion. Demant seems to be a significant player in their field, and with the stock still sitting at ~$25 per share, I would suspect they will rebound. But the question remains: how did this get so out of hand? Without inside knowledge, one is left to posit that the initial SLE calculation did not take into account how long it would take to restore the IT infrastructure and, by extension, the revenue lost during that time. I would also doubt that whoever calculated the SLE could have known that an expansion would be planned for the very moment the event occurred. My guess is that the assumption was that new equipment would be bought, or existing equipment restored to factory defaults, and the back-ups would simply be applied. Done. Easy, right?

My grandfather used to say: "You don't get what you expect, you get what you inspect." While Demant can be credited for implementing a transference strategy, this story shows that transference is not necessarily enough. The risk from a ransomware attack cannot be fully transferred to an insurance company, because an insurer only deals in money: it can pay for the rebuild, but it cannot give back the weeks of lost production. In our earlier example, if the insurance company pays out the key-man policies, the company would still have to hire the replacements. Here, it would appear that though there were funds for the infrastructure, the restoration took significantly longer to execute than expected. This could be the result of corrupt back-up media, back-ups that were too limited in scope, back-ups that sat on the same network and were encrypted along with everything else, or any number of other failure points in the exercise. Unless one actually goes through the motions and restores from back-up, timing how long a full recovery takes, one is rolling the dice. What would risk mitigation have looked like? At a minimum, a rehearsed, timed restore from back-ups kept offline or otherwise out of the attacker's reach. At the other extreme, a complete, segregated IT infrastructure sitting in the wings, ready to go at a moment's notice. While the setup of such an environment may have seemed cost-prohibitive at the outset, the events of the past month show that greater mitigation was in fact warranted.
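As an added illustration (not from the original post), here is the SLE/ALE arithmetic from above and the cost/benefit test for a safeguard, carried through in Python for the same ransomware event scoped two ways: once as "rebuild the hardware, restore the back-ups" and once with the outage and its knock-on losses counted. The $7.3M rebuild figure and the $14.6M policy limit are the ones cited in the post; the outage length, daily revenue loss, knock-on loss, yearly cost of a standby environment and the control's assumed effect are constructed assumptions, not Demant's actual numbers.

```python
"""SLE / ALE worked model: the same ransomware event scoped two ways.
Added example; figures are constructed, not Demant's actual numbers."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LossScenario:
    """Component costs of a single loss event."""
    name: str
    rebuild_cost: int               # direct cost to restore or rebuild IT
    outage_days: int                # days until normal operations resume
    daily_revenue_loss: int         # earnings lost per day of outage
    other_losses: int = 0           # knock-on costs, e.g. a delayed expansion
    years_between_events: int = 5   # expected interval between such events (assumed)


def single_loss_expectancy(s: LossScenario) -> int:
    """SLE: the full cost of one event, not just the hardware bill."""
    return s.rebuild_cost + s.outage_days * s.daily_revenue_loss + s.other_losses


def annualized_rate_of_occurrence(s: LossScenario) -> float:
    """ARO: expected events per year; one event every y years gives 1/y."""
    return 1 / s.years_between_events


def annualized_loss_expectancy(s: LossScenario) -> float:
    """ALE = SLE x ARO, i.e. the post's $x / y (divided directly to keep it exact)."""
    return single_loss_expectancy(s) / s.years_between_events


def uninsured_loss(s: LossScenario, policy_limit: int) -> int:
    """Share of one event that transference (the insurance policy) leaves with you."""
    return max(0, single_loss_expectancy(s) - policy_limit)


def with_control(s: LossScenario, max_outage_days: int) -> LossScenario:
    """The same event after a mitigation (rehearsed restores or a warm standby)
    that caps the outage.  Assumption: an outage that short no longer derails
    the planned expansion, so the knock-on loss drops to zero."""
    return replace(s, name=f"{s.name} + control",
                   outage_days=min(s.outage_days, max_outage_days),
                   other_losses=0)


def safeguard_value(before: LossScenario, after: LossScenario, annual_cost: int) -> float:
    """Cost/benefit of a control: ALE reduction minus the control's yearly cost.
    Positive means the control pays for itself; negative means it costs more
    per year than the risk it removes."""
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after) - annual_cost)


def decide(before: LossScenario, annual_cost: int, policy_limit: int,
           max_outage_days: int = 3) -> dict:
    """The numbers a risk owner would put in front of the budget holder."""
    after = with_control(before, max_outage_days)
    value = safeguard_value(before, after, annual_cost)
    return {
        "scope": before.name,
        "sle": single_loss_expectancy(before),
        "ale": annualized_loss_expectancy(before),
        "uninsured": uninsured_loss(before, policy_limit),
        "safeguard_value": value,
        "fund_safeguard": value > 0,
    }


# Constructed scenarios.  NAIVE scopes the SLE the way the post guesses
# Demant's was scoped: buy new kit, restore the back-ups, done.
NAIVE = LossScenario("rebuild only", rebuild_cost=7_300_000,
                     outage_days=0, daily_revenue_loss=0)
# REALISTIC counts a month of lost earnings and the derailed expansion
# (outage length, daily loss and knock-on figure are all assumptions).
REALISTIC = LossScenario("rebuild + 30-day outage", rebuild_cost=7_300_000,
                         outage_days=30, daily_revenue_loss=1_500_000,
                         other_losses=40_000_000)

POLICY_LIMIT = 14_600_000        # cyber policy limit cited in the post
STANDBY_ANNUAL_COST = 2_000_000  # constructed yearly cost of the standby environment

if __name__ == "__main__":
    for scope in (NAIVE, REALISTIC):
        d = decide(scope, STANDBY_ANNUAL_COST, POLICY_LIMIT)
        print(f"{d['scope']:<24} SLE ${d['sle']:>12,}  ALE ${d['ale']:>14,.0f}  "
              f"uninsured ${d['uninsured']:>12,}  control value ${d['safeguard_value']:>14,.0f}  "
              f"fund? {d['fund_safeguard']}")
```

Under the "rebuild only" scope the standby environment shows up as a pure $2M-a-year cost against a $1.46M ALE and is rejected; under the scope that counts the outage the same control returns $14.1M a year, and the single-event loss leaves $77.7M above the policy limit. Nothing about the control changed between the two runs, only how much of the event was counted in the SLE.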


Photo credit: "Destiny" by Dave Gough (cc-by 2.0)

Saturday, February 9, 2019

No Free Lunch

I heard this line again today. This time on The CyberWire podcast:

«If it's free,
you're the product.»


I love that. Our society has become rather bipolar. On the one hand, nobody wants to pay for anything; on the other, people get bent out of shape when they find out that companies like Google and Facebook may be monitoring their activities. We want the low prices of Walmart, and then complain when jobs are lost to China.

Wired Magazine reports that "On Thursday [February 7th, 2019], Germany's Federal Cartel Office, the country's antitrust regulator, ruled that Facebook was exploiting consumers by requiring them to agree to [extensive] data collection in order to have an account, and has prohibited the practice going forward." Facebook claims that its adherence to the General Data Protection Regulation (GDPR) absolves it of any antitrust violations.

The timing of this is downright spooky: on the Monday, February 4th, 2019 episode of the Jordan Harbinger podcast, Mr. Harbinger discusses the real cost of the "everything is free" mentality with Jaron Lanier, an early Internet pioneer and author of Ten Arguments for Deleting Your Social Media Accounts Right Now. I'm not willing to go as far as Mr. Lanier suggests, but he makes a few good observations: he stays up to date on the latest trends without any social media accounts by having real relationships with other people; most people don't realize the degree to which their information is being collected and monetized; and if the business model were subscription-based instead of advertising-based, many of the negative aspects of social media would disappear.

From a security and liability perspective, best practice is to gather only as much data as is necessary to provide the goods and services the organization actually offers: data you don't hold can't be breached, leaked or subpoenaed. What has been happening, however, is that organizations develop services they can't sell, so they offer them for free and then recoup their costs, and try to turn a profit, by selling advertising. For example, when Facebook came out, they were offering a solution to a problem I didn't know I had. I would never have signed up if it had required a financial obligation. But once I created my account and noticed that I could use it to connect with friends and family who had otherwise slipped out of my life, I realized that the service had value. Where my initial observation was that Facebook was just a website, I now view it as a service not unlike a telephone. I gladly pay for my telephone (though I feel I pay too much), and I would gladly pay for Facebook today (as long as the price was in check). What I will not do is pay twice: both financially and with data.

It would make an interesting study. If Facebook were to reveal the full extent of their data collection, and tell its subscribers how much that data is worth to them financially, how many subscribers would be willing to pay for a "datanonymous" version of the service? What's your privacy worth to you? Could Facebook continue to offer their current service in Germany if they also offer a subscription-based version that gathers no data?