The system, method, and apparatus for measuring, modeling, reducing, and addressing cyber risk contains a fixed enumeration and structure.
The enumeration and structure are foundational and ensure that modular components connect in a meaningful way. Additionally, the enumeration and structure provide a means of organization that is easy to integrate and understand.
Threat Enumerations
This system, method, and apparatus contains 10 threat categories, which divide into numerous threat varieties. The threat enumerations are based on VERIS (Vocabulary for Event Recording and Incident Sharing).
X-Analytics has 10 threat categories:
Web Application Attacks: In this category, web application is the vector of attack to disrupt operations or compromise data.
Point-of-Sale (POS) Intrusion: In this category, a PoS asset is the vector of attack, with the intention of stealing payment records. includes critical and non-critical network equipment, such as routers, firewalls, and switches.
Misuse: In this category, misuse is the action. This includes data mishandling, and unapproved actions.
Error: In this category, error is the action. This includes misconfiguration, omission, and malfunction, but does not include loss of asset.
Theft & Loss: In this physical is the action. This includes an employee losing or a thief stealing a physical asset.
Crimeware: In this category, malware is the action that does not fit into a more specific pattern. This includes ransomware.
Skimmers: In this category, a thief physically implements an unauthorized skimming device onto a system to extract data.
Cyber Espionage: In this category, a nation-state or competitor sponsors an attacker to perform acts of espionage.
Denial-of-Service Attacks: In this category, a hacker uses a denial-of-service technique to disrupt operations.
Everything Else: In this category, malware, hacking, and social are the action that does not fit into a more specific pattern.
Each of the 10 threat categories divides into numerous threat varieties. The below figure is only a representative example of the threat varieties per threat category.
Historical data and cyber risk intelligence data informs the mapping of varieties, and which varieties are most common per threat category.
Asset Enumerations
This system, method, and apparatus contains 11 asset groups. The asset groups are based on VERIS and other common asset group labels.
Server & Applications: This includes critical and non critical servers (including the hosted applications), such as domain servers, web servers, files servers, and DNS servers.
Network: This includes critical and non-critical network equipment, such as routers, firewalls, and switches.
End User Systems: This includes critical and non-critical user assets, such as laptops, desktops, and mobile phones.
Terminals: This includes critical and no-critical terminal assets, such as kiosks, ATMs, and payment terminals.
ICS, SCADA, & OT: This includes industrial control systems (ICS), supervisory control & data acquisition (SCADA), and operational technologies (OT).
Healthcare Devices: This includes critical and non-critical network-based (including wireless) healthcare equipment, such as insulin pumps, heart monitors, and glucometers.
Onboard Systems: This includes systems that are used to control or help navigate airplanes, cars, trucks, trains, and ships.
Critical Internet of Thing (IoT) Devices: This only includes critical internet of thing devices, such as meters, inventory tracking systems, and drones.
Non-Critical Internet of Thing (IoT) Devices: This only includes non-critical internet of thing devices, such as printers, apple TVs, and refrigerators.
Media & Offline Data: This includes all forms of offline data and media, such as paper, USB drives, and removable hard drives.
People: This includes the human element of an organization, such as employees, customers, and contractors.
Historical data and cyber risk intelligence data inform asset group selection and deselection.
Risk Scenario Enumerations and Structure
This system, method, and apparatus contains 110 risk scenarios. Each risk scenario is the intersection of a threat category with an asset group. A grid represents the risk scenarios best.
From the above grid, each scenario is represented by a number. 1 is the intersection of web application attacks with servers and applications and 110 is the intersection of everything else with people. The numbers are for reference purposes only.
With each risk scenario, this system, method, process, and apparatus executes a processing routing to determine residual risk using this risk formula, Risk = Threat x Impact x (1 – Control Effectiveness).
Control Enumerations and Structure
This system, method, and apparatus leverage the CIS Critical Security Controls (version 8) as a foundation control set in which all other control frameworks align.
1. Inventory and Control of Enterprise Assets – Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
2. Inventory and Control of Software Assets – Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
3. Data Protection – Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
4. Secure Configuration of Enterprise Assets and Software – Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
5. Account Management – Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
6. Access Control Management – Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
7. Continuous Vulnerability Management – Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
8. Audit Log Management – Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
9. Email and Web Browser Protections – Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
10. Malware Defenses – Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
11. Data Recovery – Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
12. Network Infrastructure Management – Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
13. Network Monitoring and Defense – Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.
14. Security Awareness and Skills Training – Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
15. Service Provider Management – Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
16. Application Software Security – Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
17. Incident Response Management – Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
18. Penetration Testing – Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
Acceptable use of and adoption of cybersecurity frameworks will inform changes to the Control Emumerations and Structure. For example, X-Analytics also uses NIST CSF as another control enumeration and structure.
The intersection of the control structure with the risk structure is as stated below:
In the above table, 1.01 represents the intersection of Risk Scenario #1 with CIS CSC control #1. The numbers are for reference purposes only.
With each control to risk scenario intersection, historical data and cyber risk intelligence data inform the control effectiveness or risk reducing quality. Additionally, historical data and cyber risk intelligence data may also inform that the control has no risk reducing quality for a given intersecting point.
Cyber Exposure Enumerations and Structure
This system, method, and apparatus contains four primary cyber exposure (or loss) categories. Cyber exposure is the sum of all possible losses multiplied by the probability of those losses. Each category includes a collection of direct, indirect, and opportunity costs.
Data Breach: The intentional or unintentional release of secure, private, or confidential information to an untrusted environment.
Interruption: The intentional or unintentional disruption of one or more information technology (IT) or operational technology (OT) systems.
Interruption (DoS): This only includes interruption incidents from distributed denial of service (DDoS) attacks
Interruption (Other): This includes all forms of interruption, resulting from malice or error, which does not include DDoS attacks.
Misappropriation: The intentional (illegal) use of intellectual property, funds, or service via a cyber incident.
Misappropriation of Funds: The intentional and illegal theft of electronic funds (such as ACH, wire transfer, and SWIFT)
Misappropriation of Intellectual Property (IP): The intentional and illegal theft of intellectual property, trade secrets, and other highly proprietary information.
Misappropriation of Services: The intentional and illegal use of a critical service to gain advantage or to cause integrity-based issues.
Ransomware: The intentional deployment of malware intended to encrypt data within one or more system to extort money from the victim organization.
The exposure categories are subject to change. Historical data and cyber risk intelligence data inform the exposure categories.
The loss categories map directly to specific threat categories and specific risk scenarios to determine loss probability.
The above diagram is subject to change. Historical data and cyber risk intelligence data will inform loss category to threat category mapping for the purposes of determining loss probability.
The mapping from loss category to risk scenario is a continuation of the loss category to threat category mapping.
The above diagram is subject to change. Historical data and cyber risk intelligence data will inform loss category to threat category mapping to risk scenario mapping for the purposes of determining loss probability.
Additional Enumerations and Structure
This system, method, and apparatus contains additional enumerations and structures that are not listed within this support page. The additional enumerations and structures are considered confidential, intellectual property, and trade secrets of Secure Systems Innovation Corporation.