Part 3 of 3
So far, we have looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. We’ve seen how this model can guide your anti-phishing program by focusing on the value of assets you protect. We’ve also examined ways to translate your organization’s data to dollars, which is useful if you’re responsible for data oversight and governance—in other words, it helps to know where data might live and the (estimated) value of digital assets should a breach occur.
This week let’s dive into the “access” aspect of VAR. We’ll ask: do you know which people (employees, third parties, etc.) have access to your organizational data, including customer data, and if so, what are their permissions?
One (Bad) Thing Can Lead to Another
When a breach happens, a ripple effect often follows, in which one compromised account turns into many compromised accounts. If any account in that chain holds admin privileges, the adversary can make major changes to the system or begin exfiltrating data. So, is your organization being diligent when it comes to assigning and maintaining access controls?
For example, an admin is often a trusted source who communicates proprietary information and guards access to sensitive data, so email sent from a compromised admin account looks legitimate to its recipients. This is one example of how the VAR model relates to phishing: the admin may or may not have the appropriate access controls, and either way becomes a target for attackers.
While we are not here to discuss the various access control models, the ‘access’ piece of the VAR model can help you understand your organization’s ability to respond to a breach, and why a breach often gets worse before it gets better, as many recent cyber breaches have shown.
Factoring Access into VAR
As a best practice, organizations should apply the principle of least privilege when determining and assigning access controls. The principle of least privilege states that users should hold only the minimum privileges (to data, systems and functions) required to perform their day-to-day duties, and no more.
Just as part 2 of this series suggested mapping your data, at least informally, to identify the types, amount and value of information you have and where it’s stored, it’s advisable to perform a similar exercise to understand your access controls. In other words, map out which of your employees have access to valuable data, including access inherited through group membership and shared credentials, not just permissions granted directly. Those with access to high-value data should be treated as high-value targets, and your anti-phishing program should target them accordingly. And even if an individual is not an obvious high-value target, such as a member of senior management, do not overlook their administrative assistants or the physical security teams, who may have more access than you realize.
Note: An often-overlooked part of access controls is removing access for employees no longer with the company. Ensuring you have a robust process for removing logins, file access and network capabilities (and for rotating any shared or service credentials the departing employee knew) can reduce the risk of data exposure to disgruntled ex-associates.
Key Insights You Can Gain
If the VAR model of anti-phishing is practiced consistently, your organization can pinpoint the attack scenarios it is most susceptible to, the types of data at risk, and a projected dollar amount at risk of loss, plus the ripple effect of weak access controls that puts other data at risk. That ripple effect can sharply increase the estimated cost of a breach; remember that value goes beyond the data itself, as discussed in part 2, to include server recovery, brand reputation, and more.
By asking ‘who has access?’ organizations can take the VAR model one step further and understand that user X is the most susceptible to attack Y, and that if/when user X falls victim to attack Y, data Z is at risk of exposure: not just the data on user X’s computer, but all the data user X can reach.
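The access-mapping exercise above can be done with a short script once you have a data inventory (with the estimated values from part 2) and an export of group memberships. The following is an added example, not code from the Cofense article: every asset, value, group and account in it is constructed sample data, and the nesting of an “exec-assistants” group inside the sales and HR groups is a hypothetical illustration of inherited access. It ranks accounts by the dollar value of everything they can reach and flags accounts that belong to people no longer on the roster.

```python
"""Rank accounts by the estimated value of the data they can reach.

Added example for the 'access' piece of VAR. All data below is
constructed for illustration; none of it comes from the original article.
"""

# Data assets and their estimated breach value in USD (constructed), the
# kind of output the part 2 data-mapping exercise produces.
ASSET_VALUE = {
    "crm-customer-db": 2_500_000,
    "payroll-share": 800_000,
    "source-repo": 1_200_000,
    "marketing-assets": 50_000,
}

# Which groups grant access to which assets (constructed). Domain admins
# can reach every asset, which is the ripple effect the text warns about.
GROUP_ASSETS = {
    "sales": {"crm-customer-db"},
    "hr": {"payroll-share"},
    "engineering": {"source-repo"},
    "marketing": {"marketing-assets"},
    "domain-admins": set(ASSET_VALUE),
}

# Group nesting (constructed, hypothetical): members of a nested group
# inherit everything the parent groups grant. Executive assistants here
# are placed in both the sales and HR groups.
NESTED_GROUPS = {"exec-assistants": {"sales", "hr"}}

# Accounts and their direct group memberships (constructed).
ACCOUNT_GROUPS = {
    "alice": {"sales"},
    "bob": {"engineering"},
    "carol": {"domain-admins"},
    "dave": {"exec-assistants"},
    "erin": {"marketing"},
    "frank": {"hr"},
}

# Current HR roster (constructed). "frank" has an account but is not on
# it, i.e. an offboarding step was missed.
ACTIVE_EMPLOYEES = {"alice", "bob", "carol", "dave", "erin"}


def effective_groups(account):
    """Expand nested group membership transitively (cycle-safe)."""
    seen = set()
    stack = list(ACCOUNT_GROUPS.get(account, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(NESTED_GROUPS.get(group, ()))
    return seen


def reachable_assets(account):
    """Every asset the account can reach through any effective group."""
    assets = set()
    for group in effective_groups(account):
        assets |= GROUP_ASSETS.get(group, set())
    return assets


def value_at_risk(account):
    """Dollar value exposed if this one account is phished."""
    return sum(ASSET_VALUE[asset] for asset in reachable_assets(account))


def rank_accounts():
    """Accounts ordered from highest to lowest value at risk."""
    return sorted(ACCOUNT_GROUPS, key=value_at_risk, reverse=True)


def orphaned_accounts():
    """Accounts whose owner is no longer on the roster."""
    return sorted(a for a in ACCOUNT_GROUPS if a not in ACTIVE_EMPLOYEES)


if __name__ == "__main__":
    for account in rank_accounts():
        flag = "  <-- no longer employed" if account in orphaned_accounts() else ""
        print(f"{account:8} ${value_at_risk(account):>12,}  "
              f"{sorted(reachable_assets(account))}{flag}")
```

Run as written, the ranking puts the domain admin first and the executive assistant second, ahead of the salesperson with direct CRM access, which is exactly the “more access than you realize” case. In practice the three dictionaries would be populated from your data inventory and from an export of your directory’s group memberships, and the orphaned-account check from an HR roster export.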
Once you have identified the high-value targets who could expose high-value data, you can work this knowledge into targeted phishing training exercises that use known or related spear phishing tactics. This improves your overall risk posture and better protects against financial loss.
To wrap up, VAR concepts have been around for years but aren’t applied as widely as they could be, especially in anti-phishing. If your company is growing fast and your plate is more than full, it’s hard to find the time for things like VAR assessments. Of course, you probably don’t have time for a breach investigation, either. Using a VAR model in anti-phishing is one more way to avoid one.
For another perspective on how to improve your anti-phishing program, view our “Left of Breach” e-book.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.