The Cost of Compromise

Download CSOC Update, The Cost of Compromise (345K PDF), June 2014

Introduction

  1. The Cyber Security Operations Centre (CSOC) regularly responds to cyber security compromises involving Australian government networks and other networks of national importance. This publication summarises the common cyber security compromise scenarios observed by the CSOC, and the costs associated with remediating these compromises.
  2. The Strategies to Mitigate Targeted Cyber Intrusions remain your best defence against the cyber threat. Implementing the Top 4 strategies as a package is at the core of this protection, as they mitigate at least 85% of cyber intrusions responded to by the CSOC. The Top 4 strategies prevent execution of malicious software, and minimise software vulnerabilities and the ability of a cyber adversary to propagate across a network. The remaining 31 strategies form an excellent basis from which to assess further network security initiatives based on a risk assessment. Your risk assessment processes should take into account the specific risks faced by your agency, the information you are protecting, and your current network security posture. See the Cyber Security Picture 2013 for updated information about threats to Australian government networks as observed by the CSOC during 2013.
  3. Although the initial cost of implementing the Strategies to Mitigate Targeted Cyber Intrusions can seem high for some agencies, they actually represent an important investment in your organisation, reducing long term costs and risk. If you experience a network compromise, not only will you be faced with the cost of implementing these strategies to prevent further compromise, but you will also incur both higher direct and indirect costs associated with remediating the compromise. These costs include, but are not limited to, investigating the compromise, tactical remediation, reputational costs, opportunity costs from the loss of information, and lost productivity.

Can you afford a compromise?

  1. Consider these common compromise scenarios responded to by the CSOC.

How often do these compromises occur?

  1. Low or medium-level compromises are identified by or reported to the CSOC daily. They can hit the biggest departments or the smallest agency. Many cyber adversaries are indiscriminate, and are simply looking for the weakest link for opportunities to conduct malicious activities. Since 2012, the number of known high-level compromises of Australian government departments responded to by the CSOC has reduced, as more departments have implemented at least the Top 4 Strategies to Mitigate Targeted Cyber Intrusions and then selectively implemented the remaining 31 to maximise their network defences. While the nature and impact of some of the activity observed by the CSOC remains unknown, raising your baseline cyber security posture forces cyber adversaries to either pursue easier targets or become more sophisticated. As the CSOC plays an important role in ensuring that the Australian Government is positioned to defend against sophisticated threats, and update its advice accordingly, improved baseline security across the Australian Government increases the resources available to the CSOC to focus on sophisticated threats.

The cost of compromise

  1. There are a number of direct and indirect costs associated with a compromise, including but not limited to:
    1. Resources to investigate the extent of the intrusion and understand the harm.
    2. The immediate remediation of the intrusion (for example, by cyber security specialists).
    3. Reactive implementation of strategies to mitigate further intrusions – this is more expensive to do in response to an incident, as timeframes are more compressed compared to implementing these strategies proactively.
    4. Lost productivity, and the costs of diverting staff and resources from other business to deal with a compromise.
    5. Opportunity costs associated with the theft of information, such as intellectual property or information about Australia’s negotiating position.
    6. Broader costs to the Australian economy where non-government information is stolen from government networks, for example, patent information or personal information used to conduct fraud.
    7. Reputational costs, including negative media exposure and loss of the trust of your customers, in the case of disruption to the availability of online services.
    8. Costs associated with breaching privacy legislation or remediating data-breaches of financial information.
    9. Legal costs when impacted third-parties may sue for negligence or breach of contract.
    10. Loss of trust by government and industry partners, harming domestic and international relationships critical to the department.
    11. The cost of paying a ransom, in the case of a ransomware attack.
  2. If you do not have the skills and resources in-house to remediate an intrusion, contracting a suitably skilled company to do this work for you can be expensive, especially for smaller agencies. Other factors, such as the availability of your logging records, documentation about the structure of your network and how long the network has been compromised, can also impact the costs and time to remediate a compromise. The CSOC commonly finds that poor logging records, or a poor understanding of the layout of a network, can impede the CSOC's ability to assist a victim organisation and result in more time and resources being required to remediate the compromise.
  3. No department or agency is immune from the risk of compromise. While the upfront costs of implementing the Strategies to Mitigate Targeted Cyber Intrusions may seem high, senior managers should consider the associated costs that could be incurred if a serious compromise occurs on your network.
  4. Even if you do not think that your information is particularly interesting, valuable or sensitive, consider the recent emergence of ransomware attacks, which tend to be more indiscriminate and opportunistic. In these cases, your information only needs to be valuable to you!

A final word

  1. Your network is not necessarily the only network that holds your agency’s information – do not forget about contractors and other service providers, who may be the weaker and therefore more attractive target for a cyber adversary that wants your information. Also consider that you likely hold the information of others, often with contractual provisions around confidentiality or secrecy. While your own information may potentially not be of interest to a cyber adversary, information you hold for third parties may be, and cyber adversaries often target the weakest link.

Further information

  1. The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian government systems.
  2. ASD’s Strategies to Mitigate Targeted Cyber Intrusions and its companion ASD products, which complement the advice in the ISM.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.