Pub. 4 2015 Issue 4

The CommunityBanker

BANK BYTES

Risk Analysis On a Full Stomach

By Craig Schurr, CISA, CISSP, CCNP

Buried in David Hitz's book How to Castrate a Bull: Unexpected Lessons on Risk, Growth and Success in Business is a short interlude that illustrates the problem with letting news headlines drive a risk analysis process. Just because something is in the news does not mean that it is a big risk; it simply means that it is out of the ordinary and has been deemed "newsworthy". Conversely, something that doesn't make the news might be a significant security risk.
The point being, we shouldn't rely on news headlines to drive risk analysis. As an example, you may remember recent headlines about the World Health Organization classifying processed meats as carcinogenic. Many of the headlines might have had you believing that eating bacon increases your risk of cancer by 18%. However, if you dig deeper, the research indicated that processed meats may increase your relative risk of a specific type of cancer (colorectal cancer) by 18%. Meaning, if your baseline risk of getting that type of cancer is 5%, eating processed meats could raise that risk to 5.9% (5% x 1.18). While the headlines might be mostly true, they don't always tell the whole story.

It is not hard to find attention-grabbing headlines about the importance of selecting strong passwords. As a result, secure password selection is typically the first topic in most security awareness training. While having a weak password isn't recommended, it might not be the biggest security weakness, depending on the level of access the account is granted and whether or not the account can be used for remote access.

In contrast, software vulnerabilities rarely make front-page news. Java is often installed on systems where it isn't necessary and is commonly the most poorly patched software on the network. The Cisco 2014 Annual Security Report attributes 91% of the web exploits it observed to Java. If exploited, several of those vulnerabilities may give an attacker remote access to the network without knowing a single password.

Annual security reports released by technology industry leaders (e.g. Symantec, Cisco, etc.) that summarize real-world security statistics and trends might be a better source of information. Reviews and discussions of these, or similar, reports could highlight potential gaps in your information security program. In fact, these types of reports often go as far as listing the areas of biggest concern on a per-industry basis.
How often have reports like these been discussed in your IT committee or executive meetings? A far more common agenda item is "recent cybersecurity-related news". While conversations about the latest breach are more entertaining and easier to discuss, they may shift focus away from the highest risks within your organization.
