Security is sometimes thought of being the tail that wags the Dog. A better analogy is that Cyber Security should be the Kidneys of the organization taking out the waste while allowing the useful information to pass.

1. Is security the tail that is wagging the dog or could it be the kidneys?
Kidneys are organs that extract waste from blood and balance body fluids. With no kidney
function, death typically occurs within a short time period. The same fatal results are also true
for an organization that does not have a properly functioning Cyber Security program. Cyber
Security should empower you and your staff by extracting the waste from the being online in a
constantly connected state and discard the waste while passing on the needed information. In the
same way that kidneys need to balance your body fluids, security should balance the need for
information availability, integrity, and confidentiality.
A person can survive without kidneys for a short period of time, and the same is for good cyber
security. In today’s world, an organization without cyber security will fail. Someone with
failing kidneys can be put on dialysis to bypass the function of normal kidneys, and the same can
be said of cyber security. IT can be outsourced or added at the end, but this is not a long-term
solution. Cyber security should become a part of everyone’s function as everyone is online and
connected to systems. One major goal of the security team should be empowering staff through
training and providing resources so they understand how to filter out the waste and use the
needed information.
Cyber security professionals should remember that their job is to ensure the availability and
integrity of the data, while at the same time helping others to keep protected information
confidential.
Security is not effective if we try to add it on after the fact; that is why security should become
part of the entire life cycle from the cradle to the grave of any project or program.
“The cost to fix a bug found during implementation was around 6 times costlier than one
identified during design. Furthermore, according to IBM, bugs found during the testing phase
could be 15 times more costly than during design… Additionally, the complexity of
deploying/implementing changes in a live production environment would further increase the
overall cost associated with late stage maintenance. ” [1]
Cyber Security professionals need to help users understand the current cyber security risk
landscape and give them resources to help them protect themselves and those they serve.
“To ensure that bugs are fixed at an earlier stage within the SDLC, take advantage of the
following security testing practices:
1. Activities such as architecture risk analysis help to identify issues during the design phase
of software development.
2. Use the OWASP best practices quick Reference as a guide for securely writing initial
code.
https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf .
3. Once the code is written for the approved architecture, conduct a source code review to
identify issues within the code.

2. 4. Prior to the software’s release, conduct a penetration test to identify issues and to make
sure that issues previously identified are resolved.” [1]
June 2017
SANS Whitepaper Testing Web Apps with Dynamic Scanning in Development and Operations
Current Cyber Security Trends:
https://www.sans.org/reading-room/whitepapers/application/testing-web-apps-dynamic-
scanning-development-operations-37820
Ransomware attacks worldwide increased by 36 percent in 2017 — with more than 100 new
malware families introduced by hackers. [4].
The average amount demanded for a ransomware attack is $1,077, is an increase of about 266
percent. [4].
Emails are now being increasingly used by hackers, and an estimated one in every 131 emails
contain a malware. [4].
The research revealed that the victims of identity fraud in the U.S. alone increased to 15.4
million in 2016, an increase of 2 million people from the previous year [5].
At least 43 percent of cyber attacks against businesses are targeted at small companies, and this
number is increasing. [6]
More than 4,000 ransomware attacks occur every day.
This is according to data from the FBI [10]. That’s a 300 percent increase in ransomware attacks.
It takes most business about 197 days to detect a breach on their network. Many businesses have
been breached and still have no idea, and as hackers get more sophisticated it will only take
businesses even longer to realize that they have been compromised [13].
Sources
1. https://www.synopsys.com/blogs/software-security/cost-to-fix-bugs-during-each-sdlc-phase/
2. https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics
3. https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion
4. https://www.symantec.com/security-center/threat-report
5. https://www.javelinstrategy.com/press-release/identity-fraud-hits-record-high-154-million-us-victims-
2016-16-percent-according-new
6. https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html
7. https://www.csoonline.com/article/3200024/security/cybersecurity-labor-crunch-to-hit-35-million-unfilled-
jobs-by-2021.html
8. http://www.businessinsider.com/warren-buffett-cybersecurity-berkshire-hathaway-meeting-2017-5
9. https://www.pandasecurity.com/mediacenter/press-releases/all-recorded-malware-appeared-in-2015/
10. https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view
11. http://www.businessinsider.com/expert-phishing-emails-2016-8?IR=T
12. https://www.venafi.com/assets/pdf/wp/Venafi_2016CIO_SurveyReport.pdf

3. 13. http://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/
14. https://www.computerworld.com/article/2475964/mobile -security/98–of-mobile-malware-targets-android-
platform.html
15. https://swimlane.com/10-hard-hitting-cyber-security-statistics/
16. https://www.esecurityplanet.com/network-security/over-80-percent-of-americans-are-more-worried-about-
privacy-security-than-a-year-ago.html
17. https://www.comparitech.com/vpn/vpn-statistics/
18. https://www.techinasia.com/indonesia-world-leader-vpn-usage
+++++++++++++++
How an ARA works
1. Analyze business context
We conduct interviews with business owners of the system to gather and analyze the
information to better understand the security risks that impact the business goals of the
system.
2. Create a threat model
We identify major components, assets, threat agents, and security controls that exist in
the system then create a diagram to capture these entities and the relationships
between them.
3. Conduct a risk analysis
We identify software-based risks and prioritize them according to business impact (e.g.,
unauthorized access to data or service availability). Activities that comprise our analysis
include:
o Known Attack Analysis. We draw from a set of known attack patterns to model
subsystem and application behavior for the components in the system being
reviewed.
o System-Specific AttackAnalysis. We evaluate the foundations of system
architecture as it relates to well-established security principles. We also look for
unspecified software behaviors with little independent impact that may combine
to create critical vulnerabilities.
o Dependency Analysis. We focus on peeling back the layers of the software in the
platform to understand the security risks introduced or mitigated by each layer.
4. Provide mitigation advice
At the end of each assessment we conduct a read-out call with the appropriate
development team to review each vulnerability identified during the assessment,
answer any questions that the team might have around each vulnerability, and discuss
mitigation/remediation strategies.