Project: Advanced Cybersecurity Risk Assessment Checklist

What is the “Advanced Cybersecurity Risk Assessment Checklist” (ACRAC)?

ACRAC allows any organisation to assess the current state of its cybersecurity.

It is a thorough, regularly updated checklist for reducing the common cyber threats organisations are confronted with.

Its goal is to raise awareness of vulnerabilities, so that the majority of the threat vectors an organisation is confronted with can be addressed and cyber security risks become manageable.

Once the checklist is completed, the results can be converted into action items that reduce the risk of cyber incidents to the organisation and mitigate common vulnerabilities.

Contribute to ACRAC?

The project is open source and anyone is encouraged to contribute ideas to the project. Until a platform is found, please join us and share ideas on our Discord Server: https://discord.gg/ZRJtEEP

Download ACRAC?

Creative Commons License
ACRAC Advanced Cybersecurity Risk Assessment Checklist by Lars G. A. Hilse is licensed under a Creative Commons Attribution 4.0 International License.

Version: 20190131.1

Download the latest ACRAC as PDF

https://www.dropbox.com/s/wqt9hmfrbo6gc1o/20190130.1%20ACRAC.pdf?dl=0

SHA256: 025d5584fdf246f20e8d8da39cbd7d4b550d24767c3cd4b684e30acbdfee0cfc

Download the latest ACRAC as XLSX

https://www.dropbox.com/s/biu5g7x45zsdsdf/20190130.1%20ACRAC.xlsx?dl=0

SHA256: 657358656ea58b46e966d224ec05ab875f4807d27894471a575f4060b7e8ba10

Need older or more specialised versions? Join the server mentioned above and ask us.

History

In 2018 I was asked to brief the European Parliament about the risks of cyberterrorism. In talks after the public hearing there was a desire for a checklist of sorts. One that would allow an organisation to at least assess where it stands from a cybersecurity perspective.

What ensued was a painstaking search for something out there… yet there was nothing that wasn’t a sales pitch by some company.

All publicly available information was then merged and expanded into ACRAC, the Advanced Cybersecurity Risk Assessment Checklist.

Cyber Insurance: What is a DDoS attack and how to mitigate it?

I don’t know how often I have had to answer the question of what a DDoS attack is. Yet one of the most memorable occasions was when I was confronted by an insurance company offering cyber insurance products.

Together with a friend I run a cyber insurance brokerage. Obviously, the clients have to be signed by the insurance company. The products most of the companies have are crap.

And if they are not, their underwriting policies are… well, worth getting used to.

A client of mine operates a rather large e-business, specifically an e-commerce shop.

Like pretty much all e-commerce sites, this one was also concerned about the safety of its site and wanted insurance in case it got taken down.

We did my famous analysis of their operation and ruled out most of the obvious risks.

This would give me an easier stance when pitching it to the insurance company.

Nonetheless, the first thing the genius underwriter tells me, with a frown on his face, is that the risk is not coverable because it is an e-commerce operation relying too heavily on the income from the website.

His main argument, however, was that the risk of a DDoS attack was too big, before resting his case and trying to send me off.

I asked him if he was even aware of what a DDoS attack was, upon which a long discussion erupted, mainly focused on me having crushed his ego.

However, it was fruitful in that I arrived at a “noob” explanation of the issue, which I gave him as: it is like a million people trying to exit an aircraft after it has landed, all of them having to fit through the one door (the very short version).

Against all odds, he understood what I was trying to convey; yet now came the bigger problem: explaining how to fight off a DDoS attack.

You see, probably one of the easiest things to do is to put a content delivery network (CDN) in front of your operation. The CDN terminates all traffic at its edge, absorbs the flood with capacity no single shop could afford, and treats malicious traffic differently from the legitimate requests reaching the site.

So: bye bye DDoS attacks, provided the origin servers can only be reached through the CDN. If the origin’s own address leaks (an old DNS record, a direct-to-origin hostname, a mail header), the attacker simply goes around the CDN and hits the origin directly.
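The part of “put a CDN in front” that insurers and operators tend to skip is verifying that the origin is actually unreachable except through the CDN. The following is an added example (not code from ACRAC or from the original post) of that check: it flags any resolved address that is not inside the CDN’s prefixes, and renders an origin-side nginx allowlist that refuses everything else. The CDN prefixes, hostnames and DNS answers are constructed documentation ranges, not any real provider’s; a real run would load the provider’s published prefix list and resolve the site’s names.

```python
"""Check that an origin behind a CDN is not directly reachable.

Added example, not part of ACRAC or the original post. The CDN prefixes and
the resolved addresses are constructed for illustration; a real check would
load the provider's published prefix list and resolve the site's hostnames.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample: stand-ins for the CDN provider's published edge prefixes
# (documentation ranges, not any real provider's addresses).
CDN_PREFIXES = [
    "203.0.113.0/24",
    "198.51.100.0/24",
    "2001:db8:100::/48",
]


def addresses_outside_cdn(resolved: Iterable[str],
                          cdn_prefixes: Iterable[str]) -> List[str]:
    """Return every resolved address that does not fall inside a CDN prefix.

    If any public DNS name of the shop resolves to such an address, clients
    (and attackers) can reach the origin directly and the CDN's scrubbing is
    simply bypassed; for a correctly fronted site the list is empty.
    """
    nets = [ipaddress.ip_network(p) for p in cdn_prefixes]
    leaked = []
    for raw in resolved:
        addr = ipaddress.ip_address(raw)
        # `addr in net` is False across IPv4/IPv6, so mixed lists are fine.
        if not any(addr in net for net in nets):
            leaked.append(raw)
    return leaked


def nginx_origin_allowlist(cdn_prefixes: Iterable[str]) -> str:
    """Render an nginx allow/deny snippet admitting only the CDN prefixes.

    Placed in the origin's server block, this makes the origin refuse any
    request that did not arrive via the CDN. It does not stop a raw volumetric
    flood from saturating the origin's uplink, so the origin address must also
    stay out of DNS and old records in the first place.
    """
    lines = [f"allow {p};" for p in cdn_prefixes]
    lines.append("deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed DNS answers: the shop name sits behind the CDN, but a
    # forgotten "origin" hostname still points straight at the backend.
    answers = {
        "shop.example.com": ["203.0.113.10", "2001:db8:100::10"],
        "origin.example.com": ["192.0.2.7"],
    }
    for name, ips in answers.items():
        leaked = addresses_outside_cdn(ips, CDN_PREFIXES)
        status = "OK" if not leaked else f"EXPOSED via {leaked}"
        print(f"{name}: {status}")
    print(nginx_origin_allowlist(CDN_PREFIXES))
```

Run it against every hostname the shop has ever published, not just the storefront: the second constructed answer shows the usual failure, a leftover name that resolves straight to the backend and makes the CDN optional for the attacker.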

I told him that we could make this a prerequisite for the client to receive insurance coverage… yet by then the discussion had crashed and burned.


Mitigating sophisticated phishing attacks

Phishing has always been a rather difficult issue to solve.

I’ve spent countless hours trying to create programs to successfully keep employees from opening suspicious emails, believe me!

The new generation of phishing, however, is even more complex, and the threat is even harder to mitigate.

In the most recent cases I worked on, the email sent to the victim was either announced or followed up by a phone call from a seemingly legitimate source.

Thereby, the victim was duped into opening the attachment and infecting the system or network, and there is pretty much no training that will reduce that risk.

One of the measures we began working on was having existing contacts confirm their identity through an IM. Of course this only works if the source is internal and/or the source is available on an IM service.
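What makes the IM confirmation worth anything is that the second channel is chosen by the recipient’s organisation, not by the message under suspicion: a mail that says “ping me on chat at this handle” is exactly what the phone-call variant already exploits. The following is an added example (not code from the original post or from ACRAC) of such a check as a one-time challenge over the second channel. It assumes a mail client that hands the message-id and claimed sender of an unexpected attachment to this service, a directory of IM handles the organisation already holds, and an IM transport that is stubbed out as a callback; the 300-second validity window is an assumed value.

```python
"""Out-of-band confirmation of an email sender before an attachment is opened.

Added example, not code from the original post or from ACRAC. It assumes the
mail client hands this service the message-id and claimed sender of an
unexpected attachment; the service then pushes a short one-time code to the
sender's IM handle, which must come from a directory that is already on file
and never from the email itself, and the sender must echo the code back over
IM within a few minutes. The IM transport is a stub callback.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CHALLENGE_TTL = 300  # seconds a challenge stays valid (assumed value)


@dataclass
class Pending:
    code: str
    sender: str       # normalised email address the challenge was issued for
    expires_at: float
    used: bool = False


class OutOfBandVerifier:
    def __init__(self, im_directory: Dict[str, str],
                 send_over_im: Callable[[str, str], None],
                 now: Callable[[], float] = time.time):
        # email address (lower-case) -> IM handle, maintained by the org and
        # never taken from the message under suspicion.
        self._directory = im_directory
        self._send = send_over_im
        self._now = now
        self._pending: Dict[str, Pending] = {}   # message-id -> challenge

    def issue(self, message_id: str, claimed_sender: str) -> bool:
        """Start a check for one message. False means the claimed sender has no
        IM handle on file, so the attachment cannot be cleared this way."""
        sender = claimed_sender.lower()
        handle = self._directory.get(sender)
        if handle is None:
            return False
        code = secrets.token_hex(4)  # 8 hex chars, short enough to type back
        self._pending[message_id] = Pending(code, sender,
                                            self._now() + CHALLENGE_TTL)
        self._send(handle, f"Did you just email {message_id} with an "
                           f"attachment? If so, reply with code {code}")
        return True

    def confirm(self, message_id: str, reply_from: str, code: str) -> bool:
        """Accept the reply only if it arrives from the on-file handle of the
        claimed sender, matches the code in constant time, is unexpired and
        has not been used before (replayed codes are rejected)."""
        pending = self._pending.get(message_id)
        if pending is None or pending.used or self._now() > pending.expires_at:
            return False
        if reply_from != self._directory.get(pending.sender):
            return False
        if not hmac.compare_digest(code.encode(), pending.code.encode()):
            return False
        pending.used = True
        return True


if __name__ == "__main__":
    # Constructed walk-through with an in-memory "IM" that just records sends.
    sent = []
    verifier = OutOfBandVerifier({"alice@example.com": "@alice"},
                                 lambda handle, msg: sent.append((handle, msg)))
    verifier.issue("<inv-1@example.com>", "Alice@example.com")
    handle, msg = sent[-1]
    code = msg.split()[-1]
    print("reply from impostor accepted:",
          verifier.confirm("<inv-1@example.com>", "@mallory", code))   # False
    print("reply from on-file handle accepted:",
          verifier.confirm("<inv-1@example.com>", handle, code))      # True
    print("replay accepted:",
          verifier.confirm("<inv-1@example.com>", handle, code))      # False
```

The three things the code insists on are the ones the phone-call attack defeats when humans do this informally: the handle comes from the directory rather than the message, a reply from anyone else is rejected even with the right code, and a code is single-use and expires, so a challenge intercepted or guessed later cannot clear a second attachment.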

Stay safe folks! These new attacks are devious with potentially devastating consequences, essentially with no one to blame.