Project: Advanced Cybersecurity Risk Assessment Checklist

What is the “Advanced Cybersecurity Risk Assessment Checklist” (ACRAC)?

ACRAC allows any organisation to assess the status quo of its cybersecurity.

It is a thorough and constantly updated checklist for reducing the common cyber threats organisations are confronted with.

Its goal is to raise awareness of vulnerabilities, thereby neutralising the majority of threat vectors an organisation faces and making cyber security risks manageable.

Once the checklist is completed, the results can be converted into action items that reduce the risk of cyber incidents to an organisation and mitigate common vulnerabilities.

Contribute to ACRAC?

The project is open source and anyone is encouraged to contribute ideas to the project. Until a platform is found, please join us and share ideas on our Discord Server: https://discord.gg/ZRJtEEP

Download ACRAC?

Creative Commons License
ACRAC Advanced Cybersecurity Risk Assessment Checklist by Lars G. A. Hilse is licensed under a Creative Commons Attribution 4.0 International License.

Version: 20190131.1

Download the latest ACRAC as PDF

https://www.dropbox.com/s/wqt9hmfrbo6gc1o/20190130.1%20ACRAC.pdf?dl=0

SHA256: 025d5584fdf246f20e8d8da39cbd7d4b550d24767c3cd4b684e30acbdfee0cfc

Download the latest ACRAC as XLSX

https://www.dropbox.com/s/biu5g7x45zsdsdf/20190130.1%20ACRAC.xlsx?dl=0

SHA256: 657358656ea58b46e966d224ec05ab875f4807d27894471a575f4060b7e8ba10
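The SHA256 values above are there so you can check that the file you fetched from Dropbox is the one that was published. The following is an added example (not part of ACRAC or the author's tooling) of a small POSIX shell function that does the comparison; it assumes either sha256sum or shasum is installed, and the expected digests are the ones printed above.

```shell
#!/bin/sh
# verify_sha256 FILE EXPECTED_HEX
# Prints OK and returns 0 when FILE's SHA-256 digest equals EXPECTED_HEX
# (compared case-insensitively); prints both digests and returns 1 otherwise.

sha256_of() {
    # sha256sum is GNU coreutils; shasum -a 256 covers macOS/BSD (Perl).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage against the published digests (file names as downloaded from Dropbox):
#   verify_sha256 "20190130.1 ACRAC.pdf"  025d5584fdf246f20e8d8da39cbd7d4b550d24767c3cd4b684e30acbdfee0cfc
#   verify_sha256 "20190130.1 ACRAC.xlsx" 657358656ea58b46e966d224ec05ab875f4807d27894471a575f4060b7e8ba10
```

Keep in mind what this check does and does not prove: it detects a corrupted or swapped file on the download host, but the digest and the file are published by the same party, so it is not a substitute for a signature if you need to know who produced the checklist.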

Need older or more specialised versions? Join the server mentioned above and ask us.

History

In 2018 I was asked to brief the European Parliament about the risks of cyberterrorism. In talks after the public hearing there was a desire for a checklist of sorts. One that would allow an organisation to at least assess a status of where they are from a cybersecurity perspective.

What ensued was a painstaking search for something out there… yet there was nothing that wasn’t a sales pitch by some company.

All publicly available information was then merged and spiced up into ACRAC, the Advanced Cybersecurity Risk Assessment Checklist.

Is your organization's data valuable to outside threats?

Whether or not your organization's data is valuable to outsiders depends heavily on what business you're in.

Generally speaking, your organization's data is valuable. Period.

Ever-increasing amounts of data are being taken off paper and digitized.

Organizations are therefore targets not only of corporate espionage, but also of data-collection spies and of even more persistent threats.

A while ago I worked on a case of CEO fraud, in which the main enabler was a vulnerability in the organization's email server. It was exploited and allowed the perpetrators to monitor email communication between the chief executive officer and the chief financial officer.

This angle was then exploited by the attackers, and the organization lost a couple of million euros; unretrievable.

So you see, the threat is not only corporate espionage aimed at obviously valuable information; much less conspicuous information can be used to harm your organization.

Cyber insurance versus insurance companies

Getting cyber insurance cover is easy.

Getting cyber insurance coverage that is adequate and up to speed with current threats is a totally different story.

Currently, very conservative and traditional insurance companies are trying to deliver top-of-the-line products, mostly to customers who don't need them.

So what’s up with that?

A while ago, I tried to sign an e-commerce business with an insurance company that appeared to be very advanced in signing cyber insurance contracts.

During the negotiations, however, it turned out that they generally ruled out e-commerce businesses.

The main argument was that an e-commerce business could fall victim to a denial of service attack.

My counter argument was that any conventional business could burn down, and still they wrote insurance policies for the buildings of this client.

I went on to argue that denial-of-service attacks are easily mitigated through various means, the most important of which is a content distribution network.

Still, the insurance company wouldn’t budge.

Having close connections inside the insurance company I went ahead and looked at their exclusion list. And it was terrifying!

I ended up working with them to reduce the general exclusions and soften some of their strict policies towards certain types of businesses. Now they are doing tremendously well and signing up risks that are manageable.

Mitigating sophisticated phishing attacks

Phishing has always been a rather difficult issue to solve.

I've spent countless hours trying to create programs that successfully keep employees from opening suspicious emails, believe me!

The new generation of phishing, however, is even more complex and the threat is even more difficult to mitigate.

In the most recent cases I worked on, the email sent to the victim was either announced or followed up by a phone call from a seemingly legitimate source.

Thereby, the victim was duped into opening the attachment that infected the system/network, and there is pretty much no training that will reduce that risk.

One of the measures we began working on was to have existing contacts confirm their identity through IM (instant messaging). Of course, this only works if the source is internal and/or the source is available on an IM service.
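To make the IM confirmation step concrete, here is an added example (not ACRAC code and not the author's implementation) of an attachment gate that holds an attachment until the claimed sender confirms it over a second channel. The important detail, which the phone-call variant of this attack exploits, is that the IM contact is resolved from an internal directory and never taken from the suspicious email itself. The directory, the IM transport callable, the sample emails and the handles im:cfo, im:cto and im:attacker are all constructed stand-ins so the flow runs offline.

```python
"""Out-of-band confirmation of an email attachment via an IM channel.

Added example; the directory, IM transport and messages are constructed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed internal directory: email address -> IM handle. The handle is
# looked up here, never taken from the email, otherwise a spoofed sender could
# also nominate the "contact" that confirms it.
DIRECTORY = {
    "cfo@example.com": "im:cfo",
    "cto@example.com": "im:cto",
}


@dataclass
class Email:
    sender: str
    subject: str
    attachment_name: str
    attachment: bytes
    reply_to_im: Optional[str] = None   # untrusted hint an attacker might add


@dataclass
class PendingConfirmation:
    nonce: str
    attachment_sha256: str
    im_handle: str
    created: float
    ttl_seconds: float = 900.0

    def expired(self, now: Optional[float] = None) -> bool:
        return (time.time() if now is None else now) - self.created > self.ttl_seconds


class AttachmentGate:
    """Quarantines attachments until the claimed sender confirms them over IM."""

    def __init__(self, im_send: Callable[[str, str], None], directory=DIRECTORY):
        self.im_send = im_send            # im_send(handle, text) delivers one IM
        self.directory = directory
        self.pending: Dict[str, PendingConfirmation] = {}

    def request_confirmation(self, mail: Email) -> Optional[str]:
        # Resolve the contact from the directory only; mail.reply_to_im is ignored.
        handle = self.directory.get(mail.sender.lower())
        if handle is None:
            return None   # unknown sender: no out-of-band path, stays quarantined
        digest = hashlib.sha256(mail.attachment).hexdigest()
        nonce = secrets.token_hex(8)
        self.pending[nonce] = PendingConfirmation(nonce, digest, handle, time.time())
        self.im_send(handle,
                     f"Did you email '{mail.attachment_name}' (sha256 {digest[:16]}...)? "
                     f"Reply with code {nonce} to release it.")
        return nonce

    def confirm(self, from_handle: str, text: str, mail: Email) -> bool:
        """Release only if the reply comes from the directory handle, carries a
        live nonce, and the attachment is byte-for-byte what was asked about."""
        words = text.strip().split()
        nonce = words[-1] if words else ""
        pc = self.pending.get(nonce)
        if pc is None or pc.expired():
            return False
        if not hmac.compare_digest(pc.im_handle, from_handle):
            return False
        current = hashlib.sha256(mail.attachment).hexdigest()
        if not hmac.compare_digest(pc.attachment_sha256, current):
            return False
        del self.pending[nonce]   # one-shot: a replayed code is rejected
        return True


def run_scenarios():
    """Returns (legit_released, spoof_released, replay_released, handles_asked)."""
    sent = []   # (handle, text) pairs the stand-in IM transport "delivered"
    gate = AttachmentGate(lambda h, t: sent.append((h, t)))

    # 1. The real CFO sends an invoice and confirms the code over IM.
    legit = Email("cfo@example.com", "Invoice", "invoice.pdf", b"%PDF-1.4 constructed")
    nonce = gate.request_confirmation(legit)
    legit_ok = gate.confirm("im:cfo", f"yes, code {nonce}", legit)

    # 2. Spoofed sender plus an attacker-controlled IM hint: the gate still asks
    #    the real CFO, and a reply from the attacker's handle is rejected.
    spoof = Email("cfo@example.com", "Urgent wire", "wire.docm",
                  b"constructed macro payload", reply_to_im="im:attacker")
    nonce2 = gate.request_confirmation(spoof)
    spoof_ok = gate.confirm("im:attacker", f"yes, code {nonce2}", spoof)

    # 3. Replaying the CFO's earlier code does not release anything again.
    replay_ok = gate.confirm("im:cfo", f"yes, code {nonce}", legit)

    return legit_ok, spoof_ok, replay_ok, {h for h, _ in sent}
```

The same rule applies to the phone-call variant: call the contact back on the number from the directory, not the number offered in the email or by the caller.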

Stay safe folks! These new attacks are devious with potentially devastating consequences, essentially with no one to blame.