Many readers have asked how to lay out threat severity (and what should be deflected) in a simple way. While I can’t claim to have all the answers there, I am reminded of what a good friend of mine (@snipeyhead on Twitter) once explained to me when I was starting out in Cybersecurity. She referenced a ten-point scale that spells out different levels of threat and threat preparedness, a form of cybersecurity scoring that makes the whole thing a lot more visible and easier to understand.
- Level 1: Non-Targeted “spray and pray” attacks like “blind email” attacks and SMS malicious spam – such as so-called “adult behavior extortion” attacks or fake money transfer schemes that are sent to half the internet and very rarely contain any non-public personal data at all.
- Level 2: False advertising of what a download really is – such as fake application downloads.
- Level 3: Non-Targeted phishing attacks – most commonly wide-scale provider spoofing as fake Netflix, IRS, and other emails trying to trick consumers into giving up login information.
These first three levels should be defended against by every single person who uses a computer. They do not require technical knowledge to either detect or avoid interacting with and, therefore, can be deflected by not clicking on links in emails, only downloading software from known and recognized vendors, keeping anti-malware tools updated, and keeping the OS patched/updated, etc.
- Level 4: Targeted blind email/SMS attacks – where all the employees of a specific company get a malicious email that includes public – but organization-specific – information within the email itself.
- Level 5: Targeted generic phishing – aimed at a specific industry but not personalized to the victim. A typical example is someone pretending to be the CEO or VP and asking for a gift card – they may have just enough information to do an accurate impersonation and win employee trust.
- Level 6: Co-opting legitimate software for illegitimate purposes, such as compromising a software vendor’s update systems and inserting a rogue update that users automatically download and apply.
- Level 7: Tailored email, text messaging, and phishing attacks – where the attack email is highly targeted to specific individuals and/or company principals and uses details that, because of that tailoring, make the recipient significantly more likely to interact with it.
At these levels, an individual would have some issues making sure the attacks are fully deflected, but any organization can obtain and use appropriate toolsets like Email Gateway defenses, behavioral-based anti-malware, firewalls with DNS and known-bad IP filtering, Group Policies, etc.
- Level 8: Organized multi-faceted threat campaigns – REvil, Loki, and other Advanced Persistent Threat groups.
At this level, organizations begin to see targeted attacks that utilize a combination of techniques – and often manual intervention by the attackers – to bypass common controls. While more difficult to both fully detect and fully deflect, the proper application of Cybersecurity policies and procedures can derail a lot of this level of attack, breaking the kill-chain and preventing the attacker from acting on their objectives.
- Level 9: State-Sponsored attacks and acts of cyber-warfare – such as surgical strikes on critical infrastructure or enterprise businesses for political or hacktivism reasons or as part of a military operation.
While this level is not impossible to defend against, an organization would have to bring quite a lot of both technology and personnel to the table to effectively deal with these forms of threats. Multiple layers of defenses and hardening of systems, combined with continual overwatch (such as a Security Operations Center), are necessary and may be out of reach for smaller businesses and organizations.
- Level 10: Multiple party collusion – such as when a government either partners with or coerces a service provider to give them information.
This final level is nearly impossible to defend against. Since the attack occurs outside your or your organization’s sphere of influence, you cannot exert security controls over the areas where the attack happens and, therefore, cannot effectively mount a defense. One very recent example is the Pegasus Spyware situation, where a third party (NSO) cooperated with government agencies to attack in a way that neither organization could accomplish on their own. Another example from some time ago was the PRISM system and other state-run operations that siphoned data directly from mobile phone networks with the help (willing or unwilling) of the network providers themselves.
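As an added example (not code from the original post), here is a small Python scorer that encodes the scale above as ordered rules, so a campaign showing several traits is scored at its most severe one, and maps each level to the defense band the post describes (user hygiene, organizational tooling, policy and procedure, SOC-backed layered defense, or outside your sphere of influence). The Campaign field names are my own assumptions.

```python
from dataclasses import dataclass

# Constructed attributes an analyst might record for one observed campaign;
# the field names are my own, the post defines no schema.
@dataclass
class Campaign:
    fake_download: bool = False          # download is not what it claims (Level 2)
    brand_spoof: bool = False            # fake Netflix/IRS style lure (Level 3)
    targeted_org: bool = False           # org-specific public details (Level 4)
    targeted_industry: bool = False      # industry lure, CEO impersonation (Level 5)
    supply_chain: bool = False           # rogue vendor update (Level 6)
    tailored_individual: bool = False    # personalised to named people (Level 7)
    manual_multi_technique: bool = False # combined techniques, hands-on (Level 8)
    state_sponsored: bool = False        # cyber-warfare, infrastructure (Level 9)
    provider_collusion: bool = False     # government plus service provider (Level 10)

# Most severe rule first: a campaign with several traits scores at its worst one.
RULES = [
    (10, lambda c: c.provider_collusion),
    (9, lambda c: c.state_sponsored),
    (8, lambda c: c.manual_multi_technique),
    (7, lambda c: c.tailored_individual),
    (6, lambda c: c.supply_chain),
    (5, lambda c: c.targeted_industry),
    (4, lambda c: c.targeted_org),
    (3, lambda c: c.brand_spoof),
    (2, lambda c: c.fake_download),
]

def score(c: Campaign) -> int:
    """Return the 1-10 level; Level 1 (untargeted spray-and-pray) is the default."""
    return next((level for level, rule in RULES if rule(c)), 1)

def defense_band(level: int) -> dict:
    """Who can realistically deflect an attack at this level, following the scale."""
    if level <= 3:
        return {"band": "user hygiene", "individual": True, "organization": True}
    if level <= 7:
        return {"band": "organizational tooling", "individual": False, "organization": True}
    if level == 8:
        return {"band": "policy and procedure", "individual": False, "organization": True}
    if level == 9:
        return {"band": "layered defense with SOC overwatch", "individual": False,
                "organization": "enterprise-scale only"}
    return {"band": "outside sphere of influence", "individual": False, "organization": False}

def in_budget_share(campaigns: list) -> float:
    """Fraction of observed campaigns at Level 7 or below (tools-and-training territory)."""
    return sum(score(c) <= 7 for c in campaigns) / len(campaigns) if campaigns else 0.0
```

Running `in_budget_share` over a quarter's incident tickets gives a quick read on the first takeaway below: how much of what you actually saw was deflectable with tools and training.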
From this ten-point scale, we can take away two very positive points:
- The vast majority of attacks can be defended against by any company or organization of just about any size. Anything up to Level 7 can be defeated with tools and training and can fit within most budgets. While an individual would have trouble defending against Level 4 and up, an organization can layer on the additional defenses necessary.
- For the few levels that are exceptionally difficult to defend against, the good news is that there are not a lot of these going on in the world. Though they do occur, and sometimes even impact smaller businesses and individuals, they are nearly exclusively targeting enterprise organizations and/or entire countries.
Hopefully, this article helps answer some of the questions we received from readers on how to map out threat activity on a scale that is easy to understand.
Of course, you can utilize the tools provided by Cymulate to help determine if you are ready to meet the challenges faced at different levels and ensure your organization is defended to the highest level it can be – just let us know if you’d like more information or to see the platform at work in your unique environment.