Breach of Crown Jewel Database (PII) by an External Actor via Phishing Overview

Scenario at a Glance

  • Threat: External Malicious Actor
  • Asset: Crown Jewel Database (PII)
  • Effect: Confidentiality
  • Method: Social Engineering (Phishing)

Overview

The purpose of this analysis is to quantify the risk associated with an external actor breaching the PII in a crown jewel database via phishing. This content pack contains this analysis because personal data is the second most breached data type, just behind credentials. According to the Verizon Data Breach Investigations Report (DBIR), approximately 45% of breaches in 2020 involved personal data. Phishing was selected as the method for this analysis due to the increased prevalence of this attack type, with the DBIR noting that approximately 36% of breaches in 2020 involved phishing, up 11% from 2019.

Key FAIR Components

  • Threat Event Frequency (TEF): The annual frequency with which malicious threat actors attempt to breach the confidentiality of PII in a crown jewel database. The attempts take the form of targeted, malicious phishing emails that bypass perimeter controls and end up in users' inboxes. These emails target an organization’s assets via network credentials, not the user personally.
  • Vulnerability: Once the threat actor has gained a credentialed network foothold, this is the percentage of time the actor will successfully bypass relevant controls and access the scoped asset to cause loss.
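
How the two components above combine, as an added example that is not RiskLens code or data: in FAIR, loss event frequency is Threat Event Frequency multiplied by Vulnerability. The ranges, the PERT distribution shape and all function names are assumptions constructed for illustration.

```python
import random
import statistics

def pert(rng, low, mode, high, lam=4.0):
    """Sample a PERT value: a beta distribution rescaled to [low, high]."""
    span = high - low
    alpha = 1 + lam * (mode - low) / span
    beta = 1 + lam * (high - mode) / span
    return low + rng.betavariate(alpha, beta) * span

def simulate_loss_events(tef_range, vuln_range, years=10_000, seed=1):
    """Simulate loss events per year from (min, most likely, max) ranges.

    tef_range:  threat events per year (TEF)
    vuln_range: probability that one threat event reaches the scoped asset
    """
    rng = random.Random(seed)
    outcomes = []
    for _ in range(years):
        tef = pert(rng, *tef_range)
        vuln = pert(rng, *vuln_range)
        # Turn the fractional TEF into a whole number of threat events.
        events = int(tef) + (rng.random() < tef - int(tef))
        # Each threat event becomes a loss event with probability vuln.
        outcomes.append(sum(rng.random() < vuln for _ in range(events)))
    return outcomes

def summarize(outcomes):
    """Mean loss event frequency, 90th percentile, and P(at least one)."""
    ordered = sorted(outcomes)
    return {
        "mean_lef": statistics.fmean(ordered),
        "p90": ordered[int(0.9 * len(ordered))],
        "p_any": sum(1 for n in ordered if n > 0) / len(ordered),
    }

# Constructed ranges for illustration only, not RiskLens estimates.
TEF_RANGE = (2, 6, 16)            # threat events per year
VULN_RANGE = (0.02, 0.10, 0.30)   # share of threat events that reach the asset

if __name__ == "__main__":
    print(summarize(simulate_loss_events(TEF_RANGE, VULN_RANGE)))
```

With these constructed ranges the PERT means are 7 threat events per year and a Vulnerability of 0.12, so the simulated mean settles near 0.84 loss events per year.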

Data Sources

The RiskLens Starter content pack comes prepopulated in the RiskLens platform with data, risk scenarios, and other content. Each risk scenario is fully populated with expert-estimated ranges and draws on RiskLens’ experience, third-party content, and data helpers available in the Starter content pack in the catalog. All relevant data sources and assumptions are documented in the accompanying rationale so you can be confident in the results.

The third-party sources referenced for this scenario include:

Starter Content Pack Resources

This scenario uses estimates sourced from various data helpers for both frequency and magnitude workshop questions. When applicable, workshop questions using data helpers list the data helper and tier in the question’s rationale. These data helpers are available via the Starter content pack in the catalog. 

The Starter content pack data helpers used in this scenario include:

  • Network Footholds, per Year
  • Network Foothold – Susceptibility to Asset Compromise
  • Incident Management Efforts, in Hours
  • Loaded Hourly Employee Wage
  • Data Access/Disclosure – Probability of Secondary Loss Occurring (Guided)
  • Percentage of Suspicious Activity Logged
  • Percentage of Logged Suspicious Activity Recognized

You’re encouraged to add these data helpers to your library to review their additional tiers and select the option best aligned with your organization. You can find additional information about this scenario’s modeling and estimation within the workshop. 

Starter Content Pack Purpose and Guidance

The RiskLens Starter content pack enables efficient analysis of some of the most important and common risk scenarios that have been modeled using FAIR and RiskLens leading practices. The scenarios in this content pack are designed to provide structure and guidance for future analysis work while also quantifying some of the most commonly analyzed scenarios in the RiskLens platform.

