The cyber attack potential assessment database By Thierry Autret, GIE Cartes bancaires

To have a scale that allows the virulence of each cyber threat to be assessed, with the aim of raising the general public’s awareness and deciding whether or not a situation is serious: This idea was born in 2012 in the cyber community. The cyber attack potential assessment database, known as BEPA-Cyber, was made public in the FIC 2014 special French gendarmerie magazine (No. 248 — December 2013) and has since been improved. The BEPA-Cyber tool is now assessed on a scale from 0 to 10.

BEPA-Cyber characterises threats according to five criteria (origin, precision, sophistication, visibility and persistence), each of which is rated from 1 to 4. The BEPA-Cyber score is calculated using a binary logarithm of the products of these five rates. This characterisation is used in Annex 1 of the guide « L’homologation en 9 étapes simples » (Certification in 9 Easy Steps), published by the French Network and Information Security Agency (ANSSI) in June 2014, in the self-diagnosis chart on information system protection needs. We are currently seeking contributors in fields of experimentation with the BEPA-Cyber’s various uses, which include:

• – helping a CISO graph its dashboard information on the incidents it has dealt with and threats to be wary of for the attention of its management committee;
• – enhancing an internal company newsletter to raise employees’ awareness of threats;
• – establishing correlation tables between recommended ISS actions and the threats they can cover, etc.

This contribution will enable to verify that everybody can understand this simple tool. BEPA-Cyber aims to allow individuals in charge of anticipating and dealing with the effects of cyber threats to communicate without going into technical detail, prioritise threats, identify means of response more readily and make appropriate and properly targeted decisions.

SMEs, SMIs and VSEs generally lack expert skills and the time to acquire them. The BEPA-Cyber tool should be able to help them support fast and effective ISS efforts, because once the threats of concern to them are characterised, charts of actions classified according to the same criteria should allow them to easily select and implement relatively well-targeted preventive measures.

Let’s imagine, for example, the case of a metal frame construction company. The company’s survival depends on the accuracy and precision of its structural calculations and the confidentiality of the formulas it develops. The first step in protecting these assets is to identify the threats that might be of concern to this company. In the selected case, potential attackers could be competitors or employees within the company, with basic or unsophisticated resources and no expertise in targeted attacks. More generic attacks by cyber criminals with no specific interest in the company could also harm it (origin: 3, precision: 4). The tools used in such attacks are more likely to be trivial or generic (sophistication: 2). The attacks feared are the discrete attacks that would not be detected immediately (visibility: 3). Regular attacks can be expected at every major call for bids; occasional attacks can also be expected (persistence: 3).

Therefore, the maximum BEPA-Cyber level for attacks that that could be of reasonable concern to the company has a score of ln(3x4x2x3x3)/ln2 ≅ 7.5.

Let’s also consider a list of actions. For example, in the ANSSI guide to measures for a healthy network, rule 1 (« Have an accurate map of IT installations and keep it updated ») is necessary to block trivial threats with a BEPA-Cyber score of 0 and all higher-score threats. Rule 5 (« Prohibit the connection of personal devices to the organisation’s information system ») allows protection against viruses with a BEPA-Cyber score of at least 1.

These rules should thus be implemented in the case of the above construction company, which must face attacks with a maximum score of 7.5. The rules for a healthy network constitute a set of minimum guidelines to follow.

Recommendations on deleting the contents of removable devices used by the company, on the other hand, are limited to encryption by an OTS tool. This action is intended to protect information from being read immediately in case of, for example, theft, which is a BEPA-Cyber Level 3 threat (precision: 4; visibility: 2; other characteristics: 1). Device overwriting does not appear to be relevant because it would protect against attacks involving a high level of expertise and requiring sophisticated tools to break the encryption, which are BEPA-Cyber Level 8 skills.

Cataloguing actions according to the BEPA-Cyber level of the attacks that they are intended to block gives companies and individuals a certain level of autonomy in fighting cyber attacks.