Risk Assessment Conclusion


Summary

A risk assessment conclusion is the final summary in a risk assessment report. It explains the actual risks faced, outlines the potential impact, and recommends practical steps for managing those risks. This section turns technical findings into clear, actionable insights for decision makers.

  • Clarify real impact: Make sure to connect risks to business operations, legal exposure, and reputation to help everyone understand what’s actually at stake.
  • Assign ownership: Identify who is responsible for addressing each risk so accountability is built into the action plan.
  • Prioritize next steps: Rank recommended actions based on urgency and potential loss, ensuring resources are used where they matter most.
Summarized by AI based on LinkedIn member posts
  • Vaughan Shanks

    Co-Founder & CEO @ Cydarm Technologies

    11,142 followers

    US #CISA has released a summary of #Risk and #Vulnerability Assessments for FY2023, and it's an excellent guide on how to mitigate the most common threats. The release has an infographic (attached) as well as a longer form PDF report (linked). The conclusions are not surprising, but the data points are useful to validate your assumptions with quantified observations. Some key takeaways:

    🚩 Valid Accounts (MITRE ATT&CK technique T1078) are the most common initial access vector, seen in 41% of attacks - we could assume that this means either default passwords or credential theft are being utilized

    🚩 Spearphishing variations were the next most prevalent initial access vector, highlighting the importance of email security

    🚩 Valid Accounts are also the most widely used persistence and privilege escalation method, at 42% and 45% respectively - highlighting the need to monitor IDAM, manage privileges effectively, and look for anomalous behavior

    🚩 Pass the hash, pass the ticket, and RDP were most common lateral movement techniques observed

    There's a lot more useful information in the report - worth a read!

  • Gizem T.

    WL Group Chief Financial Crime Compliance Officer (Group AMLCO) Compliance Leader | Private Advisor | Oversight, Crisis Management, Strategy, Regulatory, Financial Crime, Sanctions | Keynote Speaker | Board Member

    27,327 followers

    The Ministry of Justice has published its latest 🇱🇺 National Risk Assessment (NRA) focused specifically on money laundering (ML), covering data from 2020 to 2023. It separates ML from terrorist financing (TF) risks — a first — allowing for a more targeted understanding of ML threats and vulnerabilities in the country’s financial and non-financial sectors.

    🔍 Key findings from the report:

    ✅ External ML threats dominate: Luxembourg’s status as a global financial centre creates heightened exposure to laundering of proceeds from foreign crimes. Fraud, tax crimes, and corruption are ranked as very high threats, underscoring the cross-border vulnerabilities of Luxembourg’s open economy.

    ✅ High-risk sectors:
      • In the financial sector, banks, investment firms, e-money institutions, PIs, and VASPs face a high inherent ML risk.
      • In the non-financial sector, legal and accounting professions (except auditors and bailiffs) remain high-risk, especially due to complex legal arrangements and use of corporate structures.
      • Legal arrangements (e.g. trusts) are flagged with the highest inherent risk.

    ✅ Emerging threats: Cyber-enabled fraud, crypto-related laundering, the misuse of virtual IBANs, and the exploitation of digital finance services are seen as evolving ML typologies, especially in connection with organised crime and weak KYC jurisdictions.

    ✅ Residual risk analysis: While mitigation strategies reduce risk in some sectors, the overall residual risk remains significant for high-risk entities, especially where mitigation is uneven or supervisory resources are limited.

    ✅ Cross-border insights: The report links ML risks to Luxembourg’s top FDI partner countries (e.g. US, UK, Netherlands, Ireland), noting that while these countries have strong AML regimes, vulnerabilities such as fraud, human trafficking, and the abuse of legal persons are shared challenges across jurisdictions.

    🌍 International recognition: Luxembourg’s ML/TF regime was commended by the FATF in its 2023 Mutual Evaluation Report, citing a solid AML framework and risk understanding. However, the NRA stresses that continuous vigilance is essential, especially as Luxembourg diversifies into crypto-assets, sustainable finance, and fintech.

    📊 The methodology is rigorous: a structured scorecard approach with multi-level risk assessments (macro, meso, micro), involving public-private partnerships, expert workshops, and use of granular data from national agencies and FATF guidance.

    #Compliance #AML #FinancialCrime #Luxembourg #RiskAssessment #FATF

  • Brian Blakley

    Information Security & Data Privacy Leadership - CISSP, FIP, CIPP/US, CIPP/E, CIPM, CISM, CISA, CRISC, CMMC-CCP & CCA, Certified CISO

    12,696 followers

    A client just shared a security consultant's risk assessment report with me and it was full of a bunch of pretty red, yellow, and green colors…

    What did the client think of the report? The CFO shared that it was a complete waste of money. The COO said there wasn’t anything actionable. The CEO, well, he stated this “I didn’t understand an f-ing word the guy said…”

    Why? It isn’t a risk report. It’s a checklist with no owner. I’ve seen dozens like it over the years… risk heatmaps, control IDs, high scores, and a list of tool-based recommendations. It’s NOT a deliverable that drives business decisions.

    No... executive summary. cost analysis. accountability. prioritization (beyond color codes). actionable roadmap.

    Where’s the impact to operations? legal exposure? loss potential? reputation risk? Without those, it’s just risk assessment theater.

    If you do security risk assessments DO NOT stop at identifying risks. Tell a story: What happens if we do nothing? What’s the cost to fix it? Who owns the risk treatment decisions? When will it be done?

    If you deliver this type of report and call it complete, you’re checking boxes & not shrinking business risk. And the outcome will be a CFO that felt it was a waste of time and money, a clueless and uninformed COO, and a CEO that is annoyed because you sound like the adults in an episode of a Peanuts comic “wah wah wah…”

    #vciso #riskassessments #msp #security #leadership
