State of Oregon Cybersecurity Summit - Deloitte · 2018-06-14 · Cybersecurity Summit February 24,...

State of Oregon Cybersecurity Summit February 24, 2016 Willamette University


State of Oregon Cybersecurity Summit
February 24, 2016
Willamette University

Managing the Complexity of Cyber Risks
Mike Wyatt, Deloitte & Touche LLP
February 24, 2016

The State of Cybersecurity

… and organizations must trust people every day.

We have connected our economy and society using platforms designed for sharing information… not protecting it.

5 Managing the Complexity of Cyber Risks Copyright © 2016 Deloitte Development LLC. All rights reserved.

State agencies continue to be a target

States collect, share and use large volumes of the most comprehensive citizen information.

The large volume of information makes states an attractive target for both organized cyber criminals and hacktivists.

The things states do to connect with and serve citizens more effectively, and to become more efficient, are the very things that create or exacerbate cyber risk.

The Growing Complexity of Cyber Risk

States rapidly embrace new technology to better serve constituents efficiently.

Technology areas shown on the slide: Cloud, Analytics, Mobile, Online.

Have you anticipated and prepared for the possible outcomes?

It is almost inevitable that your safeguards will fail at some point.

Cyber Risk Management

In the private sector, boards increasingly view cyber risk as a first-order business risk.

A sound cyber risk program is not simply a cost to the business … it is an integral aspect of achieving successful mission delivery.

• The Deloitte-NASCIO Cybersecurity Study also provides benchmarking data on IT security spending
• Others provide average breach impact data

Use the data wisely….

Globally, the average per-record cost of a data breach is… $154, and the average cost of a cyber incident is… $3.79M (1)

(1) Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis, May 2015

Investing in a cyber risk program – Elevate your discussion with agency and state leaders

• Cyber strategy cannot be based solely on preventing the kind of attack you just saw in the news.
• Benchmarking against security spend for your industry may be misleading. Each organization’s cyber risk profile is distinct.
• The costs and impact of a cyber attack may be more far-reaching than common references would indicate. Example: citizen trust impact.
• Improved security controls may not be the most important investment for your organization.

Cyber security vulnerabilities

Elements adding to inefficient cyber risk management:
• Weak change management/ITIL
• Poor patch management
• No asset inventory
• Lack of data classification
• No security framework/enterprise risk management (ERM)

Assessing cyber risks

THREAT MODELING
• What are the possible motives of an attacker?
• What is the implication of a breach within the agency, state and external parties?

ASSET INVENTORY
• Do I know my information assets?
• Where are my high-risk assets?
• Where does sensitive data reside?

SENSITIVE DATA ASSESSMENT
• How should the data be classified?
• What are the data flows of our sensitive systems?
• How should sensitive data be protected?

SECURITY OPERATIONS / ENTERPRISE RISK ASSESSMENT / INCIDENT RESPONSE
• What systems are in place to detect cyber incidents?
• What systems are in place to respond to cyber incidents?
• What systems are in place to manage risks and where are they?
• When an incident occurs, how will my organization respond?

An assessment of the organization’s cybersecurity should evaluate specific capabilities across multiple domains

Establish a framework (domains on the slide are grouped under Secure, Vigilant and Resilient):
• Data management and protection
• Secure development life cycle
• Cybersecurity risk and compliance management
• Threat and vulnerability management
• Security operations
• Security awareness and training
• Crisis management and resiliency
• Risk analytics
• Security program and talent management
• Third-party management
• Identity and access management
• Information and asset management

* The Deloitte cybersecurity framework is aligned with industry standards and maps to Cyber Security Framework, NIST, ISO, COSO, and ITIL.

Prevention is no longer adequate… early detection is just as important

Discern: Understand the threat landscape and determine which threats your organization needs to protect against

Detect: Implement the appropriate detection mechanisms to discover threats early

Decide: Use the situational awareness and organizational context to comprehensively resolve the threat

What do you discern from your logs from multiple security devices?

Identify possible business scenarios and run simulation exercises

A range of scenarios can be used to test specific plans, rehearse interactions between teams or functions and challenge assumptions.

Potential Use Cases:
• Inoperability of public/Internet-facing systems resulting from an extended distributed cyber attack or virus/malware attack.
• A third party handling client data stores that data using systems that are compromised.
• Breach of sensitive customer information (e.g., bank accounts, personal information, credit card information).
• Critical information systems (revenue collections) compromised.
• Targeted attack towards government executives and senior legislators—to cause a political impact.
• Infiltration of APTs and insider threats compromising large volumes of customer PII on a long-term basis (e.g.

Collaborate on a resiliency plan…

Elements of the resiliency plan shown on the slide diagram: Executive crisis management; Legal, risk, & compliance; The plan; Support with technology; Simulate the event; Operations; Cyber education; CIR response team.

…effectively manage what is in your control.

Secure.Vigilant.Resilient.TM

Being VIGILANT means having threat intelligence and situational awareness to anticipate and identify harmful behavior.

Being RESILIENT means being prepared and having the ability to recover from, and minimize the impact of, cyber incidents.

Being SECURE means having risk-prioritized controls to defend critical assets against known and emerging threats.

Cyber Risk Services contact information

Michael Wyatt
Cyber Risk Services State Sector Programs Leader
Deloitte & Touche LLP
[email protected]
@michaelswyatt
www.linkedin.com/in/mikewyatt

Bari Faudree
Cyber Risk Services State Health Leader
Deloitte & Touche LLP
[email protected]

David Mapgaonkar
Cyber Risk Services
Deloitte & Touche LLP
[email protected]

Appendix

Anatomy of a cyber attack

The lifecycle of a cyber attack involves a progression of several stages. The slide plots attack stage against time, with data being compromised at the end of the progression.

Intelligence Collection

Opening the Door
• Spear phishing
• Drive by download
• Software/hardware vulnerabilities
• Third-party compromise

Weapon/Malware Delivery

Maintaining the Back Door

Techniques and indicators shown across the remaining stages of the diagram:
• Peer to peer networks
• Search engines
• Social engineering
• Data theft
• Data destruction
• Espionage
• Denial of service
• Unauthorized system and network access
• Unmonitored ports
• Misconfigured data loss prevention tools
• Stolen access credentials
• Spyware
• Ransomware
• Rootkit
• Bot

Time to Exploit: Minutes
Time to Discovery: Months or Longer

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.