The Institute of Internal Auditors Detroit Chapter Presents€¦ · A Cyber Risk Assessment is a...
Transcript of The Institute of Internal Auditors Detroit Chapter Presents€¦ · A Cyber Risk Assessment is a...
Experis Finance | December 14, 2018 1
Assessing Cyber Risk
The Institute of Internal AuditorsDetroit Chapter
Presents
Assessing Cyber RiskChallenges and Solutions
Stephen Head | Director | Experis Finance
Experis Finance | December 14, 2018 3
Assessing Cyber Risk
If You Have Questions…If you have questions during the webcast:
– If necessary,exit Full Screen Viewby pressing the Esc key
– Submit questionsthrough theAsk a question button
Experis Finance | December 14, 2018 4
Assessing Cyber Risk
In order to receive CPE credit for this webcast, participants must:
Attend the webcast on individual computers (one person per computer)
Answer polling questions asked throughout the webcast
When answering polling questions, select your answer and the click “Vote” button (next to the “Ask a Question” button) to submit / save your answer.
CPE certificates will be sent to the e-mail address on your BrightTALK account within two weeks of this webinar.
Earning CPE Credit
Experis Finance | December 14, 2018 5
Assessing Cyber Risk
Please tell us your member status
A) Member Detroit Chapter
B) Member – Central Region District 2 (Fort Wayne, Toledo, Michiana, W. Mich., Lansing)
C) Member – Other District
D) Non-member
Experis Finance | December 14, 2018 6
Assessing Cyber Risk
Meet Our Presenter
Stephen Head, CISSP, CISM, CISADirector, IT Risk Advisory Services
Experis Finance
Experis Finance | December 14, 2018 7
Assessing Cyber Risk
AgendaThreats and Root Causes of Breaches
The Changing Regulatory Landscape
Security Frameworks and Tools
Practical Ways to Assess your Risk and Organizational Exposure
Key Elements of a Successful Cyber Risk Management Program
Threats and Root Causes of Breaches
Experis Finance | December 14, 2018 9
Assessing Cyber Risk
• Financial risk / loss• Business interruption• Reputational / brand risk• Regulatory risk / requirements• Liability of Board / Management• Technology proliferation / Internet of Things (IoT)
– Third-party / outsourced service providers– Sensor proliferation– Drone technologies– Alternative payment systems– Use of contractors
Why is Cyber Risk Important?
Experis Finance | December 14, 2018 10
Assessing Cyber Risk
Headlines Highlight Increased Cyber Risk
Experis Finance | December 14, 2018 11
Assessing Cyber Risk
Source: https://www.secureworldexpo.com/industry-news/cyber-risk-is-business-risk
Experis Finance | December 14, 2018 12
Assessing Cyber Risk
Pundits extoll the costs of breaches and cyber attacks, but few offer anything beyond anecdotal data collected through surveys. According to the Ponemon Institute, as of 2018:
The only cost that truly matters is the one your organization must deal with!
• $3.86 million is the average total cost of a data breach
• 6.4% increase in the total cost of a data breach since 2017
• $148 is the average cost per lost or stolen record
Not IF, but WHEN You Will Be Attacked
Source: Ponemon Institute
Experis Finance | December 14, 2018 13
Assessing Cyber Risk
Source: http://www.emc.com/collateral/other/emc-trust-curve-es.pdf
Data Losses Are Only One Aspect of a Broader Issue
Experis Finance | December 14, 2018 14
Assessing Cyber Risk
Threat Actors RisksAttack TargetsMotives
Nation State
Hactivists
Lone Wolves
Insiders
Criminal Underground
• Political Agenda• Military Agenda• Economic Harm
• Theft• Fraud• Ransom
• Political Agenda • Personal Agenda• Social Change
• Thrill Seeking• Personal Gain• Social Status
• Financial Gain• Social/Political Gain• Revenge
• Intellectual Property• Sensationalism• Critical Infrastructure
• Personal Information• Credit Card Data• Device Manipulation
• Corporate Sensitive• Key Employee
Information
• Device Control• Vandalism• Harassment
• Device Control• Vandalism• Harassment
• Competitive Impact• Service Disruptions• Design Disclosure
• Regulatory Sanctions• Lawsuits• Loss of Reputation
• Brand Damage• Business Disruption• Loss of Reputation
• Competitive Impact• Business Disruption• Loss of Reputation
• Business Disruption• Brand Damage• Personal Safety
Attackers, Targets and Motivations are Evolving
Experis Finance | December 14, 2018 15
Assessing Cyber Risk
The right sensors when monitored and acted upon can prevent or detect attacks at each critical phase
Each attack type is unique, but most have a similar structureAnatomy of an Attack
Planning/Information Gathering
Initial Attack and Breach
Establish Command and Control
Additional Exploitation
Data Exfiltration and Persistence
Identify Employees and Contact Information
Information available on the internetInformation coerced via various means
Create a spoofed web site
Send malicious linkWait for results
Identify vulnerable systems, services, processesGain access to internal network or systems
Establish a means of controlling “base” for gathering more network details and exploitationMalware takes effect
Search for information sourcesAdditional credentials/ authorizationsAttempt additional exploits
Remove or extract data obtainedAvoid discovery
Test for access, connectivity,
conduct scans, identify resources
Identify additional vulnerabilities,
execute exploits, collect information
Identify additional vulnerabilities
Phases
Example
Experis Finance | December 14, 2018 16
Assessing Cyber Risk
Polling Question 1
Has your organization’s business operations been impacted by a cyber attack within the last year?
A. Yes
B. No
C. Do not know
The Changing Regulatory Landscape
Experis Finance | December 14, 2018 18
Assessing Cyber Risk
What Regulators are Saying
• Cybercriminals can cause significant financial losses for regulated entities as well as for consumers whose private information may be revealed and/or stolen for illicit purposes.
• The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.
• Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted.
Source: New York State DFS 23 NYCRR 500
Experis Finance | December 14, 2018 19
Assessing Cyber Risk
Regulatory Risk / Requirements
Experis Finance | December 14, 2018 20
Assessing Cyber Risk
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for individuals in the EU and the European Economic Area. Critical compliance and regulatory changes it entails are:
• Clear consent required to collect and use data.• Limitations on automated data processing for decision making.• Right to rectify and restrict data usage, and the right to be forgotten.• Transparency and accountability about processing.• ‘Right to portability’, to migrate data between service providers.• Data access denial procedures to be as simple as data collection.• ‘Right to notification’ if data is compromised.• Stricter safeguards for transfers of personal data outside the EU.
GDPR
Experis Finance | December 14, 2018 21
Assessing Cyber Risk
Polling Question 2
Which area within your organization is responsible for assessing cyber risk?
A. Internal Audit
B. Security Management
C. Compliance
D. Other
Security Frameworks and Tools
Experis Finance | December 14, 2018 23
Assessing Cyber Risk
NIST• National Institute of Standards and
Technology
• Part of the U.S. Department of Commerce
• NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
• 3,000 employees
• 2,700 guest researchers
• Two main locations: Gaithersburg, MD and Boulder, CO
NIST Priority Research Areas
Advanced Manufacturing
IT and Cybersecurity
Healthcare
Forensic Science
Disaster Resilience
Cyber-physical Systems
Advanced Communications
Experis Finance | December 14, 2018 24
Assessing Cyber Risk
Describes how cybersecurity risk is managed by an organization and degree the risk management
practices exhibit key characteristics
NIST Framework Components
Aligns industry standards and best practices to the Framework Core in a particular implementation scenario
Supports prioritization and measurement while factoring in business needs
Cybersecurity activities and informative references, organized
around particular outcomes
Enables communication of cyber risk across an
organization
Framework Core
Framework Implementation
Tiers
Framework Profile
Source: NIST Cybersecurity Framework
Experis Finance | December 14, 2018 25
Assessing Cyber Risk
NIST Cybersecurity FrameworkEach NIST function has multiple categories subdividing the cybersecurity requirements into more detailed groups of activities. These categories are further divided into over 100 subcategories.
Identify Protect Detect Respond Recover
• Asset Management• Business
Environment• Governance• Risk Assessment• Risk Management
Strategy• Supply Chain Risk
Management
• Identity Management & Access Control
• Awareness & Training
• Data Security• Information
Protection Processes & Procedures
• Maintenance• Protective
Technology
• Anomalies & Events
• SecurityContinuous Monitoring
• Detection Processes
• Response Planning• Communications• Analysis• Mitigation• Improvements
• Recovery Planning• Improvements• Communications
What assets need protection?
What safeguards are available?
What techniques can identify incidents?
What techniques can contain the impact of incidents?
What techniques can restore capabilities?
Experis Finance | December 14, 2018 26
Assessing Cyber Risk
NIST Framework Core Excerpt
Source: NIST Cybersecurity Framework
Experis Finance | December 14, 2018 27
Assessing Cyber Risk
NIST Implementation Tiers
Source: NIST Cybersecurity Framework
Experis Finance | December 14, 2018 28
Assessing Cyber Risk
Criteria for Tier 1
Source: NIST Cybersecurity Framework
Experis Finance | December 14, 2018 29
Assessing Cyber Risk
Criteria for Tier 3
Source: NIST Cybersecurity Framework
Experis Finance | December 14, 2018 30
Assessing Cyber Risk
• Enables organizations to establish a roadmap for reducing cybersecurity risk that is aligned with organizational goals, considers legal/regulatory requirements and industry best practices, and reflects the risk management priorities of the organization
• Used to describe current state and the desired target state of cybersecurity activities
NIST Framework Profile
Experis Finance | December 14, 2018 31
Assessing Cyber Risk
Framework Scope: Executives to Operations
Experis Finance | December 14, 2018 32
Assessing Cyber Risk
Benefits Features
• Reduces time and expense of starting an information security program
• Reduces risk within current informationsecurity programs by identifying areas for improvement
• Increases efficiencies and reduce the possibility of miscommunication within your information security program and with other organizations such as partners, suppliers, regulators, and auditors
• Organizes reconciliation and reducing conflicts between legislation, regulation, policy, and industry best practice (Core)
• Guides organization and management of and information security program (Core)
• Measures current state and expresses desired state (Profile)
• Provides justification for investment decisions to address gaps in current state (Profile)
• Communicates cybersecurity requirements with stakeholders, including partners and suppliers (Profile)
• Enables informed trade-off analysis of expenditure versus risk (Tiers)
Why Adopt the NIST Framework?
Experis Finance | December 14, 2018 33
Assessing Cyber Risk
• The Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity maturity. The methodology provides a repeatable process to measure your cybersecurity preparedness over time
• The FFIEC Assessment is much more detailed than NIST. The NIST Framework only looks at 100+ controls, while the FFIEC Assessment looks at 494 different controls, which they refer to as declarative statements.
What is the FFIEC CAT?
Experis Finance | December 14, 2018 34
Assessing Cyber Risk
• Inherent Risk Profile
– What is your organization’s degree of exposure to cyber risks (based on type, volume, an complexity of operations)?
• Cybersecurity Maturity
– Based on the inherent risk profile, what level of control is needed?
– Organizations subject to higher risk require more sophisticated control mechanisms.
The FFIEC Tool Has Two Components
Experis Finance | December 14, 2018 35
Assessing Cyber Risk
FFIEC Risk/Maturity Relationship
Experis Finance | December 14, 2018 36
Assessing Cyber Risk
FFIEC Cybersecurity Assessment Structure
Experis Finance | December 14, 2018 37
Assessing Cyber Risk
Domains and Assessment Factors
Experis Finance | December 14, 2018 38
Assessing Cyber Risk
Mapping NIST to the FFIEC Assessment Tool
Source: FFIEC CAT Document - Appendix B
Practical Ways to Assess your Risk and Organizational Exposure
Experis Finance | December 14, 2018 40
Assessing Cyber Risk
A Cyber Risk Assessment is a comprehensive evaluation of your cybersecurity program and overall security posture. It identifies key risks that can impact the availability, integrity, and confidentiality of your information assets, determines where your strengths are, and zeroes in on weaknesses that present the greatest threats to the organization.
It is a deep dive into the layers of protection that separate sensitive andcritical data from sophisticated attackers. It gives you the necessary information to close gaps in your defenses, and provides the needed detail on how to do so in a cost effective manner.
What is a Cyber Risk Assessment?
Experis Finance | December 14, 2018 41
Assessing Cyber Risk
Assessment Process
Experis Finance | December 14, 2018 42
Assessing Cyber Risk
Assessment Tool
Experis Finance | December 14, 2018 43
Assessing Cyber Risk
Assessment Tool
Experis Finance | December 14, 2018 44
Assessing Cyber Risk
Assessment Tool
Experis Finance | December 14, 2018 45
Assessing Cyber Risk
Assessment Tool
Experis Finance | December 14, 2018 46
Assessing Cyber Risk
Assessment Tool
Experis Finance | December 14, 2018 47
Assessing Cyber Risk
Assessment Tool
Experis Finance | December 14, 2018 48
Assessing Cyber Risk
Assessment Tool
Experis Finance | December 14, 2018 49
Assessing Cyber Risk
Ongoing Process
Experis Finance | December 14, 2018 50
Assessing Cyber Risk
Polling Question 3
How does your organization assess cyber risk?
A. We assess it continuously or at least quarterly
B. We assess it annually
C. Still considering how we will assess it
Key Elements of a Cyber Risk Management Program
Experis Finance | December 14, 2018 52
Assessing Cyber Risk
• Asset Management – we find that many clients lack clear information on how many servers they have, what other devices reside on their network, what O/S each is running, etc.
• Controls Management – many organizations lack continuous monitoring of controls, limiting their focus to what is necessary to meet regulatory requirements
• Configuration and Change Management – configuration changes often focus on getting the application up-and-running, not minimizing the attack surface
• Vulnerability Management – we see many cases where vulnerability management may take 6 to 8 weeks to close a vulnerability. This is 6 to 8 weeks during which the organization is at an increased level of risk
• Incident Management – we see a need for much greater coordination and communication between the information security group and the business units
What Key Elements Are Often Overlooked?
Experis Finance | December 14, 2018 53
Assessing Cyber Risk
• Service Continuity Management – many organizations focus on traditional threats and have not performed tabletop or simulated tests involving a cyber attack
• Risk Management – we have noted many cases where risk management is assessing the risks posed by cyber attacks as they existed 10-15 years ago, failing to take into account how these risks have evolved in recent years
• External Dependencies Management – organizations are in many cases failing to fully evaluate the impact of a cyber attack against critical service providers, the communications links with them, and what the downstream impact will be
• Training and Awareness – many organizations ignore cross-functional training, whereas true resiliency requires a multi-disciplinary approach to training and awareness
• Situational Awareness – a number of organizations lack the tools and technical training to quickly identify, contain, and recover from cyberattacks
What Key Elements Are Often Overlooked?
Experis Finance | December 14, 2018 54
Assessing Cyber Risk
• Periodic risk assessment to evaluate IT cyber risk posture
• Comprehensive security policies that are reviewed annually
• Appointment of CISO with enterprise-wide responsibility
• Annual report by CISO to senior management covering cyber risks
• Risk personnel who understand how cyber risks affect business risks
• Training and awareness activities including testing
• Incident response management plan that is holistic
• Metrics to evaluate the efficiency and effectiveness of cyber operations
• Monitoring of business partners, vendors, third-parties
• Adherence to standardized framework requirements (NIST, etc.)
Essential Cyber Risk Management Practices
Q&A / Contact Information
Experis Finance | December 14, 2018 56
Assessing Cyber Risk
Contact Information
Thank You for Attending!
Stephen Head, CISSP, CISM, CISADirector, IT Risk Advisory ServicesMobile: 704.953.6688Email: [email protected]