a risk based approach to cyber security
Transcription
a risk based approach to cyber security
2014 Financial Management Seminar A RISK BASED APPROACH TO CYBER SECURITY Presented by: Eric Holmquist Managing Director, Enterprise Risk Management Accume Partners Information Security Agenda • What’s new? • Defining is a risk-based approach to info security • Program governance • Assessing IS risk • Other program elements • Recap & final thoughts • Q&A © 2014 Accume Partners 2 In The News • Target data breach – Contractor’s system infiltrated by email malware – Claims they were in full compliance with industry security practices – Hackers entered through billing system, then moved laterally through Target’s systems – Cardholder data was captured for almost 3 weeks – 40 million credit & debit cards stolen – Cost: $148 million* to start(and one CEO) *Source: Forbes © 2014 Accume Partners 3 In The News • Home Depot data breach – Hackers attacked through their retail systems using malware that was undetected – Attack went unnoticed for over 5 months – 56+ million cards compromised – Class action lawsuits have already started – Home Depot estimates initial costs at $62 million – Ultimate costs will be in hundreds of millions – Customer volume decreased due to mistrust © 2014 Accume Partners 4 Information Security From the 2014 Verizon Business Data Breach Investigations Report covering 1,367 data breaches from 2014. 34% of the breaches with confirmed data loss affected the finance industry (followed by public 13%, retail 10% & accommodation 10%) 75% can be described by 3 specific attack patterns (financial services) Motives remain #1 financial, #2 espionage & #3 fun/ideology Use of stolen credentials the top attack method Hacks to user devices somewhat flat Criminals are getting faster Discovery is not © 2014 Accume Partners 5 Information Security Where do we start? Information security must be approached as a business issue not a technology issue. Once we agree on this then we can consider using risk management practices. © 2014 Accume Partners 6 Information Security Risk Management The keys to information security governance: • Cannot be managed to 80/20 rule. • You cannot start at controls first. • If you can’t answer these 4 questions, you don’t have an information security program: – Where is my data? – What is my exposure? – What are my key controls? – What is my residual risk? © 2014 Accume Partners 7 Information Security Taking a risk based approach means: • Agreement on risk appetite and tolerance • Cross functional governance • Comprehensive risk assessment methods • Dynamic risk measurement methods • Ownership and accountability • Effective communication • Ensuring ability to quickly respond • Meaningful reporting mechanisms © 2014 Accume Partners 8 Information Security Governance Governance Structure Board Level Policy Information Security Officer Information Security Council Program Roles & Resp. © 2014 Accume Partners Op Policies Procedures 9 Metrics Establishing Risk Tolerance • Fact: Senior management always says they have a “very low” risk appetite. News flash, you don’t. • Must have realistic and comprehensive risk assessment tools to truly understand the risk profile. • Requires deep, honest discussions with a lot of people to fully understand the risk. • In practice, this area scares people to the point of not being able to face it head on. That model will never successfully operationalize risk tolerance. © 2014 Accume Partners 10 Information Security Policy • Board level policy • Establishes issue as business risk • Defines the role of the ISO or CISO • Sets mandates for program • Establishes program expectations • Defines board notification provisions • Not detailed in program specifics – Using Operating Policies for specifics © 2014 Accume Partners 11 Information Security Officer WRONG! © 2014 Accume Partners 12 Information Security Officer • Senior, if not executive level position • Preferably not in IT – Better in Risk Management • Must have senior access • Must have extraordinary interpersonal and communication skills (written and verbal) • Must have both business and some technical skills • Most important role will probably be translator © 2014 Accume Partners 13 Information Security Program • Regulatory requirement • Supports issue as business risk • Documents major components • Eliminates unspoken assumptions • Sets clear responsibilities • Defines risk-based approach • Establishes training curriculum • Supported with operating policies © 2014 Accume Partners 14 Information Security Council • A very good practice • Must have authority to set policy • Make it cross-disciplinary • Get senior participation • Make it visible • Make it safe • Honesty is critical © 2014 Accume Partners 15 Engaging Senior Management • Starts with education and awareness • Once educated, solicit active input • Knowledge breeds ownership • Language is the key!!!! © 2014 Accume Partners 16 Culture – Building a Big Army • Training is your single best IS investment • Create a culture of cooperation • Build social intolerance to data exposure • Make it everyone’s responsibility • Make disclosure safe • Don’t underestimate instincts • Reward creativity • Make it positive, not negative © 2014 Accume Partners 17 Information Security Training • We are training three different groups • Program overview is a good thing • Context is very important • Educate on the real risk • Clear do’s and don’ts • Make it ongoing • Make it interesting! © 2014 Accume Partners 18 Assessing Info Security Risk • Focus must be on risk, not just controls • Everything starts with the risk assessment • Manage to assessed risk, not perceived risk • Have to understand inherent vs. residual risk • Insiders are probably more of a threat than outsiders, and their impact is much bigger • Ability to respond quickly and effectively is critical – Time is not on your side! © 2014 Accume Partners 19 Assessing Info Security Risk • Inventories are critical • Approach four ways: – – – – Information systems Electronic data Physical files Third parties • Focus on accountability • A good assessment should always start from what you know that you know that you know • Use self-assessments vs. loss data or scenarios • The worst possible answer to assessing information security risk is… © 2014 Accume Partners 20 Risk Quantification Risk is quantified in four categories: • What’s at risk? Customer, corporate, third-party • What would be the impact? Financial, operational, regulatory & reputation • What could be the source? Internal, external & natural disaster • What can we mitigate? Prevention, monitoring & recovery © 2014 Accume Partners 21 The Role of IT • IT is one part of the conversation, but a critical one • Lives a dilemma between serving and controlling • Must come to an agreement on risk tolerance level • Guardians of systems, not content • SMEs of “What could go wrong?” • Use IS Council to set policies • Strive for a risk aware culture • Don’t assume anything © 2014 Accume Partners 22 The Role of IT • Independent vulnerability studies are critical • At least yearly, more often if needed • Patch management program remains one of the most critical areas to focus • Credentials really do matter • Bring Your Own Device (BYOD), must have: – A “Right to wipe” acknowledgement – Acceptable use policy – Encryption © 2014 Accume Partners 23 Other Program Elements Role of Regulations and Standards (e.g. Sox, ISO, FFIEC, GLBA, PCI-DSS, etc.) • All guidance is risk-based • Most focus on assumptions and managing change • Not program design specs! • Focus first on risk aspects • Use specific provisions as tests • Leverage compliance process © 2014 Accume Partners 24 Data Management • Probably your highest area of residual risk • You cannot manage risk if you don’t know exactly where your data is…period • Beyond that… – Who, what, when, where, why and how • Acquiring data access should be difficult • Leverage monitoring technology • View data like cash © 2014 Accume Partners 25 Cloud Service Providers • This model is not at all new, just the technology • Mirror your internal standards • Must be very clear on: – – – – Fault tolerance Data proximity Data location Service levels • Tech specs matter • Regulatory focus Source: Techiestate.com © 2014 Accume Partners 26 Vendor Management • Proper oversight and due diligence is not optional, it’s mandatory: – – – – Where ‘s the data? Who has access? How are you protecting it? Use documentation (Soc report, SIG, etc.) but never stop asking hard questions • Reinforced by regulatory guidance • What are your breach response SLA’s? • Use every resource available, like www.glassdoor.com © 2014 Accume Partners 27 Trends and Issues • Distributed Denial-of-Service (DDOS) • Increasing in frequency • May be one of two types: – Flooding site – Direct server attack • May be a smokescreen for other activity • Must address with your Internet Banking vendor • If self-hosting: – Talk with your Internet Service Provider – Explore availability appliances • Mobile may be a good alternate channel © 2014 Accume Partners 28 Trends and Issues • Phishing is an ongoing threat • Social Engineering • Configuration Management • Advanced Persistent Threats (ATP) – Known foreign sponsored groups – Long-term, sophisticated attacks – May be low-and-slow vs. brute force • Patches remain your most critical protection • Comprehensive risk management is more critical than ever! © 2014 Accume Partners 29 Mobile Banking / Mobile Devices • • • • • • Still more unknowns than knowns Increased fraud? No “remember me” options Insure aggressive timeout requirements Clear terms & conditions are critical Customer awareness © 2014 Accume Partners 30 Change Management • Risk management begins with strategy • Requires understanding assumptions and agreed upon risk tolerance levels • Critical to have both IT & business input • In this context, expand the analysis to confidentiality, availability and integrity • Remember, all operational risk failures are attributable to a change of some sort © 2014 Accume Partners 31 Data Breach Response Program • Establish a primary & secondary coordinator • Clear roles and responsibilities • Link to incident response program • Must have a first-day checklist • Notification list & procedures • Staff training is critical • Data breach exercise! © 2014 Accume Partners 32 Monitoring and Reporting • Information security by nature defies M&R • There is a limited amount we can monitor – However, data trends can be meaningful • Tie into KRI program – what can we track? • The real value may be in the visibility • Reporting must be timely, clear, root-cause focused and actionable • Some of this stuff really is interesting © 2014 Accume Partners 33 To Summarize • Starts with strategy • Focus on risk awareness (culture) • Training is absolutely critical • You’re not focused enough on internal risk • You need more discussion about residual risk • Establish agreement on risk tolerance • Must be masters at change management • You must be able to respond FAST © 2014 Accume Partners 34 Cyber Security Other Resources • http://www.verizonenterprise.com/ • http://www.darkreading.com/ • http://www.ponemon.org/ • http://www.searchsecurity.com/ • http://msisac.cisecurity.org/ • http://www.sans.org/ • https://cloudsecurityalliance.org/ Slide 35 Cyber Security For more information, please contact: Eric Holmquist Managing Director, Enterprise Risk Management 341 New Albany Road Moorestown, New Jersey 08057 Mobile Phone: 215.817.2107 eholmquist@accumepartners.com © 2014 Accume Partners 36