a risk based approach to cyber security

2014 Financial
Management Seminar
A RISK BASED APPROACH
TO CYBER SECURITY
Presented by:
Eric Holmquist
Managing Director, Enterprise Risk Management
Accume Partners
Information Security
Agenda
• What’s new?
• Defining is a risk-based approach
to info security
• Program governance
• Assessing IS risk
• Other program elements
• Recap & final thoughts
• Q&A
© 2014 Accume Partners
2
In The News
• Target data breach
– Contractor’s system infiltrated by email malware
– Claims they were in full compliance with industry security
practices
– Hackers entered through billing system, then moved
laterally through Target’s systems
– Cardholder data was captured for almost 3 weeks
– 40 million credit & debit cards stolen
– Cost: $148 million* to start(and one CEO)
*Source: Forbes
© 2014 Accume Partners
3
In The News
• Home Depot data breach
– Hackers attacked through their retail systems using
malware that was undetected
– Attack went unnoticed for over 5 months
– 56+ million cards compromised
– Class action lawsuits have already started
– Home Depot estimates initial costs at $62 million
– Ultimate costs will be in hundreds of millions
– Customer volume decreased due to mistrust
© 2014 Accume Partners
4
Information Security
From the 2014 Verizon Business Data Breach Investigations
Report covering 1,367 data breaches from 2014.
 34% of the breaches with confirmed data loss affected the finance
industry (followed by public 13%, retail 10% & accommodation 10%)
 75% can be described by 3 specific attack patterns (financial
services)
 Motives remain #1 financial, #2 espionage & #3 fun/ideology
 Use of stolen credentials the top attack method
 Hacks to user devices somewhat flat
 Criminals are getting faster
 Discovery is not
© 2014 Accume Partners
5
Information Security
Where do we start?
Information security must be approached as a business
issue not a technology issue. Once we agree on this
then we can consider using risk management practices.
© 2014 Accume Partners
6
Information Security Risk Management
The keys to information security governance:
• Cannot be managed to 80/20 rule.
• You cannot start at controls first.
• If you can’t answer these 4 questions, you don’t have an
information security program:
– Where is my data?
– What is my exposure?
– What are my key controls?
– What is my residual risk?
© 2014 Accume Partners
7
Information Security
Taking a risk based approach means:
• Agreement on risk appetite and tolerance
• Cross functional governance
• Comprehensive risk assessment methods
• Dynamic risk measurement methods
• Ownership and accountability
• Effective communication
• Ensuring ability to quickly respond
• Meaningful reporting mechanisms
© 2014 Accume Partners
8
Information Security Governance
Governance Structure
Board Level Policy
Information Security Officer
Information Security Council
Program
Roles & Resp.
© 2014 Accume Partners
Op Policies
Procedures
9
Metrics
Establishing Risk Tolerance
• Fact: Senior management always says they have a “very low”
risk appetite. News flash, you don’t.
• Must have realistic and comprehensive risk assessment tools
to truly understand the risk profile.
• Requires deep, honest discussions with a lot of people to fully
understand the risk.
• In practice, this area scares people to the point of not being
able to face it head on. That model will never successfully
operationalize risk tolerance.
© 2014 Accume Partners
10
Information Security Policy
• Board level policy
• Establishes issue as business risk
• Defines the role of the ISO or CISO
• Sets mandates for program
• Establishes program expectations
• Defines board notification provisions
• Not detailed in program specifics
– Using Operating Policies for specifics
© 2014 Accume Partners
11
Information Security Officer
WRONG!
© 2014 Accume Partners
12
Information Security Officer
• Senior, if not executive level position
• Preferably not in IT
– Better in Risk Management
• Must have senior access
• Must have extraordinary
interpersonal and communication
skills (written and verbal)
• Must have both business and some
technical skills
• Most important role will probably be
translator
© 2014 Accume Partners
13
Information Security Program
• Regulatory requirement
• Supports issue as business risk
• Documents major components
• Eliminates unspoken assumptions
• Sets clear responsibilities
• Defines risk-based approach
• Establishes training curriculum
• Supported with operating policies
© 2014 Accume Partners
14
Information Security Council
• A very good practice
• Must have authority to set policy
• Make it cross-disciplinary
• Get senior participation
• Make it visible
• Make it safe
• Honesty is critical
© 2014 Accume Partners
15
Engaging Senior Management
• Starts with education and awareness
• Once educated, solicit active input
• Knowledge breeds ownership
• Language is the key!!!!
© 2014 Accume Partners
16
Culture – Building a Big Army
• Training is your single best IS investment
• Create a culture of cooperation
• Build social intolerance to data exposure
• Make it everyone’s responsibility
• Make disclosure safe
• Don’t underestimate instincts
• Reward creativity
• Make it positive, not negative
© 2014 Accume Partners
17
Information Security Training
• We are training three different groups
• Program overview is a good thing
• Context is very important
• Educate on the real risk
• Clear do’s and don’ts
• Make it ongoing
• Make it interesting!
© 2014 Accume Partners
18
Assessing Info Security Risk
• Focus must be on risk, not just controls
• Everything starts with the risk assessment
• Manage to assessed risk, not perceived risk
• Have to understand inherent vs. residual risk
• Insiders are probably more of a threat than outsiders, and
their impact is much bigger
• Ability to respond quickly and effectively is critical – Time
is not on your side!
© 2014 Accume Partners
19
Assessing Info Security Risk
• Inventories are critical
• Approach four ways:
–
–
–
–
Information systems
Electronic data
Physical files
Third parties
• Focus on accountability
• A good assessment should always start from what you know
that you know that you know
• Use self-assessments vs. loss data or scenarios
• The worst possible answer to assessing information security
risk is…
© 2014 Accume Partners
20
Risk Quantification
Risk is quantified in four categories:
• What’s at risk?
Customer, corporate, third-party
• What would be the impact?
Financial, operational, regulatory & reputation
• What could be the source?
Internal, external & natural disaster
• What can we mitigate?
Prevention, monitoring & recovery
© 2014 Accume Partners
21
The Role of IT
• IT is one part of the conversation, but a critical one
• Lives a dilemma between serving and controlling
• Must come to an agreement on risk tolerance level
• Guardians of systems, not content
• SMEs of “What could go wrong?”
• Use IS Council to set policies
• Strive for a risk aware culture
• Don’t assume anything
© 2014 Accume Partners
22
The Role of IT
• Independent vulnerability studies are critical
• At least yearly, more often if needed
• Patch management program remains one of the most
critical areas to focus
• Credentials really do matter
• Bring Your Own Device (BYOD), must have:
– A “Right to wipe” acknowledgement
– Acceptable use policy
– Encryption
© 2014 Accume Partners
23
Other Program Elements
Role of Regulations and Standards
(e.g. Sox, ISO, FFIEC, GLBA, PCI-DSS, etc.)
• All guidance is risk-based
• Most focus on assumptions and managing change
• Not program design specs!
• Focus first on risk aspects
• Use specific provisions as tests
• Leverage compliance process
© 2014 Accume Partners
24
Data Management
• Probably your highest area of residual risk
• You cannot manage risk if you don’t know exactly where
your data is…period
• Beyond that…
– Who, what, when, where, why and how
• Acquiring data access should be difficult
• Leverage monitoring technology
• View data like cash
© 2014 Accume Partners
25
Cloud Service Providers
• This model is not at all new, just the technology
• Mirror your internal standards
• Must be very clear on:
–
–
–
–
Fault tolerance
Data proximity
Data location
Service levels
• Tech specs matter
• Regulatory focus
Source: Techiestate.com
© 2014 Accume Partners
26
Vendor Management
• Proper oversight and due diligence is not optional, it’s
mandatory:
–
–
–
–
Where ‘s the data?
Who has access?
How are you protecting it?
Use documentation (Soc report, SIG, etc.) but never stop asking
hard questions
• Reinforced by regulatory guidance
• What are your breach response SLA’s?
• Use every resource available, like www.glassdoor.com
© 2014 Accume Partners
27
Trends and Issues
• Distributed Denial-of-Service (DDOS)
• Increasing in frequency
• May be one of two types:
– Flooding site
– Direct server attack
• May be a smokescreen for other activity
• Must address with your Internet Banking vendor
• If self-hosting:
– Talk with your Internet Service Provider
– Explore availability appliances
• Mobile may be a good alternate channel
© 2014 Accume Partners
28
Trends and Issues
• Phishing is an ongoing threat
• Social Engineering
• Configuration Management
• Advanced Persistent Threats (ATP)
– Known foreign sponsored groups
– Long-term, sophisticated attacks
– May be low-and-slow vs. brute force
• Patches remain your most critical protection
• Comprehensive risk management is more critical than
ever!
© 2014 Accume Partners
29
Mobile Banking / Mobile Devices
•
•
•
•
•
•
Still more unknowns than knowns
Increased fraud?
No “remember me” options
Insure aggressive timeout requirements
Clear terms & conditions are critical
Customer awareness
© 2014 Accume Partners
30
Change Management
• Risk management begins with strategy
• Requires understanding assumptions and agreed upon
risk tolerance levels
• Critical to have both IT & business input
• In this context, expand the analysis to confidentiality,
availability and integrity
• Remember, all operational risk failures are attributable to
a change of some sort
© 2014 Accume Partners
31
Data Breach Response Program
• Establish a primary & secondary coordinator
• Clear roles and responsibilities
• Link to incident response program
• Must have a first-day checklist
• Notification list & procedures
• Staff training is critical
• Data breach exercise!
© 2014 Accume Partners
32
Monitoring and Reporting
• Information security by nature defies M&R
• There is a limited amount we can monitor
– However, data trends can be meaningful
• Tie into KRI program – what can we track?
• The real value may be in the visibility
• Reporting must be timely, clear, root-cause focused and
actionable
• Some of this stuff really is interesting
© 2014 Accume Partners
33
To Summarize
• Starts with strategy
• Focus on risk awareness (culture)
• Training is absolutely critical
• You’re not focused enough on internal risk
• You need more discussion about residual risk
• Establish agreement on risk tolerance
• Must be masters at change management
• You must be able to respond FAST
© 2014 Accume Partners
34
Cyber Security
Other Resources
• http://www.verizonenterprise.com/
• http://www.darkreading.com/
• http://www.ponemon.org/
• http://www.searchsecurity.com/
• http://msisac.cisecurity.org/
• http://www.sans.org/
• https://cloudsecurityalliance.org/
Slide 35
Cyber Security
For more information, please contact:
Eric Holmquist
Managing Director, Enterprise Risk Management
341 New Albany Road
Moorestown, New Jersey 08057
Mobile Phone: 215.817.2107
[email protected]
© 2014 Accume Partners
36