000 risk & precautions cyberlaw

Upload: phani-shivaraj

Post on 04-Apr-2018


TRANSCRIPT

  • 7/30/2019 000 Risk & Precautions Cyberlaw

    1/56 Risk Management

  • 2/56 How Much to Invest in Security?

    How much is too much? Firewall, intrusion detection/prevention, guard, biometrics, virtual private network, encrypted data & transmission, card readers, policies & procedures, audit & control testing, antivirus / spyware, wireless security.

    How much is too little? Hacker attack, internal fraud, loss of confidentiality, stolen data, loss of reputation, loss of business, penalties, legal liability, theft & misappropriation.

    Security is a balancing act between security costs & losses.

  • 3/56 Risk Management

    Risk management strategies are determined by both internal & external factors (diagram: internal factors, external factors, structure).

  • 4/56 Risk Management Process

    Establish scope & boundaries: What to investigate? What to consider?

    Risk assessment: identification (What assets & risks exist?), analysis (What does this risk cost?), evaluation (What priorities shall we set?)

    Risk treatment: avoid, reduce, transfer, retain (What controls can we use?); accept residual risk

    Risk communication & monitoring

  • 5/56 Risk Appetite

    Do you operate your computer with or without antivirus software? Do you have antispyware? Do you open emails with forwarded attachments from friends or follow questionable web links? Have you ever given your bank account information to a foreign emailer to make $$$?

    What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?

    Companies too have risk appetites, decided after evaluating risk.

  • 6/56 Continuous Risk Mgmt Process

    Cycle: identify & assess risks -> develop risk mgmt plan -> implement risk mgmt plan -> proactive monitoring, all within the organization's risk appetite.

    Risks change with time as business & environment change. Controls degrade over time and are subject to failure. Countermeasures may open new risks.

  • 7/56 Security Evaluation: Risk Assessment

    Five steps include:

    1. Assign values to assets: Where are the Crown Jewels?
    2. Determine loss due to threats & vulnerabilities: confidentiality, integrity, availability
    3. Estimate likelihood of exploitation: weekly, monthly, 1 year, 10 years?
    4. Compute expected loss: Loss = Downtime + Recovery + Liability + Replacement
    5. Treat risk: survey & select new controls; reduce, transfer, avoid or accept risk

  • 8/56 Step 1: Determine Value of Assets

    Identify & determine value of assets (Crown Jewels). Assets include:

    IT-related: information/data, hardware, software, services, documents, personnel
    Other: buildings, inventory, cash, reputation, sales opportunities

    What is the value of this asset to the company? How much of our income can we attribute to this asset? How much would it cost to recover this? How much liability would we be subject to if the asset were compromised?

    Helpful websites: www.attrition.org

  • 9/56 Determine Cost of Assets

    (Worksheet) For Sales and for each of Product A, Product B and Product C, fill in the risk costs: Replacement cost = , Cost of loss of integrity = , Cost of loss of availability = , Cost of loss of confidentiality = .

    Costs are tangible ($) or intangible (High/Med/Low).

  • 10/56 Matrix of Loss Scenario (taken from CISM Exhibit 2.16)

    Columns: Scenario | Size of Loss | Reputation Loss | Lawsuit Loss | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss

    Hacker steals customer data; publicly blackmails company | 1-10K records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M
    Employee steals strategic plan; sells data to competitor | 3-year | Min. | Min. | Min. | $20M | $2M
    Backup tapes and customer data found in garbage; makes front-page news | 10M records | $20M | $20M | $10M | $5M | $200K
    Contractor steals employee data; sells data to hackers | 10K records | $5M | $10M | Min. | Min. | $200K

  • 11/56 Step 1: Determine Value of Assets

    Columns: Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes

    Laptop | $1,000 | Mailings = $130 x #Cust; Reputation = $9,000 | Conf., Avail. | Breach Notification Law
    Equipment | $10,000 | $2K per day in income | Availability |

  • 12/56 Step 2: Determine Loss Due to Threats

    Natural: flood, fire, cyclones, rain/snow/hail and earthquakes
    Unintentional: fire, water, building damage/collapse, loss of utility services, and equipment failure
    Intentional: fire, water, theft, vandalism
    Intentional, non-physical: fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing, denial of service

  • 13/56 Threat Agent Types

    Columns: Agent | Motivation | Typical actions

    Hackers/Crackers | Challenge, rebellion | Unauthorized access
    Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
    Terrorists | Destruction/revenge/extortion | Info warfare
    Industry spies | Competitive advantage | Info theft, econ. exploitation
    Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse

  • 14/56 Step 2: Determine Threats Due to Vulnerabilities

    System vulnerabilities:

    Behavioral: unsatisfied employee, uncontrolled processes, poor network design, improperly configured equipment
    Misinterpretation: poorly-defined procedures, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement
    Coding problems: security ignorance, poorly-defined requirements, defective software, unprotected communication
    Physical vulnerabilities: fire, flood, negligence, theft, kicked terminals, no redundancy

  • 15/56 Step 3: Estimate Likelihood of Exploitation

    Best sources: past experience; specialists and expert advice; economic, engineering, or other models; market research & analysis; experiments & prototypes

  • 16/56 Likelihood of Exploitation: Sources of Losses

    Source: 2009 Annual Study: Evaluation of 31 organizations

    Lost laptop/device 35%
    Third party or outsourcer 21%
    Electronic backup 19%
    Paper records 9%
    Malicious insider or code 9%
    Hacked system 7%

  • 17/56 Step 4: Compute Expected Loss

    Risk analysis strategies:

    Qualitative: prioritizes risks so that highest risks can be addressed first; based on judgment, intuition, and experience; may factor in reputation, goodwill, nontangibles
    Quantitative: measures approximate cost of impact in financial terms
    Semiquantitative: combination of qualitative & quantitative techniques

  • 18/56 Step 4: Compute Loss Using Qualitative Analysis

    Qualitative analysis is used: as a preliminary look at risk; with non-tangibles, such as reputation, image -> market share, share value; when there is insufficient information to perform a more quantified analysis

  • 19/56 Vulnerability Assessment Quadrant Map

    (Chart) Axes: Threat (Probability) vs. Vulnerability (Severity). Plotted: Hacker/Criminal, Malware, Disgruntled Employee, Fire, Terrorist, Flood, Spy, Snow emergency, Intruder.

  • 20/56 Step 4: Compute Loss Using Semi-Quantitative Analysis

    Impact:
    1. Insignificant: no meaningful impact
    2. Minor: impacts a small part of the business, $1M
    4. Material: requires external reporting, >$200M
    5. Catastrophic: failure or downsizing of company

    Likelihood:
    1. Rare
    2. Unlikely: not seen within the last 5 years
    3. Moderate: occurred in last 5 years, but not in last year
    4. Likely: occurred in last year
    5. Frequent: occurs on a regular basis

    Risk = Impact * Likelihood

  • 21/56 SemiQuantitative Impact Matrix

    Rows (Impact): Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1). Columns (Likelihood): Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5). Each cell is Impact x Likelihood.
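A worked implementation of the semi-quantitative method on slides 20 and 21, added here as an example (it is not part of the original deck): it maps an incident history onto the deck's likelihood scale, scores Risk = Impact x Likelihood, builds the 5x5 matrix and ranks a constructed risk register. The meaning of "Rare", the stoplight thresholds and the register's impact ratings and histories are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Five-point scales from the deck (1 = lowest, 5 = highest).
IMPACT = {"Insignificant": 1, "Minor": 2, "Major": 3, "Material": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Frequent": 5}


def likelihood_from_history(years_since_last: Optional[float], recurring: bool = False) -> str:
    """Map an incident history onto the deck's likelihood scale.

    Frequent: occurs on a regular basis; Likely: occurred in the last year;
    Moderate: occurred in the last 5 years but not the last year;
    Unlikely: not seen within the last 5 years. The deck leaves Rare undefined;
    here (an assumption) Rare means no recorded occurrence at all.
    """
    if recurring:
        return "Frequent"
    if years_since_last is None:
        return "Rare"
    if years_since_last < 0:
        raise ValueError("years_since_last cannot be negative")
    if years_since_last <= 1:
        return "Likely"
    if years_since_last <= 5:
        return "Moderate"
    return "Unlikely"


def risk_score(impact: str, likelihood: str) -> int:
    """Risk = Impact * Likelihood, both on the 1..5 scale, so the score ranges 1..25."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def stoplight(score: int) -> str:
    """Band for a stoplight/heat chart. The thresholds are an assumption, not from the deck."""
    if score >= 15:
        return "Red"
    if score >= 8:
        return "Amber"
    return "Green"


def impact_matrix() -> dict:
    """The 5x5 semi-quantitative matrix: (impact, likelihood) -> score."""
    return {(i, l): risk_score(i, l) for i in IMPACT for l in LIKELIHOOD}


@dataclass
class Scenario:
    threat: str
    impact: str
    years_since_last: Optional[float] = None
    recurring: bool = False

    def likelihood(self) -> str:
        return likelihood_from_history(self.years_since_last, self.recurring)

    def score(self) -> int:
        return risk_score(self.impact, self.likelihood())


def rank(scenarios) -> list:
    """Highest score first, so the highest risks are addressed first (ties keep input order)."""
    return sorted(scenarios, key=lambda s: s.score(), reverse=True)


# Constructed register using threat names from the deck; the impact ratings and
# histories are invented for illustration.
REGISTER = [
    Scenario("Malware", "Minor", recurring=True),                 # Frequent(5) x Minor(2) = 10
    Scenario("Stolen laptop", "Major", years_since_last=0.5),     # Likely(4) x Major(3) = 12
    Scenario("Fire", "Catastrophic", years_since_last=12),        # Unlikely(2) x Catastrophic(5) = 10
    Scenario("Flood", "Material", years_since_last=None),         # Rare(1) x Material(4) = 4
    Scenario("Social engineering", "Major", years_since_last=3),  # Moderate(3) x Major(3) = 9
]
```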

  • 22/56 Step 4: Compute Loss Using Quantitative Analysis

    Single Loss Expectancy (SLE): the cost to the organization if one threat occurs once. E.g. stolen laptop = replacement cost + cost of installation of special software and data (assumes no liability). SLE = Asset Value (AV) x Exposure Factor (EF); with a stolen laptop, EF > 1.0.

    Annualized Rate of Occurrence (ARO): probability or frequency of the threat occurring in one year. If a fire occurs once every 25 years, ARO = 1/25.

    Annual Loss Expectancy (ALE): the annual expected financial loss to an asset, resulting from a specific threat. ALE = SLE x ARO

  • 23/56 Risk Assessment Using Quantitative Analysis

    Quantitative: cost of HIPAA accident with insufficient protections. SLE = $50K + (1 year in jail:) $100K = $150K, plus loss of reputation.

    Estimate of time = 10 years or less = 0.1

    Annualized Loss Expectancy (ALE) = $150K x 0.1 = $15K

  • 24/56 Annualized Loss Expectancy

    Asset value -> | $1K | $10K | $100K | $1M
    1 Yr | 1K | 10K | 100K | 1000K
    5 Yrs | 200 | 2K | 20K | 200K
    10 Yrs | 100 | 1K | 10K | 100K
    20 Yrs | 50 | 1K | 5K | 50K

    Asset costs $10K, risk of loss 20% per year. Over 5 years, average loss = $10K. Spend up to $2K each year to prevent loss.

  • 25/56 Quantitative Risk Workbook

    Columns: Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)

    Building | Fire | $1M | .05 (20 years) | $50K
    Laptop | Stolen | $1K + $9K (breach notif) | 0.2 (5 years) | $1K

  • 26/56 Step 5: Treat Risk

    Risk acceptance: handle attack when necessary. E.g.: comet hits. Ignore risk if risk exposure is negligible.
    Risk avoidance: stop doing risky behavior. E.g.: do not use Social Security Numbers.
    Risk mitigation: implement control to minimize vulnerability. E.g.: purchase & configure a firewall.
    Risk transference: pay someone to assume risk for you. E.g., buy malpractice insurance (doctor). While financial impact can be transferred, legal responsibility cannot.
    Risk planning: implement a set of controls.

  • 27/56 NIST Risk Assessment Methodology

    Input -> Activity -> Output:

    System characterization -> system boundary, system functions, system/data criticality, system/data sensitivity
    Identify threats (input: company history; intelligence agency data: NIPC, OIG) -> list of threats & vulnerabilities
    Identify vulnerabilities (input: audit & test results) -> list of threats & vulnerabilities
    Analyze controls -> list of current & planned controls
    Determine likelihood -> likelihood rating
    Analyze impact (input: business impact analysis; data criticality & sensitivity analysis) -> impact rating
    Determine risk -> documented risks
    Recommend controls -> recommended controls
    Document results -> risk assessment report

  • 28/56 Control Types

    (Diagram) Elements: Threat, Attack, Vulnerability, Impact. Controls: Deterrent Control, Preventive Control, Detective Control, Corrective Control, Compensating Control. Arrow labels: creates; results in; reduces likelihood of (twice); decreases.

  • 29/56 (Diagram) Labels: Deterrent control, Mitigating control, Detective control, Preventive control, Corrective control; Threat, Vulnerability, Impact, Risk probability, Residual risk.

  • 30/56 Controls & Countermeasures

    Cost of control should never exceed the expected loss assuming no control.

    Countermeasure = targeted control aimed at a specific threat or vulnerability. Problem: firewall cannot process packets fast enough due to IP packet attacks. Solution: add border router to eliminate invalid accesses.

  • 31/56 Analysis of Risk vs. Controls Workbook

    Columns: Risk | ALE or Score | Control | Cost of Control

    Stolen Laptop | $1K ($9K Breach Notif. Law) | Encryption | $60
    Disk Failure | $3K per day | RAID | $750
    Hacker | $9K Breach Notif. Law | Firewall | $1K

    Cost of some controls is shown in Case Study Appendix.
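An added example (not from the deck) that carries the quantitative workbook of slides 22 to 25 and the cost-of-control rule of slides 30 and 31 through in code: SLE from the deck's loss components, ARO from "once every N years", ALE = SLE x ARO, and whether a control's annual cost is justified by the expected loss it addresses. The sprinkler and access-logging controls and their costs are hypothetical; the other inputs follow the deck.

```python
from dataclasses import dataclass


@dataclass
class LossEvent:
    """Cost components of one occurrence of a threat against an asset, following the
    deck's formula Loss = Downtime + Recovery + Liability + Replacement."""
    downtime: float = 0.0
    recovery: float = 0.0
    liability: float = 0.0
    replacement: float = 0.0

    def sle(self) -> float:
        """Single Loss Expectancy: cost to the organization if the threat occurs once."""
        return self.downtime + self.recovery + self.liability + self.replacement


def aro_from_interval(years_between_events: float) -> float:
    """Annualized Rate of Occurrence from 'once every N years' (fire every 25 years -> 1/25)."""
    if years_between_events <= 0:
        raise ValueError("interval must be a positive number of years")
    return 1.0 / years_between_events


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = SLE x ARO."""
    return sle * aro


def control_justified(ale_without_control: float, annual_control_cost: float) -> bool:
    """Deck's rule: the cost of a control should never exceed the expected loss with no control."""
    return annual_control_cost <= ale_without_control


@dataclass
class WorkbookRow:
    asset: str
    threat: str
    loss: LossEvent
    years_between_events: float
    control: str
    control_cost_per_year: float

    def analyze(self) -> dict:
        sle = self.loss.sle()
        aro = aro_from_interval(self.years_between_events)
        expected = ale(sle, aro)
        return {"asset": self.asset, "threat": self.threat, "sle": sle, "aro": aro,
                "ale": expected, "control": self.control,
                "control_cost": self.control_cost_per_year,
                "justified": control_justified(expected, self.control_cost_per_year)}


# Constructed workbook. Inputs follow the deck: building fire $1M once in 20 years;
# laptop $1K replacement + $9K breach-notification liability once in 5 years;
# HIPAA disclosure $50K fine + $100K for a year in jail, once in 10 years;
# encryption $60 per year. The sprinkler and access-logging rows are hypothetical.
WORKBOOK = [
    WorkbookRow("Building", "Fire", LossEvent(replacement=1_000_000), 20,
                "Sprinkler system (hypothetical)", 8_000),
    WorkbookRow("Laptop", "Stolen", LossEvent(replacement=1_000, liability=9_000), 5,
                "Encryption", 60),
    WorkbookRow("Medical DB", "HIPAA disclosure", LossEvent(liability=150_000), 10,
                "Access logging (hypothetical)", 20_000),
]


def analyze_workbook(rows=WORKBOOK) -> list:
    """One analysis dict per row, highest ALE first, which is the priority order."""
    return sorted((r.analyze() for r in rows), key=lambda d: d["ale"], reverse=True)


if __name__ == "__main__":
    for d in analyze_workbook():
        print(f"{d['asset']:<10} {d['threat']:<17} SLE ${d['sle']:>10,.0f}  ARO {d['aro']:.2f}  "
              f"ALE ${d['ale']:>9,.0f}  {d['control']}: ${d['control_cost']:,.0f}/yr  "
              f"{'justified' if d['justified'] else 'NOT justified'}")
```

With these inputs the formula gives a laptop ALE of $2K (SLE $10K x ARO 0.2), which matches slide 24's rule of spending up to $2K a year to protect a $10K asset at 20% risk per year.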

  • 32/56 Extra Step: Step 6: Risk Monitoring

    Columns: Issue | Status | Cost

    Stolen Laptop | In investigation | $2K, legal issues
    HIPAA Incident Response | Procedure being defined | $200K
    Cost overruns | Internal audit investigation | $400K
    HIPAA: Physical security | Training occurred | $200K

    Report to mgmt: status of security, metrics showing current performance, outstanding issues, newly arising issues, how handled, when resolution is expected.

    Security dashboard, heat chart or stoplight chart.

  • 33/56 Training

    Importance of following policies & procedures
    Clean desk policy
    Incident or emergency response
    Authentication & access control
    Privacy and confidentiality
    Recognizing and reporting security incidents
    Recognizing and dealing with social engineering

  • 34/56 Security Control Baselines & Metrics

    Baseline: a measurement of performance. Metrics are regularly and consistently measured, quantifiable, inexpensively collected. Leads to subsequent performance evaluation. E.g. how many viruses is the help desk reporting?

    (Chart: counts 0-90 per year, Year 1 to Year 4, for Stolen Laptop, Virus/Worm and % Misuse. Company data - not real.)

  • 35/56 Risk Management

    Risk management is aligned with business strategy & direction. Risk mgmt must be a joint effort between all key business units & IS. Business-driven (not technology-driven).

    Steering Committee: sets risk management priorities; defines risk management objectives to achieve business strategy.

  • 36/56 Risk Management Roles

    Governance & Sr Mgmt: allocate resources, assess & use risk assessment results
    Chief Info Officer: IT planning, budget, performance incl. risk
    Info. Security Mgr: develops, collaborates, and manages IS risk mgmt process
    Security Trainers: develop appropriate training materials, including risk assessment, to educate end users
    Business Managers (Process Owners): make difficult decisions relating to priority to achieve business goals
    System / Info Owners: responsible to ensure controls in place to address CIA; sign off on changes
    IT Security Practitioners: implement security requirements into IT systems: network, system, DB, app, admin.

  • 37/56 Due Diligence

    Due Diligence = did careful risk assessment (RA). Due Care = implemented recommended controls from RA.

    Liability minimized if reasonable precautions taken. Senior mgmt support.

  • 38/56 Question

    Risk Assessment includes:

    1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
    2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
    3. Assesses controls after implementation
    4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

  • 39/56 Question

    Risk Management includes:

    1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
    2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
    3. Assesses controls after implementation
    4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

  • 40/56 Question

    The FIRST step in Security Risk Assessment is:

    1. Determine threats and vulnerabilities
    2. Determine values of key assets
    3. Estimate likelihood of exploitation
    4. Analyze existing controls

  • 41/56 Question

    Single Loss Expectancy refers to:

    1. The probability that an attack will occur in one year
    2. The duration of time where a loss is expected to occur (e.g., one month, one year, one decade)
    3. The cost of losing an asset once
    4. The average cost of loss of this asset per year

  • 42/56 Question

    The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:

    1. The Chief Information Officer
    2. The Chief Risk Officer
    3. The Chief Information Security Officer
    4. Enterprise governance and senior business management

  • 43/56 Question

    Which of these risks is best measured using a qualitative process?

    1. Temporary power outage in an office building
    2. Loss of consumer confidence due to a malfunctioning website
    3. Theft of an employee's laptop while traveling
    4. Disruption of supply deliveries due to flooding

  • 44/56 Question

    The risk that is assumed after implementing controls is known as:

    1. Accepted risk
    2. Annualized Loss Expectancy
    3. Quantitative risk
    4. Residual risk

  • 45/56 Question

    The primary purpose of risk management is to:

    1. Eliminate all risk
    2. Find the most cost-effective controls
    3. Reduce risk to an acceptable level
    4. Determine budget for residual risk

  • 46/56 Question

    Due Diligence ensures that:

    1. An organization has exercised the best possible security practices according to best practices
    2. An organization has exercised acceptably reasonable security practices addressing all major security areas
    3. An organization has implemented risk management and established the necessary controls
    4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization's information assets

  • 47/56 Question

    ALE is:

    1. The average cost of loss of this asset, for a single incident
    2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
    3. An estimate using qualitative risk management of the priority of the vulnerability
    4. ALE = SLE x ARO

  • 48/56 Vocabulary to Study

    Risk mgmt, risk appetite, risk analysis, risk assessment, risk treatment, residual risk
    Risk avoidance, risk reduction/risk mitigation, risk transference, risk retention/risk acceptance
    Threat, threat agent, vulnerability
    Qualitative risk analysis, quantitative risk analysis
    SLE, ARO, ALE
    Due diligence, due care

  • 49/56 HEALTH FIRST CASE STUDY: Analyzing Risk

    Jamie Ramon MD, Doctor
    Chris Ramon RD, Dietician
    Terry, Medical Admin
    Pat, Software Consultant

  • 50/56 Step 1: Define Assets

  • 51/56 Step 1: Define Assets

    Consider consequential financial loss.

    Columns: Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes

    Medical DB | | | C? I? A? |

    Consequential loss categories: Daily Operation (DO), Medical Malpractice (M), HIPAA Liability (H), Notification Law Liability (NL)

  • 52/56 Step 1: Define Assets

    Consider consequential financial loss.

    Columns: Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes

    Medical DB | | DO+M+H+NL | C I A |

    Daily Operation (DO) $ ; Medical Malpractice (M) $ ; HIPAA Liability (H) $ ; Notification Law Liability (NL) $

  • 53/56 HIPAA Criminal Penalties

    Columns: Offense | $ Penalty | Imprisonment

    Wrongful disclosure of individually identifiable health information | Up to $50K | Up to one year
    Wrongful disclosure committed under false pretenses | Up to $100K | Up to 5 years
    Wrongful disclosure with intent to sell, achieve personal gain, or cause malicious harm | Up to $500K | Up to 10 years

    Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims,

  • 54/56 Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation

    Normal threats: threats common to all organizations
    Inherent threats: threats particular to your specific industry
    Known vulnerabilities: previous audit reports indicate deficiencies.

  • 55/56 Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation

    (Chart) Vulnerability (Severity) axis, levels 1-4: Slow Down Business, Temp. Shut Down Business, Threaten Business. Threat (Probability) axis: 1 week, 1 year, 5 years (.2), 10 years (.1), 20 years (.05), 50 years (.02). Threats to place on the chart: Snow Emergency, Hacker/Criminal, Loss of Electricity, Malware, Failed Disk, Stolen Laptop, Stolen Backup Tape(s), Social Engineering, Intruder, Fire, Flood, Earthquake, Pandemic, Tornado/Wind Storm.

  • 56/56 Step 4: Compute Expected Loss / Step 5: Treat Risk

    Step 4: Compute E(Loss). ALE = SLE * ARO

    Columns: Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)

    Step 5: Treat Risk
    Risk acceptance: handle attack when necessary
    Risk avoidance: stop doing risky behavior
    Risk mitigation: implement control to minimize vulnerability
    Risk transference: pay someone to assume risk for you
    Risk planning: implement a set of controls