How to Assess and Manage Your Cyber Risk
Stephen Cobb, CISSP, Senior Security Researcher

Posted on 14-Aug-2015


Page 1: How to assess and manage cyber risk

How to Assess and Manage Your Cyber Risk
Stephen Cobb, CISSP
Senior Security Researcher

Page 2: How to assess and manage cyber risk

Stephen Cobb
Sr. Security Researcher, ESET North America

Stephen Cobb has been a CISSP since 1996 and has helped companies large and small to manage their information security, with a focus on emerging threats and data privacy issues. The author of several books and hundreds of articles on information assurance, Cobb is part of the research team at ESET North America, based in San Diego.

Page 3: How to assess and manage cyber risk

Today’s topic
• Information technology brings many benefits to a business, but IT also brings risks
• Your organization needs to know how to assess and manage those cyber risks
• Cyber risk assessment and management can provide a powerful hedge against many of the threats that your business faces

Page 4: How to assess and manage cyber risk

Polling Question

Q1: Has there been a risk analysis of your organization in the last 12 months?
• Yes
• No
• Not sure
• I don’t work for an organization

Page 5: How to assess and manage cyber risk

Risk assessment is fundamental
• It’s the basis of your security program
• Your defense in case of a breach
• And a hedge against fines!

Meaningful Use audit of a small optometry clinic in MN found: “failure to perform a proper risk assessment and follow policies and procedures.”
Penalty: Initial incentive payments had to be repaid, plus 2 more years of payments totaling more than $40,000 put in doubt

OCR investigation of ePHI breach at NY hospital found: “failure to complete an accurate and thorough risk analysis identifying all systems that access ePHI.”
Penalty: Fined $4.8 million.

Page 6: How to assess and manage cyber risk

Working definitions
• Follow standards in NIST and HIPAA literature
• Because even if your organization is not covered by federal standards, the courts will likely use those standards to determine guilt

“But your honor, how on earth could we have known that hackers would try to steal our customers’ data? My firm has never heard of this ‘risk analysis.’”

Page 7: How to assess and manage cyber risk

Risk Analysis:
• An assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of information held (or collected or processed) by the organization

Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf

Page 8: How to assess and manage cyber risk

Risk is…
• The likelihood that a specific threat will occur
• A Vulnerability triggered or exploited by a Threat equals a Risk

NIST SP 800-30

Vulnerability + Threat = Risk, illustrated:

Vulnerability: Your office network is connected to the Internet by a router that contains a software bug
Threat: Someone wants to steal information of the type that may be stored on your office network
Risk: The bug in your router will be used by a criminal to penetrate your network and steal information

Page 9: How to assess and manage cyber risk

Vulnerability is…
• Flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

Page 10: How to assess and manage cyber risk

Threat is…
• The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Natural threats: Floods, earthquakes, lightning strikes

Human threats: Unintentional, like accidentally deleting a file, OR intentional, like installing malicious software

Environmental threats: Power outage, Internet connectivity failure, office evacuation due to chemical spill

Page 11: How to assess and manage cyber risk

Risk is also
• The net mission impact, bearing in mind:
– the probability that a particular threat
– will exercise (accidentally trigger or intentionally exploit)
– a particular vulnerability
– and the resulting impact if this should occur

NIST SP 800-30

Page 12: How to assess and manage cyber risk

Polling Question

Q2: Has your organization experienced a significant data loss in the last 12 months?
• Yes
• No
• Not sure
• I don’t work for an organization

Page 13: How to assess and manage cyber risk

Risk and mission impact
• Missed deadline for RFP submission due to lack of access to data

Vulnerability + Threat = Risk, illustrated:

Vulnerability: Your office is easily accessible from the street and the door is unlocked
Threat: Someone wants to steal the kind of computer hardware you use in your office
Risk: Your computer is stolen, preventing you from meeting an important deadline

Page 14: How to assess and manage cyber risk

Risks arise from legal liability or mission loss due to
1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system.

Page 15: How to assess and manage cyber risk

Risk analysis in 8 steps
1. Identify the scope of the analysis
2. Gather data
3. Identify and document potential threats and vulnerabilities
4. Assess current security measures
5. Determine likelihood of threat occurrence
6. Determine potential impact of threat occurrence
7. Determine the level of risk
8. Identify security measures and finalize documentation

Page 16: How to assess and manage cyber risk

Steps 1 and 2
• Identify the scope of the analysis
– Is this an IT security risk analysis?
– General risk, company-wide?
– Department or project specific?
• Gather data
– Within the above bounds, make sure you are comprehensive in your data gathering with respect to assets and processes in scope
– Seek a range of perspectives

Page 17: How to assess and manage cyber risk

#3 Threats and Vulnerabilities
• Identify and document potential threats and vulnerabilities
– This is where you need to be current or your analysis will be flawed
– Are you aware of all the threats?
– Do you understand all of the vulnerabilities?
– Consider an audit or pen-test at this stage?

Page 18: How to assess and manage cyber risk

#4 Assess current security measures

• This can be done internally, but an outside view might be more perceptive

• Real world, healthcare company internal versus external findings:
– Internal: “We require passwords to be changed every six months” / External: The system allowed passwords to remain unchanged
– Internal: “We delete access for all ex-employees” / External: Several dozen ex-employees still had access
– Internal: “We use antivirus on all our endpoints” / External: But it was turned off in the HR department

Page 19: How to assess and manage cyber risk

#5 Determine likelihood of threat occurrence

[Figure: survey results; source: 2015 ISACA and RSA Conference Survey]

Page 20: How to assess and manage cyber risk

6+7: Determine potential impact of threat occurrence and level of risk
• Risks can be rated Low to High
• Based on Consequence and Occurrence Rate

[Figure: risk matrix with Occurrence Rate (High to Low) on one axis and Consequences (Low to High) on the other; example threats plotted: Human errors, Earthquake]

After: Jacobs, CSH6, Wiley

Page 21: How to assess and manage cyber risk

6+7: Impact of threat and level of risk
• Annualized Loss Exposure or ALE

ALE = Threat Occurrence Rate (number per year) × Threat effect factor (0.0 to 1.0) × Loss potential (in $)

Example: Malware infection
– Threat Occurrence Rate: 2 per month
– Limited impact: 0.5
– Loss potential: $25,000
– ALE = $600,000
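The following is an added worked example, not code from the presentation: it applies the ALE formula from this slide to a small constructed risk register and places each threat on the Low/High Occurrence Rate by Consequences grid from the previous slide (steps 5 to 7 of the eight-step analysis). Only the malware row uses the deck's inputs; the other threats, their dollar figures, and the thresholds used to call a rate or a consequence "High" are assumptions. One check worth making before trusting a register: with the slide's inputs converted to a yearly rate (2 per month = 24 per year), the formula as stated gives 24 × 0.5 × $25,000 = $300,000, while the slide's $600,000 is what the formula yields with a threat effect factor of 1.0, so confirm which factor each row actually records.

```python
"""Annualized Loss Exposure (ALE) for a small risk register.

Formula as stated on the slide:
    ALE = Threat Occurrence Rate (per year) x Threat effect factor (0.0-1.0) x Loss potential ($)

Everything below except the malware inputs is a constructed example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    occurrences_per_year: float  # Threat Occurrence Rate, already annualized
    effect_factor: float         # 0.0 = no loss when it occurs, 1.0 = full loss every time
    loss_potential: float        # worst-case loss per occurrence, in dollars

    def __post_init__(self) -> None:
        # Reject inputs the formula cannot meaningfully take.
        if not 0.0 <= self.effect_factor <= 1.0:
            raise ValueError(f"{self.name}: effect factor must be within 0.0..1.0")
        if self.occurrences_per_year < 0 or self.loss_potential < 0:
            raise ValueError(f"{self.name}: rate and loss potential must be non-negative")


def per_month_to_per_year(occurrences_per_month: float) -> float:
    """The slide quotes '2 per month'; the formula wants a yearly rate."""
    return occurrences_per_month * 12


def ale(threat: Threat) -> float:
    """Annualized Loss Exposure in dollars, rounded to cents."""
    return round(threat.occurrences_per_year * threat.effect_factor * threat.loss_potential, 2)


def rate_risk(threat: Threat, high_rate_per_year: float = 1.0,
              high_consequence_dollars: float = 50_000.0) -> tuple[str, str]:
    """Place a threat on the Low/High Occurrence Rate x Consequences grid.

    Thresholds are assumptions: an event expected at least once a year is a 'High'
    occurrence rate; an expected loss per occurrence (effect x loss potential) at or
    above the dollar threshold is a 'High' consequence.
    """
    occurrence = "High" if threat.occurrences_per_year >= high_rate_per_year else "Low"
    expected_loss_per_event = threat.effect_factor * threat.loss_potential
    consequence = "High" if expected_loss_per_event >= high_consequence_dollars else "Low"
    return occurrence, consequence


def prioritize(threats: list[Threat]) -> list[tuple[str, float]]:
    """Rank the register by ALE, largest exposure first."""
    return sorted(((t.name, ale(t)) for t in threats), key=lambda pair: pair[1], reverse=True)


# Constructed register. The malware row uses the slide's inputs; the others are made up
# to populate the corners of the Low/High grid.
MALWARE = Threat("Malware infection", per_month_to_per_year(2), 0.5, 25_000.0)
REGISTER = [
    MALWARE,
    Threat("Human error deletes a file", 52.0, 0.25, 2_000.0),           # weekly, cheap to recover
    Threat("Earthquake damages the office", 0.05, 0.5, 1_000_000.0),     # once in 20 years
    Threat("Computer stolen from unlocked office", 0.5, 1.0, 60_000.0),  # every other year
]

if __name__ == "__main__":
    for name, exposure in prioritize(REGISTER):
        print(f"{name:40s} ALE ${exposure:>12,.2f}")
    for threat in REGISTER:
        occ, cons = rate_risk(threat)
        print(f"{threat.name:40s} occurrence={occ:4s} consequence={cons}")
```

Ranking by ALE puts the frequent, moderate-loss malware threat well ahead of the rare earthquake even though the earthquake's single-event loss is far larger; the grid placement keeps that second perspective visible so a high-consequence, low-rate threat is not simply dropped off the bottom of the list.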

Page 22: How to assess and manage cyber risk

#8 Identify security measures and finalize documentation
• Important to document everything
• Risk analysis is not just an exercise
• Should lead to informed choices about security measures, in other words
• Risk management

Page 23: How to assess and manage cyber risk

Risk management consists of…
• Identifying risks – Risk Identification
• Assessment and classification of risks – Risk Assessment
• Dealing with risks – Risk Strategy

Definite overlap with risk analysis

This is where Management comes into play

Page 24: How to assess and manage cyber risk

4 ways of addressing risks
• Avoidance – Don’t make that movie about that dictator
• Reduction – Make sure all systems are patched regularly
• Acceptance – Take a calculated risk
• Transfer – Buy insurance
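The slide names the four options but does not say how to choose among them. One common way, shown here as an added example that is not from the presentation, is to compare the expected annual cost of each option for a threat with a known ALE: what the option costs per year plus the share of the original exposure it leaves behind. The ALE, the option costs and the residual fractions are constructed, and the scoring rule itself is an assumption about how an organization weighs the choice; the point is that "accept" is the right answer for small exposures and "reduce" or "transfer" only pays when the control costs less than the exposure it removes.

```python
"""Compare avoidance, reduction, acceptance and transfer on expected annual cost.

Added illustration. For a threat with annualized loss exposure ALE, each option scores
    expected annual cost = annual cost of the option + ALE that remains after it
and the cheapest option wins. All figures are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Treatment:
    strategy: str              # "avoid", "reduce", "accept" or "transfer"
    label: str                 # what the option means in practice
    annual_cost: float         # control spend, insurance premium, or income given up
    residual_fraction: float   # share of the original ALE still borne after the option (0.0..1.0)

    def __post_init__(self) -> None:
        if not 0.0 <= self.residual_fraction <= 1.0:
            raise ValueError(f"{self.strategy}: residual fraction must be within 0.0..1.0")
        if self.annual_cost < 0:
            raise ValueError(f"{self.strategy}: annual cost must be non-negative")


def expected_annual_cost(ale_before: float, option: Treatment) -> float:
    """Option cost plus the exposure it does not remove, rounded to cents."""
    return round(option.annual_cost + ale_before * option.residual_fraction, 2)


def compare(ale_before: float, options: list[Treatment]) -> list[tuple[str, float]]:
    """All options ranked cheapest first."""
    scored = ((o.strategy, expected_annual_cost(ale_before, o)) for o in options)
    return sorted(scored, key=lambda pair: pair[1])


def choose_treatment(ale_before: float, options: list[Treatment]) -> Treatment:
    """The option with the lowest expected annual cost; ties go to the earlier entry."""
    return min(options, key=lambda o: expected_annual_cost(ale_before, o))


# Constructed figures for one threat, e.g. exposure from systems that are not patched.
ALE_BEFORE = 100_000.0
OPTIONS = [
    Treatment("accept", "Take the calculated risk; change nothing", 0.0, 1.0),
    Treatment("reduce", "Patch all systems on a regular schedule", 15_000.0, 0.2),
    Treatment("transfer", "Buy insurance (premium plus the deductible you still carry)", 30_000.0, 0.4),
    Treatment("avoid", "Stop offering the service that carries the risk", 80_000.0, 0.0),
]

if __name__ == "__main__":
    for strategy, cost in compare(ALE_BEFORE, OPTIONS):
        print(f"{strategy:9s} expected annual cost ${cost:>10,.2f}")
    best = choose_treatment(ALE_BEFORE, OPTIONS)
    print(f"chosen: {best.strategy} ({best.label})")
```

With the constructed numbers, reduction (patching) wins at $35,000 a year against $70,000 for transfer, $80,000 for avoidance and $100,000 for doing nothing; rerun `choose_treatment` with an ALE of $5,000 and acceptance wins, which is the "calculated risk" the slide refers to.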

Page 25: How to assess and manage cyber risk

Help is available
• Engage an expert to set the baseline
• Use the tools that are available
– CompTIA Security Assessment Wizard
– HHS Security Risk Assessment Tool
– DHS Cyber Security Evaluation Tool
– OCTAVE from CERT

Page 26: How to assess and manage cyber risk

https://www.comptia.org/communities/it-security/documents/security-assessment-wizard

Page 27: How to assess and manage cyber risk

http://www.healthit.gov/providers-professionals/security-risk-assessment

Page 28: How to assess and manage cyber risk

https://ics-cert.us-cert.gov/Assessments

Page 29: How to assess and manage cyber risk

http://www.cert.org/resilience/products-services/octave/

OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation

Page 30: How to assess and manage cyber risk

OCTAVE: 8 steps in 4 phases
1. Develop risk measurement criteria consistent with the organization's mission, goal objectives, and critical success factors.

2. Create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers.

3. Identify threats to each information asset in the context of its containers.

4. Identify and analyze risks to information assets and begin to develop mitigation approaches.

Page 31: How to assess and manage cyber risk

OCTAVE: 8 steps in 4 phases

Page 32: How to assess and manage cyber risk

OCTAVE: worksheets provided

Page 33: How to assess and manage cyber risk

Thank You

[email protected]
@zcobb

Page 34: How to assess and manage cyber risk

Polling Question

Q5: I would like access to one of the following:
• Contact from ESET Sales
• A custom business edition trial of ESET software which includes our Remote Administrator
• A product demo of ESET Endpoint Solutions
• Information on becoming a reseller partner or MSP
• None of the Above