how to assess and manage cyber risk
TRANSCRIPT
How to Assess and Manage Your Cyber Risk
Stephen Cobb, CISSP
Senior Security Researcher
Stephen CobbSr. Security Researcher, ESET North America
Stephen Cobb has been a CISSP since 1996 and has helped companies large and small to manage their information security, with a focus on emerging threats and data privacy issues. The author of several books and hundreds of articles on information assurance, Cobb is part of the research team at ESET North America, based in San Diego.
Today’s topic
• Information technology brings many benefits to a business, but IT also brings risks
• Your organization needs to know how to assess and manage those cyber risks
• Cyber risk assessment and management can provide a powerful hedge against many of the threats that your business faces
Polling Question
Q1: Has there been a risk analysis of your organization in the last 12 months?
• Yes
• No
• Not sure
• I don’t work for an organization
Risk assessment is fundamental
• It’s the basis of your security program
• Your defense in case of a breach
• And a hedge against fines!
Meaningful Use audit of a small optometry clinic in MN found: “failure to perform a proper risk assessment and follow policies and procedures.”
Penalty: Initial incentive payments had to be repaid, plus 2 more years of payments totaling more than $40,000 put in doubt.
OCR investigation of ePHI breach at NY hospital found: “failure to complete an accurate and thorough risk analysis identifying all systems that access ePHI.”
Penalty: Fined $4.8 million.
Working definitions
• Follow standards in NIST and HIPAA literature
• Because even if your organization is not covered by federal standards, the courts will likely use those standards to determine guilt
But your honor, how on earth could we have known that hackers would try to steal our customers’ data? My firm has never heard of this “risk analysis.”
Risk Analysis:
• An assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of information held (or collected or processed) by the organization
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
Risk is…
• The likelihood that a specific threat will occur
• A Vulnerability triggered or exploited by a Threat equals a Risk
NIST SP 800-30
Vulnerability: Your office network is connected to the Internet by a router that contains a software bug
+
Threat: Someone wants to steal information of the type that may be stored on your office network
=
Risk: The bug in your router will be used by a criminal to penetrate your network and steal information
Vulnerability is…
• Flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
Threat is…
• The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
Natural threats: Floods, earthquakes, lightning strikes
Human threats: Unintentional, like accidentally deleting a file, OR intentional, like installing malicious software
Environmental threats: Power outage, Internet connectivity failure, office evacuation due to chemical spill
Risk is also
• The net mission impact, bearing in mind:
– the probability that a particular threat
– will exercise (accidentally trigger or intentionally exploit)
– a particular vulnerability
– and the resulting impact if this should occur
NIST SP 800-30
Polling Question
Q2: Has your organization experienced a significant data loss in the last 12 months?
• Yes
• No
• Not sure
• I don’t work for an organization
Risk and mission impact
• Missed deadline for RFP submission due to lack of access to data
Vulnerability: Your office is easily accessible from the street and the door is unlocked
+
Threat: Someone wants to steal the kind of computer hardware you use in your office
=
Risk: Your computer is stolen, preventing you from meeting an important deadline
Risks arise from legal liability or mission loss due to
1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system.
Risk analysis in 8 steps
1. Identify the scope of the analysis
2. Gather data
3. Identify and document potential threats and vulnerabilities
4. Assess current security measures
5. Determine likelihood of threat occurrence
6. Determine potential impact of threat occurrence
7. Determine the level of risk
8. Identify security measures and finalize documentation
Steps 1 and 2
• Identify the scope of the analysis
– Is this an IT security risk analysis?
– General risk, company-wide?
– Department or project specific?
• Gather data
– Within the above bounds, make sure you are comprehensive in your data gathering with respect to assets and processes in scope
– Seek a range of perspectives
#3 Threats and Vulnerabilities
• Identify and document potential threats and vulnerabilities
– This is where you need to be current or your analysis will be flawed
– Are you aware of all the threats?
– Do you understand all of the vulnerabilities?
– Consider an audit or pen-test at this stage?
#4 Assess current security measures
• This can be done internally, but an outside view might be more perceptive
• Real world, healthcare company internal versus external findings:
– “We require passwords to be changed every six months”
  Finding: The system allowed passwords to remain unchanged
– “We delete access for all ex-employees”
  Finding: Several dozen ex-employees still had access
– “We use antivirus on all our endpoints”
  Finding: But it was turned off in the HR department
#5 Determine likelihood of threat occurrence
2015 ISACA and RSA Conference Survey
6+7: Determine potential impact of threat occurrence and level of risk
• Risks can be rated Low to High
• Based on Consequence and Occurrence Rate
[Risk matrix: Consequences (Low to High) on one axis, Occurrence Rate (High to Low) on the other; plotted examples: Human errors, Earthquake]
After: Jacobs, CSH6, Wiley
6+7: Impact of threat and level of risk
• Annualized Loss Exposure or ALE
ALE = Threat Occurrence Rate (number per year) × Threat effect factor (0.0 to 1.0) × Loss potential (in $$)
Malware Infection
Threat Occurrence Rate: 2 per month
Limited impact: 0.5
Loss potential: $25,000
ALE = $600,000
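The ALE formula and the consequence-by-occurrence matrix from the two slides above, carried through in code. This is an added example, not material from the presentation: the scenarios, dollar figures and the Low/Medium/High thresholds are constructed for illustration, and the monthly-to-yearly conversion is there because the formula takes a per-year rate.

```python
# Added example (not from the presentation): Annualized Loss Exposure per the
# slide's formula, plus a coarse rating from the consequence x occurrence matrix.
# All scenario figures and thresholds below are constructed, not survey data.
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    occurrences_per_year: float   # threat occurrence rate, per YEAR
    effect_factor: float          # share of the loss potential realised, 0.0 to 1.0
    loss_potential: float         # worst-case loss per occurrence, in dollars


def per_month(rate: float) -> float:
    """Convert a per-month occurrence rate (as on the slide) to the per-year rate ALE needs."""
    return rate * 12


def ale(s: Scenario) -> float:
    """ALE = occurrence rate (per year) x threat effect factor x loss potential."""
    if not 0.0 <= s.effect_factor <= 1.0:
        raise ValueError("threat effect factor must lie between 0.0 and 1.0")
    return round(s.occurrences_per_year * s.effect_factor * s.loss_potential, 2)


def rate_risk(s: Scenario, consequence_threshold: float, occurrence_threshold: float) -> str:
    """Two-by-two matrix: High when both consequence and occurrence are high,
    Low when both are low, Medium otherwise. Thresholds are assumed inputs."""
    consequence = s.effect_factor * s.loss_potential   # expected loss per single event
    high_consequence = consequence >= consequence_threshold
    high_occurrence = s.occurrences_per_year >= occurrence_threshold
    if high_consequence and high_occurrence:
        return "High"
    if not high_consequence and not high_occurrence:
        return "Low"
    return "Medium"


def rank_by_ale(scenarios):
    """Order scenarios by ALE, highest first, to prioritise security measures."""
    return sorted(scenarios, key=ale, reverse=True)


# Constructed scenarios: rate per year, effect factor, loss potential in dollars
SCENARIOS = [
    Scenario("Phishing leads to credential theft", per_month(1), 0.5, 30_000),
    Scenario("Human error: accidental file deletion", per_month(4), 0.1, 5_000),
    Scenario("Laptop stolen from unlocked office", 1, 0.8, 20_000),
    Scenario("Earthquake disables the office", 0.02, 1.0, 500_000),
    Scenario("Lightning strike on backup generator", 0.1, 0.2, 10_000),
]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:40s} ALE=${ale(s):>10,.2f}  rating={rate_risk(s, 10_000, 6)}")
```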
#8 Identify security measures and finalize documentation
• Important to document everything
• Risk analysis is not just an exercise
• Should lead to informed choices about security measures, in other words
• Risk management
Risk management consists of…
• Identifying risks – Risk Identification
• Assessment and classification of risks – Risk Assessment
• Dealing with risks – Risk Strategy
Definite overlap with risk analysis
This is where Management comes into play
4 ways of addressing risks
• Avoidance – Don’t make that movie about that dictator
• Reduction – Make sure all systems are patched regularly
• Acceptance – Take a calculated risk
• Transfer – Buy insurance
Help is available
• Engage an expert to set the baseline
• Use the tools that are available
– CompTIA Security Assessment Wizard: https://www.comptia.org/communities/it-security/documents/security-assessment-wizard
– HHS Security Risk Assessment Tool: http://www.healthit.gov/providers-professionals/security-risk-assessment
– DHS Cyber Security Evaluation Tool: https://ics-cert.us-cert.gov/Assessments
– OCTAVE from CERT: http://www.cert.org/resilience/products-services/octave/
OCTAVE: Operationally Critical Threat, Asset & Vulnerability Evaluation
OCTAVE: 8 steps in 4 phases
1. Develop risk measurement criteria consistent with the organization's mission, goal objectives, and critical success factors.
2. Create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers.
3. Identify threats to each information asset in the context of its containers.
4. Identify and analyze risks to information assets and begin to develop mitigation approaches.
OCTAVE: 8 steps in 4 phases
OCTAVE: worksheets provided
Thank You
[email protected]
@zcobb
Polling Question
Q5: I would like access to one of the following:
• Contact from ESET Sales
• A custom business edition trial of ESET software which includes our Remote Administrator
• A product demo of ESET Endpoint Solutions
• Information on becoming a reseller partner or MSP
• None of the Above