Posted on 08-Jun-2020


P3_L1 Cyber Security_ Page 1

GaTech OMSCS – CS 6035: Introduction to Information Security

Reference: Computer Security by Stallings and Brown, Chapter 14 & 15

Part 3 Introduction:

So far, we've been focusing on the technology aspects of information security. However, the organizational and societal aspects are also very important. In the next few lectures Dr. Mustaque Ahamad is going to cover several of these topics.

We're going to start with managing cyber security in the context of an organization. So what is cyber risk? How can we reduce that risk using the technical solutions that we discussed, and what are the cost-benefit trade-offs, for example?

Once we do that, we're going to move on to how we can have consequences for the bad guys. Well, laws, or cyber laws in particular, are one way to do that. So we'll discuss some of the US cyber laws and then also some ethical considerations. Then we're going to wrap up with online privacy, which is a topic that is of a great deal of interest to many of us.

So far we have discussed a number of technical solutions to deal with cyber threats. But these solutions have to be considered in the context of an organization. For example: What are my cyber assets? What kind of risks do they face? Do the technical solutions really reduce this risk significantly? Are there people and process issues? These topics come under what we call managing cyber security, and cyber security management is going to be the focus of this lesson.

So far we have been talking about technical controls, whether it has to do with authentication, or, in the context of network security, we talked about firewalls and intrusion detection and so on. And these are used to secure the systems that we have in an organization. What are the assets that need to be secured? Who do they need to be secured from?


So let's talk a little bit more about this organizational context. We said there's something of value that is under threat, so we need to worry about securing it. But what other reasons may there be for us to worry about this problem?

Well, there may be legal and compliance reasons: financial data and health data, for example. HIPAA mandates how you can share health data online and things like that. One solution that we've been talking about is, of course, the various kinds of technical controls. For me to use these technical controls, I have to understand what kind of risk I'm facing. What is the threat source? What is the threat landscape for me? Of course the technical solution or control that I have is going to have an associated cost. I have to worry about what that cost is, and what is the benefit of actually deploying this particular solution that we're talking about?

So what are the challenges that we're going to face when we have this task of managing cyber security for the organization that we're talking about? We said we have to know what the assets are that are of value, and are they under risk? Also, we have to sort of understand the threats, and how serious are those threats? So when we talk about risk, actually we're going to look at this a little bit more, but risk is really the likelihood of an attack, okay? So the probability of an attack. It's not the worst case, though the worst can happen; it's sort of trying to compute the likely case in some sense.

So continuing with the challenges, even if I sort of identify my assets and threat sources, and perhaps the likelihood of attacks, then I have to worry about, well, what can I do about it? What sort of solutions are out there, or controls that exist? Deciding that, of course, is a challenge. We did talk about cost-benefit and the trade-offs that are there when you think about deploying various solutions. So, of course, we want to do it in a cost-effective manner. It sounds simple, but doing that, again, is a serious challenge. Obviously we have to argue that the cost is less than the reduction in risk we're going to have. Finally, we know that when you look at sort of the threat landscape, and I think in the context of database security we did the question where we said, what are the threats? External hackers or insiders? And we saw in one of the surveys that insiders and unauthorized access were ranked higher than external hackers. So we have to, of course, understand the people and the processes that we have.

The question is asking if you think that these should be part of this policy, Georgia Tech's policy. I mean, if you were responsible for managing security at a university like Georgia Tech, would the staff, students, and faculty need to adhere to the kind of requirements these options present? If you agree, then you check that. If you don't agree, then of course you leave that.

By requiring that passwords are changed periodically, we are sort of ensuring that it's going to be less likely that someone who is not the right user is going to be able to gain access to an account. So this is actually part of the policy we're going to see later on.

And if there is a compromise, if a computer is hacked, if a password is stolen, then we have to report it to somebody who's responsible for cyber security at Georgia Tech, maybe in your unit or it could be university wide, but yes, our policy does require this, so this option is also there.

The third one says Georgia Tech computers cannot be used to download illegal content; the example of that here is child pornography. It's absolutely a part of that.

Our next question is about a botnet operator. So let's say it compromises a number of computers in an organization. These computers are running malware, so these are the bots, and they're sending lots of spam email, but they don't look at any sensitive data. They're all just using the computational resources and the network resources to pump out lots of spam. So, sensitive data, they don't touch that, and they don't even interfere with any legitimate activities that may be going on on those machines. So, if this happens, tons of spam email sent by computers on your network, what should you do? I guess this is one of those situations, again, where compromises happened, and when something goes wrong, how do we respond to it? That's what we're thinking about here.

This is abuse of resources by unauthorized parties. We have to detect and act on it, so the first option is the right one. You really wouldn't want to recommend the second option because, although sensitive data is not sent out, as I said, you may get blacklisted eventually and you wouldn't be able to communicate, so of course legitimate activities will be impacted.

So let's talk about sort of planning for security. When we talk about security here, obviously we're talking about cyber security. So of course, the first thing you're going to ask is, what is of value, what are the assets? What needs to be secured? You've been asked to come in and plan. The next thing you have to ask is, if something has to be secured, whose responsibility is it to do that? So who is responsible for it? Okay, once we do that, the next thing we're going to say is, well, security is going to require some controls, okay? So once you have that, you have to say we know who is responsible for it, we know what kind of things they're doing or what controls they're putting in place, but are people really supported to do what they need to do? Do they have the budgets? Do they have the authority? And one thing to keep in mind is that no matter how well we do all these things that we are talking about, the risk is not going to be zero. So the chance, or likelihood, that something might go wrong, well, it's going to be there. And if something does go wrong, if that were to happen, how do we respond to that? How do we recover from that adverse event that has happened because some control either didn't exist or didn't function as it should have? And of course, if we had people who are responsible for doing certain things in the security planning that we did and something bad happens, there has to be accountability. So in the planning process we always have to keep in mind that we're never going to get 100% security. Okay. The risk is never going to be zero, so we have to worry about, we sort of focus on prevention and detection, but then of course we have to focus on response and recovery as well. And the planning process has to cover all those aspects.


The first part of security planning is to start doing an inventory of our assets. What is it that we have which is of value? And something that is of value, of course, has to have some risk to it. So there has to be a threat. That is the source of the risk that is faced by this particular asset.

So the servers, the software, the hardware: these are the assets that we have. And we have to concern ourselves with securing them. So, when you think about cyber security and planning for it, of course you have to worry about all these assets, or the list of what needs to be secured has to include all of these.

When you talk about the servers, so this is sort of the hardware. When it comes to software, we're running operating systems on these servers, or laptops, or mobile devices; the databases that store large amounts of data, perhaps; the services we're talking about; the applications we actually have on the devices. Again, when it comes to software and services we have to worry about that.

And of course the databases or the file systems, they're storing lots of data, either structured data or in files. Some of the data is going to be sensitive. Some of it could be highly sensitive. It could be your intellectual property, it could be employee records, and things like that, so of course we have to say where this data resides. What kind of database, which server, and are we securing the server, the database, and the data that's stored in it?

And whenever you talk about assets and securing them, securing them from whom? Are we concerned about external attackers or hackers? They could be cyber criminals. They could be motivated for some other reason. Activists, for example; activists perhaps don't like you or your business or whatever it is. So is it remote hackers that concern us when it comes to securing all these assets that we are talking about? Or is it insiders, employees within the organization?

Instructor Notes: VA Fails Security Audit

In this question, you're actually asked to sort of think about what are some of the challenges that potentially can help explain why the VA did not do well on this cyber security audit that was done by the Inspector General. So there are three options, and check all the ones that you think are possible reasons that may have contributed to the sorry state of cyber security that existed in the VA and resulted in a failing grade.

So the first option here is saying the VA needs to manage, or the CIO who's explaining why they got the poor grade is talking about, a huge number of devices. So this is the complexity reason: saying we have such a huge problem, okay? And that's why we were not able to fully address it. And actually this is one of the explanations he gave.

The next option here says lack of a sense of urgency in fixing vulnerabilities. And the CIO actually did not say that; he did say that they take vulnerabilities seriously, so this wasn't the reason.

The last option here is choosing to support key functions even when this could introduce vulnerabilities. This is kind of interesting. We say sometimes security gets in the way. These organizations have to get certain things done. And when you have to choose between not being able to do something and having security, of course you're going to say no, this needs to get done. And even if there's some vulnerability that exists, I have to take the risk, because the risk of not being able to do it is greater. So the CIO actually did say that there are situations they run into where they must support certain functions, knowing very well that those functions are critical and need to be supported, but supporting them is going to introduce certain vulnerabilities.

We talk about people who are responsible for cyber security. Well, the Chief Information Security Officer, or CISO, sometimes also called CSO, Chief Security Officer, is the executive who is responsible for information security in a company. If you think Target had a CISO when the leaks happened, you check yes. Otherwise you check no.

The answer to this question is the second one. They did not have a CISO, or CSO, at the time. They did have a CIO, and she was fired, a victim of this breach. And we're going to talk later on about who's responsible, who sort of entirely focuses on cybersecurity. The CISO's job is to do that. I should say that post-breach, they did actually end up hiring a Chief Information Security Officer who came from General Electric, where he was responsible for cybersecurity and risk.


So security planning, of course, has to address this question of what sort of controls make the most sense given our assets and given our threat posture, and so on. So what are some of these controls?

So the first thing that you have to worry about is identity and access management. This should come as no surprise, because we've been talking about authentication. That tells us who is making a request for any kind of resource we have in the system, and then we have access management. So Identity and Access Management is a buzzword you hear all the time. Access management basically says, if somebody is making a request for a resource, do they have permission to access that resource?

So, credentialing is essentially establishing who the person is; we're not going to worry about what you need to show to prove who you are. Based on that they're going to create an account for you, and they're going to decide what kind of access should be granted to you.

Using passwords, then, for example, you may have password policies: how long the password has to be, how frequently it has to be changed. We talked about the Georgia Tech policy, for example. Some places may have multi-factor authentication, for example; they may require that you have a token in addition to a password and things like that.

Then we have the other assets we are talking about: we have networks and we have hosts, servers and desktops and so on. So we have to have defenses for those as well. So we may have firewalls that control what comes into our network or what leaves our network. We may have Intrusion Detection and Prevention Systems that look at traffic at the network level, or look at network traffic or host activity, and so on, and decide if there is something suspicious that may be going on.

Another control or solution we might require is that people have anti-virus systems running on their machines. People talk about their effectiveness and question how good they are, but there's not going to be one solution that takes care of everything, or one control that takes care of everything. They all help you increase the level of assurance, as we said, that you are secure. So we may require this.

If people access our systems, our networks, from outside, we may require that we have a VPN solution, a Virtual Private Network solution. If they bring their own devices, that might necessitate something else.

We know that, since we are talking about systems and controls, for the software we run on our systems vulnerabilities may be discovered and patches may become available. And when we talk about controls, I think we're talking about technological controls. These examples, of course, password management or identity management, firewalls and so on, look like those, but another control is how we educate our users. So this could be, for example, some sort of periodic thing you run. We've seen many companies, for example, educate their employees so they don't fall for phishing attacks. Monthly, or so, they have these things where they send you an email and if you fall for it, this is not a real attack. This is sort of used to train and educate you that you shouldn't be falling for those kinds of things.

So we talked about security planning sort of consisting of many different parts; the last one we talked about was controls. Next, we talk about what we call a security policy that you have. We're talking really about enterprise security policy. You could have policies at the national level or something like that. The Federal government may have one across its different agencies, and each agency may have its own, and things like that, but if you think about this in the context of an enterprise, security planning requires that you have some sort of a security policy. What exactly is a security policy?

A security policy really, sort of at the high level, articulates what the security objectives are. What is it that we want? What goals do we have? We want to maintain confidentiality. We want to make sure that sensitive data is not disclosed to parties not authorized to see it. We want our systems to be available. We don't want our data to be corrupted. We don't want sensitive data to get into the wrong hands. We want to be legally compliant, or whatever. Because you can think of all the kinds of security objectives somebody might have, which actually motivate what a policy is.

So often this high level articulation would include some sort of a legal, business and regulatory rationale for why the policy has what it does. With legal and regulatory, you don't really have a lot of choice. Business reasons tell you why it's good for the enterprise or for the company. And what's good for the company, of course, is good for its employees. So that's the articulation of the underlying reasons why we want to have the kind of policy that we do.

So the policy is really what you should do and what should not be done. So we talked about passwords, for example. What kind of password you should choose, what the size and length of your password should be, things like that. We may have a web and email policy, for example: can you surf the web while you're at work? The policy actually might say, if something were to go wrong, if there is some security event that occurs, what sort of response we're going to have. If your machine gets compromised, do you have to inform somebody, for example?

The security policy, or the dos and don'ts, and we saw some examples of those, of course may have to do with prevention, so bad things don't happen. They may have to do with detection, so if there is a compromise, how you find out that there was a breach. They may have to do with how we respond to that sort of thing and how remediation occurs, and of course it must address the concerns and the impact that any of these things could have. So rationale, the articulation of why things need to be the way the policy says they should be: if it doesn't sort of address the concerns and needs and the impact it may have on users, of course the policy may not be well accepted.

So we talked about organizations, as part of their security planning, needing to have a security policy. Well, Georgia Tech has a computer and network use policy; we talked about do's and don'ts, what is okay to do and what you should not do. So let's quickly sort of look at some things that are there in the Georgia Tech computer and network use policy.

It does articulate, it does talk about, what some of the guiding principles are. Why does the policy look the way it does? First of all, the guiding principle is that we want to protect the important IT resources that Georgia Tech has. So when you protect, you're talking about protecting the data, the services, and things like that which are enabled by those resources. Another guiding principle is that we don't let anything illegal happen that involves our computer systems, our IT systems.

So these are the guiding principles, but you should read the policy. And here, we're just going to talk about a couple of quick highlights, things that you might think jump out and say, why do we have this?

So it talks about copyright and intellectual property, actually. So why is it talking about that? Of course, as a research university, Georgia Tech creates intellectual property and so on, and that intellectual property resides on our computers. But at the same time, campuses used to have a problem where people would download music. In particular, they would download music illegally, and universities got into trouble because of that. So we're obviously addressing that explicitly in the policy. Remember, the policy is about dos and don'ts, and if it is copyrighted material or there's intellectual property, how that should be handled. Of course, it talks about that.

Interestingly, it also talks about export controls. Universities have people from all over the world, and people work with counterparts in other countries and things like that, and when there's exchange of things across national boundaries, of course, export control becomes an issue. And that's why it's interesting that it sort of makes its way into this policy. But again, this is sort of the guiding principle here: if there are any legal requirements, we comply with them.

Georgia Tech's policy actually also, remember one of the things we said, we have to make sure that the people who are responsible for it can be held accountable and things like that. So it does address responsibility for securing the resources or the assets that we have, and it's kind of a distributed responsibility at Georgia Tech. When you look at sort of the larger network, the Office of Information Technology, which is a central organization for the entire university, well, they're responsible for it. But if you look at individual devices, laptops, servers, or desktops, all that is the responsibility of the unit or the individual whose machine it is. A unit, for example the School of Computer Science or the College of Computing, would be responsible for the computers that are used by their staff, faculty, and students. But protecting the Georgia Tech network, that is the responsibility of the central office. As I said, you should read the policy and all the different aspects that are covered by it.

The question is, should the policy address personal use of university resources? Remember, this is sort of dos and don'ts, so in some sense you should say, well, yeah, it should. And if it addresses it, does it say blanket, no personal use of university resources, or are there some exceptions?

Actually, if you read the policy, and we said the policy sort of describes the dos and don'ts and where they come from, personal use is allowed to some degree. They say incidental personal use is okay. So it's all right if you send a message to your friend or your family member. Again, you sort of need to use your judgement about when incidental personal use ends and personal use that is inconsistent with this part of the policy starts. So, yes, it's not a blanket prohibition, but of course I can't be using Georgia Tech computers to support a business that I have on the side.

So, the next question actually is about data about students, their grades for example; what is that motivated by, okay? So, the two options: regulatory reasons, or the data is sensitive and it's the right thing to do, okay? So, choose either one or both as you wish.


Actually, student data has to be protected; a regulatory reason there is FERPA. We talked about HIPAA for health data, where FERPA is in the educational context. Student grades and their performance are, of course, their personal information, and you can't release that or let somebody hack into your system.

Instructor Notes: Anthem's Breach Response

Anthem is Warning Customers

Fairly recently, there was a large scale breach. Anthem, actually, I was personally affected by it, because I do have insurance with Blue Cross Blue Shield, and Anthem has all these health insurance companies that it operates in different parts of the country. And they had a breach, and close to 80 million customers' data was perhaps stolen by whoever breached their systems. So this question is about, actually, what happened after that breach, okay. How did Anthem respond to it? Did they respond well, or did they not? Okay, that's the question.

So when we say somebody did or didn't respond well to an adverse thing that happened, reasonable people of course can have different answers and agree to disagree. They did a number of things that were kind of right. They actually discovered it themselves. It wasn't in the newspapers that they had been hacked. They fairly quickly actually reached out to law enforcement, also customers and so on. So a number of people feel that they actually did a good job; there were some things that they didn't do as well, according to others. One was that since they responded fairly quickly, they didn't know all the details, so the response was kind of weird. Others said, well, they didn't inform other key stakeholders, or people that they had business with, and things like that. But overall, I think the tone was positive, so I'm going to pick a yes here. If you read more about it and you have a different opinion and you have a good justification for it, here it's okay to choose a no.

So we said we were going to have controls in place, that we're going to have people responsible, we're going to have policy to inform people of our do's and don'ts and things like that, but that's not going to reduce our risk to zero. There's still the possibility, because there are unknown vulnerabilities, or people become victims of a phishing attack; we hear about those on a regular basis. So the risk is not going to go down to zero; something could still go wrong, despite having the best planning and best management for cyber security. So if there is a risk, how do we sort of get a sense of how much risk it is that we still have? What kind of risk are we dealing with?

Assessing such risk is important because we talked about cost benefit. So if you're going to make investments in cyber security, those investment decisions have to be based on risk and its reduction. You're going to pay for a certain control. How much is the risk being reduced? And we say risk is going to be reduced, because it's never going to be zero. The only way to make it zero is to disconnect from the rest of the world. But then you can't do anything useful.

So some risk is going to remain, and if the risk remains, well, how do you quantify it, given that your investments are going to be based on it? If you invest in a certain control, what are you going to pay for it? Certainly, there's a number. So if you're assessing risk or quantifying it, how exactly do you do it? It would be great to say, this is my risk and this is what I can do to deal with it, but how do you assess risk? One of the things we're going to find out is that quantifying it is actually not easy. There are various frameworks to see what you do or don't do that may pose some degree of risk, but actually quantifying it is what is hard, so that's what we're talking about.

So if we talk about quantification, is there a formula for the risk or the risk exposure we have? Risk is really, we said, how likely it is, the probability of an adverse security event happening. So the first thing you have to say is, well, there is a threat out there, they may come after me. I have some controls in place, but they may be able to get around them. And actually, I might get compromised, I may experience a breach or whatever it is. So what is the likelihood of that? You have to have the probability, and then you have to multiply by the impact of that adverse event.

If it's going to cost me $10 million to deal with that, well, and the probability is half, that's way too much. If the probability is half and it's going to cost you $10 million, your risk is $5 million. We said quantifying, and of course we have to quantify both of these quantities: the probability, as well as the impact or the loss that you're going to suffer as a result of the adverse event that we're talking about.


So there's something called risk leverage, because we like to reduce our risk exposure. And one way we can do that is by having some sort of control in place. A control, we know, comes with a cost. So risk leverage is for a given control. We're talking about quantifying the risk and then, if it's too high and you don't like it, trying to reduce it by putting in one or more controls. So when you put in a control, you can ask what the risk leverage of that control is.

So the way to compute that is: you say, what was my risk exposure before, or without, the control that is under consideration? That's without deploying it. Minus the risk exposure after this control is deployed. This difference is nothing but the amount by which the risk is reduced because of this control that we're going to put into our enterprise. So that's the decrease in risk, divided by the cost of that control that we're talking about. We've been saying we have to have a cost benefit analysis. This is how much risk we have; this is what happens to the risk if we do something about an unacceptable level of risk. And this is the cost of that control, which we have in the denominator here. So if you divide the reduction in risk by the cost, that gives you the risk leverage.

For any control that you have, risk leverage should be greater than 1. It makes no sense for it to be less than 1 because, in that case, you're saying your risk reduction actually is smaller than the cost. It's not very smart that you pay more and, overall, you're not in a better place than you were before in terms of the cost and whatever risk that you have. So this is how we compute the leverage, and whenever you talk about a particular control, if you do this and the value is not greater than 1, then of course that control should not be considered.

We said risk assessment is challenging: we don't understand all the threats, and we don't know what all our vulnerabilities are, of course, so it's hard to pin down. The likelihood of a successful attack is of course going to depend on what sort of vulnerabilities you might have and who's trying to target you. But we said, well, if you can come up with a probability and what happens as a result of an attack, then you can compute the risk; that's how you quantify or assess the risk. And you can try to reduce it, but that's really a question of managing it. How do we manage it? What options do we have for managing the risk that our business is exposed to on the cyber front?


So we talked about assessing it, but if it's too high, then of course we'd like to reduce it. So how do you reduce cyber risk? As we said, before we get into reduction, assessing required the likelihood as well as the impact. So how do you assess the impact? It's the expected loss we're talking about, so it's the expected loss, really the loss multiplied by the probability, so we do have to get to the loss. And when you talk about loss, it could be reputation loss; Target, of course, suffered that, including decreased sales. It's the cost of calling somebody in. So, for example, if you're Sony and you call FireEye or Mandiant to come figure out what happened, I'm sure they paid for that; Mandiant or FireEye got compensated really well. Your response may involve legal costs; you may have to buy identity theft protection for your customers and things like that. It's real dollars, and it's reputational. What you do in the aftermath. All that has to add up to the cost or the loss that you would attribute to a certain attack. And expected, I said, was that value multiplied by the probability. So that's really risk. Risk was probability times impact, so maybe the impact is a loss. So let's just talk about loss here.

So this one would still be talking about assessing risk. Now let's talk about how we manage risk. So there are only three things you can do once you come up with some sort of a risk estimate.

1) You can say, well, I can live with it. In that case, you're accepting the risk. Or you may want to transfer it, so the risk is transferred to another party. If something bad happens to you, the consequences or the cost is going to be borne by somebody else. That somebody else is going to do it only if they are paid to be in that business. And that business is the insurance business. So you can buy insurance, and by buying insurance, you're transferring it to whoever insures you.

2) The other option is you can reduce it. How do you reduce it? Well, you're going to reduce it by deploying new technology solutions, maybe a more expensive, more effective firewall. You can reduce it by educating your people or having training and things like that. More security awareness, of course, is going to ensure that it's less likely that they make a mistake, so that's going to reduce the likelihood or the probability of some adverse event, which we know is a factor in the way we compute our risk.

So, managing: once you have an estimate of the risk, there are a couple of options on how you can deal with that risk. As we said, this transfer thing happens in a lot of other domains. You buy insurance for your car, for your health, and things like that.


Now that we talked about risk, and we said risk is actually probability multiplied by impact. Impact is the loss you incur or suffer as a result of the breach. So this question is about how you figure out that loss. So the company, we talked about Anthem for example, or Target, stores sensitive data, customer data. Data that could be used for identity theft, for example, or credit card numbers and things like that. So it stores sensitive customer data. What is the impact of a breach of such data? And remember, the risk was probability times impact. So this is asking, what are we going to include in the impact?

The first one is the cost of purchasing identity theft protection for your customers. Anthem actually offered that to me. Some banks offered it to their customers when they had a breach, and so on. So this is a cost that is definitely because of this breach that we have had.

Loss of business due to reduced customer confidence. Well, that is an impact of this breach as well. It is a loss and it impacts you adversely. So that should figure into the impact of this event.

Compensation for new cyber security personnel the company hires to better manage cyber security in the future. Well, whether you include this or not, it actually happened as a result. Maybe you wouldn't have done it if you didn't have this breach, but this is really an investment in the future, so that in the future we don't have such a breach, or don't get attacked and react the way we did in this case. So this is really part of the response. It's how you get to a more secure state. This is probably not something that should be included in the impact, the loss that occurs because of this particular incident, or this breach. This is something that probably should have been there already, and if it had been there, then this situation wouldn't have happened.


There are two options. We look at cost and risk reduction. One is $100K, and that reduces the risk by 150. The other one is 250, and it reduces the risk by 500. So the question is, which solution would you recommend?

So how can we answer? Of course, one is cheaper, but the risk reduction is also a lot smaller; it's 150 only. It's the cheaper one because it's 100K, but the risk is only reduced by 150 here. The other one is two and a half times as expensive, but it's reducing the risk a lot more, by 500K.

So we said one way we can think about it is risk leverage. The risk leverage was the reduction in risk, so in the first case it's 150, divided by the cost, and that's 100. So the risk leverage is 1.5 for the first solution, the cheaper solution. For the more expensive solution it's 500, which is how much the risk is reduced by, divided by 250, which is the cost, so 2. The risk leverage is higher for the more expensive solution, and based on that reasoning you would recommend this one [the more expensive solution].
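The risk exposure formula (probability times impact), the risk leverage ratio, and the two-control quiz above, worked through in code. This is an added example, not part of the lecture notes; the lecture gives only each control's cost and risk reduction, so the $1M baseline exposure used to produce those reductions, and the overpriced third control, are constructed here.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


def risk_exposure(probability: float, impact: float) -> float:
    """Risk exposure = probability of an adverse event x impact (the loss it causes)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if impact < 0:
        raise ValueError("impact (loss) cannot be negative")
    return probability * impact


@dataclass(frozen=True)
class Control:
    """A candidate control: its cost and the risk exposure with and without it."""
    name: str
    cost: float
    exposure_before: float  # risk exposure without this control
    exposure_after: float   # risk exposure once this control is deployed

    @property
    def risk_reduction(self) -> float:
        """Numerator of risk leverage: exposure before minus exposure after."""
        return self.exposure_before - self.exposure_after


def risk_leverage(control: Control) -> float:
    """Risk leverage = (exposure before - exposure after) / cost of the control."""
    if control.cost <= 0:
        raise ValueError("a control's cost must be positive")
    return control.risk_reduction / control.cost


def is_worthwhile(control: Control) -> bool:
    """The lecture's rule: leverage <= 1 means the control costs more than the risk it removes."""
    return risk_leverage(control) > 1.0


def recommend(controls: Iterable[Control]) -> Optional[Control]:
    """Return the worthwhile control with the highest leverage, or None if none qualifies."""
    candidates = [c for c in controls if is_worthwhile(c)]
    if not candidates:
        return None
    return max(candidates, key=risk_leverage)


# The lecture's breach example: a $10M loss with probability one half is a $5M exposure.
BREACH_EXPOSURE = risk_exposure(0.5, 10_000_000)

# The quiz's two controls. Only cost and reduction are given in the lecture; the
# $1M baseline exposure is constructed so that the reductions come out as stated.
BASELINE = 1_000_000
CHEAPER = Control("cheaper solution", cost=100_000,
                  exposure_before=BASELINE, exposure_after=BASELINE - 150_000)
EXPENSIVE = Control("more expensive solution", cost=250_000,
                    exposure_before=BASELINE, exposure_after=BASELINE - 500_000)
# Constructed counter-example: removes $200K of risk but costs $300K, so leverage < 1.
OVERPRICED = Control("overpriced appliance (constructed)", cost=300_000,
                     exposure_before=BASELINE, exposure_after=BASELINE - 200_000)


if __name__ == "__main__":
    print(f"Breach example exposure: ${BREACH_EXPOSURE:,.0f}\n")
    for c in (CHEAPER, EXPENSIVE, OVERPRICED):
        verdict = "worth considering" if is_worthwhile(c) else "reject (leverage <= 1)"
        print(f"{c.name:<36} reduction ${c.risk_reduction:>9,.0f}  "
              f"cost ${c.cost:>9,.0f}  leverage {risk_leverage(c):.2f}  {verdict}")
    best = recommend([CHEAPER, EXPENSIVE, OVERPRICED])
    print(f"\nRecommended: {best.name if best else 'none'}")
```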

So cyber insurance was one way to, remember, manage risk: accept it, transfer it. Cyber insurance is how you transfer it. It's not very popular. Based on a 2014 survey, what percentage of the customers of major insurance brokers were interested in buying cyber insurance? There is more to read about it, but car insurance is mandated; you have to have it. So when it comes to cyber, the question is how many people actually are interested in buying cyber insurance. The exact number is not really important: is it small or significant? These are the two buckets you're asked to choose from. So what do you think? Which answer is the right one? Think and mark, and then we'll talk about the solution.


I guess it gave it away when it says it's still not very popular; of course, a lot of people are not interested in buying it. There are a variety of reasons, actually. People who are selling cyber insurance have too many exclusions. It's not really worth the cost. You pay for it, and when you need it they say this is excluded, and things like that. So people are interested in insurance when they think it's a good value for them, which means there are not too many exclusions and the cost is low, and those things don't hold when it comes to cyber insurance. So it's not very popular; not a lot of people are actually asking for it and buying it. This link has more information about it. You should read it.

So the whole idea of security planning and security management is to be better prepared when it comes to cyber security. So if your enterprise, your company, is asked how well prepared you are, how good is the state of your cyber security? Really, that's what the cyber security posture is. So, cyber security posture: how do we address our security, how do we prepare ourselves for cyber security, how do we handle it when something goes wrong.

The posture can be reactive; unfortunately, in many cases, this is what it is. What does reactive mean? Well, we worry about it because we're sort of forced to do it.

Because there are regulation or compliance requirements that say you must do so. And we react to that regulation that comes down our throats.

Or it's customers' demands, customers saying I will not do business with you unless you have that. A lot of companies these days, especially business to business, B2B, don't want to do business with someone who has lax cyber security. So again, we react to this demand that comes from somebody we want to do business with.

It could be in response to something bad that happens to us, okay. So a breach, for example: the Target, Home Depot examples everybody talks about. So we react to the adverse event that we suffered; that's another example of what a reactive security posture is.

And finally, it may be in response to events that our competition may have suffered. One bank, for example, suffers a breach, and other banks may react to that by making sure that the vulnerabilities that were exploited don't exist in their IT systems. So all these are examples of a reactive posture. I said, unfortunately, security is event driven: when something bad happens, people say we need it and so we need to do something about it. But this is what is called a reactive posture to cyber security.


Of course, it's better to have what is called a proactive approach to security. You plan for it; that's what security planning is talking about. You work hard to assess your risk, you do things to reduce it, you look at the cost, and you do that before either you're forced because of regulation or forced because something bad happens to you and you respond to it reactively. So what are some examples of proactive things that companies should be doing?

Well, first of all, it should be somebody's job to worry about cyber security and assets, how they are protected, how people are educated, cyber security insurance, having a good policy. Making sure people are held responsible and empowered to do things, and all the things we talked about when it comes to security planning and management. So having a champion whose job it is to worry about it, and the champion should have influence. If he or she doesn't have influence, of course you're not going to get anything meaningful done.

So one thing people talk about, for example, is whether this is proactively addressed at the highest level in an organization. Talk about the board level conversation. The board addresses various kinds of risks an enterprise has to deal with. Is cyber security risk one of those, or is there a conversation about it? Is there a conversation about what needs to be done to reduce that risk? Is there an investment made in cyber security controls, in solutions and personnel and things like that?

If that's done before bad things happen, that would be a proactive approach. Again, unfortunately, I'm not aware that this is happening in every company. In fact, one of the things that happened, we said, is that Target hired a CSO. Who does the CSO report to? Does the CSO report to the CIO? Well, then it's not at the highest level; it doesn't report to the CEO. The CEO maybe doesn't bring it up at the board level, and things like that. So proactive means somebody, the champion, looks ahead, has the influence that's necessary, and has support at the highest levels, and that would be a proactive posture for cyber security.

If you are the person who has to champion cyber security and get the company to a proactive cyber security posture, how do you make your case? You're the champion; it's your job to be as well prepared as possible given the cost benefits and risk tolerance and so on. What are the kinds of arguments you can make?


The easiest argument to make is the bottom line argument, or the economic argument that it's going to save us money. Of course, security doesn't make money. Security, we would say, is a cost. It doesn't bring money in, but we could lose money without it. The economic argument we can make is the return on investment argument, or the ROI argument. Saying, if you don't do this, we're going to lose $10 million. If you do this, it's only going to cost us 1 million, and we save 5 million; the losses we're going to suffer are going to be reduced by half. Then of course it's an investment you make: you're putting out one million but you're saving five million. So that is a pretty good return on investment. The economic argument makes sense when you say that by coming up with a budget to put a control in place, the cost that we're going to have is going to result in savings that are much greater than the cost. Significant savings, greater than the cost, so there is in a way a return on the investment. This is money we were going to lose that we're not going to lose now. And that's how our bottom line is going to be in a better state.

Of course, this does require that you estimate the costs and benefits that we're talking about, and unfortunately, that's pretty tricky.

Costs and benefits: either you can exactly quantify them, so that would be data driven, or it's perception. With perception it's what people perceive the risk to be, and what they perceive the risk reduction to be, maybe if we do A or B, or something like that. Versus actually knowing those probabilities and those impact numbers that you are talking about. So you're going to make an argument. This is all fine and good, but a lot of times it comes down to perception, and then people would say, well, this is their opinion. How do you know for sure? Do you have some hard numbers? And unfortunately, making this argument is difficult because a lot of times those hard numbers are not easy to come by.

So we've been talking about security planning and management. There are many different pieces that make up this whole process of planning and then managing security. How do we bring it all together? If you're going to go explain this to someone in a few minutes, what are the things you should be talking about?

Well, first of all, you're going to say that there are things that are of value which are at risk. Maybe your reputation, maybe your intellectual property; there are assets that are of value which are at risk.

Then you're going to talk about how the risk comes from certain threat sources. It's not only that there are bad guys out there; of course, we also have certain vulnerabilities, and those are the attack vectors, which is why those threat sources would be able to do us harm. That's why we need to worry about it: the risk comes from the fact not just that we have something of value, but that that thing could be harmed or could be breached. So the threats and attack vectors are really talking about threats and vulnerabilities. Together they come together and result in an attack. An attack then leads to a breach, and that's where we have the adverse consequences. So if we have that, we have to talk about things that are of value, and we have to talk about threats. These two are the reasons that help us explain that there is something at risk, and the amount or level of risk that we may have.

And the way to manage that risk is to plan for security, implement whatever controls are meaningful, and then manage that in terms of controls, people, processes, and things like that. And all that has to be done.

Again, for these controls that we're talking about, of course we're going to look at the cost. What benefits do they offer? What impact do they have? How user friendly are they? Things like that. So we have to look into the controls that we have and what their effectiveness is.

Then we have to identify people. It's their job to worry about security. We have to empower them to do it. They have to have the budget, they have to be able to have policies that can be enforced, and things like that. And people have to be held responsible and accountable, because when we know that something went wrong, they should be called to answer what exactly happened.

And no matter how well you do that, we have to plan for something going wrong. And when something goes wrong, a response is going to be needed. Remediation has to happen. There shouldn't be any surprises. We should be prepared and have a plan in place saying, if something bad were to happen, this is how we're going to respond to it.

Of course, people, as we said, need to be aware of the importance of security. The guiding principles, the do's and don'ts, all the things we were talking about under security policy, so we need to think about that.

And finally, we need to understand, and people have to recognize, that a proactive option is what gets you ahead of the threats in some sense. Threats change continuously. If you're just going to be in reactive mode, something new is going to come and hit you and you're going to suffer the same sort of thing that you did before. So proactively addressing the risk and the threats and the vulnerabilities, and having a champion to do that, is another part of this security planning and management that we're talking about.


Overall, understand what is of value, why there's risk to it, which is the threats and the vulnerabilities we're talking about. And then plan, implement, manage, and do that all proactively. That's bringing it all together when it comes to security planning and management.

Instructor Notes: PWC Report

According to this report, this yes/no question is asking: are we budgeting, making larger allocations for cyber security, as the threats become more sophisticated? According to this report that I'm talking about, and this is fairly recent, the answer is no. In fact, they report a slight dip in 2014. So people are not investing. Either they don't have the money to invest, they don't think they're getting a good return on it, or maybe they don't understand the risk very precisely. If it's vague, then of course it's hard to convince someone to put out the dollars to do that. So right now cyber security budgets, or investments in cyber security, are not dramatically going up.

We talked about reactive and proactive security measures. So this is saying, we have two options here. Which would you say is an example of proactive security? Remember, reactive is post something bad happening; it's the cleaning up and doing something in response. Proactive is getting ahead of that. So which one of these two would you say is a proactive measure?

The first one is not really proactive. The regulation is forcing you to do something, and when you comply, you're essentially reacting to the regulation and doing what they demand that you do. But the other one is the Chief Risk Officer of the company addressing cyber risk regularly at the highest level, and risk and investigation are discussed. I would say that is proactive, because you do this on a regular basis, and highest level means you do something to address them as well. So this is proactive versus reactive, which we had discussed.

We saw that managing cyber security is a complex undertaking because it has technical, people, and policy dimensions. We studied the tradeoffs that exist when we consider various security controls in the context of an organization. Security management covered how we can explore these tradeoffs and pick the right solutions to manage the cyber risk that is faced by an organization.