How to Assess and Manage Cyber Risk
TRANSCRIPT
![Page 1: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/1.jpg)
How to Assess and Manage Your Cyber Risk
Stephen Cobb, CISSP
Senior Security Researcher
![Page 2: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/2.jpg)
Stephen Cobb, Sr. Security Researcher, ESET North America
Stephen Cobb has been a CISSP since 1996 and has helped companies large and small to manage their information security, with a focus on emerging threats and data privacy issues. The author of several books and hundreds of articles on information assurance, Cobb is part of the research team at ESET North America, based in San Diego.
![Page 3: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/3.jpg)
Today’s topic
• Information technology brings many benefits to a business, but IT also brings risks
• Your organization needs to know how to assess and manage those cyber risks
• Cyber risk assessment and management can provide a powerful hedge against many of the threats that your business faces
![Page 4: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/4.jpg)
Polling Question
Q1: Has there been a risk analysis of your organization in the last 12 months?
Yes / No / Not sure / I don’t work for an organization
![Page 5: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/5.jpg)
Risk assessment is fundamental
• It’s the basis of your security program
• Your defense in case of a breach
• And a hedge against fines!
Meaningful Use audit of a small optometry clinic in MN found: “failure to perform a proper risk assessment and follow policies and procedures.”
Penalty: initial incentive payments had to be repaid, and two further years of payments totaling more than $40,000 were put in doubt.
OCR investigation of an ePHI breach at a NY hospital found: “failure to complete an accurate and thorough risk analysis identifying all systems that access ePHI.”
Penalty: fined $4.8 million.
![Page 6: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/6.jpg)
Working definitions
• Follow the standards in the NIST and HIPAA literature
• Because even if your organization is not covered by federal standards, the courts will likely use those standards to judge whether you exercised due care
“But your honor, how on earth could we have known that hackers would try to steal our customers’ data? My firm has never heard of this ‘risk analysis.’”
![Page 7: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/7.jpg)
Risk Analysis:
• An assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of information held (or collected or processed) by the organization
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
![Page 8: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/8.jpg)
Risk is…
• The likelihood that a specific threat will occur
• A Vulnerability triggered or exploited by a Threat equals a Risk
NIST SP 800-30
Vulnerability: your office network is connected to the Internet by a router that contains a software bug
+ Threat: someone wants to steal information of the type that may be stored on your office network
= Risk: the bug in your router will be used by a criminal to penetrate your network and steal information
![Page 9: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/9.jpg)
Vulnerability is…
• Flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
![Page 10: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/10.jpg)
Threat is…
• The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
Natural threats: floods, earthquakes, lightning strikes
Human threats: unintentional, like accidentally deleting a file, OR intentional, like installing malicious software
Environmental threats: power outage, Internet connectivity failure, office evacuation due to a chemical spill
![Page 11: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/11.jpg)
Risk is also
• The net mission impact, bearing in mind:
– the probability that a particular threat
– will exercise (accidentally trigger or intentionally exploit)
– a particular vulnerability
– and the resulting impact if this should occur
NIST SP 800-30
![Page 12: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/12.jpg)
Polling Question
Q2: Has your organization experienced a significant data loss in the last 12 months?
Yes / No / Not sure / I don’t work for an organization
![Page 13: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/13.jpg)
Risk and mission impact
• Missed deadline for RFP submission due to lack of access to data
Vulnerability: your office is easily accessible from the street and the door is unlocked
+ Threat: someone wants to steal the kind of computer hardware you use in your office
= Risk: your computer is stolen, preventing you from meeting an important deadline
![Page 14: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/14.jpg)
Risks arise from legal liability or mission loss due to:
1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system
![Page 15: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/15.jpg)
Risk analysis in 8 steps
1. Identify the scope of the analysis
2. Gather data
3. Identify and document potential threats and vulnerabilities
4. Assess current security measures
5. Determine likelihood of threat occurrence
6. Determine potential impact of threat occurrence
7. Determine the level of risk
8. Identify security measures and finalize documentation
![Page 16: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/16.jpg)
Steps 1 and 2
• Identify the scope of the analysis
– Is this an IT security risk analysis?
– General risk, company-wide?
– Department or project specific?
• Gather data
– Within the above bounds, make sure you are comprehensive in your data gathering with respect to the assets and processes in scope
– Seek a range of perspectives
![Page 17: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/17.jpg)
#3 Threats and Vulnerabilities
• Identify and document potential threats and vulnerabilities
– This is where you need to be current, or your analysis will be flawed
– Are you aware of all the threats?
– Do you understand all of the vulnerabilities?
– Consider an audit or pen-test at this stage
![Page 18: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/18.jpg)
#4 Assess current security measures
• This can be done internally, but an outside view might be more perceptive
• Real world, healthcare company: internal claims versus external findings

| Internal claim | External finding |
|---|---|
| “We require passwords to be changed every six months” | The system allowed passwords to remain unchanged |
| “We delete access for all ex-employees” | Several dozen ex-employees still had access |
| “We use antivirus on all our endpoints” | But it was turned off in the HR department |
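Each of the three claims above was contradicted by the systems themselves, which is why step 4 should be checked against exported data rather than against the policy document. The following Python script is an added example and not part of the presentation: it takes a directory export, an HR termination list and an endpoint inventory and reports every account or host that breaks the stated control. The sample records, the 180-day password age and the reference date are constructed for illustration.

```python
"""Added example: verify stated security controls against exported data
instead of trusting the policy statement.

All records below are constructed sample data, not from any real audit.
"""
from datetime import date, timedelta

# What the organization says its policy is.
POLICY = {
    "max_password_age_days": 180,   # "changed every six months" (assumed value)
    "av_required": True,            # "antivirus on all our endpoints"
}

# Constructed directory export: username, enabled flag, last password change.
ACCOUNTS = [
    {"user": "asmith", "enabled": True,  "pwd_last_set": date(2015, 1, 10)},
    {"user": "bjones", "enabled": True,  "pwd_last_set": date(2013, 6, 2)},
    {"user": "cdoe",   "enabled": True,  "pwd_last_set": date(2014, 11, 20)},
    {"user": "dlee",   "enabled": False, "pwd_last_set": date(2012, 3, 3)},
]

# Constructed HR list of people who have left the company.
TERMINATED = {"cdoe", "dlee"}

# Constructed endpoint inventory from the AV management console.
ENDPOINTS = [
    {"host": "hr-pc-01",  "dept": "HR",      "av_running": False},
    {"host": "fin-pc-07", "dept": "Finance", "av_running": True},
]


def stale_passwords(accounts, policy, today):
    """Enabled accounts whose password is older than the policy allows."""
    limit = timedelta(days=policy["max_password_age_days"])
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and today - a["pwd_last_set"] > limit)


def orphaned_accounts(accounts, terminated):
    """Enabled accounts that belong to people HR says have left.
    Disabled accounts are ignored: the control is about access, not existence."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["user"] in terminated)


def unprotected_endpoints(endpoints, policy):
    """Hosts where the required antivirus is present in inventory but not running."""
    if not policy["av_required"]:
        return []
    return sorted(e["host"] for e in endpoints if not e["av_running"])


def verify_controls(today=date(2015, 6, 1)):
    """Run every check and return the findings per control (empty list = pass)."""
    return {
        "passwords_rotated":     stale_passwords(ACCOUNTS, POLICY, today),
        "ex_employees_removed":  orphaned_accounts(ACCOUNTS, TERMINATED),
        "antivirus_everywhere":  unprotected_endpoints(ENDPOINTS, POLICY),
    }


if __name__ == "__main__":
    for control, findings in verify_controls().items():
        status = "FAIL" if findings else "PASS"
        print(f"{status}  {control}: {findings}")
```

Run against real exports, each non-empty list is a finding for the risk analysis and a concrete gap between the written control and the operated one. Checking the disabled flag as well as the termination list matters: an account that exists but cannot log in is not the exposure the control is meant to close.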
![Page 19: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/19.jpg)
#5 Determine likelihood of threat occurrence
(Chart: 2015 ISACA and RSA Conference Survey)
![Page 20: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/20.jpg)
6+7: Determine potential impact of threat occurrence and level of risk
• Risks can be rated Low to High
• Based on Consequence and Occurrence Rate

| Occurrence rate | Low consequence | High consequence |
|---|---|---|
| High | Human errors | |
| Low | | Earthquake |

After: Jacobs, CSH6, Wiley
![Page 21: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/21.jpg)
6+7: Impact of threat and level of risk
• Annualized Loss Exposure or ALE
ALE = Threat occurrence rate (number per year) × Threat effect factor (0.0 to 1.0) × Loss potential (in $$)
Example: malware infection
– Threat occurrence rate: 2 per month, i.e. 24 per year
– Limited impact: 0.5
– Loss potential: $25,000
– ALE = 24 × 0.5 × $25,000 = $300,000
![Page 22: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/22.jpg)
#8 Identify security measures and finalize documentation
• Important to document everything
• Risk analysis is not just an exercise
• It should lead to informed choices about security measures, in other words, to risk management
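Steps 6 through 8 are easier to defend when the register is rated both ways the slides describe and then ranked. The Python below is an added example, not material from the presentation: it applies the qualitative occurrence-rate/consequence matrix and the ALE formula to a small register and sorts the entries by ALE so that the choice of security measures in step 8 rests on numbers. The register entries, the "Medium" rating assumed for the two off-diagonal matrix cells (the slide only places human errors and earthquakes in opposite corners), and the cost-versus-ALE-reduction test for a candidate control are all assumptions added here.

```python
"""Added example: a small risk register rated qualitatively (2x2 matrix)
and quantitatively (ALE), then ranked.

Register figures are constructed for illustration only.
"""

# Qualitative matrix: (occurrence rate, consequence) -> rating.
# The "Medium" cells are an assumption; the slide labels only the corners.
RATING_MATRIX = {
    ("high", "high"): "High",
    ("high", "low"):  "Medium",
    ("low",  "high"): "Medium",
    ("low",  "low"):  "Low",
}


def qualitative_rating(occurrence_rate, consequence):
    """Look up the rating for an occurrence-rate / consequence pair."""
    key = (occurrence_rate.lower(), consequence.lower())
    if key not in RATING_MATRIX:
        raise ValueError("occurrence_rate and consequence must be 'high' or 'low'")
    return RATING_MATRIX[key]


def ale(occurrences_per_year, effect_factor, loss_potential):
    """Annualized Loss Exposure = occurrences per year x effect factor (0.0-1.0)
    x loss potential in dollars. Monthly rates must be converted by the caller
    (2 per month -> 24 per year); rounded to cents to avoid float noise."""
    if not 0.0 <= effect_factor <= 1.0:
        raise ValueError("threat effect factor must be between 0.0 and 1.0")
    if occurrences_per_year < 0 or loss_potential < 0:
        raise ValueError("rate and loss potential must be non-negative")
    return round(occurrences_per_year * effect_factor * loss_potential, 2)


# Constructed register (illustrative figures, not from any real assessment).
REGISTER = [
    {"risk": "Malware infection",
     "per_year": 24, "effect": 0.5, "loss": 25_000, "occ": "high", "cons": "low"},
    {"risk": "Accidental file deletion",
     "per_year": 52, "effect": 0.1, "loss": 2_000, "occ": "high", "cons": "low"},
    {"risk": "Earthquake damages office",
     "per_year": 0.02, "effect": 1.0, "loss": 2_000_000, "occ": "low", "cons": "high"},
    {"risk": "Computer stolen before RFP deadline",
     "per_year": 1, "effect": 0.8, "loss": 150_000, "occ": "low", "cons": "high"},
]


def assess(register):
    """Rate every entry both ways and return the rows ranked by ALE, highest first."""
    rows = [{"risk": r["risk"],
             "rating": qualitative_rating(r["occ"], r["cons"]),
             "ale": ale(r["per_year"], r["effect"], r["loss"])}
            for r in register]
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


def control_is_justified(ale_before, ale_after, annual_control_cost):
    """Assumed decision rule for the 'reduction' option: a control pays for
    itself when the ALE it removes exceeds its annual cost."""
    return (ale_before - ale_after) > annual_control_cost


if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['rating']:<6} ${row['ale']:>12,.2f}  {row['risk']}")
    # Would a $50k/year endpoint program that cuts malware ALE by 80% pay off?
    before = ale(24, 0.5, 25_000)
    print("endpoint program justified:",
          control_is_justified(before, before * 0.2, 50_000))
```

The two rating methods disagree on purpose: the earthquake sits in the high-consequence corner of the matrix but has a modest ALE because its rate is so low, while the malware entry is "Medium" qualitatively yet tops the ALE ranking. Presenting both to management, with the documented inputs, is what turns the analysis into the informed choice step 8 asks for.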
![Page 23: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/23.jpg)
Risk management consists of…
• Identifying risks – Risk Identification
• Assessment and classification of risks – Risk Assessment
• Dealing with risks – Risk Strategy
There is definite overlap with risk analysis; this is where Management comes into play.
![Page 24: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/24.jpg)
4 ways of addressing risks
• Avoidance – Don’t make that movie about that dictator
• Reduction – Make sure all systems are patched regularly
• Acceptance – Take a calculated risk
• Transfer – Buy insurance
![Page 25: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/25.jpg)
Help is available
• Engage an expert to set the baseline
• Use the tools that are available
– CompTIA Security Assessment Wizard
– HHS Security Risk Assessment Tool
– DHS Cyber Security Evaluation Tool
– OCTAVE from CERT
![Page 26: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/26.jpg)
https://www.comptia.org/communities/it-security/documents/security-assessment-wizard
![Page 27: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/27.jpg)
http://www.healthit.gov/providers-professionals/security-risk-assessment
![Page 28: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/28.jpg)
https://ics-cert.us-cert.gov/Assessments
![Page 29: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/29.jpg)
http://www.cert.org/resilience/products-services/octave/
Operationally Critical Threat Asset & Vulnerability Evaluation
![Page 30: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/30.jpg)
OCTAVE: 8 steps in 4 phases
1. Develop risk measurement criteria consistent with the organization’s mission, goals, objectives, and critical success factors.
2. Create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers.
3. Identify threats to each information asset in the context of its containers.
4. Identify and analyze risks to information assets and begin to develop mitigation approaches.
![Page 31: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/31.jpg)
OCTAVE: 8 steps in 4 phases
![Page 32: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/32.jpg)
OCTAVE: worksheets provided
![Page 34: How to assess and manage cyber risk](https://reader036.vdocument.in/reader036/viewer/2022062420/55cda5f2bb61eb093c8b4817/html5/thumbnails/34.jpg)
Polling Question
Q5: I would like access to one of the following:
Contact from ESET Sales / A custom business edition trial of ESET software which includes our Remote Administrator / A product demo of ESET Endpoint Solutions / Information on becoming a reseller partner or MSP / None of the Above