TRANSCRIPT
P3_L1 Cyber Security_ Page 1
GaTech OMSCS – CS 6035: Introduction to Information Security
Reference: Computer Security by Stallings and Brown, Chapter 14 & 15
Part 3 Introduction:
So far, we've been focusing on the technology aspects of information security. However, the organizational aspects are also very important. In the next few lectures Dr. Mustaque Ahamad is going to cover several of these topics.
We're going to start with managing cyber security in the context of an organization. So what is cyber risk? How can we reduce that risk using the technical solutions that we discussed, and what are the cost-benefit trade-offs, for example?
Once we do that, we're going to move on to how we can have consequences for the bad guys. Well, laws, or cyber laws in particular, are one way to do that. So we'll discuss some of the US cyber laws and then also some ethical considerations. Then we're going to wrap up with online privacy, which is a topic that is of a great deal of interest to many of us.
So far we have discussed a number of technical solutions to deal with cyber threats. But these solutions have to be considered in the context of an organization. For example:
What are my cyber assets?
What kind of risks do they face?
Do the technical solutions really reduce this risk significantly?
Are there people and process issues?
These topics come under what we call managing cyber security, and cyber security management is going to be the focus of this lesson.
So far we have been talking about technical controls, whether it has to do with authentication, or, in the context of network security, we talked about firewalls and intrusion detection and so on. And these are used to secure the systems that we have in an organization.
What are the assets that need to be secured? Who do they need to be secured from?
So let's talk a little bit more about this organizational context. We said there's something of value that is under threat, so we need to worry about securing it. But what other reasons may there be for us to worry about this problem?
Well, there may be legal and compliance reasons: financial data and health data, for example. HIPAA mandates how you can share or store health data and things like that. One solution that we've been talking about is that of course there are various kinds of technical controls. For me to use these technical controls, I have to understand what kind of risk I'm facing. What is the threat source? What is the threat landscape for me? Of course the technical solution or control that I have is going to have an associated cost. I have to worry about what that cost is, and what the benefit is of actually deploying this particular solution that we're talking about.
So what are the challenges that we're going to face when we have this task of managing cyber security for the organization that we're talking about? We said we have to know what the assets are that are of value and whether they are under risk. Also, we have to sort of understand the threats. And how serious are those threats? So when we talk about risk, actually we're going to look at this a little bit more, but risk is really the likelihood of an attack, okay? So the probability of an attack. It's not the worst case, though the worst can happen. It's sort of trying to compute the likely case in some sense.
So continuing with the challenges, even if I sort of identify my assets and threat source, and perhaps the likelihood of attacks, then I have to worry about, well, what can I do about it? What sort of solutions are out there, or controls that exist? Deciding that of course is a challenge. We did talk about cost-benefit and the trade-offs that are there when you think about deploying various solutions. So, of course, we want to do it in a cost-effective manner. It sounds simple, but doing that, again, is a serious challenge. Obviously we have to argue that the cost is less than the reduction in risk we're going to have. Finally, we know that when you look at sort of the threat landscape, and I think in the context of database security we did the question where we said, what are the threats? External hackers or insiders, and we saw in one of the surveys that insiders and unauthorized access were ranked higher than external hackers. So we have to, of course, understand the people and the process that we have.
The question's asking if you think that it should be part of this policy, Georgia Tech's policy. I mean, if you are responsible for managing security at a university like Georgia Tech, would the staff, students, and faculty need to abide by the kind of requirements these options present? If you agree, then you check that. If you don't agree, then of course you leave that.
By requiring that the passwords are changed periodically, we are sort of ensuring that it's going to be less likely that someone who is not the right user is going to be able to gain access to an account. So this is actually part of the policy we're going to see later on.
And if there is a compromise, if a computer is hacked, if a password is stolen, then we have to report it to somebody who's responsible for cyber security at Georgia Tech, maybe in your unit or it could be university-wide, but yes, our policy does, so this option is also there.
The third one says Georgia Tech computers cannot be used to download illegal content; the example of that here is child pornography. It's absolutely a part of that policy.
Our next question is about a botnet operator. So let's say it compromises a number of computers in an organization. These computers are running malware, so these are the bots, and they're sending lots of spam email, but they don't look at any sensitive data. They're all just using the computational resources and the network resources to pump out lots of spam. So, sensitive data, they don't touch that, and they don't even interfere with any legitimate activities that may be going on on those machines. So, if this happens, tons of spam email sent by computers on your network, what should you do? I guess this is one of those situations, again, where a compromise happened, and when something goes wrong, how do we respond to it? That's what we're thinking about here.
The abuse of resources by these unauthorized parties, we have to detect and act on it, so the first option is the right one. You really wouldn't want to recommend the second option because, although sensitive data is not sent out, as I said, you may get blacklisted eventually, you wouldn't be able to communicate, so of course these legitimate activities will be impacted.
So let's talk about sort of planning for security. When we talk about security here, obviously we're talking about cyber security. So of course the first thing you're going to ask is, what is of value, what are the assets? What needs to be secured? You've been asked to come in and plan. The next thing you have to say is, if something has to be secured, whose responsibility is it to do that? So who is responsible for it? Okay, once we do that, the next thing then we're going to say is, well, security is going to require some controls, okay? So once you have that, you have to say we know who is responsible for it. We know what kind of things they're doing or what controls they're putting in place, but are people really supported to do what they need to do? Do they have the budgets? Do they have the authority? And one thing to keep in mind is that no matter how well we do all these things that we are talking about, the risk is not going to be zero. So the chance, or likelihood, that something might go wrong, well, it's going to be there. And if something does go wrong, if that were to happen, how do we respond to that? How do we recover from that adverse event that has happened because some control either didn't exist or didn't function as it should have? And of course, if we had people who are responsible for doing certain things in the security planning that we did and something bad happens, there has to be accountability. So in the planning process we always have to keep in mind that we're never going to get 100% security. Okay. The risk is never going to be zero, so we have to worry about, we sort of focus on prevention and detection, but then of course we have to focus on response and recovery as well. And the planning process has to cover all those aspects.
The first part of security planning is to start doing an inventory of our assets. What is it that we have which is of value? And something that is of value, of course, has to have some risk to it. So there has to be a threat. That is the source of the risk that is faced by this particular asset.
So the servers, the software, the hardware, these are the assets that we have. And we have to concern ourselves about securing them.
So, when you think about cyber security and planning for it, of course, you have to worry about all these assets, or the list of what needs to be secured has to include all these.
When you talk about the servers, so this is sort of the hardware. When it comes to software, we're running operating systems on these servers, or laptops, or mobile devices. The databases that store large amounts of data, perhaps, the services that we are talking about, the applications actually we have on the devices. Again, when it comes to software and services, we have to worry about that.
And of course the databases or the file systems, they're storing lots of data, either structured data or in files.
Some of the data is going to be sensitive. Some of it could be highly sensitive. It could be your intellectual property, it could be employee records and things like that, so of course we have to say where this data resides. What kind of database, which server, and are we securing the server, the database, and the data that's stored in it?
And whenever you talk about assets and securing them, securing them from whom? Are we concerned about external attackers or hackers? They could be cyber criminals. They could be motivated for some other reason. Activists, for example; activists perhaps don't like you or your business or whatever it is. So is it remote hackers that concern us when it comes to securing all these assets that we are talking about? Or is it insiders, employees within the organization?
Instructor Notes: VA Fails Security Audit
In this question, you're actually asked to sort of think about what some of the challenges are that potentially can sort of help explain why the VA did not do well on this cyber security audit that was done by the Inspector General. So there are three options, and check all the ones that you think are possible reasons that may have contributed to the sorry state of cyber security that existed in the VA and resulted in a failing grade.
So the first option here is saying the VA needs to manage, or the CIO who's explaining why they got the poor grade is talking about, a huge number of devices. So this is how the complexity gets you, reasoning that we have such a huge problem, okay? And that's why we are not able to fully address it. And actually this is one of the explanations he gave.
The next option here says lack of a sense of urgency in fixing vulnerabilities. And the CIO actually did not say that; he did say that they take vulnerabilities seriously, so this wasn't the reason.
The last option here is choosing to support key functions even when this could introduce vulnerabilities. This is kind of interesting. We say sometimes security gets in the way. These organizations have to get certain things done. And when you have to choose between not being able to do something and having security, of course you're going to say no, this needs to get done. And even if there's some vulnerability that exists, I have to take the risk, because the risk of not being able to do it is greater. So the CIO actually did say that there are situations they run into where they must support certain functions, knowing very well that those functions are critical. They need to be supported, but supporting them is going to introduce certain vulnerabilities.
We talk about people who are responsible for cyber security. Well, the Chief Information Security Officer, or CISO, sometimes also called CSO, Chief Security Officer, is the executive who is responsible for information security in a company. If you think Target had a CISO when the leaks happened, you check yes. Otherwise you check no.
The answer to this question is the second one. They did not have a CISO, or CSO, at the time. They did have a CIO, and she was fired; she was one of the victims of this breach. And we're going to talk about later on who's responsible, who sort of entirely focuses on cybersecurity. The CISO's job is to do that. I should say that post-breach, they did actually end up hiring a Chief Information Security Officer who came from General Electric, where he was responsible for cybersecurity and risk.
So security planning, of course, has to address this question of what sort of controls make the most sense given our assets and given our threat posture, and so on. So what are some of these controls?
So the first thing that you have to worry about is identity and access management. This should come as no surprise because we've been talking about authentication. That tells us who is making a request for any kind of resource we have in the system, and then we have access management. So Identity and Access Management is a buzzword you hear all the time. Access management basically says, if somebody is making a request for a resource, do they have permission to access that resource?
So, credentialing is essentially deciding who the person is; we're not going to worry about what you need to show to prove who you are. And based on that, they're going to create an account for you. And they're going to decide what kind of access should be granted to you.
Using passwords, then, for example, you may have password policies. How long the password has to be. How frequently it has to be changed. We talked about the Georgia Tech policy, for example. Some places may have multi-factor authentication; for example, they may require that you have a token in addition to a password and things like that.
Then we have the assets we are talking about: we have networks and we have hosts, servers and desktops and so on. So we have to have defenses for those as well.
So we may have firewalls that control what comes into our network or what leaves our network. We may have Intrusion Detection and Prevention Systems that look at traffic at the network level, or look at network traffic or host activity, and so on, and decide if there is something suspicious that may be going on.
Another control or solution we might require is that people have anti-virus systems running on their machines. People talk about their effectiveness and question how good they are, but there's not going to be one solution that takes care of everything or one control that takes care of everything. They all help you increase the level of assurance, as we said, that you are secure. So we may require this.
If people access our systems, the networks, from outside, we may require that we have a VPN solution, a Virtual Private Network solution. If they bring their own devices, that might necessitate something else.
We know that the software we run on our systems, since we are talking about systems and controls, may have vulnerabilities discovered, and patches may become available.
And when we talk about controls, I think we're talking about technological controls. These examples, of course, password management or identity management, firewalls and so on, look like those, but a control that is not a technological one is how we educate our users. So this could be, for example, some sort of periodic thing you run. We've seen many companies, for example, educate their employees so they don't fall for phishing attacks. Monthly, they have these things where they send you an email and if you fall for it, this is not a real attack. This is sort of used to train and educate you that you shouldn't be falling for those kinds of things.
So we talked about security planning sort of consisting of many different parts; the last one we talked about was controls. Next, we talk about what we call a security policy that you have. We're talking here about enterprise security policy. You could have policies at a national level or something like that. The federal government may have one across its different agencies, and each agency may have its own and things like that, but if you think about this in the context of an enterprise, security planning requires that you have some sort of a security policy. What exactly is a security policy?
A security policy really, sort of at the high level, articulates what the security objectives are. What is it that we want? What goals do we have? We want to maintain confidentiality. We want to make sure that sensitive data is not disclosed to parties not authorized to see it. We want our systems to be available. We don't want our data to be corrupted. We don't want sensitive data to get into the wrong hands. We want to be legally compliant or whatever. Because you can think of all the kinds of security objectives somebody might have, which actually motivate what a policy is.
So often this high-level articulation would include some sort of a legal, business and regulatory rationale for why the policy has what it does. With legal and regulatory, you don't really have a lot of choice. Business reasons tell you why it's good for the enterprise or for the company. And what's good for the company, of course, is good for its employees. So that's the articulation of the reasons why we want to have the kind of policy that we do.
So the policy is really what you should do and what should not be done.
So we talked about passwords, for example. What kind of password you should choose, what the size and length of your password should be, things like that.
We may have a web and email policy, for example, can you surf the web while you're at work?
The policy actually might say, if something were to go wrong, if there is some security event that occurs, what sort of response we're going to have. If your machine gets compromised, do you have to inform somebody, for example?
The security policy, or the dos and don'ts, and we saw some examples of those, of course may have to do with prevention, so bad things don't happen. They may have to do with detection, so, on a compromise, how you find out that there was a breach; they may have to do with how we respond to that sort of thing and how remediation occurs; and of course they must address the concerns and the impact that any of these things could have. So rationale, articulation of why things need to be the way the policy says they should be, and if it doesn't sort of address the concerns and needs and the impact it may have on users, of course the policy may not be well accepted.
So we talked about how organizations, as part of their security planning, need to have a security policy. Georgia Tech has a computer and network use policy; we talked about dos and don'ts. What is okay to do, and what you should not do. So let's quickly sort of look at some things that are there in the Georgia Tech computer and network use policy.
It does articulate, it does talk about, what some of the guiding principles are. Why does the policy look the way it does?
First of all, the guiding principle is that we want to protect the important IT resources that Georgia Tech has. So when you protect, you're talking about protecting the data, the services, and things like that which are enabled by those resources.
Another guiding principle is that we don't let anything illegal happen that involves our computer systems, our IT systems.
So these are the guiding principles, but you should read the policy. And here, we're just going to talk about sort of a couple of quick highlights, things that you might think jump out and say, why do we have this?
So it talks about copyright and intellectual property, actually. So why is it talking about that? Of course, as a research university, Georgia Tech creates intellectual property and so on, and that intellectual property resides on our computers. But at the same time, state campuses used to have a problem where people would download music. In particular, they would download illegal music, and universities got into trouble because of that. So we're obviously addressing that explicitly in the policy. Remember, the policy is about dos and don'ts, and if it is copyrighted material or there's intellectual property, how that should be handled. Of course, it talks about that.
Interestingly, it also talks about export controls. Universities have people from all over the world, and people work with counterparts in other countries and things like that, and when there's exchange of things across national boundaries, of course, export control becomes an issue. And that's why it's interesting that it sort of makes its way into this policy. But again, this is sort of the guiding principle here: if there are any legal requirements, we comply with them.
Georgia Tech's policy actually also, remember one of the things we said, we have to make sure that the people who are responsible for it can be held accountable and things like that. So it does address responsibility for securing the resources or the assets that we have, and it's kind of a distributed responsibility at Georgia Tech.
When you look at sort of the larger network, the Office of Information Technology, which is a central organization for the entire university, well, they're responsible for it.
But if you look at individual devices, laptops, servers, or desktops, all that is the responsibility of the unit or the individual whose machine it is. A unit, for example, the School of Computer Science or the College of Computing, would be responsible for the computers that are used by their staff, faculty, and students. But protecting the Georgia Tech network, that is the responsibility of the central office. As I said, you should read the policy and all the different aspects that are covered by it.
The question is, should the policy address personal use of university resources? Remember, this is sort of dos and don'ts, so in some sense you should say, well, yeah, it should. And if it addresses it, does it say blanket no personal use of university resources, or are there some exceptions?
Actually, if you read the policy, and we said the policy sort of describes the dos and don'ts and where they come from, personal use is allowed to some degree. They say incidental personal use is okay. So it's all right if you send a message to your friend or your family member. Again, you sort of need to use your judgement about when incidental personal use ends and personal use that is inconsistent with this part of the policy starts. So, yes, it's not a blanket prohibition, but of course I can't be using Georgia Tech computers to support a business that I have on the side.
So, the next question actually is about data, about students, their grades for example; what is that motivated by, okay? So, the two options: regulatory reasons, or the data is sensitive and it's the right thing to do, okay? So, choose either one or both as you wish.
Actually, student data has to be protected; a regulatory reason there is FERPA. We talked about HIPAA for health data, whereas FERPA is in the educational context. Student grades and their performance are of course their personal information, and you can't release that or let somebody hack into your system.
Instructor Notes: Anthem's Breach Response
Anthem is Warning Customers
Fairly recently, there was a large-scale breach. Anthem, actually, I was personally affected by it, because I do have insurance with Blue Cross Blue Shield, and Anthem has all these health insurance plans that they offer through these companies in different parts of the country. And they had a breach, and close to 80 million customers' data was perhaps stolen by whoever breached their systems. So this question is about, actually, what happened after that breach, okay. How did Anthem respond to it? Did they respond well, or did they not? Okay, that's the question.
So when we say whether somebody responded well to an adverse thing that happened, reasonable people of course can have different answers and agree to disagree. They did a number of things that were kind of right. They actually discovered it themselves. It wasn't in the newspapers that they had been hacked. They fairly quickly actually reached out to law enforcement, and also customers and so on. So a number of people feel that they actually did a good job; there were some things that they didn't do as well, according to others.
One was that since they responded fairly quickly, they didn't know all the details, so the response was kind of weird. Others said, well, they didn't inform other key stakeholders, or people that they had business with, and things like that. But overall, I think the tone was positive, so I'm going to pick a yes here. If you read more about it and you have a different opinion and you have a good justification for it, here it's okay to choose a no.
So we said we were going to have controls in place, that we're going to have people responsible, we're going to have policy to inform people of our dos and don'ts and things like that, but that's not going to reduce our risk to zero. There's still the possibility, because there are unknown vulnerabilities, or because people became victims of a phishing attack; we hear about those on a regular basis. So the risk is not going to go down to zero; something could still go wrong, despite having the best planning and best management for cyber security. So if there is a risk, how do we sort of get a sense of how much risk it is that we still have? What kind of risk are we dealing with?
Assessing such risk is important because we talked about cost-benefit. So if you're going to make an investment in cyber security, those investment decisions have to be based on risk and its reduction. So you're going to pay for a certain control. How much is the risk being reduced?
And we say risk is going to be reduced, because it's never going to be zero. The only way to make it zero is to disconnect from the rest of the world. But then you can't do anything useful.
So some risk is going to remain, and if the risk remains, well, how do you quantify it, if your investments are going to be based on it? Investing in a certain control, what are you going to pay for it? Certainly, there's a number. So if you're assessing risk or quantifying it, how exactly do you? It would be great to say, this is my risk and this is what I can do to deal with it, but how do you assess risk? And one of the things we're going to find out is that quantifying it is actually not easy. There are various frameworks to sort of see what you do or don't do that may pose some degree of risk, but actually quantifying it is what is hard, so that's what we're talking about.
So if we talk about quantification, is there a formula for risk, or the risk exposure we have?
Risk is really, we said, how likely, the probability of an adverse security event happening. So the first thing you have to say is, well, there is a threat out there, they may come after me. I have some controls in place, but they may be able to get around them. And actually, I might get compromised, may experience a breach or whatever it is. So what is the likelihood of that? So you have to have the probability, then you have to multiply by the impact of that adverse event.
If it's going to cost me $10 million to deal with that, well, and the probability is half, that's way too much. But if it is half and it's going to cost you $10 million, your risk is $5 million. We said quantifying, of course we have to quantify both of these quantities: the probability, as well as the impact or the loss that you're going to suffer as a result of the adverse event that we're talking about.
So there's something called risk leverage, because we'd like to reduce our risk exposure. And one way we can do that is by having some sort of a control in place. A control, we know, comes with a cost.
So risk leverage is for a given control. We're talking about quantifying risk, and then, sort of, if it's too high, you don't like it, we can try to reduce it by putting in one or more controls. So when you put in a control, you can ask what the risk leverage of that control is.
So, the way to sort of compute that is that you say, what was my risk exposure before, or without, the control that is under consideration? That's without deploying it. Minus the risk exposure after this control is deployed. This difference really is nothing but the amount by which the risk is reduced because of this control that we're going to put into our enterprise. So, that's the decrease in risk, divided by the cost of that control that we're talking about. We've been saying we have to have cost-benefit analysis. This is how much risk there is. This is what happens to risk if we do something about an unacceptable level of risk. So this is the cost of that control that we have in the denominator here. So, if you divide the reduction in risk by the cost, that gives you the risk leverage.
For any control that you have, risk leverage should be greater than 1. It makes no sense for it to be less than 1 because, in that case, you're saying your risk reduction actually is smaller than the cost. It's not very smart that you pay more and, overall, you're not in a better place than you were before in terms of the cost and whatever risk that you have. So, this is how we compute the leverage, and whenever you talk about a particular control, if you do this and the value is not greater than 1, then of course that control should not be considered.
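The two formulas from the lecture (risk exposure = probability times impact, and risk leverage = reduction in exposure divided by the cost of the control) are worked through below. This is an added example written for these notes, not code from the lecture or the Stallings and Brown text. The baseline numbers are the lecture's own ($10 million impact, probability one half, so a $5 million exposure); the three candidate controls and their costs and post-deployment probabilities are constructed for illustration. The example goes one step beyond the lecture by ranking several candidate controls at once and discarding every one whose leverage is not greater than 1, which is the decision rule the lecture states.

```python
"""Risk exposure and risk leverage as defined in the lecture.

    risk exposure  = probability of an adverse event * impact (loss)
    risk leverage  = (exposure without control - exposure with control) / cost of control

A control is worth considering only if its leverage is greater than 1.
All control names and figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    cost: float            # cost of deploying the control (same unit as impact)
    prob_after: float      # probability of the adverse event once the control is in place
    impact_after: float    # loss if the event still happens with the control in place


def risk_exposure(probability: float, impact: float) -> float:
    """Expected loss: probability of the adverse event times its impact."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return probability * impact


def risk_leverage(prob_before: float, impact_before: float, control: Control) -> float:
    """(exposure before - exposure after) / cost, for one candidate control."""
    if control.cost <= 0:
        raise ValueError("a control with no cost has undefined leverage")
    before = risk_exposure(prob_before, impact_before)
    after = risk_exposure(control.prob_after, control.impact_after)
    return (before - after) / control.cost


def rank_controls(prob_before: float, impact_before: float, controls):
    """Return (name, leverage) pairs for the controls worth considering,
    highest leverage first. Controls whose leverage is not > 1 are dropped,
    since for those the cost exceeds the reduction in risk."""
    scored = [(c.name, risk_leverage(prob_before, impact_before, c)) for c in controls]
    worth_it = [(name, lev) for name, lev in scored if lev > 1.0]
    return sorted(worth_it, key=lambda pair: pair[1], reverse=True)


# Baseline from the lecture: $10M impact, probability 1/2, so $5M exposure.
BASE_PROBABILITY = 0.5
BASE_IMPACT = 10_000_000

# Constructed candidate controls (hypothetical names and numbers).
EXAMPLE_CONTROLS = (
    Control("multi-factor authentication", cost=200_000, prob_after=0.2, impact_after=10_000_000),
    Control("network intrusion detection", cost=500_000, prob_after=0.4, impact_after=8_000_000),
    Control("oversized appliance", cost=4_000_000, prob_after=0.45, impact_after=9_000_000),
)


if __name__ == "__main__":
    print(f"baseline exposure: ${risk_exposure(BASE_PROBABILITY, BASE_IMPACT):,.0f}")
    for name, lev in rank_controls(BASE_PROBABILITY, BASE_IMPACT, EXAMPLE_CONTROLS):
        print(f"{name:30s} leverage = {lev:.2f}")
```

Running the block prints the $5,000,000 baseline exposure and lists the two controls whose leverage exceeds 1; the third, whose cost is larger than the risk it removes, is dropped exactly as the lecture says it should be.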
We said risk assessment is challenging: we don't understand all the threats, and we don't know what our vulnerabilities are, of course. The likelihood of a successful attack, of course, is going to depend on what sort of vulnerabilities you might have and who's trying to target you.
But we said, well, if you can come up with a probability and what happens as a result of an attack, then you can compute the risk; that's how you quantify or assess the risk. And you can try to reduce it, but that's really a question of managing that. How do we manage? What options do we have for managing the risk that our business is exposed to on the cyber front?
P3_L1 Cyber Security_ Page 14
GaTech OMSCS – CS 6035: Introduction to Information Security
So we talked about assessing it, but if it's too high, then of course we'd like to reduce it. So how do you reduce cyber risk?
As we said, before we get into reduction, assessing required the likelihood as well as the impact. So how do you assess the impact? It's the expected loss we're talking about, so expected loss is really loss multiplied by the probability, so we do have to get to the loss. And when you talk about loss, it could be reputation loss; Target, of course, suffered, including a decrease in sales. It's the cost of calling somebody in. So, for example, if you're Sony and you call FireEye or Mandiant to come figure out what happened, I'm sure they paid for that; Mandiant or FireEye got compensated really well. Your response: it may be legal costs, you may have to buy identity theft protection for your customers and things like that. It's real dollars, reputational, what you do in the aftermath. All that has to add up to sort of the cost or the loss that you would attribute to a certain attack. And expected, I said, was that value multiplied by the probability. So that's really risk. Risk was probability times impact, so maybe the impact is a loss. So let's just talk about loss here.
So this one would still be talking about assessing risk. Now let's talk about how do we manage risk. There are only three things you can do once you come up with some sort of a risk estimate.
1) You can say, well, I can live with it. In that case, you're accepting the risk.
2) You may want to transfer it. So the risk is transferred to another party. So if something bad happens to you, the consequences or the cost is going to be borne by somebody else. That somebody else is going to do it only if they are paid to be in that business, and that business is the insurance business. So you can buy insurance, and by buying insurance, you're transferring it to whoever insures you.
3) The other option is you can reduce it. How do you reduce it? Well, you're going to reduce it by deploying new technology solutions, maybe a more expensive, more effective firewall. You can reduce it by educating your people or having training and things like that. More security awareness, of course, is going to ensure that it's less likely that they make a mistake, so that's going to reduce the likelihood or the probability of some adverse event, which we know is a factor in the way we compute our risk.
So, managing: once you have an estimate of the risk, there are a couple of options on how you can deal with that risk. As we said, this transfer thing happens in a lot of other domains. You buy insurance for your car, for your health and things like that.
Now that we talked about risk, and we said risk is actually probability multiplied by impact. Impact is the loss you incur or suffer as a result of the breach. So this question is about how do you figure out that loss? So the company, we talked about Anthem for example, or Target, stores sensitive data, customer data. Data that could be used for identity theft, for example, or credit card numbers and things like that. So it stores sensitive customer data. Impact of a breach of such data. And remember the risk was probability times impact. So this is saying, what are we going to include in the impact?
The first one is the cost of purchasing identity theft protection for your customers. So Anthem actually offered that to me. Some banks offered it to their customers when they had a breach, and so on. So this is a cost that is definitely because of this breach that we have had.
Loss of business due to reduced customer confidence. Well, that is an impact of this breach as well. It is a loss and it impacts you adversely. So that should figure into the impact of this event.
Compensation for new cyber security personnel the company hires to better manage cyber security in the future. Well, whether you include this or not, it actually happened as a result. Maybe you wouldn't have done it if you didn't have this breach, but this is really sort of an investment in the future, so that in the future we don't have such a breach, or don't get attacked the way we did in this case. So this is really part of the response. It's how you get to a more secure state. This is probably not something that should be included in the loss that occurs because of this particular incident, or this breach. This is something that probably should have been there, and if it was there then this situation wouldn't have happened.
There are two options. We look at cost and risk reduction. One is $100K, and that reduces the risk by 150. The other one is 250 and reduces the risk by 500. So the question is, which solution would you recommend?
So how can we answer? Of course, one is cheaper, but the risk reduction is also a lot smaller; it's 150 only. It's the cheaper one because it's 100K, but the risk is only reduced by 150 here. The other one is two and a half times as expensive, but it's reducing the risk a lot more, 500K.
So we said one way we can think about it is risk leverage. The risk leverage was the reduction in risk, so in the first case it's 150, divided by the cost, and that's 100. So the risk leverage is 1.5 for the first solution, or the cheaper solution. For the more expensive solution it's 500, which is how much the risk is reduced by, divided by 250, which is the cost, giving 2. So the risk leverage is higher for the more expensive solution, and based on that reasoning you would recommend this one [the more expensive solution].
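As an added example (not part of the lecture or its slides), the risk formula from the earlier paragraphs and the risk leverage rule from the quiz above are written here as a small Python calculator: it applies the lecture's threshold (a control is only considered if its leverage exceeds 1) and then ranks the surviving controls by leverage. The function and class names, the "gold-plated appliance" figures and the use of thousands of dollars as the unit are assumptions of the example; the two quiz options and the ROI figures are the lecture's own.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


def risk(probability: float, impact: float) -> float:
    """Risk as defined in the lecture: probability of a successful attack
    times the impact (loss), so the result is in the units of the impact."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if impact < 0:
        raise ValueError("impact (loss) cannot be negative")
    return probability * impact


def risk_reduction(p_before: float, impact_before: float,
                   p_after: float, impact_after: float) -> float:
    """Risk without the control minus risk with it. A control may lower the
    probability (e.g. awareness training), the impact, or both; either way
    the reduction is just the difference of the two risk values."""
    return risk(p_before, impact_before) - risk(p_after, impact_after)


def risk_leverage(reduction: float, cost: float) -> float:
    """Lecture formula: risk leverage = reduction in risk / cost of control."""
    if cost <= 0:
        raise ValueError("control cost must be positive")
    return reduction / cost


@dataclass(frozen=True)
class Control:
    name: str
    cost: float            # cost of deploying the control
    risk_reduction: float  # risk before minus risk after, same units as cost

    @property
    def leverage(self) -> float:
        return risk_leverage(self.risk_reduction, self.cost)


def worthwhile(control: Control) -> bool:
    """The lecture's rule: a control is only considered if leverage > 1."""
    return control.leverage > 1.0


def recommend(controls: Iterable[Control]) -> Optional[Control]:
    """Drop controls with leverage <= 1, then pick the highest leverage."""
    candidates = [c for c in controls if worthwhile(c)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.leverage)


# Figures from the quiz, in thousands of dollars (the names are ours).
QUIZ_OPTIONS = [
    Control("cheaper solution", cost=100, risk_reduction=150),
    Control("more expensive solution", cost=250, risk_reduction=500),
]

# The ROI argument from the lecture: $10M expected loss, $1M control,
# loss cut in half, i.e. a $5M reduction (also in thousands).
ROI_CONTROL = Control("ROI example", cost=1_000, risk_reduction=5_000)

# Hypothetical control that costs more than it saves; it must be rejected.
BAD_CONTROL = Control("gold-plated appliance", cost=1_000, risk_reduction=600)


if __name__ == "__main__":
    for c in QUIZ_OPTIONS + [ROI_CONTROL, BAD_CONTROL]:
        verdict = "consider" if worthwhile(c) else "reject"
        print(f"{c.name:25s} leverage={c.leverage:.2f} -> {verdict}")
    best = recommend(QUIZ_OPTIONS)
    print("recommend:", best.name if best else "none")
```

Running the block prints a leverage of 1.5 for the cheaper option and 2.0 for the more expensive one, so `recommend` returns the more expensive solution, exactly as the quiz answer argues; the gold-plated control is dropped before ranking because its leverage is below 1.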
So cyber insurance was one way to, remember, manage risk: accept it, transfer it. So cyber insurance is how you transfer it. It is not very popular. Based on a 2014 survey, what percentage of customers of major insurance brokers were interested in buying cyber insurance? There is more to read about it, but car insurance is mandated; you have to have it.
So when it comes to cyber, the question is how many people actually are interested in buying cyber insurance. The exact number is not important. Is it small or significant? These are the two buckets you're asked to choose from. So, what do you think? Which answer is the right one? Think and mark, and then we'll talk about the solution.
I guess it gave it away when it says it's still not very popular; of course, a lot of people are not interested in buying it. There are a variety of reasons, actually. People who are selling cyber insurance have too many exclusions. It's not really worth the cost. You pay for it and when you need it they say this is excluded and things like that. So people are interested in insurance when they think it's a good value for them, which means there are not too many exclusions and the cost is low, and those things don't hold when it comes to cyber insurance. So it's not very popular; not a lot of people are actually asking for it and buying it. So that's what this link has more information about. You should read it.
So the whole idea of security planning and security management is to be better prepared when it comes to cyber security. So, if your enterprise, your company, is asked how well prepared you are, how good is the state of cyber security? Really, that's what the cyber security posture is. So, cyber security posture: how do we address our security, how do we prepare ourselves for cyber security, how do we handle it when something goes wrong.
The posture can be reactive. Unfortunately, in many cases, this is what it is. What does reactive mean? Well, we worry about it because we're sort of forced to do it.
Because there's a regulation, compliance requirements that say you must do so. And we react to that regulation that comes down our throats.
Or it's customers' demands, customers saying I will not do business with you unless you have that. A lot of companies these days, especially business to business, B2B, don't want to do business with someone who has lax cyber security. So again, we react to this demand that comes from somebody we want to do business with.
It could be in response to something bad that happens to us, okay. So a breach, for example; the Target and Home Depot examples everybody talks about. So we react to the adverse event that we suffered, so that's another example of what a reactive security posture is.
And, finally, it may be in response to events that occur, that our competition may have suffered. One bank, for example, suffers a breach and other banks may react to that by making sure that the vulnerabilities that were exploited don't exist in their IT systems. So all these are examples of a reactive posture. I said, unfortunately, security is event driven: when something bad happens, people say we need it and so we need to do something about it. But this is what is called a reactive posture to cyber security.
Of course, it's better to have what is called a proactive approach to security. You plan for it; that's what security planning is talking about. You work hard to assess your risk, you do things to reduce it, look at the cost, and do that before either you're forced because of regulation or forced because something bad happens to you and you respond to it reactively. So what are some examples of proactive things that companies should be doing?
Well, first of all, it should be somebody's job to worry about cyber security and assets: how they are protected, how people are educated, cyber security insurance, having a good policy, making sure people are held responsible and empowered to do things, and all the things we talked about when it comes to security planning and management. So having a champion whose job it is to worry about it; and the champion should have influence. If he or she doesn't have influence, of course you're not going to get anything meaningful done.
So one thing people talk about, for example, is, well, is this proactively addressed at the highest level in an organization? Talk about the board-level conversation. The board addresses various kinds of risks an enterprise has to deal with. Is cyber security risk one of those, or is there a conversation about it? Is there a conversation about what needs to be done to reduce that risk? Is there an investment made in cyber security controls and solutions and personnel and things like that?
If that's done before bad things happen, that would be a proactive approach. Again, unfortunately, I'm not aware that this is happening in every company. In fact, one of the things that happened, we said, is Target hired a CSO. Who does the CSO report to? Does the CSO report to the CIO? Well, then it's not at the highest level; it doesn't report to the CEO. The CEO maybe doesn't bring it up at the board level and things like that. So proactive means somebody, the champion, looks ahead, has the influence that's necessary and has support at the highest levels, and that would be a proactive posture for cyber security.
If you are the person who has to champion cyber security and get the company to a proactive cyber security posture, how do you make your case? You're the champion; it's your job to be as well prepared as possible given the costs, benefits, risk tolerance and so on. What are the kinds of arguments you can make?
The easiest argument to make is the bottom line argument, or the economic argument, that it's going to save us money. Of course, security doesn't make money. Security, we would say, is a cost. It doesn't bring money in, but we could lose money because of it. The economic argument we can make is the return on investment argument, or the ROI argument. Saying, if you don't do this, we're going to lose $10 million. If you do this, it's only going to cost us 1 million and we save 5 million, and the losses we're going to suffer are going to be reduced by half. Then of course it's an investment you make: you're putting out one million but you're saving five million. So that is a pretty good return on investment that we have. So the economic argument of course makes sense when you say that by coming up with a budget to put a control in place, the cost that we're going to have is going to result in savings that are much greater than the cost. Significant savings greater than the cost, so there is, in a way, a return on the investment. This is money we were going to lose that we're not going to lose now. And that's how our bottom line is going to be in a better state.
Of course, this does require that you estimate the costs and benefits that we're talking about, and unfortunately, it's pretty tricky.
Costs and benefits: either you can exactly quantify them, so that would be data driven, or it's perception. So with perception it's sort of what they perceive to be the risk, and what they perceive the risk reduction to be, maybe if we do A or B, or something like that, versus actually knowing those probabilities and those impact numbers that you are talking about. So you're going to make an argument. This is all fine and good, but a lot of times it comes down to perception, and then people would say, well, this is their opinion. How do you know for sure? Do you have some hard numbers? And unfortunately, making this argument is difficult because a lot of times those hard numbers are not easy to come by.
So we've been talking about security planning and management. There are many sort of different pieces that make up this whole process of planning and then managing the security. How do we bring it all together? If you're going to go explain this to someone in a few minutes, what are the things you should be talking about?
Well, first of all, you're going to say that there are things that are of
value which are at risk. Maybe your reputation, maybe your intellectual property; there are assets that are of value which are at risk.
So then you're going to talk about where the risk comes from: certain threat sources. Not only are there bad guys out there; of course, we have certain vulnerabilities, those are the attack vectors, and that's why those threat sources would be able to do us harm. That's why we need to worry about it: the risk comes from the fact not just that we have something of value, but that that thing could be harmed or could be breached. So the threats and attack vectors are really talking about threats and vulnerabilities. Together they come together and result in an attack. So an attack then leads to a breach, and that's where we have the adverse consequences. So if we have that, we have to talk about things that are of value; we have to talk about threats. These two are the reasons that help us explain that there is something at risk, and the amount or level of risk that we may have.
And the way to manage that risk is to plan for security, implement whatever controls are meaningful, and then sort of manage that in terms of controls, people, processes and things like that. And all that has to be done.
Again, for these controls that we're talking about, of course we're going to look at the cost. The benefits they offer? What impact they have? How user friendly they are? Things like that. So we have to sort of look into the controls that we have and what their effectiveness is.
Then we have to identify people. It's their job to worry about security. We have to empower them to do it. They have to have the budget, they have to be able to have policies that can be enforced and things like that. And people have to be held responsible and accountable, because when we know that something went wrong, they should be called to answer what exactly happened.
And no matter how well you do that, we have to plan for something going wrong. And when something goes wrong, a response is going to be needed. Remediation has to happen. There shouldn't be any surprises. We should be prepared and have a plan in place saying if something bad were to happen, this is how we're going to respond to it.
Of course, people, as we said, need to be aware of the importance of security: the guiding principles, the do's and don'ts, all the things we were talking about under security policy. So we need to think about that.
And finally, we need to understand, and people have to recognize, that a proactive option is what gets you ahead of the threats in some sense. Threats change continuously. If you're just going to be in reactive mode, something new is going to come and hit you and you're going to suffer the same sort of thing that you did before. So proactively addressing the risk and the threats and the vulnerabilities, and having a champion to do that, is another part of this security planning and management that we're talking about.
Overall, understand what is of value and why there's risk to it, which is the threats and the vulnerabilities we're talking about. And then plan, implement, manage, and do all of that proactively. That's sort of bringing it all together when it comes to security planning and management.
Instructor Notes: PWC Report
According to this report, this yes/no question is asking: are we budgeting, making larger allocations for cyber security, as the threats become more sophisticated?
According to this report that I'm talking about, and this is fairly recent, the answer is no. In fact, they report a slight dip in 2014. So people are not investing. Either they don't have the money to invest, they don't think they're getting a good return on it, or maybe they don't understand the risk very precisely. If it's vague then of course it's hard to convince someone to put out the dollars to do that. So for now, cyber security budgets or investments in cyber security are not dramatically going up.
We talked about sort of reactive and proactive security measures. So this is saying we have two options here. Which would you say is an example of proactive security? Remember, reactive is sort of post something bad happening; it's the cleaning up and doing something in response. Proactive is sort of getting ahead of that. So which one of these two would you say is a proactive measure?
The first one is not really proactive. The regulation is sort of forcing you to do something, and when you comply, you're essentially reacting to the regulation and doing what they demand that you do. But the other one is the Chief Risk Officer of the company addressing cyber risk regularly at the highest level, and risk and investment discussed. I would say that is
proactive, because you do this on a regular basis. And highest level means you do something to address them as well. So this is the proactive versus reactive distinction that we had discussed.
We saw that managing cyber security is a complex undertaking because it has technical, people, and policy dimensions. We studied the tradeoffs that exist when we consider various security controls in the context of an organization. Security management covered how we can explore these tradeoffs and pick the right solutions to manage the cyber risk that is faced by an organization.