TRANSCRIPT
The Art of Performing Cyber Risk Assessments
© ecfirst. All Rights Reserved. 2017. 1
Agenda!
Current State
Cyber Incident Response Readiness
Checklist & Standards
Preparation
Getting Started: Cybersecurity Program
Current State
Verizon Data Breach Investigations Report (DBIR)
The Verizon Data Breach Investigations Report (DBIR) identified the following state of cybersecurity:
Verizon Data Breach Investigations Report (DBIR) (Cont'd..)
DDoS attacks are almost always (98%) targeted at large organizations
Annual Cybersecurity Report
State of Cybersecurity: Facts
Adversaries have more tools at their disposal
Adversaries are taking advantage of:
Lapses in patching & updating
Luring users into socially engineered traps
Injecting malware into supposedly legitimate online content
27% of connected 3rd-party cloud apps introduced by employees into the enterprise posed a high security risk
Spam accounts for 65% of emails, & about 10% of spam is malicious
Most organizations use more than five security products & more than five security vendors
Ransomware Cyber-attacks
Prepared
Ransomware has ballooned into a $1B business for criminal enterprises (Cisco Report)
Average amount paid per ransom, $1,077 (Symantec Report)
# of ransomware detections in 2016, about 500,000 (Symantec Report)
IoT + DDoS = Disruption!
84% of large businesses have experienced at least one DDoS attack in the past 12 months (WSJ)
DDoS attacks cost firms $2.5 M or more in lost revenue (WSJ)
Average of 414,985 DDoS incidents/month in 2016
DDoS attack speeds ~ 800 gigabits/second in 2016
IoT-driven Internet Wobble on Oct 21, 2016:
Why it Matters Now!
The IoT Cyber Challenge
Hackers have learned how to take control of these devices located in homes & businesses to remotely order the devices to attack specific Internet addresses
By controlling & coordinating tens of thousands of devices, hackers can attack a victim with data arriving at 500-1,000 gigabytes per second, overwhelming the ability of the targeted servers to deal with them & ultimately making them fail
FDA has issued warnings concerning several medical devices that could be hacked & harm a patient. It's certainly possible that some devices could be exploited to gain further access to your network & data
Cyber Attacks: Global & Sophisticated
Iran, North Korea, China, Russia…
Use common SQL injection, spear phishing & sophisticated malware to gain initial access
Next, they use privilege escalation exploits to compromise additional systems & move deeper inside the compromised firm
• How robust is your patch management?
• Perform annual comprehensive risk assessments?
• Conduct quarterly vulnerability assessments?
• Completed a Business Impact Analysis (BIA)?
Cyber Attack Lifecycle
HIPAA Fines 2017
Cost of Breaches: Nine Figure Risk!
Healthcare Cybersecurity Challenge
Cyber Incident Response Readiness
OCR Breach Notification Form
Breach Notification Form
Tactics Used in Data Breaches
Breach Readiness Plan
Preparation
Detection & Analysis
Containment, Eradication, & Recovery
Post-Incident Activity
Four Key Areas
Checklist & Standards
Checklist for Risk Assessment
# | Area | Status (YES / NO) | Comments
1 | Document Regulations (Federal, State) & Standards That Business is Mandated to Comply (Privacy, Security) With | ☐ ☐ |
2 | Assess Policies (Privacy, Security) | ☐ ☐ |
3 | Assess Procedures (IT, Security) | ☐ ☐ |
4 | Review Asset Management Process & Documents | ☐ ☐ |
5 | Review Vendor (Business Associate) Agreements | ☐ ☐ |
6 | Assess Deployed Security Controls | ☐ ☐ |
7 | Identify Missing Security Controls | ☐ ☐ |
8 | Assess State of Encryption Implementation | ☐ ☐ |
9 | Review Cloud Security for Deployed Apps & PII/EPHI | ☐ ☐ |
Checklist for Risk Assessment (Cont’d..)
# | Area | Status (YES / NO) | Comments
10 | Conduct Technical Vulnerability Assessment (External, Internal) | ☐ ☐ |
11 | Conduct Wireless Assessment | ☐ ☐ |
12 | Review Firewall Architecture & Configuration | ☐ ☐ |
13 | Review Mission Critical Applications & Their Security | ☐ ☐ |
14 | Assess Requirements for Penetration Testing | ☐ ☐ |
15 | Evaluate Risk Management Program | ☐ ☐ |
16 | Assess Quality/Depth of Security Awareness Training | ☐ ☐ |
17 | Review Information Security Skill Capabilities | ☐ ☐ |
18 | Assess Executive Priority/Reporting Structure for Security & Compliance | ☐ ☐ |
Compliance Mandates: ISO 27001, PCI DSS, NIST
ISO 27001: A Global Standard
ISO 27002
Information Security Policies
Organization of Information Security
Human Resource Security
Asset Management
Access Control
Cryptography
Physical & Environmental Security
Operations Security
Communications Security
System Acquisition, Development & Maintenance
Supplier Relationships
Information Security Incident Management
Information Security Aspects of Business Continuity Management
Compliance
PCI DSS: Important Reference
PCI DSS Requirements | Testing Procedures
12.1 Establish, publish, maintain, & disseminate a security policy that accomplishes the following: | 12.1 Examine the information security policy & verify that the policy is published & disseminated to all relevant personnel (including vendors & business partners).
12.1.1 Addresses all PCI DSS requirements. | 12.1.1 Verify that the policy addresses all PCI DSS requirements.
12.2 Includes an annual process that identifies threats, & vulnerabilities, & results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 & NIST SP 800-30). | 12.2.a Verify that an annual risk assessment process is documented that identifies threats, vulnerabilities, & results in a formal risk assessment.
NIST SP 800-30 REV 1: Risk Assessment
HITRUST CSF: Self-Assessment / Validation / Certification
Preparation
Preparing for an Assessment
Enterprise Security Plan
Risk Analysis (most recent)
Risk Management Plan (addressing risks identified in the Risk Analysis)
Security violation monitoring reports
Vulnerability scanning plans
Results from most recent vulnerability scan
Network penetration testing policy & procedure
Results from most recent network penetration test
List of all user accounts with access to systems which store, transmit, or access PII (for active & terminated employees)
Configuration standards to include patch management for systems which store, transmit, or access PII (including workstations)
Encryption or equivalent measures implemented on systems that store, transmit, or access PII
Documentation Updated?
Risk Assessment Preparation
Prevention, detection, containment, & correction of security violations
Employee background checks & confidentiality agreements
Establishing user access for new & existing employees
List of authentication methods used to identify users authorized to access PII
List of individuals & contractors with access to PII, to include copies of pertinent business associate agreements
List of software used to manage & control access to the Internet
Detecting, reporting, & responding to security incidents
Physical security
Encryption & decryption of PII
Mechanisms to ensure integrity of data during transmission – including portable media transmission
Policies, Procedures & More…
Risk Assessment Preparation (Cont’d..)
Organization chart to include staff members responsible for compliance including the protection of PII
Examples of training courses or communications delivered to staff members to ensure awareness & understanding of PII policies & procedures
Policies & procedures governing the use of virus protection software
Data backup procedures
IT Disaster Recovery Plan (DRP)
Disaster recovery test plans & results
Analysis of information systems, applications, & data groups according to their criticality & sensitivity
Inventory of all information systems to include network diagrams listing hardware & software used to store, transmit or maintain PII
Inventory log recording the owner & movement of media & devices that contain PII
Inventory log recording the owner & movement of media & devices that contain PII
Other Documentation Done?
Credible Vulnerability Assessment?
Getting Started: Cybersecurity Program
An Annual Assessment!
Cybersecurity: A Lifecycle (seven numbered stages shown as a cycle diagram): Evaluate; Security Responsibility; Risk Analysis; Security Strategy & Policies; Remediate; BA Supply Chain; Training
Cybersecurity Program
Cyber Action Required
Annually!
Repeat all areas above, annually!
Control Your Excitement!
+1.949.528.5224 [email protected]
Perfecting the Art of Cyber Defense
Certification Training