
Page 1

The Art of Performing Cyber Risk Assessments

© ecfirst. All Rights Reserved. 2017. 1

Agenda!

Current State

Cyber Incident Response Readiness

Checklist & Standards

Preparation

Getting Started: Cybersecurity Program

Page 2

Current State

Page 3

Verizon Data Breach Investigations Report (DBIR)

The Verizon Data Breach Investigations Report (DBIR) identified the following state of cybersecurity:

Verizon Data Breach Investigations Report (DBIR) (Cont'd..)

DDoS attacks are almost always (98%) targeted at large organizations

Page 4

Annual Cybersecurity Report

State of Cybersecurity: Facts

Adversaries have more tools at their disposal

Adversaries are taking advantage of:

Lapses in patching & updating

Luring users into socially engineered traps

Injecting malware into supposedly legitimate online content

27% of connected 3rd party cloud apps introduced by employees into the enterprise posed a high security risk

Spam accounts for 65% of email, & about 10% of spam is malicious

Most organizations use more than five security products & more than five security vendors

Ransomware Cyber-attacks

Prepared

Ransomware has ballooned into a $1B business for criminal enterprises (Cisco Report)

Average amount paid per ransom: $1,077 (Symantec Report)

Number of ransomware detections in 2016: about 500,000 (Symantec Report)

Page 5

IoT + DDoS = Disruption!

84% of large businesses have experienced at least one DDoS attack in past 12 months (WSJ)

DDoS attacks cost firms $2.5 M or more in lost revenue (WSJ)

Average of 414,985 DDoS incidents/month in 2016

DDoS attack speeds ~ 800 gigabits/second in 2016

IoT-driven Internet Wobble on Oct 21, 2016:

Why it Matters Now!

Page 6

The IoT Cyber Challenge

Hackers have learned how to take control of these devices located in homes & businesses to remotely order the devices to attack specific Internet addresses

By controlling & coordinating tens of thousands of devices, hackers can attack a victim with data arriving at 500-1,000 gigabytes per second, overwhelming the ability of the targeted servers to deal with them & ultimately making them fail

FDA has issued warnings concerning several medical devices that could be hacked & harm a patient. It's certainly possible that some devices could be exploited to gain further access to your network & data

Cyber Attacks: Global & Sophisticated

Iran, North Korea, China, Russia…

Use common SQL injection, spear phishing & sophisticated malware to gain initial access

Next, use privilege escalation exploits to compromise additional systems & move deeper inside the compromised firm

• How robust is your patch management?

• Perform annual comprehensive risk assessments?

• Conduct quarterly vulnerability assessments?

• Completed a Business Impact Analysis (BIA)?

Page 7

Cyber Attack Lifecycle

HIPAA Fines 2017

Page 8

Cost of Breaches: Nine Figure Risk!

Healthcare Cybersecurity Challenge

Page 9

Cyber Incident Response Readiness

OCR Breach Notification Form

Page 10

Breach Notification Form

Tactics Used in Data Breaches

Page 11

Breach Readiness Plan

Preparation

Detection & Analysis

Containment, Eradication, & Recovery

Post-Incident Activity

Four Key Areas

Checklist & Standards

Page 12

Checklist for Risk Assessment

#  Area  |  Status (YES / NO)  |  Comments

1.  Document Regulations (Federal, State) & Standards That Business is Mandated to Comply With (Privacy, Security)   ☐ YES  ☐ NO

2.  Assess Policies (Privacy, Security)   ☐ YES  ☐ NO

3.  Assess Procedures (IT, Security)   ☐ YES  ☐ NO

4.  Review Asset Management Process & Documents   ☐ YES  ☐ NO

5.  Review Vendor (Business Associate) Agreements   ☐ YES  ☐ NO

6.  Assess Deployed Security Controls   ☐ YES  ☐ NO

7.  Identify Missing Security Controls   ☐ YES  ☐ NO

8.  Assess State of Encryption Implementation   ☐ YES  ☐ NO

9.  Review Cloud Security for Deployed Apps & PII/EPHI   ☐ YES  ☐ NO

Checklist for Risk Assessment (Cont'd..)

#  Area  |  Status (YES / NO)  |  Comments

10.  Conduct Technical Vulnerability Assessment (External, Internal)   ☐ YES  ☐ NO

11.  Conduct Wireless Assessment   ☐ YES  ☐ NO

12.  Review Firewall Architecture & Configuration   ☐ YES  ☐ NO

13.  Review Mission Critical Applications & Their Security   ☐ YES  ☐ NO

14.  Assess Requirements for Penetration Testing   ☐ YES  ☐ NO

15.  Evaluate Risk Management Program   ☐ YES  ☐ NO

16.  Assess Quality/Depth of Security Awareness Training   ☐ YES  ☐ NO

17.  Review Information Security Skill Capabilities   ☐ YES  ☐ NO

18.  Assess Executive Priority/Reporting Structure for Security & Compliance   ☐ YES  ☐ NO

Page 13

Compliance Mandates

ISO 27001

PCI DSS

NIST

ISO 27001: A Global Standard

ISO 27002

Information Security Policies

Organization of Information Security

Human Resource Security

Asset Management

Access Control

Cryptography

Physical & Environmental Security

Operations Security

Communications Security

System Acquisition, Development & Maintenance

Supplier Relationships

Information Security Incident Management

Information Security Aspects of Business Continuity Management

Compliance

Page 14

PCI DSS: Important Reference

PCI DSS Requirements / Testing Procedures

Requirement 12.1: Establish, publish, maintain, & disseminate a security policy that accomplishes the following:

Testing Procedure 12.1: Examine the information security policy & verify that the policy is published & disseminated to all relevant personnel (including vendors & business partners).

Requirement 12.1.1: Addresses all PCI DSS requirements.

Testing Procedure 12.1.1: Verify that the policy addresses all PCI DSS requirements.

Requirement 12.2: Includes an annual process that identifies threats, & vulnerabilities, & results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 & NIST SP 800-30.)

Testing Procedure 12.2.a: Verify that an annual risk assessment process is documented that identifies threats, vulnerabilities, & results in a formal risk assessment.

NIST SP 800-30 REV 1: Risk Assessment
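Added example (not ecfirst material, and not code from the PCI SSC or NIST): a minimal qualitative risk register of the kind PCI DSS 12.2 asks for, pairing each threat with the vulnerability it could exploit and combining likelihood and impact into a risk level through a matrix shaped like the NIST SP 800-30 Rev 1 Appendix I "level of risk" table. The field names, the sample entries and the exact matrix cells are assumptions of this example; verify the cells against the published table before relying on them.

```python
"""Qualitative risk register modelled on NIST SP 800-30 Rev 1.

Added illustration, not ecfirst material and not code from PCI SSC or NIST.
The combination table below follows the shape of the SP 800-30 Rev 1
Appendix I likelihood x impact matrix; its cell values are reproduced from
memory (assumption) and should be checked against the published standard.
Sample register entries are constructed for demonstration only.
"""
from collections import Counter
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows: likelihood (Very Low .. Very High); columns: impact (Very Low .. Very High).
RISK_MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Low", "Low"],        # likelihood Very Low
    ["Very Low", "Low", "Low", "Low", "Moderate"],              # likelihood Low
    ["Very Low", "Low", "Moderate", "Moderate", "High"],        # likelihood Moderate
    ["Very Low", "Low", "Moderate", "High", "Very High"],       # likelihood High
    ["Very Low", "Low", "Moderate", "High", "Very High"],       # likelihood Very High
]


@dataclass
class RiskEntry:
    threat_event: str
    vulnerability: str
    likelihood: str
    impact: str
    existing_control: str = ""  # empty string means no control is in place yet


def risk_level(likelihood: str, impact: str) -> str:
    """Map a qualitative likelihood/impact pair to a qualitative risk level."""
    for name in (likelihood, impact):
        if name not in LEVELS:
            raise ValueError(f"unknown qualitative level {name!r}; expected one of {LEVELS}")
    return RISK_MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]


def rank_register(entries):
    """Return (level, entry) pairs, highest risk first.

    Within one level, entries with no existing control are listed before
    entries that already have one, so the remediation backlog reads top-down.
    """
    scored = [(risk_level(e.likelihood, e.impact), e) for e in entries]
    scored.sort(key=lambda pair: (-LEVELS.index(pair[0]), pair[1].existing_control != ""))
    return scored


def level_counts(entries):
    """Count entries per risk level: the one-line summary an executive slide needs."""
    return Counter(risk_level(e.likelihood, e.impact) for e in entries)


def needs_remediation(entries, threshold: str = "High"):
    """Entries at or above `threshold` that still lack a documented control."""
    floor = LEVELS.index(threshold)
    return [e for e in entries
            if LEVELS.index(risk_level(e.likelihood, e.impact)) >= floor
            and not e.existing_control]


# Constructed sample register (illustrative values, not findings from any real assessment).
SAMPLE_REGISTER = [
    RiskEntry("Ransomware delivered by phishing e-mail",
              "Workstations several months behind on OS patches", "High", "High"),
    RiskEntry("DDoS against the public patient portal",
              "Single upstream link with no scrubbing service", "Moderate", "High"),
    RiskEntry("Lost or stolen laptop holding PII",
              "Full-disk encryption not enforced on all laptops", "Moderate", "Very High"),
    RiskEntry("Compromise at a business associate exposes shared records",
              "BAA contains no minimum security requirements", "Low", "High",
              existing_control="Annual vendor security review"),
    RiskEntry("Insider bulk-exports patient records",
              "Shared administrative accounts, no export alerting", "Low", "Very High"),
]

if __name__ == "__main__":
    for level, entry in rank_register(SAMPLE_REGISTER):
        status = entry.existing_control or "NO CONTROL"
        print(f"{level:9} | {entry.threat_event} | {status}")
    print("Summary:", dict(level_counts(SAMPLE_REGISTER)))
```

Running the script ranks the two High entries (patching gap, unencrypted laptops) ahead of the two Moderate ones and the mitigated Low entry; `needs_remediation` is what feeds the Risk Management Plan the "Preparing for an Assessment" slide expects to see addressing each identified risk.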

Page 15

HITRUST CSF

Self-Assessment Validation Certification

Preparation

Page 16

Preparing for an Assessment

Enterprise Security Plan

Risk Analysis (most recent)

Risk Management Plan (addressing risks identified in the Risk Analysis)

Security violation monitoring reports

Vulnerability scanning plans

Results from most recent vulnerability scan

Network penetration testing policy & procedure

Results from most recent network penetration test

List of all user accounts with access to systems which store, transmit, or access PII (for active & terminated employees)

Configuration standards to include patch management for systems which store, transmit, or access PII (including workstations)

Encryption or equivalent measures implemented on systems that store, transmit, or access PII

Documentation Updated?

Risk Assessment Preparation

Prevention, detection, containment, & correction of security violations

Employee background checks & confidentiality agreements

Establishing user access for new & existing employees

List of authentication methods used to identify users authorized to access PII

List of individuals & contractors with access to PII, to include copies of pertinent business associate agreements

List of software used to manage & control access to the Internet

Detecting, reporting, & responding to security incidents

Physical security

Encryption & decryption of PII

Mechanisms to ensure integrity of data during transmission – including portable media transmission

Policies, Procedures & More…

Page 17

Risk Assessment Preparation (Cont’d..)

Organization chart to include staff members responsible for compliance including the protection of PII

Examples of training courses or communications delivered to staff members to ensure awareness & understanding of PII policies & procedures

Policies & procedures governing the use of virus protection software

Data backup procedures

IT Disaster Recovery Plan (DRP)

Disaster recovery test plans & results

Analysis of information systems, applications, & data groups according to their criticality & sensitivity

Inventory of all information systems to include network diagrams listing hardware & software used to store, transmit or maintain PII

Inventory log recording the owner & movement of media & devices that contain PII

Other Documentation Done?

Credible Vulnerability Assessment?

Page 18

Getting Started: Cybersecurity Program

An Annual Assessment!

Cybersecurity: A Lifecycle (diagram of seven numbered stages: Evaluate, Security Responsibility, Risk Analysis, Security Strategy & Policies, Remediate, BA Supply Chain, Training)

Page 19

Cybersecurity Program

Cyber Action Required

Annually!

Repeat all areas above, annually!

Page 20

Control Your Excitement!

+1.949.528.5224 | [email protected]

Perfecting the Art of Cyber Defense

Page 21

Certification Training