Cybersecurity Risk
Management
Peter Frøkjær, MBA, CISM, CISSP, CEH, CCNP
Products and Solutions Security Officer
LinkedIn: dk.linkedin.com/in/froekjaer/
Phone: +45 6155 2021 / +1 530 683 5388
Unrestricted
About ISACA
Founded in 1969; non-profit, independent association that helps
members achieve greater trust in, and value from, their information systems
Has more than 140,000 constituents in 200 countries and more than 190
chapters worldwide
Sponsors international conferences and education
Publishes original research
Develops international IS audit and control standards
Offers CISA, CISM, CGEIT and CRISC certifications
Developed and continually updates the COBIT, Val IT
and Risk IT frameworks, as well as the IT Assurance Framework and
Business Model for Information Security
isaca.org
Risk: A Balance Is Essential
• Risk and value are two sides of the same coin.
• Risk is inherent to all businesses.
Enterprises need to ensure that opportunities for
value creation are not missed by trying to
eliminate all risk.
Risk Analysis Definitions
Asset:
An asset is any tangible or intangible thing or characteristic that has value to an organization.
There are many types of assets. Some of these include obvious things like machines, facilities,
patents, and software. But the term can also include less obvious things like services, information,
and people, and characteristics like reputation and image or skill and knowledge.
Threat:
Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner
that can result in harm; a potential cause of an unwanted incident.
Vulnerability:
A vulnerability is a weakness in an asset or group of assets. An asset’s weakness could allow it to
be exploited and harmed by one or more threats.
Risk:
Risk is the combination of the probability of an event and its consequence. (ISO/IEC 73)
Risk is the probable frequency and probable magnitude of future loss. (FAIR)
Probabilities are derived from the combination of threat, vulnerability, and asset characteristics.
RI$K – Set the scene
fairwiki.riskmanagementinsight.com
Now, identify the following components
within the scenario. What were the:
• Threats: The earth and the force of gravity that it applies to the tire and rope
• Vulnerabilities: The frayed rope
• Asset: The bald tire
• Risks: Very low
Manage Risks
Top 10 Business Risks globally by AON – 2015:
1. Damage to reputation/brand
2. Economic slowdown/slow recovery
3. Regulatory/legislative changes
4. Increasing competition
5. Failure to attract or retain top talent
6. Failure to innovate/meet customer needs
7. Business interruption
8. Third-party liability
9. Computer crime/hacking/viruses/malicious code
10. Property damage
2015-Global-Risk-Management-Report-230415.pdf
Some of the Risks
• Financial risk
  • Company's ability to manage its debt and financial leverage
• Business risk
  • Company's ability to generate sufficient revenue to cover its operational expenses
• Cyber risk (Business & Financial risk)
  • Company’s activities online, internet trading, electronic systems and technological networks, as well as storage of personal data, IP etc.
Cyber/IT Risk – Where it’s a little different
[Diagram: Cyber Threats, Exploitability, Best Practices and Legislation/Compliance, with the residual risk remaining after mitigation]
Risk Identification and Assessment
FAIR (Factor Analysis of Information Risk)
[Diagram: Risk = Exposure * Exploitability, where Exposure is based on business impact such as service deliverables, brand impact, financial impact etc.]
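As an added example (not from the deck), the FAIR definition of risk given earlier and the Exposure * Exploitability view on this slide carried through in Python with point estimates: threat event frequency and vulnerability give the loss event frequency, loss magnitude gives the annualised exposure, and a control-effectiveness factor gives the residual risk after mitigation. The scenario names, values and the linear control model are constructed assumptions, not figures from the slides.

```python
"""Added example (not from the slides): a minimal FAIR-style risk estimate.
Risk is the probable frequency of a loss event combined with its probable
magnitude; the frequency is derived from threat, vulnerability and asset
characteristics. All scenario values below are constructed illustrations."""
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    threat_event_frequency: float   # expected threat events per year (TEF)
    vulnerability: float            # P(a threat event becomes a loss event), 0..1
    loss_magnitude: float           # expected loss per loss event, currency units
    control_effectiveness: float = 0.0  # share of loss events a mitigation stops, 0..1

    def loss_event_frequency(self) -> float:
        """LEF = TEF x vulnerability: how often the asset is actually harmed."""
        return self.threat_event_frequency * self.vulnerability

    def inherent_risk(self) -> float:
        """Annualised loss exposure before any mitigation: LEF x loss magnitude."""
        return self.loss_event_frequency() * self.loss_magnitude

    def residual_risk(self) -> float:
        """Exposure left after mitigation has reduced the loss event frequency."""
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")
        return self.inherent_risk() * (1.0 - self.control_effectiveness)


def rank_by_residual_risk(scenarios):
    """Order scenarios so the largest remaining exposure is treated first."""
    return sorted(scenarios, key=lambda s: s.residual_risk(), reverse=True)


# Constructed scenarios: TEF/year, vulnerability, loss per event, control effectiveness
SCENARIOS = [
    Scenario("Phishing leading to credential theft", 120.0, 0.05, 20_000.0, 0.6),
    Scenario("Web application injection flaw", 12.0, 0.25, 150_000.0, 0.9),
    Scenario("Lost unencrypted laptop", 4.0, 0.5, 50_000.0, 0.0),
]

if __name__ == "__main__":
    for s in rank_by_residual_risk(SCENARIOS):
        print(f"{s.name:38} inherent={s.inherent_risk():>10,.0f}"
              f" residual={s.residual_risk():>10,.0f}")
```

Note that the ordering by inherent risk (injection flaw first) differs from the ordering by residual risk (laptop first), which is the point of looking at residual risk after mitigation before spending further budget.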
Guiding Principles of a Risk program
Always connect to enterprise objectives.
Align the management of Cyber-related business risk with
overall enterprise risk management.
Balance the costs and benefits of managing risk.
Promote fair and open communication of Cyber risk.
Establish the right tone from the top while defining
and enforcing personal accountability for operating
within acceptable and well-defined tolerance levels.
Understand that this is a continuous process
and an important part of daily activities.
Thank You – Q&A
[Diagram: security events from AV, Auth, WAF, DLP, AD, WLAN, DPI, URL, FW, IDS, VPN, MDM, uVM, SB and AI sources are enriched with context (Location, Identity, Division/Business, Data Value, Asset Value, Geo Info, Regulation, CIRC, NCC, SCC, Threats, Incidents, Assets, GRC), aggregated, and prioritised as High/Med/Low security events]
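As an added example (not from the deck), one way to do the enrichment step the diagram sketches in Python: raw sensor events are joined with an asset inventory (asset value, data value, division, location, regulation) and an identity directory, scored, and aggregated per asset. The inventories, events, weights and thresholds are all constructed assumptions for illustration.

```python
"""Added example, not from the slides: enrich raw sensor events with asset,
data, regulation and identity context and score them High/Med/Low, as the
Event Enrichment diagram sketches. All inventories and events are constructed."""
from collections import Counter

# Constructed asset inventory (the context a CMDB or GRC tool would supply)
ASSETS = {
    "web01":  {"asset_value": 3, "data_value": 3, "division": "Sales", "location": "DK", "regulation": ["PCI DSS"]},
    "hr-db":  {"asset_value": 3, "data_value": 3, "division": "HR", "location": "DK", "regulation": ["personal data"]},
    "kiosk7": {"asset_value": 1, "data_value": 1, "division": "Facilities", "location": "US", "regulation": []},
}
UNKNOWN_ASSET = {"asset_value": 1, "data_value": 1, "division": "unknown", "location": "unknown", "regulation": []}
# Constructed identity directory (the context AD would supply)
IDENTITIES = {"jdoe": {"division": "Sales", "privileged": False},
              "svc-backup": {"division": "IT", "privileged": True}}
UNKNOWN_IDENTITY = {"division": "unknown", "privileged": False}
# Constructed raw events from sensors named on the slide (severity 1..3)
RAW_EVENTS = [
    {"source": "IDS", "host": "web01", "user": "jdoe", "severity": 2},
    {"source": "DLP", "host": "hr-db", "user": "svc-backup", "severity": 2},
    {"source": "WAF", "host": "web01", "user": None, "severity": 1},
    {"source": "AV", "host": "kiosk7", "user": None, "severity": 1},
    {"source": "FW", "host": "bld-printer", "user": None, "severity": 3},  # not inventoried
]


def enrich(event, assets=ASSETS, identities=IDENTITIES):
    """Join one raw event with asset and identity context and assign a priority."""
    asset = assets.get(event["host"], UNKNOWN_ASSET)
    ident = identities.get(event["user"], UNKNOWN_IDENTITY)
    cross_division = ("unknown" not in (asset["division"], ident["division"])
                      and asset["division"] != ident["division"])
    # Weight the sensor's severity by what the asset and its data are worth, then
    # add context that makes an incident costlier: privilege, regulation, odd access.
    score = (event["severity"] * max(asset["asset_value"], asset["data_value"])
             + (2 if ident["privileged"] else 0)
             + len(asset["regulation"])
             + (1 if cross_division else 0))
    priority = "High" if score >= 7 else "Med" if score >= 4 else "Low"
    return {**event, **asset, "privileged": ident["privileged"],
            "cross_division": cross_division, "score": score, "priority": priority}


def aggregate(events):
    """Count enriched events per (host, priority) so the busiest assets stand out."""
    return Counter((e["host"], e["priority"]) for e in map(enrich, events))
```

An event from a host missing from the inventory keeps the lowest default values, so a gap in the asset register shows up as under-prioritised events rather than a crash, which is itself worth monitoring.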
References / Links
The current threat landscape
Cyber Kill Chain
Deconstructing The Cyber Kill Chain
Advanced persistent threat – defined
Verizon Data Breach Investigations Report
Mandiant Reports
Symantec Security Response Publications
Trustwave Global Security Report 2014
Secret Service Downloads
US CERT
EU CERT
OWASP Top 10
OWASP ESAPI for PHP: Strong, Simple Security Controls for PHP Developers
SANS - Critical Security Controls
Hackmageddon, 1-15 December 2014 Cyber Attacks Timeline
SC Magazine UK - Top 10 issues in IT security for 2014
National Vulnerability Database
PCI DSS v3
References / Links
Frameworks and Resources…
Digitaliseringsstyrelsen - Managing information security according to ISO 27001 (Danish)
ISACA – COBIT
ISACA - CSX (Cybersecurity)
ISO27001 Security
DS - IT Security Standard Package (Danish site)
Best Management Practice - ITIL
ITIL- ISO/IEC 20000
NIST
Unified Compliance Frameworks (UCF)
OSSTMM
http://ddosattackprotection.org/blog/cyber-security-blogs/
https://www.scadahacker.com/ (SCADA)