Presented by: Debra Banning, VP, Information Security Center of Expertise
Effective Risk-Based
Information Security Programs
Experis | December 2014
Today’s Agenda
• Current Risk Environment
• What Can We Learn?
• Increasing Information Risk Management
• Actions that Reduce Your Risk
• Closing
Current Risk Environment
Operational Expansion
Figure: enterprise network diagram. Headquarters (router, server, hub, firewall, data, LAN, remote access) connects over the Internet to regional offices and to many suppliers and customers.
Internet accessible systems are exposed to an increasingly hostile world, including some threats launched through your clients and vendors
Recent Headlines Illustrate the Current Risk Landscape
Cyber Space – Business Perspective
• Pervasive – Can reach all around the globe in a click to promote and conduct your business
• Informative – Information can be readily obtained, increasing business productivity
• Trusting – A business brand can be established globally by being present on the Internet
• Collaborative – Entire supply chains can share information through multiple media
Cyber Space – Attack Perspective
• Pervasive – Attacks can originate from anywhere on the globe
• Informative – Attackers can gain and correlate information about any organization or person that can be used to advance their purpose
• Trusting – Attackers can execute attacks based on users’ “trust” of information and applications found on the Internet
• Collaborative – Attackers unite to quickly launch massive distributed attacks
Types of Information at Risk
• Critical Data
• Intellectual Property / Trade Secrets
• Corporate Strategy
• Unreleased Financial Information
• Personal Health Information (PHI)
• Personally Identifiable Information (PII)
• System Data and Configuration Settings
How Much is Your Personal Information Worth?
Black Market Value for Personal Information
• Medical records along with health insurance ID: $47.62
• Social Security Numbers coupled with personal information: $14.02
• Debit card/PIN code combinations: $9.55
• U.S. credit card record: $0.75 - $0.97
• Social Media account credentials: $16 - $325
• Traffic redirections: $130
• On-line buying habits and contact information: <$0.30
Source: Ponemon Institute/Wall Street Journal/Experis Research
How Much is Protection Really Worth?
The amount individuals would pay to protect their personal
information varies widely, based on the information being protected:
• Social Security number/government ID: $240/year
• Credit Card number: $150/year
• Electronic or Physical Histories: $52 - $59/year
• Health Industry Medical Records: $38/year
• On-line buying habits and social profiles: $3 - $5.70/year
• Contact Information (phone number, e-mail, mailing address): $4.20/year
Source: “What’s Your Personal Data Worth” by Tim Money, Jan. 18, 2011, designmind.frogdays.com blog
Through Which Lens Do You View Data Protection?
Consumer
• Can I trust the product will protect
my sensitive information?
• Are the data protection features
easy to use and configure?
• Does the product allow me to set
different levels of protection?
• Can the protection interoperate
seamlessly with my other products?
• Does the product automatically
update itself to maintain protection?
Producer
• How important is data protection to your consumers?
• What type of data will your product collect, process, store or transmit?
• Will your product be used in high security environments?
• What regulatory or legal requirements will your product need to meet?
• Can data protection differentiate your product in the marketplace?
What can we learn?
Breaches and Cyber Threats Challenge the Status Quo
• Speed and control of change management
• Management of security waivers/exceptions
• Definition of ‘Insider’ and ‘Outsider’
• Depth/scope of vendor assessments
• Visibility across full IT/IS supply chain
• Suitability of security in outsourced services
• Effectiveness of periodic account reviews
• Effectiveness of single-factor authentication
Event Analysis Reveals Common Attack Vectors
Many significant breaches start with social engineering attacks
• Phishing and spear-phishing are suspected in several of the largest breaches
• Targets include employees, suppliers and third-party contractors
Most organizations have too great a susceptibility to this form of attack
Attackers use credentials to gain a foothold on the internal network
• Immediately begin to survey the environment they now have access to
• Identify possible data repositories and business systems (e.g., POS* network)
Attackers should not be able to easily transit across internal networks
Attack then moves to core business systems or credential repositories
• Either set up shop to glean data over time or just steal large files
• Often set up their own repository for data to facilitate exfiltration
Common controls should preclude actions seen in large breaches
*POS – Point of Sale
Analysis Also Reveals Basic Access Control Flaws
User accounts had privileges that were not required for assigned duties or allowed access to resources in excess of required privileges
• What periodic risk reviews might have exposed this?
• Would additional network segmentation reduce this risk?
Core repositories allowed bulk access and/or transfer of sensitive data, both within the company and via exfiltration
• Would proper risk review processes preclude granting this level of access?
• Could reducing aggregation of data into any single repository reduce this risk?
Production systems (e.g., POS network) used weak access controls, insufficient segregation of duties and inadequate activity monitoring
• What monitoring, reporting and audits could reduce these critical risks?
• Would mandatory multi-factor authentication eliminate most of these attack vectors?
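The periodic review the questions above call for can be automated. The script below is an added example, not part of the original deck: it compares each account's actual entitlements against what its role needs, flags segregation-of-duties conflicts, and flags any right that permits bulk retrieval from a core repository. The role matrix, the conflict pairs, the entitlement names and the three accounts are constructed sample data.

```python
"""Periodic access review: privileges beyond the role's need, segregation-of-
duties conflicts, and bulk-retrieval rights on core repositories. The role
matrix, conflict pairs and accounts are constructed sample data for this
illustration, not from the deck."""
from dataclasses import dataclass

# Constructed: entitlements each job role legitimately needs (least privilege).
ROLE_ENTITLEMENTS = {
    "store_manager": {"pos:read_sales", "pos:void_txn"},
    "pos_admin": {"pos:read_sales", "pos:read_config", "pos:deploy_update"},
    "release_approver": {"pos:approve_release"},
    "vendor_support": {"vpn:remote_support", "bms:read_telemetry"},
}

# Constructed: entitlement pairs one identity must never hold together.
SOD_CONFLICTS = [
    frozenset({"pos:deploy_update", "pos:approve_release"}),  # build and approve own release
    frozenset({"vpn:remote_support", "db:bulk_export"}),      # remote vendor with bulk export
]

# Constructed: rights that permit bulk access to aggregated repositories.
BULK_ENTITLEMENTS = {"db:bulk_export", "db:dump_all"}


@dataclass
class Finding:
    account: str
    kind: str      # "excess", "sod" or "bulk"
    detail: str    # comma-joined entitlements involved


def review_account(account, role, entitlements):
    """Compare one account's actual entitlements with what its role needs."""
    held = set(entitlements)
    findings = []
    excess = held - ROLE_ENTITLEMENTS.get(role, set())
    if excess:
        findings.append(Finding(account, "excess", ",".join(sorted(excess))))
    for pair in SOD_CONFLICTS:
        if pair <= held:
            findings.append(Finding(account, "sod", ",".join(sorted(pair))))
    bulk = held & BULK_ENTITLEMENTS
    if bulk:
        findings.append(Finding(account, "bulk", ",".join(sorted(bulk))))
    return findings


def review_all(accounts):
    """accounts: {name: (role, entitlements)}; returns findings ordered by account."""
    findings = []
    for name, (role, ents) in sorted(accounts.items()):
        findings.extend(review_account(name, role, ents))
    return findings


# Constructed extract of an identity store: role plus entitlements actually held.
SAMPLE_ACCOUNTS = {
    "alice": ("store_manager", {"pos:read_sales", "pos:void_txn"}),
    "bob": ("pos_admin", {"pos:read_sales", "pos:read_config",
                          "pos:deploy_update", "pos:approve_release"}),
    "svc-vendor": ("vendor_support", {"vpn:remote_support", "bms:read_telemetry",
                                      "pos:read_sales", "db:bulk_export"}),
}

if __name__ == "__main__":
    for f in review_all(SAMPLE_ACCOUNTS):
        print(f"{f.account:<12}{f.kind:<8}{f.detail}")
```

Run against an export of the identity store on a schedule; every "excess" finding is a candidate for removal, every "sod" finding needs a documented compensating control or a split of the account, and every "bulk" finding should be matched against a business justification and the activity monitoring discussed on the next slides.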
Common Oversight Flaws Elevated the Level of Risk
Exploits often existed for months before discovery, and were most often reported by law enforcement or an external security researcher
• Why haven’t latent threats, like APTs*, been elevated as critical risks?
• Shouldn’t this be part of most organizations’ annual audit plans?
Some recent attacks appear to follow the same pattern as previous attacks in the same industry, pointing to a lack of urgency to take action
• What does it take to convince management to learn from others’ mistakes?
• Why didn’t these patterns drive changes in the standard of due care?
It appears some POS software and change control processes had inadequate oversight and monitoring of software updates
• One attack purportedly involved multiple updates of the attack software
• Why weren’t basic software release control and validation employed?
*APTs – Advanced Persistent Threats
Increasing Information Risk Management
Value and Risk of an Organization’s Information
Figure: matrix plotting Information Value (LOW, MED, HIGH) against Threat, Vulnerability, Counter-measures and Risk for four example assets: consolidated financial information, customer personal information, internal office memorandums (non-confidential) and confidential executive memorandums. The cost of counter-measures is shown scaling from $ to $$$ with the value of the information.
Data loss is not the only way breaches cause harm!
Source: http://www.emc.com/collateral/other/emc-trust-curve-es.pdf
Because breaches result in a wide variety of impacts that must be considered,
the governance response to breaches must go well beyond just IT controls
Impact reported (share of respondents):
• Loss of employee productivity: 45%
• Loss of revenue: 39%
• Loss of customer confidence/loyalty: 32%
• Loss of an incremental business opportunity: 27%
• Loss of business to a competitor: 27%
• Delay in product/service development: 26%
• Loss of a new business opportunity: 26%
• Loss of customers: 26%
• Damage to company brand and reputation: 23%
• Loss of repeat business: 20%
• Delay in getting product/service to market: 16%
• Damage to company stock: 10%
The Security Governance Paradigm is Changing
• 2013: the President issued Executive Order 13636
- Improving Critical Infrastructure Cybersecurity
• One year later, NIST released the Framework for
Improving Critical Infrastructure Cybersecurity
• Extends the classic security life cycle (Protect,
Detect, Respond and Recover) to include Identify
• The new model is more proactive - Business and
Governance are now key aspects of managing risk
• The related roadmap includes data analytics,
supply chain risk management and continuous
monitoring
• An emerging imperative is enhancing the role of
Internal Audit in evaluating risk management
Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Figure: Cybersecurity Framework – Core Structure
Oversight is Evolving to Meet the Challenge
Tools increase visibility and tracking
• GRC tools and risk analytics are more common
• Provide better data, but none are a silver bullet
• Establish a common source of data for metrics and reports
• Create a link between cyber risk and enterprise risk
Adoption of formal frameworks
• COBIT 5, ISO 27000 series, NIST SP 800 series
• Each requires some customization to align to your specific business needs
• High degree of overlap between frameworks reduces the total control set
Audit focus is expanding beyond controls
• Focus changing to finding the root cause vs. just finding the defect
• More recognition of the importance of process risk over just technology risk
• Proactive discussion of strategic risk with the businesses
Relationship between Internal Audit and IT Security
Internal Auditors were once thought of as go-to only for issues relating
to financial controls, while IT Security dealt with technology controls
Now, IT Security is still adept at managing technology risks, while Internal
Audit is recognized as experts in characterizing all risks to the business
Internal Audit has the ear of the Board of Directors, which makes them a
very effective advocate in framing the importance of IT Security controls
Internal Audit monitors traditional risk but also looks for the presence and
impact of emerging risk, such as breaches and other cyber threats
Internal Audit is rarely utilized to its full potential, especially in the IT area
IT Security, in most cases, does not see Internal Audit as a team
member that adds value – and that needs to change
Actions that Reduce Your Risk
Assess your risk management hierarchy
Figure: three-tier risk management hierarchy, from a strategic risk focus at the top to a tactical risk focus at the bottom: Organization Structure, Goals and Strategies; Business Processes and Applications; Information Systems and IT Business Partners.
• Multiple risk tiers
• Requires a risk champion
• Address systems and architectures
• Flexible, but consistent
Actions that Reduce Your Risk
Define and adopt a formal
cyber security strategy for
your organization
• Make it an integral part of
the strategies for every
contributing function
• Review with Executive Committee
at least twice per year
• Identify an actionable and
pragmatic roadmap for security
• Review cyber risk posture and
actions at least monthly
• Update dashboards, reports and
metrics to make issues visible.
Create a process-driven
security capability
• Establish a formal information
security management system
• Adopt a standard risk and control
framework to support program
• Create visible, integrated program
resourcing for all security activities
• Mandate the formal acceptance of
risks for unfunded security projects
Actions that Reduce Your Risk (continued)
Reevaluate your current IT
security processes and controls
• Strengthen production system access
controls to require strong
authentication
• Establish an isolated release control
/change management mechanism
• Reduce access and retrieval rights to
aggregated or core data repositories
• Review and revise third party access
controls and account privileges
• Establish integrity monitoring controls
for key systems and repositories
• Eliminate broad remote access to
internal systems
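Two of the controls above, integrity monitoring of key systems and an isolated release control mechanism, share one building block: a signed manifest of what is supposed to be deployed, checked against what actually is. The script below is an added example (not from the deck or from any vendor) of that check. It baselines a directory with SHA-256 hashes, signs the baseline with an HMAC key standing in for the release team's approval, and later reports any added, removed or changed files and whether the deployed state still matches an approved release. The directory layout, file contents and key are constructed here; a production pipeline would use an asymmetric signing key held outside the deployment path.

```python
"""File-integrity baseline plus signed release manifest. Added example for
integrity monitoring and release validation; the paths, file contents and
approval key below are constructed and are not from the original deck."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Files added, removed or changed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }


def canonical(manifest):
    # Stable serialisation so the signature does not depend on dict order.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the canonical manifest, standing in for the release
    team's approval signature (constructed; real pipelines use asymmetric keys)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_release(manifest, signature, key):
    """True only if the deployed manifest is exactly an approved release."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def demo():
    """Approve a release, then simulate an unreviewed change to a deployed binary."""
    key = b"constructed-release-approval-key"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "pos-terminal"), "wb") as f:
            f.write(b"approved build 1.4.2")
        with open(os.path.join(root, "pos.conf"), "w") as f:
            f.write("segment=pos\nremote_admin=off\n")
        approved = build_manifest(root)
        sig = sign_manifest(approved, key)
        ok_before = verify_release(build_manifest(root), sig, key)

        # Unapproved "update" of the binary plus a dropped staging file.
        with open(os.path.join(root, "bin", "pos-terminal"), "wb") as f:
            f.write(b"approved build 1.4.2" + b"\x90" * 16)
        with open(os.path.join(root, "staging.dat"), "wb") as f:
            f.write(b"staged records")
        current = build_manifest(root)
        return {
            "ok_before": ok_before,
            "ok_after": verify_release(current, sig, key),
            "diff": diff_manifests(approved, current),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of keeping the signing key with the release approver rather than on the deployment host is that an attacker who can push files to the system still cannot make the integrity check pass; a monitoring job that re-runs `build_manifest` and `verify_release` on a schedule turns "multiple updates of the attack software" into an alert on the first one.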
Create a formal crisis
management function in
your organization
• Integrate all enterprise incident
response functions
• Include supporting roles outside of
IT/IS (e.g., Law, HR, Compliance)
• Define a decision/escalation tree,
and grant authority to key roles
Actions that Reduce Your Risk (continued)
Create a breach response plan to ensure your
organization is prepared
• Reporting – Ensure employees know who to contact and what information
to provide if/when a potential breach is discovered
• Roles – Define a Data Breach Response Team (members, roles and
responsibilities) with the appropriate knowledge to evaluate data breaches
• Actions – Include breach declaration, response escalation, system isolation,
shut down, recovery, data scrubbing, evidence collection, chain of custody
• Communications – Define specific protocols for each stakeholder group,
including internal, customer, shareholders, authorities, media
• Breach Notification – Create predefined procedures for notifying affected
parties, based on the different notification triggers
Actions that Reduce Your Risk (continued)
Evolve your IT/IS cyber operations capabilities to be more agile
• Create a critical cyber skills matrix and populate it for your organization
• Identify key players in your organization for incident and breach response
• Establish a roadmap and action plans to eliminate any gaps
• Define a succession plan for critical decision makers
Reduce your cyber risk profile and attack surface
• Create an organizational bias against retaining sensitive information
• Mandate multi-factor VPN* for all access to sensitive data repositories
• Implement protocol restrictions and filters (e.g., WAF**) at all boundaries
• Utilize tiered security architecture to segregate critical data
• Use VDI*** to eliminate local storage of sensitive data on laptops
*VPN – Virtual Private Network, **WAF – Web Application Firewall, ***VDI – Virtual Desktop Infrastructure
Actions that Reduce Your Risk (continued)
Increase your cyber
detection capabilities
• Establish mandatory standards
for system and application
logging
• Implement anomalous use
scanning in network and
system monitoring
• Deploy ingress/egress filtering
and data leakage prevention
• Utilize more analytics and
automation in log and alert
management
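What "anomalous use scanning" and egress monitoring look like once the logging standard exists: the script below is an added example, not from the deck, that runs two detections over a constructed log extract. The first compares each account's repository reads against that account's own baseline and flags bulk retrievals; the second flags large outbound flows to a destination never seen during the baseline period. The log format (an ISO-8601 timestamp followed by key=value pairs), the account and host names, and the thresholds are all constructed for the illustration.

```python
"""Anomalous-use and egress detection over constructed access logs. Added
example for the detection bullets above; the log format, hosts, accounts and
thresholds are constructed and not from the original deck."""
import re
import statistics
from collections import defaultdict

# Constructed format: "<ISO-8601 timestamp> key=value key=value ..."
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m.group(1)}
    for kv in m.group(2).split():
        k, _, v = kv.partition("=")
        ev[k] = v
    return ev


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e and len(e) > 1]


def detect_bulk_retrieval(events, baseline_end, factor=10, floor=500):
    """Flag repository reads that are both above an absolute row floor and at
    least `factor` times the account's median read during the baseline period
    (events timestamped before `baseline_end`). Accounts with no baseline are
    flagged on the floor alone."""
    history = defaultdict(list)
    for e in events:
        if "rows" in e and e["ts"] < baseline_end:
            history[(e["user"], e["repo"])].append(int(e["rows"]))
    alerts = []
    for e in events:
        if "rows" not in e or e["ts"] < baseline_end:
            continue
        rows = int(e["rows"])
        base = history.get((e["user"], e["repo"]))
        median = statistics.median(base) if base else 0
        if rows >= floor and (not base or rows >= factor * median):
            alerts.append({"ts": e["ts"], "user": e["user"], "repo": e["repo"],
                           "rows": rows, "baseline_median": median})
    return alerts


def detect_new_egress(events, baseline_end, min_bytes=50_000_000):
    """Flag large outbound flows to (src, dst) pairs never seen in the baseline."""
    known = {(e["src"], e["dst"]) for e in events
             if "dst" in e and e["ts"] < baseline_end}
    return [{"ts": e["ts"], "src": e["src"], "dst": e["dst"], "bytes": int(e["bytes"])}
            for e in events
            if "dst" in e and e["ts"] >= baseline_end
            and (e["src"], e["dst"]) not in known and int(e["bytes"]) >= min_bytes]


# Constructed sample: a reporting service account that normally reads a few
# dozen rows a day, then one night pulls 120,000 and pushes ~700 MB to a new host.
SAMPLE_LOG = """\
2014-11-10T09:02:11Z user=svc-report repo=customer_db action=read rows=40
2014-11-11T09:01:48Z user=svc-report repo=customer_db action=read rows=55
2014-11-12T09:03:02Z user=svc-report repo=customer_db action=read rows=48
2014-11-12T10:00:00Z src=10.20.5.7 dst=198.51.100.20 bytes=1200000 proto=https
2014-11-18T02:13:05Z user=svc-report repo=customer_db action=read rows=120000
2014-11-18T02:20:40Z user=jsmith repo=customer_db action=read rows=12
2014-11-18T02:40:11Z src=10.20.5.7 dst=203.0.113.9 bytes=734003200 proto=ftp
2014-11-18T03:00:00Z src=10.20.5.7 dst=198.51.100.20 bytes=900000000 proto=https
"""


def run(text=SAMPLE_LOG, baseline_end="2014-11-15T00:00:00Z"):
    events = parse_log(text)
    return {"bulk": detect_bulk_retrieval(events, baseline_end),
            "egress": detect_new_egress(events, baseline_end)}


if __name__ == "__main__":
    for kind, alerts in run().items():
        for a in alerts:
            print(kind, a)
```

The last sample line is deliberately not caught: 900 MB to an already-known destination passes the new-destination rule, so in practice this check is paired with a per-destination volume baseline. Lexicographic comparison of the timestamps works only because every line uses the same fixed-width UTC format, which is exactly the kind of requirement a mandatory logging standard should state.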
Increase threat knowledge
through focused security
awareness training
• Use role-based/scenario-
based training methods
• Provide job reference
materials to enforce messages
• Ensure skills training for
critical roles (e.g., system
administrators)
• Be aware of desensitizing
staff by providing too
many messages
Actions that Reduce Your Risk (continued)
Review your current audit
processes (internal/external)
• Ensure they include appropriate use of data
analytics and root cause analysis
• Update your organization’s audit threat profile to
include common breach attack vectors and other
forms of cyber threats occurring in your industry
• Invite Internal Audit to host or contribute to
periodic strategic risk reviews that include an
assessment of cyber risks and incidents
affecting your organization’s peers
• Have Internal Audit regularly review incident
response procedures and data integrity controls
used for business critical systems and data
• Regularly audit and test your organization’s
susceptibility to phishing attacks and other
forms of social engineering
Ensure Third Parties are
Protecting Your Data
• Third-Parties – Vendors, Business Partners
and other third parties play a critical role in
protecting your critical and sensitive data
• Service Level Agreements - Clearly define
data protection and breach notification
requirements, and the consequences for
failing to protect data
• Vendor Management Program - Include
examination and reporting of required data
protection, including self-assessments and
site inspections
• Risk Management Program – Proactively
work with vendors to identify and remediate
risks, or choose alternate vendors
(preferably before a breach occurs!)
How Partnering With Internal Audit Can Help!
Perform Risk Assessments to identify high risk information assets
Provide periodic reviews and feedback concerning the
completeness and effectiveness of security controls
Perform IT Security Audits where the IT Organization has
identified a potential weakness in the environment
Perform continuous auditing of IT preventative controls
Report and escalate IT Issues and IT needs to Audit Committee
Act as a trusted advisor and risk consultant, but not a policeman
Closing
Summary
Cyber threats are constantly changing the game
Data breaches will continue to focus on
finding and exploiting the weak links in
systems and people
The speed of threat evolution requires
similar agility in the control and risk
management environments
Audit plays a key role in evaluating the
adequacy of your risk identification and
management processes
Risk/vulnerability assessments and audits are
useful, but ONLY if you address the findings
A strong partnership between IT Security
and Internal Audit will make a real difference
in managing risk
Questions?
Debra Banning
Vice President
Information Security Center of Expertise
Experis
703.336.8169