• Home

  • Documents

  • The Risk of Applying Traditional Security “Risk” Models I
2
18 Maryland Cybersecurity Resource Guide 2016 Baltimore Business Journal If you are a small, customer focused business, do you… • Know that your customer facing wireless is secure? • Have issues with your Point-of-Sale systems? • Have customers who reported that their credit card was stolen from your establishment? • Have problems with your internet “going down”? • Have reported breach or compromise of your systems? SIXGEN can answer these questions for you and more. www.SIXGENllc.com 410-874-3590 SIXGEN provides on-call, IT and Cyber Security solutions to small and medium-size retail and service businesses. FREE Cyber Security credit card PCI scan for the first 200 small businesses who call Securing your organization today is difficult. With recorded data breaches increasing 450% in a year and new cyber attacks focusing on people first and technology second, coupled with an ocean of products claiming they fix it all. -- WHERE DO YOU START? YOU START BY KNOWING WHERE YOU STAND. Truly understanding your current risk is the only effective way to develop a realistic plan to manage that risk. We built this company for that purpose. To help you figure out where your cyber risks are and develop a plan to manage them. Eliminate the Weak Link, 410.295.7601 / 866.841.0777 | www.anchortechnologies.com | @Path2Protection BREACH HOTLINE: 866.841.0777, OPTION #8 or [email protected] Cyber risk identification through technology and human assessment Governance, Risk and Compliance Incident response and investigation Cyber Risk Management solutions 14-year-old firm, with proven and referenceable methodology Cyber Security Experts A Quality Cyber Security Strategy Matters. I magine spending millions of dollars on “securing” your company only to discover that an employee took your crown jewels to a competitor. The impacts are devastating. Millions of dollars in R&D lost, reputation is tarnished, and your business goodwill suffers. This is, unfortunately, not an uncommon occurrence and one that occurs despite the billions of dollars spent on traditional security. So why do these types of compromises continue to occur? Misplaced Threat Focus and False Assumption Traditional security focuses on external threats yet many breaches succeed simply by exploiting basic security flaws (unpatched software, factory server password settings, etc.) and the social engineering of insiders. Moreover, a significant amount of breaches are intentionally facilitated by trusted insiders themselves. Thus, focusing only on the outside hacker misses the mark because insiders, through poor security practices, negligence, or intentional misconduct, are the weak link in the cyber security chain. In addition, traditional security falsely assumes that insider threats cannot be prevented. As such, most controls and resources are dedicated to detecting network threats only, which loses sight of the real problem – insider threats. As a result, the cycle of compromises and breaches continues. Solution #1 – Focus on Insider Threats Over two-thirds of all security events are caused by insiders. Verizon DBIR (2014) “Employees are the most cited culprits of security incidents.” PWC Global State of Information Security Survey (2014) The great majority of intellectual property theft is committed by insiders. United States IP Comm. Report on Theft of American IP (2013) Risk is Largely Misunderstood Traditional security risk management views risk in several ill-defined ways. The first is that risk equals threat. The second is that risk equals vulnerability. A third position defines risk as threat plus vulnerability. The problem with all three is that they fail to properly combine the three essential components of risk – impact, threat, and vulnerability. Solution #2 – Properly Define Risk True risk is the likelihood that a given asset can be compromised by an identified threat via a current vulnerability. The asset is the key component of risk since it is the particular asset whose compromise could have deleterious effects on your The Risk of Applying Traditional Security “Risk” Models By Shawn Thompson Founder and President Insider Threat Management Group, LLC www.itmg.co 1000110011110110010011000101110101 10011011100110100011001111011001011000101110101110111 00100110001011 1110111000110101011 1010101100110111001101000110011110 01011101110001101010110011011100110100011001111011001 0011010001100111 0110010011000101110 00010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110 0001011101011101110001101010110011 11110110010011000101110101110111000110101011001101110 111000110101011001 1011100110100011001

The Risk of Applying Traditional Security “Risk” Models I

  • Upload
    others

  • View
    3

  • Download
    0

Embed Size (px)

Citation preview

Page 1: The Risk of Applying Traditional Security “Risk” Models I

18 Maryland Cybersecurity Resource Guide 2016 Baltimore Business Journal

If you are a small, customer focused business, do you…

• Know that your customer facing wireless is secure?

• Have issues with your Point-of-Sale systems?

• Have customers who reported that their credit card was

stolen from your establishment?

• Have problems with your internet “going down”?

• Have reported breach or compromise of your systems?

SIXGEN can answer these questions for you and more.

www.SIXGENllc.com

410-874-3590

SIXGEN provides on-call, IT and Cyber Security solutions to small and medium-size retail and service businesses.

Free Cyber Security credit card PCI scanfor the first 200 small businesses who call

Securing your organization today is difficult. With recorded data breaches increasing 450% in a year and new cyber attacks focusing on people first and technology second, coupled with an ocean of products claiming they fix it all. -- WHERE DO YOU START?

YOU START BY KNOWING WHERE YOU STAND.

Truly understanding your current risk is the only effective way to develop a realistic plan to manage that risk. We built this company for that purpose. To help you figure out where your cyber risks are and develop a plan to manage them.

Eliminate the Weak Link,

410.295.7601 / 866.841.0777 | www.anchortechnologies.com | @Path2Protection

BREACH HOTLINE: 866.841.0777, OPTION #8 or [email protected]

• Cyber risk identification throughtechnology and human assessment

• Governance, Risk and Compliance• Incident response and investigation• Cyber Risk Management solutions• 14-year-old firm, with proven and

referenceable methodology• Cyber Security Experts

A Quality Cyber Security Strategy Matters.

Imagine spending millions of dollars on “securing” your company only to discover that an employee took your crown

jewels to a competitor. The impacts are devastating. Millions of dollars in R&D lost, reputation is tarnished, and your business goodwill suffers. This is, unfortunately, not an uncommon occurrence and one that occurs despite the billions of dollars spent on traditional security. So why do these types of compromises continue to occur?

Misplaced Threat Focus and False Assumption

Traditional security focuses on external threats yet many breaches succeed simply by exploiting basic security flaws (unpatched software, factoryserver password settings, etc.) andthe social engineering of insiders.Moreover, a significant amount ofbreaches are intentionally facilitated

by trusted insiders themselves. Thus, focusing only on the outside hacker misses the mark because insiders, through poor security practices, negligence, or intentional misconduct, are the weak link in the cyber security chain. In addition, traditional security falsely assumes that insider threats cannot be prevented. As such, most controls and resources are dedicated to detecting network threats only, which loses sight of the real problem – insider threats. As a result, the cycle of compromises and breaches continues.

Solution #1 – Focus on Insider ThreatsOver two-thirds of all security events are caused by insiders. Verizon DBIR (2014)

“Employees are the most cited culprits of security incidents.” PWC Global State of Information Security Survey (2014)

The great majority of intellectual property theft is committed by insiders. United States IP Comm. Report on Theft of American IP (2013)

Risk is Largely MisunderstoodTraditional security risk management views risk in several ill-defined ways. The first is that risk equals threat. The second is that risk equals vulnerability. A third position defines risk as threat plus vulnerability. The problem with all three is that they fail to properly combine the three essential components of risk – impact, threat, and vulnerability.

Solution #2 – Properly Define Risk True risk is the likelihood that a given asset can be compromised by an identified threat via a current vulnerability. The asset is the key component of risk since it is the particular asset whose compromise could have deleterious effects on your

The Risk of Applying Traditional Security “Risk” Models

By Shawn Thompson

Founder and President

Insider Threat Management Group, LLC

www.itmg.co

011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001011000101110101110111000010001100111101100100110001011101011101110001101010110011011100110100011001111011001011000101110101110111000010001100111101100100110001011101011101110001101010110011011100110100011001111011001011000101110101110111000010001100111101100100110001011101011101110001101010110011011100110100011001111011001011000101110101110111000110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001001110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001001110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001001110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001001100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011

011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001011000101110101110111000110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001001

100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011

www.itmg.co
Page 2: The Risk of Applying Traditional Security “Risk” Models I

Baltimore Business Journal Maryland Cybersecurity Resource Guide 2016 19

A better vision for information security

You’ve spent millionson technology,

but are you more secure?Deep Run has the answer.

Learn more at www.tedco.md/cif

Supporting technologies toward commercialization in the realm of privacy or security in a networked environment

Initial funding up to $100,000 with the potential of an additional $125,000

60 day review cycle

Applications are accepted monthly

t : @MDTEDCO f : MDTEDCO

The Risk of Applying Traditional Security “Risk” Models

business. Stated another way, without a defined impact to an asset, there is no risk. Similarly, if there is no threat or vulnerability there is also no risk to an asset. It is the combination of all three that define and capture the true risk posed to an asset.

Traditional Assessments - Wrong Questions and Wrong Problem

Traditionally, security managers have relied on NIST, COBIT, and ISOO frameworks for measuring “risk.” These frameworks, however, only provide a way to assess network centric organizational risk not insider risk. They are vulnerability models and do little to inform an organization about specific asset risks. Thus, a security manager seeking to protect critical assets will be left with many unanswered questions.

Solution #3 – Apply an Asset-Focused Insider Risk ModelEffective security requires an effective security risk model that assesses and manages risk by focusing on insiders’ interaction with critical assets. All threats are not equal, nor are all vulnerabilities and assets. Effective risk management requires risk prioritization. First, assets must be properly identified and impacts determined. Second, specific threats and vulnerabilities related to each asset must be identified. Third, risks to each asset must be properly measured (Risk = Impact [Threat * Vulnerability]). Lastly, mitigation strategies are developed. Through this method, an organization can more effectively apply security measures in the most efficient and cost-effective manner leading to an enhanced security risk posture.

Northeastern Maryland Tech Council (NMTC) Presents:CYBER INSECURITYMarch 14, 2016 | 11:30AM-1PMPSA Financial, 11311 McCormick RoadHunt Valley, MD 21031 (Fifth floor)

Learn expert ways to protect the lifeblood of your business - your data. Take away valued information on employee education, where and how to mitigate risk when you have an intrusion, and what to do after attack.

PANEL• Dr. Michael O’Leary, Chairperson, Dept. of Mathematics, Towson

University• Valerie Corekin, CPCU, ARM, PSA Insurance & Financial Services,

Risk Solutions Group• Casey Corcoran, FourV Systems• Blazer Catzen, Catzen Forensics and System Source

For details & registration visit: www.nmtc.org/events/cyber-insecurity/The Cybersecurity Association of Maryland, Inc. (CAMI) is proud to be partnering with NMTC on this event.

SAVE-THE-DATECybersecurity Association of Maryland, Inc. Presents:CYBER TAILGATE PARTY 2016May 5, 2016 | 4:30-7:30 PM

It’s a casual parking lot party at: Skyline Technology Solutions6956 Aviation Blvd | Glen Burnie, MD 21061

Drinks | Food | Fun | Music | NetworkingMore details coming soon. Stay tuned at www.MDcyber.com/maryland-cybersecurity-events/

011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001011000101110101110111000110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001001100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011

011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011011000101110101110111000110101010011011100110100011001111011001011000101110101110111000110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001011000101110101110111000010001100111101100100110001011101011101110001101010110011011100110100011001111011001011000101110101110111000010001100111101100100110001011101011101110001101010110011011100110100011001111011001011000101110101110111000010001100111101100100110001011101011101110001101010110011011100110100011001111011001011000101110101110111000010001100111101100100110001011101011101110001101010110011011100110100011001111011001011000101110101110111000110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001001110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001001110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001001110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001001110101011001101110011010001100111101100100110001011101011101110001101010110011011100110100011001111011001001100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011100010111010111011100011010101100110111001101000110011110110010011000101110101110111000110101011001101110011


PROSECUTING CYBERTERRORISTS: APPLYING TRADITIONAL JURISDICTIONAL FRAMEWORKS

PROSECUTING CYBERTERRORISTS: APPLYING TRADITIONAL JURISDICTIONAL FRAMEWORKS

Documents
Case Study: Applying NIST Risk Management Framework to

Case Study: Applying NIST Risk Management Framework to

Documents
Applying the Ohio Risk Assessment to Misdemeanants

Applying the Ohio Risk Assessment to Misdemeanants

Documents
Applying Non-Traditional ILI Technology to …...Applying Non-Traditional ILI Technology to Challenging Pipeline Segments for Transmission Integrity Management American Gas Association

Applying Non-Traditional ILI Technology to …...Applying Non-Traditional ILI Technology to Challenging Pipeline Segments for Transmission Integrity Management American Gas Association

Documents
Applying risk management_to_your_business_continuity_management_efforts

Applying risk management_to_your_business_continuity_management_efforts

Business
Applying COSO’s Enterprise Risk Management — Integrated Framework

Applying COSO’s Enterprise Risk Management — Integrated Framework

Documents
Practical result of applying risk management

Practical result of applying risk management

Documents
Applying RiskRisk--basedbased Techniques and Tools to ...m.isaca.org/Indonesia/Documents/Technology-Risk-Management.pdfTechnology Risk Management Applying RiskRisk--basedbased Techniques

Applying RiskRisk--basedbased Techniques and Tools to ...m.isaca.org/Indonesia/Documents/Technology-Risk-Management.pdfTechnology Risk Management Applying RiskRisk--basedbased Techniques

Documents
Applying lean thinking to risk management in product ...orbit.dtu.dk/files/137975680/DS87_Vol2_DesProc_DesOrg_219.pdf · APPLYING LEAN THINKING TO RISK MANAGEMENT IN PRODUCT DEVELOPMENT

Applying lean thinking to risk management in product ...orbit.dtu.dk/files/137975680/DS87_Vol2_DesProc_DesOrg_219.pdf · APPLYING LEAN THINKING TO RISK MANAGEMENT IN PRODUCT DEVELOPMENT

Documents
Www.theiia.org Applying COSO’s Enterprise Risk Management — Integrated Framework

Www.theiia.org Applying COSO’s Enterprise Risk Management — Integrated Framework

Documents
Project Risk Management Applying the Three Lines of ... · PDF file3 Introduction 4 Enterprise Risk Management 6 Project Risk Management 8 Bridging the Gap – Applying Three Lines

Project Risk Management Applying the Three Lines of ... · PDF file3 Introduction 4 Enterprise Risk Management 6 Project Risk Management 8 Bridging the Gap – Applying Three Lines

Documents
Applying COPULA Function to Risk MANAGEMENT - GRAVITAS

Applying COPULA Function to Risk MANAGEMENT - GRAVITAS

Documents
Applying Portfolio Credit Risk Models to Retail Portfolios

Applying Portfolio Credit Risk Models to Retail Portfolios

Documents
APPLYING RISK AND BUSINESS PRINCIPLES TO PRIORITIZE

APPLYING RISK AND BUSINESS PRINCIPLES TO PRIORITIZE

Documents
Constructing and Applying Risk Scores in the Social Scienceshummedia.manchester.ac.uk/institutes/cmist/archive-publications/... · Constructing and Applying Risk Scores in the Social

Constructing and Applying Risk Scores in the Social Scienceshummedia.manchester.ac.uk/institutes/cmist/archive-publications/... · Constructing and Applying Risk Scores in the Social

Documents
Guide for Applying the Risk Management Framework to ...nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP...Guide for Applying the Risk Management Framework to Federal Information

Guide for Applying the Risk Management Framework to ...nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP...Guide for Applying the Risk Management Framework to Federal Information

Documents
Improving compliance of applying fall risk precautions

Improving compliance of applying fall risk precautions

Healthcare
Applying Unit Tests & Test-Driven Development€¦ · Applying Unit Tests & Test-Driven Development Don.McGreal@ImprovingEnterprises.com @donmcgreal ... Unit Testing - Traditional

Applying Unit Tests & Test-Driven Development€¦ · Applying Unit Tests & Test-Driven Development [email protected] @donmcgreal ... Unit Testing - Traditional

Documents
Applying Stochastic Programming Models in Financial Risk

Applying Stochastic Programming Models in Financial Risk

Documents
AR - Applying Big Data to Risk Management

AR - Applying Big Data to Risk Management

Documents
Applying COSO’s Enterprise Risk Management Integrated … de Riesgos/[P… · Applying COSO’s Enterprise Risk Management —Integrated Framework September 29, 2004. Today’s

Applying COSO’s Enterprise Risk Management Integrated … de Riesgos/[P… · Applying COSO’s Enterprise Risk Management —Integrated Framework September 29, 2004. Today’s

Documents
Applying Agile Methodologies to Traditional Publishing

Applying Agile Methodologies to Traditional Publishing

Documents
Factor Investing and Risk Allocation: From Traditional to ... · An EDHEC-Risk Institute Publication 3 Factor Investing and Risk Allocation: From Traditional to Alternative Risk Premia

Factor Investing and Risk Allocation: From Traditional to ... · An EDHEC-Risk Institute Publication 3 Factor Investing and Risk Allocation: From Traditional to Alternative Risk Premia

Documents
Presentation 3: Applying Risk: Key Risk Management Tools

Presentation 3: Applying Risk: Key Risk Management Tools

Documents
Applying spatial regression to evaluate risk factors for

Applying spatial regression to evaluate risk factors for

Documents
Practically Applying Sourcing Grids for Risk Management

Practically Applying Sourcing Grids for Risk Management

Business
fi Applying Traditional Military Principles to Cyber …...169 Applying Traditional Military Principles to Cyber Warfare Abstract: Utilizing a variety of resources, the conventions

fi Applying Traditional Military Principles to Cyber …...169 Applying Traditional Military Principles to Cyber Warfare Abstract: Utilizing a variety of resources, the conventions

Documents
Applying Agile methodologies within the context of traditional project governance · 2017-11-11 · Applying Agile methodologies within the context of traditional project governance

Applying Agile methodologies within the context of traditional project governance · 2017-11-11 · Applying Agile methodologies within the context of traditional project governance

Documents
Applying Non-Traditional ILI Technology to Challenging

Applying Non-Traditional ILI Technology to Challenging

Documents
Understanding and Applying Risk Analysis

Understanding and Applying Risk Analysis

Documents