Understanding Cyber Risk
Presented by: Nikki Ingram, CISSP, Cybersecurity Risk Engineer
Terminology: Cyber basics
Cyber: Having to do with a computer or a computing system.
IoT: “Internet of Things”; relates to any device that can be connected to the internet.
Threat: Any circumstance or event with the potential to cause harm to an information system.
Related terms:
• Threat actor = Bad guy
• Threat vector = Modus operandi
Vulnerability: Any condition that leaves an information system open to a threat.
Exploitation: The successful execution of a threat via a present vulnerability.
Risk: A relative measure based on the likelihood of an exploitation and the resulting impact of the adverse event on the organization.
© Zurich American Insurance Company
How is electronic data damaged?
• Program errors or omissions
• Physical destruction
• Deletion
• Viruses
Data breach scenario
Scenario:
• Lockdown of hospital’s computer systems
• 140 applications impacted
Method of attack:
• Virus loaded to system
• Accessed via the parking garage systems
Loss:
• Loss of patient data and records
• Inability to intake patients
• Extensive record transfer costs
• Bitcoin ransom demand
Claim:
• $17+ million in damages: Lost revenue, restoration of IT system and digital assets, breach of privacy, additional costs for courier services
Attacker’s profile:
• Sophisticated: Remote desktop protocol (RDP)
• Brute force: Password cracking via a remote server
Cyberthreats: Threat Targets (slide figure; only the title survives)
Cyberthreats: Threat Sources (slide figure; only the title survives)
Cyberthreats: Risk Consequences (slide figure; only the title survives)
Terminology: Cyber Threat Actors
White Hat: Ethical hackers
Black Hat: Nefarious hackers
Gray Hat: Can either be good or bad
Script Kiddies: Amateur ‘hackers’
State/Nation: Advanced Persistent Threat (APT)
Nature: Natural disasters or physical damage
Why is there so much interest in cyber? Potential event scenarios and impact
Impact categories: Physical damage; Business interruption
Scenarios:
• Cyberattack on power generation plant leads to a “Business Blackout”
• Denial-of-service attack (Mass DoS), preventing access to e-commerce sites
• Cloud service provider failure
• Ransomware attack that interrupts business operations
• Plant explosion caused by industrial control system attack
Key exposures: Statistics to consider
• 243: Median number of days advanced attacks are on the network before being detected
• 70%: Percentage of breaches associated with nation-state or state-affiliated actors that involved phishing
• 10%: Percentage of email credentials of Fortune 500 employees on the dark web
• 58%: Percentage of victims categorized as small businesses
• Common passwords: “123456,” “password,” “!@#$%^&,” “qwerty,” “12345,” “123456789,” “aa123456,” “1234567,” “fútball,” “iloveyou,” “admin,” “Tequiero,” “mariposa,” “login,” “abc123,” “estrella,” “654321,” “bonita,” “Contraseñsa” (Splashdata 2018)
• 23%: Percentage of users who share their network passwords with colleagues (IS Decisions, From Brutus to Snowden)
• $148: Average cost per lost or stolen record (2018 Cost of Data Breach Study: Global Overview, Ponemon)
• 2.9 billion: Records leaked in 2017 (this only counts publicly disclosed breaches)
• 28%: Likelihood of a recurring material breach over the next two years (2018 Cost of Data Breach Study: Global Overview, Ponemon)
Other sources cited on the slide: IBM 2018 Cyber Security Intelligence Index; 2018 Verizon DBIR; Mandiant; 2018 Vericlouds
Physical damage scenario
Scenario: Targeted malicious attack against steel plant
Method of attack: Access to the enterprise’s office network via a spear phishing email. By gathering admin login credentials, access obtained to the industrial process network.
Loss:
• Massive Ethernet traffic on the process network
• Failure of control components, which prevented a controlled shutdown of the furnace
Claim:
• €20 million ground-up loss
• Physical damage and business interruption
• Partial coverage under the property reinsurance treaty
Attacker’s profile: Had expert knowledge of the plant’s IT systems, including industrial control system
Cyber event and insurance overlaps and gaps (slide diagram; only the labels survive): Property damage; Business interruption; Theft of funds; Self-driving auto attack; Investor or shareholder lawsuits; Digital asset replacement
Example: What is the cyber provision on a property policy?
General provision: It’s not the physical electronic data processing media that data resides on.
Cyber provision: The loss, destruction, manipulation or corruption of electronic data and programs/software.
The future of cyber: 5 key considerations
1. Frequency: Cyber events will continue to increase.
2. Severity: The impact of cyber events is still unclear.
3. Risk Type: It is a systemic risk (e.g., WannaCry, Petya, NotPetya) and not always targeted.
4. Risk Transfer can alleviate some concerns, but the solution has to extend beyond insurance.
5. Risk Engineering: Investment in infrastructure and changes in culture can help mitigate exposures.
What is your tolerance for risk?
Business interruption scenario
Scenario:
• Attack on hotel/casino webpages
• Inappropriate image published and sites disabled
• Online booking was offline for one week
Method of attack:
• Malware planted on 1,100 computers and 200 servers
Loss:
• Three physical locations shut down
• Significant impact to online gambling business
• Employee and customer data implicated
Claim:
• $100 million in damages and business interruption
• Significant computer forensics, data restoration and alleged business interruption
Attacker’s profile: Targeted based on political beliefs of the business owner; vengeance-based; “hacktivism” via a nation-state
How can you manage your cyber risk? (slide decision flow, reconstructed from its labels)
Does my business have cyber exposure?
• No → Lucky… Are you sure?
• Yes → Prevention; Preparation; Risk Transfer
Controlling cyber exposures
Zurich’s Cyber Risk Assessment approach is based on the NIST* Framework for Improving Critical Infrastructure Cybersecurity.
*National Institute of Standards and Technology (U.S.)
Framework functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
The NIST Framework: What is the customer protecting?
Develop the organizational understanding to manage cybersecurity risks to systems, assets, data and capabilities.
Information asset inventory:
• Data, classified
• Hardware
• Software
• Operating systems
  o Versions
  o Patch levels
Risk assessment: By asset or class of assets
IDENTIFY
The NIST Framework: How are the identified assets protected?
Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Protective controls:
• Network perimeter
  o Firewalls
  o Intrusion detection/prevention
• User endpoints
  o Desktops, laptops (internal and remote)
• Servers
  o Hardened, standard configuration
  o Application whitelisting
• Segmentation
PROTECT
Enterprise network (slide diagram; only the labels survive): INTERNET, ROUTER, IDS/IPS, SWITCH, DMZ, WEB APPS
Enterprise network with segmentation (slide diagram; only the labels survive): INTERNET, ROUTER, IDS/IPS, SWITCH, DMZ, WEB APPS, plus a SECURE SEGMENT and a second IDS/IPS
The NIST Framework: How are the identified assets protected? (continued)
Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Protective controls on the data:
• Segmentation
• Encryption
  o At rest
  o In transit
  o On backups
  o On removable devices
• Restricted access
  o User access
  o Privileged access
  o Third-party access
• Multifactor authentication
PROTECT
The NIST Framework: How does the customer know when something is amiss?
Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
• IDS/IPS
• SIEM = Security Information and Event Management
DETECT
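The hospital scenario earlier in the deck lists brute-force password cracking over RDP as the attacker's method, and this slide names IDS/IPS and a SIEM as the way to notice such activity. The Python below is an added example, not part of Zurich's presentation: it implements the kind of correlation rule a SIEM would run over authentication logs, flagging a source that fails repeatedly against one account inside a short window and escalating the alert when a successful logon follows the failures. The log lines and their field layout (timestamp, source address, user, outcome) are constructed for the example.

```python
"""SIEM-style detection of a credential brute-force pattern in authentication logs.

Added example (not from the original presentation). The log lines below are
constructed, and their field layout is an assumption made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <source IP> <user> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-03-01T02:10:01 203.0.113.5 admin FAIL
2024-03-01T02:10:03 203.0.113.5 admin FAIL
2024-03-01T02:10:05 203.0.113.5 admin FAIL
2024-03-01T02:10:07 203.0.113.5 admin FAIL
2024-03-01T02:10:09 203.0.113.5 admin FAIL
2024-03-01T02:10:12 203.0.113.5 admin SUCCESS
2024-03-01T08:15:00 198.51.100.7 jsmith FAIL
2024-03-01T08:15:30 198.51.100.7 jsmith SUCCESS
"""

FAILURE_THRESHOLD = 5          # failed attempts from one source against one account ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window trigger an alert


def parse_events(text):
    """Parse the constructed log format into (timestamp, source, user, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    return sorted(events, key=lambda e: e[0])


def detect_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per (source, user) pair that reaches `threshold` failures within `window`.

    If a SUCCESS for the same pair arrives after the alert fired, the alert is marked
    'compromised': the account is likely taken over and should be handled first."""
    failures = defaultdict(list)  # (source, user) -> timestamps of failures still inside the window
    alerts = {}
    for ts, src, user, outcome in events:
        key = (src, user)
        if outcome == "FAIL":
            window_start = ts - window
            failures[key] = [t for t in failures[key] if t >= window_start]
            failures[key].append(ts)
            if len(failures[key]) >= threshold and key not in alerts:
                alerts[key] = {
                    "source": src,
                    "user": user,
                    "failures": len(failures[key]),
                    "first_seen": failures[key][0],
                    "compromised": False,
                }
        elif outcome == "SUCCESS" and key in alerts:
            # A successful logon right after the burst of failures is the high-priority case.
            alerts[key]["compromised"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The single-account threshold above misses "password spraying" (one password tried against many accounts from one source); a production rule set would add a second counter keyed on the source address alone, and tune the threshold and window to the environment's normal failure rate.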
The NIST Framework: When a problem is identified, is the customer prepared to respond?
Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Formal documented incident response plan:
• Assigns roles and responsibilities
• Includes all levels up to C-suite and board of directors
• Includes arrangements with breach service providers
• Tested regularly
RESPOND
The NIST Framework: If systems are damaged or unavailable, are there alternative arrangements to keep the business operating?
Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Document plans for disaster recovery and business continuity:
• Prioritize systems and applications
• Have recovery time objectives
• Have recovery point objectives
• Have alternate data center facilities
• Have manual workarounds
• Test plans regularly
RECOVER
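As an added example that is not part of the original presentation, the Python below turns the recovery time objective (RTO) and recovery point objective (RPO) items above into a check against evidence: how stale the most recent backup was when an incident struck (worst-case data loss versus RPO) and how long the last tested restore actually took (versus RTO), reported in priority order so the most critical gap is fixed first. The system names, priorities, targets, backup times and drill durations are constructed for the illustration.

```python
"""Checking documented recovery objectives (RTO, RPO) against backup and test evidence.

Added example (not from the original presentation). Every system, target and
timing below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SystemPlan:
    name: str
    priority: int                  # 1 = most critical, restored first
    rto: timedelta                 # recovery time objective: maximum tolerable downtime
    rpo: timedelta                 # recovery point objective: maximum tolerable data loss
    last_backup: datetime          # most recent successful backup (constructed)
    last_drill_restore: timedelta  # how long the last tested restore actually took


# Constructed inventory of systems with their documented objectives
PLANS = [
    SystemPlan("patient-records", 1, timedelta(hours=4), timedelta(hours=1),
               datetime(2024, 3, 1, 1, 0), timedelta(hours=6)),
    SystemPlan("online-booking", 2, timedelta(hours=8), timedelta(hours=4),
               datetime(2024, 3, 1, 0, 0), timedelta(hours=3)),
    SystemPlan("intranet-wiki", 3, timedelta(days=3), timedelta(days=1),
               datetime(2024, 2, 29, 22, 0), timedelta(hours=5)),
]

# Constructed moment at which systems became unavailable
INCIDENT_TIME = datetime(2024, 3, 1, 2, 30)


def assess(plans, incident_time):
    """Return one finding per system, most critical first.

    A finding records the worst-case data loss (time since the last backup) and
    whether it stays within the RPO, and whether the last tested restore stayed
    within the RTO. An untested or slow restore is a gap even if backups are fresh."""
    findings = []
    for p in sorted(plans, key=lambda plan: plan.priority):
        data_loss = incident_time - p.last_backup
        findings.append({
            "system": p.name,
            "priority": p.priority,
            "data_loss_hours": data_loss.total_seconds() / 3600,
            "rpo_met": data_loss <= p.rpo,
            "rto_met": p.last_drill_restore <= p.rto,
        })
    return findings


def gaps(findings):
    """Names of systems that miss either objective, in the order they should be addressed."""
    return [f["system"] for f in findings if not (f["rpo_met"] and f["rto_met"])]


if __name__ == "__main__":
    results = assess(PLANS, INCIDENT_TIME)
    for f in results:
        print(f)
    print("gaps:", gaps(results))
```

In the constructed data the most critical system is the one that fails both checks: its backup is 1.5 hours old against a 1-hour RPO, and its last restore drill took 6 hours against a 4-hour RTO. That is the pattern the "Test plans regularly" item is meant to expose before an incident rather than during one.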
The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline,
which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a
helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should
consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this
publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this
information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every
acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific
insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.
© 2019 Zurich American Insurance Company. All rights reserved.
Thank you