Understanding Cyber Risk Presented by: Nikki Ingram, CISSP, Cybersecurity Risk Engineer


Page 1: Understanding Cyber Risk

Understanding Cyber Risk

Presented by: Nikki Ingram, CISSP, Cybersecurity Risk Engineer

Page 2: Understanding Cyber Risk

Terminology: Cyber basics

Cyber: Having to do with a computer or a computing system.

IoT: “Internet of Things”; relates to any device that can be connected to the internet.

Threat: Any circumstance or event with the potential to cause harm to an information system. Related terms: threat actor = bad guy; threat vector = modus operandi.

Vulnerability: Any condition that leaves an information system open to a threat.

Exploitation: The successful execution of a threat via a present vulnerability.

Risk: A relative measure based on the likelihood of an exploitation and the resulting impact of the adverse event on the organization.

© Zurich American Insurance Company

Page 3: Understanding Cyber Risk

How is electronic data damaged?

• Program errors or omissions

• Physical destruction

• Deletion

• Viruses

Page 4: Understanding Cyber Risk

Data breach scenario

Scenario:

• Lockdown of hospital’s computer systems

• 140 applications impacted

Method of attack:

• Virus loaded to system

• Accessed via the parking garage systems

Loss:

• Loss of patient data and records

• Inability to intake patients

• Extensive record transfer costs

• Bitcoin ransom demand

Claim:

• $17+ million in damages: Lost revenue, restoration of IT system and digital assets, breach of privacy, additional costs for courier services

Attacker’s profile:

• Sophisticated: Remote desktop protocol (RDP)

• Brute force: Password cracking via a remote server

Page 5: Understanding Cyber Risk

Cyberthreats: Threat Targets


Page 6: Understanding Cyber Risk

Cyberthreats: Threat Sources


Page 7: Understanding Cyber Risk

Cyberthreats: Risk Consequences


Page 8: Understanding Cyber Risk

Terminology: Cyber Threat Actors

White Hat: Ethical hackers

Black Hat: Nefarious hackers

Gray Hat: Can be either good or bad

Script Kiddies: Amateur ‘hackers’

State/Nation: Advanced Persistent Threat (APT)

Nature: Natural disasters or physical damage

Page 9: Understanding Cyber Risk

Why is there so much interest in cyber? Potential event scenarios and impact

Impact types shown on the slide: PHYSICAL DAMAGE, BUSINESS INTERRUPTION

Example scenarios:

• Cyberattack on power generation plant leads to a “Business Blackout”

• Denial-of-service attack (Mass DoS), preventing access to e-commerce sites

• Cloud service provider failure

• Ransomware attack that interrupts business operations

• Plant explosion caused by industrial control system attack

Page 10: Understanding Cyber Risk

Key exposures: Statistics to consider

• 243: Median number of days advanced attacks are on the network before being detected

• 70%: Percentage of breaches associated with nation-state or state-affiliated actors that involved phishing

• 10%: Percentage of email credentials of Fortune 500 employees on the dark web

• 58%: Percentage of victims categorized as small businesses

• Common passwords: “123456,” “password,” “!@#$%^&,” “qwerty,” “12345,” “123456789,” “aa123456,” “1234567,” “fútball,” “iloveyou,” “admin,” “Tequiero,” “mariposa,” “login,” “abc123,” “estrella,” “654321,” “bonita,” “Contraseñsa” (Splashdata 2018)

• 23%: Percentage of users who share their network passwords with colleagues (IS Decisions, “From Brutus to Snowden”)

• $148: Average cost per lost or stolen record (2018 Cost of Data Breach Study: Global Overview, Ponemon)

• 2.9 billion: Records leaked in 2017 (this only counts publicly disclosed breaches)

• 28%: Likelihood of a recurring material breach over the next two years (2018 Cost of Data Breach Study: Global Overview, Ponemon)

Other sources cited on the slide: IBM 2018 Cyber Security Intelligence Index; 2018 Verizon DBIR; Mandiant; 2018 Vericlouds.

Page 11: Understanding Cyber Risk

Physical damage scenario

Scenario: Targeted malicious attack against steel plant

Method of attack: Access to the enterprise’s office network via a spear phishing email. By gathering admin login credentials, access was obtained to the industrial process network.

Loss:

• Massive Ethernet traffic on the process network

• Failure of control components, which prevented a controlled shutdown of the furnace

Claim:

• €20 million ground-up loss

• Physical damage and business interruption

• Partial coverage under the property reinsurance treaty

Attacker’s profile: Had expert knowledge of the plant’s IT systems, including the industrial control system

Page 12: Understanding Cyber Risk

Cyber event and insurance overlaps and gaps

Exposure areas shown on the slide:

• Property damage

• Business interruption

• Theft of funds

• Self-driving auto attack

• Investor or shareholder lawsuits

• Digital asset replacement

Page 13: Understanding Cyber Risk

Example: What is the cyber provision on a property policy?

Cyber provision: The loss, destruction, manipulation or corruption of electronic data and programs/software.

General provision: It’s not the physical electronic data processing media that the data resides on.

Page 14: Understanding Cyber Risk

The future of cyber: 5 key considerations

1. Frequency: Cyber events will continue to increase.

2. Severity: The impact of cyber events is still unclear.

3. Risk Type: It is a systemic risk (e.g., WannaCry, Petya, NotPetya) and not always targeted.

4. Risk Transfer can alleviate some concerns, but the solution has to extend beyond insurance.

5. Risk Engineering: Investment in infrastructure and changes in culture can help mitigate exposures.

What is your tolerance for risk?

Page 15: Understanding Cyber Risk

Business interruption scenario

Scenario:

• Attack on hotel/casino webpages

• Inappropriate image published and sites disabled

• Online booking was offline for one week

Method of attack:

• Malware planted on 1,100 computers and 200 servers

Loss:

• Three physical locations shut down

• Significant impact to online gambling business

• Employee and customer data implicated

Claim:

• $100 million in damages and business interruption

• Significant computer forensics, data restoration and alleged business interruption

Attacker’s profile: Targeted based on political beliefs of the business owner; vengeance-based; “hacktivism” via a nation-state

Page 16: Understanding Cyber Risk

How can you manage your cyber risk?

Does my business have cyber exposure?

• No: Lucky… Are you sure?

• Yes: Prevention, Preparation, Risk Transfer

Page 17: Understanding Cyber Risk

Controlling cyber exposures

Zurich’s Cyber Risk Assessment approach is based on the NIST* Framework for Improving Critical Infrastructure Cybersecurity.

*National Institute of Standards and Technology (U.S.)

Framework functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER

Page 18: Understanding Cyber Risk

The NIST Framework (IDENTIFY): What is the customer protecting?

Develop the organizational understanding to manage cybersecurity risks to systems, assets, data and capabilities.

Information asset inventory:

• Data, classified

• Hardware

• Software

• Operating systems

  o Versions

  o Patch levels

Risk assessment: By asset or class of assets
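The IDENTIFY slide asks for an asset inventory (hardware, software, OS version, patch level, classified data) and a risk assessment by asset or class of assets, and the Terminology slide defines risk as likelihood of exploitation combined with impact. The script below is an added example, not material from the Zurich deck: it puts those two slides together by scoring a small constructed inventory. The 1 to 5 scales, the weights given to each condition (internet exposure, missing patches, no MFA), the impact mapping by data classification and every inventory row are assumptions chosen for illustration.

```python
"""Risk assessment by asset or class of assets (added example, constructed data).

Risk = likelihood of an exploitation x impact of the adverse event, per the
deck's definition. Scales, weights and the inventory rows are assumptions.
"""
from dataclasses import dataclass

# Impact scale (1-5) keyed by the classification of data the asset holds: assumed mapping.
IMPACT_BY_CLASSIFICATION = {
    "public": 1,
    "internal": 2,
    "confidential": 4,
    "regulated": 5,  # e.g. patient records or payment data
}


@dataclass
class Asset:
    name: str
    asset_class: str          # e.g. "web server", "database", "endpoint"
    operating_system: str
    os_version: str
    data_classification: str  # key into IMPACT_BY_CLASSIFICATION
    internet_exposed: bool = False
    missing_critical_patches: int = 0
    mfa_enforced: bool = True


def likelihood(asset: Asset) -> int:
    """Likelihood of exploitation on a 1-5 scale.

    Each condition that leaves the asset open to a threat (a vulnerability in
    the deck's terms) raises the score; the weights are assumptions.
    """
    score = 1
    if asset.internet_exposed:
        score += 2
    if asset.missing_critical_patches > 0:
        score += 2
    if not asset.mfa_enforced:
        score += 1
    return min(score, 5)


def impact(asset: Asset) -> int:
    """Impact of a successful exploitation, driven by what data the asset holds."""
    return IMPACT_BY_CLASSIFICATION[asset.data_classification]


def risk_score(asset: Asset) -> int:
    """Relative risk = likelihood x impact (range 1-25)."""
    return likelihood(asset) * impact(asset)


def rank_assets(assets):
    """Assets ordered from highest to lowest risk (ties keep inventory order)."""
    return sorted(assets, key=risk_score, reverse=True)


def risk_by_class(assets):
    """Highest risk score seen in each class of assets."""
    result = {}
    for asset in assets:
        result[asset.asset_class] = max(result.get(asset.asset_class, 0), risk_score(asset))
    return result


# Constructed sample inventory (not real hosts).
INVENTORY = [
    Asset("web-01", "web server", "Linux", "18.04", "internal",
          internet_exposed=True, missing_critical_patches=3),
    Asset("ehr-db-01", "database", "Windows Server", "2012 R2", "regulated",
          missing_critical_patches=5, mfa_enforced=False),
    Asset("parking-ctl-01", "building control", "Embedded Linux", "3.10", "internal",
          internet_exposed=True, missing_critical_patches=2, mfa_enforced=False),
    Asset("hr-laptop-17", "endpoint", "Windows 10", "1809", "confidential"),
]


if __name__ == "__main__":
    for asset in rank_assets(INVENTORY):
        print(f"{asset.name:15} L={likelihood(asset)} I={impact(asset)} risk={risk_score(asset)}")
```

The ranking puts the unpatched database holding regulated data first even though it is not internet-facing, because impact multiplies likelihood; the exposed web server and the exposed building controller tie, which is the kind of result that prompts a closer look at what a building-control network can reach.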

Page 19: Understanding Cyber Risk

The NIST Framework (PROTECT): How are the identified assets protected?

Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Protective controls:

• Network perimeter

  o Firewalls

  o Intrusion detection/prevention

• User endpoints

  o Desktops, laptops (internal and remote)

• Servers

  o Hardened, standard configuration

  o Application whitelisting

Segmentation

Page 20: Understanding Cyber Risk

Enterprise network

Diagram components: INTERNET, ROUTER, IDS/IPS, SWITCH, DMZ (EMAIL, WEB APPS)

Page 21: Understanding Cyber Risk

Enterprise network with segmentation

Diagram components: INTERNET, ROUTER, IDS/IPS, SWITCH, DMZ (EMAIL, WEB APPS), SECURE SEGMENT, a second IDS/IPS
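The two diagrams contrast a flat enterprise network with one that adds a secure segment. The script below is an added example, not from the Zurich deck: it expresses each design as default-deny rules between zones and computes how far a foothold in one zone could extend using a single protocol, which is the question a risk engineer asks of a segmentation design. The zone names, rule sets and ports are constructed assumptions; a real firewall policy is far more detailed than this zone-level model.

```python
"""Zone-level segmentation policy check (added example, constructed rules).

Models the flat network and the segmented network as default-deny rules
between zones and reports which zones one protocol can reach from a start zone.
"""
from collections import deque

ANY = "any"

# Rule: (source zone, destination zone, allowed destination ports or ANY).
# Flat design: DMZ hosts and the enterprise LAN can talk to each other freely.
RULES_FLAT = [
    ("INTERNET", "DMZ", {25, 443}),   # mail and web apps published to the internet
    ("DMZ", "ENTERPRISE", ANY),
    ("ENTERPRISE", "DMZ", ANY),
    ("ENTERPRISE", "INTERNET", ANY),
]

# Segmented design: the DMZ may only deliver mail inward, the secure segment is
# reachable only on the application port, and outbound traffic is limited.
RULES_SEGMENTED = [
    ("INTERNET", "DMZ", {25, 443}),
    ("DMZ", "ENTERPRISE", {25}),              # mail relay hands mail to the internal server
    ("ENTERPRISE", "DMZ", {25, 443}),
    ("ENTERPRISE", "INTERNET", {80, 443}),
    ("ENTERPRISE", "SECURE_SEGMENT", {443}),  # application front end only
]


def allowed(rules, src, dst, port):
    """Default deny: a flow passes only if some rule matches the zone pair and port."""
    if src == dst:
        return True  # same zone, no boundary to cross
    for rule_src, rule_dst, ports in rules:
        if rule_src == src and rule_dst == dst and (ports == ANY or port in ports):
            return True
    return False


def reachable_on_port(rules, start, port):
    """Zones reachable from `start` by hopping zone to zone on one port.

    This approximates the blast radius of a foothold in `start` for an intruder
    who relies on one service (the deck's hospital case involved RDP).
    """
    zones = {zone for rule in rules for zone in rule[:2]}
    seen = {start}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for zone in zones:
            if zone not in seen and allowed(rules, here, zone, port):
                seen.add(zone)
                queue.append(zone)
    return seen


RDP = 3389

if __name__ == "__main__":
    for label, rules in (("flat", RULES_FLAT), ("segmented", RULES_SEGMENTED)):
        print(label, "reachable from DMZ over RDP:", sorted(reachable_on_port(rules, "DMZ", RDP)))
```

In the flat design a compromised DMZ host can reach the whole enterprise LAN over RDP; in the segmented design the same foothold reaches nothing beyond the DMZ, and the secure segment is reachable only from the enterprise zone on the one application port. A second IDS/IPS on the secure segment boundary, as in the diagram, is where that remaining path would be watched.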

Page 22: Understanding Cyber Risk

The NIST Framework (PROTECT): How are the identified assets protected? (continued)

Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Protective controls on the data:

• Segmentation

• Encryption

  o At rest

  o In transit

  o On backups

  o On removable devices

• Restricted access

  o User access

  o Privileged access

  o Third-party access

• Multifactor authentication

Page 23: Understanding Cyber Risk

The NIST Framework (DETECT): How does the customer know when something is amiss?

Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

• IDS/IPS

• SIEM = Security Information and Event Management
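The DETECT slide names IDS/IPS and a SIEM but not what a SIEM actually does with the events it collects. The script below is an added example, not from the Zurich deck: it implements one correlation rule of the kind a SIEM runs over logon telemetry, counting failed logons per source address inside a sliding window (the brute-force pattern from the deck's hospital scenario) and escalating the alert when a successful logon from the same source follows shortly after. The log format, host name, user names and addresses are constructed for the example; a real deployment would read Windows or RDP gateway events instead.

```python
"""SIEM-style correlation rule over constructed authentication logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log lines: RFC 5737 documentation addresses, fictitious users and host.
SAMPLE_LOG = """\
2019-03-04T02:14:01Z host=rdp-gw-01 event=logon_failed user=administrator src=203.0.113.45
2019-03-04T02:14:09Z host=rdp-gw-01 event=logon_failed user=administrator src=203.0.113.45
2019-03-04T02:14:20Z host=rdp-gw-01 event=logon_failed user=admin src=203.0.113.45
2019-03-04T02:14:33Z host=rdp-gw-01 event=logon_failed user=jsmith src=203.0.113.45
2019-03-04T02:14:47Z host=rdp-gw-01 event=logon_failed user=jsmith src=203.0.113.45
2019-03-04T02:15:10Z host=rdp-gw-01 event=logon_failed user=jsmith src=203.0.113.45
2019-03-04T02:15:30Z host=rdp-gw-01 event=logon_success user=jsmith src=203.0.113.45
2019-03-04T02:20:00Z host=rdp-gw-01 event=logon_failed user=mlopez src=198.51.100.7
2019-03-04T02:20:15Z host=rdp-gw-01 event=logon_success user=mlopez src=198.51.100.7
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the constructed format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def parse_log(text):
    """Parse every line of a log text, skipping lines in an unknown format."""
    return [event for event in (parse_line(line) for line in text.splitlines()) if event]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source has at least `threshold` failed logons inside `window`.

    The alert opens when the threshold is crossed and keeps counting further
    failures. A successful logon from the same source within the window after
    the last failure escalates severity, since that is what a guessed password
    looks like; a lone typo followed by success (the second source) does not.
    """
    failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    open_alerts = {}               # src -> alert dict already raised
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["event"] == "logon_failed":
            recent = failures[src]
            recent.append(ev["ts"])
            while ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alert = open_alerts.get(src)
                if alert is None:
                    alert = {"src": src, "host": ev["host"], "first": recent[0],
                             "severity": "medium", "success_after": None}
                    open_alerts[src] = alert
                    alerts.append(alert)
                alert["failures"] = len(recent)
                alert["last"] = ev["ts"]
        elif ev["event"] == "logon_success":
            alert = open_alerts.get(src)
            if alert and ev["ts"] - alert["last"] <= window:
                alert["severity"] = "high"
                alert["success_after"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample the rule raises one alert for 203.0.113.45 with six failures and escalates it to high because the `jsmith` logon succeeds twenty seconds after the last failure; the single failed attempt from 198.51.100.7 never reaches the threshold. The threshold and window are the tuning knobs a SIEM exposes, and the "failures then success" escalation is what turns a noisy count into something the RESPOND plan on the next slide should act on.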

Page 24: Understanding Cyber Risk

The NIST Framework (RESPOND): When a problem is identified, is the customer prepared to respond?

Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Formal documented incident response plan:

• Assigns roles and responsibilities

• Includes all levels up to C-suite and board of directors

• Includes arrangements with breach service providers

• Tested regularly

Page 25: Understanding Cyber Risk

The NIST Framework (RECOVER): If systems are damaged or unavailable, are there alternative arrangements to keep the business operating?

Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Document plans for disaster recovery and business continuity:

• Prioritize systems and applications

• Have recovery time objectives

• Have recovery point objectives

• Have alternate data center facilities

• Have manual workarounds

• Test plans regularly

Page 26: Understanding Cyber Risk

The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.

© 2019 Zurich American Insurance Company. All rights reserved.

Thank you