
© 2016 Deloitte Dutch Caribbean

Cyber Warriors at Work

Riding the wave of tech trends


Willemstad, 19 October 2016

Mario Flores & Roy Jansen


Contents

Setting the scene - threat Landscape more complex than ever

Cyber Warfare

The need for a new breed CISO

Cyber Value at Risk


Organizations are spending more money and paying more attention than they ever have …

… but for many the problem seems to be getting worse

Organizations will spend $82 billion on information security in 2016, according to Gartner


The most common answers focus on the “adversary” … who is increasingly determined and sophisticated …


and the view that adversaries are well funded … often by organized crime

and in some cases can even be “state sponsored”


But this is just one side of the coin …


The things that organizations do to innovate and drive performance are the very things that create cyber risk


We have connected our economy and our society using platforms designed for sharing information … not protecting it


Organizations must trust people every day


Industry knowledge matters … because cyber risks vary significantly by sector … as do regulatory requirements


Cyber Warfare

The 5th dimension of war


Hacktivism or Cyber Warfare?

US Central Command Twitter Account Hacked (2015)


Definition

What is Cyber Warfare?


Targets

Cyber Warfare


Military Networks

Government Agencies

Power Plants

Stock Exchange

Transportation Infrastructure

Telcos

eCommerce & Financial

Media Companies


Examples of what we know

Cyber Espionage and Warfare is here (and has been for some years)


2009 – GhostNet: cyber espionage by China infiltrating 103 countries' high-value political, media and economic locations

2013 – Russia allegedly attacking Ukraine's power grid and leaving areas without energy

2014 – US finds evidence of Chinese Government infiltrating systems of airlines, technology companies and contractors involved in the movement of troops and military equipment

2016 – Russia allegedly hacking e-mails of the Democratic Party and Hillary's campaign manager to influence presidential elections

2010 – Stuxnet computer worm, Flame and Nitro Zeus by the US NSA


Simple facts

Cyber Warfare


Billions of dollars being invested in State Sponsored Cyber Warfare

The supposed “Air Gap” provides an unreal sense of security

Significant increase seen in State organized cyber attacks

Particularly aimed at social, financial and political impact, and not so much physical.

Industrial Control Systems typically have older less secure technology and are not hardened

Raw Materials are readily available on the Internet


The world's scariest search engine

Shodan in the world of Internet of Things


Searching for Vestas Wind Turbines

ICS Scan


Moxa Oncell it is…..

Accessing the Turbine configuration module


Searching for default passwords

Moxa Manual


Open Sesame…..

Applying default passwords


Wind Turbine, where art thou?

IP Geo-location


Seek and you will find

Google Maps


How to stem the threat?

Cyber Warfare – we are inherently vulnerable

01 International Cooperation

- Between States
- Between States and the Private Sector

02 Cyber treaties

- 1675 Strasbourg Agreement (1st treaty banning chemical weapons)
- 1967 Treaty of Tlatelolco (no nuclear arms in Latin America and Caribbean)
- 1990 Chemical Weapons Accord

03 Offensive vs Defensive

04 Options


Key capabilities to combat and control Cyber Warfare

Global Cyber Maturity Curve


The New CISO

Leading the strategic security organization


CISO's former professional roles

Managing vital functions


A new type of cyber warrior

The four faces of the CISO


Shifting dimensions

The evolving CISO role


Why do companies struggle?

Challenges in creating a strategic security organization

• Narrow perspective: Limited exposure & knowledge of overall business

• Communication: Struggle to communicate and interact with business leaders. Cyber is considered a technical problem.

• Talent: Lack of security talent (quantity and capability) keeps CISO from focusing on the big picture

• False sense of security: Executives think compliance equals security (especially in regulated industries)

• Competing Agendas: Other priorities prevent C-suite from elevating enterprise security


To see where we’re going:

Could someone turn on the lights?


Progress made over the last years is growing increasingly rapidly

Start of a Journey with the World Economic Forum

Timeline, 2011 to 2015:

• 2011: In 2011, the Forum launched the Risk & Responsibility in a Hyperconnected World initiative. Key result of the project is the Partnership for Cyber Resilience (PCR), which launched in Davos during the 2012 Annual Meeting.

• 2012 and 2013: Throughout 2012 and 2013, the Forum discussed changing cyber risks with key organisations around the globe representing over 1 trillion US$ in annual revenue and nearly 4 million FTEs.

• 2014: During 2014, a new discussion emerged in the Forum around methodologies to measure and quantify cyber risks at the enterprise, market, national and international (trade) levels. Key result was the report: Towards the Quantification of Cyber Threats, presented at Davos early 2015.

This report calls for a common approach for Cyber Value at Risk. It introduces the Cyber Value at Risk concept and identifies key components for cyber risk modelling. On the other hand, suitable modelling methodologies, existing limitations and solutions are discussed. Wider pick-up of Cyber Value at Risk models will amplify their quality and use through better data availability.

This report introduces main principles for cyber resilience, guidelines for cyber resilience program development against a generic maturity model as well as an executive level checklist that may help identify one's current position. It identifies the most important components in understanding and dealing with cyber risks as well as the wider impact from society-wide interconnectedness.


Benefit & objectives

Cyber Value at Risk

Given a successful cyber attack, a company will not lose more than X amount of money over a period of time, with 95% confidence

The goal of Cyber Value at Risk is to standardize and unify different factors (vulnerabilities, assets, attacker profile) into a single normal distribution that can quantify the value at risk in case of a cyber attack


Value impact from abuse of Information Assets, limited by controls

Operationalizing Cyber Value at Risk

Based on the Forum's initiative and further research and public data, the report 'Cyber Value at Risk in The Netherlands' was published in April 2016

In this report, the risk levels for the 14 largest sectors in The Netherlands are presented, providing a view of the current Dutch cyber threat landscape. The high level underlying structure per sector is depicted below.

Diagram labels: Threats, Security controls, Information Assets

Threat profiles
1. Espionage
2. Advanced Crime
3. Bulk Crime
4. Hacktivism

Information Assets
1. Privacy-related
2. Business clients
3. Intellectual property
4. Strategic information
5. Operational continuity
6. Liquidity integrity
7. Control integrity

Cyber security controls
1. Protection from entry
2. Protection from abuse
3. Detection and response
4. Resilience and recovery


Industry specific impact & threat profile levels

Oil, Gas & Chemicals


Public Sector


Banking


Defense & Aerospace


The need for cyber risk quantification has five components

And associated requirements depicted below

Components:

• Trust-based business
• Risk transfer
• Risks managed
• Security optimal
• Secure society

Associated requirements:

• Identifying third party contribution and diversification
• Identifying risks to social values
• Identifying right focus and direction
• Identifying trade-offs in security architecture
• Identifying added value of business and trust


From qualitative to quantitative approaches

Main distinguishing features

Qualitative

Description: Qualitative risk assessment against

• Cyber risk framework
• Capability maturity model
• Compliance checklist, etc.

Benefits:

• Relatively easy to start
• Starting point for discussion at CRO level

Required:

• Interpretation and translation
• Judgement of relative importance of components

Semi-quantitative

Description: Additional quantitative indicators

• Monitored threat levels
• Performance and risk dashboard
• Incident and loss database

Benefits:

• Cyber risk management based on targets and limits
• Better evidencing of controls (not uniformly)

Required:

• Identifying metrics
• Regular measurements / data
• Judgement of relative importance of components

Quantitative

Description: Unifying quantitative metric

• Cyber risk model
• Threats linked to business value
• Parameters, data, assumptions

Benefits:

• Integrated risk management
• Business-rational budgeting, prioritization, optimization, etc.
• Uniform impact assessment of individual control effectiveness

Required:

• Iterative process for development and implementation of risk model
• Identifying data sources
• Validation and back-testing


Most known risks have a link with cyber risk

However, cyber risk requires new types of control

Some initial thoughts:

• Cyber space – defined as possibilities emerging from connected technologies

• Risks in cyber space lead to many types of non-cyber risks (examples below)

• Purpose of cyber risk controls is mitigating value loss also linked to other risk types

How can this complexity be managed? Unifying cyber risk model

How can effectiveness of controls be determined? Value at Risk metrics

Risk category, sub-category and examples of impact from cyber breach:

Operational risks

• Legal risk: Claims following cyber incident
• Regulatory risk: Fines for non-compliance following breach
• Business continuity: Revenue lost due to cyber disruption
• Fraud risk: Overpayment commissions through portal
• Information risk: Most cyber breaches

Financial risks

• Market risk: Trade losses due to system unavailability
• Credit risk: Selection risk increase after reputation loss
• Liquidity risk: Run on the bank due to privacy breach


High-level Cyber Value at Risk model structure

Three main components: controls, threat landscape and value impact

High-level design of Cyber Value at Risk model

1. Controls (input: controls, metrics, dashboard)

2. Threats (input: threat intel, detection results)

3. Value impact (input: financials, BIA)

Other diagram labels: Attack process model, Fraction abused, Value at Risk
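The model structure above (controls, threats, an attack process model that yields a fraction abused, and value impact) can be sketched as a Monte Carlo simulation, one of the methodologies this deck lists. This is an added illustration, not Deloitte's model or code: the attempt probabilities, asset values, threat-to-asset targeting and control effectiveness figures are all constructed assumptions, and the 95% figure is read from the simulated loss distribution rather than from a fitted normal distribution.

```python
import random

# Threat profiles named in the deck; yearly attempt probabilities are constructed.
THREATS = {"Espionage": 0.10, "Advanced Crime": 0.20,
           "Bulk Crime": 0.60, "Hacktivism": 0.15}

# A subset of the deck's information asset classes; values (EUR) are constructed.
ASSETS = {"Privacy-related": 4_000_000, "Intellectual property": 9_000_000,
          "Operational continuity": 6_000_000}

# Which assets each threat profile goes after (constructed assumption).
TARGETS = {
    "Espionage": ["Intellectual property"],
    "Advanced Crime": ["Privacy-related", "Operational continuity"],
    "Bulk Crime": ["Privacy-related"],
    "Hacktivism": ["Operational continuity"],
}

# Effectiveness (0..1) of the four control groups from the deck; constructed.
NO_CONTROLS = {"entry": 0.0, "abuse": 0.0, "detect": 0.0, "recover": 0.0}
BASELINE = {"entry": 0.6, "abuse": 0.4, "detect": 0.5, "recover": 0.3}


def simulate_year(rng, controls):
    """Loss for one simulated year under a simple attack process model."""
    loss = 0.0
    for threat, p_attempt in THREATS.items():
        for asset in TARGETS[threat]:
            # Draw every variate unconditionally so that two control sets run
            # with the same seed are compared on identical attack scenarios.
            u_entry, u_abuse, raw_fraction = (rng.random(), rng.random(),
                                              rng.random())
            if u_entry >= p_attempt * (1 - controls["entry"]):
                continue  # no attempt, or stopped by protection from entry
            if u_abuse >= 1 - controls["abuse"]:
                continue  # stopped by protection from abuse
            # Detection and response limits the fraction of the asset abused.
            fraction_abused = raw_fraction * (1 - controls["detect"])
            # Resilience and recovery wins back part of the accumulated loss.
            loss += ASSETS[asset] * fraction_abused * (1 - controls["recover"])
    return loss


def cyber_var(controls, confidence=0.95, trials=20_000, seed=2016):
    """Yearly loss not exceeded in `confidence` of the simulated years."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, controls) for _ in range(trials))
    return losses[min(trials - 1, int(confidence * trials))]


def control_effect(controls, name, improved):
    """Reduction in Value at Risk from raising one control's effectiveness."""
    better = dict(controls, **{name: improved})
    return cyber_var(controls) - cyber_var(better)


if __name__ == "__main__":
    print(f"95% VaR without controls: {cyber_var(NO_CONTROLS):,.0f}")
    print(f"95% VaR with baseline:    {cyber_var(BASELINE):,.0f}")
    for name in BASELINE:
        gain = control_effect(BASELINE, name, 0.8)
        print(f"raising {name!r} to 0.8 lowers VaR by {gain:,.0f}")
```

Comparing `control_effect` across the four control groups is one way to express the effectiveness of an individual control as a change in Value at Risk.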


Linking the operational and managerial levels

Feedback mechanism ensures quality control

Operational level: attack process model

Attack phases: Targeting, Entry, Abuse

Accumulating Losses

Controls:

a) Protection from entry
b) Breach detection and response
c) Protection from abuse
d) Abuse detection and response
e) Recovery of losses

Other Attacks:

• DDoS
• 3rd party
• Insider
• Backdoor

Management level: plan-do-check-act cycle

Cycle steps: Plan, Do, Check, Act

Activities in the cycle:

• Performance settings
• Performance execution
• Threat assessments
• Impact assessments
• Performance monitoring
• Threat monitoring
• Incident monitoring
• Assumption settings
• Performance adjustments
• Assumption adjustments

Cycle labels: Monitoring, Execution, Optimisation, Adjustments


A multitude of cyber risk quantification methodologies exist, each having pros and cons

Cyber risk quantification methodologies

Factor models
E.g. FAIR framework
+ Holistic approach possible
- Can lead to large number of parameters

Scenario analysis and simulation
E.g. Monte Carlo simulation, attack-defense trees
+ Flexible, tailored and detailed results
- Large amount of data

System dynamics
E.g. large Dutch bank identifying long term cycles
+ Especially suited for modeling feedback loops
- Time delays impede evidencing in complex organizations

Behavioral modeling
E.g. agent-based modeling
+ Insight in complex ecosystem with multiple parties
- Defining right interactions upfront not straightforward

Combinations and other techniques
E.g. sensitivity analysis, data analytics, information engineering, expert models

Deloitte Cyber Value at Risk approach combines:

• Scenario analysis and simulation
• System dynamics
• Behavioral modeling


Business management of cyber risk

Actionable insight based on dashboard

Dashboard

Cyber risk dashboard displays:

• Exposure to cyber risks based on
  - Cyber risk threat levels
  - Cyber security in portfolio
• Plotted against Risk Appetite
• Resulting in cyber Value at Risk

Cyber resilience framework

• Cyber threat intelligence (CTI)
• Cyber risk quant model
• Cyber security analytics

Input

• Threat scenarios
• Cyber risk control data
• Cyber risk vision
• Cyber risk appetite
• Incident data

Result

• Cyber security effective
• Cyber security efficient
• Cyber risk managed
• Cyber ecology secure


A multi-disciplinary approach for comprehensive view on cyber risk

Cyber Value at Risk network – academic research


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.nl/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries bringing world-class capabilities, insights, and high-quality service to address clients' most complex business challenges. To learn more about how Deloitte's approximately 225,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.
