
Mission Assurance: Cyber Risks and the Impact on Your Organization

Jerry Vevon, Vice President
Jonathan Allen, Senior Associate

Orlando, FL, 22 March 2010

This document is confidential and is intended solely for the use and information of the client to whom it is addressed.

Agenda

Overview of Cyber threats and vulnerabilities

Cyber Resiliency

Managing Cyber Risks through Enterprise Risk Management

Moving towards Cyber Assurance

Questions

By 2020 there will be almost 3 billion internet users, driving massive new investments in infrastructure, technology, and new security architectures

[Chart: “Where we’ve been” (1990 to 2010) and “Where we’re going” (2005 to 2020). Internet users: < 1 million (1990) to 1.6 billion (2010). Cell phones: 11 million to 3 billion. Internet users in China: 111m (2005) to 660m (2020). Source: http://www.personalizemedia.com/garys-mobile-industry-count/]

The threats are more diverse and capable, increasing both the frequency and magnitude of attacks… …and continue to grow as the web continues to evolve

Over 500,000 web sites were compromised in 2008
– 2009 witnessed a 60% increase in DoD alone

Symantec generates >10,000 threat signatures a day compared to 1,000 per week just a few years ago

Attacks on Estonia, Latvia, Lithuania, and in 2008 Georgia during its war against Russia

Current controversy between China & Google in China (cyber attacks and civil liberties)

“Sabotaging the System”, November 8, 2009: http://www.cbsnews.com/video/watch/?id=5578986n&tag=contentMain;contentBody

Exploitable defects in software lead to vulnerabilities and great risks to organizations

Buffer Overflow
– Microsoft "Code Red" Worm, July 2001: Estimated cost was over $1.2 billion dollars (BBC News)

SQL Injection
– Guess.com, Feb 2002: Security flaws placed consumers' credit card numbers at risk to hackers
– Petco.com, Nov 2004: Security flaws allowed hackers to access consumers’ credit card information
– T.J. Maxx, Dec 2006: Affected accounts, including all major credit cards, exceeded 45.7 million

Symantec, Internet Security Threat Report 2008
– 48% of reported vulnerabilities would be addressed by Software Assurance

Hacking into US Predator drones, Dec 2008
– Militants in Iraq used $26 off-the-shelf software to intercept live video feeds, providing them with information they need to evade or monitor U.S. military operations

F-35 Jet Fighter Program Breached, Apr 2009
– Hackers were able to copy several terabytes of data on the $300 billion Joint Strike Fighter project, which may make it easier to defend against the aircraft

…costing nearly $60 billion USD a year according to NIST estimates

Root cause of security challenges:
– Gartner estimated that 75% of breaches are due to security flaws in software
– NIST estimates that 92% of vulnerabilities are in software

The cost of fixing a bug in the field is approximately $30,000 vs. $5,000 during coding (NIST, “The Economic Impacts of Inadequate Infrastructure for Software Testing”, 2002)

The Gartner Group estimated that system downtime caused by software vulnerabilities would triple from 5% to 15% by 2008 for firms that did not take proactive security steps

“Software development organizations that perform security code reviews will experience a 60% decrease in critical vulnerabilities found in production environments” (Gartner, April 2006)

Symantec Corp released the findings of its global 2010 State of Enterprise Security study
– The study found that 42% of organizations rate security their top issue
– 75% of organizations experienced cyber attacks in the past 12 months
– These attacks cost enterprise businesses an average of $2 million per year
– Enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues, and IT compliance issues

Cyber security efforts must evolve from a traditional defense model to better reflect today’s complex operating environment

[Figure: security approaches plotted against Time and System Complexity, with axes labelled Security and Resilience: Security Castles (1980s), Risk-informed Security Processes (1990s), Adaptive Risk Security Processes (2000s), Resilient Cyber Enterprises (future). Further labels: Device- and Process-Focused; Data / Informing / Knowing; Basic / Formative / Complex.]

Resilient Cyber Enterprises have the capacity to absorb attacks and perturbations to their cyber systems without a negative operational impact

Definition: The capacity of a system to withstand the damage of a cyber attack, and to continue operating without impact on output or function. A resilient system is able to incorporate functional changes without altering the quality of the service it delivers.

Cyber Resilience recognizes an organization’s cyber weaknesses and capitalizes on its strengths to ensure a secure, available infrastructure

Cyber Resilience introduces a new way of viewing risk
– Cybersecurity looks at the threat associated with an attack
– Cyber Resilience focuses on the consequence of an attack

Considers first what we want to protect and then works backwards to determine the most effective strategy for protecting the asset

Cannot be added on after an attack has already begun; resilience must be either built into new systems or retrofitted to current systems
– “Baking in” resilience from the start is always the most preferable approach

Security is not sacrificed for the sake of resilience; security complements continuity activities to ensure a secure and available operating environment

Shift of thinking in terms of “defense”… …to thinking in terms of “resilience”

Cyber Resilience moves beyond traditional cyber defense strategies and focuses on continuing operations after an attack

Implications

Isolated → Interconnected
As our organizations expand from the micro to the macro level, it is no longer acceptable to protect our own parts of the system with little regard for interconnections. The assets themselves create a dynamic, complex system of systems, leveraging this interconnectedness to heal itself following an attack or disruption.

Reactive → Adaptive
Responding to a disruption or attack in a deliberate manner with a goal of optimizing availability calls for a forward-looking approach to anticipate, assess, act and adapt to changes in the environment. Planning and resources shift focus from preventing an attack to staying operational if an attack gets through.

Threat → Consequence
At the time of a disruption, resilient organizations don’t care why a system fails, who the attackers are, or what their goals might be. All that matters is that what needs to be operational stays operational to minimize the impact of the disruption.

Rigid → Resilient
Resilient organizations withstand systemic shocks, discontinuities and disruptions. Moving from a hardened approach toward resilience requires the integration of strategy, policy changes, operations, technology, culture, and management across the extended enterprise.

Proactive planning to mitigate outages to the IT infrastructure is needed to reach the next stage of preparedness

Mission Assurance-Related Initiatives

Creation of a more resistant system / organization
– Reduced impact (internal & external)
– Faster recovery times

Reduction and containment of potential damage
– Public image
– Economic
– Security

Goodwill creation amongst shareholders
– Citizens
– Institutions
– Partners
– Media

Increased transparency in risk management to ease decision making

Clear definition of roles and responsibilities

Integrated Computer Network Defense with Mission Assurance

Multi-Tiered Enterprise Risk Management for a Cyber Organization

Strong cyber programs manage risk from an “enterprise” view by looking at how all business units can impact cyber operations

[Figure: tiered model pairing Mission Activities with Risk Activities. Mission Activities: Strategy Development & Executive Decision Making; Management of Federal Requirements; Management of Specific Business Functions; Day-to-Day Operations. Risk Activities: Risk-Based Decision Making & Capital Allocation (Risk Executive Function, REF); DR Cyber Policy; Cyber Ops; System Lifecycle Risk Management.]

…to make risk-informed decisions regarding which cyber program investments are optimal and “buy down” the most risk

[Figure: risks identified at each tier (REF, DR Cyber Policy, Cyber Ops) feed into Optimal Enterprise Risk Mitigation Options.]

Key Questions
– What are the key risks to my mission?
– How effectively can we mitigate or capitalize on those risks?
– Which capabilities (resources) should we invest in?
– How can we help make our collective operations more resilient?

Cyber Risk Mitigation Decisions

1. Implement stronger software security controls
2. Develop information security metrics program
3. Provide stronger executive insight into operations
4. Enhance training program
5. Conduct bi-annual continuity exercises

Establishing cyber resilience relies upon matching the mission requirements against both the technology and infrastructure… …with effective contingency planning for facilities, systems, processes, and personnel

[Figure: resilience planning across layers. Mission / Business Layer: Leadership / C2, Management, Mission Functions, Mission Processes. People Layer: Staff and Critical Skills. Application Layers: Data, Applications. Infrastructure Layers: Servers / Workstations, Networks, Facilities / Services. Plans shown alongside the layers: Continuity of Operations Plan (COOP); Information Technology Contingency & Disaster Recovery Plan (ITCP & ITDRP); Facility Security Plan (FSP).]

Identify mission critical systems, to include users and associated data

Identify IT requirements and coordinate with the Facility and infrastructure owners

IT Continuity and Resilience capabilities mitigate potential impacts from a loss or disruption in critical IT services and infrastructure… …supporting risk-informed decision making by organizational leadership and reducing redundant infrastructure investments

I/T Resilience
– Proactive implementation of infrastructure, security, and processes that withstand business interruptions to production operations as well as provide Business Continuity / Disaster Recovery capabilities to enhance overall preparedness
– Coordination across the entire IT organization to ensure infrastructure is properly architected to mitigate vulnerabilities while maximizing investment

New Global Drivers… …require a strategic shift… …to protect missions within the cyber domain

Mission Assurance Programs have the unique ability to ensure organizations are prepared to meet the world’s new challenges

[Figure: People (“An Aware Culture”), Processes (“A Focus on Resiliency”) and Technology (“Agile and Mission-Ready”) combine into a Mission Resilient Enterprise.]

Mission Integration Areas: Strategy & Policy, Operations, Technology, People & Culture, Management

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for more than 95 years. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.

To learn more, visit www.boozallen.com.

Contacts

Jerry Vevon, Vice President, Booz | Allen | Hamilton

Jonathan Allen, Senior Associate, Booz | Allen | Hamilton

8283 Greensboro Drive, McLean VA 22102 USA
Tel
[email protected]

One Dulles Center, 13200 Woodland Park Road, Herndon VA 20171 USA
Tel (703) 377-7687
[email protected]