TRANSCRIPT
Mission Assurance: Cyber Risks and the Impact on Your Organization
Jerry Vevon, Vice President
Jonathan Allen, Senior Associate
Orlando, FL, 22 March 2010
This document is confidential and is intended solely for the use and information of the client to whom it is addressed.
Agenda
Overview of Cyber threats and vulnerabilities
Cyber Resiliency
Managing Cyber Risks through Enterprise Risk Management
Moving towards Cyber Assurance
Questions
By 2020 there will be almost 3 billion internet users, driving massive new investments in infrastructure, technology, and new security architectures
[Charts, "Where we've been" (1990) to "Where we're going" (2010): Internet Users < 1 million to 1.6 billion; Cell Phones 11 million to 3 billion. Internet Users in China, 2005 to 2020: 111m to 660m]
Source: http://www.personalizemedia.com/garys-mobile-industry-count/
The threats are more diverse and capable, increasing both the frequency and magnitude of attacks…
– Over 500,000 web sites were compromised in 2008
– 2009 witnessed a 60% increase in DoD alone
– Symantec generates >10,000 threat signatures a day compared to 1,000 per week just a few years ago
– Attacks on Estonia, Latvia, Lithuania, and in 2008 Georgia during its war against Russia
– Current controversy between China & Google in China (cyber attacks and civil liberties)
– "Sabotaging the System", November 8, 2009: http://www.cbsnews.com/video/watch/?id=5578986n&tag=contentMain;contentBody
…and continues to grow as the web continues to evolve
Exploitable defects in software lead to vulnerabilities and great risks to organizations…
– Buffer Overflow – Microsoft "Code Red" Worm, July 2001: Estimated cost was over $1.2 billion (BBC News)
– SQL Injection
  – Guess.com, Feb 2002: Security flaws placed consumers' credit card numbers at risk to hackers
  – Petco.com, Nov 2004: Security flaws allowed hackers to access consumers' credit card information
  – T.J. Maxx, Dec 2006: Affected accounts, including all major credit cards, exceeded 45.7 million
– Symantec, Internet Security Threat Report 2008 – 48% of reported vulnerabilities would be addressed by Software Assurance
– Hacking into US Predator drones, Dec 2008 – Militants in Iraq used $26 off-the-shelf software to intercept live video feeds, providing them with information they need to evade or monitor U.S. military operations
– F-35 Jet Fighter Program Breached, Apr 2009 – Hackers were able to copy several terabytes of data on the $300 billion Joint Strike Fighter project, which may make it easier to defend against the aircraft
…costing nearly $60 billion USD a year according to NIST estimates
– Root cause of security challenges:
  – Gartner estimated that 75% of breaches are due to security flaws in software
  – NIST estimates that 92% of vulnerabilities are in software
– The cost of fixing a bug in the field is approximately $30,000 vs. $5,000 during coding (NIST, "The Economic Impacts of Inadequate Infrastructure for Software Testing", 2002)
– The Gartner Group estimated that system downtime caused by software vulnerabilities would triple from 5% to 15% by 2008 for firms that did not take proactive security steps
– "Software development organizations that perform security code reviews will experience a 60% decrease in critical vulnerabilities found in production environments" (Gartner, April 2006)
– Symantec Corp released the findings of its global 2010 State of Enterprise Security study
  – The study found that 42% of organizations rate security their top issue.
  – 75% of organizations experienced cyber attacks in the past 12 months.
  – Attacks cost enterprise businesses an average of $2 million per year.
  – Enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues, and IT compliance issues
Cyber security efforts must evolve from a traditional defense model to better reflect today's complex operating environment
[Chart, Security / System Complexity over Time: Security Castles (1980s, device- and process-focused) to Risk-informed Security Processes (1990s) to Adaptive Risk Security Processes (2000s) to Resilient Cyber Enterprises (future); stages labelled Basic / Formative / Complex and Data / Informing / Knowing]
Resilient Cyber Enterprises have the capacity to absorb attacks and perturbations to their cyber systems without a negative operational impact
Definition: The capacity of a system to withstand the damage of a cyber attack, and to continue operating without impact on output or function. A resilient system is able to incorporate functional changes without altering the quality of the service it delivers.
Cyber Resilience recognizes an organization's cyber weaknesses and capitalizes on its strengths to ensure a secure, available infrastructure
Cyber Resilience introduces a new way of viewing risk
– Cybersecurity looks at the threat associated with an attack
– Cyber Resilience focuses on the consequence of an attack
Considers first what we want to protect and then works backwards to determine the most effective strategy for protecting the asset
Cannot be added on after an attack has already begun – resilience must be either built into new systems or retrofitted to current systems
– "Baking in" resilience from the start is always the most preferable approach
Security is not sacrificed for the sake of resilience; security complements continuity activities to ensure a secure and available operating environment
Cyber Resilience moves beyond traditional cyber defense strategies and focuses on continuing operations after an attack
Shift of thinking in terms of "defense"… …to thinking in terms of "resilience", and the implications:
Isolated → Interconnected: As our organizations expand from the micro to the macro level, it is no longer acceptable to protect our own parts of the system with little regard for interconnections. The assets themselves create a dynamic, complex system of systems, leveraging this interconnectedness to heal itself following an attack or disruption.
Reactive → Adaptive: Responding to a disruption or attack in a deliberate manner with a goal of optimizing availability calls for a forward-looking approach to anticipate, assess, act and adapt to changes in the environment. Planning and resources shift focus from preventing an attack to staying operational if an attack gets through.
Threat → Consequence: At the time of a disruption, resilient organizations don't care why a system fails, who the attackers are, or what their goals might be. All that matters is that what needs to be operational stays operational to minimize the impact of the disruption.
Rigid → Resilient: Resilient organizations withstand systemic shocks, discontinuities and disruptions – moving from a hardened approach toward resilience requires the integration of strategy, policy changes, operations, technology, culture, and management across the extended enterprise.
Proactive planning to mitigate outages to the IT infrastructure is needed to reach the next stage of preparedness
Mission Assurance-Related Initiatives
Creation of a more resistant system/organization
– Reduced impact (internal & external)
– Faster Recovery Times
Reduction and containment of potential damage
– Public Image
– Economic
– Security
Goodwill creation amongst shareholders
– Citizens
– Institutions
– Partners
– Media
Increased transparency in risk management to ease decision making
Clear definition of roles and responsibilities
Integrated Computer Network Defense with Mission Assurance
Multi-Tiered Enterprise Risk Management for a Cyber Organization
Strong cyber programs manage risk from an "enterprise" view by looking at how all business units can impact cyber operations…
[Diagram, tiers with Mission Activities and Risk Activities: Risk Executive Function (REF); DR, Cyber Policy, Cyber Ops; Day-to-Day Operations. Mission Activities: Strategy Development & Executive Decision Making; Management of Specific Business Functions. Risk Activities: Risk-Based Decision Making & Capital Allocation; Management of Federal Requirements; System Lifecycle Risk Management]
…to make risk-informed decisions regarding which cyber program investments are optimal and "buy down" the most risk
[Diagram: REF, DR, Cyber Policy and Cyber Ops, each flagged with Risks ?]
Key Questions
– What are the key risks to my mission?
– How effectively can we mitigate or capitalize on those risks?
– Which capabilities (resources) should we invest in?
– How can we help make our collective operations more resilient?
Optimal Enterprise Risk Mitigation Options
Cyber Risk Mitigation Decisions
1 Implement stronger software security controls
2 Develop information security metrics program
3 Provide stronger executive insight into operations
4 Enhance training program
5 Conduct bi-annual continuity exercises
Establishing cyber resilience relies upon matching the mission requirements against both the technology and infrastructure…
[Diagram, Resilience Planning: layer stack of Mission Functions, Mission Processes, Staff and Critical Skills, Data, Applications, Servers / Workstations, Networks, Facilities / Services, grouped as Mission / Business Layer, Application Layers, Infrastructure Layers and People Layers, with Leadership / C2 Management above; plans by layer: Continuity of Operations Plan (COOP), Information Technology Contingency & Disaster Recovery Plan (ITCP & ITDRP), Facility Security Plan (FSP)]
Identify mission critical systems, to include users and associated data
Identify IT requirements and coordinate with the Facility and infrastructure owners
…with effective contingency planning for facilities, systems, processes, and personnel
IT Continuity and Resilience capabilities mitigate potential impacts from a loss or disruption in critical IT services and infrastructure…
I/T Resilience
– Proactive implementation of infrastructure, security, and processes that withstand business interruptions to production operations as well as provide Business Continuity/Disaster Recovery capabilities to enhance overall preparedness
– Coordination across the entire IT organization to ensure infrastructure is properly architected to mitigate vulnerabilities while maximizing investment
…supporting risk-informed decision making by organizational leadership and reducing redundant infrastructure investments
New Global Drivers… …require a strategic shift… …to protect missions within the cyber domain
Mission Assurance Programs have the unique ability to ensure organizations are prepared to meet the world's new challenges
[Diagram: People, Processes, Technology; "An Aware Culture", "A Focus on Resiliency", "Agile and Mission-Ready"; Mission Resilient Enterprise]
Mission Integration Areas: Strategy & Policy, Operations, Technology, People & Culture, Management
Booz Allen Hamilton has been at the forefront of strategy and technology consulting for more than 95 years. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.
To learn more, visit www.boozallen.com.

Jerry Vevon, Vice President
Jonathan Allen, Senior Associate
Booz | Allen | Hamilton
8283 Greensboro Drive, McLean VA 22102 USA
One Dulles Center, 13200 Woodland Park Road, Herndon VA 20171 USA
Tel (703) 377-7687