Risk Assessments
TRANSCRIPT
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.

Risk Assessments
Office of the CISO
:/whoami/
– 20+ years in IT and Information Security
– Former CSO, CISO, Privacy Director
– Bachelor's in Computer Science
– MBA
– Adjunct Professor at University of Dallas
– Certifications:
  • Cybersecurity
  • SANS GSEC
Who is Optiv?
Security Consulting
• Strategy
• Risk
• Architecture and Planning
• Incident Assurance and Response
• Compliance
• Applications Security
• Attack, Vulnerability and Penetration Testing
• Security Awareness and Training
Security Operations
• Monitoring
• Malware Detection
• Malware Analysis
• Technology Support
• Staffing
Security Technology
• Education
• Assessment and Validation
• Selection
• Sourcing
• Implementation
• Integration
Every security problem. Every level of engagement:
Project
• Products
• Services
Problem
• Architectures
• Integrated solutions and bundles
• Services
Program
• Functions, department
• Business advice
• Services
Every security aspect
• Strategy
• Management and Planning
• Defenses and Controls
• Monitoring and Operations
Every security service
Client centric approach: centered on each client’s unique needs and priorities
• Client data and intellectual property
• Insider threats
• Mobility
• Compliance and regulations
• Security awareness
• Cloud infrastructure services
• Evolving technology landscape
• Third-party risk
• Advanced threat
• Internet of Things (IoT)
• Threat intelligence
• Distributed denial of service
Agenda
• Risk Assessments
• Third Party / Cloud Considerations
• IOT Considerations
Evolution of the CISO
The focus has changed from protecting the IT infrastructure to managing the information risk to the organization.
CISO – Securing the Organization:
• Information Security – Secure the internal organization
• Third-Party Risk Management – Understand and manage the risk of third parties
• Regulatory Compliance Management – Understand and manage regulatory risks
• Business Acumen – Communicate information risk in business terms
CIRO
Risk Management
Enterprise Risk Management
  IT Risk Management
    Risk Assessments
Risk Definitions
• Assets – Anything of value
  • Specifically the costs associated with what we’re trying to protect
• Threat (Agents) – Anything that can exploit a vulnerability
  • Must compromise an asset (have an impact)
• Vulnerability – A weakness or gap in our controls
  • Controls are not adequate to fully address threat concerns
• Controls – Actions taken to mitigate threat effectiveness
  • Administrative, Logical, Physical
  • Preventative, Corrective, Detective
• RISK = The potential for an asset to experience negative consequences as a result of a threat exploiting a vulnerability.
Risk Equation
Risk = (Assets × Threats × Vulnerabilities) / Countermeasures (controls)
• Assets – what we are trying to protect
• Threats – what we are trying to protect against
• Vulnerability – what we are trying to address
• Controls – what we are doing to address them
Another View of the Risk Equation

Asset Valuation
ISO 22317
Research Threat Landscape
Information Security is the preservation of confidentiality, integrity, and availability of information and information systems.
Actor: Organized Criminals
  Motivation: Financial gain – sale of information on the black market; use of trusted partner data for further attacks
  Target Information: Personal Identifiable Information (PII), Personal Health Information (PHI), Trusted Partner Information, Financial Accounts, Credit Cards
Actor: Hacktivist Groups
  Motivation: Politics, ideology, business disruption, or reputation
  Target Information: Destroy data or disrupt business to lose credibility, influence, competitiveness, or stock value
Actor: Nation-States
  Motivation: Politics, economics, intellectual property, or military advantage
  Target Information: Intellectual Property, Competitive Formulas and Processes
Actor: Competitors
  Motivation: Intellectual property, competitive advantage, customer data
  Target Information: Intellectual Property, Growth, M&A Plans, Financial Results, Pricing, Competitive Formulas and Processes
Actor: Internal / External
  Motivation: Financial gain, intellectual property, or malicious destruction, non-malicious actions
  Target Information: Combination of all groups
Vulnerability Assessment
Threat Mapping Using an Attack Tree

Vulnerability Analysis

Controls Assessment
ISO 27000
Controls Assessment
RIIOT Approach
• Review documents
• Interview key personnel
• Inspect controls
• Observe behaviour
• Test controls
Define and Prioritize Risks
Risk matrix (Impact of Occurrence × Likelihood of Occurrence):

Impact \ Likelihood  Frequent  Probable  Conceivable  Improbable  Remote
Critical             R1.1      R1.3      R2.3         R3.5        R4.7
High                 R1.2      R2.1      R3.3         R3.6        R4.8
Moderate             R2.2      R3.1      R3.4         R4.5        R5.3
Low                  R3.2      R4.1      R4.4         R4.6        R5.4
Informational        R4.2      R4.3      R5.1         R5.2        R5.5

Risk Ranking Value:
R1.1 100, R1.2 98, R1.3 96, R2.1 94, R2.2 87, R2.3 80, R3.1 71, R3.2 61, R3.3 51, R3.4 41, R3.5 31, R3.6 21, R4.1 20, R4.2 18, R4.3 16, R4.4 14, R4.5 12, R4.6 10, R4.7 8, R4.8 6, R5.1 4, R5.2 3, R5.3 2, R5.4 1, R5.5 0

• Likelihood and Impact are DERIVED Characteristics
  – Impact = Asset Worth × Scale
  – Likelihood = Exploitability × Exposure
Define and Prioritize Risks - Another View
IT Risk Assessment heat map: Probability of Failure/Exploit (L, M, H) against Business Impact (L, M, H).
Risk Register
Category | Definition | Likelihood | Impact | Mitigation Complexity | Risk Rank
Data Exfiltration | Unauthorized access and/or theft of IP or sensitive data | High | High | High | 1
Insider Threat | Privilege misuse by disgruntled or careless employee and/or trusted third party | High | High | Medium | 2
Spear Phishing / Social Engineering | Targeted email with malicious link / malware | High | High | Medium | 3
Data Leakage / Loss | Exposure of sensitive information on endpoints and Cloud apps | High | High | Medium | 4
Compromised Privileged Credentials | Stolen login ID provides authorized access to an attacker | Medium | High | Medium | 5
Malware / Ransomware | Software that is intended to damage or disable computers and computer systems | Medium | High | High | 6
Advanced Persistent Threat Attack | Advanced attack by well-funded adversary over a long period | Medium | High | High | 7
Exploit of Known Security Flaws | Systems do not conform to configuration standards; patches not applied regularly | Medium | High | Medium | 8
External Website Compromise | Branded websites and external applications defaced or damaged | Medium | Medium | Medium | 9
Social Media | Facebook, Twitter, etc. where brand information could be posted | Medium | Low | Medium | 10
(Rank 1 = increased risk)
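Worked example, added here and not taken from the Optiv deck: the Impact × Likelihood matrix and its ranking values from the "Define and Prioritize Risks" slide, implemented so that a register like the one above can be scored and sorted by ranking value. The matrix cells and ranking values are the slide's own; the register entries and their Critical/Probable-style ratings are constructed for illustration, and the monotonicity check is an added sanity test for anyone adapting the matrix, not something the slide prescribes.

```python
"""Risk-matrix ranking: (Impact, Likelihood) -> R-rank -> ranking value -> sorted register.

Added example (not the deck's code). MATRIX and RANKING_VALUE reproduce the
slide; SAMPLE_REGISTER and its ratings are constructed."""

IMPACT = ["Critical", "High", "Moderate", "Low", "Informational"]
LIKELIHOOD = ["Frequent", "Probable", "Conceivable", "Improbable", "Remote"]

# Rows follow IMPACT, columns follow LIKELIHOOD (cells from the slide).
MATRIX = [
    ["R1.1", "R1.3", "R2.3", "R3.5", "R4.7"],
    ["R1.2", "R2.1", "R3.3", "R3.6", "R4.8"],
    ["R2.2", "R3.1", "R3.4", "R4.5", "R5.3"],
    ["R3.2", "R4.1", "R4.4", "R4.6", "R5.4"],
    ["R4.2", "R4.3", "R5.1", "R5.2", "R5.5"],
]

RANKING_VALUE = {
    "R1.1": 100, "R1.2": 98, "R1.3": 96,
    "R2.1": 94, "R2.2": 87, "R2.3": 80,
    "R3.1": 71, "R3.2": 61, "R3.3": 51, "R3.4": 41, "R3.5": 31, "R3.6": 21,
    "R4.1": 20, "R4.2": 18, "R4.3": 16, "R4.4": 14,
    "R4.5": 12, "R4.6": 10, "R4.7": 8, "R4.8": 6,
    "R5.1": 4, "R5.2": 3, "R5.3": 2, "R5.4": 1, "R5.5": 0,
}


def risk_rank(impact, likelihood):
    """Return (R-rank, ranking value) for an impact/likelihood pair; reject unknown labels."""
    try:
        cell = MATRIX[IMPACT.index(impact)][LIKELIHOOD.index(likelihood)]
    except ValueError as exc:
        raise ValueError(f"unknown impact/likelihood: {impact!r}/{likelihood!r}") from exc
    return cell, RANKING_VALUE[cell]


def matrix_is_monotone():
    """Sanity check for any custom matrix: the ranking value must never increase
    when impact or likelihood decreases (moving right or down in the grid)."""
    vals = [[RANKING_VALUE[c] for c in row] for row in MATRIX]
    n = len(vals)
    for r in range(n):
        for c in range(n):
            if c + 1 < n and vals[r][c] < vals[r][c + 1]:
                return False
            if r + 1 < n and vals[r][c] < vals[r + 1][c]:
                return False
    return True


def prioritize(register):
    """register: iterable of (category, impact, likelihood).
    Returns [(rank_no, category, R-rank, value), ...] with the highest value first;
    category name breaks ties so the order is deterministic."""
    scored = []
    for category, impact, likelihood in register:
        cell, value = risk_rank(impact, likelihood)
        scored.append((value, category, cell))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [(i + 1, cat, cell, val) for i, (val, cat, cell) in enumerate(scored)]


# Constructed register: category names from the slide, ratings chosen here.
SAMPLE_REGISTER = [
    ("Data Exfiltration", "Critical", "Probable"),
    ("Insider Threat", "High", "Probable"),
    ("Spear Phishing / Social Engineering", "High", "Frequent"),
    ("External Website Compromise", "Moderate", "Conceivable"),
    ("Social Media", "Low", "Probable"),
]

if __name__ == "__main__":
    print("matrix monotone:", matrix_is_monotone())
    for row in prioritize(SAMPLE_REGISTER):
        print(row)
```

Running the block prints the register in ranking order; with the constructed ratings the High/Frequent phishing entry (R1.2, 98) outranks the Critical/Probable exfiltration entry (R1.3, 96), which is exactly the kind of ordering the matrix encodes and a flat High/Medium register cannot express.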
Another Method for Determining Risk
DREAD model:
• Damage potential – How great is the damage if the vulnerability is exploited?
• Reproducibility – How easy is it to reproduce the attack?
• Exploitability – How easy is it to launch an attack?
• Affected users – As a rough percentage, how many users are affected?
• Discoverability – How easy is it to find the vulnerability?
Risk = Min(D, (D+R+E+A+D) / 5)
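Worked example, added here and not from the deck: the DREAD formula exactly as the slide states it, Risk = Min(D, (D+R+E+A+D)/5), applied to a few constructed findings. The slide gives no scale for the five factors, so the 0..10 scale is an assumption. The point the code makes is why the Min(D, ...) cap matters: a low-damage finding that is trivially discoverable and reproducible would top a plain average, but not the slide's formula.

```python
"""DREAD scoring as given on the slide: Risk = Min(D, (D+R+E+A+D)/5).

Added example (not the deck's code). SCALE_MAX is an assumption; the slide
states no per-factor scale. SAMPLE_FINDINGS are constructed."""
from dataclasses import dataclass

SCALE_MAX = 10  # assumed: each factor rated 0..10
FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass(frozen=True)
class Dread:
    name: str
    damage: int           # Damage potential
    reproducibility: int  # Reproducibility
    exploitability: int   # Exploitability
    affected_users: int   # Affected users (rough percentage mapped onto the scale)
    discoverability: int  # Discoverability

    def __post_init__(self):
        for f in FACTORS:
            v = getattr(self, f)
            if not isinstance(v, int) or not 0 <= v <= SCALE_MAX:
                raise ValueError(f"{f} must be an integer in 0..{SCALE_MAX}, got {v!r}")

    def average(self):
        """Plain DREAD average, kept for comparison with the slide's formula."""
        return sum(getattr(self, f) for f in FACTORS) / len(FACTORS)

    def risk(self):
        """Slide formula: damage potential caps the average, so a finding whose
        worst case is minor cannot rank high just because it is easy to find
        and reproduce."""
        return min(self.damage, self.average())


def rank(findings, scorer=Dread.risk):
    """Highest score first; the name breaks ties so the order is deterministic."""
    return sorted(findings, key=lambda f: (-scorer(f), f.name))


SAMPLE_FINDINGS = [  # constructed findings, generic vulnerability classes only
    Dread("verbose error page", damage=2, reproducibility=10,
          exploitability=10, affected_users=10, discoverability=10),
    Dread("missing authorization check on admin endpoint", damage=8, reproducibility=6,
          exploitability=7, affected_users=5, discoverability=9),
    Dread("script injection in user profile", damage=6, reproducibility=8,
          exploitability=7, affected_users=8, discoverability=6),
]

if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"risk {f.risk():4.1f}  (plain average {f.average():4.1f})  {f.name}")
```

With the slide's formula the ordering is admin-endpoint (7.0), profile injection (6), error page (2); with a plain average the error page would come first at 8.4, which is the distortion the cap removes.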
Compliance <> Security
May need to conduct other assessments:
• Credit Card Data – PCI DSS
• Personal Health Information – HIPAA
  Security Risk Assessment tool: www.HealthIT.gov/security-risk-assessment
Agenda – Third Party / Cloud Considerations
Are You Responsible for a Breach at a Third Party?
Customers don’t care about your business partners. They entrust you with the information.
Consequences:
• Brand Damage
• Loss of Customer Loyalty
• Lawsuits
• Increased Scrutiny
• Higher Audit Costs
• Litigation
• Eroded Share Value
Third-Party Breaches
• 51% of All Breaches Come from Third Parties (1)
• The Cost of a Breach at a Third Party is Higher than an Internal Breach (2)
• You are not in control of the response or communications
• Responding is more complex and time consuming
(1) Source: Key findings from The Global State of Information Security® Survey 2014, PWC, CSO Magazine
(2) 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2014
The Future Looks Bleak
Gartner predicts that through 2020 all security incidents realized in the cloud will be broken down by a 95% to 5% ratio.
– 5% of all cloud ecosystem breaches will be the CSP’s fault
– 95% will be the fault of the customer
The Real Cloud Picture
Unmanaged vs. Approved and Managed
• Typical enterprise has on average 613 cloud applications in use
• 88% of those not considered enterprise ready
• Over 90% are being used without knowledge or approval of enterprise
Source: Netskope January 2015
Cloud Risks
Protecting sensitive data is more complex in a cloud environment
Loss of Direct Control
• The security and continuity controls are in the hands of the provider
• Threat of malicious insider is extended to cloud provider
Data Protection
• A shared environment can offer more avenues for data loss
• Dynamic movement of data between clouds makes protection complex
• Complete data destruction is very difficult in shared cloud
Governance is hard
• Due diligence is costly with duplication of effort
• No true standard of care
• Lack of a trusted third party assessor
More Cloud Risks
Additional considerations when migrating to cloud services
Regulatory Compliance
• Cloud computing security and retention issues can arise with respect to complying with various data privacy and protection regulations
Legal Discovery / Forensics
• Provider may not provide security incident logs without violating other client agreements
• Electronic forensics is more challenging and must be established in advance
Cloud Service Provider
• Once you have migrated your systems to a cloud provider it is expensive and difficult to change. An exit strategy needs to be completed prior to engagement
• The consolidation of multiple organizations into a single infrastructure presents an attractive high-value target
Third Party Risk Process
1. Relationship Risk – What Are They Doing for Us?
   - Regulatory or Contract Exposure
   - Data Exposure
   - Business Process Exposure
2. Business Profile Risk – Who Are They?
   - Financial Strength
   - Geopolitical / Country Risk
   - Breach History or Indication
3. How Are They Protecting the Information?
   - Standardized, Service Type
   - ISO27001/NIST
   - HIPAA/STAR
4. Control Validation
   - Electronic Validation
   - Onsite Validation
   - Control Evidence
5. Monitoring and Reporting
   - Changes in Relationship
   - Changes in Business
   - Changes in Controls
Match the Level of Due Diligence to Inherent Risk
Risk Tiers Based on Inherent Risk
Inherent Risk is a Function of Relationship and Profile Risk
Tier 1
• Strategic accounts (high revenue dependence)
• Regulatory/contract requirements
• High reputation risk
• “Trusted” relationships
Tier 2
• Lower volume with no or minimal sensitive data
• Lower revenue risk
• Business operations risk
• Some business profile risk
Tier 3
• No sensitive data
• Minimal reputation risk
• Minimal or no revenue dependence
• “Trusted” relationship with low-level access
Tier 1 Assessments – Tier 1 Due Diligence
Fully Validated
• Validate (not a complete list):
  • Security policies
  • Incident response plan and procedures
  • Detection & Monitoring Systems (e.g. SIEM, SOC)
  • Business continuity/disaster recovery plan and test results
  • Vulnerability management procedures and sample reports
  • Security awareness, training and completion log
  • Last independent security assessment - status of high risks
Tip: Multiple sites and outsourcing by the third party significantly increase the level of effort.
Tier 2 and 3 Assessments
Tier 2 Assessments – Partially Validated; Self Attest of Controls
Tier 3 Assessments – Self Attest of Controls; Random Audit
Due Diligence Frequency
• Match Due Diligence to the Associated Risk
  – Tier One
    • Annual – Fully Validated Controls Assessment
    • Quarterly – Penetration and Vulnerability Scan Results
    • Monthly – Touch Base on Incident Response and Contact Management
  – Tier Two
    • Annual – Validation of Primary Controls
    • Quarterly – Incident Response Contact Management
  – Tier Three
    • Annual – Self Assessment and Random Audits When Possible
    • Annual – Incident Response Contact Management
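Worked example, added here and not from the deck, covering the "Risk Tiers Based on Inherent Risk" slide and the "Due Diligence Frequency" slide together: a small policy-as-code routine that assigns a third party to Tier 1, 2 or 3 from its relationship and business-profile attributes, attaches the annual/quarterly/monthly activities the slide lists for that tier, and computes when each activity is next due. The tier criteria follow the slide wording; the attribute levels ("none"/"minimal"/"significant" and so on), the rule that significant sensitive-data exposure alone puts a vendor in Tier 1, and the sample vendors are assumptions constructed for the example.

```python
"""Inherent-risk tiering and due-diligence cadence for third parties.

Added example (not the deck's code). Tier rules follow the Tier 1/2/3 slide;
LEVELS, the 'significant sensitive data => Tier 1' rule and SAMPLE_PARTIES
are assumptions. SCHEDULE reproduces the Due Diligence Frequency slide."""
import calendar
from dataclasses import dataclass
from datetime import date

LEVELS = {  # assumed attribute vocabularies
    "sensitive_data": ("none", "minimal", "significant"),
    "revenue_dependence": ("none", "low", "high"),
    "reputation_risk": ("minimal", "some", "high"),
    "trusted_access": ("none", "low", "high"),
}


@dataclass(frozen=True)
class ThirdParty:
    name: str
    sensitive_data: str       # data exposure (relationship risk)
    revenue_dependence: str   # revenue risk (relationship risk)
    regulated: bool           # regulatory/contract requirements apply
    reputation_risk: str      # business profile risk
    trusted_access: str       # level of access granted to the third party

    def __post_init__(self):
        for field, allowed in LEVELS.items():
            if getattr(self, field) not in allowed:
                raise ValueError(f"{field} must be one of {allowed}")


def assign_tier(tp):
    """Relationship risk + business profile risk -> inherent risk tier (1 = highest)."""
    # Tier 1: strategic (high revenue dependence), regulatory/contract requirements,
    # high reputation risk, a "trusted" high-access relationship, or (assumed)
    # significant sensitive data.
    if (tp.revenue_dependence == "high" or tp.regulated or tp.reputation_risk == "high"
            or tp.trusted_access == "high" or tp.sensitive_data == "significant"):
        return 1
    # Tier 3: no sensitive data, minimal reputation risk, minimal or no revenue
    # dependence, at most low-level access.
    if (tp.sensitive_data == "none" and tp.reputation_risk == "minimal"
            and tp.revenue_dependence in ("none", "low")
            and tp.trusted_access in ("none", "low")):
        return 3
    # Tier 2: everything in between (lower volume, no or minimal sensitive data).
    return 2


# Cadence per tier, as listed on the Due Diligence Frequency slide.
SCHEDULE = {
    1: {"annual": ["Fully validated controls assessment"],
        "quarterly": ["Penetration and vulnerability scan results"],
        "monthly": ["Touch base on incident response and contact management"]},
    2: {"annual": ["Validation of primary controls"],
        "quarterly": ["Incident response contact management"]},
    3: {"annual": ["Self assessment and random audits when possible",
                   "Incident response contact management"]},
}
CADENCE_MONTHS = {"annual": 12, "quarterly": 3, "monthly": 1}


def add_months(d, months):
    """Calendar-month arithmetic, clamping the day to the end of the target month."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def next_due(tier, last_done):
    """last_done maps cadence -> ISO date of last completion. Returns cadence ->
    ISO date next due for every cadence the tier requires; None = never done."""
    out = {}
    for cadence in SCHEDULE[tier]:
        if cadence in last_done:
            nxt = add_months(date.fromisoformat(last_done[cadence]), CADENCE_MONTHS[cadence])
            out[cadence] = nxt.isoformat()
        else:
            out[cadence] = None
    return out


def due_diligence_plan(parties):
    """Tier every third party and attach the activities owed at each cadence."""
    plan = {}
    for tp in parties:
        tier = assign_tier(tp)
        plan[tp.name] = {"tier": tier, "activities": SCHEDULE[tier]}
    return plan


# Constructed sample inventory (not real vendors).
SAMPLE_PARTIES = [
    ThirdParty("payroll processor", "significant", "low", True, "high", "high"),
    ThirdParty("marketing analytics vendor", "minimal", "low", False, "some", "low"),
    ThirdParty("office plant service", "none", "none", False, "minimal", "none"),
]

if __name__ == "__main__":
    for name, entry in due_diligence_plan(SAMPLE_PARTIES).items():
        print(name, entry)
    print(next_due(1, {"annual": "2016-01-31", "quarterly": "2016-01-31"}))
```

A cadence with no completion date comes back as None so that a newly onboarded Tier 1 vendor shows every activity as outstanding rather than silently scheduled a year out; the month arithmetic clamps to month end so a quarterly cycle started on the 31st does not raise on a 30-day month.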
Third-Party Risk – Current Situation
• On April 5, USA Today published results from a survey of 40 banks and found:
  • 30% don’t require third-party vendors to notify of a security breach
  • Less than 50% conduct onsite assessments of third parties
  • Approximately 20% do not conduct on-site assessments of service providers
Average Enterprise Has 1000s of Third-Parties:
• Tier 1: 1.5% - 2%
• Tier 2: 6% - 8%
• Tier 3: 90% - 95%
Relationship Exposure Inventory
The Key Question: “What data of ours can be breached?”
• Relationship Exposure Inventory – Risk Registry
  • Maintain a relationship list (type and quantity)
• Relationship “Creep”
  • Due diligence is performed during the first contract
  • Relationship grows over time
  • Increased liability without updating the risk exposure metrics
Third-Party Contracts
• Right to Audit
• Security Service Level Agreement
• Breach Notification
• Restrictions on Outsourcing
• Security Safeguards
• Indemnification, Cyber Insurance, etc.
• Exit Strategy
Control Assessments
• Match Due-Diligence to Risk and Type of Service
• Minimize Ambiguity
• How You Ask Questions is as Important as What You Ask
• SSAE16 SOC 2 review
  • Provides information pertaining to the IT controls that have been certified by an accredited firm
  Tip: Make sure the scope matches the services being provided.
• Questionnaires
  • Popular
• Onsite Third-Party Validation
  • Costly and Time Prohibitive
• Cloud Security Alliance
Cloud Security Alliance

CSA Security Trust & Assurance Registry (STAR)
What to Watch For
• Response Red Flags
  • “Sorry I can’t give you that. It is confidential”
  • “I’ll send it to you after our legal review”
• People Red Flags
  • Evasive answers, shifty eyes
  • Long explanations
• Governance Red Flags
  • No formal training and awareness program
  • Security organization is a side job, no executive oversight
• Security Technology Red Flags
  • Vulnerability management is not fully implemented
  • Threat management is incomplete or nonexistent
  • No IM, privileged access, two factor authentication
When to Review
• During the RFP Process
• When the Relationship Changes
• When a Regulation Changes
• When the Business Profile Risk Changes
• At Least Annually
How to Apply What You Have Learned
Start slow – Get quick wins
Within Three Months (90 Days), You Should:
✓ Begin due diligence on critical third parties
✓ Evaluate your risk inventory and assign risk tier
Beyond Three Months (+90 Days), Establish:
✓ A tiered program to evaluate risk
✓ A remediation plan to address deficient controls
✓ Reporting program
Agenda – IOT Considerations
State of the Internet of Things (IOT)
1. 50 to 200 billion connected devices by 2020
   “Number of connected devices worldwide will rise from 15 billion today to 50 billion by 2020.” - Cisco
2. $1.7 trillion in spending by 2020
   “Global spending on IoT devices & services will rise from $656 billion in 2014 to $1.7 trillion in 2020.” - IDC
3. The $79 billion smart-home industry
   “Smart-home industry generated $79.4 billion in revenue in 2014 and is expected to rise substantially as mainstream awareness of smart appliances rises.” - Harbor Research & Postscapes
4. 90% of cars will be connected by 2020
   “By 2020, 90% of cars will be online, compared with just 2% in 2012, supporting in-car infotainment, autonomous-driving, and embedded OS markets” - Telefonica
5. 173.4 million wearable devices by 2019
   “Global wearable device shipments will surge from 76.1 million in 2015 to 173.4 million units by 2019.” - IDC
Chart source: http://www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html
IOT Drawbacks
• Designed with strict constraints
  – Low power consumption
  – Small memory and disk space
  – Minimal processing power
  – Little human interaction
  – Reduced options
• Weak update mechanisms
  – Devices are not engineered for patching
  – Lack of alerting regarding need for patching
  – Challenges in notification and delivery of patches
IOT Misconceptions
• “My devices are too simple to be exploited by an attacker.”
• “My devices are too old or too customized to be targeted.”
• “My devices are not capable of being updated, therefore there are no security controls at my disposal.”
• “My vendors are not delivering patches.”
• “The risks posed by my IOT devices are not as severe as other more traditionally connected machines, therefore these devices are a lower priority.”
IOT Challenges
• No end to vulnerabilities
• Little compatibility with enterprise infrastructure
• Rise of Shadow-IT
  – Devices are easy to purchase, install and use
• More consumer to business cross-over
• Need to interact with groups that may not be used to working with IT and IT Security or may think they don’t need to work with them at all
IOT Assessments
• Need to follow traditional risk assessment approaches
  – RIIOT process will be key
  – Engage vendor and industry groups
  – Step-up awareness efforts
• Catch it early during the vetting process
• Remediation is the challenge
  – May have to rely on a rip and replace strategy
  – Adopt a micro-segmentation architecture
  – Rely on upstream and downstream controls
  – Technology cannot be the only solution
Goal = Minimize Impacts of a Breach
Operational and Reputation:
• Hard costs from disruption or destruction of infrastructure
• Increased scrutiny from third parties
• Attrition of employees or management
• Diminished brand value
• Profitability
• Revenue, Customer Retention
• Damage Repair - $200+ per stolen identity
Loss of Intellectual Property:
• Competitive advantage
• New market opportunities
• Long term growth
Questions
Brian [email protected]
@bdwtexas