Upload: joanna-cheshire, posted 15-Apr-2017

Page 1: Risk Assessments

Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.

Risk Assessments

Office of the CISO

Page 2: Risk Assessments


:/whoami/

– 20+ years in IT and Information Security

– Former CSO, CISO, Privacy Director

– Bachelor's in Computer Science

– MBA

– Adjunct Professor at University of Dallas

– Certifications:

• Cybersecurity

• SANS GSEC

Page 3: Risk Assessments

Who is Optiv?

Security Consulting
• Strategy
• Risk
• Architecture and Planning
• Incident Assurance and Response
• Compliance
• Application Security
• Attack, Vulnerability and Penetration Testing
• Security Awareness and Training

Security Operations
• Monitoring
• Malware Detection
• Malware Analysis
• Technology Support
• Staffing

Security Technology
• Education
• Assessment and Validation
• Selection
• Sourcing
• Implementation
• Integration

Every security problem, at every level of engagement:
• Project – Products; Services
• Problem – Architectures; Integrated solutions and bundles; Services
• Program – Functions, department; Business advice; Services

Every security aspect:
• Strategy
• Management and Planning
• Defenses and Controls
• Monitoring and Operations

Every security service, with a client-centric approach centered on each client’s unique needs and priorities:
• Client data and intellectual property
• Insider threats
• Mobility
• Compliance and regulations
• Security awareness
• Cloud infrastructure services
• Evolving technology landscape
• Third-party risk
• Advanced threat
• Internet of Things (IoT)
• Threat intelligence
• Distributed denial of service

Page 4: Risk Assessments

Agenda
• Risk Assessments
• Third Party / Cloud Considerations
• IOT Considerations

Page 5: Risk Assessments

Evolution of the CISO

The focus has changed from protecting the IT infrastructure to managing the information risk to the organization.

Securing the Organization: from CISO to CIRO
• Information Security – Secure the internal organization
• Third-Party Risk Management – Understand and manage the risk of third parties
• Regulatory Compliance Management – Understand and manage regulatory risks
• Business Acumen – Communicate information risk in business terms

Page 6: Risk Assessments


Risk Management

Enterprise Risk Management

IT Risk Management

Risk Assessments

Page 7: Risk Assessments

Risk Definitions

• Assets – Anything of value
  – Specifically the costs associated with what we’re trying to protect
• Threat (Agents) – Anything that can exploit a vulnerability
  – Must compromise an asset (have an impact)
• Vulnerability – A weakness or gap in our controls
  – Controls are not adequate to fully address threat concerns
• Controls – Actions taken to mitigate threat effectiveness
  – Administrative, Logical, Physical
  – Preventative, Corrective, Detective
• RISK = The potential for an asset to experience negative consequences as a result of a threat exploiting a vulnerability.

Page 8: Risk Assessments

Risk Equation

Risk = (Assets * Threats * Vulnerabilities) / Countermeasures (controls)

• Assets – what we are trying to protect
• Threats – what we are trying to protect against
• Vulnerability – what we are trying to address
• Controls – what we are doing to address them

Page 9: Risk Assessments


Another View of the Risk Equation

Page 10: Risk Assessments


Asset Valuation

ISO 22317

Page 11: Risk Assessments

Research Threat Landscape

Information Security is the preservation of confidentiality, integrity, and availability of information and information systems.

Actor: Organized Criminals
• Motivation: Financial gain – sale of information on the black market; use of trusted partner data for further attacks
• Target information: Personally Identifiable Information (PII), Personal Health Information (PHI), trusted partner information, financial accounts, credit cards

Actor: Hacktivist Groups
• Motivation: Politics, ideology, business disruption, or reputation
• Target information: Destroy data or disrupt business to lose credibility, influence, competitiveness, or stock value

Actor: Nation-States
• Motivation: Politics, economics, intellectual property, or military advantage
• Target information: Intellectual property, competitive formulas and processes

Actor: Competitors
• Motivation: Intellectual property, competitive advantage, customer data
• Target information: Intellectual property, growth, M&A plans, financial results, pricing, competitive formulas and processes

Actor: Internal / External
• Motivation: Financial gain, intellectual property, malicious destruction, or non-malicious actions
• Target information: Combination of all groups

Page 12: Risk Assessments

Vulnerability Assessment

Threat Mapping Using an Attack Tree

Page 13: Risk Assessments


Vulnerability Analysis

Page 14: Risk Assessments


Controls Assessment

ISO 27000

Page 15: Risk Assessments


Controls Assessment

RIIOT Approach

• Review documents

• Interview key personnel

• Inspect controls

• Observe behaviour

• Test controls

Page 16: Risk Assessments

Define and Prioritize Risks

Risk matrix: Impact of Occurrence (rows) against Likelihood of Occurrence (columns)

Impact         Frequent  Probable  Conceivable  Improbable  Remote
Critical       R1.1      R1.3      R2.3         R3.5        R4.7
High           R1.2      R2.1      R3.3         R3.6        R4.8
Moderate       R2.2      R3.1      R3.4         R4.5        R5.3
Low            R3.2      R4.1      R4.4         R4.6        R5.4
Informational  R4.2      R4.3      R5.1         R5.2        R5.5

Risk Ranking Values

R1.1 100   R2.1 94   R3.1 71   R4.1 20   R5.1 4
R1.2  98   R2.2 87   R3.2 61   R4.2 18   R5.2 3
R1.3  96   R2.3 80   R3.3 51   R4.3 16   R5.3 2
                     R3.4 41   R4.4 14   R5.4 1
                     R3.5 31   R4.5 12   R5.5 0
                     R3.6 21   R4.6 10
                               R4.7  8
                               R4.8  6

• Likelihood and Impact are DERIVED characteristics
  – Impact = Asset Worth X Scale
  – Likelihood = Exploitability X Exposure
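The matrix can be applied mechanically once Impact and Likelihood have been derived from their two factors each. The Python below is an added worked example, not code from the Optiv deck: the cell codes and ranking values are the slide's, while the 1..5 scoring of Asset Worth, Scale, Exploitability and Exposure, the band thresholds that turn each product into a named level, and the sample findings are assumptions made for illustration.

```python
"""Risk prioritization with the deck's 5x5 Impact x Likelihood matrix.

Added example, not part of the Optiv deck. The matrix cell codes and the
risk ranking values are taken from the slide. The 1..5 scoring of the four
inputs and the band thresholds that turn the products Asset Worth x Scale and
Exploitability x Exposure into the five named levels are an ASSUMPTION.
"""
from dataclasses import dataclass

IMPACT_LEVELS = ["Critical", "High", "Moderate", "Low", "Informational"]
LIKELIHOOD_LEVELS = ["Frequent", "Probable", "Conceivable", "Improbable", "Remote"]

# Rows follow IMPACT_LEVELS, columns follow LIKELIHOOD_LEVELS (from the slide).
RISK_MATRIX = [
    ["R1.1", "R1.3", "R2.3", "R3.5", "R4.7"],  # Critical
    ["R1.2", "R2.1", "R3.3", "R3.6", "R4.8"],  # High
    ["R2.2", "R3.1", "R3.4", "R4.5", "R5.3"],  # Moderate
    ["R3.2", "R4.1", "R4.4", "R4.6", "R5.4"],  # Low
    ["R4.2", "R4.3", "R5.1", "R5.2", "R5.5"],  # Informational
]

# Risk ranking values from the slide.
RANKING_VALUE = {
    "R1.1": 100, "R1.2": 98, "R1.3": 96, "R2.1": 94, "R2.2": 87, "R2.3": 80,
    "R3.1": 71, "R3.2": 61, "R3.3": 51, "R3.4": 41, "R3.5": 31, "R3.6": 21,
    "R4.1": 20, "R4.2": 18, "R4.3": 16, "R4.4": 14, "R4.5": 12, "R4.6": 10,
    "R4.7": 8, "R4.8": 6, "R5.1": 4, "R5.2": 3, "R5.3": 2, "R5.4": 1, "R5.5": 0,
}

# ASSUMED: each input is scored 1..5, so each product lies in 1..25. A product
# at or above a threshold maps to the level at the same position in the list.
BAND_THRESHOLDS = [20, 12, 6, 3, 0]


def _to_level(product, levels):
    for threshold, level in zip(BAND_THRESHOLDS, levels):
        if product >= threshold:
            return level
    return levels[-1]


def impact_level(asset_worth, scale):
    """Impact = Asset Worth x Scale (slide), banded into the five impact levels."""
    return _to_level(asset_worth * scale, IMPACT_LEVELS)


def likelihood_level(exploitability, exposure):
    """Likelihood = Exploitability x Exposure (slide), banded into five levels."""
    return _to_level(exploitability * exposure, LIKELIHOOD_LEVELS)


def risk_code(impact, likelihood):
    """Look up the matrix cell, e.g. ("High", "Conceivable") -> "R3.3"."""
    return RISK_MATRIX[IMPACT_LEVELS.index(impact)][LIKELIHOOD_LEVELS.index(likelihood)]


def risk_value(impact, likelihood):
    return RANKING_VALUE[risk_code(impact, likelihood)]


@dataclass(frozen=True)
class Finding:
    name: str
    asset_worth: int
    scale: int
    exploitability: int
    exposure: int


def prioritize(findings):
    """Return (name, impact, likelihood, code, value) tuples, highest risk first."""
    rows = []
    for f in findings:
        imp = impact_level(f.asset_worth, f.scale)
        lik = likelihood_level(f.exploitability, f.exposure)
        code = risk_code(imp, lik)
        rows.append((f.name, imp, lik, code, RANKING_VALUE[code]))
    return sorted(rows, key=lambda r: r[4], reverse=True)


# Constructed sample findings (not from the deck).
SAMPLE_FINDINGS = [
    Finding("Unpatched internet-facing web server", 5, 4, 5, 5),
    Finding("Stale test account on isolated lab VLAN", 2, 2, 3, 1),
    Finding("Laptop disk encryption not enforced", 4, 3, 2, 4),
]

if __name__ == "__main__":
    for name, imp, lik, code, value in prioritize(SAMPLE_FINDINGS):
        print(f"{value:3d}  {code}  {imp:<13} {lik:<11} {name}")
```

Running the block prints the three constructed findings ordered by ranking value (R1.1 at 100, R3.3 at 51, R4.6 at 10). The ordering comes from the matrix cell, not from either factor alone, which is the point of a matrix over a simple product: a Low-impact row cannot be pushed into the top band however likely the event is.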

Page 17: Risk Assessments

Define and Prioritize Risks - Another View

IT Risk Assessment heat map: Business Impact (L, M, H) on one axis against Probability of Failure/Exploit (L, M, H) on the other.

Page 18: Risk Assessments

Risk Register (rank 1 is the highest risk; risk increases up the list)

1. Data Exfiltration – Unauthorized access and/or theft of IP or sensitive data
   Likelihood: High | Impact: High | Mitigation Complexity: High
2. Insider Threat – Privilege misuse by disgruntled or careless employee and/or trusted third party
   Likelihood: High | Impact: High | Mitigation Complexity: Medium
3. Spear Phishing / Social Engineering – Targeted email with malicious link / malware
   Likelihood: High | Impact: High | Mitigation Complexity: Medium
4. Data Leakage / Loss – Exposure of sensitive information on endpoints and Cloud apps
   Likelihood: High | Impact: High | Mitigation Complexity: Medium
5. Compromised Privileged Credentials – Stolen login ID provides authorized access to an attacker
   Likelihood: Medium | Impact: High | Mitigation Complexity: Medium
6. Malware / Ransomware – Software that is intended to damage or disable computers and computer systems
   Likelihood: Medium | Impact: High | Mitigation Complexity: High
7. Advanced Persistent Threat Attack – Advanced attack by well-funded adversary over a long period
   Likelihood: Medium | Impact: High | Mitigation Complexity: High
8. Exploit of Known Security Flaws – Systems do not conform to configuration standards; patches not applied regularly
   Likelihood: Medium | Impact: High | Mitigation Complexity: Medium
9. External Website Compromise – Branded websites and external applications defaced or damaged
   Likelihood: Medium | Impact: Medium | Mitigation Complexity: Medium
10. Social Media – Facebook, Twitter, etc. where brand information could be posted
   Likelihood: Medium | Impact: Low | Mitigation Complexity: Medium

Page 19: Risk Assessments

Another Method for Determining Risk

DREAD model:
• Damage potential – How great is the damage if the vulnerability is exploited?
• Reproducibility – How easy is it to reproduce the attack?
• Exploitability – How easy is it to launch an attack?
• Affected users – As a rough percentage, how many users are affected?
• Discoverability – How easy is it to find the vulnerability?

Risk = Min(D, (D+R+E+A+D) / 5)
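As an added worked example (not code from the Optiv deck), the Python below scores a few constructed findings with the formula above. The 0..10 scale per factor and the findings themselves are assumptions; what it shows is how the Min(D, average) rule caps a finding's risk at its damage potential, so an easy-to-find, easy-to-reproduce issue with little damage does not outrank a harder-to-exploit issue that could do real harm.

```python
"""DREAD scoring with the deck's Risk = Min(D, (D+R+E+A+D)/5) rule.

Added example, not part of the Optiv deck. The five factors are scored on a
0..10 scale here (an assumption; the slide does not state a scale) and the
findings below are constructed for illustration.
"""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Dread:
    damage: int           # D – how great is the damage if exploited?
    reproducibility: int  # R – how easy is it to reproduce the attack?
    exploitability: int   # E – how easy is it to launch an attack?
    affected_users: int   # A – rough percentage of users affected
    discoverability: int  # D – how easy is it to find the vulnerability?

    def __post_init__(self):
        # Reject out-of-range scores early so a typo cannot distort the ranking.
        for f in fields(self):
            v = getattr(self, f.name)
            if not 0 <= v <= 10:
                raise ValueError(f"{f.name} must be 0..10, got {v}")

    def average(self):
        """Plain DREAD mean of the five factors."""
        return sum(getattr(self, f.name) for f in fields(self)) / 5

    def risk(self):
        """The deck's rule: risk can never exceed damage potential."""
        return min(self.damage, self.average())


def rank_findings(findings):
    """findings: dict name -> Dread. Returns [(name, risk)] highest first."""
    return sorted(((name, s.risk()) for name, s in findings.items()),
                  key=lambda t: t[1], reverse=True)


# Constructed sample findings (not from the deck).
SAMPLE = {
    "Verbose error page reveals framework version": Dread(2, 10, 10, 10, 10),
    "Missing authorization check on bulk export": Dread(9, 8, 6, 9, 5),
    "Weak TLS configuration on internal admin host": Dread(6, 7, 3, 2, 4),
}

if __name__ == "__main__":
    for name, risk in rank_findings(SAMPLE):
        print(f"{risk:4.1f}  {name}")
```

The verbose error page averages 8.4 and would top a plain-average ranking, but its damage potential of 2 caps it at 2.0; the export issue scores 7.4 and ranks first.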

Page 20: Risk Assessments

Compliance <> Security

May need to conduct other assessments:
• Credit Card Data – PCI DSS
• Personal Health Information – HIPAA (Security Risk Assessment tool: www.HealthIT.gov/security-risk-assessment)

Page 21: Risk Assessments

Agenda
• Risk Assessments
• Third Party / Cloud Considerations
• IOT Considerations

Page 22: Risk Assessments

Are You Responsible for a Breach at a Third Party?

Customers don’t care about your business partners. They entrust you with the information.

Consequences:
• Brand Damage
• Loss of Customer Loyalty
• Lawsuits
• Increased Scrutiny
• Higher Audit Costs
• Litigation
• Eroded Share Value

Page 23: Risk Assessments

Third-Party Breaches

• 51% of all breaches come from third parties (1)
• The cost of a breach at a third party is higher than an internal breach (2)
• You are not in control of the response or communications
• Responding is more complex and time consuming

(1) Source: Key findings from The Global State of Information Security® Survey 2014, PWC, CSO Magazine
(2) 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2014

Page 24: Risk Assessments

The Future Looks Bleak

Gartner predicts that through 2020 all security incidents realized in the cloud will be broken down by a 95% to 5% ratio.
– 5% of all cloud ecosystem breaches will be the CSP’s fault
– 95% will be the fault of the customer

Page 25: Risk Assessments

The Real Cloud Picture

(Chart: cloud applications split into Unmanaged vs. Approved and Managed)
• Typical enterprise has on average 613 cloud applications in use
• 88% of those not considered enterprise ready
• Over 90% are being used without knowledge or approval of enterprise

Source: Netskope January 2015

Page 26: Risk Assessments

Cloud Risks

Protecting sensitive data is more complex in a cloud environment

Loss of Direct Control
• The security and continuity controls are in the hands of the provider
• Threat of malicious insider is extended to cloud provider

Data Protection
• A shared environment can offer more avenues for data loss
• Dynamic movement of data between clouds makes protection complex
• Complete data destruction is very difficult in shared cloud

Governance is hard
• Due diligence is costly with duplication of effort
• No true standard of care
• Lack of a trusted third party assessor

Page 27: Risk Assessments

More Cloud Risks

Additional considerations when migrating to cloud services

Regulatory Compliance
• Cloud computing security and retention issues can arise with respect to complying with various data privacy and protection regulations

Legal Discovery / Forensics
• Provider may not provide security incident logs without violating other client agreements
• Electronic forensics is more challenging and must be established in advance

Cloud Service Provider
• Once you have migrated your systems to a cloud provider it is expensive and difficult to change. Exit strategy needs to be completed prior to engagement
• The consolidation of multiple organizations into a single infrastructure presents an attractive high-value target

Page 28: Risk Assessments

Third Party Risk Process

1. Relationship Risk – What Are They Doing for Us?
   - Regulatory or Contract Exposure
   - Data Exposure
   - Business Process Exposure
2. Business Profile Risk – Who Are They?
   - Financial Strength
   - Geopolitical / Country Risk
   - Breach History or Indication
3. How Are They Protecting the Information?
   - Standardized, Service Type
   - ISO27001/NIST
   - HIPAA/STAR
4. Control Validation
   - Electronic Validation
   - Onsite Validation
   - Control Evidence
5. Monitoring and Reporting
   - Changes in Relationship
   - Changes in Business
   - Changes in Controls

Page 29: Risk Assessments

Match the Level of Due Diligence to Inherent Risk

Risk Tiers Based on Inherent Risk: inherent risk is a function of relationship and profile risk.

Tier 1
• Strategic accounts (high revenue dependence)
• Regulatory/contract requirements
• High reputation risk
• “Trusted” relationships

Tier 2
• Lower volume with no or minimal sensitive data
• Lower revenue risk
• Business operations risk
• Some business profile risk

Tier 3
• No sensitive data
• Minimal reputation risk
• Minimal or no revenue dependence
• “Trusted” relationship with low-level access

Page 30: Risk Assessments

Tier 1 Assessments – Fully Validated

Tier 1 Due Diligence
• Validate (not a complete list):
  – Security policies
  – Incident response plan and procedures
  – Detection & Monitoring Systems (e.g. SIEM, SOC)
  – Business continuity/disaster recovery plan and test results
  – Vulnerability management procedures and sample reports
  – Security awareness, training and completion log
  – Last independent security assessment - status of high risks

Tip: Multiple sites and outsourcing by the third party significantly increase the level of effort.

Page 31: Risk Assessments

Tier 2 and 3 Assessments

Tier 2 Assessments – Partially Validated
• Self Attest of Controls

Tier 3 Assessments
• Self Attest of Controls
• Random Audit

Page 32: Risk Assessments

Due Diligence Frequency

• Match Due Diligence to the Associated Risk
  – Tier One
    • Annual – Fully Validated Controls Assessment
    • Quarterly – Penetration and Vulnerability Scan Results
    • Monthly – Touch Base on Incident Response and Contact Management
  – Tier Two
    • Annual – Validation of Primary Controls
    • Quarterly – Incident Response Contact Management
  – Tier Three
    • Annual – Self Assessment and Random Audits When Possible
    • Annual – Incident Response Contact Management
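The five-step process on page 28, the tiers on page 29 and the cadence above fit together as one decision: classify the relationship by inherent risk, then schedule the reviews its tier demands. The Python below is an added example, not code from the Optiv deck. The cadence table is copied from the slide; the rule that turns the tier bullets into a Tier 1/2/3 decision, the attribute vocabulary, and the sample inventory are assumptions made for illustration.

```python
"""Third-party risk tiering and due-diligence cadence.

Added example, not part of the Optiv deck. The tier criteria follow the
"Risk Tiers Based on Inherent Risk" slide and the review cadence follows the
"Due Diligence Frequency" slide. Turning the slide's bullet criteria into the
decision rule below (which attributes force Tier 1, which permit Tier 3) is an
ASSUMPTION, and every relationship in the sample inventory is constructed.
"""
from collections import Counter
from dataclasses import dataclass

LEVELS = ("none", "low", "high")
DATA_LEVELS = ("none", "minimal", "significant")
REPUTATION_LEVELS = ("minimal", "some", "high")


@dataclass(frozen=True)
class Relationship:
    name: str
    sensitive_data: str           # data exposure: "none", "minimal", "significant"
    revenue_dependence: str       # "none", "low", "high"
    regulatory_or_contract: bool  # regulatory or contract exposure
    reputation_risk: str          # "minimal", "some", "high"
    trusted_access: str           # level of trusted access into our environment
    operations_risk: bool         # business operations depend on the third party

    def __post_init__(self):
        # Fail fast on vocabulary errors; a mis-typed level would silently mis-tier.
        if (self.sensitive_data not in DATA_LEVELS or self.revenue_dependence not in LEVELS
                or self.reputation_risk not in REPUTATION_LEVELS
                or self.trusted_access not in LEVELS):
            raise ValueError(f"invalid attribute value on {self.name}")


def inherent_risk_tier(r):
    """Inherent risk is a function of relationship and profile risk (slide).
    Tier 1: strategic account, regulatory/contract requirement, high reputation
    risk, "trusted" relationship with high-level access, or significant
    sensitive data (ASSUMED, since Tier 2 allows at most minimal sensitive data).
    Tier 3: no sensitive data, minimal reputation risk, no revenue dependence,
    no operations risk (so only low-level access can remain). Otherwise Tier 2."""
    if (r.revenue_dependence == "high" or r.regulatory_or_contract
            or r.reputation_risk == "high" or r.trusted_access == "high"
            or r.sensitive_data == "significant"):
        return 1
    if (r.sensitive_data == "none" and r.reputation_risk == "minimal"
            and r.revenue_dependence == "none" and not r.operations_risk):
        return 3
    return 2


# Due-diligence cadence per tier, from the "Due Diligence Frequency" slide.
DUE_DILIGENCE = {
    1: {"annual": ["Fully validated controls assessment"],
        "quarterly": ["Penetration and vulnerability scan results"],
        "monthly": ["Touch base on incident response and contact management"]},
    2: {"annual": ["Validation of primary controls"],
        "quarterly": ["Incident response contact management"]},
    3: {"annual": ["Self assessment and random audits when possible",
                   "Incident response contact management"]},
}
PER_YEAR = {"annual": 1, "quarterly": 4, "monthly": 12}


def due_diligence_plan(r):
    """(tier, cadence) for one relationship."""
    tier = inherent_risk_tier(r)
    return tier, DUE_DILIGENCE[tier]


def touchpoints_per_year(tier):
    """How many scheduled due-diligence activities a tier costs per year."""
    return sum(PER_YEAR[k] * len(v) for k, v in DUE_DILIGENCE[tier].items())


def tier_distribution(inventory):
    """Share of the inventory in each tier, as percentages."""
    counts = Counter(inherent_risk_tier(r) for r in inventory)
    return {t: 100.0 * counts[t] / len(inventory) for t in (1, 2, 3)}


# Constructed sample inventory (not from the deck).
SAMPLE_INVENTORY = [
    Relationship("Payroll processor", "significant", "low", True, "high", "high", True),
    Relationship("Marketing analytics agency", "minimal", "low", False, "some", "low", True),
    Relationship("Office plant maintenance", "none", "none", False, "minimal", "low", False),
    Relationship("Cafeteria vendor", "none", "none", False, "minimal", "none", False),
]

if __name__ == "__main__":
    for r in SAMPLE_INVENTORY:
        tier, plan = due_diligence_plan(r)
        print(f"Tier {tier}  {r.name}: {touchpoints_per_year(tier)} activities/year")
        for cadence, items in plan.items():
            print(f"   {cadence}: " + "; ".join(items))
    print(tier_distribution(SAMPLE_INVENTORY))
```

Running the block prints each constructed relationship's tier and scheduled activities (17 per year for Tier 1, 5 for Tier 2, 2 for Tier 3) and then the tier distribution. That distribution is the figure to compare with the 1.5%-2% / 6%-8% / 90%-95% split the deck cites for real inventories: if a program's criteria put far more than a few percent of relationships in Tier 1, the monthly cadence will not be sustainable and the criteria need tightening before the program starts.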

Page 33: Risk Assessments

Third-Party Risk – Current Situation

• On April 5, USA Today published results from a survey of 40 banks and found:
  – 30% don’t require third-party vendors to notify of a security breach
  – Less than 50% conduct onsite assessments of third parties
  – Approximately 20% do not conduct on-site assessments of service providers

Average enterprise has 1000s of third parties:
• Tier 1: 1.5% - 2%
• Tier 2: 6% - 8%
• Tier 3: 90% - 95%

Page 34: Risk Assessments

Relationship Exposure Inventory

The Key Question: “What data of ours can be breached?”

• Relationship Exposure Inventory – Risk Registry
  – Maintain a relationship list (type and quantity)
• Relationship “Creep”
  – Due diligence is performed during the first contract
  – Relationship grows over time
  – Increased liability without updating the risk exposure metrics

Page 35: Risk Assessments

Third-Party Contracts
• Right to Audit
• Security Service Level Agreement
• Breach Notification
• Restrictions on Outsourcing
• Security Safeguards
• Indemnification, Cyber Insurance, etc.
• Exit Strategy

Page 36: Risk Assessments

Control Assessments

• Match Due-Diligence to Risk and Type of Service
• Minimize Ambiguity
• How You Ask Questions is as Important as What You Ask
• SSAE16 SOC 2 review
  – Provides information pertaining to the IT controls that have been certified by an accredited firm
  – Tip: Make sure scope matches the services being provided.
• Questionnaires
  – Popular
• Onsite Third-Party Validation
  – Costly and Time Prohibitive
• Cloud Security Alliance

Page 37: Risk Assessments


Cloud Security Alliance

Page 38: Risk Assessments


CSA Security Trust & Assurance Registry (STAR)

Page 39: Risk Assessments

What to Watch For

• Response Red Flags
  – “Sorry I can’t give you that. It is confidential”
  – “I’ll send it to you after our legal review”
• People Red Flags
  – Evasive answers, shifty eyes
  – Long explanations
• Governance Red Flags
  – No formal training and awareness program
  – Security organization is a side job, no executive oversight
• Security Technology Red Flags
  – Vulnerability management is not fully implemented
  – Threat management is incomplete or nonexistent
  – No IM, privileged access, two factor authentication

Page 40: Risk Assessments

When to Review
• During the RFP Process
• When the Relationship Changes
• When a Regulation Changes
• When the Business Profile Risk Changes
• At Least Annually

Page 41: Risk Assessments

How to Apply What You Have Learned

Start slow – get quick wins.

Within Three Months (90 Days), You Should:
✓ Begin due diligence on critical third parties
✓ Evaluate your risk inventory and assign risk tier

Beyond Three Months (+90 Days), Establish:
✓ A tiered program to evaluate risk
✓ A remediation plan to address deficient controls
✓ Reporting program

Page 42: Risk Assessments

Agenda
• Risk Assessments
• Third Party / Cloud Considerations
• IOT Considerations

Page 43: Risk Assessments

State of the Internet of Things (IOT)

1. 50 to 200 billion connected devices by 2020
   “Number of connected devices worldwide will rise from 15 billion today to 50 billion by 2020.” - Cisco
2. $1.7 trillion in spending by 2020
   “Global spending on IoT devices & services will rise from $656 billion in 2014 to $1.7 trillion in 2020.” - IDC
3. The $79 billion smart-home industry
   “Smart-home industry generated $79.4 billion in revenue in 2014 and is expected to rise substantially as mainstream awareness of smart appliances rises.” - Harbor Research & Postscapes
4. 90% of cars will be connected by 2020
   “By 2020, 90% of cars will be online, compared with just 2% in 2012 supporting in-car infotainment, autonomous-driving, and embedded OS markets” - Telefonica
5. 173.4 million wearable devices by 2019
   “Global wearable device shipments will surge from 76.1 million in 2015 to 173.4 million units by 2019.” - IDC

Chart source: http://www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html

Page 44: Risk Assessments

IOT Drawbacks

• Designed with strict constraints
  – Low power consumption
  – Small memory and disk space
  – Minimal processing power
  – Little human interaction
  – Reduced options
• Weak update mechanisms
  – Devices are not engineered for patching
  – Lack of alerting regarding need for patching
  – Challenges in notification and delivery of patches

Page 45: Risk Assessments

IOT Misconceptions

• “My devices are too simple to be exploited by an attacker.”
• “My devices are too old or too customized to be targeted.”
• “My devices are not capable of being updated, therefore there are no security controls at my disposal.”
• “My vendors are not delivering patches.”
• “The risks posed by my IOT devices are not as severe as other more traditionally connected machines, therefore these devices are a lower priority.”

Page 46: Risk Assessments

IOT Challenges

• No end to vulnerabilities
• Little compatibility with enterprise infrastructure
• Rise of Shadow-IT
  – Devices are easy to purchase, install and use
• More consumer to business cross-over
• Need to interact with groups that may not be used to working with IT and IT Security or may think they don’t need to work with them at all

Page 47: Risk Assessments

IOT Assessments

• Need to follow traditional risk assessment approaches
  – RIIOT process will be key
  – Engage vendor and industry groups
  – Step-up awareness efforts
• Catch it early during the vetting process
• Remediation is the challenge
  – May have to rely on a rip and replace strategy
  – Adopt a micro-segmentation architecture
  – Rely on upstream and downstream controls
  – Technology cannot be the only solution

Page 48: Risk Assessments

Goal = Minimize Impacts of a Breach

Operational / Reputation
• Hard costs from disruption or destruction of infrastructure
• Increased scrutiny from third parties
• Attrition of employees or management
• Diminished brand value
• Profitability
• Revenue, Customer Retention
• Damage Repair - $200+ per stolen identity

Loss of Intellectual Property
• Competitive advantage
• New market opportunities
• Long term growth

Page 49: Risk Assessments

Questions

Brian [email protected]
@bdwtexas