
Page 1: Effective Risk-Based Information Security Programs
Relationship between Internal Audit and IT Security

Presented by: Debra Banning, VP, Information Security Center of Expertise

Page 2: Today’s Agenda

Experis | December 2014

• Current Risk Environment
• What Can We Learn?
• Increasing Information Risk Management
• Actions that Reduce Your Risk
• Closing

Page 3: Current Risk Environment

Page 4: Operational Expansion

[Diagram: enterprise headquarters (router, server, hub, firewall, data, LAN, remote access) connected to regional offices, suppliers and customers]

Internet accessible systems are exposed to an increasingly hostile world, including some threats launched through your clients and vendors.

Page 5: Recent Headlines Illustrate the Current Risk Landscape

[Slide of recent breach headlines; images not included in the transcript]

Page 6: Cyber Space – Business Perspective

• Pervasive – Can reach all around the globe in a click to promote and conduct your business
• Informative – Information can be readily obtained, increasing business productivity
• Trusting – A business brand can be established globally by being present on the Internet
• Collaborative – Entire supply chains can share information through multiple media

Page 7: Cyber Space – Attack Perspective

• Pervasive – Attacks can originate from anywhere on the globe
• Informative – Attackers can gain and correlate information about any organization or person that can be used to advance their purpose
• Trusting – Attackers can execute attacks based on users’ “trust” of information and applications found on the Internet
• Collaborative – Attackers unite to quickly launch massive distributed attacks

Page 8: Types of Information at Risk

Critical Data:
• Intellectual Property / Trade Secrets
• Corporate Strategy
• Unreleased Financial Information
• Personal Health Information (PHI)
• Personally Identifiable Information (PII)
• System Data and Configuration Settings

Page 9: How Much is Your Personal Information Worth?

Black Market Value for Personal Information
• Medical records along with health insurance ID: $47.62
• Social Security Numbers coupled with personal information: $14.02
• Debit card/pin-code combinations: $9.55
• U.S. credit card record: $.75 - $.97
• Social Media account credentials: $16 - $325
• Traffic redirections: $130
• On-line buying habits and contact information: <$.30

Source: Ponemon Institute/Wall Street Journal/Experis Research

Page 10: How Much is Protection Really Worth?

The amount individuals would pay to protect their personal information varies widely, based on the information being protected:
• Social Security number/government ID: $240/year
• Credit Card number: $150/year
• Electronic or Physical Histories: $52 - $59/year
• Health Industry Medical Records: $38/year
• On-line buying habits and social profiles: $3 - $5.70/year
• Contact Information (phone number, e-mail, mailing address): $4.20/year

Source: “What’s Your Personal Data Worth” by Tim Money, Jan. 18, 2011, designmind.frogdays.com blog

Page 11: Through Which Lens Do You View Data Protection?

Consumer
• Can I trust the product will protect my sensitive information?
• Are the data protection features easy to use and configure?
• Does the product allow me to set different levels of protection?
• Can the protection interoperate seamlessly with my other products?
• Does the product automatically update itself to maintain protection?

Producer
• How important is data protection to your consumers?
• What type of data will your product collect, process, store or transmit?
• Will your product be used in high security environments?
• What regulatory or legal requirements will your product need to meet?
• Can data protection differentiate your product in the marketplace?

Page 12: What can we learn?

Page 13: Breaches and Cyber Threats Challenge the Status Quo

• Speed and control of change management
• Management of security waivers/exceptions
• Definition of ‘Insider’ and ‘Outsider’
• Depth/scope of vendor assessments
• Visibility across full IT/IS supply chain
• Suitability of security in outsourced services
• Effectiveness of periodic account reviews
• Effectiveness of single-factor authentication

Page 14: Event Analysis Reveals Common Attack Vectors

Many significant breaches start with social engineering attacks
• Phishing, spear-phishing are suspected in several of the largest breaches
• Targets include employees, suppliers and third-party contractors
Most organizations have too great a susceptibility to this form of attack

Attackers use credentials to gain a foothold on internal network
• Immediately begin to survey the environment they now have access to
• Identify possible data repositories and business systems (e.g., POS* network)
Attackers should not be able to easily transit across internal networks

Attack then moves to core business systems or credential repositories
• Either set up shop to glean data over time or just steal large files
• Often set up their own repository for data to facilitate exfiltration
Common controls should preclude actions seen in large breaches

*POS – Point Of Sale

Page 15: Analysis Also Reveals Basic Access Control Flaws

User accounts had privileges that were not required for assigned duties or allowed access to resources in excess of required privileges
• What periodic risk reviews might have exposed this?
• Would additional network segmentation reduce this risk?

Core repositories allowed bulk access and/or transfer of sensitive data, both within the company and via exfiltration
• Would proper risk review processes preclude granting this level of access?
• Could reducing aggregation of data into any single repository reduce this risk?

Production systems (e.g., POS network) used weak access controls, insufficient segregation of duties and inadequate activity monitoring
• What monitoring, reporting and audits could reduce these critical risks?
• Would mandatory multi-factor authentication eliminate most of these attack vectors?

Page 16: Common Oversight Flaws Elevated the Level of Risk

Exploits often existed for months before discovery, and were most often reported by law enforcement or external security researchers
• Why haven’t latent threats, like APTs*, been elevated as critical risks?
• Shouldn’t this be part of most organizations’ annual audit plan?

Some recent attacks appear to follow the same pattern as previous attacks in the same industry – pointing to a lack of urgency to take action
• What does it take to convince management to learn from others’ mistakes?
• Why didn’t these patterns drive changes in the standard of due care?

It appears some POS software and change control processes had inadequate oversight and monitoring of software updates
• One attack purportedly involved multiple updates of the attack software
• Why weren’t basic software release control and validation employed?

*APTs – Advanced Persistent Threats

Page 17: Increasing Information Risk Management

Page 18: Value and Risk of an Organization’s Information

[Chart: Information Value (LOW / MED / HIGH) plotted against Threat, Vulnerability, Counter-measures cost ($ to $$$) and Risk for four example assets: consolidated financial information, customer personal information, confidential executive memorandums, and internal office memorandums (non-confidential)]

Page 19: Data loss is not the only way breaches cause harm!

Because breaches result in a wide variety of impacts that must be considered, the governance response to breaches must go well beyond just IT controls.

[Bar chart: breach impacts with the percentage shown for each, reconstructed from the slide]
• Loss of employee productivity: 45%
• Loss of revenue: 39%
• Loss of customer confidence/loyalty: 32%
• Loss of an incremental business opportunity: 27%
• Loss of business to a competitor: 27%
• Delay in product/service development: 26%
• Loss of a new business opportunity: 26%
• Loss of customers: 26%
• Damage to company brand and reputation: 23%
• Loss of repeat business: 20%
• Delay in getting product/service to market: 16%
• Damage to company stock: 10%

Source: http://www.emc.com/collateral/other/emc-trust-curve-es.pdf

Page 20: The Security Governance Paradigm is Changing

• 2013: the President issued Executive Order 13636 - Improving Critical Infrastructure Cybersecurity
• One year later, NIST released the Framework for Improving Critical Infrastructure Cybersecurity
• Extends the classic security life cycle (Protect, Detect, Respond and Recover) to include Identify
• The new model is more proactive - Business and Governance are now key aspects of managing risk
• The related roadmap includes data analytics, supply chain risk management and continuous monitoring
• An emerging imperative is enhancing the role of Internal Audit in evaluating risk management

[Figure: Cybersecurity Framework - Core Structure]
Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Page 21: Oversight is Evolving to Meet the Challenge

Tools increase visibility and tracking
• GRC tools and risk analytics are more common
• Provide better data, but none are a silver bullet
• Establish a common source of data for metrics and reports
• Create a link between cyber risk and enterprise risk

Adoption of formal frameworks
• Cobit 5, ISO 27000 Series, NIST SP 800 Series
• Each requires some customization to align to your specific business needs
• High degree of overlap between frameworks reduces total control set

Audit focus is expanding beyond controls
• Focus changing to finding the root cause vs. just finding the defect
• More recognition of the importance of process risk over just technology risk
• Proactive discussion of strategic risk with the businesses

Page 22: Relationship between Internal Audit and IT Security

Internal Auditors were once thought of as the go-to only for issues relating to financial controls, while IT Security dealt with technology controls.

Now, IT Security is still adept at managing technology risks, while Internal Audit is recognized as experts in characterizing all risks to the business.

Internal Audit has the ear of the Board of Directors, which makes them a very effective advocate in framing the importance of IT Security controls.

Internal Audit monitors traditional risk but also looks for the presence and impact of emerging risk, such as breaches and other cyber threats.

Internal Audit is rarely utilized to its full potential, especially in the IT area.

IT Security, in most cases, does not see Internal Audit as a team member that adds value – and that needs to change.

Page 23: Actions that Reduce Your Risk

Page 24: Assess your risk management hierarchy

[Figure: three risk tiers, from strategic risk focus to tactical risk focus: Organization Structure, Goals and Strategies (strategic risk focus); Business Processes and Applications; Information Systems and IT Business Partners (tactical risk focus)]

• Multiple risk tiers
• Requires a risk champion
• Address systems and architectures
• Flexible, but consistent

Page 25: Actions that Reduce Your Risk

Define and adopt a formal cyber security strategy for your organization
• Make it an integral part of the strategies for every contributing function
• Review with Executive Committee at least twice per year
• Identify an actionable and pragmatic roadmap for security
• Review cyber risk posture and actions at least monthly
• Update dashboards, reports and metrics to make issues visible

Create a process-driven security capability
• Establish a formal information security management system
• Adopt a standard risk and control framework to support program
• Create visible, integrated program resourcing for all security activities
• Mandate the formal acceptance of risks for unfunded security projects

Page 26: Actions that Reduce Your Risk (continued)

Reevaluate your current IT security processes and controls
• Strengthen production system access controls to require strong authentication
• Establish an isolated release control/change management mechanism
• Reduce access and retrieval rights to aggregated or core data repositories
• Review and revise third party access controls and account privileges
• Establish integrity monitoring controls for key systems and repositories
• Eliminate broad remote access to internal systems

Create a formal crisis management function in your organization
• Integrate all enterprise incident response functions
• Include supporting roles outside of IT/IS (e.g., Law, HR, Compliance)
• Define a decision/escalation tree, and grant authority to key roles

Page 27: Actions that Reduce Your Risk (continued)

Create a breach response plan to ensure your organization is prepared
• Reporting – Ensure employees know who to contact and what information to provide if/when a potential breach is discovered
• Roles – Define a Data Breach Response Team (members, roles and responsibilities) with the appropriate knowledge to evaluate data breaches
• Actions – Include breach declaration, response escalation, system isolation, shut down, recovery, data scrubbing, evidence collection, chain of custody
• Communications – Define specific protocols for each stakeholder group, including internal, customer, shareholders, authorities, media
• Breach Notification – Create predefined procedures for notifying affected parties, based on the different notification triggers

Page 28: Actions that Reduce Your Risk (continued)

Evolve your IT/IS cyber operations capabilities to be more agile
• Create a critical cyber skills matrix and populate it for your organization
• Identify key players in your organization for incident and breach response
• Establish a roadmap and action plans to eliminate any gaps
• Define succession plan for critical decision makers

Reduce your cyber risk profile and attack surface
• Create an organizational bias against retaining sensitive information
• Mandate multi-factor VPN* for all access to sensitive data repositories
• Implement protocol restrictions and filters (e.g., WAF**) at all boundaries
• Utilize tiered security architecture to segregate critical data
• Use VDI*** to eliminate local storage of sensitive data on laptops

*VPN – Virtual Private Network, **WAF – Web Application Firewall, ***VDI – Virtual Desktop Infrastructure

Page 29: Actions that Reduce Your Risk (continued)

Increase your cyber detection capabilities
• Establish mandatory standards for system and application logging
• Implement anomalous use scanning in network and system monitoring
• Deploy ingress/egress filtering and data leakage prevention
• Utilize more analytics and automation in log and alert management
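The detection capabilities listed above, applied to the bulk-retrieval and exfiltration pattern the deck describes on pages 14 and 15, as an added example that is not part of the presentation: a small Python scanner that runs two anomalous-use rules over constructed repository access logs. The log format, account names and thresholds are assumptions.

```python
"""Anomalous-use scanning over core-repository access logs (added example).

Implements two detection rules against constructed log lines: an account
retrieving an unusually large volume of records from a core data repository
within one hour, and an EXPORT performed outside business hours.
Log format, account names and thresholds are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <account> <action> <records_returned>"
SAMPLE_LOG = """\
2014-12-01T09:02:11 jsmith QUERY 12
2014-12-01T09:05:40 jsmith QUERY 8
2014-12-01T09:06:02 akumar QUERY 25
2014-12-01T09:07:19 svc_pos EXPORT 200
2014-12-01T02:14:53 svc_pos EXPORT 48000
2014-12-01T02:15:10 svc_pos EXPORT 51000
2014-12-01T09:30:00 akumar QUERY 17
"""

# Assumed policy thresholds; tune them to the repository's normal volume.
MAX_RECORDS_PER_HOUR = 10_000   # bulk-retrieval ceiling per account per hour
BUSINESS_HOURS = range(8, 18)   # 08:00 to 17:59 local time


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, records = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "action": action.upper(),
            "records": int(records),
        })
    return events


def hourly_volume(events):
    """Total records retrieved per (account, hour bucket)."""
    totals = defaultdict(int)
    for e in events:
        bucket = e["ts"].replace(minute=0, second=0, microsecond=0)
        totals[(e["account"], bucket)] += e["records"]
    return totals


def scan(events):
    """Return alerts as (rule, account, timestamp, detail) tuples."""
    alerts = []
    # Rule 1: bulk retrieval, one alert per account and hour over the ceiling.
    for (account, bucket), total in sorted(hourly_volume(events).items()):
        if total > MAX_RECORDS_PER_HOUR:
            alerts.append(("bulk_retrieval", account, bucket, total))
    # Rule 2: exports outside business hours, one alert per event.
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "EXPORT" and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_export", e["account"], e["ts"], e["records"]))
    return alerts


def scan_text(text):
    """Convenience wrapper: parse raw log text and scan it."""
    return scan(parse_log(text))


if __name__ == "__main__":
    for rule, account, when, detail in scan_text(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M} {rule:<17} {account:<8} {detail}")
```

On the sample log the service account trips both rules while the two analysts' daytime queries produce nothing, which is the signal a periodic access review or SIEM rule would escalate.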

Increase threat knowledge through focused security awareness training
• Use role-based/scenario-based training methods
• Provide job reference materials to enforce messages
• Ensure skills training for critical roles (e.g., system administrators)
• Be aware of desensitizing staff by providing too many messages

Page 30: Actions that Reduce Your Risk (continued)

Review your current audit processes (internal/external)
• Ensure they include appropriate use of data analytics and root cause analysis
• Update your organization’s audit threat profile to include common breach attack vectors and other forms of cyber threats occurring in your industry
• Invite Internal Audit to host or contribute to periodic strategic risk reviews that include an assessment of cyber risks and incidents affecting your organization’s peers
• Have Internal Audit regularly review incident response procedures and data integrity controls used for business critical systems and data
• Regularly audit and test your organization’s susceptibility to phishing attacks and other forms of social engineering

Ensure Third Parties are Protecting Your Data
• Third-Parties – Vendors, Business Partners and other third parties play a critical role in protecting your critical and sensitive data
• Service Level Agreements – Clearly define data protection and breach notification requirements, and the consequences for failing to protect data
• Vendor Management Program – Include examination and reporting of required data protection, including self-assessments and site inspections
• Risk Management Program – Proactively work with vendors to identify and remediate risks, or choose alternate vendors (preferably before a breach occurs!)

Page 31: How Partnering With Internal Audit Can Help!

• Perform Risk Assessments to identify high risk information assets
• Provide periodic reviews and feedback concerning the completeness and effectiveness of security controls
• Perform IT Security Audits where the IT Organization has identified a potential weakness in the environment
• Perform continuous auditing of IT preventative controls
• Report and escalate IT Issues and IT needs to Audit Committee
• Act as a trusted advisor and risk consultant, but not a policeman

Page 32: Closing

Page 33: Summary

• Cyber threats are constantly changing the game
• Data breaches will continue to focus on finding and exploiting the weak links in systems and people
• The speed of threat evolution requires similar agility in the control and risk management environments
• Audit plays a key role in evaluating the adequacy of your risk identification and management processes
• Risk/vulnerability assessments and audits are useful, but ONLY if you address the findings
• A strong partnership between IT Security and Internal Audit will make a real difference in managing risk

Page 34: Questions?

Page 35: Contact

Debra Banning
Vice President, Information Security Center of Expertise
Experis
703.336.8169
[email protected]