Cyber Risk Resilience - v7isacacuracao.com/.../10/Cyber-Risk-Resilience-Sheets.pdf ·...


Page 1: Cyber Risk Resilience - v7isacacuracao.com/.../10/Cyber-Risk-Resilience-Sheets.pdf · 2015-10-19 · responsible for the Risk Advisory and Technology Consulting departments. Arjan

Cyber Risk Resilience
Deloitte Dutch Caribbean, 13 October 2015
Mastering Leadership, Strategy and Change in the Cyber Information Age
© Deloitte Dutch Caribbean 2015

Introductions

Mario Flores, Partner
Mario is a Partner at Deloitte Dutch Caribbean. He is responsible for the Risk Advisory and Technology Consulting departments.

Arjan Klunder, Manager
Arjan is a Manager at Deloitte Dutch Caribbean, and is responsible for the Cyber Security strategy and initiatives within Deloitte Dutch Caribbean.

Part 1: The need for resilience in this new Cyber Age
What are the new risks in this new Cyber Age and why do we need Cyber Risk Resilience?

Part 2: Obtaining Cyber Risk Resilience as an organization
How to obtain Cyber Risk Resilience to survive in this new Cyber Age

Part 1: The need for resilience in this new Cyber Age
Arjan Klunder

What is this new Cyber Age?

Prehistoric ages: few inventions (Stone Age, Bronze Age, Iron Age)
Middle ages: various inventions (mills, printing press, medicine)
Modern ages: many inventions (e.g. Industrial Age, Atomic Age, Space Age, computers and the Internet)
Cyber Age: ?

[Figure: technology advancement plotted against time, rising through the ages listed above and ending in the Cyber Age]

"Land was the raw material of the agricultural age. Iron was the raw material of the industrial age. Data is the raw material of the cyber age."
– Alec Ross

What is Cyber?

Our world and our society are becoming more and more digital, and at an ever faster pace!

Increased use of digital technology

The real world and the virtual world are blending

An enormous amount of data is being collected

How Target figured out a teen girl was pregnant before her father did
Source: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did, Forbes (2012)

Everything gets connected
"In 2018, Earth will be home to 7.6 billion people. By contrast, some 25 billion devices will by then be connected"
– Kevin Ashton, 2009

The internet of things: the world is becoming hyper connected

Rapid adoption of new technologies and new business models

New technologies & applications
• Virtual reality
• 3D Printing (e.g. printed prototypes or hip replacements)
• Drones (e.g. postal packages being sent via drones)
• Smart Machines & Robotics

Technology enables new models
• Cloud computing (e.g. highly standardized global services)
• Social Media
• Data analytics driven business

Exponential growth

Sounds great, this Cyber Age! What's the catch?

New technologies mean new vulnerabilities

Hyper connectivity means being exposed

Devices connected to the internet in the Caribbean... are they secure enough?

Who is targeting your organization?

Who is targeting your organization?

[Figure: attacker types plotted by attacker determination against attacker sophistication]
• Accidental discovery
• Malware
• Insider
• Lone hacker / hobbyist
• Business partner
• 'Script kiddy'
• Disgruntled ex-employee
• Disgruntled customer
• Competitor
• Disgruntled ex-IT administrator
• 'Hacktivism'
• Cyber terrorism
• Hacker collectives
• Organised crime
• State-sponsored cyber warfare

Targeted and Non-targeted attacks

Some thoughts
• Attackers and researchers scan every IP in the public domain daily;
• Non-targeted attacks can have significant impact;
• A majority of the security incidents are caused by non-targeted attacks;
• Non-targeted attacks can lead to targeted attacks.

Targeted Attacks
Focused on your day-to-day business activities, for example by:
• Cybercriminals: steal data, steal money, affect continuity
• Disgruntled employees: compromise systems from the inside
• Hacktivists: having moral reasons to attack

Non-Targeted Attacks
Mass-spread malware via email, websites and USB sticks aiming to:
• Infect systems/servers for botnets
• Encrypt data and force organizations to pay (ransomware)
• Create a stepping stone for a consequent targeted attack

How big is the problem?
Source: The Global Risks Landscape 2015 (World Economic Forum)

How big is the problem?
TNO: "cybercrime costs at least 10 billion euros annually", or 1.5 to 2 percent of our GDP; the cost is more in the region of 20 to 30 billion euros (McAfee, Symantec, Eurostat, KLPD and Govcert.nl)

Ponemon Institute:
• 90% of US companies have been victim of a cyber attack in the last 12 months
• Nearly 60% reported two or more breaches in the last 12 months
• More than 50% stated they have little confidence of being able to stave off further attacks in the next 12 months

Private mailbox of Belgian prime minister hacked
Published: 31 May 2013 15:00

The private mailbox of Belgian prime minister Elio Di Rupo has been hacked. Unknown attackers broke into his account and captured hundreds of the prime minister's e-mails, which they then sent to a Belgian newspaper.

This was reported by the Belgian newspaper De Morgen on Friday.

The newspaper received an anonymous mail item containing a CD-ROM onto which hundreds of old e-mails from Di Rupo had been burned. The e-mails date from the years 2004 through 2008, when the current Belgian prime minister was still leader of the Parti Socialiste.

Cyber attacks are increasing in numbers

The impact can be enormous

The threat landscape has changed

From: hobby hackers
• Mostly small and simple attacks
• Simple viruses
• Not organized or coordinated
• Technical interest in vulnerabilities

To: organized cyber crime and hackers
• Complex attacks
• Sophisticated malware (based on zero day exploits)
• Highly organized (e.g. hacker collectives, criminal organizations)
• Wide range of motives

The need for a paradigm shift towards cyber risk resilience
• Reactive → Proactive
• Static → Dynamic
• Preventative → Monitor, detect & respond
• Guarding the perimeter → Guarding the environment
• Closed / Keep out → Open / Connected

The need for a paradigm shift towards cyber risk resilience
100% prevention is impossible. Resilience is needed!

• Perimeter based defense is obsolete. The days that you could passively protect your most valuable assets behind a big wall are over.
• In the hyper connected world, the doors in the wall are open for your people, partners and clients to access your environment. So just assume the danger will also get in.
• Although it isn't possible for any organization to be 100% secure, it is possible to use a mix of processes for prevention, detection and response to keep cyber risk below an acceptable level.
• To be open and secure at the same time you need a pro-active defense that not only tries to prevent an intrusion, but is able to detect it timely when it happens and then respond adequately.
• To be effective and well balanced, a cyber-defense must have three key characteristics. It needs to be secure, vigilant and resilient.

[Figure: level of security plotted against level of connectivity, with the labels "Closed and secure", "Open and vulnerable", "Cyber Resilience" and "Compromise"]

Being SECURE means having risk-prioritized controls to defend critical assets against known and emerging threats.

Being VIGILANT means having threat intelligence and situational awareness to anticipate and identify harmful behavior.

Being RESILIENT means being prepared and having the ability to recover from cyber incidents and minimize their impact.

Part 2: Obtaining Cyber Risk Resilience as an organization
Mario Flores

How to obtain resilience?
The very innovations that drive business growth create first order cyber risks.

Business value: regulatory compliance, growth / innovation, operational efficiency, risk management

Governance: identify top risks, align investments, develop an executive-led cyber risk program and adapt to changes in business strategies and threats

Secure capabilities: take a measured, risk-prioritized approach to defend against known and emerging threats
• Infrastructure security
• Data protection
• Identity and access management

Vigilance capabilities: develop situational awareness and threat intelligence to identify harmful behavior
• Threat intelligence
• Security operations

Resilience capabilities: have the ability to recover from and minimize the impact of cyber incidents
• Incident readiness
• Incident recovery
• Business resilience and recovery

A robust cyber risk program is integral to business success. While being "secure" is more important than ever, there is a growing need to be constantly "vigilant" and "resilient" in the face of shifting cyber threats.

Questions to answer:
• What is my risk appetite?
• What is my business strategy and related cyber risk?
• Who are my adversaries and their motives?
• What critical assets are they interested in?
• What tactics might my adversaries use to attack?
• What governance, processes and capabilities does my business need?

Cyber Incident Response: resilience requires proper Incident Response capabilities

Organizations should perform activities within each of the six Incident Response disciplines (Strategy, Governance, Business Operations, Technology, Remediation, and Risk & Compliance) to enable rapid adjustments during Incident Response situations that involve dynamic internal and external changes.

Activities across these disciplines:
• Sets tone-at-the-top
• Aligns strategy with organizational goals
• Provides mechanism for cross-functional communication
• Avoids "tunnel vision" when planning response and recovery strategies
• Reduces adverse impact to business operations and revenue streams during incidents
• Aligns IR efforts with Security Management and IT engineering initiatives
• Create technology architecture that can rapidly adapt to and recover from cyber incidents
• Improve situational awareness
• Confirm applications are highly resistant to standard attack vectors
• Demonstrate alignment with obligations
• Embrace a risk-based approach that puts focus on high impact areas
• Strengthen organizational readiness for addressing regulator and law enforcement inquiries
• Protect revenue, IT, physical, and personal assets
• Respond to unplanned events with minimal disruption
• Plan for and recover from disruptions quickly, regardless of specific incident characteristics
• Develop a remediation plan that incorporates short and long term goals
• Close identified technical and business process gaps
• Monitor technology infrastructure for repeat events

It starts by understanding your organizational risk appetite

Who might attack?
• Cyber criminals
• Hacktivists
• Nation states
• Malicious insiders
• Rogue suppliers
• Competitors
• Skilled individual hacker

What are they after and what key business risks must we mitigate?
• Sensitive data
• Financial fraud (e.g. wire transfer, payments)
• Business disruption (building systems, etc.)
• Threats to health & safety

What tactics might they use?
• Spear phishing, drive by download, etc.
• Software or hardware vulnerabilities
• Third party compromise
• Stolen credentials
• Control systems compromise

Starting your journey... but which road to take?

Five actionable moves: increase your operational capabilities
• You constantly read about hacked companies. You know about an increase of sophisticated attacks. You're aware that prevention on its own is no longer enough. Your board and stakeholders are expecting you to move ahead.
• You need to comply with policies and legislation, and to be in sync with your risk management principles.

Proposed 5 next steps
1. Execute an agile gap analysis and create a roadmap
2. Design and implement a Target Operating Model
3. Roll out your initial operational capability
4. Run your first cyber simulation
5. Keep on building your maturity

1. Execute an agile gap analysis and create a roadmap
Understand where you are, where you'd like to be and what is needed to bridge the gaps

The first step: understand where you are, decide where you'd like to be and create an actionable roadmap to bridge the gaps.
1. Determination of the current state against a best practice Security Operations capability model (e.g. ISO 27000/1, CIP – Critical Infrastructure Protection, NIST Cybersecurity Framework, Standard of Good Practice, etc.)
2. Determination, in conjunction with your business objectives, of the future desired state
3. Identification of gaps per assessed area
4. Construction of a prioritized roadmap with people, processes and technology work packages, indicating priorities, addressed risks and estimated costs

2. Design and implement a Target Operating Model (TOM)
Design how Security Operations will fit into the organization and provide value to the business

A Security Operations TOM is the blueprint for how your operational capability will bring value to your businesses, defining the position in the organization as well as the necessary structure to deliver added-value security services. A TOM needs to be designed and implemented covering:
• People
• Processes and
• Technology

Aspects of the TOM should include:
• Security Operations Center (SOC) Governance
• Operational policies, procedures and technical instructions
• SOC service catalogue
• Job profiles and staff augmentation

Service Catalogue (1) and (2): a number of services underpin an Information Security Operating Model
[Figure: the service catalogue itself was a diagram on these two slides and is not reproduced in this transcript]

3. Deploy your Initial Operational Capability
Security Operations need to fit into the organization and provide value to the business

Having understood the existing gaps and the supporting operating model, it's time to build the necessary capabilities.
• Implement an initial capability, using selected delivery methods: in-house, fully outsourced and hybrid. Outsourced and hybrid are considered managed services, whereas in-house is operated by the client.
• If required, outsource and implement a custom and dedicated SOC for you, in which a third party takes care of absolutely everything.

4. Run your first cyber simulation
Practice a major incident blending incident response and crisis management

Once your initial capability is in place, it's time to put it to the test. There are no better lessons than those derived from real incidents, but they are obviously unwanted. Therefore, a professional cyber simulation can be as valuable, without the negative effects of a real breach. The benefits of cyber simulation are multiple:
• Ability to improve the overall cyber defensive capabilities by executing a red and blue flag exercise, which will show the resilience level against different attacks, and the corresponding level of defensive capabilities
• Generate board level and business leader awareness on APT resilience
• Motivate teaming and enhance relations of different departments
• Create the foundation to connect incident response with crisis management, and connect both activities together

5. Continuously improve and elevate your maturity
From an initial operational to a fully operational capability

Security Operations is a journey. Therefore, there is a need to continuously adjust the capability level to the different threats and innovations of the relevant actors. This can be done in conjunction with the results of the gap analysis:
• People: career management advisory, staff augmentation, training and in/outsourcing SOC functions.
• Processes and governance: adjusting the services catalogue, designing and implementing new services, updating the procedure catalogue.
• Technology: maintenance of existing technology and additions to the existing footprint, including security engineering efforts.

Security Maturity Planning
Understand where we are today and where we want to be in the future

[Figure: distribution of typical large Global 2000 companies by level of security program maturity (relative security program maturity against level of security program maturity, from "Not World-Class" to "World-Class"), with bars labelled 10%, 30% and 35%. Source: Gartner]

Maturity stages shown in the figure, from least to most mature:

• No formalized security activities exist
• Ad hoc controls implemented over time
• Tasks are informal and uncoordinated
• Processes undefined and staff changes cause failures

• Security processes are ad hoc, disconnected and disorganized
• Advocates exist but no formal program in place
• Limited but increasing acceptance of the need for a formal program

• Formal program vision outlined and management buy-in secured
• Requirements & responsibilities defined
• Implementation initiated & gaps identified
• Communication & education rolled out

• Goals, practices, & performance metrics
• Processes formalized & implemented
• Formal governance & compliance model exists

• Processes fully mature
• Investments and decisions are linked
• Stakeholder feedback used to adjust & improve as people, technology and business requirements change
• Part of culture and an integral, inseparable part of operations & decision making
• Performance highly predictable

Cyber Threat Intelligence

What is Cyber Threat Intelligence? Why do we need it?
• Organizations face challenges to keep track of the emerging threat landscape.
• Organizations lack process capabilities for taking timely action on real-time intelligence.
• With emerging technologies, there is a proportional rise in the complexity of managing cyber assets, which creates several telltale security misconfigurations.

Cyber Threat Intelligence manages collecting, correlating, enriching and distributing actionable and proactive cyber intelligence data to help organizations put themselves in a defensive posture against emerging cyber threats.

What constitutes Intelligence
• Vulnerabilities and Exploits
  • Zero-day vulnerabilities
  • Popular attack surfaces
  • Exploit Kits
• Vendor notifications and Patches
  • Technologies and Popular Vendors
  • Advisories and Alerts
  • Patches, upgrades and security bulletins
• APT campaigns
  • Targeted attack patterns
  • Threat actors involved
  • Threat tactics, tools and malware
  • Vulnerabilities Exploited
  • Geographical region targeted
  • Profiles of the affected victims
• Independent Researchers' works
  • Proof of Concept for Exploits
  • Discovery of Zero-day vulnerabilities
• Cyber Security Incidents
  • Data Breaches
  • Identity and financial thefts
  • Infiltration and Exfiltration attempts
• Malware activity and Traffic analysis
  • Latest malware proliferation
  • Infected platforms
  • Signatures and Hashes
  • Malware Authors
  • Source code
  • Geographical Expanse
  • Botnet and DDoS activity
  • Command and Control servers
• Underground Forums and IRC Channels
  • Discussions on hacking, malware
  • Identity data disclosure, doxes
  • Posts on Malware and Exploit kits
  • Sale of Identity and Financial data
  • Emerging Cybercrime-as-a-service groups
• Indicators of Compromise
  • Malicious IP addresses
  • Malicious Domains
  • IDS/IPS, Yara, etc. signatures
• Social Engineering and Phishing Campaigns
  • Ongoing Phishing and spam campaigns
  • Geographical regions
  • Spear-Phishing Emails
  • Phishing domains

Open Intelligence Sources: from search engines to feeds
• Primary Search Engines: Google, Yahoo, Bing, Lycos, ...
• Country Specific Search Engines: Japanese and Chinese, Middle East, European, Latin American, Asia Pacific, ...
• Paste Sites, File Repositories and Data Leak sites: Pastebin, Anonfiles, QuickLeak, WikiLeaks, ...
• Miscellaneous: Shodanhq, Robtex, Datalossdb, IP/Domain search sources, ...
• Security Researchers: Brian Krebs, Mikko Hypponen, Pierluigi Paganini, Antivirus Vendors
• Product Vendors: Microsoft, Cisco, Adobe, Java, ...
• Hackers and Cyber Criminals: lampeduza.net, rescator.net, toxic0de.net, maldev.net, ...
• Freelance Malware Analysts: Malwaredontneedcoffee, Kafeine, Malwaremustdie, Pwndizzle, ...
• Twitter: Security Researchers, Hackers, Hacktivist groups, Vendor Tweets, ...
• Feeds: Dark Reading, SANS ISC, The State of Security, Hackread, Exploit DB
• Feeds: CNET, US-CERT, ICS-CERT, Wired, The Register
• Feeds: Office of Inadequate Security, Trend Micro Simply Security, Krebs on Security, Information Week, ...

Threat Intelligence Framework: Actionable Intelligence
A comprehensive approach to maximize the value gained from collecting, correlating, enriching and distributing intelligence data

Inputs: technology configuration data, infrastructure & application logs

External Cyber Threat Intelligence Feeds
• Commercial Feeds
• Law Enforcement
• Industry Associations
• Underground Forums
• Hash databases
• GEOIP data

Proactive Surveillance
• Honeynets
• Watch-list monitoring
• Vulnerability scanning
• Vulnerable web application monitoring
• Web page virus scanning
• BGP Hi-Jack monitoring
• DNS Poison monitoring

Internal Threat Intelligence Feeds
• Fraud investigations
• Security event data
• Security incident feeds
• Abuse mailbox info
• Vulnerability data
• Human intelligence

Information Leakage Intelligence
• Keyword Monitoring
• File Monitoring
• Monitoring of underground and criminal websites for confidential information

These inputs and feeds flow into Cyber Threat Intelligence Analysis, which produces Threat Intelligence & Incident Reporting for the Security, Fraud and Operational Risk Teams (Observe, Orient, Decide, Act).

The OODA Cycle: Actionable Intelligence
[Figure: the OODA loop. Observe: monitoring and collection, fed by CTI. Orient: correlate new intel with previous experience and the internal environment, then analyze. Decide: decision. Act: action. Implicit guidance and control links the stages.]
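The collect, correlate, enrich and distribute loop of the framework slide, driven through the OODA stages of the slide above, as an added example that is not from the original deck or from Deloitte. It assumes a simple "kind,value,source,confidence" feed format, log lines that carry host=, dst=, query= and file_sha256= fields, and scoring thresholds chosen for illustration; all feed entries, hosts, hashes and addresses are constructed (documentation-range) sample data, not real indicators:

```python
"""Threat-intelligence correlation loop: collect indicators from feeds,
correlate them with internal logs, enrich the hits and decide an action.
All feeds, log lines and thresholds here are constructed sample data
(documentation-range addresses), not real indicators.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

SAMPLE_HASH = "a" * 64  # constructed placeholder hash, not a real sample

# Constructed feed entries in "kind,value,source,confidence" form (assumed format).
EXTERNAL_FEED = "\n".join([
    "ip,203.0.113.45,commercial-feed,90",
    "domain,login-update.example,industry-association,70",
    f"sha256,{SAMPLE_HASH},hash-database,95",
    "ip,192.0.2.99,law-enforcement,60",
    "ip,198.51.100.7,underground-forum,40",
])
# Internal feed: the abuse mailbox independently reported the same phishing domain.
INTERNAL_FEED = "domain,login-update.example,abuse-mailbox,80"

# Constructed infrastructure / application log lines (the framework's log input).
LOG_LINES = [
    "2015-10-13T09:12:01Z proxy host=ws-017 dst=203.0.113.45 uri=/update.bin",
    "2015-10-13T09:12:05Z dns host=ws-017 query=login-update.example",
    f"2015-10-13T09:13:40Z edr host=ws-017 file_sha256={SAMPLE_HASH}",
    "2015-10-13T09:20:11Z proxy host=ws-042 dst=192.0.2.10 uri=/index.html",
    "2015-10-13T09:25:30Z proxy host=ws-055 dst=192.0.2.99 uri=/",
    "2015-10-13T09:31:02Z proxy host=ws-088 dst=198.51.100.7 uri=/img.png",
]


@dataclass
class Enriched:
    kind: str
    value: str
    sources: set[str]
    confidence: int  # highest confidence any feed assigned

    @property
    def score(self) -> int:
        # Enrichment rule (assumption for this example): every corroborating
        # feed beyond the first adds 10 points, capped at 100.
        return min(100, self.confidence + 10 * (len(self.sources) - 1))


def parse_feed(text: str) -> list[tuple[str, str, str, int]]:
    """Parse 'kind,value,source,confidence' lines; blanks and # comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, source, conf = line.split(",")
        rows.append((kind.strip(), value.strip().lower(), source.strip(), int(conf)))
    return rows


def build_index(*feeds: str) -> dict[tuple[str, str], Enriched]:
    """Collect indicators from all feeds and merge duplicates (collect + enrich)."""
    index: dict[tuple[str, str], Enriched] = {}
    for feed in feeds:
        for kind, value, source, conf in parse_feed(feed):
            key = (kind, value)
            if key in index:
                index[key].sources.add(source)
                index[key].confidence = max(index[key].confidence, conf)
            else:
                index[key] = Enriched(kind, value, {source}, conf)
    return index


_HOST = re.compile(r"\bhost=(\S+)")
_DST = re.compile(r"\bdst=(\S+)")
_QUERY = re.compile(r"\bquery=(\S+)")
_HASH = re.compile(r"\bfile_sha256=([0-9a-fA-F]{64})\b")


def extract_observables(line: str) -> list[tuple[str, str]]:
    """Pull (kind, value) pairs out of one log line (observe)."""
    found = []
    for m in _DST.finditer(line):
        try:
            found.append(("ip", str(ipaddress.ip_address(m.group(1)))))
        except ValueError:
            pass  # dst was a hostname or malformed; not an IP observable
    for m in _QUERY.finditer(line):
        found.append(("domain", m.group(1).lower().rstrip(".")))
    for m in _HASH.finditer(line):
        found.append(("sha256", m.group(1).lower()))
    return found


def correlate(log_lines, index) -> dict[str, list[Enriched]]:
    """Match observables from the logs against the indicator index (orient)."""
    hits: dict[str, list[Enriched]] = {}
    for line in log_lines:
        host = _HOST.search(line)
        if not host:
            continue
        for key in extract_observables(line):
            ind = index.get(key)
            if ind is not None:
                hits.setdefault(host.group(1), []).append(ind)
    return hits


def decide(score: int) -> str:
    """Map a score to a response action; thresholds are this example's assumption."""
    if score >= 80:
        return "isolate-host"
    if score >= 50:
        return "investigate"
    return "monitor"


def triage(log_lines, *feeds) -> dict[str, dict]:
    """Full loop: {host: {"score", "action", "indicators"}} for the response team (act)."""
    index = build_index(*feeds)
    report = {}
    for host, inds in correlate(log_lines, index).items():
        best = max(ind.score for ind in inds)
        report[host] = {
            "score": best,
            "action": decide(best),
            "indicators": sorted({f"{i.kind}:{i.value}" for i in inds}),
        }
    return report


if __name__ == "__main__":
    for host, entry in triage(LOG_LINES, EXTERNAL_FEED, INTERNAL_FEED).items():
        print(host, entry["score"], entry["action"], entry["indicators"])
```

The corroboration rule is what makes the internal feed valuable: the phishing domain reported at confidence 70 by an external association and at 80 by the organization's own abuse mailbox scores 90 once the two are merged, so the host that resolved it is isolated rather than merely investigated, while a single low-confidence underground-forum indicator only earns a "monitor" action.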

Consider all angles: don't overlook managing 3rd party risk

Third Party Risk: what is a third party?
Extended enterprise/third-party landscape (illustrative): agents, affiliates or subsidiaries, joint ventures, contractors, vendors, business partners, government organizations, law firms, service providers
• Any individual or entity, which is not a direct employee, which provides a product/service to, or on behalf of, the sourcing organization
• Typically managed at both the engagement and relationship levels

What Third Party Risks Should be Managed: possible inherent and unique risks

Inherent risk to the product/service:
• Cyber risk: ensuring confidentiality, integrity, availability of information assets
• Compliance/legal risk: actions inconsistent with legal, policy or regulatory requirements
• Operations risk: third-party failures resulting in impact to IT or business operations
• Contractual risk: inability to deliver product/service to contractual requirements
• Business continuity risk: inability to continue providing product/services
• Intellectual property risk: inappropriate use of intellectual property by the third party

Risks unique to the third party:
• Financial risk: inability to meet contractual obligations due to financial difficulties
• Reputation risk: third-party issues impacting the organization's brand and reputation
• Geopolitical risk: region/country-specific factors affecting the third party/business
• Strategic risk: third party not aligned with the organization's strategic objectives
• Credit risk: inability to make obligated payments
• Quality risk: inability to deliver product/service in line with quality expectations

Conclusion

Critical Success Factors for Cyber Risk Response (CIR)

• Executive Crisis Management: educate executives on crisis communication plans and their associated responsibilities. Setting tone at the top of organizational hierarchies has cascading impacts.
• Cyber Education: prevent your plans from becoming "shelf ware" by training your CIR team periodically.
• Response Team: carefully select CIR team members and confirm they have the requisite skills and experience to perform responsibilities outlined in the plan.
• Operations: involve business operations in cyber Incident Response planning so that mission critical processes and systems are available when crises occur.
• Simulate the Event: simulate realistic incidents regularly. By exercising the plan, organizations can build "muscle memory" and respond more effectively and consistently.
• Supported by Technology: organizations should embrace technologies that enable operational resiliency and proactive detection and response capabilities.
• The Plan: simple, flexible and distributed plans provide guidance to responsible parties throughout the organization. Understand where external help is needed and have contracts and capabilities in place beforehand.
• Legal, Risk, & Compliance: determining legal, regulatory, and compliance issues in the midst of a crisis is a bad place to be. Prepare ahead and incorporate these considerations into the CIR plan.

You will be hacked: it is not a question of 'if' but 'when'

You will be asked:
• Were you aware of the risk?
• Which measures did you take to prevent and manage this attack?

Your answer should be:
• Yes, I was aware of the risk
• Yes, I have taken the necessary measures, including: penetration testing, patching, threat intelligence, awareness, etc.
• We were able to contain the impact because of our detect and respond capabilities

Questions & Discussion

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte's more than 210,000 professionals are committed to becoming the standard of excellence.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte network") is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2015. For more information, contact Deloitte Touche Tohmatsu Limited.