Identifying Your Agency's Vulnerabilities

Page 1: Identifying Your Agency's Vulnerabilities

IDENTIFYING YOUR AGENCY’S VULNERABILITIES

Annie Searle, Principal, ASA Risk Consultants

Emergency Management Cyber Security Summit

April 30, 2013

www.anniesearle.com

Twitter = @anniesearle

Page 2

Operational Vulnerabilities = Risks

• An operational risk assessment will show you where gaps may have opened up in your existing programs:
  • People – human error, failure to follow procedures
  • Process – no procedure or bad procedures
  • Systems – breakdown of automated processes, especially in technology infrastructure
  • External – Mother Nature, critical dependencies on other sectors, vendors
• It’s this operational risk lens that allows you to enact change in your programs and fine-tune procedures.

Copyright ASA 2013

Page 3

Types of operational risk

• People
  • Internal fraud
  • External fraud
  • Legal/liability losses
• Processes
  • Processing errors
  • Noncompliance
  • Inappropriate business practices
• Systems
  • Systems failures
  • Security breaches
  • Continuity of operations
• External Events
  • Natural disasters
  • Cyber and bio threats
  • Geopolitical events

Page 4

Detecting risk early*

• Don’t rely upon historic data to predict future events
• Don’t focus on narrow measures of risk – assuming (for instance) that daily measures always apply
• Don’t overlook knowable risks – failing to make correlations
• Find hidden risks – sometimes deliberate, sometimes unconscious
• Improve your communication – the higher you go, the less technical you must sound
• Do manage in real time – market risks change rapidly with fluctuations in the market

* René M. Stulz, “Six Ways Companies Mismanage Risk,” Harvard Business Review, March 2009

© 2012 Copyright Annie Searle & Associates LLC

Page 5

Recent Studies on Risk Strategy

• New Protiviti study sponsored by COSO surveyed more than 200 directors.
  • Nearly 2/3 of directors reported that board oversight or monitoring is ad hoc or not done at all.
• New PwC study suggests rethinking risk strategy in light of nontraditional risks—social media, digital technology, competition from global markets, global talent demands.
• ImpactFactor study: Half of those surveyed spent $50,000 or less annually to “audit and assess suppliers.” 80% indicated they manage the primary vendor only.
  • Few companies have a program in place to extend through multiple layers of suppliers and subcontractors.

Page 6

Can you identify the risk before contracting with a vendor?

• Most deficiencies need to be fixed.
• What is the cost of outsourcing the risk versus the cost of mitigating the risk before you outsource?
• Risk management must be proactive, especially when a company is in an arena where flags are up – mergers and acquisitions.
• My former company is a good example of inheriting vendor risk through acquisitions. To keep good employees, applications and contractors were often kept as well. Rather than integrate platforms for home loans, up to 12 systems were running at a single point in time, off old contracts.

Page 7

Vendors, IP and IT* – Risks are not all with large vendors

• Intellectual Property Theft:
  • Contract janitor steals customer account information from hard copy documents lying out on desks, and uses it to obtain credit cards in customers’ names. Accounts drained of over $200,000.
  • Contractor stole and sold trade secret drawings marked for destruction. Loss estimated at $100 million.
• IT Sabotage:
  • Security guard allowed unauthorized access to data center from an expired ID carried by a manager, who unplugged cameras and stole tapes with records of 80,000 employees.
  • Contract programmer tricked janitor into unlocking an office where he downloaded sensitive source code onto removable media to take to his new boss, a competitor.

* Carnegie Mellon CERT study on insider threats

Page 8

Manage Risk First Via the Contract

People
• Require background checks scaled in sophistication to the criticality of the business processes you are giving the vendor, but be mindful of contract janitors as well.

Process
• Bind the vendor in the contract on all compliance-related issues.
• Identify in the contract the time frame in which you expect the vendor’s attention.
• Trap for potential worst case scenarios and for additional layers of subcontractors.

(more)

Page 9

Manage Risk First Via the Contract

Systems
• Require proof of additional layers of security and redundancy that the vendor has in place.
• Consider geopolitical location if data centers are involved.
• If using cloud, then how will you audit them?
• Insist upon site visits with audit to critical vendors.

External Events
• Closely review business continuity plans using a hazards, incident and vulnerability assessment (HIVA).
• Find critical gaps in both your own and the vendor’s plans based on increased global complexity for transaction processing.

Page 10

Close the gaps

• Distinguish “common” disruptions from unusual ones.
• Build partnerships – utilize the ISACs within critical infrastructure sectors to share information. Join InfraGard. Participate in PNWER exercises.
• Stay current on pending regulation/legislation that may affect your program.
• Ensure that your business lines can report issues/suspicious activity.
• Track all disruptions.
  • Look for patterns or repetition.
  • Speedy detection will result in a more rapid response.
• Containment and recovery include preparing customers, and monitoring and managing social media as well as traditional media.
• Ask for funds to close the gaps once you have identified issues that can be solved only with money.

Page 11

Re-examine the “big picture”

• What could a disruptive event look like?
• What are the potential business impacts?
• What are the competitive impacts?
• What are the upstream and downstream impacts on the value chain?
• What is the level of readiness and resilience of
  • Company
  • Suppliers
  • Distributors
  • Customers
• Wider resilience can mean higher market ratings, with a rating premium of up to 20%.

Page 12

Writing a persuasive recommendation

• Your technical staff may have prepared the most exhaustive analysis possible
  • Edit/revise it to eliminate acronyms and overly technical terms
  • Attach this analysis to your executive summary
• Assume that your CEO will not read the whole document
  • Create a one-page summary with all information required to make the decision/fund your project
  • Must be written in English, not acronyms
• Consider related information the CEO may have
  • Newspaper reports, evening news stories
  • Social media chatter, stories on Huffington Post, etc.
  • Professional meetings, regulator briefings

Page 13

Format of executive summary

• Background information
  • High-level description of the problem in your particular industry
• Current situation
  • Steps already taken by your company
  • Gaps that remain
• Risk exposure
  • Likelihood and probability of impacts if nothing is done
  • Minimum requirements to prevent financial loss
  • Optimum solution
• Action requested
  • Cost and timeline for minimum response
  • Cost and timeline for optimum solution

Page 14

CYBER RISK ASSESSMENT

Mary Gardner, Information Security Officer

Emergency Management Cyber Security Summit

April 30, 2013

[email protected]

Page 15

Definitions

• Risk
  • A probability or threat of damage caused by external or internal vulnerabilities. May be avoided through preemptive action.
• Vulnerability
  • A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.¹
• Threat
  • A natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property.²

¹ NIST SP 800-30
² DHS Risk Lexicon

Page 16

Why?

• Work Smarter not Harder
  • Identify and Prioritize High Risk Vulnerabilities
  • Prioritize Work Based on Risk and Effort
• Reduce Likelihood of Breach
  • Regulatory Requirements for Notification
  • $200.00 per Record for Notification
• Inform Incident Response
  • Identification of Vulnerabilities Can Assist Incident Response Teams

Page 17

How?

• Determine Scope
  • What are our IT Assets?
  • Which are the Most Important?
  • Where do they reside?
• Classify the Assets
  • Which will Cause the Most Harm if Compromised?
• Identify Threats and Vulnerabilities
• Assess Risk of Threats Exploiting Vulnerabilities
• Identify Steps to Mitigate
  • Management may choose to accept or transfer risk rather than mitigate

Page 18

Identifying Threats

• People
  • Insiders
  • Third Parties
• Software
  • Malware
  • Spyware
• Natural Disaster
  • Flooding, earthquake, storms
  • Disease
  • Power Outages

Page 20

People – How to Assess

• Insiders
  • Define Risk Appetite
  • Background Checks
  • 3rd Party Insider Risk Assessment
• 3rd Parties
  • Research
  • Understand your Business Model
    • Intellectual Property
    • Business Advantage
    • Controversial Products or Practices
• Vendors
  • Onsite Risk Assessment
  • 3rd Party Assessment

Page 21

Vulnerabilities

• Network
  • Configuration
  • Remote Access
  • Wireless
• Software
  • Input Validation
  • Authentication / Authorization
  • Configuration/Deployment
• Vendor
  • All of the Above

Page 22

Identifying Vulnerabilities

• Vulnerability Scanning

• Penetration Testing

• Social Engineering Assessments

• Threat Awareness/Monitoring

Page 23

Vulnerability Scanning

• Multiple Tools and Services
  • Qualys, Nessus, Rapid7
  • Most focus on Network
• Scans Generate Lots of Data
  • False Positives
  • Low Risk Issues
• Process Is Key
  • Baseline Knowledge
  • Change Management
  • Customized Reporting
    • Risk if Exploited
    • Cost and Effort to Mitigate

Page 24

Penetration Testing

• Requires Expertise
  • Can be Expensive
  • Generally Outsourced
• Makes an Impact on Management
  • Easy to Communicate Value
  • Better Buy-In on Remediation
• View of Security Posture
  • Identify Design and Application Flaws
  • Combine with Social Engineering

Page 25

Managing a Penetration Test

• Define Scope
  • What is the Target?
  • What is the Timeline?
  • Who Needs to Know?
• Vet the Staff
  • Are they Qualified?
  • Will they be a Good Partner?
• Help Write a Great Report
  • Understanding of the Business
  • Written in English
  • Clear Next Steps

Page 26

Questions