
Identifying Your Agency's Vulnerabilities


1. IDENTIFYING YOUR AGENCY'S VULNERABILITIES
Annie Searle, Principal, ASA Risk Consultants
Emergency Management Cyber Security Summit
April 30, 2013
www.anniesearle.com
Twitter = @anniesearle

2. Operational Vulnerabilities = Risks
An operational risk assessment will show you where gaps may have opened up in your existing programs:
  • People: human error, failure to follow procedures
  • Process: no procedure or bad procedures
  • Systems: breakdown of automated processes, especially in technology infrastructure
  • External: Mother Nature, critical dependencies on other sectors, vendors
It's this operational risk lens that allows you to enact change in your programs and fine tune procedures.
Copyright ASA 2013

3. Types of operational risk
  • People: internal fraud; external fraud; legal/liability losses
  • Processes: processing errors; noncompliance; inappropriate business practices
  • Systems: systems failures; security breaches; continuity of operations
  • External events: natural disasters; cyber and bio threats; geopolitical events

4. Detecting risk early*
  • Don't rely upon historic data to predict future events
  • Don't focus on narrow measures of risk, assuming (for instance) that daily measures always apply
  • Don't overlook knowable risks (not making the correlation)
  • Find hidden risks: sometimes deliberate, sometimes unconscious
  • Improve your communication: the higher you go, the less technical you must sound
  • Do manage in real time: rapid change on market risks with fluctuations in the market
*René M. Stulz, "Six Ways Companies Mismanage Risk", March 2009 Harvard Business Review article
2012 Copyright Annie Searle & Associates LLC

5. Recent Studies on Risk Strategy
  • New Protiviti study sponsored by COSO surveyed more than 200 directors. Nearly 2/3 of directors reported that board oversight or monitoring is ad hoc or not done at all.
  • New PWC study suggests rethinking risk strategy in light of nontraditional risks: social media, digital technology, competition from global markets, global talent demands.
  • ImpactFactor study: half of those surveyed spent $50,000 or less annually to audit and assess suppliers. 80% indicated they manage the primary vendor only. Few companies have a program in place to extend through multiple layers of suppliers and subcontractors.

6. Can you identify the risk before contracting with a vendor?
  • Most deficiencies need to be fixed.
  • What is the cost of outsourcing the risk versus the cost of mitigating the risk before you outsource?
  • Risk management must be proactive, especially when a company is in an arena where flags are up: mergers and acquisitions.
  • My former company is a good example of inheriting vendor risk through acquisitions. To keep good employees, applications and contractors were often kept as well. Rather than integrate platforms for home loans, up to 12 systems were running at a single point in time, off old contracts.

7. Vendors, IP and IT* -- Risks are not all with large vendors
Intellectual Property Theft:
  • Contract janitor steals customer account information from hard copy documents lying out on desks, and uses it to obtain credit cards in customers' names. Accounts drained of over $200,000.
  • Contractor stole and sold trade secret drawings marked for destruction. Loss estimated at $100 million.
IT Sabotage:
  • Security guard allowed unauthorized access to data center from an expired ID carried by a manager, who unplugged cameras and stole tapes with records of 80,000 employees.
  • Contract programmer tricked janitor into unlocking an office where he downloaded sensitive source code onto removable media to take to his new boss, a competitor.
*Carnegie Mellon CERT study on insider threats

8. Manage Risk First Via the Contract
  • People: Require background checks scaled in sophistication to the criticality of the business processes you are giving the vendor, but be mindful of contract janitors as well.
  • Process: Bind the vendor in the contract on all compliance-related issues. Identify in the contract the time frame in which you expect the vendor's attention. Trap for potential worst case scenarios and for additional layers of subcontractors. (more)

9. Manage Risk First Via the Contract (continued)
  • Systems: Require proof of additional layers of security and redundancy that the vendor has in place. Consider geopolitical location if data centers are involved. If using cloud, then how will you audit them? Insist upon site visits with audit to critical vendors.
  • External Events: Closely review business continuity plans using a hazards, incident and vulnerability assessment (HIVA). Find critical gaps in both your own and vendors' plans based on increased global complexity for transactions processing.

10. Close the gaps
  • Distinguish common disruptions from unusual ones.
  • Build partnerships: utilize the ISACs within critical infrastructure sectors to share information. Join InfraGard. Participate in PNWER exercises.
  • Stay current on pending regulation/legislation that may affect your program.
  • Ensure that your business lines can report issues/suspicious activity.
  • Track all disruptions. Look for patterns or repetition.
  • Speedy detection will result in a more rapid response.
  • Containment and recovery includes preparing customers, and monitoring and managing social media as well as traditional media.
  • Ask for funds to close the gaps once you have identified issues that can be solved only with money.

11. Re-examine the big picture
  • What could a disruptive event look like?
  • What are the potential business impacts?
  • What are the competitive impacts?
  • What are the upstream and downstream impacts on the value chain?
  • What is the level of readiness and resilience of: company, suppliers, distributors, customers?
  • Wider resilience can mean higher market ratings, with a rating premium up to 20%.

12. Writing a persuasive recommendation
  • Your technical staff may have prepared the most exhaustive analysis possible
      • Edit/revise it to eliminate acronyms and overly technical terms
      • Attach this analysis to your executive summary
  • Assume that your CEO will not read the whole document
      • Create a one page summary with all information required to make the decision/fund your project
      • Must be written in English, not acronyms
  • Consider related information the CEO may have
      • Newspaper reports, evening news stories
      • Social media chatter, stories on Huffington Post, etc.
      • Professional meetings, regulator briefings

13. Format of executive summary
  • Background information: high level description of the problem in your particular industry
  • Current situation: steps already taken by your company; gaps that remain
  • Risk exposure: likelihood and probability of impacts if nothing is done
  • At minimum: requirements to prevent financial loss
  • Optimum solution
  • Action requested: cost and timeline for minimum response; cost and timeline for optimum solution

14. CYBER RISK ASSESSMENT
Mary Gardner, Information Security Officer
Emergency Management Cyber Security Summit
April 30, 2013
[email protected]

15. Definitions
  • Risk: A probability or threat of damage caused by external or internal vulnerabilities. May be avoided through preemptive action.
  • Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.[1]
  • Threat: A natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property.[2]
[1] NIST 800-30
[2] DHS Risk Lexicon

16. Why?
  • Work smarter, not harder: identify and prioritize high risk vulnerabilities; prioritize work based on risk and effort
  • Reduce likelihood of breach: regulatory requirements for notification; $200.00 per record for notification
  • Inform incident response: identification of vulnerabilities can assist incident response teams

17. How?
  • Determine scope: What are our IT assets? Which are the most important? Where do they reside?
  • Classify the assets: Which will cause the most harm if compromised?
  • Identify threats and vulnerabilities
  • Assess risk of threats exploiting vulnerabilities
  • Identify steps to mitigate: management may choose to accept or transfer risk rather than mitigate

18. Identifying Threats
  • People: insiders; third parties
  • Software: malware; spyware
  • Natural disaster: flooding, earthquake, storms; disease; power outages

19. People
  • Insiders: public porn FTP site running on a corporate server; (USB hard drive) stolen from the vehicle of a DHHS employee
  • 3rd parties: hackers; advanced persistent threats; Stuxnet

20. People: How to Assess
  • Insiders: define risk appetite; background checks; 3rd party insider risk assessment
  • 3rd parties: research; understand your business model (intellectual property, business advantage, controversial products or practices)
  • Vendors: onsite risk assessment; 3rd party assessment

21. Vulnerabilities
  • Network: configuration; remote access; wireless
  • Software: input validation; authentication / authorization; configuration/deployment
  • Vendor: all of the above

22. Identifying Vulnerabilities
  • Vulnerability scanning
  • Penetration testing
  • Social engineering assessments
  • Threat awareness/monitoring

23. Vulnerability Scanning
  • Multiple tools and services: Qualys, Nessus, Rapid7
  • Most focus on network scans
  • Generate lots of data: false positives; low risk issues
  • Process is key: baseline knowledge; change management; customized reporting (risk if exploited; cost and effort to mitigate)

24. Penetration Testing
  • Requires expertise: can be expensive; generally outsourced
  • Makes an impact on management: easy to communicate value; better buy-in on remediation
  • View of security posture: identify design and application flaws; combine with social engineering

25. Managing a Penetration Test
  • Define scope
  • What is the Targ
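The risk assessment steps (scope, classify assets, assess risk, decide whether to mitigate, accept or transfer) and the vulnerability-scanning points (baseline knowledge, false positives, change management, reporting by risk against cost and effort to mitigate) describe a triage process without showing one. The following is an added example, not code from either presenter, that puts those points into a small script: scanner findings are checked against a baseline of verified false positives and formally accepted risks, low-risk items are deferred, and what remains is ranked by risk-if-exploited per unit of remediation effort. The hosts, check identifiers, scoring scales and ticket ids are all constructed for the illustration and do not correspond to any real scanner's output.

```python
"""Risk-based triage of vulnerability-scan findings (added example).

All data and scales here are constructed: host names, check identifiers
(not real Qualys/Nessus/Rapid7 plugin ids), the 1-3 rating scales and
the risk-acceptance ticket id are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check: str               # scanner check identifier (constructed)
    title: str
    severity: int            # scanner-reported severity, 1 (info) .. 5 (critical)
    asset_criticality: int   # from the asset classification step, 1 low .. 3 crown jewel
    exploit_likelihood: int  # 1 unlikely .. 3 trivially exploitable
    effort: int              # cost/effort to mitigate, 1 (hours) .. 3 (weeks)


@dataclass
class Baseline:
    """Baseline knowledge carried between scans."""
    false_positives: set   # (host, check) pairs an analyst verified as not real
    accepted: dict         # (host, check) -> ticket id of management's risk acceptance


def risk_score(f: Finding) -> int:
    # Risk if exploited: severity weighted by asset criticality and by how
    # likely exploitation is.  The product is an assumed, illustrative formula.
    return f.severity * f.asset_criticality * f.exploit_likelihood


def triage(findings, baseline: Baseline, min_score: int = 6):
    """Split findings into a ranked report and a list of suppressed items.

    Each suppressed item carries the reason, so the customized report can
    still show management what was filtered out and why.
    """
    report, suppressed = [], []
    for f in findings:
        key = (f.host, f.check)
        if key in baseline.false_positives:
            suppressed.append((f, "false positive per baseline"))
        elif key in baseline.accepted:
            suppressed.append((f, f"risk accepted ({baseline.accepted[key]})"))
        elif risk_score(f) < min_score:
            suppressed.append((f, "low risk - deferred"))
        else:
            report.append(f)
    # Highest risk per unit of effort first; ties broken by raw risk, then host.
    report.sort(key=lambda f: (-risk_score(f) / f.effort, -risk_score(f), f.host))
    return report, suppressed


def new_since_last_scan(findings, previous_keys):
    """Change-management view: findings absent from the previous scan.

    A new finding on a host with no approved change is itself a signal
    worth routing to incident response.
    """
    return [f for f in findings if (f.host, f.check) not in previous_keys]


# Constructed sample scan output.
FINDINGS = [
    Finding("db01.example.internal", "CHK-TLS-LEGACY", "TLS 1.0 enabled", 2, 3, 1, 2),
    Finding("db01.example.internal", "CHK-DB-DEFAULT-CREDS", "Default admin credentials", 5, 3, 3, 1),
    Finding("kiosk07.example.internal", "CHK-SMB-UNPATCHED", "Missing SMB patch", 4, 1, 3, 1),
    Finding("web01.example.internal", "CHK-TLS-LEGACY", "TLS 1.0 enabled", 2, 2, 1, 2),
    Finding("web01.example.internal", "CHK-HTTP-TRACE", "HTTP TRACE method enabled", 1, 2, 1, 1),
    Finding("print02.example.internal", "CHK-SNMP-PUBLIC", "SNMP community 'public'", 3, 1, 2, 1),
]

BASELINE = Baseline(
    # Verified: TLS is terminated at the load balancer; the scanner sees a legacy banner only.
    false_positives={("web01.example.internal", "CHK-TLS-LEGACY")},
    # Management accepted the printer risk on a constructed ticket id.
    accepted={("print02.example.internal", "CHK-SNMP-PUBLIC"): "RISK-ACCEPT-0007"},
)

# (host, check) pairs seen in the previous scan; the db01 default-credentials
# finding is new this cycle.
PREVIOUS_SCAN = {(f.host, f.check) for f in FINDINGS} - {("db01.example.internal", "CHK-DB-DEFAULT-CREDS")}


def report_lines(findings, baseline):
    """Customized report: one line per finding with risk, effort and disposition."""
    report, suppressed = triage(findings, baseline)
    lines = [f"{'RISK':>4} {'EFFORT':>6}  HOST / FINDING"]
    for f in report:
        lines.append(f"{risk_score(f):>4} {f.effort:>6}  {f.host}: {f.title}  [mitigate]")
    for f, why in suppressed:
        lines.append(f"{risk_score(f):>4} {f.effort:>6}  {f.host}: {f.title}  [{why}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(FINDINGS, BASELINE)))
    print("\nNew since last scan:", [f.title for f in new_since_last_scan(FINDINGS, PREVIOUS_SCAN)])
```

Running the script ranks the default-credential finding on the critical database first, the unpatched kiosk second and the database's legacy TLS third, while the load-balancer false positive, the accepted printer risk and the low-risk TRACE finding are listed with their reasons rather than silently dropped; the change-management view flags the database finding as new since the previous scan. Which thresholds and scales are right for a given agency is a policy decision; the value of the structure is that a scanner's raw output is turned into a short list management can fund, accept or transfer.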
