Larry Clinton
     President & CEO
Internet Security Alliance
 lclinton@isalliance.org
       703-907-7028
       202-236-0001
   www.isalliance.org
During the Last Minute…
• 45 new viruses

• 200 new malicious web sites

• 180 personal identities stolen

• 5,000 new versions of malware created

• 2 million dollars lost
Advanced Persistent
     Threat—What is it?
• Well funded
• Well organized---state supported
• Highly sophisticated---NOT “hackers”
• Thousands of custom versions of malware
• Escalate sophistication to respond to
  defenses
• Maintain their presence and “call-home”
• They target vulnerable people more than
  vulnerable systems
ISA Goals
• Promote thought leadership in the field of
  cyber security
• Advocate to government for pro security
  policies consistent with the ISA mission
• Promote the development and adoption of
  sound security programs practices and
  technologies in the public and private sectors
• Enhance the foundation of the organization
ISAlliance
         Mission Statement


ISA seeks to integrate advanced technology
with business economics and public policy to
create a sustainable system of cyber security.
ISA Board of Directors
•   Tim McKnight VP CISO Northrop Grumman (Board Chair)
•   Jeff Brown VP CISO Raytheon (Board First V Chair)
•   Garry McAlum, VP CSO USAA (Board Second V Chair)
•   Dr. Pradeep Khosla, Dean CMU School of Engineering and Computer
    Science
•   Valerie Abend, Bank of New York/Mellon financial
•   Barry Hensley, Dell/SecureWorks
•   Lt General (Ret.) Charlie Croom, VP Cyber Security, Lockheed Martin
•   Marc Sachs, VP Government Affairs and Homeland Security, Verizon
•   Julie Taylor, VP Government Systems, SAIC
•   Joe Bounomo, CEO, Direct Computer Resources
•   Tom Kelly, Boeing
•   JR Reagan, CEO, AVG
•   Brian Raymond, Director Security and Technology NAM
The Internet
      Changes Everything
• The way our brains function

• Concepts of Privacy
• Principles of National Defense
• Economics

• Security
Are you thinking About
     Security All Wrong?
• Hackers?
• “I’m safe or They Don’t Care about me”
• Breaches?
• Firewalls and passwords?
• Networks ?
• Perimeter Defense---keep the bad guys out
YOU ARE THINKING ABOUT THIS ALL
  WRONG
APT
• “The most revealing difference is that when
  you combat the APT, your prevention efforts
  will eventually fail. APT successfully
  compromises any target it desires.”----M-trend
  Reports
The APT----Average
      Persistent Threat
“The most sophisticated, adaptive and
  persistent class of cyber attacks is no longer
  a rare event…APT is no longer just a threat
  to the public sector and the defense
  establishment …this year significant
  percentages of respondents across industries
  agreed that APT drives their organizations
  security spending.” PricewaterhouseCoopers
  Global Information Security Survey
  September 2011
% Who Say APT Drives
       Their Spending
•   43% Consumer Products
•   45% Financial services
•   49% entertainment and media
•   64% industrial and manufacturing sector
•   49% of utilities

PWC 2011 Global Information Security Survey
Are we thinking of APT
      all wrong?
• “Companies are countering the APT
  principally through virus protection (51%) and
  either intrusion detection/prevention solutions
  (27%)” –PWC 2011
• “Conventional information security defenses
  don’t work vs. APT. The attackers
  successfully evade all anti-virus network
  intrusion and other best practices, remaining
  inside the targets network while the target
  believes they have been eradicated.”---M-Trend
  Reports 2011
We Are Not Winning
“Only 16% of respondents say their
  organizations security policies address APT.
  In addition more than half of all respondents
  report that their organization does not have
  the core capabilities directly or indirectly
  relevant to countering this strategic threat.”
Why is this the case?
• The vast majority of Sr management---and
  the majority of all employees---are digital
  immigrants
• Cyber Security is not, just, an “IT” problem
• There are short term economic incentives to
  be insecure (e.g. VOIP, long supply chains,
  Cloud computing)
• “Insiders” (including lawyers and PR/sales
  Execs) are the single biggest cyber security
  vulnerability
Technology or Economics?
“Security failure is caused at least as often
by bad incentives as by bad technological
design… everywhere we look we see online
risk allocated poorly…people who connect
their machines to risky places do not bear
full consequences of their actions. And
developers are not compensated for costly
efforts to strengthen their code” Anderson &
Moore “Economics of Information Security”
   Anderson and Moore “The Economics of Information
Cost Issues: CSIS 2010

Overall, cost was most frequently cited as “the biggest obstacle to ensuring the
security of critical networks.” p14

Making the business case for cybersecurity remains a major challenge, because
management often does not understand either the scale of the threat or the
requirements for a solution. p14

The number one barrier is the security folks who haven’t been able to communicate
the urgency well enough and they haven’t actually been able to persuade the
decision makers of the reality of the threat. p14

Making the business case for security could be a challenge – no one wants to pay
their insurance bill until the building burns down.
Cost Issues PWC 2011
• “Executives worldwide have been reluctant to
  release funding to support Info security.”
• “As spending constraint continues “block and
  tackle” security capabilities that took decades
  to build up are degrading creating new levels
  of risk”
• “Increased risk elevates the importance of
  security & ongoing cost reduction makes
  adequate security difficult to achieve.”
• “47% reported decreasing info security
  spending in 2010, same as in 2009”
Now… the Harsh Reality
• Only 13% of the Executives polled by PWC
  actually had done what is considered to be
  “adequate” security.
• Most executives didn’t have an overall
  security strategy, had not reviewed the
  effectiveness of their strategy, or did not know
  what types of breaches had hit them in the past 12
  months.
• Only 1 in 3 said their companies had a policy
  for dealing with employee use of social media
There Are Things We
      Can Do
• Need to take a more strategic approach
• Focus on internal analysis and incident
  response i.e. more Intel gathering & analysis
• Shut down the low hanging vulnerabilities
• Get serious @ effective user training
• Re-architect IT as needed
• Participate in information exchange
  organizations
Roach Motel: Bugs Get In Not Out

• No way to stop determined intruders
• Stop them from getting back out (w/data) by
  disrupting attackers’ command and control
  back out of our networks
• Identify web sites and IP addresses used to
  communicate w/malicious code
• Cut down on the “dwell time” in the network
• Don’t stop attacks—make them less useful
Cyber Insurance:
                  A Brief History
•   Traditional Insurance Policies to Cover Business Loss –
     –   (1) Business Personal Insurance Policies (first-party loss)
     –   (2) Business Interruption Policies
     –   (3) Commercial General Liability (CGL) or Umbrella Liability Policies (for damage to third parties)
     –   (4) Errors and Omissions Insurance (for Corp. Officers)

•   1970s – Development of specialized policies that typically extended crime insurance to cover
    against outsider gaining physical access to computer systems

•   1998 – Advent of Hacker Insurance Policies

•   2000 – Early Forms of Cyber Insurance (1st and 3rd Party) Appear
     –   1st Party – Generally, covers destruction or loss of information assets, internet business
         interruption, cyber extortion, DDoS loss, PR reimbursement, fraudulent EFTs
     –   3rd Party – Generally, covers claims arising from Internet content, security, tech errors and
         omissions as well as defense costs

•   Post 9/11 – Increased risk (e.g., Code Red, Nimda, Klez [2001], Slammer [2003]), awareness, and
    regulation (e.g., HIPAA, GLB, SOX, HITECH, CA SB 1386), lead to more
State of the Market
                                                           Cyber Risk Insurance Providers
• Number of Carriers – Betterley Report survey
  finds an increase of Cyber Insurers from 19 in
  2010 to 29 in 2011
     – An increase of over 52%

• Annual U.S. Gross Written Premiums (GWP) –
  Betterley Report estimates an increase from
  $600M to $800M over the past survey year
     – An increase of 33%
     – Market Drivers – 3rd Party Privacy Breach
       Policies

Betterley, Richard. “Cyber/Privacy/Media Liability Market Survey – 2011.”
The Betterley Report (2011): Web.
http://betterley.com/samples/CyberRisk11_nt.pdf

Armin, Jart. “Hackers Take Notice: Cyber-Insurance is on the Rise.”
internet evolution. 27 June 2011: Web.
http://www.internetevolution.com/author.asp?section_id=717&doc_id=230782
Zurich v. Sony




• Basic Facts – April and May intrusions into the Sony PlayStation
  Network (PSN) and other systems led to Sony temporarily
  shutting down PSN and possible exposure of personal data of
  100M+ users. In May, Sony looked to its CGL policy providers for
  help paying for the data breach

• Lawsuit – In July, Zurich – Sony’s CGL insurance provider – filed
  the above suit against Sony seeking, among other
  things, indemnification from Sony against its class action
  suits, arguing that the CGL does not cover cyber attacks.
Cyber Insurance
                  and Public Policy
 2002 – The National Strategy to Secure Cyber Space – Market-based approach, but no
  need for incentives; policy makers think insurance not ready for prime time

 2004 – Congress Creates the ―Corporate Information Security Working Group‖ w/Subgroup
   on incentives; cyber insurance is advocated

 2006 – Internet Security Alliance (ISA) issues White Paper, ―Using Cyber-Insurance to
   Improve Cyber-Security: Legislative Solutions for the Insurance Market‖; testifies before
   Commerce and HLS

 2007 – ANSI & ISA publish The Financial Impact of Cyber Risk: 50 Questions Every CFO
   Should Ask, with a chapter devoted to insurance & financial risk management

                               2009 – Citing ISA publications, the Obama Administration’s
                                 Cyberspace Policy Review advocates use of market
                                 incentives, including cyber insurance
                               2009 – DHS Cross Sector Cyber Security Working Group (all
                                 critical sectors) advocates use of cyber insurance
Cyber Insurance
                    and Public Policy
• 2010 – ISA and ANSI publish follow-up, “The Financial Management of Cyber Risk: An
  Implementation Framework for CFOs,” which also includes a chapter and discussion of
  cyber insurance

• 2010 – White House holds spring conference call with insurance industry, academics, and
  govt. on the use of cyber insurance

• 2010 – Dept. of Commerce issues Notice of Inquiry on economics of cyber
  security, including requests for information on cyber insurance

• 2011 – U.S. Chamber of Commerce, TechAmerica, Business Software Alliance, Center for
  Democracy and Technology, and ISA co-author and publish White Paper, Improving our
  Nation’s Cybersecurity through the Public‐Private Partnership, advocating a market-based
  approach to cybersecurity including the promotion of cyber insurance.

• 2011 – Dept. of Commerce publishes its follow-up Green Paper, and asks how insurance can
  lead to enhanced cyber security

• 2012 – October 22 DHS Conference on how to stimulate the market for first party cyber
  insurance
50 Questions Every CFO
                    Should Ask (2008)
It is not enough for the information technology
workforce to understand the importance of cyber
security; leaders at all levels of government and
industry need to be able to make business and
investment decisions based on knowledge of risks
and potential impacts. – President’s Cyber Space
Policy Review May 30, 2009 page 15

ISA-ANSI Project on Financial Risk Management
of Cyber Events: “50 Questions Every CFO
should Ask” ----including what they ought to be
asking their General Counsel and outside
counsel. Also, HR, Bus Ops, Public and Investor
Communications & Compliance
Financial Management of
Cyber Risk (2010)
ANSI-ISA Program
• Outlines an enterprise wide process to attack
  cyber security broadly and economically
• CFO strategies
• HR strategies
• Legal/compliance strategies
• Operations/technology strategies
• Communications strategies
• Risk Management/insurance strategies
What CFO needs to do
• Own the problem
• Appoint an enterprise wide cyber risk team
• Meet regularly
• Develop an enterprise wide cyber risk
  management plan
• Develop an enterprise wide cyber risk budget
• Implement the plan, analyze it regularly, test
  and reform based on feedback
Human Resources
•   Recruitment
•   Awareness
•   Remote Access
•   Compensate for cyber security
•   Discipline for bad behavior
•   Manage social networking
•   Beware of vulnerability especially from IT and
    former employees
Legal/Compliance Cyber
      Issues
• What rules/regulations apply to us and
  partners?
• Exposure to theft of our trade secrets?
• Exposure to shareholder and class action
  suits?
• Are we prepared for govt. investigations?
• Are we prepared for suits by customers and
  suppliers?
• Are our contracts up to date and protecting
  us?
Operations/IT
• What are our biggest vulnerabilities? Re-
  evaluate?
• What is the maturity of our information
  classification systems?
• Are we complying with best
  practices/standards
• How good is our physical security?
• Do we have an incident response plan?
• How long till we are back up?---do we want
  that?
Communications
• Do we have a plan for multiple audiences?
--general public
--shareholders
--Govt./regulators
--affected clients
--employees
---press
Financial Management of
Cyber Risk – PHI Project
Cyber Risk Management Reference Framework

Phases:
• Before (Govern) – Before an incident and as governance programs
• During (Respond) – During an incident possibly escalating to a breach
• After (Contain) – After a breach involving successful exfiltration.

Board of Directors – What responsibility does the BOD engage in, such as …
  Before (Govern):
  • Set an adequate standard of due care
  During (Respond):
  • Receive breach notifications and governance updates
  After (Contain):
  • Re-evaluate current cyber governance oversight and standard of due care

Audit Committee – What responsibility does the AC engage in, such as …
  Before (Govern):
  • Evaluate periodically cyber risk governance effectiveness
  • Review annual cyber risk management assessment
  • Issue cyber risk & incident disclosure, as per SEC guidance
  During (Respond):
  • Receive risk realization updates
  • Receive cyber incident consequence updates
  After (Contain):
  • Re-evaluate standard of due care
  • Re-evaluate risk tolerance
  • Re-evaluate cyber risk & incident disclosure

Business (Office of CEO, BU GM) – What responsibility do business stakeholders engage in, such as …
  Before (Govern):
  • Participate in business impact analysis
  • Set cyber risk tolerance
  • Participate in defining risk management options
  • Make cyber risk management decision
  During (Respond):
  • Monitor damage to business including revenues, margins, and brand damage
  After (Contain):
  • Re-evaluate cyber risk tolerance

Financial Stakeholders (e.g., CFO) – What responsibility do financial stakeholders engage in, such as …
  Before (Govern):
  • Participate in financial cost/benefit analysis of different risk management options
  During (Respond):
  • Receive updates as to the cost impact of incident or breach
  After (Contain):
  • Re-evaluate resource alloc for cyber risk management
  • Re-evaluate risk management options for top cyber agen threats

Risk Management – What responsibility do risk stakeholders
  Before (Govern):
  • Define and oversee cyber risk management program
  • Participate in cyber threat agent analysis
  • Participate in business impact analysis
  During (Respond):
  • Monitor breach and cyber risk trends
  • Measure risk
  After (Contain):
  • Evaluate effectiveness of c breach response and cybe
ISA Extended Cyber Risk Management Project
            DIB, IT and Financial Services (spring fall
                              2012)
• Enterprise-wide Team - All utilize cross-functional, cross-organizational team to
assess and manage risk
• Attention at Highest Levels - This team may have just one layer between it and
the Board/CEO, but items they determine to be top items are reported at this level
• CISO Owns Risk Decisions and Decision-making - Within 1 DIB member, all
projects and programs have to be cleared by the CISO, who also determines risk
tolerance levels in accordance with Senior Leadership guidance
• Risk Management Approach Utilized - All utilize a risk management approach in
which risks are assessed, mapped, and impact and probability are explored; plans are
developed, and the highest level of executives and Board are notified.
• Security Awareness Through Internal Testing - Unannounced tests company wide
which are then tied to incentive system. For one company, such phishing
initiatives reduced click through rates from 5 to 2.5%.
Growth toward Enterprise
     wide cyber management
• In 2008 only 15% of companies had
  enterprise wide risk management teams for
  privacy/cyber
• In 2011 87% of companies had cross
  organizational cyber/privacy teams
• Major firms (E & Y) are now including ISA
  Financial Risk Management in their
  Enterprise Programs
• Even govt. (e.g. DOE) has now adopted
  these principles for their sector risk
  management
House GOP Task Force
            & ISA Policy Positions
ISA Social Contract
• “Menu” of Market Incentives Tied to Voluntary Adoption of Cyber Security Measures
• Regulation CANNOT Keep Up – By the Time It Is Created, It Is Outdated
• Streamline Regulation in return for increased voluntary security measures
• Limited Liability for Good Actors
• Utilize Tax Incentives and Tie Grant Funding to Cyber Security

House GOP Cybersecurity Task Force Recommendations
• “Menu” of Market Incentives Tied to Voluntary Adoption of Cyber Security Measures, p.7
• Regulation CANNOT Keep Up – By the Time It Is Created, It Is Outdated, p.7
• Allow Access to Streamlined Regulation as an Incentive and to Reduce Government Costs, p.8
• Limited Liability for Good Actors, p.9
• Utilize Tax Incentives and Tie Grant Funding to Cyber Security,
Senate (Admin) bill
             moves toward ISA
ISA Policy Positions
• The Public-Private Partnership: Codification of the NIPP Framework,
• A Voluntary, Incentives-Based Approach,
• Liability Incentives – Among other liab. inctvs, Punitive Damages protections
• Govt Procurement as an incentive toward greater security,
• Cost-Benefit Analysis of Suggested Cybersecurity Measures,

HSGAC Bill – S.3414
• The Public-Private Partnership: Codification of the NIPP Framework,
• A Voluntary, Incentives-Based Approach,
• Liability Incentives – Punitive Damages protections,
• Procurement Incentives – Collab. examine Govt Procurement as an incentive toward greater security,
• Cost-Benefit Analysis of Suggested Cybersecurity Measures,

Más contenido relacionado

La actualidad más candente

Gebm os presentation final
Gebm os presentation finalGebm os presentation final
Gebm os presentation finalsunnyjoshi88
 
Staying Safe and Secure Online
Staying Safe and Secure OnlineStaying Safe and Secure Online
Staying Safe and Secure Onlineevolutionaryit
 
No National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseNo National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseWilliam McBorrough
 
Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?CBIZ, Inc.
 
The Evolving Landscape on Information Security
The Evolving Landscape on Information SecurityThe Evolving Landscape on Information Security
The Evolving Landscape on Information SecuritySimoun Ung
 
Airport security 2013 john mc carthy
Airport security 2013   john mc carthyAirport security 2013   john mc carthy
Airport security 2013 john mc carthyRussell Publishing
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the newsunnyjoshi88
 
Dell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookDell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookMargarete McGrath
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonEljay Robertson
 
20101012 isa larry_clinton
20101012 isa larry_clinton20101012 isa larry_clinton
20101012 isa larry_clintonCIONET
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk
 
20101012 CIOnet Cyber Security Final Results
20101012 CIOnet Cyber Security Final Results20101012 CIOnet Cyber Security Final Results
20101012 CIOnet Cyber Security Final ResultsCIONET
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsResilient Systems
 
Cyber Security - Things you need to know
Cyber Security - Things you need to knowCyber Security - Things you need to know
Cyber Security - Things you need to knowNathan Desfontaines
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challengemsdee3362
 
The challenges of Retail Security
The challenges of Retail SecurityThe challenges of Retail Security
The challenges of Retail SecurityIBM Software India
 

La actualidad más candente (20)

Gebm os presentation final
Gebm os presentation finalGebm os presentation final
Gebm os presentation final
 
Staying Safe and Secure Online
Staying Safe and Secure OnlineStaying Safe and Secure Online
Staying Safe and Secure Online
 
No National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseNo National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law Please
 
Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?
 
The Evolving Landscape on Information Security
The Evolving Landscape on Information SecurityThe Evolving Landscape on Information Security
The Evolving Landscape on Information Security
 
Airport security 2013 john mc carthy
Airport security 2013   john mc carthyAirport security 2013   john mc carthy
Airport security 2013 john mc carthy
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the new
 
Cyber Influence Operations
Cyber Influence OperationsCyber Influence Operations
Cyber Influence Operations
 
Dell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookDell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbook
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay Robertson
 
20101012 isa larry_clinton
20101012 isa larry_clinton20101012 isa larry_clinton
20101012 isa larry_clinton
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber Webinar
 
20101012 CIOnet Cyber Security Final Results
20101012 CIOnet Cyber Security Final Results20101012 CIOnet Cyber Security Final Results
20101012 CIOnet Cyber Security Final Results
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 Predictions
 
Cyber Security - Things you need to know
Cyber Security - Things you need to knowCyber Security - Things you need to know
Cyber Security - Things you need to know
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
 
Information Security for Small Business
Information Security for Small BusinessInformation Security for Small Business
Information Security for Small Business
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
The challenges of Retail Security
The challenges of Retail SecurityThe challenges of Retail Security
The challenges of Retail Security
 
220715_Cybersecurity: What's at stake?
220715_Cybersecurity: What's at stake?220715_Cybersecurity: What's at stake?
220715_Cybersecurity: What's at stake?
 

Destacado

BADATOZ INAUTERIAK!!
BADATOZ INAUTERIAK!!BADATOZ INAUTERIAK!!
BADATOZ INAUTERIAK!!LLODIO
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarDon Grauel
 
Dan Hausmann 2010 Fowler Seminar
Dan Hausmann 2010 Fowler SeminarDan Hausmann 2010 Fowler Seminar
Dan Hausmann 2010 Fowler SeminarDon Grauel
 
Code of-conduct-insider-trading
Code of-conduct-insider-tradingCode of-conduct-insider-trading
Code of-conduct-insider-tradingSurabhi Singh
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Don Grauel
 
Ensuring Your Weight Loss Survives The Hype
Ensuring Your Weight Loss Survives The HypeEnsuring Your Weight Loss Survives The Hype
Ensuring Your Weight Loss Survives The HypeRudolph Kirkland
 

Destacado (8)

BADATOZ INAUTERIAK!!
BADATOZ INAUTERIAK!!BADATOZ INAUTERIAK!!
BADATOZ INAUTERIAK!!
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler Seminar
 
Eiropas Jauniešu parlaments
Eiropas Jauniešu parlamentsEiropas Jauniešu parlaments
Eiropas Jauniešu parlaments
 
Harassment2
Harassment2Harassment2
Harassment2
 
Dan Hausmann 2010 Fowler Seminar
Dan Hausmann 2010 Fowler SeminarDan Hausmann 2010 Fowler Seminar
Dan Hausmann 2010 Fowler Seminar
 
Code of-conduct-insider-trading
Code of-conduct-insider-tradingCode of-conduct-insider-trading
Code of-conduct-insider-trading
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
 
Ensuring Your Weight Loss Survives The Hype
Ensuring Your Weight Loss Survives The HypeEnsuring Your Weight Loss Survives The Hype
Ensuring Your Weight Loss Survives The Hype
 




ISAlliance President Discusses Advanced Persistent Threats and Cybersecurity Challenges

  • 1. Larry Clinton President & CEO Internet Security Alliance lclinton@isalliance.org 703-907-7028 202-236-0001 www.isalliance.org
  • 2. During the Last Minute… • 45 new viruses • 200 new malicious web sites • 180 personal identities stolen • 5,000 new versions of malware created • 2 million dollars lost
  • 3. Advanced Persistent Threat—What is it? • Well funded • Well organized---state supported • Highly sophisticated---NOT “hackers” • Thousands of custom versions of malware • Escalate sophistication to respond to defenses • Maintain their presence and “call-home” • They target vulnerable people more than vulnerable systems
  • 4. ISA Goals • Promote thought leadership in the field of cyber security • Advocate to government for pro security policies consistent with the ISA mission • Promote the development and adoption of sound security programs practices and technologies in the public and private sectors • Enhance the foundation of the organization
  • 5. ISAlliance Mission Statement ISA seeks to integrate advanced technology with business economics and public policy to create a sustainable system of cyber security.
  • 6. ISA Board of Directors • Tim McKnight VP CISO Northrop Grumman (Board Chair) • Jeff Brown VP CISO Raytheon (Board First V Chair) • Garry McAlum, VP CSO USAA (Board Second V Chair) • Dr. Pradeep Khosla, Dean CMU School of Engineering and Computer Science • Valerie Abend, Bank of New York/Mellon financial • Barry Hensley, Dell/SecureWorks • Lt General (Ret.) Charlie Croom, VP Cyber Security, Lockheed Martin • Marc Sachs, VP Government Affairs and Homeland Security, Verizon • Julie Taylor, VP Government Systems, SAIC • Joe Bounomo, CEO, Direct Computer Resources • Tom Kelly, Boeing • JR Reagan, CEO, AVG • Brian Raymond, Director Security and Technology NAM
  • 7.
  • 8. The Internet Changes Everything • The way our brains function • Concepts of Privacy • Principles of National Defense • Economics • Security
  • 9. Are you thinking About Security All Wrong? • Hackers? • “I’m safe or They Don’t Care about me” • Breaches? • Firewalls and passwords? • Networks? • Perimeter Defense---keep the bad guys out YOU ARE THINKING ABOUT THIS ALL WRONG
  • 10. APT • “The most revealing difference is that when you combat the APT, your prevention efforts will eventually fail. APT successfully compromises any target it desires.” ---M-trend Reports
  • 11. The APT----Average Persistent Threat “The most sophisticated, adaptive and persistent class of cyber attacks is no longer a rare event…APT is no longer just a threat to the public sector and the defense establishment …this year significant percentages of respondents across industries agreed that APT drives their organizations security spending.” PricewaterhouseCoopers Global Information Security Survey September 2011
  • 12. % Who Say APT Drives Their Spending • 43% Consumer Products • 45% Financial services • 49% entertainment and media • 64% industrial and manufacturing sector • 49% of utilities PWC 2011 Global Information Security Survey
  • 13. Are we thinking of APT all wrong? • “Companies are countering the APT principally through virus protection (51%) and either intrusion detection/prevention solutions (27%)” –PWC 2011 • “Conventional information security defenses don’t work vs. APT. The attackers successfully evade all anti-virus network intrusion and other best practices, remaining inside the target’s network while the target believes they have been eradicated.” ---M-Trend Reports 2011
  • 14. We Are Not Winning “Only 16% of respondents say their organization’s security policies address APT. In addition more than half of all respondents report that their organization does not have the core capabilities directly or indirectly relevant to countering this strategic threat.”
  • 15. Why is this the case? • The vast majority of Sr management---and the majority of all employees---are digital immigrants • Cyber Security is not, just, an “IT” problem • There are short term economic incentives to be insecure (e.g. VOIP, long supply chains, Cloud computing) • “Insiders” (including lawyers and PR/sales Execs) are the single biggest cyber security vulnerability
  • 16. Technology or Economics? “Security failure is caused at least as often by bad incentives as by bad technological design… everywhere we look we see online risk allocated poorly…people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code” Anderson & Moore “Economics of Information Security” Anderson and Moore “The Economics of Information
  • 17. Cost Issues: CSIS 2010 Overall, cost was most frequently cited as “the biggest obstacle to ensuring the security of critical networks.” p14 Making the business case for cybersecurity remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution. p14 The number one barrier is the security folks who haven’t been able to communicate the urgency well enough and they haven’t actually been able to persuade the decision makers of the reality of the threat. p14 Making the business case for security could be a challenge – no one wants to pay their insurance bill until the building burns down.
  • 18. Cost Issues PWC 2011 • “Executives worldwide have been reluctant to release funding to support Info security.” • “As spending constraint continues ‘block and tackle’ security capabilities that took decades to build up are degrading creating new levels of risk” • “Increased risk elevates the importance of security & ongoing cost reduction makes adequate security difficult to achieve.” • “47% reported decreasing info security spending in 2010, same as in 2009”
  • 19. Now… the Harsh Reality • Only 13% of the Executives polled by PWC actually had done what is considered to be “adequate” security. • Most executives didn’t have an overall security strategy, had not reviewed the effectiveness of their strategy or knew what types of breaches had hit them in the past 12 months. • Only 1 in 3 said their companies had a policy for dealing with employee use of social media
  • 20. There Are Things We Can Do • Need to take a more strategic approach • Focus on internal analysis and incident response i.e. more Intel gathering & analysis • Shut down the low hanging vulnerabilities • Get serious @ effective user training • Re-architect IT as needed • Participate in information exchange organizations
  • 21. Roach Motel: Bugs Get In Not Out • No way to stop determined intruders • Stop them from getting back out (w/data) by disrupting attackers’ command and control back out of our networks • Identify web sites and IP addresses used to communicate w/malicious code • Cut down on the “dwell time” in the network • Don’t stop attacks—make them less useful
  • 22. Cyber Insurance: A Brief History • Traditional Insurance Policies to Cover Business Loss – – (1) Business Personal Insurance Policies (first-party loss) – (2) Business Interruption Policies – (3) Commercial General Liability (CGL) or Umbrella Liability Policies (for damage to third parties) – (4) Errors and Omissions Insurance (for Corp. Officers) • 1970s – Development of specialized policies that typically extended crime insurance to cover against outsider gaining physical access to computer systems • 1998 – Advent of Hacker Insurance Policies • 2000 – Early Forms of Cyber Insurance (1st and 3rd Party) Appear • 1st Party – Generally, covers destruction or loss of information assets, internet business interruption, cyber extortion, DDoS loss, PR reimbursement, fraudulent EFTs • 3rd Party – Generally, covers claims arising from Internet content, security, tech errors and omissions as well as defense costs • Post 9/11 – Increased risk (e.g., Code Red, Nimda, Klez [2001], Slammer [2003]), awareness, and regulation (e.g., HIPAA, GLB, SOX, HITECH, CA SB 1386), lead to more
  • 23. State of the Market Cyber Risk Insurance Providers • Number of Carriers – Betterly Report survey finds an increase of Cyber Insurers from 19 in 2010 to 29 in 2011 • An increase of over 52% • Annual U.S. Gross Written Premiums (GWP) – Betterly Report estimates an increase from $600M to $800M over the past survey year • An increase of 33% • Market Drivers – 3rd Party Privacy Breach Policies Betterly, Richard. “Cyber/Privacy/Media Liability Market Survey – 2011.” The Betterly Report (2011): Web. http://betterley.com/samples/CyberRisk11_nt.pdf Armin, Jart. “Hackers Take Notice: Cyber-Insurance is on the Rise.” internet evolution. 27 June 2011: Web. http://www.internetevolution.com/author.asp?section_id=717&doc_id=230782
  • 24. Zurich v. Sony • Basic Facts – April and May intrusions into the Sony PlayStation Network (PSN) and other systems led to Sony temporarily shutting down PSN and possible exposure of personal data of 100M+ users. In May, Sony looked to its CGL policy providers for help paying for the data breach • Lawsuit – In July, Zurich – Sony’s CGL insurance provider – filed the above suit against Sony seeking, among other things, indemnification from Sony against its class action suits, arguing that the CGL does not cover cyber attacks.
  • 25. Cyber Insurance and Public Policy • 2002 – The National Strategy to Secure Cyber Space – Market-based approach, but no need for incentives; policy makers think insurance not ready for prime time • 2004 – Congress Creates the “Corporate Information Security Working Group” w/Subgroup on incentives; cyber insurance is advocated • 2006 – Internet Security Alliance (ISA) issues White Paper, “Using Cyber-Insurance to Improve Cyber-Security: Legislative Solutions for the Insurance Market”; testifies before Commerce and HLS • 2007 – ANSI & ISA publish The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask, with a chapter devoted to insurance & financial risk management • 2009 – Citing ISA publications, the Obama Administration’s Cyberspace Policy Review advocates use of market incentives, including cyber insurance • 2009 – DHS Cross Sector Cyber Security Working Group (all critical sectors) advocates use of cyber insurance
  • 26. Cyber Insurance and Public Policy • 2010 – ISA and ANSI publish follow-up, “The Financial Management of Cyber Risk: An Implementation Framework for CFOs,” which also includes a chapter and discussion of cyber insurance • 2010 – White House holds spring conference call with insurance industry, academics, and govt. on the use of cyber insurance • 2010 – Dept. of Commerce issues Notice of Inquiry on economics of cyber security, including requests for information on cyber insurance • 2011 – U.S. Chamber of Commerce, TechAmerica, Business Software Alliance, Center for Democracy and Technology, and ISA co-author and publish White Paper, Improving our Nation’s Cybersecurity through the Public-Private Partnership, advocating a market-based approach to cybersecurity including the promotion of cyber insurance. • 2011 – Dept. of Commerce publishes its follow-up Green Paper, and asks how insurance can lead to enhanced cyber security • 2012 – October 22 DHS Conference on how to stimulate the market for first party cyber insurance
  • 27. 50 Questions Every CFO Should Ask (2008) It is not enough for the information technology workforce to understand the importance of cyber security; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts. – President’s Cyber Space Policy Review May 30, 2009 page 15 ISA-ANSI Project on Financial Risk Management of Cyber Events: “50 Questions Every CFO should Ask” ----including what they ought to be asking their General Counsel and outside counsel. Also, HR, Bus Ops, Public and Investor Communications & Compliance
  • 29. ANSI-ISA Program • Outlines an enterprise wide process to attack cyber security broadly and economically • CFO strategies • HR strategies • Legal/compliance strategies • Operations/technology strategies • Communications strategies • Risk Management/insurance strategies
  • 30. What CFO needs to do • Own the problem • Appoint an enterprise wide cyber risk team • Meet regularly • Develop an enterprise wide cyber risk management plan • Develop an enterprise wide cyber risk budget • Implement the plan, analyze it regularly, test and reform based on feedback
  • 31. Human Resources • Recruitment • Awareness • Remote Access • Compensate for cyber security • Discipline for bad behavior • Manage social networking • Beware of vulnerability especially from IT and former employees
  • 32. Legal/Compliance Cyber Issues • What rules/regulations apply to us and partners? • Exposure to theft of our trade secrets? • Exposure to shareholder and class action suits? • Are we prepared for govt. investigations? • Are we prepared for suits by customers and suppliers? • Are our contracts up to date and protecting us?
  • 33. Operations/IT • What are our biggest vulnerabilities? Re-evaluate? • What is the maturity of our information classification systems? • Are we complying with best practices/standards? • How good is our physical security? • Do we have an incident response plan? • How long till we are back up? Do we want that?
  • 34. Communications • Do we have a plan for multiple audiences? --general public --shareholders --Govt./regulators --affected clients --employees --press
  • 35. Financial Management of Cyber Risk – PHI Project
  • 36. Cyber Risk Management Reference Framework Before During After Stakeholder (Govern) (Respond) (Contain) Before an incident and as governance During an incident possibly After a breach involving successfu programs escalating to as breach exfiltration. Board of What responsibility • Receive breach • Re-evaluate current cyber • Set an adequate standard of due does the BOD engage notifications and governance oversight and Directors in, such as … care governance updates standard of due care • Evaluate periodically cyber risk • Re-evaluate standard of du governance effectiveness Audit What responsibility • Receive risk realization care • Review annual cyber risk does the AC engage updates • Re-evaluate risk tolerance Committee in, such as … management assessment • Receive cyber incident • Re-evaluate cyber risk & • Issue cyber risk & incident consequence updates incident disclosure disclosure, as per SEC guidance • Participate in business impact analysis Business • Monitor damage to What responsibility do • Set cyber risk tolerance business including • Re-evaluate cyber risk (Office of CEO, business stakeholders • Participate in defining risk engage in, such as … revenues, margins, and tolerance BU GM) management options brand damage • Make cyber risk management decision • Re-evaluate resource alloc Financial What responsibility do • Participate in financial • Receive updates as to the for cyber risk management Stakeholders financial stakeholders cost/benefit analysis of different cost impact of incident or • Re-evaluate risk managem engage in, such as … risk management options breach options for top cyber agen (e.g., CFO) threats • Define and oversee cyber risk management program • Participate in cyber threat agent analysis • Monitor breach and cyber Risk • Participate in business impact risk trends What responsibility do • Evaluate effectiveness of c analysis • Measure risk Management risk stakeholders breach response and cybe
  • 37. ISA Extended Cyber Risk Management Project DIB, IT and Financial Services (spring fall 2012) • Enterprise-wide Team - All utilize cross-functional, cross-organizational team to assess and manage risk • Attention at Highest Levels - This team may have just one layer between it and the Board/CEO, but items they determine to be top items are reported at this level • CISO Owns Risk Decisions and Decision-making - Within 1 DIB member, all projects and programs have to be cleared by the CISO, who also determines risk tolerance levels in accordance with Senior Leadership guidance • Risk Management Approach Utilized - All utilize a risk management approach in which risks are assessed and mapped, and impact and probability are explored; plans are developed, and the highest level of executives and Board are notified. • Security Awareness Through Internal Testing - Unannounced tests company wide which are then tied to incentive system. For one company, such phishing initiatives reduced click-through rates from 5 to 2.5%.
  • 38. Growth toward Enterprise wide cyber management • In 2008 only 15% of companies had enterprise wide risk management teams for privacy/cyber • In 2011 87% of companies had cross organizational cyber/privacy teams • Major firms (E & Y) are now including ISA Financial Risk Management in their Enterprise Programs • Even govt. (e.g. DOE) has now adopted these principles for their sector risk management
  • 39. House GOP Task Force & ISA Policy Positions. ISA Social Contract: • "Menu" of Market Incentives Tied to Voluntary Adoption of Cyber Security Measures • Regulation CANNOT Keep Up – By the Time It Is Created, It Is Outdated • Streamline Regulation in return for increased voluntary security measures • Limited Liability for Good Actors • Utilize Tax Incentives and Tie Grant Funding to Cyber Security. House GOP Cybersecurity Task Force Recommendations: • "Menu" of Market Incentives Tied to Voluntary Adoption of Cyber Security Measures, p.7 • Regulation CANNOT Keep Up – By the Time It Is Created, It Is Outdated, p.7 • Allow Access to Streamlined Regulation as an Incentive and to Reduce Government Costs, p.8 • Limited Liability for Good Actors, p.9 • Utilize Tax Incentives and Tie Grant Funding to Cyber Security,
  • 40. Larry Clinton President & CEO Internet Security Alliance lclinton@isalliance.org 703-907-7028 202-236-0001 www.isalliance.org
  • 41. Senate (Admin) bill moves toward ISA. ISA Policy Positions: • The Public-Private Partnership: Codification of the NIPP Framework, • A Voluntary, Incentives-Based Approach, • Liability Incentives – Among other liab. inctvs, Punitive Damages protections • Govt Procurement as an incentive toward greater security, • Cost-Benefit Analysis of Suggested Cybersecurity Measures, HSGAC Bill – S.3414: • The Public-Private Partnership: Codification of the NIPP Framework, • A Voluntary, Incentives-Based Approach, • Liability Incentives – Punitive Damages protections, • Procurement Incentives – Collab. examine Govt Procurement as an incentive toward greater security, • Cost-Benefit Analysis of Suggested Cybersecurity Measures,