Risk Assessments

Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Risk Assessments
Office of the CISO

2
:/whoami/
– 20+ years in IT and Information Security
– Former CSO, CISO, Privacy Director
– Bachelor's in Computer Science
– MBA
– Adjunct Professor at University of Dallas
– Certifications:
• Cybersecurity
• SANS GSEC

3
Who is Optiv?
Security Consulting
• Strategy
• Risk
• Architecture and Planning
• Incidence Assurance and Response
• Compliance
• Applications Security
• Attack, Vulnerability and Penetration
Testing
• Security Awareness and Training
Security Operations
• Monitoring
• Malware Detection
• Malware Analysis
• Technology Support
• Staffing
Security Technology
• Education
• Assessment and Validation
• Selection
• Sourcing
• Implementation
• Integration
Every security problem
Every level of
engagement
Project
• Products
• Services
Problem
• Architectures
• Integrated solutions and
bundles
• Services
Program
• Functions, department
• Business advice
• Services
Every security aspect
• Strategy
• Management and Planning
• Defenses and Controls
• Monitoring and Operations
Every security service
Client
centric
approach
Centered on each client’s
unique needs and priorities
Client
data and
intellectual
property
Insider
threats
Mobility
Compliance
and regulations
Security
awareness
Cloud infrastructure
services
Evolving technology
landscape
Third-party riskAdvanced threat
Internet of
Things (IoT)
Threat
intelligence
Distributed
denial of service

4
Agenda
Third Party / Cloud
Considerations
IOT ConsiderationsRisk Assessments

5
The focus has changed from protecting the IT infrastructure to
managing the information risk to the organization
Securing the
Organization
CISO Secure the internal
organization
Understand and manage
the risk of third parties
Understand and manage
regulatory risks
Communicate information
risk in business terms
Business Acumen
Regulatory Compliance
Management
Third-Party Risk
Management
Information
Security
CIRO
Evolution of the CISO

6
Risk Management
Enterprise Risk Management
IT Risk Management
Risk Assessments

7
Risk Definitions
• Assets – Anything of value
• Specifically the costs associated with what we’re trying to protect
• Threat (Agents) – Anything that can exploit a vulnerability
• Must compromise an asset (have an impact)
• Vulnerability – A weakness or gap in our controls
• Controls are not adequate to fully address threat concerns
• Controls – Actions taken to mitigate threat effectiveness
• Administrative, Logical, Physical
• Preventative, Corrective, Detective
• RISK = The potential for an asset to experience negative consequences
as a result of a threat exploiting a vulnerability.

8
Risk Equation
Risk = Assets * Threats * Vulnerabilities
Countermeasures (controls)
• Assets – what we are trying to protect
• Threats – what we are trying to protect against
• Vulnerability – what we are trying to address
• Controls – what we are doing to address them

9
Another View of the Risk Equation

10
Asset Valuation
ISO 22317

11
Research Threat Landscape
Information Security is the preservation of confidentiality,
integrity, and availability of information and information
systems
Organized Criminals Hacktivists Groups Nation-States Competitors Internal / External
Motivation
Financial gain - Sale
information on black
market. Use trusted
partner data for further
attacks
Politics, ideology,
business disruption, or
reputation
Politics, economics,
intellectual property, or
military advantage
Intellectual property,
competitive advantage,
customer data
Financial gain,
intellectual property, or
malicious destruction,
non-malicious actions
Target
Information
Personal Identifiable
Information (PII), Personal
Health Information (PHI),
Trusted Partner
Information, Financial
Accounts, Credit Cards
Destroy data or disrupt
business to lose
credibility, influence,
competitiveness, or
stock value
Intellectual Property,
Competitive Formulas and
Processes
Intellectual Property,
Growth, M&A Plans,
Financial Results, Pricing,
Competitive Formulas and
Processes
Combination of all
groups
Actor

12
Vulnerability Assessment
Threat Mapping
Using an
Attack Tree

13
Vulnerability Analysis

14
Controls Assessment
ISO 27000

15
Controls Assessment
RIIOT Approach
• Review documents
• Interview key personnel
• Inspect controls
• Observe behaviour
• Test controls

16
Define and Prioritize Risks
Impact Likelihood Risk
Critical Frequent R1.1
Impact of
Occurrence
Frequent Probable Conceivable Improbable Remote
Critical Probable R1.3 Critical R1.1 R1.3 R2.3 R3.5 R4.7
High Frequent R1.2 High R1.2 R2.1 R3.3 R3.6 R4.8
Critical Conceivable R2.3 Moderate R2.2 R3.1 R3.4 R4.5 R5.3
High Probable R2.1 Low R3.2 R4.1 R4.4 R4.6 R5.4
Moderate Frequent R2.2 Informational R4.2 R4.3 R5.1 R5.2 R5.5
Critical Improbable R3.5
High Conceivable R3.3
High Improbable R3.6
Moderate Probable R3.1 Risk Ranking Value
Moderate Conceivable R3.4 R1.1 100
Low Frequent R3.2 R1.2 98
Critical Remote R4.7 R1.3 96
High Remote R4.8 R2.1 94
Moderate Improbable R4.5 R2.2 87
Low Probable R4.1 R2.3 80
Low Conceivable R4.4 R3.1 71
Low Improbable R4.6 R3.2 61
Informational Frequent R4.2 R3.3 51
Informational Probable R4.3 R3.4 41
Moderate Remote R5.3 R3.5 31
Low Remote R5.4 R3.6 21
Informational Conceivable R5.1 R4.1 20
Informational Improbable R5.2 R4.2 18
Informational Remote R5.5 R4.3 16
R4.4 14
R4.5 12
R4.6 10
R4.7 8
R4.8 6
R5.1 4
R5.2 3
R5.3 2
R5.4 1
R5.5 0
Likelihood of Occurrence
• Likelihood and Impact are DERIVED Characteristics
– Impact = Asset Worth X Scale
– Likelihood = Exploitability X Exposure

17
Define and Prioritize Risks - Another View
Business Impact
ProbabilityofFailure/Exploit
LMH
ML H
IT Risk Assessment

18
Risk Register
Category Definition Likelihood Impact
Mitigation
Complexity
Risk Rank
Data Exfiltration
Unauthorized access and/or theft of IP or
sensitive data
High High High 1
Insider Threat
Privilege misuse by disgruntled or careless
employee and/or trusted third party
High High Medium 2
Spear Phishing / Social
Engineering
Targeted email with malicious link / malware High High Medium 3
Data Leakage / Loss
Exposure of sensitive information on
endpoints and Cloud apps
High High Medium 4
Compromised Privileged
Credentials
Stolen login ID provides authorized access to
an attacker
Medium High Medium 5
Malware / Ransomware
Software that is intended to damage or
disable computers and computer systems
Medium High High 6
Advanced Persistent
Threat Attack
Advanced attack by well-funded adversary
over a long period
Medium High High 7
Exploit of Known
Security Flaws
Systems do not conform to configuration
standards; patches not applied regularly
Medium High Medium 8
External Website
Compromise
Branded websites and external applications
defaced or damaged
Medium Medium Medium 9
Social Media
Facebook, Twitter, etc. where brand
information could be posted
Medium Low Medium 10
Increasedrisk

19
Another Method for Determining Risk
 DREAD model:
Damage potential – How great is the damage if the vulnerability is exploited?
Reproducibility – How easy is it to reproduce the attack?
Exploitability – How easy is it to launch an attack?
Affected users – As a rough percentage, how many users are affected?
Discoverability – How easy is it to find the vulnerability?
 Risk = Min(D, (D+R+E+A+D) / 5)

20
Compliance <> Security
May need to conduct other assessments:
 Credit Card Data
 PCI DSS
 Personal Health Information
 HIPAA
 Security Risk Assessment tool
 www.HealthIT.gov/security-risk-assessment

21
Agenda
Third Party / Cloud
Considerations

22
Customers don’t care about your business partners.
They entrust you with the information.
Brand Damage
Loss of Customer Loyalty
LawsuitsIncreased
Scrutiny Higher Audit Costs
Litigation
Eroded Share Value
Consequences:
Are You Responsible for a Breach at a Third Party?

23
(1) Source: Key findings from The Global State of Information
Security® Survey 2014, PWC, CSO Magazine
(2) 2014 Cost of Data Breach Study: Global Analysis,
Ponemon Institute, May 2014
Your are not in control of the
response or communications
Responding is more complex
and time consuming
51%
of All Breaches
Come from Third
Parties(1)
The Cost of a Breach
at a Third Party is
Higher than an
Internal Breach (2)
Third-Party Breaches

24
The Future Looks Bleak
Gartner predicts that through 2020 all security
incidents realized in the cloud will be broken down
by a 95% to 5% ratio.
– 5% of all cloud ecosystem breaches will be CSP’s fault
– 95% will be the fault of the customer

25
The Real Cloud Picture
Unmanaged Approved and
Managed
• Typical enterprise has on
average 613 cloud
applications in use
• 88% of those not
considered enterprise ready
• Over 90% are being
used without
knowledge or approval
of enterprise
Source: Netskope January 2015

26
Cloud Risks
Loss of Direct Control
• The security and continuity controls are in the hands of the provider
• Threat of malicious insider is extended to cloud provider
Data Protection
• A shared environment can offer more avenues for data loss
• Dynamic movement of data between clouds makes protection complex
• Complete data destruction is very difficult in shared cloud
Governance is hard
• Due diligence is costly with duplication of effort
• no true standard of care
• Lack of a trusted third party assessor
Protecting sensitive data is more complex in cloud environment

27
More Cloud Risks
Regulatory Compliance
• Cloud computing security and retention issues can arise with respect to complying
various data privacy and protection regulations
Legal Discovery / Forensics
• Provider may not provide security incident logs without violating other client
agreements
• Electronic forensics is more challenging and must be established in advance
Cloud Service Provider
• Once you have migrated your systems to a cloud provider it is expensive and
difficult to change. Exit strategy needs to be completed prior to engagement
• The consolidation of multiple organizations into a single infrastructure presents an
attractive high-value target
Additional considerations when migrating to cloud services

28
Third Party Risk Process
Business
Profile
Risk –
Who Are
They?
2
How Are They
Protecting the
Information?
3
1
Relationship Risk
– What Are They
Doing for Us?
4
Control
Validation
5
Monitoring
and
Reporting
- Regulatory or Contract Exposure
- Data Exposure
- Business Process Exposure
1
- Financial Strength
- Geopolitical / Country Risk
- Breach History or Indication
2
- Electronic Validation
- Onsite Validation
- Control Evidence
4
- Changes in Relationship
- Changes in Business
- Changes in Controls
5
- Standardized, Service Type
- ISO27001/NIST
- HIPAA/STAR
3

29
Match the Level of Due Diligence to Inherent Risk
Inherent Risk is a Function of Relationship and
Profile Risk
Tier 1
• Strategic accounts (high
revenue dependence)
• Regulatory/contract
requirements
• High reputation risk
• “Trusted” relationships
29
Tier 2
• Lower volume with no or
minimal sensitive data
• Lower revenue risk
• Business operations risk
• Some business profile
risk
Tier 3
• No sensitive data
• Minimal reputation risk
• Minimal or no revenue
dependence
• “Trusted” relationship
with low-level access
Risk Tiers Based on Inherent Risk

30
Tier 1 Assessments
Fully Validated
• Validate (not a complete list)
• Security policies
• Incident response plan and procedures
• Detection & Monitoring Systems (e.g. SEIM, SOC)
• Business continuity/disaster recovery plan and test results
• Vulnerability management procedures and sample reports
• Security awareness, training and completion log
• Last independent security assessment - status of high risks
Tip: Multiple sites and
outsourcing by third-party
significantly increases
level of effort
Tier 1 Due Diligence

31
Partially Validated
Tier 2 Assessments
Tier 3 Assessments
Self Attest of Controls
Random Audit
Self Attest of Controls
Tier 2 and 3 Assessments

32
Due Diligence Frequency
•Match Due Diligence to the Associated Risk
– Tier One
•Annual – Fully Validated Controls Assessment
•Quarterly – Penetration and Vulnerability Scan Results
•Monthly – Touch Base on Incident Response and Contact Management
– Tier Two
•Annual – Validation of Primary Controls
•Quarterly – Incident Response Contact Management
– Tier Three
•Annual – Self Assessment and Random Audits When Possible
•Annual – Incident Response Contact Management

33
• On April 5, USA Today published results from survey of 40 banks and found:
• 30% don’t require third-party vendors to notify of security breach
• Less than 50% conduct onsite assessments of third-parties
• Approximately 20% do not conduct on-site assessments of service providers
33
1.5%
- 2%
6% - 8% 90% - 95%
Average Enterprise Has 1000s of Third-Parties
Tier 1 Tier 2 Tier 3
Third-Party Risk – Current Situation

34
The Key Question:
“What data of ours can be breached?”
• Relationship Exposure Inventory – Risk Registry
• Maintain a relationship list (type and quantity)
• Relationship “Creep”
• Due diligence is performed during the first contract
• Relationship grows over time
• Increased liability without updating the risk exposure metrics
Relationship Exposure Inventory

35
Third-Party Contracts
Right to
Audit
Security
Service Level
Agreement
Breach
Notification
Restrictions on
Outsourcing
Security Safeguards
Indemnification,
Cyber Insurance, etc.
Exit
Strategy

36
• Match Due-Diligence to Risk and Type of Service
• Minimize Ambiguity
• How You Ask Questions is as Important as
What You Ask
• SSAE16 SOC 2 review
• Provides information pertaining to the IT controls
that has been certified by an accredited firm
Tip: Make sure scope matches the services being provided.
• Questionnaires
• Popular
• Onsite Third-Party Validation
• Costly and Time Prohibitive
• Cloud Security Alliance
Control Assessments

37
Cloud Security Alliance

38
CSA Security Trust & Assurance Registry (STAR)

39
• Response Red Flags
• “Sorry I can’t give you that. It is confidential”
• “I’ll send it to you after our legal review”
• People Red Flags
• Evasive answers -Shifty eyes
• Long explanations
• Governance Red Flags
• No formal training and awareness program
• Security organization is a side job, no executive oversight
• Security Technology Red Flags
• Vulnerability management is not fully implemented
• Threat management is incomplete or nonexistent.
• No IM, privileged access, two factor authentication
What to Watch For

40
When to Review
During the RFP
Process
When the
Relationship Changes
When a Regulation
Changes
When the Business
Profile Risk Changes
At Least Annually

41
90
Days
+ 90
Days
Begin due
diligence on critical
third parties
Evaluate your risk
inventory and
assign risk tier
Start slow – Get
quick wins
Within Three Months, You Should:
Beyond Three Months, Establish:
✓ ✓ ✓
A tiered program to
evaluate risk
A remediation plan
to address deficient
controls
Reporting
program✓ ✓ ✓
How to Apply What You Have Learned

42
Agenda
Third Party / Cloud
Considerations

43
1. 50 to 200 billion connected devices by 2020
“Number of connected devices worldwide will rise from 15 billion today to 50
billion by 2020.” - Cisco
2. $1.7 trillion in spending by 2020
“Global spending on IoT devices & services will rise from $656 billion in 2014
to $1.7 trillion in 2020.” - IDC
3. The $79 billion smart-home industry
“Smart-home industry generated $79.4 billion in revenue in 2014 and is
expected to rise substantially as mainstream awareness of smart appliances
rises.” - Harbor Research & Postscapes
4. 90% of cars will be connected by 2020
“By 2020, 90% of cars will be online, compared with just 2% in 2012
supporting in-car infotainment, autonomous-driving, and embedded OS
markets” - Telefonica
5. 173.4 million wearable devices by 2019
“Global wearable device shipments will surge from 76.1 million in 2015 to
173.4 million units by 2019.” - IDC
Chart source: http://www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html
State of the Internet of Things (IOT)

44
IOT Drawbacks
•Designed with strict constraints
– Low power consumption
– Small memory and disk space
– Minimal processing power
– Little human interaction
– Reduced options
•Weak update mechanisms
– Devices are not engineering for patching
– Lack of alerting regarding need for patching
– Challenges in notification and delivery of patches

45
IOT Misconceptions
•“ My devices are too simple to be exploited by an attacker.”
•“ My devices are too old or too customized to be targeted.”
•“ My devices are not capable of being updated, therefore there are no
security controls at my disposal.”
•“My vendors are not delivering patches.”
•“ The risks posed by my IOT devices are not as severe as other more
traditionally connected machines, therefore these devices are a lower
priority.”

46
IOT Challenges
•No end to vulnerabilities
•Little compatibility with enterprise infrastructure
•Rise of Shadow-IT
– Devices are easy to purchase, install and use
•More consumer to business cross-over
•Need to interact with groups that may not be
used to working with IT and IT Security or may
think they don’t need to work with them at all

47
IOT Assessments
•Need to follow traditional risk assessment approaches
– RIIOT process will be key
– Engage vendor and industry groups
– Step-up awareness efforts
•Catch it early during vetting process
•Remediation is the challenge
– May have rely on a rip and replace strategy
– Adopt a micro-segmentation architecture
– Rely on upstream and downstream controls
– Technology cannot be the only solution

48
Goal = Minimize Impacts of a Breach
• Hard costs from disruption
or destruction of
infrastructure
• Increased scrutiny from
third parties
• Attrition of employees or
management
• Diminished brand value
• Profitability
• Revenue, Customer
Retention
• Damage Repair - $200+ per
stolen identity
Loss of
Intellectual
Property
• Competitive
advantage
• New market
opportunities
• Long term growth
Reputation Operational

49
Questions
Brian Wrozek
Brian.Wrozek@optiv.com
@bdwtexas

Risk Assessments

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Risk Assessments

Similar a Risk Assessments (20)

Más de JoAnna Cheshire

Más de JoAnna Cheshire (20)

Último

Último (20)

Risk Assessments