IDENTIFYING YOUR AGENCY’S VULNERABILITIES
Annie Searle, Principal, ASA Risk Consultants
Emergency Management Cyber Security Summit
April 30, 2013
www.anniesearle.com
Twitter = @anniesearle
Operational Vulnerabilities = Risks
• An operational risk assessment will show you where gaps may have opened up in your existing programs
  • People – human error, failure to follow procedures
  • Process – no procedure or bad procedures
  • Systems – breakdown of automated processes, especially in technology infrastructure
  • External – Mother Nature, critical dependencies on other sectors, vendors
• It’s this operational risk lens that allows you to enact change in your programs and fine tune procedures.
Copyright ASA 2013
Types of operational risk
• People
  • Internal fraud
  • External fraud
  • Legal/liability losses
• Processes
  • Processing errors
  • Noncompliance
  • Inappropriate business practices
• Systems
  • Systems failures
  • Security breaches
  • Continuity of operations
• External Events
  • Natural disasters
  • Cyber and bio threats
  • Geopolitical events
Detecting risk early *
• Don’t rely upon historic data to predict future events
• Don’t focus on narrow measures of risk – assuming (for instance) that daily measures always apply
• Don’t overlook knowable risks – not making correlations
• Find hidden risks – sometimes deliberate, sometimes unconscious
• Improve your communication – the higher you go, the less technical you must sound
• Do manage in real time – rapid change on market risks with fluctuations in the market
* René M. Stulz, “Six Ways Companies Mismanage Risk,” March 2009 Harvard Business Review article
Recent Studies on Risk Strategy
• New Protiviti study sponsored by COSO surveyed more than 200 directors.
• Nearly 2/3 of directors reported that board oversight or monitoring is ad hoc or not done at all.
• New PwC study suggests rethinking risk strategy in light of nontraditional risks: social media, digital technology, competition from global markets, global talent demands.
• ImpactFactor study: Half of those surveyed spent $50,000 or less annually to “audit and assess suppliers.” 80% indicated they manage the primary vendor only.
• Few companies have a program in place to extend through multiple layers of suppliers and subcontractors.
Can you identify the risk before contracting with a vendor?
• Most deficiencies need to be fixed.
• What is the cost of outsourcing the risk versus the cost of mitigating the risk before you outsource?
• Risk management must be proactive, especially when a company is in an arena where flags are up – mergers and acquisitions.
• My former company is a good example of inheriting vendor risk through acquisitions. To keep good employees, applications and contractors were often kept as well. Rather than integrate platforms for home loans, up to 12 systems were running at a single point in time, off old contracts.
Vendors, IP and IT * – Risks are not all with large vendors
• Intellectual Property Theft:
  • Contract janitor steals customer account information from hard copy documents lying out on desks, and uses it to obtain credit cards in customers’ names. Accounts drained of over $200,000.
  • Contractor stole and sold trade secret drawings marked for destruction. Loss estimated at $100 million.
• IT Sabotage:
  • Security guard allowed unauthorized access to data center from an expired ID carried by a manager, who unplugged cameras and stole tapes with records of 80,000 employees.
  • Contract programmer tricked janitor into unlocking an office where he downloaded sensitive source code onto removable media to take to his new boss, a competitor.
* Carnegie Mellon CERT study on insider threats
Manage Risk First Via the Contract
People
• Require background checks scaled in sophistication to criticality of business processes you are giving the vendor, but be mindful of contract janitors as well.
Process
• Bind the vendor in the contract on all compliance-related issues.
• Identify in contract the time frame in which you expect vendor’s attention.
• Trap for potential worst case scenarios and for additional layers of subcontractors.
(more)
Manage Risk First Via the Contract
Systems
• Require proof of additional layers of security and redundancy that vendor has in place.
• Consider geopolitical location if data centers are involved.
• If using cloud, then how will you audit them?
• Insist upon site visits with audit to critical vendors.
External Events
• Closely review business continuity plans using a hazards incident and vulnerability assessment (HIVA).
• Find critical gaps in both your own and vendor’s plans based on increased global complexity for transactions processing.
Close the gaps
• Distinguish “common” disruptions from unusual ones.
• Build partnerships – utilize the ISACs within critical infrastructure sectors to share information. Join InfraGard. Participate in PNWER exercises.
• Stay current on pending regulation/legislation that may affect your program.
• Ensure that your business lines can report issues/suspicious activity.
• Track all disruptions.
  • Look for patterns or repetition.
  • Speedy detection will result in a more rapid response.
• Containment and recovery include preparing customers, and monitoring and managing social media as well as traditional media.
• Ask for funds to close the gaps once you have identified issues that can be solved only with money.
Re-examine “big picture”
• What could a disruptive event look like?
• What are the potential business impacts?
• What are the competitive impacts?
• What are the upstream and downstream impacts on the value chain?
• What is the level of readiness and resilience of
  • Company
  • Suppliers
  • Distributors
  • Customers
• Wider resilience can mean higher market ratings, with a rating premium up to 20%.
Writing a persuasive recommendation
• Your technical staff may have prepared the most exhaustive analysis possible
  • Edit/revise it to eliminate acronyms and overly technical terms
  • Attach this analysis to your executive summary
• Assume that your CEO will not read the whole document
  • Create a one page summary with all information required to make the decision/fund your project
  • Must be written in English, not acronyms
• Consider related information the CEO may have
  • Newspaper reports, evening news stories
  • Social media chatter, stories on Huffington Post, etc.
  • Professional meetings, regulator briefings
Format of executive summary
• Background information
  • High level description of problem in your particular industry
• Current situation
  • Steps already taken by your company
  • Gaps that remain
• Risk exposure
  • Likelihood and probability of impacts if nothing is done
  • At minimum, requirements to prevent financial loss
  • Optimum solution
• Action requested
  • Cost and timeline for minimum response
  • Cost and timeline for optimum solution
CYBER RISK ASSESSMENT
Mary Gardner, Information Security Officer
Emergency Management Cyber Security Summit
April 30, 2013
Definitions
• Risk
  • A probability or threat of damage caused by external or internal vulnerabilities. May be avoided through preemptive action.
• Vulnerability
  • A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.1
• Threat
  • A natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property.2
1 NIST 800-30
2 DHS Risk Lexicon
Why?
• Work Smarter not Harder
  • Identify and Prioritize High Risk Vulnerabilities
  • Prioritize Work Based on Risk and Effort
• Reduce Likelihood of Breach
  • Regulatory Requirements for Notification
  • $200.00 per Record for Notification
• Inform Incident Response
  • Identification of Vulnerabilities Can Assist Incident Response Teams
How?
• Determine Scope
  • What are our IT Assets
  • Which are the Most Important
  • Where do they reside?
• Classify the Assets
  • Which will Cause the Most Harm if Compromised
• Identify Threats and Vulnerabilities
• Assess Risk of Threats Exploiting Vulnerabilities
• Identify Steps to Mitigate
  • Management may choose to accept or transfer risk rather than mitigate
Identifying Threats
• People
  • Insiders
  • Third Parties
• Software
  • Malware
  • Spyware
• Natural Disaster
  • Flooding, earthquake, storms
  • Disease
  • Power Outages
People
• Insiders
  • http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
  • Public Porn FTP Site Running on Corporate Server
  • (USB hard drive) stolen from the vehicle of a DHHS employee
• 3rd Parties
  • Hackers
  • Advanced Persistent Threats
  • Stuxnet
People – How to Assess
• Insiders
  • Define Risk Appetite
  • Background Checks
  • 3rd Party Insider Risk Assessment
• 3rd Parties
  • Research
  • Understand your Business Model
    • Intellectual Property
    • Business Advantage
    • Controversial Products or Practices
• Vendors
  • Onsite Risk Assessment
  • 3rd Party Assessment
Vulnerabilities
• Network
  • Configuration
  • Remote Access
  • Wireless
• Software
  • Input Validation
  • Authentication / Authorization
  • Configuration/Deployment
• Vendor
  • All of the Above
Identifying Vulnerabilities
• Vulnerability Scanning
• Penetration Testing
• Social Engineering Assessments
• Threat Awareness/Monitoring
Vulnerability Scanning
• Multiple Tools and Services
  • Qualys, Nessus, Rapid7
  • Most focus on Network
• Scans Generate Lots of Data
  • False Positives
  • Low Risk Issues
• Process Is Key
  • Baseline Knowledge
  • Change Management
  • Customized Reporting
    • Risk if Exploited
    • Cost and Effort to Mitigate
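The "How?" steps above (classify assets, assess risk, prioritize by risk and effort) and the scanning process on this slide (baseline knowledge, change management, customized reporting) can be turned into a small triage routine. The following is an added example, not part of either presentation; asset criticality values, the baseline set, the previous-scan set, the scanner findings and the scoring formula are all constructed for illustration and do not follow any vendor's report format.

```python
# Constructed sample data for this example. Asset criticality comes from the
# "classify the assets" step (1 = low, 5 = would cause the most harm if compromised).
ASSET_CRITICALITY = {"payroll-db": 5, "public-web": 4, "dev-jumpbox": 2}

# Baseline knowledge: findings already reviewed and accepted (or known false positives).
BASELINE_ACCEPTED = {("dev-jumpbox", "SSH-WEAK-MAC")}

# Findings seen in the previous scan, used for change management (new vs. recurring).
PREVIOUS_SCAN = {("public-web", "TLS-OLD-CIPHER"), ("dev-jumpbox", "SSH-WEAK-MAC")}

# Constructed scanner output; plugin names and fields are placeholders, not any tool's format.
SAMPLE_FINDINGS = [
    {"asset": "payroll-db",  "plugin": "SQL-AUTH-BYPASS", "severity": 5, "exploit_public": True,  "effort": 3},
    {"asset": "public-web",  "plugin": "TLS-OLD-CIPHER",  "severity": 2, "exploit_public": False, "effort": 1},
    {"asset": "dev-jumpbox", "plugin": "SSH-WEAK-MAC",    "severity": 2, "exploit_public": False, "effort": 1},
    {"asset": "dev-jumpbox", "plugin": "OS-EOL",          "severity": 4, "exploit_public": True,  "effort": 5},
]


def risk_score(finding, criticality):
    """Risk if exploited: scanner severity x asset criticality, doubled when a public exploit exists."""
    likelihood = 2.0 if finding["exploit_public"] else 1.0
    return finding["severity"] * criticality[finding["asset"]] * likelihood


def triage(findings, criticality, baseline, previous, min_score=8):
    """Drop baselined findings and low-risk noise, then rank the rest by risk per unit of effort."""
    ranked = []
    for f in findings:
        key = (f["asset"], f["plugin"])
        if key in baseline:
            continue                      # already reviewed: accepted risk or false positive
        score = risk_score(f, criticality)
        if score < min_score:
            continue                      # low-risk issue: keep it out of the management report
        ranked.append({**f, "risk": score,
                       "priority": score / f["effort"],
                       "status": "recurring" if key in previous else "new"})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)


def report_lines(ranked):
    """One plain-English line per finding, in priority order, for the summary to management."""
    return [f"{r['priority']:5.1f}  {r['status']:9}  {r['asset']}: {r['plugin']} "
            f"(risk {r['risk']:.0f}, effort {r['effort']})" for r in ranked]


if __name__ == "__main__":
    for line in report_lines(triage(SAMPLE_FINDINGS, ASSET_CRITICALITY, BASELINE_ACCEPTED, PREVIOUS_SCAN)):
        print(line)
```

With the sample data the baselined SSH finding is dropped, the payroll database issue ranks first despite a higher remediation effort, and the end-of-life jump box falls to the bottom because its effort is high relative to its risk.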
Penetration Testing
• Requires Expertise
  • Can be Expensive
  • Generally Outsourced
• Makes an Impact on Management
  • Easy to Communicate Value
  • Better Buy In on Remediation
• View of Security Posture
  • Identify Design and Application Flaws
  • Combine with Social Engineering
Managing a Penetration Test
• Define Scope
  • What is the Target
  • What is the Timeline
  • Who Needs to Know
• Vet the Staff
  • Are they Qualified
  • Will they be a Good Partner
• Help Write a Great Report
  • Understanding of the Business
  • Written in English
  • Clear Next Steps
Questions