Addressing Cybersecurity Risk: Protecting Your Business

Date post: 29-Apr-2018

Page 1

Addressing Cybersecurity Risk: Protecting Your Business

• Brian Browne
• Managing Director
• Business Advisory Services
• Grant Thornton LLP

CyberSecurity

© 2015 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd

Page 2

Cybersecurity in 2015

• Current Trends
  – Cybersecurity incidents and breaches
  – Impact

• Assessing Risk
  – Knowing yourself: Identifying and valuing assets
  – Knowing yourself: Identifying vulnerabilities
  – Knowing the enemy: Understanding threats and attacks
  – Determining risk: Coupling assets, vulnerabilities, and threats

• Preparedness is all...vigilance and response
  – Improve data security
  – Adopt a cybersecurity control framework
  – Manage third party risk
  – Perform incident response planning

Page 3

Current Trends

Page 4

Incidents and Breaches

Ripped from the headlines

• Target
• Kmart
• Staples
• Sony
• JPMorgan Chase
• BeBe Stores
• Dairy Queen

Page 5

Incidents and Breaches

Biggest Data Breaches

Page 6

Incidents and Breaches

Biggest Data Breaches – Transportation Industry

Page 7

Incidents and Breaches

Numbers By Industry

"No industry is immune to security failures. Don't let a 'that won't happen to me because I'm too X' attitude catch you napping."

Page 8

Impacts

Company          Breach cost
Target           $61 million
Neiman Marcus    $4.1 million
eBay             TBD
Sony             $171 million
TJ Maxx          $74.6 million

Page 9

Impacts

Major non-compliance cost categories

• Regulator fines for non-compliance and/or data breach

• Breach discovery, response, and notification

• Litigation costs

• Lost employee productivity in diverting from daily duties

• Opportunity costs in the form of customer churn / losses

• Reputational damage

Page 10

Impacts

Cost of a data breach

• Indirect costs – what the company spends on existing internal resources to deal with the data breach, such as data breach notification efforts and investigations of the incident. Also includes the loss of brand value and reputation and customer churn.

• Direct costs – what the company spends to minimize the consequences of a data breach and to assist victims. These costs include engaging forensic experts to help investigate the data breach, hiring a law firm and offering victims identity protection services.

Page 11

Impacts

Record cost by industry

" . . . heavily regulated industries . . . tend to have a per capita data breach cost substantially above the overall mean of $217."

Page 12

Impacts

Factors that reduce the cost of a data breach

Page 13

Assessing Risk

Page 14

"It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."

- Sun Tzu

Page 15

Assessing Risk

Confidentiality, Integrity, Availability

• Credit Card Data
• Customer / Privacy Data
• Order / Freight Data
• Vehicle Data
• Logistics Data / Applications
• Maintenance Data / Applications

Page 16

Assessing Risk

Risk Assessment Methodology

Identify Assets → Threat Identification → Vulnerability Identification → Impact Analysis → Risk Determination

Page 17

Assessing Risk – Identifying Assets

Examples

• Data
  – Privacy information (e.g., PII)
  – Health information (e.g., ePHI)
  – Credit card information (e.g., PCI)
  – Financial
  – Company sensitive information (e.g., trade secrets)

• Applications
  – Externally and customer facing applications
  – Internal applications that process sensitive information
  – High availability applications

• IT infrastructure
  – Servers, databases, network devices

Page 18

Assessing Risk – Identifying Assets

An Approach

• Business Unit / Department Interviews
  – Similar to business impact analysis (BIA) approach for business continuity / disaster recovery (BC/DR)
  – Interview knowledgeable business personnel to identify key applications and sensitive data captured / processed
  – Map applications and data onto IT infrastructure
  – Capture relevant attributes to assign criticality / impact
  – Establish initial asset inventory

• Asset Validation
  – Leverage initial asset inventory
  – Leveraging judgement
    • selectively monitor traffic to/from critical assets to identify "top talkers"
    • selectively scan "top talkers" for sensitive data

Page 19

Assessing Risk – Valuing Assets

Example risk attributes

• Sensitive data
  – Type
  – Storage volume
  – Storage duration
  – Encryption usage and strength

• Access methods and types
  – Externally accessible
  – Accessible from public locations (e.g., kiosks)
  – Mobile
  – Third party access

• Numbers
  – Users
  – Interfaces
  – Transactions

Page 20

Assessing Risk – Threats and Attacks

Incident Type Over Time

Page 21

Assessing Risk – Threats and Attacks

Incident Type by Threat Actor

Page 22

Assessing Risk – Threats and Attacks

Incident Type by Industry

Page 23

Assessing Risk – Vulnerabilities

Assessment Activities to Identify Vulnerabilities

• Vulnerability Assessment

• Penetration Testing

• Perimeter Network and Firewall Review

• Active Directory Assessment

• Web Application Security Assessment

Page 24

Assessing Risk – Vulnerabilities

Vulnerability Assessment

• Identify vulnerabilities as comprehensively as possible

• No attempt to exploit

• Can be performed externally and/or internally

• Can be performed with no credentials or with administrative credentials

• Typically leverages automated tools

Page 25

Assessing Risk – Vulnerabilities

Penetration Testing

• Exploit one or more vulnerabilities to gain unauthorized system or data access

• Can be performed externally and/or internally

• Should not be constrained by automated tools results or exploits – should include manual attack methods

• Can include a variety of vectors:
  – network
  – wireless
  – social engineering
  – physical

Page 26

Assessing Risk – Vulnerabilities

Penetration Testing

Page 27

Assessing Risk – Vulnerabilities

Perimeter Network and Firewall Review

• Review perimeter network architecture
  – network ingress and egress points
  – third party connectivity
  – internal segmentation to complicate a potential attacker's ability to penetrate and restrict unauthorized access
  – topology and placement of routers, switches, firewalls, virtual private network (VPN) devices, intrusion detection systems/intrusion prevention systems (IDS/IPS), and gateway security services such as antivirus and authentication services
  – appropriateness of demilitarized zones (DMZs) and their method of implementation

• Firewall configuration review
  – security features leveraged as effectively as possible
  – administration / access
  – logging / monitoring
  – firewall rules
    • default deny inbound and outbound
    • most restrictive and manageable configuration possible
    • use specific IP subnets, addresses, and/or ports
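The three firewall-rule criteria above (default deny in both directions, most restrictive configuration, specific subnets/addresses/ports rather than "any") are easy to state and tedious to verify by eye across a long policy. The following is an added example, not tooling from the deck or from Grant Thornton: a small reviewer that takes a normalised rule list and reports each criterion a rule fails, shown against a constructed weak policy and a constructed hardened one. The rule tuple layout, the /16 "overly broad network" threshold, and the addresses (RFC 5737 documentation ranges) are all assumptions.

```python
"""Firewall rule review checker (added example; the rule format, the /16
"broad network" threshold and the sample policies are assumptions)."""

from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out"
    action: str      # "allow" or "deny"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    proto: str       # "tcp", "udp" or "any"
    port: str        # port, "a-b" range, or "any"


def is_broad(cidr: str) -> bool:
    """'any' or a prefix shorter than /16 counts as overly broad (assumed threshold)."""
    return cidr == "any" or ip_network(cidr, strict=False).prefixlen < 16


def is_catch_all_deny(rule: Rule) -> bool:
    """A deny that matches every source, destination, protocol and port."""
    return (rule.action == "deny" and rule.src == "any" and rule.dst == "any"
            and rule.proto == "any" and rule.port == "any")


def review_rules(rules: list) -> list:
    """Return human-readable findings; an empty list means the policy passes."""
    findings = []
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        # Default deny: each direction's chain must end with a catch-all deny.
        if not chain or not is_catch_all_deny(chain[-1]):
            findings.append(f"{direction}: chain does not end in a default deny")
        # Rules after a catch-all deny can never match: clutter that hurts manageability.
        for idx, r in enumerate(chain):
            if is_catch_all_deny(r) and idx != len(chain) - 1:
                findings.append(f"{direction}: {len(chain) - idx - 1} rule(s) shadowed "
                                f"by an earlier catch-all deny")
                break
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        # Specificity: an allow should pin down at least one end and the service.
        if is_broad(r.src) and is_broad(r.dst):
            findings.append(f"rule {i} ({r.direction}): allow with broad source and destination")
        if r.proto == "any" or r.port == "any":
            findings.append(f"rule {i} ({r.direction}): allow without a specific protocol/port")
    return findings


# Constructed weak policy: "allow everything" in both directions, no default deny.
WEAK_POLICY = [
    Rule("in", "allow", "any", "any", "any", "any"),
    Rule("out", "allow", "any", "any", "any", "any"),
]

# Constructed hardened policy for the same site: specific services, explicit
# third party connectivity, and a default deny closing each direction.
HARDENED_POLICY = [
    Rule("in", "allow", "any", "203.0.113.10/32", "tcp", "443"),          # public web server
    Rule("in", "allow", "198.51.100.0/24", "10.0.5.0/24", "tcp", "22"),   # third party VPN -> jump hosts
    Rule("in", "deny", "any", "any", "any", "any"),
    Rule("out", "allow", "10.0.0.0/16", "any", "tcp", "443"),             # outbound HTTPS only
    Rule("out", "allow", "10.0.0.0/16", "10.0.9.53/32", "udp", "53"),     # internal resolver
    Rule("out", "deny", "any", "any", "any", "any"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, review_rules(policy) or "no findings")
```

Run it and the weak policy produces six findings (no default deny in either direction, and each blanket allow fails both specificity checks) while the hardened policy produces none. In a real review the rule list would be exported from the firewall and normalised into this shape first; the checks themselves are deliberately simple so that each finding maps to one bullet on the slide.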

Page 28

Assessing Risk – Vulnerabilities

Active Directory Assessment

• Active Directory (AD) establishes the internal security foundation for most organizations

• Provides central authentication and authorization services

• Allows administrators to assign policies, deploy software, and apply critical updates to an entire organization

• Potential security issues could have systemic implications to the company's IT infrastructure

• Review the following areas:

– Forest and domain design

– AD security

– AD administration

– Group Policy configuration

– Domain controller security and health

– Event logging and monitoring

Page 29

Assessing Risk – Vulnerabilities

Web Application Security Assessment

• Assesses risks of interactive web applications running on web servers

• Typically will leverage either no credentials or non-privileged (e.g., normal user) credentials

• Common application security control areas that are assessed include, but are not limited to:

– Information leakage
– Identification and authentication
– Authorization and user role management
– Session management
– Input validation and error handling
– Transmission and storage of sensitive data
– Business logic controls
– Auditing and logging capabilities

Page 30

Assessing Risk – Risk Determination

Putting It All Together
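"Putting It All Together" is a figure in the deck. As an added example that is not part of the original slides, the methodology from the preceding pages (identify assets, identify threats and vulnerabilities, analyse impact, determine risk) is carried through below in Python on a constructed inventory: three assets valued with the attributes listed earlier (data type, storage volume, encryption, external and third party access), findings from an assessment, and two threat actors. The weights, thresholds and the 3x3 likelihood-by-impact matrix are assumptions in the style of a qualitative NIST SP 800-30 assessment, not the presenter's scoring model; the asset names, findings and threats are constructed.

```python
"""Risk determination: couple assets, vulnerabilities and threats into a ranked
risk register (added example; weights, thresholds and sample data are assumptions)."""

from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}
REGULATED = {"PCI", "PII", "ePHI"}   # data types carrying regulatory exposure


@dataclass(frozen=True)
class Asset:
    name: str
    data_types: frozenset        # e.g. {"PCI", "PII"}
    externally_accessible: bool
    third_party_access: bool
    encrypted_at_rest: bool
    records: int                 # storage volume


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    description: str
    severity: str                # "low" | "medium" | "high" from the assessment


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str              # "low" | "medium" | "high"
    targets: frozenset           # data types this actor goes after


def impact_level(asset: Asset) -> str:
    """Impact analysis: what a compromise of this asset would cost (assumed weights)."""
    score = 0
    if asset.data_types & REGULATED:
        score += 2                # fines, notification, litigation
    if asset.records > 100_000:
        score += 1                # per-record breach cost scales with volume
    if asset.encrypted_at_rest:
        score -= 1                # strong encryption limits the damage of theft
    score = max(score, 0)
    return "high" if score >= 3 else "medium" if score >= 1 else "low"


def likelihood_level(asset: Asset, vuln: Vulnerability, threat: Threat) -> str:
    """Likelihood: threat capability plus how exposed the weakness is (assumed weights)."""
    score = LEVELS[threat.likelihood] + LEVELS[vuln.severity]
    if asset.externally_accessible:
        score += 1
    if asset.third_party_access:
        score += 1
    return "high" if score >= 7 else "medium" if score >= 5 else "low"


def risk_level(likelihood: str, impact: str) -> tuple:
    """Risk = likelihood x impact on a 3x3 matrix; returns (numeric score, label)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return score, ("high" if score >= 6 else "medium" if score >= 3 else "low")


def determine_risk(assets, vulns, threats) -> list:
    """Pair every vulnerability with each threat interested in that asset's data."""
    by_name = {a.name: a for a in assets}
    register = []
    for v in vulns:
        asset = by_name[v.asset]
        for t in threats:
            if not (t.targets & asset.data_types):
                continue          # this actor has no interest in this asset
            lik = likelihood_level(asset, v, t)
            imp = impact_level(asset)
            score, label = risk_level(lik, imp)
            register.append({"asset": asset.name, "vulnerability": v.description,
                             "threat": t.name, "likelihood": lik, "impact": imp,
                             "score": score, "risk": label})
    return sorted(register, key=lambda r: r["score"], reverse=True)


# Constructed inventory, assessment findings and threat list.
SAMPLE_ASSETS = [
    Asset("ecommerce-web", frozenset({"PCI", "PII"}), True, False, False, 250_000),
    Asset("fleet-telematics", frozenset({"Vehicle Data"}), True, True, True, 50_000),
    Asset("hr-payroll", frozenset({"PII"}), False, True, True, 2_000),
]
SAMPLE_VULNS = [
    Vulnerability("ecommerce-web", "SQL injection in order search", "high"),
    Vulnerability("fleet-telematics", "default credentials on vendor portal", "medium"),
    Vulnerability("hr-payroll", "missing patches on application server", "medium"),
]
SAMPLE_THREATS = [
    Threat("financially motivated external actor", "high", frozenset({"PCI", "PII"})),
    Threat("third party compromise", "medium", frozenset({"PII", "Vehicle Data"})),
]

if __name__ == "__main__":
    for row in determine_risk(SAMPLE_ASSETS, SAMPLE_VULNS, SAMPLE_THREATS):
        print(f"{row['risk']:6} {row['asset']:17} {row['vulnerability']} <- {row['threat']}")
```

The register that comes out ranks the unencrypted, externally facing cardholder system first (high likelihood, high impact), the payroll system in the middle (regulated data but encrypted and internal), and the telematics platform last (exposed, but its data carries little regulatory impact in this model). The point of the exercise is that the same vulnerability severity lands at different risk levels depending on the asset it sits on and the actors interested in it, which is why the deck treats asset valuation and threat identification as separate steps before risk determination.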

Page 31

Preparedness

Page 32

Data breach preparedness

Common misconceptions

It will never happen to me

Our network is secure

We are not a big company

We don't have any personal information, so we aren't a target

We have never been attacked

Page 33

Improve Data Security

• Reduce sensitive data storage
  – If you don't need the data, do not collect it or accept it
  – If you won't need the data in the future, do not store it
  – Evaluate and reduce the number of authorized storage locations

• Review sensitive data access

• Consider data protection technologies
  – Data leakage prevention (DLP)
  – Data encryption
  – Tokenization

Page 34

Adopt Cybersecurity Control Framework

• Evaluate and adopt a framework
  – NIST Cybersecurity Framework
  – Council for Cybersecurity Critical Security Controls (CSCs)

Page 35

Adopt Cybersecurity Control Framework

Page 36

Manage Third Party Risk

• More regulator and compliance focus on third party risk

• More breaches attributed to third parties:
  – Target
  – Goodwill
  – Jimmy John's
  – Dairy Queen
  – Lowe's
  – AT&T

• Establish program that includes:
  – Initial Due Diligence
  – Engagement Due Diligence
  – Contractual / Procedural Requirements
  – Monitoring

Page 37

Incident Response Planning

• Paradigm shift from "if we get breached" to "when we get breached"

• Need to establish effective detective mechanisms
  – Logging and monitoring
  – Intrusion detection / prevention systems (IDS/IPS)
  – Third party notification contacts
  – Indicators of compromise (IOC) mechanisms / reviews

• Need to establish Incident Response Plan (IRP) that:
  – Identifies roles and escalation / notification
  – Defines the activities and priorities within each response phase
  – Includes containment measures to reduce impact of incident
  – Includes various forms of training and exercises
  – Internal and external communications plans to minimize brand impact
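Of the detective mechanisms listed on this slide, the "indicators of compromise (IOC) mechanisms / reviews" bullet is the one most often left as a manual chore. The following is an added example, not part of the deck or any Grant Thornton tooling: an IOC review that sweeps a batch of outbound proxy log lines against a small indicator set and rolls the matches up per internal host, so that a responder sees which workstation talked to which indicator, how often, and how much data moved. The log format (a simplified squid-style line), the indicator values and the log lines are all constructed for the example and use reserved documentation addresses and names (RFC 5737, RFC 2606); real indicators come from threat intelligence feeds and third party notification contacts.

```python
"""IOC review over outbound proxy logs (added example; the log format, the
indicator set and the log lines below are all constructed)."""

import re
from collections import defaultdict

# Constructed indicator set: a staging domain and an exfiltration host.
IOCS = {
    "domain": {"update-check.example.net"},
    "ip": {"203.0.113.77"},
}

# Constructed log format: timestamp client_ip method url status bytes
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample: two benign requests, one staging download, two uploads.
SAMPLE_LOGS = """\
2015-06-01T09:12:03Z 10.0.5.21 GET https://www.example.com/index.html 200 5120
2015-06-01T09:12:09Z 10.0.5.21 GET https://update-check.example.net/stage2.bin 200 22840
2015-06-01T09:13:44Z 10.0.7.14 POST http://203.0.113.77/upload 200 99120
2015-06-01T09:14:01Z 10.0.5.30 GET https://www.example.org/news 200 3101
2015-06-01T09:15:27Z 10.0.7.14 POST http://203.0.113.77/upload 200 102400
""".splitlines()


def host_of(url: str):
    """Extract the host part of a URL (scheme://host[:port]/...)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1) if m else None


def review_logs(lines, iocs=IOCS) -> list:
    """Return one alert per (client, indicator) pair with hit count, total bytes
    and first-seen timestamp, sorted by client then indicator."""
    hits = defaultdict(lambda: {"type": None, "count": 0, "bytes": 0, "first_seen": None})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # malformed line; in practice count these too
        host = host_of(m["url"])
        if host in iocs["domain"]:
            kind = "domain"
        elif host in iocs["ip"]:
            kind = "ip"
        else:
            continue                      # no indicator matched
        rec = hits[(m["client"], host)]
        rec["type"] = kind
        rec["count"] += 1
        rec["bytes"] += int(m["bytes"])   # rolled-up volume helps triage exfiltration
        rec["first_seen"] = rec["first_seen"] or m["ts"]
    return [{"client": c, "indicator": i, **v} for (c, i), v in sorted(hits.items())]


if __name__ == "__main__":
    for alert in review_logs(SAMPLE_LOGS):
        print(f"{alert['client']} -> {alert['indicator']} ({alert['type']}): "
              f"{alert['count']} hit(s), {alert['bytes']} bytes, first {alert['first_seen']}")
```

On the sample this yields two alerts: one workstation that fetched a file from the staging domain once, and another that posted roughly 200 KB to the indicator IP in two requests. Rolling matches up per client rather than emitting one line per hit is what turns an IOC sweep into something a responder can act on, and the same structure feeds the containment and notification steps of the IRP described above.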

Page 38

Thank you...

Questions?

