Cybersecurity
Addressing Cybersecurity Risk: Protecting Your Business
• Brian Browne
• Managing Director, Business Advisory Services
• Grant Thornton LLP
© 2015 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd
Cybersecurity in 2015
• Current Trends
– Cybersecurity incidents and breaches
– Impact
• Assessing Risk
– Knowing yourself: Identifying and valuing assets
– Knowing yourself: Identifying vulnerabilities
– Knowing the enemy: Understanding threats and attacks
– Determining risk: Coupling assets, vulnerabilities, and threats
• Preparedness is all...vigilance and response
– Improve data security
– Adopt a cybersecurity control framework
– Manage third party risk
– Perform incident response planning
Current Trends
Incidents and Breaches
Ripped from the headlines
Target
Kmart
Staples
Sony
JPMorgan Chase
BeBe Stores
Dairy Queen
Incidents and Breaches
Biggest Data Breaches
Incidents and Breaches
Biggest Data Breaches – Transportation Industry
Incidents and Breaches
Numbers By Industry
"No industry is immune to security failures. Don't let a 'that won't happen to me because I'm too X' attitude catch you napping."
Impacts
Target: $61 million
Neiman Marcus: $4.1 million
eBay: TBD
Sony: $171 million
TJ Maxx: $74.6 million
Impacts
Major non-compliance cost categories
• Regulator fines for non-compliance and/or data breach
• Breach discovery, response, and notification
• Litigation costs
• Lost employee productivity in diverting from daily duties
• Opportunity costs in the form of customer churn / losses
• Reputational damage
Impacts
Cost of a data breach
• Indirect costs – what the company spends on existing internal resources to deal with the data breach, such as data breach notification efforts and investigations of the incident. Also includes the loss of brand value and reputation and customer churn.
• Direct costs – what the company spends to minimize the consequences of a data breach and to assist victims. These costs include engaging forensic experts to help investigate the data breach, hiring a law firm and offering victims identity protection services.
Impacts
Record cost by industry
" . . . heavily regulated industries . . . tend to have a per capita data breach cost substantially above the overall mean of $217."
Impacts
Factors that reduce the cost of a data breach
Assessing Risk
"It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."
- Sun Tzu
Assessing Risk
Confidentiality, Integrity, Availability
• Credit Card Data
• Customer / Privacy Data
• Order / Freight Data
• Vehicle Data
• Logistics Data / Applications
• Maintenance Data / Applications
Assessing Risk
Risk Assessment Methodology
• Identify Assets
• Threat Identification
• Vulnerability Identification
• Impact Analysis
• Risk Determination
Assessing Risk – Identifying Assets
Examples
• Data
– Privacy information (e.g., PII)
– Health information (e.g., ePHI)
– Credit card information (e.g., PCI)
– Financial
– Company sensitive information (e.g., trade secrets)
• Applications
– Externally and customer facing applications
– Internal applications that process sensitive information
– High availability applications
• IT infrastructure
– Servers, databases, network devices
Assessing Risk – Identifying Assets
An Approach
• Business Unit / Department Interviews
– Similar to business impact analysis (BIA) approach for business continuity / disaster recovery (BC/DR)
– Interview knowledgeable business personnel to identify key applications and sensitive data captured / processed
– Map applications and data onto IT infrastructure
– Capture relevant attributes to assign criticality / impact
– Establish initial asset inventory
• Asset Validation
– Leverage initial asset inventory
– Leveraging judgement
• Selectively monitor traffic to/from critical assets to identify "top talkers"
• Selectively scan "top talkers" for sensitive data
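The "top talkers" step above is the only part of asset validation that is mechanical, so here is an added example of it (not from the deck): a short Python script that aggregates flow records by the peers exchanging the most data with the hosts the initial inventory marked critical. The flow-record format (src_ip,dst_ip,dst_port,bytes), the sample records and the critical-asset list are all constructed for this illustration; real NetFlow/IPFIX exports or firewall logs would feed the same aggregation.

```python
"""Find the "top talkers" for a set of critical assets from flow records.

Added example, not from the deck: the asset-validation step says to
selectively monitor traffic to/from critical assets to identify "top
talkers" and then scan those hosts for sensitive data. This shows the
aggregation step over a constructed, simplified flow-record format
(src_ip,dst_ip,dst_port,bytes); real NetFlow/IPFIX or firewall logs would
feed the same logic.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
src_ip,dst_ip,dst_port,bytes
10.1.20.15,10.1.5.10,1433,52000000
10.1.20.15,10.1.5.10,1433,41000000
10.1.30.7,10.1.5.10,1433,200000
10.1.5.10,10.1.40.22,445,8700000
10.1.30.7,10.1.30.8,80,99000000
10.1.20.99,10.1.5.11,3306,3000000
10.1.5.11,10.1.20.99,3306,15000000
192.168.9.4,10.1.5.10,22,12000
"""

# Constructed: hosts the initial asset inventory marked critical
# (e.g., database servers believed to hold card and customer data).
CRITICAL_ASSETS = {"10.1.5.10", "10.1.5.11"}


def top_talkers(flow_csv, critical_assets, limit=3):
    """Rank non-critical peers by bytes exchanged with any critical asset.

    Returns a list of (peer_ip, total_bytes, percent_share) tuples, largest
    first. Flows between two non-critical hosts are ignored (they say nothing
    about the critical assets), and critical-to-critical flows are skipped so
    an asset is not reported as its own talker.
    """
    totals = defaultdict(int)
    for row in csv.DictReader(StringIO(flow_csv)):
        src, dst, nbytes = row["src_ip"], row["dst_ip"], int(row["bytes"])
        if src in critical_assets and dst not in critical_assets:
            totals[dst] += nbytes
        elif dst in critical_assets and src not in critical_assets:
            totals[src] += nbytes
    grand_total = sum(totals.values()) or 1  # avoid division by zero on empty input
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, b, round(100.0 * b / grand_total, 1)) for ip, b in ranked[:limit]]


if __name__ == "__main__":
    # The top entries are the first candidates for a targeted sensitive-data scan.
    for ip, nbytes, share in top_talkers(SAMPLE_FLOWS, CRITICAL_ASSETS):
        print(f"{ip:<15} {nbytes:>12,d} bytes  {share:5.1f}%")
```

On the constructed records, one workstation (10.1.20.15) accounts for over three quarters of all traffic with the critical databases, which is exactly the kind of host the deck suggests scanning next: an unexpected top talker often turns out to be an undocumented copy of the sensitive data.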
Assessing Risk – Valuing Assets
Example risk attributes
• Sensitive data
– Type
– Storage volume
– Storage duration
– Encryption usage and strength
• Access methods and types
– Externally accessible
– Accessible from public locations (e.g., kiosks)
– Mobile
– Third party access
• Numbers
– Users
– Interfaces
– Transactions
Assessing Risk – Threats and Attacks
Incident Type Over Time
Assessing Risk – Threats and Attacks
Incident Type by Threat Actor
Assessing Risk – Threats and Attacks
Incident Type by Industry
Assessing Risk – Vulnerabilities
Assessment Activities to Identify Vulnerabilities
• Vulnerability Assessment
• Penetration Testing
• Perimeter Network and Firewall Review
• Active Directory Assessment
• Web Application Security Assessment
Assessing Risk – Vulnerabilities
Vulnerability Assessment
• Identify vulnerabilities as comprehensively as possible
• No attempt to exploit
• Can be performed externally and/or internally
• Can be performed with no credentials or with administrative credentials
• Typically leverages automated tools
Assessing Risk – Vulnerabilities
Penetration Testing
• Exploit one or more vulnerabilities to gain unauthorized system or data access
• Can be performed externally and/or internally
• Should not be constrained by automated tools results or exploits – should include manual attack methods
• Can include a variety of vectors:
– network
– wireless
– social engineering
– physical
Assessing Risk – Vulnerabilities
Penetration Testing
Assessing Risk – Vulnerabilities
Perimeter Network and Firewall Review
• Review perimeter network architecture
– network ingress and egress points
– third party connectivity
– internal segmentation to complicate a potential attacker's ability to penetrate and restrict unauthorized access
– topology and placement of routers, switches, firewalls, virtual private network (VPN) devices, intrusion detection systems/intrusion prevention systems (IDS/IPS), and gateway security services such as antivirus and authentication services
– appropriateness of demilitarized zones (DMZs) and their method of implementation
• Firewall configuration review
– security features leveraged as effectively as possible
– administration / access
– logging / monitoring
– firewall rules
• default deny inbound and outbound
• most restrictive and manageable configuration possible
• use specific IP subnets, addresses, and/or ports
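The three firewall-rule criteria above can be checked mechanically during a review. The following is an added example (not from the deck) in Python: it parses a constructed, vendor-neutral rule format ("direction action proto src dst dport", with "any" as a wildcard, not any real firewall's syntax), then reports where a ruleset lacks an explicit default deny, permits any-to-any, or permits without naming a specific internal host/subnet and port. Both sample rulesets and the /24 specificity threshold are constructed for the illustration.

```python
"""Review a firewall ruleset against the deck's three rule criteria.

Added example, not from the deck: the ruleset format is a constructed,
vendor-neutral one ("direction action proto src dst dport", with "any" as a
wildcard), not any real firewall's syntax, and both sample rulesets are
constructed. The checks encode the deck's bullets: an explicit default deny
inbound and outbound, no any-to-any permits, and permits that name specific
subnets/addresses and ports.
"""
import ipaddress
from dataclasses import dataclass

# Constructed threshold: a permitted network wider than /24 counts as "not specific".
MAX_SPECIFIC_PREFIX = 24

# Constructed weak ruleset: a troubleshooting rule left in place, broad egress, no default deny.
WEAK_RULES = """
in  allow tcp any        any          any    # "temporary" rule that never got removed
in  allow tcp any        10.0.1.0/24  443
out allow any 10.0.0.0/8 any          any
"""

# Constructed hardened ruleset for the same services.
HARDENED_RULES = """
in  allow tcp any            10.0.1.10/32 443   # public web server
in  allow tcp 203.0.113.0/24 10.0.2.5/32  22    # vendor support subnet, bastion only
in  deny  any any            any          any
out allow tcp 10.0.1.0/24    any          443   # web tier outbound HTTPS only
out allow udp 10.0.1.0/24    10.0.0.53/32 53    # internal resolver
out deny  any any            any          any
"""


@dataclass
class Rule:
    direction: str  # "in" or "out"
    action: str     # "allow" or "deny"
    proto: str
    src: str
    dst: str
    dport: str


def parse_rules(text):
    """Parse the constructed format, ignoring blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(Rule(*line.split()))
    return rules


def is_broad(net):
    """True for 'any' or a prefix wider than the specificity threshold."""
    return net == "any" or ipaddress.ip_network(net, strict=False).prefixlen < MAX_SPECIFIC_PREFIX


def has_default_deny(rules, direction):
    """The last rule for a direction must deny any/any/any (first-match semantics assumed)."""
    chain = [r for r in rules if r.direction == direction]
    return bool(chain) and chain[-1].action == "deny" and (
        chain[-1].src, chain[-1].dst, chain[-1].dport) == ("any", "any", "any")


def review(text):
    """Return a list of findings; an empty list means the ruleset meets all three criteria."""
    rules = parse_rules(text)
    findings = []
    for direction in ("in", "out"):
        if not has_default_deny(rules, direction):
            findings.append(f"no explicit default deny for {direction}bound traffic")
    for n, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any":
            findings.append(f"rule {n}: permits any-to-any")
            continue
        # The side inside the perimeter must be specific: dst for inbound, src for outbound.
        inside = r.dst if r.direction == "in" else r.src
        if is_broad(inside):
            findings.append(f"rule {n}: internal side '{inside}' is not a specific host or subnet")
        if r.dport == "any":
            findings.append(f"rule {n}: permits any destination port")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {len(review(text))} finding(s)")
        for f in review(text):
            print("  -", f)
```

The weak ruleset produces five findings and the hardened one none. The default-deny check assumes first-match semantics, which is why it looks at the last rule in each direction; a reviewer working against a real firewall should confirm the platform's evaluation order before relying on that shortcut.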
Assessing Risk – Vulnerabilities
Active Directory Assessment
• Active Directory (AD) establishes the internal security foundation for most organizations
• Provides central authentication and authorization services
• Allows administrators to assign policies, deploy software, and apply critical updates to an entire organization
• Potential security issues could have systemic implications to the company's IT infrastructure
• Review the following areas:
– Forest and domain design
– AD security
– AD administration
– Group Policy configuration
– Domain controller security and health
– Event logging and monitoring
Assessing Risk – Vulnerabilities
Web Application Security Assessment
• Assesses risks of interactive web applications running on web servers
• Typically will leverage either no credentials or non-privileged (e.g., normal user) credentials
• Common application security control areas that are assessed include, but are not limited to:
– Information leakage
– Identification and authentication
– Authorization and user role management
– Session management
– Input validation and error handling
– Transmission and storage of sensitive data
– Business logic controls
– Auditing and logging capabilities
Assessing Risk – Risk Determination
Putting It All Together
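The risk determination step couples the outputs of the earlier slides: asset impact, threat likelihood and vulnerability exposure. As an added example (not from the deck), the Python below carries that coupling through as a small qualitative calculation and returns a ranked risk register. The 1-5 scales, the combination rules (impact is the worst of an asset's C/I/A ratings, event likelihood is the lower of threat likelihood and vulnerability exposure, and score thresholds for High/Medium/Low) and the sample assets and scenarios are all constructed for illustration; only the asset names echo the deck's transportation examples.

```python
"""Couple assets, threats and vulnerabilities into a ranked risk register.

Added example, not from the deck: the methodology slide (identify assets,
threats and vulnerabilities, analyse impact, determine risk) is shown here as
a small qualitative calculation. The 1-5 scales, the combination rules and the
sample assets and scenarios are constructed for illustration; the asset names
echo the deck's transportation examples.
"""

# Constructed impact ratings (1 low .. 5 severe) per security property.
ASSETS = {
    "Credit Card Data": {"C": 5, "I": 4, "A": 3},
    "Order / Freight Data": {"C": 3, "I": 4, "A": 5},
    "Maintenance Data / Applications": {"C": 2, "I": 3, "A": 3},
}

# Constructed threat/vulnerability pairs: (asset, threat, threat_likelihood,
# vulnerability, exposure). Likelihood and exposure are 1-5.
SCENARIOS = [
    ("Credit Card Data", "external attacker steals card data", 4,
     "card data stored unencrypted", 5),
    ("Credit Card Data", "insider misuses access", 2,
     "excessive database privileges", 3),
    ("Order / Freight Data", "ransomware outage", 4,
     "unpatched file servers", 4),
    ("Maintenance Data / Applications", "storage hardware failure", 3,
     "backups never restore-tested", 3),
]


def asset_impact(ratings):
    """Impact of losing the asset: the worst of its C/I/A ratings (constructed rule)."""
    return max(ratings.values())


def event_likelihood(threat_likelihood, exposure):
    """A threat only matters if a vulnerability lets it through, so the likelihood
    of an actual adverse event is the lower of the two (constructed rule)."""
    return min(threat_likelihood, exposure)


def rating(score):
    """Map a 1-25 score onto a three-level rating (constructed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def risk_register(assets=ASSETS, scenarios=SCENARIOS):
    """Score every coupled scenario and return them highest risk first."""
    register = []
    for asset, threat, t_like, vuln, exposure in scenarios:
        impact = asset_impact(assets[asset])
        likelihood = event_likelihood(t_like, exposure)
        score = likelihood * impact
        register.append({
            "asset": asset, "threat": threat, "vulnerability": vuln,
            "likelihood": likelihood, "impact": impact,
            "score": score, "rating": rating(score),
        })
    return sorted(register, key=lambda e: (-e["score"], e["asset"]))


if __name__ == "__main__":
    for e in risk_register():
        print(f'{e["rating"]:<6} {e["score"]:>2}  {e["asset"]}: '
              f'{e["threat"]} via {e["vulnerability"]}')
```

Two points the register makes that the slide titles alone do not: the same asset (Credit Card Data) appears at two very different risk levels depending on which threat/vulnerability pair it is coupled with, and an availability-driven asset (Order / Freight Data) can rank as high as the card data even though its confidentiality rating is modest.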
Preparedness
Common misconceptions
Data breach preparedness
It will never happen to me
Our network is secure
We are not a big company
We don't have any personal information, so we aren't a target
We have never been attacked
Improve Data Security
• Reduce sensitive data storage
– If you don't need the data, do not collect it or accept it
– If you won't need the data in the future, do not store it
– Evaluate and reduce the number of authorized storage locations
• Review sensitive data access
• Consider data protection technologies
– Data leakage prevention (DLP)
– Data encryption
– Tokenization
Adopt Cybersecurity Control Framework
• Evaluate and adopt a framework
– NIST Cybersecurity Framework
– Council for Cybersecurity Critical Security Controls (CSCs)
Adopt Cybersecurity Control Framework
Manage Third Party Risk
• More regulator and compliance focus on third party risk
• More breaches attributed to third parties:
– Target
– Goodwill
– Jimmy John's
– Dairy Queen
– Lowe's
– AT&T
• Establish program that includes:
– Initial Due Diligence
– Engagement Due Diligence
– Contractual / Procedural Requirements
– Monitoring
Incident Response Planning
• Paradigm shift from "if we get breached" to "when we get breached"
• Need to establish effective detective mechanisms
– Logging and monitoring
– Incident detection / prevention systems (IDS/IPS)
– Third party notification contacts
– Indicators of compromise (IOC) mechanisms / reviews
• Need to establish Incident Response Plan (IRP) that:
– Identifies roles and escalation / notification
– Defines the activities and priorities within each response phase
– Includes containment measures to reduce impact of incident
– Includes various forms of training and exercises
– Includes internal and external communications plans to minimize brand impact
Thank you...
Questions?