Uploaded by dave-whitelegg, 08-Feb-2017
Managing Cyber Risk in the Enterprise
Security Leadership Summit

Dave Whitelegg CISSP
Head of Information Security & Payments, Capita plc
February 2016
The Traditional Information Security Approach

[Chart: Risk Focus of traditional Information Security, plotted as Impact against Frequency]

• Industry Best Practice Information Security
• Traditional ‘out of the box’ ‘Security Focus’ and Controls
Evolving Threat Landscape

[Chart: Risk Focus of Information Security plotted as Impact against Frequency; the attacks below fall outside the traditional focus]

• Attackers are increasingly successful at evading traditional infrastructure-focussed security controls, e.g. DDoS, Zero-Day Exploits, Spear Phishing, Social Engineering, Sophisticated Attacks
• Growing number of Opportunistic Attacks, e.g. Hacktivists, Criminals, Insiders
• The cost of attacks is falling and attacks are easier to perform
Evolution of Information Security

[Chart: Risk Focus plotted as Impact against Probability; Best Practice InfoSec covers the baseline, Risk Based Cyber Security covers the rest]

• ‘One Size’ Security doesn’t fit a ‘diverse’ Enterprise
• Best Practices and InfoSec Policy set a ‘Minimum Enterprise Baseline’ for Security
• Traditional Best Practice InfoSec + Risk Based Cyber Security
Assessing and Managing Cyber Risk

$$\text{Cyber Risk} = F(\text{Likelihood}, \text{Impact}) \quad (*)$$

The model is built from a Target Asset, a Threat Scenario, and a Threat Actor with its Aims, where

$$\text{Likelihood} = F(\text{Vulnerability}, \text{Capability}, \text{Motivation}) \quad (**)$$
Cyber Threat Model

[Diagram: a Threat Actor (characterised by Motivation and Capability) has Aims, which may affect a Target Asset, using a Threat Scenario, causing the Impact in (*). Threat Intelligence feeds the Identification and Categorisation of Threat Actors.]

Threat Model Goals
• Categorises Threats, Assets & Compromise Methodologies
• Measure Cyber Risks
• Identify Mitigating Controls
Cyber Risk: Target Asset
Identifying Critical Assets (Criticality Assessment)

Q. What is the Business Impact from a compromise of this asset?

Informational Assets: a data set or other information source which has critical value to the operation of the business. Compromise of this information asset would have a material impact on the objectives of the business.

Non-Informational Assets
• Physical Infrastructure
• Business Operations & Services
• People

Q. How vulnerable are Target Assets to Threat Actors?
Threat Model: Threat Actors

A Threat Actor’s general aim is to cause a negative business impact and/or a positive personal impact through a compromise of an Asset’s:
• Confidentiality
• Integrity
• Availability
Threat Model: Threats to the Enterprise

[Diagram: Threat Actors surrounding the Enterprise]
• Disgruntled Insider
• Insider Trader
• Press
• Criminal Insider
• State-sponsored hacker
• Researcher
• Whistle Blower
• Private investigator
• Hacktivist
• Accidental Insider
• Criminal
• Third Party
• Criminal Group
• Competitor
• Rogue Trader
Threat Actor Categories (examples)

Criminal
• Lone actor
• Theft of funds/assets
• Financial reward

Accidental Insider
• Friendly insider
• Lack of training
• Stress

State-Sponsored Hacker
• Foreign intelligence-backed hacker
• Customised attacks
• Geopolitical ideology
• Money

Hacktivist
• Like-minded individuals
• Chaotic
• Defacement / DoS
• Political causes
• Fun
Cyber Risk: Measuring Threat Levels

Motivation is the qualitative metric used to relatively categorise the intent and dedication of the Threat Actor: High, Medium, Low.

Capability is the qualitative metric used to relatively categorise the skills and tools available to the Threat Actor: High, Medium, Low.

A Threat Actor’s Threat Level is a function of Capability & Motivation
• It drives the likelihood of a risk occurring, i.e. a capable, motivated Threat Actor seeking to compromise a particular information asset is more likely to succeed

Threat Intelligence: threat levels aren’t static.

[Matrix: Threat Level plotted by Capability against Motivation]
Threat Model: Threat Actor Aims & Threat Scenarios

Aims
• Hacktivist Group wishes to cause embarrassment to client ‘Company A’
  - Disrupt client services
• Criminal Insider is financially motivated to steal customer credit card data for personal gain
• State Sponsored Hacker seeks to destabilise the UK economy
  - Negatively affecting the share price of FTSE 100 companies

Threat Scenarios (specific attack methods with measurable outcomes, i.e. Impact)
• Hacktivist Group DDoS attack on the Data Centre’s Internet-facing connectivity
  - Objective: take down a client’s hosted web service
• Criminal Insider writes down credit card numbers during customer phone call interaction
  - Objective: steal credit card data from the Call Centre, then commit fraud
• State Sponsored DDoS attack on the corporate website at financial year end
  - Objective: prevent release of the company’s annual financial results
Cyber Risk Management

Risk Treatment
• Acceptance and do nothing
• Acceptance with a Contingency Plan (for when it happens)
• Mitigation Plan (Reduce Risk, Avoid, Transfer)

[Diagram: Cyber Risk plotted against Threat Level]
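The slides above define the model in words: Cyber Risk = F(Likelihood, Impact), Likelihood = F(Vulnerability, Capability, Motivation), a Threat Actor's Threat Level as a function of Capability and Motivation, and three treatment options. The following is an added worked example that scores the deck's three threat scenarios with that model and ranks them; it is not the author's or Capita's code. Everything numeric is an assumption for illustration: High/Medium/Low mapped to 3/2/1, each F taken as a product, the treatment thresholds, and every rating given to the sample actors, assets and scenarios.

```python
"""Worked example of the deck's cyber risk model (added here; not the author's code).

Deck formulas:
    Cyber Risk   = F(Likelihood, Impact)                        (*)
    Likelihood   = F(Vulnerability, Capability, Motivation)     (**)
    Threat Level = F(Capability, Motivation)

ASSUMPTIONS (not in the deck): High/Medium/Low -> 3/2/1, each F is a product,
the treatment thresholds in treatment(), and all ratings in the sample data.
"""
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class ThreatActor:
    name: str
    motivation: Level   # intent and dedication of the actor (qualitative)
    capability: Level   # skills and tools available to the actor (qualitative)

    @property
    def threat_level(self) -> int:
        # Threat Level = F(Capability, Motivation); assumed product, range 1..9
        return int(self.capability) * int(self.motivation)


@dataclass(frozen=True)
class TargetAsset:
    name: str
    impact: Level       # business impact of compromise (criticality assessment)


@dataclass(frozen=True)
class ThreatScenario:
    description: str      # specific attack method with a measurable outcome
    actor: ThreatActor
    asset: TargetAsset
    vulnerability: Level  # how exposed the asset is to this actor's method
    affects: str          # which of Confidentiality / Integrity / Availability

    def likelihood(self) -> int:
        # (**) Likelihood = F(Vulnerability, Capability, Motivation); product, 1..27
        return int(self.vulnerability) * self.actor.threat_level

    def risk(self) -> int:
        # (*) Cyber Risk = F(Likelihood, Impact); product, 1..81
        return self.likelihood() * int(self.asset.impact)


def treatment(risk_score: int) -> str:
    """Map a risk score to one of the deck's three treatment options (assumed thresholds)."""
    if risk_score >= 27:
        return "Mitigation Plan (reduce, avoid or transfer)"
    if risk_score >= 9:
        return "Accept with Contingency Plan"
    return "Accept and do nothing"


def rank_scenarios(scenarios: List[ThreatScenario]) -> List[ThreatScenario]:
    """Highest risk first: the ordering that focuses threat intelligence and security effort."""
    return sorted(scenarios, key=lambda s: s.risk(), reverse=True)


def reassess(scenario: ThreatScenario, *, motivation: Optional[Level] = None,
             capability: Optional[Level] = None) -> ThreatScenario:
    """Threat levels aren't static: fold new threat intelligence about the actor
    into the scenario and return a re-scored copy (the original is unchanged)."""
    actor = replace(
        scenario.actor,
        motivation=scenario.actor.motivation if motivation is None else motivation,
        capability=scenario.actor.capability if capability is None else capability,
    )
    return replace(scenario, actor=actor)


# Constructed sample data built from the deck's three scenarios; all ratings are assumptions.
HACKTIVIST = ThreatActor("Hacktivist group", Level.HIGH, Level.MEDIUM)
CRIMINAL_INSIDER = ThreatActor("Criminal insider", Level.HIGH, Level.LOW)
STATE_SPONSORED = ThreatActor("State-sponsored hacker", Level.MEDIUM, Level.HIGH)

SCENARIOS = [
    ThreatScenario("DDoS on data centre internet-facing connectivity",
                   HACKTIVIST, TargetAsset("Client hosted web service", Level.HIGH),
                   vulnerability=Level.MEDIUM, affects="Availability"),
    ThreatScenario("Agent writes down card numbers during customer calls",
                   CRIMINAL_INSIDER, TargetAsset("Customer credit card data", Level.HIGH),
                   vulnerability=Level.HIGH, affects="Confidentiality"),
    ThreatScenario("DDoS on corporate website at financial year end",
                   STATE_SPONSORED, TargetAsset("Corporate website", Level.MEDIUM),
                   vulnerability=Level.LOW, affects="Availability"),
]


if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"risk={s.risk():2d} likelihood={s.likelihood():2d} "
              f"threat_level={s.actor.threat_level} [{s.affects}] "
              f"{s.actor.name}: {s.description} -> {treatment(s.risk())}")
```

With these assumed ratings the hacktivist DDoS scores highest (36) and the criminal insider next (27), both landing in the mitigation band, while the state-sponsored DDoS (12) is accepted with a contingency plan. Calling reassess() with new intelligence (say the state-sponsored actor's motivation rising to High) re-scores that scenario without touching the others, which is the "threat levels aren't static" loop from the Measuring Threat Levels slide.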
Strategic Enterprise Cyber Threat & Risk View

• Focus Threat Intelligence efforts
• Focus Enterprise Security efforts
Enterprise InfoSec keeping pace with Evolving Threats

Continual Process
Questions?
Thank You
Dave Whitelegg
@SecurityExpert
https://www.linkedin.com/in/whitelegg