Date posted: 01-Jul-2018 | Category: Documents | Uploaded by: nguyendang
… and organizations must trust people every day. We have connected our economy and society using platforms designed for sharing information… not protecting it.
Managing the Complexity of Cyber Risks. Copyright © 2016 Deloitte Development LLC. All rights reserved.
State agencies continue to be a target
States collect, share and use large volumes of the most comprehensive citizen information. The large volume of information makes states an attractive target for both organized cyber criminals and hacktivists.
The things states do to connect with and serve citizens more effectively and to become more efficient are the very things that create or exacerbate cyber risk.
States rapidly embrace new technology to better serve constituents efficiently: Cloud, Analytics, Mobile, Online.
Have you anticipated and prepared for the possible outcomes?
It is almost inevitable that your safeguards will fail at some point.
In the private sector, boards increasingly view cyber risk as a first-order business risk. A sound cyber risk program is not simply a cost to the business… it is an integral aspect of achieving successful mission delivery.
• The Deloitte-NASCIO Cybersecurity Study also provides benchmarking data on IT security spending
• Others provide average breach impact data
Use the data wisely….
Globally, the average per-record cost of a data breach is $154, and the average cost of a cyber incident is $3.79M (Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis, May 2015).
Investing in a cyber risk program – Elevate your discussion with agency and state leaders
• Cyber strategy cannot be based solely on preventing the kind of attack you just saw in the news.
• Benchmarking against security spend for your industry may be misleading. Each organization’s cyber risk profile is distinct.
• The costs and impact of a cyber attack may be more far-reaching than common references would indicate. Example: citizen trust impact.
• Improved security controls may not be the most important investment for your organization.
Cyber security vulnerabilities
Elements adding to inefficient cyber risk management:
• Weak change management/ITIL
• Poor patch management
• No asset inventory
• Lack of data classification
• No security framework/enterprise risk management (ERM)
Assessing cyber risks
THREAT MODELING
• What are the possible motives of an attacker?
• What is the implication of a breach within the agency, state and external parties?
ASSET INVENTORY
• Do I know my information assets?
• Where are my high-risk assets?
• Where does sensitive data reside?
SENSITIVE DATA ASSESSMENT
• How should the data be classified?
• What are the data flows of our sensitive systems?
• How should sensitive data be protected?
SECURITY OPERATIONS / ENTERPRISE RISK ASSESSMENT / INCIDENT RESPONSE
• What systems are in place to detect cyber incidents?
• What systems are in place to respond to cyber incidents?
• What systems are in place to manage risks and where are they?
• When an incident occurs, how will my organization respond?
An assessment of the organization’s cybersecurity should evaluate specific capabilities across multiple domains.
Establish a framework (Secure, Vigilant, Resilient) covering:
• Data management and protection
• Secure development life cycle
• Cybersecurity risk and compliance management
• Threat and vulnerability management
• Security operations
• Security awareness and training
• Crisis management and resiliency
• Risk analytics
• Security program and talent management
• Third-party management
• Identity and access management
• Information and asset management
* The Deloitte cybersecurity framework is aligned with industry standards and maps to Cyber Security Framework, NIST, ISO, COSO, and ITIL.
Prevention is no longer adequate… early detection is just as important
Discern: understand the threat landscape and determine which threats your organization needs to protect against.
Detect: implement the appropriate detection mechanisms to discover threats early.
Decide: use the situational awareness and organizational context to comprehensively resolve the threat.
What do you discern from your logs from multiple security devices?
Identify possible business scenarios and run simulation exercises
A range of scenarios can be used to test specific plans, rehearse interactions between teams or functions and challenge assumptions.
Potential use cases:
• Inoperability of public/Internet-facing systems resulting from an extended distributed cyber attack or virus/malware attack.
• A third party handling client data stores that data on systems that are compromised.
• Breach of sensitive customer information (e.g., bank accounts, personal information, credit card information).
• Critical information systems (revenue collections) compromised.
• Targeted attack towards government executives and senior legislators to cause a political impact.
• Infiltration of APTs and insider threats compromising large volumes of customer PII on a long-term basis (e.g.
Collaborate on a resiliency plan…
Resiliency plan elements: Executive crisis management; Legal, risk, & compliance; The plan; Support with technology; Simulate the event; Operations; Cyber education; CIR response team.
…effectively manage what is in your control.
Secure.Vigilant.Resilient.TM
Being SECURE means having risk-prioritized controls to defend critical assets against known and emerging threats.
Being VIGILANT means having threat intelligence and situational awareness to anticipate and identify harmful behavior.
Being RESILIENT means being prepared and having the ability to recover from, and minimize the impact of, cyber incidents.
Cyber Risk Services contact information
Michael Wyatt, Cyber Risk Services State Sector Programs Leader, Deloitte & Touche LLP, @michaelswyatt, www.linkedin.com/in/mikewyatt
Bari Faudree, Cyber Risk Services State Health Leader, Deloitte & Touche LLP
David Mapgaonkar, Cyber Risk Services, Deloitte & Touche LLP
Anatomy of a cyber attack
The lifecycle of a cyber attack involves a progression of several stages (plotted as attack stage against time): Intelligence Collection, Opening the Door, Weapon/Malware Delivery, Maintaining the Back Door, Data is Compromised.
Opening the Door:
• Spear phishing
• Drive-by download
• Software/hardware vulnerabilities
• Third-party compromise
Vectors, tools and impacts shown across the other stages:
• Peer-to-peer networks
• Search engines
• Social engineering
• Data theft
• Data destruction
• Espionage
• Denial of service
• Unauthorized system and network access
• Unmonitored ports
• Misconfigured data loss prevention tools
• Stolen access credentials
• Spyware
• Ransomware
• Rootkit
• Bot
Time to Exploit: Minutes
Time to Discovery: Months or Longer
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or
other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.