Larry Clinton
President & CEO, Internet Security Alliance
email@example.com
703-907-7028 / 202-236-0001
www.isalliance.org
During the Last Minute…
• 45 new viruses
• 200 new malicious web sites
• 180 personal identities stolen
• 5,000 new versions of malware created
• 2 million dollars lost
Advanced Persistent Threat—What is it?
• Well funded
• Well organized, state supported
• Highly sophisticated, NOT “hackers”
• Thousands of custom versions of malware
• Escalate sophistication to respond to defenses
• Maintain their presence and “call home”
• They target vulnerable people more than vulnerable systems
ISA Goals
• Promote thought leadership in the field of cyber security
• Advocate to government for pro-security policies consistent with the ISA mission
• Promote the development and adoption of sound security programs, practices and technologies in the public and private sectors
• Enhance the foundation of the organization
ISAlliance Mission Statement
ISA seeks to integrate advanced technology with business economics and public policy to create a sustainable system of cyber security.
ISA Board of Directors
• Tim McKnight, VP CISO, Northrop Grumman (Board Chair)
• Jeff Brown, VP CISO, Raytheon (Board First Vice Chair)
• Garry McAlum, VP CSO, USAA (Board Second Vice Chair)
• Dr. Pradeep Khosla, Dean, CMU School of Engineering and Computer Science
• Valerie Abend, Bank of New York/Mellon Financial
• Barry Hensley, Dell/SecureWorks
• Lt General (Ret.) Charlie Croom, VP Cyber Security, Lockheed Martin
• Marc Sachs, VP Government Affairs and Homeland Security, Verizon
• Julie Taylor, VP Government Systems, SAIC
• Joe Buonomo, CEO, Direct Computer Resources
• Tom Kelly, Boeing
• JR Reagan, CEO, AVG
• Brian Raymond, Director Security and Technology, NAM
The Internet Changes Everything
• The way our brains function
• Concepts of privacy
• Principles of national defense
• Economics
• Security
Are You Thinking About Security All Wrong?
• Hackers?
• “I’m safe” or “They don’t care about me”
• Breaches?
• Firewalls and passwords?
• Networks?
• Perimeter defense: keep the bad guys out
YOU ARE THINKING ABOUT THIS ALL WRONG
APT
• “The most revealing difference is that when you combat the APT, your prevention efforts will eventually fail. APT successfully compromises any target it desires.” – M-Trends Reports
The APT: Average Persistent Threat
“The most sophisticated, adaptive and persistent class of cyber attacks is no longer a rare event… APT is no longer just a threat to the public sector and the defense establishment… this year significant percentages of respondents across industries agreed that APT drives their organizations’ security spending.” PricewaterhouseCoopers Global Information Security Survey, September 2011
% Who Say APT Drives Their Spending
• 43% Consumer products
• 45% Financial services
• 49% Entertainment and media
• 64% Industrial and manufacturing sector
• 49% Utilities
Source: PWC 2011 Global Information Security Survey
Are we thinking of APT all wrong?
• “Companies are countering the APT principally through virus protection (51%) and either intrusion detection/prevention solutions (27%)” – PWC 2011
• “Conventional information security defenses don’t work vs. APT. The attackers successfully evade all anti-virus, network intrusion and other best practices, remaining inside the target’s network while the target believes they have been eradicated.” – M-Trends Reports 2011
We Are Not Winning
“Only 16% of respondents say their organization’s security policies address APT. In addition, more than half of all respondents report that their organization does not have the core capabilities directly or indirectly relevant to countering this strategic threat.”
Why is this the case?
• The vast majority of Sr. management, and the majority of all employees, are digital immigrants
• Cyber security is not just an “IT” problem
• There are short term economic incentives to be insecure (e.g. VOIP, long supply chains, cloud computing)
• “Insiders” (including lawyers and PR/sales execs) are the single biggest cyber security vulnerability
Technology or Economics?
“Security failure is caused at least as often by bad incentives as by bad technological design… everywhere we look we see online risk allocated poorly… people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code.” Anderson & Moore, “The Economics of Information Security”
Cost Issues: CSIS 2010
• Overall, cost was most frequently cited as “the biggest obstacle to ensuring the security of critical networks.” (p. 14)
• “Making the business case for cybersecurity remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution.” (p. 14)
• “The number one barrier is the security folks who haven’t been able to communicate the urgency well enough and they haven’t actually been able to persuade the decision makers of the reality of the threat.” (p. 14)
• “Making the business case for security could be a challenge – no one wants to pay their insurance bill until the building burns down.”
Cost Issues: PWC 2011
• “Executives worldwide have been reluctant to release funding to support info security.”
• “As spending constraint continues, ‘block and tackle’ security capabilities that took decades to build up are degrading, creating new levels of risk.”
• “Increased risk elevates the importance of security & ongoing cost reduction makes adequate security difficult to achieve.”
• “47% reported decreasing info security spending in 2010, same as in 2009”
Now… the Harsh Reality
• Only 13% of the executives polled by PWC actually had done what is considered to be “adequate” security.
• Most executives didn’t have an overall security strategy, had not reviewed the effectiveness of their strategy, or did not know what types of breaches had hit them in the past 12 months.
• Only 1 in 3 said their companies had a policy for dealing with employee use of social media
There Are Things We Can Do
• Need to take a more strategic approach
• Focus on internal analysis and incident response, i.e. more intel gathering & analysis
• Shut down the low hanging vulnerabilities
• Get serious about effective user training
• Re-architect IT as needed
• Participate in information exchange organizations
Roach Motel: Bugs Get In, Not Out
• No way to stop determined intruders
• Stop them from getting back out (with data) by disrupting the attackers’ command and control channel back out of our networks
• Identify web sites and IP addresses used to communicate with malicious code
• Cut down on the “dwell time” in the network
• Don’t stop attacks; make them less useful
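As an added example (not from the ISA deck, and not ISA’s or any vendor’s code), the Python script below shows the defender’s side of the “Roach Motel” idea in working form: it parses constructed egress proxy log lines, flags destinations that appear on an indicator list of web sites and IP addresses used by malicious code, flags hosts that “call home” at a near-constant interval even when the destination is on no list, and computes the dwell time each flagged channel has been open. The log format, the hostnames and addresses, and the indicator list are all constructed for this example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample egress (web proxy) log: timestamp, source host, destination, bytes sent.
# Hostnames and addresses are made up for this example; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
2012-10-22T09:00:00 ws-17 updates.vendor.test 512
2012-10-22T09:03:15 ws-17 news.site.test 2048
2012-10-22T09:05:00 ws-17 c2.bad-host.test 1024
2012-10-22T09:10:02 ws-17 c2.bad-host.test 1040
2012-10-22T09:14:58 ws-17 c2.bad-host.test 1016
2012-10-22T09:20:00 ws-17 c2.bad-host.test 1030
2012-10-22T09:25:01 ws-17 c2.bad-host.test 1022
2012-10-22T09:07:00 ws-42 mail.corp.test 300
2012-10-22T09:08:00 ws-42 203.0.113.9 65536
2012-10-22T10:30:00 ws-42 203.0.113.9 70000
"""

# Constructed indicator list: destinations already known to be used by malicious code.
# c2.bad-host.test is deliberately NOT on it, to show what the beacon check adds.
BLOCKLIST = {"203.0.113.9", "known-bad.example.test"}


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, bytes) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    events.sort()
    return events


def group_by_pair(events):
    """Index events by (source host, destination); hits stay in time order."""
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in events:
        pairs[(src, dst)].append((ts, nbytes))
    return pairs


def flag_blocklisted(events, blocklist=BLOCKLIST):
    """Step 1: connections to destinations on the indicator list."""
    return sorted({(src, dst) for _, src, dst, _ in events if dst in blocklist})


def detect_beacons(events, min_hits=4, max_jitter=0.10):
    """Step 2: (src, dst) pairs contacted at a near-constant interval.

    A channel with at least min_hits contacts whose inter-arrival times vary by
    no more than max_jitter (standard deviation / mean) looks like malware
    calling home on a timer rather than a person browsing.
    Returns (src, dst, mean interval in seconds) for each such channel.
    """
    beacons = []
    for (src, dst), hits in group_by_pair(events).items():
        if len(hits) < min_hits:
            continue
        times = [t for t, _ in hits]
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.append((src, dst, round(mean)))
    return beacons


def dwell_time(events, pairs):
    """Seconds between first and last contact for each flagged channel."""
    grouped = group_by_pair(events)
    dwell = {}
    for pair in pairs:
        times = [t for t, _ in grouped[pair]]
        dwell[pair] = int((max(times) - min(times)).total_seconds())
    return dwell


def egress_report(text=SAMPLE_LOG):
    """Combine both checks and report how long each flagged channel has been open."""
    events = parse_log(text)
    flagged = set(flag_blocklisted(events))
    flagged |= {(src, dst) for src, dst, _ in detect_beacons(events)}
    flagged = sorted(flagged)
    return {"flagged": flagged, "dwell_seconds": dwell_time(events, flagged)}


if __name__ == "__main__":
    report = egress_report()
    for src, dst in report["flagged"]:
        print(f"{src} -> {dst}: dwell {report['dwell_seconds'][(src, dst)]} s")
```

The beacon check is what makes the indicator list more than a reactive control: the list only catches destinations already known, while the custom malware described on the APT slide will use new ones, and the regularity of its call-home traffic is what gives it away. Tuning min_hits and max_jitter against real traffic sets the false-positive rate; software updaters and monitoring agents also beacon, so the output is an analyst queue, not a block decision, and the dwell figure is the number the slide wants driven down.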
Cyber Insurance: A Brief History
• Traditional Insurance Policies to Cover Business Loss:
  – (1) Business Personal Insurance Policies (first-party loss)
  – (2) Business Interruption Policies
  – (3) Commercial General Liability (CGL) or Umbrella Liability Policies (for damage to third parties)
  – (4) Errors and Omissions Insurance (for Corp. Officers)
• 1970s – Development of specialized policies that typically extended crime insurance to cover against outsiders gaining physical access to computer systems
• 1998 – Advent of Hacker Insurance Policies
• 2000 – Early Forms of Cyber Insurance (1st and 3rd Party) Appear
  – 1st Party – Generally, covers destruction or loss of information assets, internet business interruption, cyber extortion, DDoS loss, PR reimbursement, fraudulent EFTs
  – 3rd Party – Generally, covers claims arising from Internet content, security, tech errors and omissions as well as defense costs
• Post 9/11 – Increased risk (e.g., Code Red, Nimda, Klez, Slammer [2003]), awareness, and regulation (e.g., HIPAA, GLB, SOX, HITECH, CA SB 1386) led to more
State of the Market: Cyber Risk Insurance Providers
• Number of Carriers – Betterly Report survey finds an increase of cyber insurers from 19 in 2010 to 29 in 2011, an increase of over 52%
• Annual U.S. Gross Written Premiums (GWP) – Betterly Report estimates an increase from $600M to $800M over the past survey year, an increase of 33%
• Market Drivers – 3rd Party Privacy Breach Policies
Sources:
Betterly, Richard. “Cyber/Privacy/Media Liability Market Survey – 2011.” The Betterly Report (2011). Web. http://betterley.com/samples/CyberRisk11_nt.pdf
Armin, Jart. “Hackers Take Notice: Cyber-Insurance is on the Rise.” Internet Evolution, 27 June 2011. Web. http://www.internetevolution.com/author.asp?section_id=717&doc_id=230782
Zurich v. Sony
• Basic Facts – April and May intrusions into the Sony PlayStation Network (PSN) and other systems led to Sony temporarily shutting down PSN and possible exposure of personal data of 100M+ users. In May, Sony looked to its CGL policy providers for help paying for the data breach.
• Lawsuit – In July, Zurich, Sony’s CGL insurance provider, filed the above suit against Sony seeking, among other things, indemnification from Sony against its class action suits, arguing that the CGL does not cover cyber attacks.
Cyber Insurance and Public Policy
• 2002 – The National Strategy to Secure Cyber Space – market-based approach, but no need for incentives; policy makers think insurance not ready for prime time
• 2004 – Congress creates the “Corporate Information Security Working Group” with a subgroup on incentives; cyber insurance is advocated
• 2006 – Internet Security Alliance (ISA) issues White Paper, “Using Cyber-Insurance to Improve Cyber-Security: Legislative Solutions for the Insurance Market”; testifies before Commerce and HLS
• 2007 – ANSI & ISA publish The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask, with a chapter devoted to insurance & financial risk management
• 2009 – Citing ISA publications, the Obama Administration’s Cyberspace Policy Review advocates use of market incentives, including cyber insurance
• 2009 – DHS Cross Sector Cyber Security Working Group (all critical sectors) advocates use of cyber insurance
Cyber Insurance and Public Policy (continued)
• 2010 – ISA and ANSI publish follow-up, “The Financial Management of Cyber Risk: An Implementation Framework for CFOs,” which also includes a chapter and discussion of cyber insurance
• 2010 – White House holds spring conference call with insurance industry, academics, and govt. on the use of cyber insurance
• 2010 – Dept. of Commerce issues Notice of Inquiry on economics of cyber security, including requests for information on cyber insurance
• 2011 – U.S. Chamber of Commerce, TechAmerica, Business Software Alliance, Center for Democracy and Technology, and ISA co-author and publish White Paper, Improving our Nation’s Cybersecurity through the Public-Private Partnership, advocating a market-based approach to cybersecurity including the promotion of cyber insurance
• 2011 – Dept. of Commerce publishes its follow-up Green Paper, and asks how insurance can lead to enhanced cyber security
• 2012 – October 22 DHS Conference on how to stimulate the market for first party cyber insurance
50 Questions Every CFO Should Ask (2008)
“It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts.” – President’s Cyberspace Policy Review, May 30, 2009, page 15
ISA-ANSI Project on Financial Risk Management of Cyber Events: “50 Questions Every CFO Should Ask”, including what they ought to be asking their General Counsel and outside counsel. Also, HR, Bus Ops, Public and Investor Communications & Compliance.
ANSI-ISA Program
• Outlines an enterprise-wide process to attack cyber security broadly and economically
• CFO strategies
• HR strategies
• Legal/compliance strategies
• Operations/technology strategies
• Communications strategies
• Risk management/insurance strategies
What the CFO needs to do
• Own the problem
• Appoint an enterprise-wide cyber risk team
• Meet regularly
• Develop an enterprise-wide cyber risk management plan
• Develop an enterprise-wide cyber risk budget
• Implement the plan, analyze it regularly, test and reform based on feedback
Human Resources
• Recruitment
• Awareness
• Remote access
• Compensate for cyber security
• Discipline for bad behavior
• Manage social networking
• Beware of vulnerability, especially from IT and former employees
Legal/Compliance Cyber Issues
• What rules/regulations apply to us and partners?
• Exposure to theft of our trade secrets?
• Exposure to shareholder and class action suits?
• Are we prepared for govt. investigations?
• Are we prepared for suits by customers and suppliers?
• Are our contracts up to date and protecting us?
Operations/IT
• What are our biggest vulnerabilities? Re-evaluate?
• What is the maturity of our information classification systems?
• Are we complying with best practices/standards?
• How good is our physical security?
• Do we have an incident response plan?
• How long till we are back up? Do we want that?
Communications
• Do we have a plan for multiple audiences?
  – general public
  – shareholders
  – Govt./regulators
  – affected clients
  – employees
  – press
Cyber Risk Management Reference Framework
Columns: Before (Govern) – before an incident and as governance programs; During (Respond) – during an incident possibly escalating to a breach; After (Contain) – after a breach involving successful exfiltration.

Board of Directors – What responsibility does the BOD engage in, such as …
• Before: Set an adequate standard of due care governance; Evaluate periodically cyber risk governance effectiveness
• During: Receive breach notifications and updates
• After: Re-evaluate current cyber governance oversight and standard of due care

Audit Committee – What responsibility does the AC engage in, such as …
• Before: Review annual cyber risk management assessment; Issue cyber risk & incident disclosure, as per SEC guidance
• During: Receive risk realization updates; Receive cyber incident consequence updates; Participate in business impact analysis
• After: Re-evaluate standard of due care; Re-evaluate risk tolerance; Re-evaluate cyber risk & incident disclosure

Business (Office of CEO, BU GM) – What responsibility do business stakeholders engage in, such as …
• Before: Set cyber risk tolerance; Participate in defining risk management options; Make cyber risk management decision
• During: Monitor damage to business including revenues, margins, and brand damage
• After: Re-evaluate cyber risk tolerance; Re-evaluate resource allocation for cyber risk management

Financial Stakeholders (e.g., CFO) – What responsibility do financial stakeholders engage in, such as …
• Before: Participate in financial cost/benefit analysis of different risk management options; Define and oversee cyber risk management program; Participate in cyber threat agent analysis
• During: Receive updates as to the cost impact of incident or breach
• After: Re-evaluate risk management options for top cyber agent threats

Risk Management – What responsibility do risk stakeholders engage in, such as …
• Before: Participate in business impact analysis; Measure risk
• During: Monitor breach and cyber risk trends
• After: Evaluate effectiveness of c breach response and cybe
ISA Extended Cyber Risk Management Project: DIB, IT and Financial Services (spring–fall 2012)
• Enterprise-wide Team – All utilize a cross-functional, cross-organizational team to assess and manage risk
• Attention at Highest Levels – This team may have just one layer between it and the Board/CEO, but items they determine to be top items are reported at this level
• CISO Owns Risk Decisions and Decision-making – Within one DIB member, all projects and programs have to be cleared by the CISO, who also determines risk tolerance levels in accordance with Senior Leadership guidance
• Risk Management Approach Utilized – All utilize a risk management approach in which risks are assessed and mapped, and impact and probability are explored; plans are developed, and the highest level of executives and the Board are notified
• Security Awareness Through Internal Testing – Unannounced company-wide tests which are then tied to the incentive system. For one company, such phishing initiatives reduced click-through rates from 5% to 2.5%.
Growth toward Enterprise-wide Cyber Management
• In 2008 only 15% of companies had enterprise-wide risk management teams for privacy/cyber
• In 2011 87% of companies had cross-organizational cyber/privacy teams
• Major firms (E&Y) are now including ISA Financial Risk Management in their enterprise programs
• Even govt. (e.g. DOE) has now adopted these principles for their sector risk management
House GOP Task Force & ISA Policy Positions
ISA Social Contract vs. House GOP Cybersecurity Task Force Recommendations
• ISA: “Menu” of Market Incentives Tied to Voluntary Adoption of Cyber Security Measures | Task Force: “Menu” of Market Incentives Tied to Voluntary Adoption of Cyber Security Measures, p.7
• ISA: Regulation CANNOT Keep Up – By the Time It Is Created, It Is Outdated | Task Force: Regulation CANNOT Keep Up – By the Time It Is Created, It Is Outdated, p.7
• ISA: Streamline Regulation in return for increased voluntary security measures | Task Force: Allow Access to Streamlined Regulation as an Incentive and to Reduce Government Costs, p.8
• ISA: Limited Liability for Good Actors | Task Force: Limited Liability for Good Actors, p.9
• ISA: Utilize Tax Incentives and Tie Grant Funding to Cyber Security | Task Force: Utilize Tax Incentives and Tie Grant Funding to Cyber Security
Senate (Admin) Bill Moves Toward ISA
ISA Policy Positions vs. HSGAC Bill – S.3414
• ISA: The Public-Private Partnership: Codification of the NIPP Framework | S.3414: The Public-Private Partnership: Codification of the NIPP Framework
• ISA: A Voluntary, Incentives-Based Approach | S.3414: A Voluntary, Incentives-Based Approach
• ISA: Liability Incentives – Among other liability incentives, Punitive Damages protections | S.3414: Liability Incentives – Punitive Damages protections
• ISA: Govt Procurement as an incentive toward greater security | S.3414: Procurement Incentives – Collab. examine Govt Procurement as an incentive toward greater security
• ISA: Cost-Benefit Analysis of Suggested Cybersecurity Measures | S.3414: Cost-Benefit Analysis of Suggested Cybersecurity Measures