Pragmatic CyberSecurity and Risk Reduction

218 views

At ClearArmor, we maintain that a fully interconnected approach to Risk Management, CyberSecurity, Audit, Compliance, and Governance is the best approach. Many organizations, however, may not be ready for that journey. In those cases, a pragmatic approach can significantly improve their risk reduction and CyberSecurity postures by building momentum.

Published in: Business
Pragmatic CyberSecurity and Risk Reduction

  1. CyberSecurity And Risk Reduction – Match Effort Expenditure to Expected Results
  2. Introduction (ClearArmor Corporation – Pragmatic CyberSecurity and Risk Reduction)
     Presenter: Bruce Hafner, President, ClearArmor Corporation
     Website: ClearArmor Corporation (https://cleararmor.com)
     Contact Info: info@cleararmor.com
     Genesis for Presentation: Organizations overwhelmingly need to improve their CyberSecurity posture. The single most effective method is to adopt a mature framework such as the NIST CyberSecurity Framework. False starts, limited authority, resource deficiencies, and leadership focus conspire to impede CyberSecurity improvement. Under these circumstances, a pragmatic approach can build momentum. Organizations that are just beginning their Cyber Posture improvement journey may benefit from taking a pragmatic approach to risk reduction.
  3. CyberSecurity & Risk Language Barriers
     Some terms we will be using to bring the conversation forward. Business is from Mars, Technology is from Venus.
  4. Communication – A Cyber & Risk Requirement
     ‘Lead, follow, or get out of the way’ (Lido Anthony Iacocca; General Patton said something like this, and maybe Thomas Paine).
     Some terms that will allow business and technology team members to communicate effectively:
     • Risk – the potential of gaining or losing something of value
     • Risk Mitigation – lessens the impact of a risk event through technology, process, training, etc.
     • Risk Prevention – removes the ability of a specific trigger to cause an impacting event
     • Risk Event – is caused by a trigger and impacts one or more assets, systems, data types, and/or business functions
     • Risk Trigger – what causes a risk event to occur
     • Risk Trigger Probability – the likelihood that a trigger would occur, causing an event that impacts assets
     • Asset Value – assets have value that can be distilled down to financial and other measures
     • Asset Data – the type of data that may be stored, transmitted, or interacted with by people, systems, or processes
     • Asset System – a set of endpoints (servers, storage, network, external systems) that fulfill a need
     • Asset Landscape – systems may consist of various isolated groups (Dev, Test, QA) that serve isolated functionality
     • Asset Endpoint – a system landscape may consist of one or more endpoints
     • Asset Software – distributed to various endpoints; performs some function required by the system
     • Detection – the ability to monitor, report, and alert on an event
     • Detection Tool – a technical or business process that is able to detect a trigger or an impacting event
     • Detection Method – the specifics of how the detection tool identifies the impacting event
     • Trigger Detection – the tools and methods related to detection of a trigger for an impacting event
     • Detection Confidence – the likelihood that a trigger could successfully be monitored
     • Detection Audit – validates that the detection method would be successful
     • Response Scenario – the situation surrounding response to an impacting event
     • Response Roles – the roles required to be engaged during various events
     • Response Team – the team roles, people, vendors, etc. that are required to be involved during a response
     • Response Schedule – identifies the time durations that should elapse from the time of the event to the execution of tasks
     • Response Execution – the actual work items that will be executed by roles/people during the schedule
     • Response Simulation – testing the response through mechanical and/or team collaborative meetings, with all required roles and team members
     • Recovery – of systems, operations, processes, and other areas after an impacting event
     • Recovery Method – how recovery will occur: movement to a DR system, tape restoration, operations relocation
     • Recovery Testing – simulating the method of recovery to validate that the method could successfully occur
     • Recovery Event – the circumstance under which a recovery effort will occur
     • Recovery Point Objective (RPO) – the amount of data expected to be lost
     • Recovery Time Objective (RTO) – the expected time to recover
  5. Understanding of Risk Related Conflict
     Risk is everywhere. Risk can be ignored, accepted, transferred, mitigated, or remediated.
     • Driving a Car vs No Job (mitigated)
     • Babies on Planes vs Injury (accepted)
  6. Results Leading to Risk Reduction
     Identify Risk: What is at risk; Manifestation of risk
     Prioritize Risk: Impact value of risk; Cost to reduce risk
     Risk Event Scenario Planning: Who is involved; When they get involved; Why they get involved; Who does what
     Scenario Simulation: Scheduling table top sessions; Frequency of tests; Results of tests; Improvement of plans
     In some things, an incomplete or immature process method is better than inaction. There is always a more effective way. There is always a less effective way.
  7. Elements to Building Momentum
     • Follow a Process – Create processes you can commit to. Not when convenient, but part of the organizational culture.
     • Prioritize – If everything is Priority 1, nothing is Priority 1.
     • Involve Everyone – Everyone is a participant, at some level.
     • Prepare the Organization
     • Adopt a Standard – You don’t have to boil the ocean to start. You do need to embrace a standard. Change takes deliberate choices. Not difficult, just deliberate.
     • Create a Plan
     • Execute – Treat CyberSecurity and Risk Reduction on par with revenue generation, compliance.
     • Measure & Communicate Along the Way
  8. Selection of a Path to Reducing Risk
     There are a lot of options when structuring a CyberSecurity Program. Frameworks, Compliance Requirements:
     • The Center for Internet Security Critical Security Controls
     • ISO 27001
     • New York State Department for Financial Services Rule 500
     • NIST 800-53 and NIST 800-171
     • The NIST CyberSecurity Framework – A Risk Based Approach
     NIST CSF: Risk Based Approach. Framework of What to Do, Not How to Do it.
     CIS Controls: Technical Approach. More Specific Categories of Activities.
     Various frameworks / controls / regulations have different benefits or compliance requirements.
  9. Starting Point – Both Good and Bad
     (Diagram: the NIST CyberSecurity Framework subcategories, keyed by NIST Function – ID, PR, DE, RS, RC)
     • ID (Identify): ID.AM-1 to ID.AM-6, ID.BE-1 to ID.BE-5, ID.GV-1 to ID.GV-4, ID.RA-1 to ID.RA-6, ID.RM-1 to ID.RM-3, ID.SC-1 to ID.SC-5
     • PR (Protect): PR.AC-1 to PR.AC-6, PR.AT-1 to PR.AT-5, PR.DS-1 to PR.DS-8, PR.IP-1 to PR.IP-12, PR.MA-1 to PR.MA-2, PR.PT-1 to PR.PT-5
     • DE (Detect): DE.AE-1 to DE.AE-5, DE.CM-1 to DE.CM-8, DE.DP-1 to DE.DP-5
     • RS (Respond): RS.RP-1, RS.CO-1 to RS.CO-5, RS.AN-1 to RS.AN-4, RS.MI-1 to RS.MI-3, RS.IM-1 to RS.IM-2
     • RC (Recover): RC.RP-1, RC.IM-1 to RC.IM-2, RC.CO-1 to RC.CO-3
  10. Things to Consider – Leading to Risk and CyberSecurity maturity
     • Pragmatic Risk
     • Assets
     • Detection
     • Recovery
  11. Risk Reduction Requires Team Engagement – Groups needed for success
     Executive: • CEO • GC • CFO • COO
     Technical: • CIO & CISO • Network Team • IT Admin • Service Team
     Business: • Business Heads • Customer Mgmt. • Accounts Mgmt. • Service Team
     Additional: • Facilities • Risk • Audit & Compliance • Board
  12. Risk Reduction Needs Extended Involvement
     3 more groups. Basically Everyone. Internal Staff
  13. Risk Reduction Method – Breaking the plan into achievable steps, with multiple teams
     • Risk Objectives
     • Impacts to Risk Objective
     • What Systems Are Involved? Does the Business know the value of the systems? Does IT know the relationship between Systems, Landscapes, and Endpoints?
     • Identifying Risk Events, Triggers, and Probabilities
     • Calculating the Value of Risk Events
     • Cost of Risk Reduction
     • Identifying Risk Event Mitigations & Remediations
     • Cost vs Value
     • Prioritizing Action
     • Creating Scenario Plans
     • Testing your Plans
  14. Identification of What You are Protecting
     Context for your plan. Ultimately, what are you trying to protect?
     Risk Objectives: Intellectual Property; Reputation; Client Trust
  15. Impacts to Risk Objective – Process Requires Identification Activities
     What functions impact risk objectives? Employee Data can be impacted by:
     • Human Resources
     • Facilities
     • IT Administration
  16. Getting Context – What Business Functions are Involved (Process Identifies Impacted Things)
     Employee Data can be impacted by Human Resources, Facilities, and IT Administration, using these systems:
     • HRIS
     • Payroll
     • 401K
     • Medical Insurance
     • Access Control
     • Annual Review
     • Training Management
  17. Digging Deeper – Bringing in Technical and Subject Matter Experts (Process Identifies Value of Those Things)
     Employee Data can be impacted by Human Resources, Facilities, and IT Administration, using HRIS, Payroll, 401K, Medical Insurance, Access Control, Annual Review, and Training Management.
     System Value:
     • HRIS Outage = $22K / Day
     • HRIS Data Breach = $100K / Incident
  18. Process Identifies Events that Cause Impact
     Identify concerns of events that could impact the organization and what could trigger them.
     Risk Events (Risk ‘A’ Event):
     • Ransomware infects the email system
     • Patient Data is breached and made public
     • Intellectual Property is stolen and published on the Web
     • Client Credit card theft from Web based system
     Risk Triggers (Event 4 could be triggered by):
     • Web App servers – poor internal security
     • Web App Servers not patched
     • Code injected into app
     • Payment processor breach
  19. Process Includes Probability & Likelihood – Trigger Probabilities
     Risk ‘A’ Events: Ransomware infects the email system; Patient Data is breached and made public; Intellectual Property is stolen and published on the Web; Client Credit card theft from Web based system.
     Event 4 could be triggered by: Web App servers – poor internal security; Web App Servers not patched; Code injected into app; Payment processor breach.
     Having annual probabilities of:
     • The organization believes that poor security on Web Applications presents a 2.5% chance of triggering an event in any given year
     • Latency in patching cycles presents a 7.5% chance of triggering an event in any given year
     • A 2% chance that modified code could cause the event is estimated
     • Poor user authentication (used to hack into the web application’s code base) creates a 5% risk of triggering an event
     The systems impacted by risk events drive value calculations.
  20. Process Ties Risk Events to Triggers to Systems – Identify Impact
     Risk ‘A’ Events: Ransomware infects the email system; Patient Data is breached and made public; Intellectual Property is stolen and published on the Web; Client Credit card theft from Web based system.
     Event 4 could be triggered by: Web App servers – poor internal security; Web App Servers not patched; Code injected into app; Payment processor breach.
     And potentially impact these systems: • OrderSys2020
     The systems impacted by risk events help to automate the value of the impact.
  21. Follow a Process – Risk Events Have a Value
     Risk Events have a real financial impact on your organization, direct and indirect.
     Risk Event Cost:
     | System       | Event                                          | Trigger                                  | Probability | Restoration Time (days) | Daily Value | Direct Impact |
     | OrderSys2020 | Client Credit card theft from Web based system | Web App servers – poor internal security | 2.5%        | 1.25                    | $845,000    | $26,406.25    |
     | OrderSys2020 | Client Credit card theft from Web based system | Web App Servers not Patched              | 7.5%        | 1.25                    | $845,000    | $79,218.75    |
     | OrderSys2020 | Client Credit card theft from Web based system | Code injected into app                   | 2%          | 1.25                    | $845,000    | $21,125.00    |
     | OrderSys2020 | Client Credit card theft from Web based system | Payment processor breach                 | 5%          | 1.25                    | $845,000    | $52,812.50    |
     Total Risk Event Value: $179,562.50
     If this event caused an erosion of trust that impacted new orders by .25% (1/4 of 1%) over the next year, based on your $845,000 daily value, that would equate to an indirect impact of $7,710,625.
  22. Identifying Mitigations and Remediations – Mitigation & Remediation Reduces Risk & Impact
     Risk ‘4’ Triggers:
     • Poor Security on the Web Application
     • Unpatched Servers
     • Lack of baselining systems exposes organizations to code modifications going undetected
     • Weak user authentication policies
     Mitigations:
     • Implement code to limit external communications to certain functions
     • Adopt a practice of patching test servers within 1 week, and production servers within 3
     • Implement Dual Factor Authentication on the web application
     Remediations:
     • Technology – Once code changes have passed testing, and prior to migration to production, baseline the system to ensure integrity of the code against a known good image. Validate continuously.
     • Business – No app changes are accepted into production until audit confirms policy has been followed.
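The "baseline the system against a known good image, validate continuously" remediation on this slide is the one trigger in the deck that a short script can demonstrate end to end. The following is an added example, not ClearArmor's code or tooling: it records a SHA-256 manifest of an application tree as the known-good baseline, then re-hashes the tree and reports files that were added, modified or removed. The directory layout, file names and the simulated tampering are all constructed inline so the example runs offline.

```python
"""Code-integrity baselining (added example): record a known-good SHA-256
manifest of an application tree and flag any later drift from it."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large artifacts do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest = {}
    for candidate in sorted(root.rglob("*")):
        if candidate.is_file():
            manifest[candidate.relative_to(root).as_posix()] = sha256_file(candidate)
    return manifest


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify drift: files not in the baseline, files gone, files whose hash changed."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(name for name in shared if baseline[name] != current[name]),
    }


def is_clean(report: dict) -> bool:
    """True when the tree still matches the known-good baseline exactly."""
    return not (report["added"] or report["removed"] or report["modified"])


def demo() -> dict:
    """Build a constructed app tree, baseline it, tamper with it, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "checkout.py").write_text("def charge(card):\n    return True\n")
        (root / "app" / "config.ini").write_text("[payment]\nprocessor = example\n")
        (root / "README.txt").write_text("release 1.0\n")

        baseline = build_baseline(root)  # taken after testing, before production

        # Simulated drift (constructed): one file edited, one dropped in, one deleted.
        (root / "app" / "checkout.py").write_text("def charge(card):\n    return True\n# edited\n")
        (root / "app" / "helper.py").write_text("pass\n")
        (root / "README.txt").unlink()

        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

In practice the baseline manifest would be stored outside the tree it describes (and signed), and the comparison scheduled to run continuously; the comparison logic itself does not change.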
  23. Follow a Process – Risk Events have a Value
     Risk Events have a real financial impact on your organization, direct and indirect.
     Risk Event Cost:
     | System       | Event                                                                                | Trigger                                  | Probability | Restoration Time (days) | Daily Value | Direct Impact |
     | OrderSys2020 | Code injected into the web based customer order system is stealing client credit card information | Poor security on Web Application Servers | 2.5% | 1.25 | $845,000 | $26,406.25 |
     | OrderSys2020 | Code injected into the web based customer order system is stealing client credit card information | Modified Application Code                | 7.5% | 1.25 | $845,000 | $79,218.75 |
     | OrderSys2020 | Code injected into the web based customer order system is stealing client credit card information | Modified application code                | 2%   | 1.25 | $845,000 | $21,125.00 |
     | OrderSys2020 | Code injected into the web based customer order system is stealing client credit card information | Poor user authentication                 | 5%   | 1.25 | $845,000 | $52,812.50 |
     Total Risk Event Value: $179,562.50
     If this event caused an erosion of trust that impacted new orders by .25% (1/4 of 1%) over the next year, based on your $845,000 daily value, that would equate to an indirect impact of $7,710,625.
  24. Follow a Process – Risk Remediation has a Cost
     Risk Events have a real financial impact on your organization, direct and indirect.
     Risk Event Cost:
     | System       | Trigger                                  | Counter Measure                                              | Cost    | Duration |
     | OrderSys2020 | Web App servers – poor internal security | Mitigate – Limit Access                                      | $7,500  | 1 Week   |
     | OrderSys2020 | Web App Servers not Patched              | Mitigate – Force patching policy. Reduce patching latency    | $25,000 | 2 Months |
     | OrderSys2020 | Code injected into app                   | Remediate – Baseline Application Code                        | $12,000 | 2 Weeks  |
     | OrderSys2020 | Payment processor breach                 | Mitigate – Vendor Risk Assessment. Vendor Audit.             | $12,000 | 2 Months |
     | OrderSys2020 | Payment processor breach                 | Transfer – Insurance                                         | $75,000 | 4 Months |
     Total Risk Event Value: $131,500, 4 Months
     Remediations can take multiple paths, by multiple teams, with varying degrees of impact.
  25. Prioritization – Weighing Impact and Probability
     Risk Events are placed on a probability/impact grid:
     • High Probability / High Impact
     • High Probability / Low Impact
     • Low Probability / High Impact
     • Low Probability / Low Impact
  26. Prioritization Through Constraints
     Prioritize by: Impact Value vs Cost; Time; Expertise; Availability; Regulatory.
  27. Scenario Planning – The Plan
     Scenario Plans: The best-laid plans of mice and men often go awry. (Robert Burns)
     What if ‘X’ happened?
     • What would need to be done?
     • Who would need to be involved?
     • By whom?
     • When would it need to be done?
     • And in what order?
  28. Scenario Planning – The What if Plan
     Scenario Plans: The best-laid plans of mice and men often go awry. (Robert Burns)
     What would you do if ‘Y’ also happened?
     • Expected Results Deviate
     • Dependencies Fail
     • Communications Fail
     • Team Members are Unavailable
  29. Scenario Planning – Building the Plan
     Identify Team: • Executive • Legal • Business Line • Technical • Cyber • Vendor • Partner • Client
     Scenario Response Setup: • Overall Objective • Response Steps • Step Objectives • Step Communications • Step Owners • Step Schedule • Step Approver • Re-evaluation of Team • Re-evaluation of Objectives • Re-evaluation of Steps
     Leadership Approves: • Objective • Team • Steps • Communications • Schedules • Role that can call an event • Role that can accept results
  30. Scenario Planning – Testing the Plan
     Tabletop Decisions: • Will the exercise be scheduled • Will the exercise be unscheduled • What data will be recorded • Will the exercise use deviations • Will the exercise remove participants • Will the exercise have time constraints • Will the exercise limit resources • Who will be the scribe
     Run the Exercise: • Call the Event • Assemble the team • Follow the schedule • Follow the steps • Communicate as planned • Simulate tests • Simulate results • Record issues • Lessons Learned • Plan Updates
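Slides 27 to 30 describe a scenario plan as steps with owners, a schedule and an approver, then test it by removing participants and applying time constraints. The block below is an added example, not ClearArmor's planning template: it encodes a small response plan as steps with an owner role, an optional backup role, a duration and dependencies, computes the elapsed time of the plan against an RTO, and reports the steps that would be left without anyone to own them when named people are unavailable (the "Team Members are Unavailable" deviation of slide 28 and the "remove participants" tabletop decision of slide 30). The roster, role names, step names and durations are all constructed for the illustration.

```python
"""Scenario-plan check (added example): elapsed time versus RTO, and which
steps lose their owner when given people are unavailable."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    name: str
    owner_role: str
    backup_role: Optional[str]
    duration_hours: float
    depends_on: Tuple[str, ...] = ()


# Constructed roster: role -> people who can fill it.
ROSTER: Dict[str, List[str]] = {
    "Incident Commander": ["ana"],
    "Technical Lead": ["ben", "cara"],
    "Legal": ["dev"],
    "Communications": ["eve"],
    "Vendor Liaison": ["fay"],
}

# Constructed plan for the deck's "code injected into the order system" event.
PLAN = [
    Step("Call the event", "Incident Commander", None, 0.5),
    Step("Assemble the team", "Incident Commander", "Technical Lead", 1.0, ("Call the event",)),
    Step("Isolate affected web app servers", "Technical Lead", None, 2.0, ("Assemble the team",)),
    Step("Notify payment processor", "Vendor Liaison", "Technical Lead", 1.0, ("Assemble the team",)),
    Step("Assess breach notification duties", "Legal", None, 4.0, ("Assemble the team",)),
    Step("Restore from known-good baseline", "Technical Lead", None, 6.0,
         ("Isolate affected web app servers",)),
    Step("Client communication", "Communications", "Legal", 2.0,
         ("Assess breach notification duties", "Restore from known-good baseline")),
]


def schedule(plan: List[Step]) -> Dict[str, float]:
    """Earliest finish time (hours after the event is called) of every step,
    assuming a step starts as soon as all of its dependencies have finished."""
    steps = {s.name: s for s in plan}
    finish: Dict[str, float] = {}

    def finish_of(name: str) -> float:
        if name not in finish:
            step = steps[name]
            start = max((finish_of(dep) for dep in step.depends_on), default=0.0)
            finish[name] = start + step.duration_hours
        return finish[name]

    for s in plan:
        finish_of(s.name)
    return finish


def elapsed_hours(plan: List[Step]) -> float:
    return max(schedule(plan).values())


def meets_rto(plan: List[Step], rto_hours: float) -> bool:
    """Does the whole plan complete within the Recovery Time Objective?"""
    return elapsed_hours(plan) <= rto_hours


def uncovered_steps(plan: List[Step], roster: Dict[str, List[str]], unavailable) -> List[str]:
    """Steps with nobody left in either the owner role or the backup role."""
    out = set(unavailable)

    def role_covered(role: Optional[str]) -> bool:
        return role is not None and any(p not in out for p in roster.get(role, []))

    return [s.name for s in plan if not (role_covered(s.owner_role) or role_covered(s.backup_role))]


if __name__ == "__main__":
    for name, hours in schedule(PLAN).items():
        print(f"{hours:5.1f}h  {name}")
    print("within 24h RTO:", meets_rto(PLAN, 24))
    print("uncovered if ana is out:", uncovered_steps(PLAN, ROSTER, ["ana"]))
    print("uncovered if ben and cara are out:", uncovered_steps(PLAN, ROSTER, ["ben", "cara"]))
```

The two findings the example produces (the plan cannot even be called if its single Incident Commander is out, and both technical steps stall if the two Technical Leads are out) are exactly the kind of gap a tabletop that "removes participants" is meant to expose before the plan is approved.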