This document provides a high-level comparative analysis of the cybersecurity programs of two organizations: the Hypothetical Government Agency (HGA) and KNC Health Care. It covers their network topologies, critical assets, threat agents, vulnerabilities, attack trees, security budgets, budget analyses, and workforce recommendations. The analysis finds that HGA's security budget is about 4% of its expected benefit, but that HGA needs more focus on data integrity, lifecycle management and auditing. KNC Health Care has more valuable critical assets, spends more, and has a less favourable cost-to-benefit ratio than HGA (0.64 versus 0.043). Workforce recommendations include extending existing roles and hiring new staff for security assessment, audit compliance, and security awareness training.
Security Risk Analysis of KNC
1. HIGH LEVEL COMPARATIVE ANALYSIS
-HGA AND KNC HEALTH CARE-
HARIPRIYA VENKATACHALAPATHY
for Security Risk Management and Assessment- IA 5200
December 10, 2018
CRITICAL ASSETS (value in $; figures from the pie charts and the speaker notes)

CRITICAL ASSETS FOR HGA (Total = $16,500,000)
Financial Resources- $8,000,000 (49%)
Personnel Information- $5,000,000 (30%)
Contract Documents- $2,000,000 (12%)
Business Documents- $1,500,000 (9%)

CRITICAL ASSETS FOR KNC HEALTH CARE (Total = $24,000,000)
Medical Equipment- $10,000,000 (42%)
Protected Health Information- $8,000,000 (33%)
Financial Resources- $5,000,000 (21%)
Contract Documents- $1,000,000 (4%)
THREAT AGENTS (HGA and KNC Health Care)
State Sponsored
Terrorists
Cyber Criminals
Disgruntled Employees
Natural Disasters
Hackers
Competitors

VULNERABILITIES
HGA: Unauthorized Access; Virus Prevention; Accidental Corruption; Network Related
KNC Health Care: Unauthorized Access; Exposure to Phishing Attacks; Misconfigured Access Points; SQL Injection; Unsecured Log Files

EXPLOITATION PROBABILITIES (exploitation probability in %)
HGA- 15%
KNC Health Care- 10%
ATTACK TREES
• Understand attack goals.
• Identify different attack methods.
• Helps to budget.
• The root node is the goal.
• The leaf nodes are the attacks:
• Different leaf nodes show different attack methods.
HGA attack tree (hierarchy reconstructed from the order of the nodes on the slide):
Goal: Disclose financial resources information
• Modify payroll data
  • Erroneous modification
  • Malicious intent
    • Disgruntled employee
    • Malicious attacker
• Erroneous processing of payroll data
  • Improper review of data before commit
  • System error
• Network attacks
  • Denial of Service (service interruption)
  • Sniffing (eavesdropping, man-in-the-middle attacks)
  • Unauthorized access

KNC HEALTH CARE attack tree (same reconstruction):
Goal: Leak sensitive data
• Unauthorized access
  • Unauthorized device usage (staff PDAs, guest wireless devices)
  • Using misconfigured access points
  • Set up rogue access points
  • Data sniffing
• Phishing attacks
  • Spear phishing
  • Whaling
  • Business email compromise
  • Clone phishing
• Compromise legacy systems
• Network-based attacks
  • Denial of Service
  • Eavesdropping (data sniffing, man-in-the-middle)
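The KNC tree above, modelled as an added example (not part of the original deck) to show the arithmetic behind "Helps to budget". The node names are the slide's and the hierarchy follows the order of nodes on the slide; every leaf cost and probability, and the two candidate controls, are constructed placeholders, not figures from the analysis. OR gates combine independent children as 1 - Π(1 - p); the cheapest path is the least-effort route for an attacker, and rank_controls compares how much each candidate control (SETA against the phishing leaves, wireless hardening against the access-point and device leaves) lowers the probability of the root goal, which is the number you weigh against the control's price.

```python
"""Attack-tree arithmetic for the KNC Health Care tree on the slide.

Added example, not part of the original deck. Node names are the slide's;
every cost and probability is a CONSTRUCTED placeholder, not a figure from
the analysis.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    name: str
    children: List["Node"] = field(default_factory=list)
    gate: str = "OR"     # "OR": any one child achieves the node; "AND": all children needed
    cost: float = 0.0    # attacker effort for a leaf (constructed units)
    prob: float = 0.0    # chance a leaf step succeeds (constructed)


def leaf(name: str, cost: float, prob: float) -> Node:
    return Node(name, cost=cost, prob=prob)


def build_knc_tree() -> Node:
    """Root goal and sub-goals as drawn on the slide (hierarchy follows node order)."""
    return Node("Leak sensitive data", [
        Node("Unauthorized access", [
            Node("Unauthorized device usage", [
                leaf("Staff PDAs", 2, 0.30),
                leaf("Guest wireless devices", 1, 0.20)]),
            leaf("Using misconfigured access points", 3, 0.25),
            leaf("Set up rogue access points", 4, 0.15),
            leaf("Data sniffing", 2, 0.10)]),
        Node("Phishing attacks", [
            leaf("Spear phishing", 2, 0.35),
            leaf("Whaling", 3, 0.20),
            leaf("Business email compromise", 4, 0.20),
            leaf("Clone phishing", 2, 0.25)]),
        leaf("Compromise legacy systems", 6, 0.30),
        Node("Network based attacks", [
            leaf("Denial of Service", 3, 0.30),
            Node("Eavesdropping", [
                leaf("Data sniffing", 2, 0.10),
                leaf("Man-in-the-middle", 5, 0.10)])])])


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Least attacker cost to achieve `node`, with the leaves that path uses."""
    if not node.children:
        return node.cost, [node.name]
    sub = [cheapest_path(c) for c in node.children]
    if node.gate == "AND":
        return sum(c for c, _ in sub), [n for _, names in sub for n in names]
    return min(sub, key=lambda t: t[0])


def success_prob(node: Node) -> float:
    """Probability the node is achieved, treating children as independent."""
    if not node.children:
        return node.prob
    ps = [success_prob(c) for c in node.children]
    if node.gate == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    q = 1.0                       # OR gate: 1 - P(every child fails)
    for x in ps:
        q *= 1.0 - x
    return 1.0 - q


def with_control(tree: Node, leaf_names, factor: float) -> Node:
    """Copy of the tree in which the named leaves' success probability is scaled by `factor`."""
    new = copy.deepcopy(tree)
    stack = [new]
    while stack:
        n = stack.pop()
        if not n.children and n.name in leaf_names:
            n.prob *= factor
        stack.extend(n.children)
    return new


# Candidate controls: which leaves they weaken and by how much (constructed).
CONTROLS: Dict[str, Tuple[List[str], float]] = {
    "SETA for all staff": (["Spear phishing", "Whaling",
                            "Business email compromise", "Clone phishing"], 0.5),
    "Wireless hardening": (["Staff PDAs", "Guest wireless devices",
                            "Using misconfigured access points",
                            "Set up rogue access points"], 0.5),
}


def rank_controls(tree: Node, controls=CONTROLS) -> List[Tuple[str, float]]:
    """Controls ordered by how much they reduce the root goal's success probability."""
    base = success_prob(tree)
    scored = [(name, base - success_prob(with_control(tree, set(leaves), f)))
              for name, (leaves, f) in controls.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    tree = build_knc_tree()
    cost, path = cheapest_path(tree)
    print(f"cheapest route to '{tree.name}': cost {cost} via {path}")
    print(f"P(root) = {success_prob(tree):.3f}")
    for name, reduction in rank_controls(tree):
        print(f"{name}: lowers P(root) by {reduction:.3f}")
```

With these placeholder numbers the cheapest route is a guest wireless device, and halving the phishing leaves (the effect SETA is meant to have) lowers the root probability more than halving the wireless leaves does; a real analysis would replace the constructed leaf values with the estimates from the risk assessment and divide each reduction by the control's cost before ranking.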
SECURITY BUDGET

HGA
Total Budget- Approx. $4,000,000 (the line items below sum to $3,963,500)
Administrative- $50,000
OTPs & Digital Signatures- $75,000
SETA- $1,000,000 (25%)
MOU- $500,000
PC Protection- $50,000
Life Cycle Planning- $25,000
Incident Response- $1,000,000 (25%)
Audit Trail- $750,000 (19%)
VPN and DMZ- $13,500
Overall Operational Costs- $500,000

KNC HEALTH CARE
Total Budget- Approx. $8,000,000 (the line items below sum to $8,400,000; the percentages and the budget analysis use the rounded $8,000,000 figure)
Administrative- $500,000
Technical Controls- $1,150,000 (14%)
SETA- $1,500,000 (19%)
Legacy Systems Protection- $2,000,000 (25%)
Incident Response- $1,000,000
Audit Trail- $1,000,000
Lifecycle Management- $750,000
Overall Operational Costs- $500,000
SECURITY BUDGET ANALYSIS

Security Budget Per Category (security budget divided by revenue and by critical-asset value)
                         HGA       KNC Health Care
Per $ Revenue            0.07927   0.05333
Per $ Critical Assets    0.24021   0.33333

Value in $               HGA           KNC Health Care
Security Budget          $3,963,500    $8,000,000
Revenue                  $50,000,000   $150,000,000
Cost of Critical Assets  $16,500,000   $24,000,000

Security Budget per Employee
HGA- $3,963.50 (i.e. about 1,000 employees)
KNC Health Care- $22,222 (i.e. about 360 employees)

Benefit Analysis
Security Risk Improvement
• HGA- $91,363,714
• KNC Health Care- $12,500,000
ROI (risk improvement divided by security budget)
• HGA- 23 (approx.)
• KNC Health Care- 1.56
Cost Benefit Ratio (security budget divided by risk improvement)
• HGA- 0.043
• KNC Health Care- 0.64
CYBERSECURITY WORKFORCE RECOMMENDATIONS FOR HGA
• Extend job role tasks:
  • Verify encryption.
  • Virus scanning programs.
  • Customer service and dedicated help desk.
  • Documentation.
• New security assessor:
  • Oversee procedures.
• New audit compliance regulator:
  • Periodic review.

CYBERSECURITY WORKFORCE RECOMMENDATIONS FOR KNC HEALTH CARE
• Extend job role tasks:
  • DBA and team.
  • Third-party software testing.
• New SETA:
  • For all employees.
• Think about visitor management program and responsibilities:
  • Possibly new roles.
SUMMARY
• HGA:
• Budget is 4% of expected benefit.
• More focus needed on data integrity, lifecycle management and audit trail
mechanism.
• KNC Health Care:
• More valuable critical assets.
• Spends more.
• Less favourable cost-to-benefit ratio than HGA (0.64 versus 0.043).
Speaker Notes
High level comparative analysis between HGA and KNC Health Care network.
Considering difference in industries and nature of work done.
HGA mission: Transfer US govt. funds to individuals as paychecks.
KNC Health Care mission: Provide healthcare to patients in area of Florida, USA.
Note difference in size of organization in terms of employees.
Image Source: An Introduction to Computer Security: The NIST Handbook, Barbara Guttman and Edward A. Roback
Network topology of HGA:
Mix of components owned and operated by HGA and other organizations.
System architecture:
PCs for all/most personnel.
Connected to LAN.
LAN server.
Printer pool.
Router to connect to internet for communication with outside agencies.
Modem pool enabled to allow only e-mailing.
Special console restricted ONLY to admins.
WAN to connect to other agencies- owned and operated by third party telecommunication company under government contract.
Mainframes- federal agency controls it and acts as service provider to HGA under MOU.
Important: Modem pool, Console, WAN
KNC Health Care Network Topology: Generated using Visio, with input from KNC Health Care.
Identify main areas:
Outside access.
Database- sensitive data.
Wireless devices- staff tablets and other PDAs.
Medical equipment:
Most are legacy systems, including diagnostic and surgical equipment.
All controls based on securing these.
Network level:
NIDS.
VPN.
VLAN for administrators- secure.
DB security:
DB roles and groups.
No explicit application security controls.
Wireless security:
Use wireless router within internal network.
MAC address whitelisting. (Caveat: a MAC address is sent in the clear and can be spoofed by anyone who observes an allowed one, so whitelisting should not be the only control on the wireless network.)
Different critical assets for both organizations.
Total cost and top assets listed for both.
HGA:
Financial Resources -$8,000,000
Personnel Information-$5,000,000
Contract Documents-$2,000,000
Business Documents-$1,500,000
KNC Health Care:
Protected Health Information-$8,000,000
Financial Resources-$5,000,000
Medical Equipment-$10,000,000
Contract Documents-$1,000,000
Extensive but not all-inclusive list of threat agents.
HGA threat agents and KNC Health Care threat agents.
Vulnerabilities vary between both:
HGA:
Unauthorized Access
Virus Prevention
Accidental Corruption and Loss of Data
Vulnerabilities Related to Network-Related Attacks
KNC Health Care:
Unauthorized Access
Exposure to Phishing Attacks
Misconfigured Access Points
SQL Injection
Unsecured Log Files
Considering all the critical assets, various threats and agents and the vulnerabilities present in the system, exploitation probabilities are estimated.
HGA- 15%
KNC Health Care- 10%
Even though KNC HC has more expensive assets and faces a greater loss, its exposure to external networks is limited (access is only through the VPN, with no other connections), so its exploitation probability is lower than HGA's.
Attack trees:
Find out various attack goals.
Think from attacker perspective.
Detail all possible attack methods.
The root is the goal.
The child and leaf nodes are the various methods.
Listed attack trees for both HGA and KNC HC.
HGA:
Focus on network-based methods.
KNC:
Phishing and network-based.
Due to high non-technical staff usage.
Not aware of security concerns.
Can be easily fooled.
KNC faces more loss in terms of both asset and vulnerability risk calculations– due to presence of legacy systems, difficult to update and patch.
Budget calculations:
HGA:
Total budget to cover new CISO controls, implement the missing MOT controls, replace modem pool using VPN and zoning the HGA’s network to account for a DMZ is approximately $4m. Security training and awareness, incident response planning and implementing audit trail mechanisms take up 70% of the total budget clearly showing how important these controls are to the HGA and that their implementation is essential for a holistic risk management plan.
Breakdown of costs to implement VPN and DMZ:
VPN Server- $500
Dedicated Server to Implement DMZ- $3,000
Overall Implementation Cost Within HGA- $10,000
--------------------------------------------------------
Total Cost- $13,500
KNC Health Care:
Focus on new technical controls– legacy systems, SETA for ALL employees and protection of legacy systems.
Total budget is $8m approx.
KNC spends more on security to cover controls for its more expensive vulnerabilities and systems.
Spending per dollar of critical assets is about 9 percentage points higher than HGA's ($0.33 vs $0.24).
Spending per employee is about 5.6 times that of HGA ($22,222 vs $3,963.50).
They see a lower ROI (1.56 vs 23).
Their cost-to-benefit ratio (cost divided by benefit) is roughly 15 times HGA's (0.64 vs 0.043), i.e. far less favourable.
HGA sees 96% benefit (1 minus its cost-to-benefit ratio).
KNC sees only 36% benefit.
New recommendations for both.
Important new roles or extend previous job roles.
Cybersecurity Workforce Recommendations:
Hypothetical Government Agency (HGA):
Extend the job role responsibilities to include full encryption of all communication channels, internal and external: All the communication channels serving as points of interaction within the HGA, its departments and between the HGA and the interconnected agencies must be fully encrypted with sufficiently advanced modes of encryption to prevent password sniffing and other attacks based on monitoring the unencrypted, plaintext traffic in these communication channels.
Appoint a separate security assessor to oversee security procedures and controls for portable systems: A separate action plan has to be drawn up to handle the security controls needed for portable systems in addition to the systems at the HGA. These procedures must focus on coming up with a preemptive security plan with regards to the following:
How these mobile devices must be sanitized or encrypted before being used in conjunction with HGA systems.
Data transfer between portable systems and HGA systems.
Quarantine upon possible security incidents.
Disposal of HGA-related data present on these devices.
Include the job roles of virus scanning, implementing and overseeing virus detection and removal programs with the roles relevant to network specialists: The various departments under the HGA should direct all the administrators responsible for handling system security within their departments to install an automated virus scanning, detection and removal program that will solely operate under the control of the administrator and cannot be overridden or modified by end users.
Reinforce customer service roles to aid and manage a dedicated help desk: The HGA should have a separate help desk in place that can dedicatedly help users troubleshoot day-to-day errors. They should also have a dedicated incident management team that monitors, and reviews incidents submitted by the users via an incident resolving interface. This incident management team will respond first to any security breach.
Software developer should also be responsible for creating and maintaining end user documents and user manuals: Every user should be supplied with a proper user manual following extensive training that should be used to further clarify controls in the hardware and/or software during future periods of time. These manuals and documents should be concise, clear and should serve as the primary troubleshooting guide for users before they approach the help desk.
Hire audit compliance regulator to conduct periodic review and accreditation: The HGA should conduct a periodic assessment of the controls and procedures in place to:
Reevaluate the risk considering new threats and vulnerabilities.
Fully integrate new systems into the HGA after a series of tests on said systems.
Keep the risk management plan current and effective.
Keep the risk management plan integrated between the HGA and interconnected organizations.
Keep with a holistic life cycle methodology to implement an effective risk management plan.
KNC Health Care:
All database administrators and the employees on their teams implement the following new policies in addition to their existing job roles and tasks:
Anonymize data wherever possible.
Encrypt all data in all states.
Ensure all data is reviewed before it is entered into the database, by streamlining data entry and having it supervised by an appointed Database Supervisor (which would require the creation of a new role).
Ensure secure software is developed by all third-party software developers by testing in any of the following ways:
Offsite testing at the developer’s site before completing the implementation and deploying in production environment.
Onsite supervised testing and review in the presence of the software development team and its members.
Onsite testing and review by IT team at KNC Health Care.
Update existing network security policies to include an end-to-end provision where data is protected in all the following scenarios:
Data creation.
Data transmission.
Data processing.
Data storage.
Data deletion.
Ensure that this is implemented across all onsite databases and cloud database provisions. Include policies regarding:
Penalties for violations and non-compliance such as denial of access and even termination.
Updates following breaches and/or incidents of non-compliance.
Implement a strong and universal security awareness and training program for ALL the employees at KNC Health Care and not just limited to the employees joining the IT and Networking Department or team:
All employees must undergo 2 weeks of training by authorized network and information security professionals.
Following the training they are required to complete and pass an exam testing their information security knowledge, scoring a minimum of 80% to complete the training program successfully.
This training must be repeated in the following scenarios:
Once every 12 months.
When and if KNC Health Care System components are updated.
Following a security incident/breach.
Implement a visitor management program that transcends isolating guest networks and includes policies that cover physical and environmental controls as well