2. Slides and Material May NOT be Distributed In Any Format Without Written Permission
Copyright Cyber Risk International Ltd - All Rights Reserved
3. Paul C Dwyer
Paul C Dwyer is an internationally recognised information security expert with over
two decades' experience and serves as President of ICTTF International Cyber
Threat Task Force and Co-Chairman of the UK NCA National Crime Agency Industry
Group. He is a certified industry professional by the International Information Systems
Security Certification Consortium (ISC2) and the Information System Audit &
Control Association (ISACA) and was selected for the IT Governance Expert Panel.
Paul is a world leading Cyber Security GRC authority. He has been an advisor to
Fortune 500 companies including law enforcement agencies, military (NATO) and
recently advised DEFCOM UK at Westminster Parliament.
He has worked and trained with organisations such as the US Secret Service,
Scotland Yard, FBI, National Counter Terrorism Security Office (MI5), is approved by
the National Crime Faculty and is a member of the High Tech Crime Network
(HTCN).
Paul C Dwyer CEO
Cyber Risk International
9. What is Cyber Crime?
Cyber crime, or computer crime as it is generally known, is a form of crime where
the Internet or computers are used as a medium or method to commit crime. It
includes hacking, copyright infringement, scams, denial of service attacks, web
defacement and fraud.
10. What is Cyber Warfare?
"actions by a nation-state to penetrate another nation's computers or
networks for the purposes of causing damage or disruption."
• "Digital Infrastructure... Strategic National Asset" - President Barack Obama
• May 2010 - Pentagon - Cybercom
• UK - a cyber-security "operations centre" (GCHQ)
• "Fifth Domain" - The Economist
20. Cyber Statistics
• Cybercrime costs £27 billion a year in the UK
• £1,000 a second
• 170,000 IDs are stolen each year - 1 every three seconds
• Theft of IP £9.2 billion
(pharmaceuticals, biotechnology, electronics, IT and chemicals)
Source: UK Cabinet Office
21. Cybercrime Drivers
It's a business with an excellent economic model.
Other reasons, you name it:
• Technology
• Internet
• Recession
• "A safe crime"
• It's easy to get involved
• Part of Something
22. Progression of Threats
• Last 10 Years from Rudimentary Phishing & 419
• Highly complex underground economy
• Value between 10s and 100s of billions of dollars
• Reason for growth
  - Internet population
  - Incentives
  - Division of labour in market
  - Experts passing knowledge
  - Malicious Tools
• Now some "loose knit" firms and classical mafia style syndicates
24. Crimeware Toolkits
Criminal gangs are creating fake banking apps.
Traditional Banking Trojan kits are attacking mTAN (Transaction Authentication Number):
• Zeus MITMO
• Spitmo (SpyEye)
• Citmo (Carberp)
• Tattanga
New generic mobile kits are being developed independently
of PC kits for Zeus, Ice IX, SpyEye, Citadel, Carberp.
Increasingly industrialized, new distribution channels.
Legit apps used with stolen credentials.
28. Economic Model - the Actors
• User - (Account Credentials)
• Financial Institution
• Supplier
• Acquirer/Middlemen
• Agents
• Carding Forum
• Carders
• Fraudster (Consumer)
• Retailer
• Reshipping / drop zone
• Money Mule
Categories
• Wholesalers
• Retailers
• Independent Contractors
29. Security Testing Apps
• 45 Billion Apps Downloaded
• Gartner: "300 Billion Annually by 2016"
• Majority for Android Market
• Open Season for Malware Writers - 1,200% Increase
• Approx 40,000 Samples - 95% 12 Months Old
30. Results of Testing
• 5% Requested User Permission to Make Call Without User Knowing
• 3% Could Send a Text Message
• "brick" the mobile device
• Nearly 400 could read authentication details from other apps
• R&D Dept for "Bad Guys" - 1 Signature in 2010 for every 2 between 02-09
From PC to Smartphone!
31. Social Media Impact
• Distribution Centres for Malware
• Anonymous - Botnet
• Advertising Revenue Model - Embedded Links
• Leveraging http flows between users (C&C / Distribution)
• Clean Apps - Update to Dirty Apps
IOT Internet of Things
36. Attack phases: Reconnaissance, Weaponisation, Delivery, Exploitation, C2, Lateral Movement, Exfiltration, Maintenance
• Reconnaissance - Bad Guy gathers intelligence about employees and assets
• Weaponisation - chooses weapon from underground forum
• Delivery - targets individual (asset)
• Exploitation - exploit run
• C2 - comms established with Command & Control server
• Lateral Movement - move laterally across network
• Exfiltration - exfiltrate data
• Maintenance - protection / "maint mode"
39. Skills Shortage
Skills: Main obstacle to delivering cyber security
Education system is not providing people with appropriate experience
Immigration is a sensitive subject for governments
40. Reputation is the NEW target
• People have their own ethics and perceptions above those of their employers
• Non verified sources of info
• Guilty until proven innocent
41. CaaS Upgrades to V2.0
• Criminals have huge and diverse talent pool available
• Attacks are becoming more sophisticated and targeted
42. Outsourcing Will Backfire
• Lack of Governance over security providers
• Alignment with business and cyber security strategy
44. BYOC
• Amount of information increasing exponentially
• So is demand for access, anywhere, anytime and from any device
• People already have their own cloud
45. Government and Regulators
• Governments have a role
• They expect organisations to do their part
• Regulations can not keep pace with technology
• Nobody can protect an organisation better than the organisation
46. The Supply Chain
• The supply chain springs a leak as the insider threat comes from outside.
• Closer business relationships lead to unforeseen security challenges
• Increased risk complexity
• Your business information is your supplier's data.
51. Cyber Risks for You
• Tangible Costs
  - Loss of funds
  - Damage to Systems
  - Regulatory Fines
  - Legal Damages
  - Financial Compensation
• Intangible Costs
  - Loss of competitive advantage (Stolen IP)
  - Loss of customer and/or partner trust
  - Loss of integrity (compromised digital assets)
  - Damage to reputation and brand
Quantitative vs. Qualitative
46% Reduction in Profits Following Breach
52. Regulatory and Legal
Your Organisation sits within:
• EU Data Privacy Directive
• EU Network Information Security Directive
• European Convention on Cybercrime
• 400+ Others - 10,000+ Controls - 175 Legal Jurisdictions
53. Responsibility - Convention Cybercrime
All organisations need to be aware of the Convention's
provisions in article 12, paragraph 2:
"ensure that a legal person can be held liable where the
lack of supervision or control by a natural person... has
made possible the commission of a criminal offence
established in accordance with this Convention".
Now Sit Forward!
56. Cyber is a Strategic Issue
Strategic Level (Macro Security): How do cyber attacks affect policies, industry, business decisions?
Operational Level: What kind of policies, procedures and business models do we need?
Technical Level (Micro Security): How can we solve our security problems with technology?
57. Board Room Discussion
• CEO: Loss of market share and reputation; Legal Exposure
• CFO/COO: Audit Failure; Fines and Criminal Charges; Financial Loss
• CIO: Loss of data confidentiality, integrity and/or availability
• CHRO: Violation of employee privacy
• CMO: Loss of customer trust; Loss of brand reputation
Increasingly companies are appointing CROs and CISOs with a direct line to the audit committee.
62. Chuck Georgo
Past Engagements
30+ years public safety and cyber security strategist, business
analyst, systems engineer, and project manager
• North Atlantic Treaty Organization
• Federal Bureau of Investigation
• Naval Criminal Investigative Service
• Boston and New York Police Departments
• Illinois, Washington, Ohio, and Utah State Fusion Centers
• U.S. Navy
Education
• Master's Degree in Public Administration
• Master's Degree in Information Architecture
• Completed competencies, ISO/IEC 27001:2005 Lead Auditor.
63. In the next 30 minutes...
• Scare you a bit
• Give you some insight
• Make you a little mad
• Make you think
• Then it's up to you...
64. Some facts...
• With very minor exception, no one you hire intends to do you
harm on day one.
• Something happens to some of them, at work or home, that
turns them against you.
• And, sadly, you are probably the one to blame for what they
did.
• However, there is something you can do to prevent it from
happening.
• And it has little to do with technology
78. • Lasted 6 weeks, sent to discharge unit - Discharge revoked
79. • Sent to intelligence analyst training at Ft. Huachuca, AZ
80. • Sent to Fort Drum in August 2008; trained for deployment to Iraq
81. • Met boyfriend Tyler Watkins, introduced to Boston hacker community
82. • Two superiors discussed not sending him to Iraq...
"he was a risk to himself and possibly others"
...but shortage of intelligence analysts held sway...
83. • Deployed to Baghdad in October 2009, gained access to multiple classified networks
84. • Working conditions - 14-15 hour shifts in a dimly lit secure room - did not help mental health
87. • On January 24, 2010, he traveled to the U.S. and attended a party at Boston University's hacker space.
88. The Unraveling
• E-mail to MSgt: suffering from gender identity disorder,
attached a photograph of himself dressed as a woman
• Found curled into a fetal position in a storage cupboard, with
a knife at his feet
• Hours later, punched female analyst in the face
• Brigade psychiatrist: recommended discharge, referring to an
"occupational problem and adjustment disorder."
• Finally: was sent to work in the supply office, although his
security clearance remained in place
89. In May 2010, he emailed a mathematician in Boston; told
him he was the source of the "Collateral Murder" video.
90. • Two days later, began chats with Adrian
Lamo, former "grey hat" hacker; this led to
Bradley's arrest
91. • All told, Bradley Chelsea Manning had provided
in excess of 750,000 documents to Wikileaks
96. Behavioral Factors
• Seeks information outside duties? Yes
• Unnecessarily copies material? Yes
• Excessive remote access to network? No
• Accesses network at odd times? Maybe
• Disregards security policies? Yes
• Unreported foreign contact/travel? No
• Unexplained affluence? No
• Suspicious personal contacts? Yes
• Suspicious off-duty interests? Yes
• Overwhelmed by life crises? Yes
• Career/work disappointment? Yes
• Concern that they are being investigated? No
97. BUT WHAT IS MISSING FROM ALL OF THIS?
Where is LEADERSHIP'S responsibility addressed?
98. The Army had many chances to stop him
1. While in basic training
2. While at analyst training
3. When he got to Fort Drum
4. While he was in operational training
5. When he was sent to Iraq
6. In the many counseling sessions
• And, there were probably other times...
99. Who people think is ultimately responsible...
Iron Mountain - PricewaterhouseCoopers Study, March 2012
100. You manage tangible assets like furniture, machinery, and financial instruments...
But, do you devote the same care and attention to your human assets?
102. • Job performance?
• Dealing with personal issues?
• Access to their leaders?
• Security responsibilities?
103. • Authority to do the job?
• Resources to do the job?
• Easy access to info/systems?
• Tools/materials?
• Degrees of freedom?
104. • Do they like their job?
• Is it still a good fit?
• Would they recommend it to others?
• Is their family ok?
• Are they having financial issues?
106. • Is CEO taking responsibility?
• Actively developing sense of loyalty?
• Holding line managers accountable?
• Practicing MBWA?
• Applying good technical measures?
108. • Of 2,031 European office workers surveyed...
• One in three admitted that they had taken or forwarded confidential
information out of the office
109. • One in seven had taken confidential information with them to a new job
110. • Another 31% said they would deliberately remove and share
confidential information if they were fired
111. Bottom line: if we want Johnny to be good...
...we must spend MORE TIME on Johnny!
Address the LEADERSHIP side of the insider threat problem.
112. THANK YOU
Chuck Georgo
USA 011.410.903.6289
152. Switch Gear - How Do We Deal With This
Cyber Risk Framework
154. Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
Protect
• Access Control
• Awareness and Training
• Data Security
• Information Protection Process and Procedures
• Maintenance
• Protective Technology
Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Process
Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements
Recover
• Recovery Planning
• Improvements
• Communications
155. Cyber Security Framework
• Describe Current Cyber Security Posture
• Describe Target State for Cyber Security
• Identify and Prioritise Opportunities for Improvement (RM)
• Assess Progress Towards the Target State
• Foster Communications among internal and external stakeholders
156. Supported By Industry
• Standards
• Guidance
• Best Practices
Pipeline: Aligned with EU Directive on Network Information Security and Data Privacy
157. Getting Buy In
The framework complements, and does not replace,
an organisation's risk management processes and IT
security program.
Organisations can use the framework to identify
opportunities to strengthen and communicate their
management of cyber security risk while aligning
with industry practices.
160. Information
"Information is an asset which, like other important
business assets, has value to an organisation and
consequently needs to be suitably protected"
"...Whatever form the information takes, or means by which it is
shared or stored, it should always be appropriately protected" ISO 27K
Forms of information: Printed, Written, Transmitted, Video / Unified Comms, Web, Verbal, Digitally Stored
161. What can we do with info?
Create / Acquire, Manage, Store / Archive, Share, Search and Mine, Destroy, Process, Transmit, Used (Proper and Improper)
What can happen to it: Corrupt, Lost, Stolen
162. What is information security?
Information security means protecting information and information systems from
unauthorised access, use, disclosure, disruption, modification, perusal, inspection,
recording or destruction.
Information Security rests on People, Processes and Technology.
164. People "Who We Are"
People who use or interact with our Information include:
• Share Holders / Owners
• Management
• Employees
• Business Partners
• Service Providers
• Contractors
• Customers / Clients
• Auditors
165. Processes "What We Do"
Typical processes in an IT Infrastructure could include:
• Helpdesk / Service Management
• Incident Reporting and Management
• Change Requests Process
• Request Fulfilment
• Access Management
• Identity Management
• Service Level / Third-party Services Management
• IT procurement process
166. Technology "What We Use"
• Network Infrastructure:
  - Cabling, Data/Voice Networks and equipment
  - Telecommunications services (PABX), including VoIP services, Video Conferencing
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware
• Intranet and Internet connections
• VPNs and Virtual environments
• Remote access services
• Wireless connectivity
167. ISO 27K defines Information Security as the preservation of the CIA Triad:
Confidentiality: Ensuring that information is accessible only to those authorised to have access
Integrity: Safeguarding the accuracy and completeness of information and processing methods
Availability: Ensuring that authorised users have access to information and associated assets when required
168. Information Security
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimises financial loss
4. Optimises return on investments
5. Increases business opportunities
Business Survival Depends on Information Security
169. What Are Cyber Threats?
Blurred Lines: Cybercrime, Cyber Warfare, Cyber Espionage, Cyber X
Threats vs. Risks
Adversary
170. Security breaches lead to
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative Breaches
• Loss of customer confidence
• Business interruption costs
• Loss of goodwill
171. Some basic definitions
Risk: A possibility that a threat exploits a
vulnerability in an asset and causes damage or loss
to the asset.
Threat: Something that can potentially cause
damage to the organisation, IT Systems or network.
Vulnerability: A weakness in the organisation, IT
Systems, or network that can be exploited by a
threat.
ISMS: Information Security Management System e.g.
ISO 27001
172. Identify Threats
Agent: The catalyst that performs the threat.
• Human
• Machine
• Nature
Motive: Something that causes the agent to act.
• Accidental
• Intentional
• The only agent whose motive can be both accidental and intentional is human
Results: The outcome of the applied threat. The results normally lead to the loss of CIA:
• Confidentiality
• Integrity
• Availability
173. Traditional "Cyber" Threats
• Spam - reportedly 85% of email
• Fraud - most debilitating and destructive; pre-digital controls are not sufficient
• Commercial Espionage - British Airways
• Insider Threats - unauthorised software 78%
• Staff - have decided to leave but have not resigned
• Systems Failures - "Fat Fingers"
174. Risk Factors
• Employees
• External Parties
• Low awareness of security issues
• Growth in networking and distributed computing
• Growth in complexity and effectiveness of hacking tools and viruses
• Natural Disasters e.g. fire, flood, earthquake
• Politics
• Products and Technology Vendors
175. Threat Characteristics
• Automation: the automation of mundane tasks makes Denial of Service attacks and
large scale junk mail possible, just as it enables 100% surveillance of the Internet
communications traffic of any organisation.
• Data collection: digital data requires minimal storage space and is easier to
harvest and manipulate.
• Action at a distance: in cyberspace, the criminal who is targeting your network may
be based in Chechnya, Moldavia or on a Pacific island.
• Propagation: the Web enables ideas, skills and digital tools to be shared around
the world within hours. It also enables techniques to be widely replicated and a
vast array of computers to be linked into any one attack.
176. Categories
• Criminal attacks (fraud, theft and grand larceny, identity theft, hacking, extortion,
phishing, IPR and copyright theft, piracy, brand theft, "spoofing")
• Destructive attacks (cyber-terrorism, hackers, ex-employees, vengeful individuals,
cyber war, cyber-vandals, anarchists, viruses)
• Nerd attacks (Denial of Service attacks, publicity hounds, adware)
• Espionage attacks (data and IPR theft, spyware)
177. Sectors
Each sector has its own niche criminals
• Phishers - consumer financial services
• Industrial spies - IP companies
• (H)Activists - social impact they disapprove of
• Hackers - scalp for prestige
• Cyber terrorists - hurt the west
• Fraudsters - anything to siphon cash
178. Threat Groups
Threats originate with people; there are five distinct groups.
• Criminals (thieves, fraudsters, organised crime)
• Malefactors (hackers, vandals, terrorists, cyber-warriors)
• Spies (commercial and governmental)
• Undesirables (scam artists, spammers, "ethical" hackers)
• The incompetent, or the simply unaware (staff, contractors, customers and other
third parties)
These people are found both inside and outside an organisation and can exert an
influence out of proportion to their numbers.
179. Computer Misuse Legislation
• Computer misuse legislation is relevant in two ways:
  - authorities and organisations can take action under it against cyber-criminals
  - organisations have to ensure they comply with it themselves.
• Directors can be personally accountable for any compliance failures.
181. Responsibility - Convention Cybercrime
All organisations need to be aware of the Convention's provisions in article 12,
paragraph 2:
"ensure that a legal person can be held liable where the lack of supervision or
control by a natural person... has made possible the commission of a criminal
offence established in accordance with this Convention".
In other words, directors can be responsible for offences committed by their
organisation simply because they failed to adequately exercise their duty of care.
187. Progression of Cyber Crime
• Highly complex underground economy
• "America's economy in the 21st century will depend on cyber security." - Barack Obama
• Value over a trillion dollars
• Reason for growth
  - Internet population
  - Incentives
  - Division of labour in market
  - Experts passing knowledge
  - Malicious Tools
  - Recession
• Now some "loose knit" firms and classical mafia style syndicates
188. Summary Risks and Threats
• High User Knowledge of IT Systems
• IP Theft, Sabotage, Misuse
• Virus Attacks
• Systems & Network Failure
• Attack or Hack
• Lack of Documentation
• Lapse in Physical Security
• Natural Calamities & Fire
189. Some "non cyber" examples
Piggy backing through doors
Not closing office doors during confidential conference calls
Leaving print outs and faxes in the print room
190. What are the risks to you?
• Reality - All of the above!
• Weaknesses can come from people, processes or technology
• Clients may be the target
• You can NOT be a weak link in security
• We need to demonstrate and prove we are the best
• Security is a journey NOT a destination
• A management system is about continual improvement
193. Cyber Risk International Training
A CFO asks a CEO
"What happens if we invest in developing our people and then they leave us?"
The CEO says
"What happens if we don't, and they stay?"
194. About Me
• John Byrne
• 25 Years Experience
• Business Owner
• Certified Trainer with IITD
• Training Design
• Training Delivery
• Associate Trainer for CRI in Security Awareness
195. The Effects of Training in an Organisation
Investment in Training improves
• Performance
• Productivity
• Profitability
• Market Share
• Competitiveness
• Employee Morale
• Employee Loyalty
196. The Effects of a Cyber Attack on an Organisation
• Customer Trust
• Customer Confidence
• Resources
• Employee Morale
• Employee Loyalty
• Competitiveness
• Profitability
197. Some Stats
According to the Ponemon Institute 2014 Report
• 40% of Data breaches involved employees or contractors
• Fewer customers remained loyal following a data breach
• Malicious or Criminal attacks increased from 34% to 38%
198. 3 Examples
• December 2013
• 110 Million Compromised Records
• Credit Card and PIN Numbers
• Spear Phishing on employee of Target's Air Conditioning Company
199. Chris Hadnagy
• Employed to do a Social Engineering Audit on a Theme Park Ticketing System
• CEO said it could not be compromised
• Hadnagy went with family to park and asked for a discount voucher to be
printed off; it was an infected PDF
• They were in
200. Crypto Locker
• October 2014
• ABC News Staff were Phished by fake Australia Post e-mails reporting failed delivery
• Staff opened infected attachment
• CryptoLocker Activated
• ABC News 24 Suspends Programming out of Sydney
201. The Weakest Link
• The Human
• Social Engineering / Hacking
• All organisations are open to social engineering attacks
• Raising awareness decreases your risk
202. Security Awareness Workshops / Campaigns
• Bring together the organisation and the employee
• Communicate the threats
• Link Personal, Professional and Organisational Protection
• Increase Morale and Loyalty
203. Thank You - Stay Connected
johnb@cyberriskinternational.com
+353-(0)86 223 9996
@johnjbbyrne
WE IDENTIFY, MITIGATE AND MANAGE CYBER RISKS
Cyber Risk International
Clonmel House - Forster Way - Swords - Co Dublin - Ireland
+353-(0)1- 897 0234
mail@cyberriskinternational.com
www.cyberriskinternational.com
209. Cyber Security Framework
Aim: "Provide a prioritised, flexible, repeatable,
performance based, and cost effective
framework for dealing with cyber security"
212. Getting Buy In
The framework complements, and does not replace,
an organisation's risk management processes and IT
security program.
Your Organisation can use the framework to
identify opportunities to strengthen and
communicate its management of cyber security risk
while aligning with industry practices.
213. Scope
"Covering systems and assets, whether physical or virtual,
vital to Your Organisation that the incapacity or
destruction of such systems and assets would have a
debilitating impact on the key operations of the business"
aka
"Manage cyber security risk for those processes,
information, and systems directly involved in the delivery
of key services in Your Organisation"
215. Overview of Framework
• Risk Based Approach to Managing Cyber Security Risk
• 3 Parts
  - Framework Core
  - Framework Implementation Tiers
  - Framework Profile
216. Framework Core
• Identify
• Protect
• Detect
• Respond
• Recover
Activities, desired outcomes and applicable references.
Provides a high level strategic view of the lifecycle of an
organisation's management of cyber security risk.
220. Framework Implementation Tiers
• Capability Maturity
• Tier 1 - Partial
• Tier 2 - Risk Informed
• Tier 3 - Repeatable
• Tier 4 - Adaptive
Reflects a progression from informal, reactive responses to approaches that are agile
and risk informed.
For tier selection we need to consider RM practices, threat environment, legal and
regulatory requirements, business objectives and organisational constraints.
221. Framework Profile
• Business needs that Your Organisation selects from the categories and sub
categories of the framework.
• Alignment of standards, guidelines, and practices to the framework core.
• Current profile "as is" state can be compared to the "to be" target state.
(Comparison profiles)
• Used to create roadmap
223. RM and The Framework
• Ongoing process of identifying, assessing and responding to risk.
• Likelihood of an event?
• Impact?
• Acceptable Level of Risk? (Tolerance)
• Prioritisation is then possible
• Ability to quantify and communicate adjustments to the program
224. Risk Treatment
• Accept
• Mitigate
• Transfer
• Avoid
Your Organisation's Cyber Security Framework will utilise RM
processes to inform and prioritise decisions. It supports
recurring assessments and validation of business drivers in
order to select appropriate target states.
229. Step 1: Prioritise and Scope
Your Organisation identifies its business/mission objectives and high-level
organisational priorities.
With this information, Your Organisation makes strategic decisions regarding
cybersecurity implementations and determines the scope of systems and assets that
support the selected business line or process.
The Framework can be adapted to support the different business lines or processes
within Your Organisation, which may have different business needs and associated
risk tolerance.
230. Step 2: Orient
Once the scope of the cybersecurity program has been determined for the business
line or process, Your Organisation identifies related systems and assets, regulatory
requirements, and overall risk approach.
Your Organisation then identifies threats to, and vulnerabilities of, those systems
and assets.
231. Step 3: Create a Current Profile
We then develop a Current Profile by indicating which Category and Subcategory
outcomes from the Framework Core are currently being achieved.
232. Step 4: Conduct a Risk Assessment
This assessment could be guided by Your Organisation's overall risk
management process or previous risk assessment activities.
We analyse the operational environment in order to discern the
likelihood of a cybersecurity event and the impact that the event could
have on Your Organisation.
It is important to incorporate emerging risks and threat and
vulnerability data to facilitate a robust understanding of the likelihood
and impact of cybersecurity events.
233. Step 5: Create a Target Profile
We will then create a "Target Profile" that focuses
on the assessment of the Framework Categories
and Subcategories describing Your Organisation's
desired cybersecurity outcomes.
It is common for organisations to also develop their
own additional Categories and Subcategories to
account for unique organisational risks.
234. Step 6: Determine, Analyse and Prioritise Gaps
We then compare the Current Profile and the Target Profile to determine
gaps.
This facilitates creating a prioritised action plan to address those gaps that
draws upon mission drivers, a cost/benefit analysis, and understanding of risk
to achieve the outcomes in the Target Profile.
We can then determine the resources necessary to address the gaps. Using
Profiles in this manner enables Your Organisation to make informed decisions
about cybersecurity activities, supports risk management, and enables
Your Organisation to perform cost-effective, targeted improvements.
235. Step 7: Implement Action Plan
Your Organisation then determines which actions to take in regards to the gaps, if
any, identified in the previous step. It then monitors its current cybersecurity
practices against the Target Profile.
Your Organisation may repeat the steps as needed to continuously assess and improve
its cybersecurity.
Your Organisation may monitor progress through iterative updates to the Current
Profile, subsequently comparing the Current Profile to the Target Profile.
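Steps 3 to 7 above are one procedure: record a Current Profile, assess likelihood and impact, pick a Target Profile, find the gaps, and turn the ones above tolerance into an action plan, then re-measure. The Python below is an added worked example of that procedure and is not code from the deck or from Cyber Risk International. Its assumptions: the subcategory identifiers follow the NIST Cybersecurity Framework naming pattern but the one-line descriptions are paraphrases; the sample profiles, the 1-5 likelihood and impact scores and the tolerance of 8 are constructed; risk is scored as likelihood multiplied by impact; and of the four treatments on the Risk Treatment slide, only "accept" (within tolerance) and "mitigate" (above it) are modelled, since transfer and avoid depend on business decisions the profiles do not capture.

```python
"""Added worked example: Framework Steps 3-7 (Current Profile -> Risk
Assessment -> Target Profile -> Gaps -> Action Plan -> monitoring).
All data below is constructed for illustration."""
from dataclasses import dataclass

# Framework Core outcomes grouped by Function. The identifiers follow the NIST
# CSF naming pattern; the descriptions are short paraphrases, not the official text.
SUBCATEGORIES = {
    "ID.AM-1": "Identify / Asset Management: physical devices inventoried",
    "PR.AC-1": "Protect / Access Control: identities and credentials managed",
    "PR.AT-1": "Protect / Awareness and Training: all users informed and trained",
    "DE.CM-1": "Detect / Continuous Monitoring: network monitored for events",
    "RS.RP-1": "Respond / Response Planning: response plan executed during or after an event",
    "RC.RP-1": "Recover / Recovery Planning: recovery plan executed",
}

# Step 3: Current Profile - which outcomes are achieved today (constructed).
CURRENT_PROFILE = {"ID.AM-1": True, "PR.AC-1": True, "PR.AT-1": False,
                   "DE.CM-1": False, "RS.RP-1": False, "RC.RP-1": True}

# Step 5: Target Profile - desired outcomes (constructed: every outcome selected).
TARGET_PROFILE = {sub: True for sub in SUBCATEGORIES}

# Step 4: Risk Assessment - (likelihood, impact) on a 1-5 scale for the event
# each outcome guards against, plus the organisation's tolerance (all constructed).
RISK = {"ID.AM-1": (2, 3), "PR.AC-1": (4, 5), "PR.AT-1": (4, 4),
        "DE.CM-1": (3, 5), "RS.RP-1": (2, 4), "RC.RP-1": (1, 2)}
TOLERANCE = 8  # scores at or below this are accepted (assumed threshold)


@dataclass
class Gap:
    subcategory: str
    likelihood: int
    impact: int
    score: int
    treatment: str


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = possibility that a threat exploits a vulnerability (likelihood)
    combined with the damage or loss it causes (impact)."""
    return likelihood * impact


def treatment_for(score: int, tolerance: int) -> str:
    """Two of the Risk Treatment options: accept within tolerance, else mitigate.
    (Transfer and avoid are business decisions not modelled here.)"""
    return "accept" if score <= tolerance else "mitigate"


def find_gaps(current: dict, target: dict, risk: dict, tolerance: int = TOLERANCE) -> list:
    """Step 6: a gap is a target outcome not currently achieved; each gap is
    scored and the list is prioritised highest risk first."""
    gaps = []
    for sub, wanted in target.items():
        if wanted and not current.get(sub, False):
            likelihood, impact = risk[sub]
            score = risk_score(likelihood, impact)
            gaps.append(Gap(sub, likelihood, impact, score, treatment_for(score, tolerance)))
    gaps.sort(key=lambda g: g.score, reverse=True)
    return gaps


def action_plan(gaps: list) -> list:
    """Step 7: only gaps whose treatment is not 'accept' become actions."""
    return [g.subcategory for g in gaps if g.treatment != "accept"]


def progress(current: dict, target: dict) -> float:
    """Monitoring: share of Target Profile outcomes the Current Profile achieves."""
    wanted = [sub for sub, w in target.items() if w]
    return sum(1 for sub in wanted if current.get(sub, False)) / len(wanted)


if __name__ == "__main__":
    gaps = find_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK)
    for g in gaps:
        print(f"{g.subcategory}: L{g.likelihood} x I{g.impact} = {g.score} -> {g.treatment}")
    print("Action plan:", action_plan(gaps))
    print("Progress towards target:", progress(CURRENT_PROFILE, TARGET_PROFILE))
```

Run as written, the three open gaps come out in priority order PR.AT-1 (16), DE.CM-1 (15), RS.RP-1 (8); the last sits at the tolerance and is accepted, so the action plan holds two items and progress reads 0.5. Re-running after PR.AT-1 is closed (set it to True in CURRENT_PROFILE) is the iterative Current Profile update Step 7 describes.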