Cyber Executive Briefing
Presenter: Paul C Dwyer
Date: March 26th 2015
Slides and Material May NOT be Distributed In Any Format Without Written Permission
Copyright Cyber Risk International Ltd – All Rights Reserved
Paul C Dwyer
Paul C Dwyer is an internationally recognised information security expert with over
two decades' experience and serves as President of the ICTTF International Cyber
Threat Task Force and Co-Chairman of the UK NCA (National Crime Agency) Industry
Group. He is a certified industry professional of the International Information Systems
Security Certification Consortium (ISC2) and the Information Systems Audit and
Control Association (ISACA) and was selected for the IT Governance Expert Panel.
Paul is a world-leading Cyber Security GRC authority. He has been an advisor to
Fortune 500 companies, as well as law enforcement agencies and the military (NATO), and
recently advised DEFCOM UK at Westminster Parliament.
He has worked and trained with organisations such as the US Secret Service,
Scotland Yard, the FBI and the National Counter Terrorism Security Office (MI5), is approved by
the National Crime Faculty and is a member of the High Tech Crime Network
(HTCN).
Paul C Dwyer CEO
Cyber Risk International
Overview of Cyber Threat Landscape
THE CYBER WORLD AND
THE PHYSICAL ARE INTEGRATED
Cyber fronts in the Ukraine!
Is it War?
What is Cyber Crime?
Cyber crime, or computer crime as it is generally known, is a form of crime where the Internet or computers are used as a medium or method to commit crime. It includes hacking, copyright infringement, scams, denial of service attacks, web defacement and fraud.
What is Cyber Warfare?
“actions by a nation-state to penetrate another nation's computers or
networks for the purposes of causing damage or disruption.”
• “Digital Infrastructure….Strategic National Asset”
President Barack Obama
• May 2010 – Pentagon – Cybercom
• UK - a cyber-security "operations centre” (GCHQ)
• “Fifth Domain” The Economist
Hacktivism? Part of …..
Control of the Internet
What Are Cyber Threats?
Cybercrime – Cyber Warfare – Cyber Espionage – Cyber X
Adversary
What do they Want?
Cyber Statistics
• Cybercrime costs £27 billion a year in the UK
• £1,000 a second
• 170,000 IDs are stolen each year – 1 every three seconds
• Theft of IP £9.2 billion
(pharmaceuticals, biotechnology, electronics, IT and chemicals)
Source: UK Cabinet Office
Cybercrime Drivers
It’s a business with an excellent economic model.
Other reasons, you name it:
• Technology
• Internet
• Recession
• “A safe crime”
• It’s easy to get involved
• Part of Something
Progression of Threats
• Last 10 Years from Rudimentary Phishing & 419
• Highly complex underground economy
• Value between 10’s and 100’s of billions of dollars
• Reason for growth
– Internet population
– Incentives
– Division of labour in market
– Experts passing knowledge
– Malicious Tools
• Now some “loose knit” firms and classical mafia style syndicates
Crimeware Toolkits
Criminal gangs are creating fake banking apps
Traditional Banking Trojan kits are attacking:
mTAN (Transaction Authentication Number)
• Zeus MITMO
• Spitmo (SpyEye)
• Citmo (Carberp)
• Tatanga
New generic mobile kits are being developed independently
of PC kits for Zeus, Ice IX, SpyEye, Citadel, Carberp.
Increasingly industrialized, new distribution channels
Legit apps used with stolen credentials
Underground Stock Exchange
• Categories
– Carding Forums
– Dump Vendors
– Non Carding Forums
Cybercrime – A Business!
Copyright - Paul C Dwyer Ltd - All Rights Reserved
Malspace
Economic Model - the Actors
• User – (Account Credentials)
• Financial Institution
• Supplier
• Acquirer/Middlemen
• Agents
• Carding Forum
• Carders
• Fraudster (Consumer)
• Retailer
• Reshipping / drop zone
• Money Mule
Categories
•Wholesalers
•Retailers
•Independent Contractors
Security Testing Apps
• 45 Billion Apps Downloaded
• Gartner “300 Billion Annually by 2016”
• Majority for Android Market
• Open Season for Malware Writers – 1,200% Increase
• Approx 40,000 Samples – 95% 12 Months Old
Results of Testing
• 5% requested user permission to make a call without the user knowing
• 3% could send a text message
• Could “brick” the mobile device
• Nearly 400 could read authentication details from other apps
• R&D Dept for “Bad Guys” – 1 signature in 2010 for every 2 between 02-09
From PC to Smartphone!
Social Media Impact
• Distribution Centres for Malware
• Anonymous – Botnet
• Advertising Revenue Model – Embedded Links
• Leveraging http flows between users (C&C / Distribution)
• Clean Apps – Update to Dirty Apps
IOT Internet of Things
Cybercriminals are Business People!
What do attacks look like?
I’m not joking!
Hack the Human!
Reconnaissance – Weaponisation – Delivery – Exploitation – C2 – Lateral Movement – Exfiltration – Maintenance
• Reconnaissance: the bad guy gathers intelligence about employees and assets
• Weaponisation: chooses a weapon from an underground forum
• Delivery: targets an individual (asset)
• Exploitation / C2: exploit run, comms established with the command & control server
• Lateral Movement: moves laterally across the network
• Exfiltration: exfiltrates data
• Maintenance: protection – maintenance mode
Predictions
“I think there is a world market for maybe five computers”
Thomas Watson, Chairman of IBM 1943
Skills Shortage
Skills: Main obstacle to delivering cyber security
The education system is not providing people with appropriate experience
Immigration is a sensitive subject for governments
Reputation is the NEW target
• People have their own ethics and perceptions above those of their employers
• Non-verified sources of info
• Guilty until proven innocent
CaaS Upgrades to V2.0
• Criminals have a huge and diverse talent pool available
• Attacks are becoming more sophisticated and targeted
Outsourcing Will Backfire
• Lack of governance over security providers
• Alignment with business and cyber security strategy
Information Leaks
• Lack of classification
• Lack of knowledge of the “true value” of information
BYOC
• Amount of information increasing exponentially
• So is demand for access, anywhere, anytime and from any device
• People already have their own cloud
Government and Regulators
• Governments have a role
• They expect organisations to do their part
• Regulations cannot keep pace with technology
• Nobody can protect an organisation better than the organisation
The Supply Chain
• The supply chain springs a leak as the insider threat comes from outside.
• Closer business relationships lead to unforeseen security challenges
• Increased risk complexity
• Your business information is your supplier's data.
Resilience
Recognise:
Interdependence
Leadership Role Responsibility
Integrating Cyber Risk Management
The BIGGEST one!
The CEO doesn’t get it!
It’s an IT Cyber Security Problem, Right?
Legally It’s a Challenge for the Board!
NO
Cyber Risks for You
• Tangible Costs
– Loss of funds
– Damage to Systems
– Regulatory Fines
– Legal Damages
– Financial Compensation
• Intangible Costs
– Loss of competitive advantage (Stolen IP)
– Loss of customer and/or partner trust
– Loss of integrity (compromised digital assets)
– Damage to reputation and brand
Quantitative vs. Qualitative
46% Reduction in Profits Following Breach
Regulatory and Legal
Your Organisation, at the centre of:
• EU Data Privacy Directive
• EU Network Information Security Directive
• European Convention on Cybercrime
• 400+ others – 10,000+ controls – 175 legal jurisdictions
Responsibility – Convention Cybercrime
All organisations need to be aware of the Convention’s
provisions in article 12, paragraph 2:
‘ensure that a legal person can be held liable where the
lack of supervision or control by a natural person…has
made possible the commission of a criminal offence
established in accordance with this Convention’.
Now Sit Forward!
It can get even worse
Automatic Governance Event
Fundamental Uncertainty
Board Accountability
Are you already compromised?
Operational Level – Strategic Level – Technical Level
Cyber is a Strategic Issue
Macro Security
Micro Security
How do cyber attacks affect policies, industry and business decisions?
What kind of policies, procedures and business models do we need?
How can we solve our security problems with technology?
• CEO: loss of market share and reputation; legal exposure
• CFO/COO: audit failure; fines and criminal charges; financial loss
• CIO: loss of data confidentiality, integrity and/or availability
• CHRO: violation of employee privacy
• CMO: loss of customer trust; loss of brand reputation
Board Room Discussion
Increasingly companies are appointing CRO’s and CISO’s with a direct line to the audit committee.
Corporate Governance – Project Governance – Risk Management – Cyber Governance
Cyber Governance and Risk Management
Cyber Risk: Legal & Compliance – Operational – Technical
Deeper Dive – Cyber Insider
Why can’t Johnny be good?
Chuck Georgo
CRI Associate Consultant
Chuck Georgo
Past Engagements
30+ years public safety and cyber security strategist, business
analyst, systems engineer, and project manager
• North Atlantic Treaty Organization
• Federal Bureau of Investigation
• Naval Criminal Investigative Service
• Boston and New York Police Departments
• Illinois, Washington, Ohio, and Utah State Fusion Centers
• U.S. Navy
Education
• Master’s Degree in Public Administration
• Master’s Degree in Information Architecture
• Completed competencies, ISO/IEC 27001:2005 Lead Auditor.
In the next 30 minutes…
• Scare you a bit
• Give you some insight
• Make you a little mad
• Make you think
• Then it’s up to you….
Some facts…
• With very minor exception, no one you hire intends to do you
harm on day one.
• Something happens to some of them, at work or home that
turns them against you.
• And, sadly, you are probably the one to blame for what they
did.
• However, there is something you can do to prevent it from
happening.
• And it has little to do with technology
Sam Chihlung Yin
Shalin Jhaveri
Jeremy Dieudonne
George Castro
Joseph Pineras
Walter Stephens
Douglas Duchak
Ana Montes
• Born December 1987, Crescent, OK
• Father – Brian; Mother – Susan
• Met while stationed in Wales
• Built first website at 10, writing code by 13
• Always had a mind of his own
• Parents divorced in 2000, moved back to
Wales in 2001 with mother
• Enlisted in U.S. Army, October 2007
• Lasted 6 weeks, sent to discharge unit -
Discharge revoked
• Sent to intelligence analyst training at Ft.
Huachuca, AZ
• Sent to Fort Drum in August 2008; trained
for deployment to Iraq
• Met Boyfriend Tyler Watkins, introduced to
Boston hacker community
• Two superiors discussed not sending him to Iraq…
“he was a risk to himself and possibly others“
…but shortage of intelligence analysts held sway…
• Deployed to Baghdad in October 2009,
gained access to multiple classified
networks
• Working conditions – 14–15 hour shifts in
a dimly lit secure room – did not help
mental health
• First contact with Wikileaks in November 2009
• Posted on Facebook, he felt alone and hopeless
• On January 24, 2010, he traveled to the U.S.
and attended a party at Boston University's
hacker space.
The Unraveling
• E-mail to MSgt: suffering from gender identity disorder,
attached a photograph of himself dressed as a woman
• Found curled into a fetal position in a storage cupboard, with
a knife at his feet
• Hours later, punched female analyst in the face
• Brigade psychiatrist: recommended discharge, referring to an
"occupational problem and adjustment disorder."
• Finally: was sent to work in the supply office, although his
security clearance remained in place
• In May 2010, he emailed a mathematician in Boston; told
him he was the source of the "Collateral Murder" video.
• Two days later, began chats with Adrian
Lamo, former "grey hat" hacker; this led to
Bradley’s arrest
• All told, Bradley Chelsea Manning had provided
in excess of 750,000 documents to Wikileaks
So, what went wrong?
Three classic perspectives
• Personal
• Organizational
• Behavioral
Personal Factors
• Greed or financial need? No
• Anger/revenge? Yes
• Problems at work? Yes
• Ideology/identification? Yes
• Divided loyalty? No
• Adventure/thrill? No
• Vulnerability to blackmail? No
• Ego/self-image? Yes
• Ingratiation? No
• Compulsive/destructive behaviour? Yes
• Family problems? Yes
Organizational Factors
• Access to protected materials? Yes
• Ease of removal? Yes
• Information labeling? Maybe
• Undefined policies? No
• Lax security? Yes
• Personal accountability? Yes
• Stressful environment? Yes
• Insufficient training? No
• Organizational ethics? Maybe
Behavioral Factors
• Seeks information outside duties? Yes
• Unnecessarily copies material? Yes
• Excessive remote access to network? No
• Accesses network at odd times? Maybe
• Disregards security policies? Yes
• Unreported foreign contact/travel? No
• Unexplained affluence? No
• Suspicious personal contacts? Yes
• Suspicious off-duty interests? Yes
• Overwhelmed by life crises? Yes
• Career/work disappointment? Yes
• Concern that they are being investigated? No
BUT WHAT IS MISSING
FROM ALL OF THIS?
Where is LEADERSHIP’S
responsibility addressed?
The Army had many chances to stop him
1. While in basic training
2. While at analyst training
3. When he got to Fort Drum
4. While he was in operational training
5. When he was sent to Iraq
6. In the many counseling sessions
• And, there were probably other times…
Who people think is ultimately responsible…
Iron Mountain – PricewaterhouseCoopers Study, March 2012
You manage tangible assets like furniture,
machinery, and financial instruments…
But, do you devote the same care and
attention to your human assets?
FIVE QUESTIONS FOR CEOS
• Job performance?
• Dealing with personal issues?
• Access to their leaders?
• Security responsibilities?
• Authority to do the job?
• Resources to do the job?
• Easy access to info/systems?
• Tools/materials?
• Degrees of freedom?
• Do they like their job?
• Is it still a good fit?
• Would they recommend it to others?
• Is their family OK?
• Are they having financial issues?
• Reorganization?
• Downsizing/terminations?
• Lack of promotion/bonus?
• Poor line leadership?
• Personal factors?
• Is CEO taking responsibility?
• Actively developing sense of loyalty?
• Holding line managers accountable?
• Practicing MBWA?
• Applying good technical measures?
THINK IT WON’T HAPPEN
TO YOU?
• Of 2,031 European office workers surveyed…
• One in three admitted that they had taken or forwarded confidential information out of the office
• One in seven had taken confidential information with them to a new job
• Another 31% said they would deliberately remove and share confidential information if they were fired
Bottom line: if we want Johnny to be
good…
…we must spend MORE TIME on Johnny!
Address the LEADERSHIP side of the
insider threat problem.
THANK YOU
Chuck Georgo
USA 011.410.903.6289
Show Me an Attack Vector
Frontlines – Attack Scenarios
Ecommerce and Online Payments – Case 1, Case 2, Case 3
Telecommunications – Case 1, Case 2, Case 3
Online Media – Case 1, Case 2, Case 3
High Technology – Case 1, Case 2, Case 3
Retail – Case 1, Case 2, Case 3
Manufacturing – Case 1, Case 2, Case 3
Insurance – Case 1, Case 2, Case 3
Break For Lunch
Switch Gear – How Do We Deal With This
Cyber Risk Framework
Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
Protect
• Access Control
• Awareness and Training
• Data Security
• Information Protection Process and Procedures
• Maintenance
• Protective Technology
Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Process
Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements
Recover
• Recovery Planning
• Improvements
• Communications
Cyber Security Framework
• Describe Current Cyber Security Posture
• Describe Target State for Cyber Security
• Identify and Prioritise Opportunities for
Improvement (RM)
• Assess Progress Towards the Target State
• Foster Communications among internal and
external stakeholders
Supported By Industry
• Standards
• Guidance
• Best Practices
Pipeline: Aligned with EU Directive on Network Information Security and Data Privacy
Getting Buy In
The framework complements, and does not replace, an organisation's risk management processes and IT security program.
Organisations can use the framework to identify opportunities to strengthen and communicate their management of cyber security risk while aligning with industry practices.
Assess – Design – Transform – Sustain
Information
‘Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected’
‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ ISO 27K
Forms of information: Printed – Written – Transmitted – Video / Unified Comms – Web – Verbal – Digitally Stored
What can we do with info?
Create / Acquire – Manage – Store / Archive – Share – Search and Mine – Destroy – Process – Transmit – Used (proper and improper)
Corrupt – Lost – Stolen
What is information security?
Information security means protecting information and information systems from
unauthorised access, use, disclosure, disruption, modification, perusal, inspection,
recording or destruction.
People – Processes – Technology: the components of Information Security
InfoSec Components
People “Who We Are”
People who use or interact with our Information include:
• Share Holders / Owners
• Management
• Employees
• Business Partners
• Service Providers
• Contractors
• Customers / Clients
• Auditors
Processes “What We Do”
Typical process in an IT Infrastructure could include:
• Helpdesk / Service Management
• Incident Reporting and Management
• Change Requests Process
• Request Fulfilment
• Access Management
• Identity Management
• Service Level / Third-party Services Management
• IT procurement process
Technology “What We Use”
• Network Infrastructure:
– Cabling, Data/Voice Networks and equipment
– Telecommunications services (PABX), including VoIP services, Video Conferencing
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware
• Intranet and Internet connections
• VPNs and Virtual environments
• Remote access services
• Wireless connectivity
ISO 27K defines Information Security as the preservation of:
• Confidentiality – ensuring that information is accessible only to those authorised to have access
• Integrity – safeguarding the accuracy and completeness of information and processing methods
• Availability – ensuring that authorised users have access to information and associated assets when required
CIA Triad
Information Security
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimises financial loss
4. Optimises return on investments
5. Increases business opportunities
Business Survival Depends on Information Security
What Are Cyber Threats?
Blurred Lines
Cybercrime – Cyber Warfare – Cyber Espionage – Cyber X
Threats VS. Risks
Adversary
Security breaches lead to
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative Breaches
• Loss of customer confidence
• Business interruption costs
• Loss of goodwill
Some basic definitions
Risk: A possibility that a threat exploits a
vulnerability in an asset and causes damage or loss
to the asset.
Threat: Something that can potentially cause
damage to the organisation, IT Systems or network.
Vulnerability: A weakness in the organisation, IT
Systems, or network that can be exploited by a
threat.
ISMS: Information Security Management System e.g.
ISO 27001
Identify Threats
Agent : The catalyst that performs the threat.
•Human
•Machine
•Nature
Motive : Something that causes the agent to act.
•Accidental
•Intentional
•Only motivating factor that can be both accidental
and intentional is human
Results : The outcome of the applied threat. The
results normally lead to the loss of CIA
•Confidentiality
•Integrity
•Availability
Traditional “Cyber” Threats
• Spam – reportedly 85% of email
• Fraud – most debilitating and destructive, pre digital controls are not
sufficient
• Commercial Espionage – British Airways
• Insider Threats – unauthorised software 78%
• Staff – those who have decided to leave but have not yet resigned
• Systems Failures – “Fat Fingers”
Risk Factors
•Employees
•External Parties
•Low awareness of security issues
•Growth in networking and distributed computing
•Growth in complexity and effectiveness of hacking tools and viruses
•Natural Disasters, e.g. fire, flood, earthquake
•Politics
•Products and Technology Vendors
Threat Characteristics
• Automation: the automation of mundane tasks makes Denial of Service attacks and large-scale junk mail possible, just as it enables 100% surveillance of the Internet communications traffic of any organisation.
• Data collection: digital data requires minimal storage space and is easier to harvest and manipulate.
• Action at a distance: in cyberspace, the criminal who is targeting your network may be based in Chechnya, Moldavia or on a Pacific island.
• Propagation: the Web enables ideas, skills and digital tools to be shared around the world within hours. It also enables techniques to be widely replicated and a vast array of computers to be linked into any one attack.
Categories
• Criminal attacks (fraud, theft and grand larceny, identity theft,
hacking, extortion, phishing, IPR and copyright theft, piracy, brand theft,
‘spoofing’)
• Destructive attacks (cyber-terrorism, hackers, ex-
employees, vengeful individuals, cyber war, cyber-vandals, anarchists, viruses)
• Nerd attacks (Denial of Service attacks, publicity hounds,
adware)
• Espionage attacks (data and IPR theft, spyware)
Sectors
Each sector has its own niche criminals
• Phishers – consumer financial services
• Industrial spies – IP companies
• (H)acktivists – social impact they disapprove of
• Hackers – scalps for prestige
• Cyber terrorists – hurt the West
• Fraudsters – anything to siphon cash
Threat Groups
Threats originate with people; there are five distinct groups.
• Criminals (thieves, fraudsters, organised crime)
• Malefactors (hackers, vandals, terrorists, cyber-warriors)
• Spies (commercial and governmental)
• Undesirables (scam artists, spammers,‘ethical’ hackers)
• The incompetent, or the simply unaware (staff, contractors, customers and other
third parties)
These people are found both inside and outside an
organisation and can exert an influence out of proportion
to their numbers
Computer Misuse Legislation
• Computer misuse legislation is relevant in two ways:
– authorities and organisations can take action under it against cyber-criminals
– organisations have to ensure they comply with it themselves.
• Directors can be personally accountable for any compliance failures.
Regulatory and Legal
Your Organisation, at the centre of:
• EU Data Privacy Directive
• EU Network Information Security Directive
• European Convention on Cybercrime
• 400+ others – 10,000+ controls – 175 legal jurisdictions
Responsibility – Convention Cybercrime
All organisations need to be aware of the Convention’s provisions in article 12,
paragraph 2:
‘ensure that a legal person can be held liable where the lack of supervision or
control by a natural person…has made possible the commission of a criminal
offence established in accordance with this Convention’.
In other words, directors can be responsible for offences committed by their
organisation simply because they failed to adequately exercise their duty of care.
Automatic Governance Event
Fundamental Uncertainty
Board Accountability
Are you already compromised?
It can get even worse
Operational Level – Strategic Level – Technical Level
Cyber is a Strategic Issue
Macro Security
Micro Security
How do cyber attacks affect policies, industry and business decisions?
What kind of policies, procedures and business models do we need?
How can we solve our security problems with technology?
• CEO: loss of market share and reputation; legal exposure
• CFO/COO: audit failure; fines and criminal charges; financial loss
• CIO: loss of data confidentiality, integrity and/or availability
• CHRO: violation of employee privacy
• CMO: loss of customer trust; loss of brand reputation
Board Room Discussion
Increasingly companies are appointing CRO’s and CISO’s with a direct line to the audit committee.
Corporate Governance – Project Governance – Risk Management – Cyber Governance
Cyber Governance and Risk Management
Cyber Risk: Legal & Compliance – Operational – Technical
Progression of Cyber Crime
• Highly complex underground economy
• “America’s economy in the 21st century will depend on cyber security.”
Barack Obama
• Value over a trillion dollars
• Reason for growth
– Internet population
– Incentives
– Division of labour in market
– Experts passing knowledge
– Malicious Tools
– Recession
• Now some “loose knit” firms and classical mafia style syndicates
Summary Risks and Threats
• High user knowledge of IT systems
• IP theft, sabotage, misuse
• Virus attacks
• Systems & network failure
• Attack or hack
• Lack of documentation
• Lapse in physical security
• Natural calamities & fire
Some “non cyber” examples
Piggy backing through doors
Not closing office doors during confidential conference calls
Leaving print outs and faxes in the print room
What are the risks to you?
•Reality - All of the above!
•Weaknesses can come from people, processes or technology
•Clients may be the target
•You can NOT be a weak link in security
•We need to demonstrate and prove we are the best
•Security is a journey NOT a destination
•A management system is about continual improvement
Resilience
Recognise:
Interdependence
Leadership Role Responsibility
Integrating Cyber Risk Management
Humans The Last Line of Defence
Cyber Risk International Training
A CFO asks a CEO
“What happens if we invest in
developing our people and then
they leave us ?”
The CEO Says
“What happens if we Don't, and they
stay ?”
About Me
• John Byrne
• 25 Years Experience
• Business Owner
• Certified Trainer with IITD
• Training Design
• Training Delivery
• Associate Trainer for CRI in Security Awareness
The Effects of Training in an Organisation
Investment in Training improves
• Performance
• Productivity
• Profitability
• Market Share
• Competitiveness
• Employee Morale
• Employee Loyalty
The Effects of a Cyber Attack on an Organisation
• Customer Trust
• Customer Confidence
• Resources
• Employee Morale
• Employee Loyalty
• Competitiveness
• Profitability
Some Stats
According to the Ponemon Institute 2014 Report
• 40% of data breaches involved employees or contractors
• Fewer customers remained loyal following a data breach
• Malicious or criminal attacks increased from 34% to 38%
3 Examples
• December 2013
• 110 Million Compromised Records
• Credit Card and PIN Numbers
• Spear Phishing of an employee of Target's Air Conditioning Company
Chris Hadnagy
• Employed to do a Social Engineering Audit on a Theme Park Ticketing System
• CEO said it could not be compromised
• Hadnagy went with family to the park and asked for a discount voucher to be printed off; it was an infected PDF
• They were in
CryptoLocker
• October 2014
• ABC News staff were phished by fake Australia Post e-mails reporting failed delivery
• Staff opened infected attachment
• CryptoLocker activated
• ABC News 24 suspends programming out of Sydney
The Weakest Link
• The Human
• Social Engineering / Hacking
• All organisations are open to social engineering attacks
• Raising awareness decreases your risk
Security Awareness Workshops / Campaigns
• Bring together the organisation and the employee
• Communicate the threats
• Link Personal, Professional and Organisational Protection
• Increase Morale and Loyalty
Thank You – Stay Connected
johnb@cyberriskinternational.com
+353-(0)86 223 9996
@johnjbbyrne
WE IDENTIFY, MITIGATE AND MANAGE CYBER RISKS
Cyber Risk International
Clonmel House – Forster Way – Swords – Co Dublin – Ireland
+353-(0)1- 897 0234
mail@cyberriskinternational.com
www.cyberriskinternational.com
Cyber Intelligence
Cyber Security Framework – Putting it Together
Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
Protect
• Access Control
• Awareness and Training
• Data Security
• Information Protection Process and Procedures
• Maintenance
• Protective Technology
Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Process
Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements
Recover
• Recovery Planning
• Improvements
• Communications
Cyber Security Framework
Aim: “Provide a prioritised, flexible, repeatable,
performance based, and cost effective
framework for dealing with cyber security”
Cyber Security Framework
• Describe Current Cyber Security Posture
• Describe Target State for Cyber Security
• Identify and Prioritise Opportunities for
Improvement (RM)
• Assess Progress Towards the Target State
• Foster Communications among internal and
external stakeholders
Supported By Industry
• Standards
• Guidance
• Best Practices
Getting Buy In
The framework complements, and does not replace, an organisation's risk management processes and IT security program.
Your Organisation can use the framework to identify opportunities to strengthen and communicate its management of cyber security risk while aligning with industry practices.
Scope
“Covering systems and assets, whether physical or virtual,
vital to Your Organisation that the incapacity or
destruction of such systems and assets would have a
debilitating impact on the key operations of the business”
aka
“Manage cyber security risk for those processes,
information, and systems directly involved in the delivery
of key services in Your Organisation”
Holistic Approach
• Cyber Risk Committee
– Legal
– IT
– HR
– Business Lines
– etc
Overview of Framework
• Risk Based Approach to Managing Cyber
Security Risk
• 3 Parts
– Framework Core
– Framework Implementation Tiers
– Framework Profile
Framework Core
• Identify
• Protect
• Detect
• Respond
• Recover
Activities, desired outcomes and applicable references.
Provides a high level strategic view of the lifecycle of an
organisations management of cyber security risk.
Framework Core
Framework Implementation Tiers
• Capability Maturity
• Tier 1 – Partial
• Tier 2 – Risk Informed
• Tier 3 - Repeatable
• Tier 4 - Adaptive
Reflects a progression from informal, reactive responses to approaches that are agile
and risk informed.
Tier selection, we need to consider RM practices, threat environment, legal and
regulatory requirements, business objectives and organisational constraints.
Framework Profile
• Business needs that Your Organisation selects
from the categories and sub categories of the
framework.
• Alignment of standards, guidelines, and practices
to the framework core.
• Current profile “as is” state can be compared to
the “to be” target state. (Comparison profiles)
• Used to create roadmap
Deming Lifecycle
RM and The Framework
• Ongoing process of identifying, assessing and
responding to risk.
• Likelihood of an event?
• Impact?
• Acceptable Level of Risk? (Tolerance)
• Prioritisation is then possible
• Ability to quantify and communicate adjustments to
the program
Risk Treatment
• Accept
• Mitigate
• Transfer
• Avoid
Your Organisation's Cyber Security Framework will utilise RM
processes to inform and prioritise decisions. It supports
recurring assessments and validation of business drivers in
order to select appropriate target states.
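The profile comparison (Current “as is” profile against Target “to be” profile), the likelihood-and-impact prioritisation and the Accept/Mitigate/Transfer/Avoid treatment choice described above can be made concrete in a short script; the same comparison is what Steps 3 to 6 of the implementation carry out. The following Python is an added worked example and is not material from the slides or from Cyber Risk International: the category names come from the Framework Core, but the tier values, the 1-to-5 likelihood and impact scales, the risk tolerance, the set of transferable categories and the treatment rule are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Implementation tiers, named as on the Framework Implementation Tiers slide
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    """One Framework Core category where the Target Profile exceeds the Current Profile."""
    category: str
    function: str        # Identify / Protect / Detect / Respond / Recover
    current_tier: int
    target_tier: int
    likelihood: int      # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int          # 1 (negligible) .. 5 (severe); constructed scale

    @property
    def risk_score(self) -> int:
        """Likelihood x impact: the figure the prioritisation is based on."""
        return self.likelihood * self.impact

    @property
    def tier_gap(self) -> int:
        return self.target_tier - self.current_tier


def find_gaps(current, target, risk_inputs):
    """Compare the Current Profile ("as is") with the Target Profile ("to be").

    current:     category -> assessed tier (Step 3)
    target:      category -> (framework function, desired tier) (Step 5)
    risk_inputs: category -> (likelihood, impact) from the risk assessment (Step 4)
    A category absent from the Current Profile is treated as Tier 1, Partial (assumption).
    """
    gaps = []
    for category, (function, target_tier) in target.items():
        current_tier = current.get(category, 1)
        if target_tier > current_tier:
            likelihood, impact = risk_inputs[category]
            gaps.append(Gap(category, function, current_tier, target_tier, likelihood, impact))
    return gaps


def prioritise(gaps):
    """Highest risk score first; a larger tier gap breaks ties."""
    return sorted(gaps, key=lambda g: (g.risk_score, g.tier_gap), reverse=True)


def choose_treatment(gap, tolerance, transferable):
    """Sample treatment rule (an assumption for this example, not a rule from the slides):
    at or below tolerance -> Accept; above tolerance and eligible for contractual or
    insurance transfer -> Transfer; otherwise -> Mitigate. 'Avoid' (withdrawing from the
    activity altogether) is a business decision no score can make, so it is left to the
    Cyber Risk Committee rather than automated here."""
    if gap.risk_score <= tolerance:
        return "Accept"
    if gap.category in transferable:
        return "Transfer"
    return "Mitigate"


def build_action_plan(current, target, risk_inputs, tolerance, transferable=frozenset()):
    """Step 6: the prioritised action plan, one entry per gap, highest risk first."""
    plan = []
    for gap in prioritise(find_gaps(current, target, risk_inputs)):
        plan.append({
            "category": gap.category,
            "function": gap.function,
            "from": TIERS[gap.current_tier],
            "to": TIERS[gap.target_tier],
            "risk_score": gap.risk_score,
            "treatment": choose_treatment(gap, tolerance, transferable),
        })
    return plan


# Constructed sample data: category names from the Framework Core slide, everything else invented.
CURRENT_PROFILE = {
    "Asset Management": 2,
    "Access Control": 2,
    "Security Continuous Monitoring": 1,
    "Response Planning": 3,
    "Recovery Planning": 1,
}
TARGET_PROFILE = {
    "Asset Management": ("Identify", 3),
    "Access Control": ("Protect", 4),
    "Security Continuous Monitoring": ("Detect", 3),
    "Response Planning": ("Respond", 3),   # already at target: no gap
    "Recovery Planning": ("Recover", 2),
}
RISK_INPUTS = {                              # (likelihood, impact)
    "Asset Management": (3, 3),
    "Access Control": (4, 5),
    "Security Continuous Monitoring": (4, 4),
    "Response Planning": (2, 4),
    "Recovery Planning": (2, 2),
}
RISK_TOLERANCE = 6   # constructed: scores above this exceed the appetite set by the board
TRANSFERABLE = frozenset({"Security Continuous Monitoring"})  # e.g. via a managed monitoring contract

if __name__ == "__main__":
    for item in build_action_plan(CURRENT_PROFILE, TARGET_PROFILE, RISK_INPUTS,
                                  RISK_TOLERANCE, TRANSFERABLE):
        print(f"{item['risk_score']:>3}  {item['function']:<8} {item['category']:<31} "
              f"{item['from']} -> {item['to']}  [{item['treatment']}]")
```

Run as a script it lists the four gaps highest risk first (Access Control at 20, Security Continuous Monitoring at 16, Asset Management at 9, Recovery Planning at 4) with the treatment each would receive under the sample rule; Response Planning produces no entry because its current and target tiers already match. The point of keeping the tolerance and the treatment rule as explicit inputs is that they are the board's decisions (the “Acceptable Level of Risk” above), so changing them re-prioritises the plan without touching the assessment data.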
Coordination of Implementation
• Executive
• Business / Process
• Implementation / Operations
Implementation
Steps
• Step 1: Prioritise and Scope
• Step 2: Orient
• Step 3: Create a Current Profile
• Step 4: Conduct a Risk Assessment
• Step 5: Create a Target Profile
• Step 6: Determine, Analyse and Prioritise gaps
• Step 7: Implement Action Plan
Implementation Steps
Prioritise and Scope – Orient – Create a Current Profile – Conduct a Risk Assessment – Create a Target Profile – Determine, Analyse and Prioritise Gaps – Implement Action
Step 1: Prioritise and Scope
Your Organisation identifies its business/mission objectives and high-
level organisational priorities.
With this information, Your Organisation makes strategic decisions
regarding cybersecurity implementations and determines the scope of
systems and assets that support the selected business line or process.
The Framework can be adapted to support the different business lines
or processes within Your Organisation, which may have different
business needs and associated risk tolerance.
Step 2: Orient
Once the scope of the cybersecurity program has
been determined for the business line or process,
Your Organisation identifies related systems and
assets, regulatory requirements, and overall risk
approach.
Your Organisation then identifies threats to, and
vulnerabilities of, those systems and assets.
Step 3: Create a Current Profile
We then develop a Current Profile by indicating
which Category and Subcategory outcomes from
the Framework Core are currently being
achieved.
Step 4: Conduct a Risk Assessment
This assessment could be guided by Your Organisation’s overall risk
management process or previous risk assessment activities.
We analyse the operational environment in order to discern the
likelihood of a cybersecurity event and the impact that the event could
have on Your Organisation.
It is important to incorporate emerging risks and threat and
vulnerability data to facilitate a robust understanding of the likelihood
and impact of cybersecurity events.
Step 5: Create a Target Profile
We will then create a “Target Profile” that focuses
on the assessment of the Framework Categories
and Subcategories describing Your Organisation’s
desired cybersecurity outcomes.
It is common for organisations to also develop their
own additional Categories and Subcategories to
account for unique organisational risks.
Step 6: Determine, Analyse and Prioritise Gaps
We then compare the Current Profile and the Target Profile to determine
gaps.
This facilitates creating a prioritised action plan to address those gaps that
draws upon mission drivers, a cost/benefit analysis, and understanding of risk
to achieve the outcomes in the Target Profile.
We can then determine the resources necessary to address the gaps. Using
Profiles in this manner enables Your Organisation to make informed decisions
about cybersecurity activities, supports risk management, and enables
Your Organisation to perform cost-effective, targeted improvements.
Step 7: Implement Action Plan
Your Organisation then determines which actions to take in regards to
the gaps, if any, identified in the previous step. It then monitors its
current cybersecurity practices against the Target Profile.
Your Organisation may repeat the steps as needed to continuously
assess and improve its cybersecurity.
Your Organisation may monitor progress through iterative updates to
the Current Profile, subsequently comparing the Current Profile to the
Target Profile.
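As an added example, not the presenter's or NIST's code, here is a small Python model of Steps 3 to 7: Current and Target Profiles expressed as an Implementation Tier per Subcategory outcome, a risk-weighted gap analysis that also marks gaps within the acceptable level of risk as accepted, and the coverage figure you would monitor across iterations. The subcategory identifiers follow the Framework Core naming; the likelihood, impact, cost, tier and tolerance values are constructed.

```python
"""Gap analysis between a Current Profile and a Target Profile.

Constructed example for the Framework steps above; it is not the presenter's
or NIST's code. Subcategory identifiers follow the Framework Core naming
(ID.AM-1 etc.); likelihood, impact, cost and tier values are constructed.
"""
from dataclasses import dataclass

# Framework Implementation Tiers used as the maturity scale per outcome.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    """One Subcategory outcome of the Framework Core plus the Step 4 risk
    assessment figures for it (likelihood and impact on a 1..5 scale) and an
    assumed relative cost (1..5) of raising it by one tier."""
    subcategory: str
    category: str
    likelihood: int
    impact: int
    cost: int


@dataclass(frozen=True)
class Gap:
    """A Subcategory where the Current Profile falls short of the Target."""
    outcome: Outcome
    current: int
    target: int
    risk: int         # likelihood x impact
    priority: float   # risk x tier shortfall / cost: bigger = do first
    treatment: str    # "Accept" within tolerance, else "Mitigate"


def tier(profile: dict, subcategory: str) -> int:
    """An outcome absent from a profile is not being achieved at all,
    which this example records as Tier 1 (Partial)."""
    t = profile.get(subcategory, 1)
    if t not in TIERS:
        raise ValueError(f"{subcategory}: tier {t!r} is not one of {sorted(TIERS)}")
    return t


def assess_risk(likelihood: int, impact: int) -> int:
    """Step 4: likelihood of an event times its impact."""
    return likelihood * impact


def find_gaps(current: dict, target: dict, outcomes: list, tolerance: int) -> list:
    """Step 6: compare Current and Target Profiles, score each gap by risk and
    cost, and return the gaps ordered by priority (highest first)."""
    gaps = []
    for o in outcomes:
        cur, tgt = tier(current, o.subcategory), tier(target, o.subcategory)
        if cur >= tgt:
            continue  # outcome already achieved at the target tier
        risk = assess_risk(o.likelihood, o.impact)
        priority = risk * (tgt - cur) / o.cost
        # Within the acceptable level of risk the gap is tracked but accepted;
        # Transfer/Avoid are business decisions taken outside this scoring.
        treatment = "Accept" if risk <= tolerance else "Mitigate"
        gaps.append(Gap(o, cur, tgt, risk, priority, treatment))
    return sorted(gaps, key=lambda g: g.priority, reverse=True)


def action_plan(gaps: list) -> list:
    """Step 7: only gaps that are not accepted become actions."""
    return [g for g in gaps if g.treatment != "Accept"]


def apply_action(current: dict, gap: Gap) -> dict:
    """Record that an action closed a gap: returns an updated Current
    Profile (the original is left unchanged for the iteration history)."""
    updated = dict(current)
    updated[gap.outcome.subcategory] = gap.target
    return updated


def coverage(current: dict, target: dict) -> float:
    """Share of Target Profile outcomes already met; monitored over iterations."""
    met = sum(1 for s in target if tier(current, s) >= tier(target, s))
    return met / len(target)


# Constructed sample data: four outcomes, a Current and a Target Profile.
OUTCOMES = [
    Outcome("ID.AM-1", "Asset Management", likelihood=4, impact=4, cost=2),
    Outcome("PR.AC-1", "Access Control", likelihood=5, impact=5, cost=3),
    Outcome("DE.CM-1", "Security Continuous Monitoring", likelihood=3, impact=4, cost=4),
    Outcome("RS.RP-1", "Response Planning", likelihood=2, impact=2, cost=1),
]
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 3, "RS.RP-1": 2}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 3}
RISK_TOLERANCE = 6  # acceptable level of risk on the 1..25 scale (assumed)

if __name__ == "__main__":
    gaps = find_gaps(CURRENT_PROFILE, TARGET_PROFILE, OUTCOMES, RISK_TOLERANCE)
    for g in gaps:
        print(f"{g.outcome.subcategory}: Tier {g.current} -> {g.target}, "
              f"risk {g.risk}, priority {g.priority:.1f}, {g.treatment}")
    plan = action_plan(gaps)
    print("coverage before:", coverage(CURRENT_PROFILE, TARGET_PROFILE))
    after = apply_action(CURRENT_PROFILE, plan[0])
    print("coverage after first action:", coverage(after, TARGET_PROFILE))
```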
Open Discussion – Chatham House Rules
Thank You – Stay Connected
www.paulcdwyer.com
youtube.com/paulcdwyer
mail@paulcdwyer.com
+353-(0)85 888 1364
@paulcdwyer
WE IDENTIFY, MITIGATE AND MANAGE CYBER RISKS
Cyber Risk International
Clonmel House – Forster Way – Swords – Co Dublin – Ireland
+353-(0)1- 897 0234 xxxxxx
mail@cyberriskinternational.com
www.cyberriskinternational.com
CRI "Lessons From The Front Lines" March 26th Dublin

  • 1. Cyber Executive Briefing Presenter: Paul C Dwyer Date: March 26th 2015
  • 2. Slides and Material May NOT be Distributed In Any Format Without Written Permission Copyright Cyber Risk International Ltd – All Rights Reserved
  • 3. Paul C Dwyer Paul C Dwyer is an internationally recognised information security expert with over two decades experience and serves as President of ICTTF International Cyber Threat Task Force and Co Chairman of the UK NCA National Crime Agency Industry Group. A certified industry professional by the International Information Systems Security Certification Consortium (ISC2) and the Information System Audit & Control Association (ISACA) and selected for the IT Governance Expert Panel. Paul is a world leading Cyber Security GRC authority. He has been an advisor to Fortune 500 companies including law enforcement agencies, military (NATO) and recently advised DEFCOM UK at Westminster Parliament. He has worked and trained with organisations such as the US Secret Service, Scotland Yard, FBI, National Counter Terrorism Security Office (MI5), is approved by the National Crime Faculty and is a member of the High Tech Crime Network (HTCN). Paul C Dwyer CEO Cyber Risk International
  • 5. Overview of Cyber Threat Landscape
  • 6. THE CYBER WORLD AND THE PHYSICAL ARE INTEGRATED
  • 7. Cyber fronts in the Ukraine! Is it War?
  • 9. What is Cyber Crime? Cyber crime or computer crime as it is generally known is a form of crime where the Internet or computers are used as a medium or method to commit crime which includes hacking, copyright infringement, scams, denial of service attacks, web defacement and fraud.
  • 10. What is Cyber Warfare? “actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption.” • “Digital Infrastructure….Strategic National Asset” President Barack Obama • May 2010 – Pentagon – Cybercom • UK - a cyber-security "operations centre” (GCHQ) • “Fifth Domain” The Economist
  • 16. Control of the Internet
  • 17. What Are Cyber Threats? Cybercrime Cyber Warfare Cyber Espionage Cyber X Adversary
  • 19. What do they Want?
  • 20. Cyber Statistics • Cybercrime costs £27 billion a year in the UK • £1,000 a second • 170,000 IDs are stolen each year – 1 every three seconds • Theft of IP £9.2 billion (pharmaceuticals, biotechnology, electronics, IT and chemicals) Source: UK Cabinet Office
  • 21. Cybercrime Drivers It’s a business with an excellent economic model. Other reasons, you name it: • Technology • Internet • Recession • “A safe crime” • It’s easy to get involved • Part of Something
  • 22. Progression of Threats • Last 10 Years from Rudimentary Phishing & 419 • Highly complex underground economy • Value between tens and hundreds of billions of dollars • Reason for growth – Internet population – Incentives – Division of labour in market – Experts passing knowledge – Malicious Tools • Now some “loose knit” firms and classical mafia style syndicates
  • 24. Crimeware Toolkits Criminal gangs are creating fake banking apps Traditional Banking Trojan kits are attacking: mTAN (Transaction Authentication Number) • Zeus MITMO • Spitmo (SpyEye) • Citmo (Carberp) • Tattanga New generic mobile kits are being developed independently of PC kits for Zeus, Ice IX, SpyEye, Citadel, Carberp. Increasingly industrialized, new distribution channels Legit apps used with stolen credentials
  • 25. Underground Stock Exchange • Categories – Carding Forums – Dump Vendors – Non Carding Forums
  • 26. Cybercrime – A Business! Copyright - Paul C Dwyer Ltd - All Rights Reserved
  • 28. Economic Model - the Actors • User – (Account Credentials) • Financial Institution • Supplier • Acquirer/Middlemen • Agents • Carding Forum • Carders • Fraudster (Consumer) • Retailer • Reshipping / drop zone • Money Mule Categories: • Wholesalers • Retailers • Independent Contractors
  • 29. Security Testing Apps • 45 Billion Apps Downloaded • Gartner “300 Billion Annually by 2016” • Majority for Android Market • Open Season for Malware Writers – 1,200% Increase • Approx 40,000 Samples – 95% 12 Months Old
  • 30. Results of Testing • 5% Requested User Permission to Make Call Without User Knowing • 3% Could Send a Text Message • “brick” the mobile device • Nearly 400 could read authentication details from other apps • R&D Dept for “Bad Guys” – 1 Signature in 2010 for every 2 between 02-09 From PC to Smartphone!
  • 31. Social Media Impact • Distribution Centres for Malware • Anonymous – Botnet • Advertising Revenue Model – Embedded Links • Leveraging http flows between users (C&C / Distribution) • Clean Apps – Update to Dirty Apps IOT Internet of Things
  • 34. What do attacks look like?
  • 36. Attack lifecycle (the bad guy's steps): Reconnaissance – gathers intelligence about employees and assets; Weaponisation – chooses weapon from underground forum; Delivery – targets individual (asset); Exploitation – exploit run; C2 – comms established with command & control server; Lateral Movement – move laterally across network; Exfiltration – exfiltrate data; Maintenance – protection, maint mode
  • 38. Predictions “I think there is a world market for maybe five computers” Thomas Watson, Chairman of IBM 1943
  • 39. Skills Shortage Skills: Main obstacle to delivering cyber security Education system is not providing people with appropriate experience Immigration is a sensitive subject for governments
  • 40. Reputation is the NEW target • People have their own ethics and perceptions above those of their employers • Non verified sources of info • Guilty until proven innocent
  • 41. CaaS Upgrades to V2.0 • Criminals have huge and diverse talent pool available • Attacks are becoming more sophisticated and targeted
  • 42. Outsourcing Will Backfire • Lack of Governance over security providers • Alignment with business and cyber security strategy
  • 43. Information Leaks • Lack of Classification • Lack of Knowledge of “True Value” of information
  • 44. BYOC • Amount of information increasing exponentially • So is demand for access, anywhere, anytime and from any device • People already have their own cloud
  • 45. Government and Regulators • Governments have a role • They expect organisations to do their part • Regulations can not keep pace with technology • Nobody can protect an organisation better than the organisation
  • 46. The Supply Chain • The supply chain springs a leak as the insider threat comes from outside. • Closer business relationships lead to unforeseen security challenges • Increased risk complexity • Your business information is your supplier's data.
  • 48. The BIGGEST one! The CEO doesn’t get it!
  • 49. It’s a IT Cyber Security Problem, Right?
  • 50. NO. Legally It’s a Challenge for the Board!
  • 51. Cyber Risks for You • Tangible Costs – Loss of funds – Damage to Systems – Regulatory Fines – Legal Damages – Financial Compensation • Intangible Costs – Loss of competitive advantage (Stolen IP) – Loss of customer and/or partner trust – Loss of integrity (compromised digital assets) – Damage to reputation and brand Quantitative vs. Qualitative 46% Reduction in Profits Following Breach
  • 52. Regulatory and Legal EU Data Privacy Directive EU Network Information Security Directive European Convention on Cybercrime 400+ Others – 10,000+ Controls – 175 Legal Jurisdictions Your Organisation
  • 53. Responsibility – Convention Cybercrime All organisations need to be aware of the Convention’s provisions in article 12, paragraph 2: ‘ensure that a legal person can be held liable where the lack of supervision or control by a natural person…has made possible the commission of a criminal offence established in accordance with this Convention’. Now Sit Forward!
  • 54. It can get even worse
  • 56. Cyber is a Strategic Issue (macro security at the strategic end, micro security at the technical end). Strategic Level: How do cyber attacks affect policies, industry, business decisions? Operational Level: What kind of policies, procedures and business models do we need? Technical Level: How can we solve our security problems with technology?
  • 57. Board Room Discussion – CEO: loss of market share and reputation; legal exposure. CFO/COO: audit failure; fines and criminal charges; financial loss. CIO: loss of data confidentiality, integrity and/or availability. CHRO: violation of employee privacy. CMO: loss of customer trust; loss of brand reputation. Increasingly companies are appointing CROs and CISOs with a direct line to the audit committee.
  • 60. Deeper Dive – Cyber Insider
  • 61. Why can’t Johnny be good? Chuck Georgo CRI Associate Consultant
  • 62. Chuck Georgo Past Engagements 30+ years public safety and cyber security strategist, business analyst, systems engineer, and project manager • North Atlantic Treaty Organization • Federal Bureau of Investigation • Naval Criminal Investigative Service • Boston and New York Police Departments • Illinois, Washington, Ohio, and Utah State Fusion Centers • U.S. Navy Education • Master’s Degree in Public Administration • Master’s Degree in Information Architecture • Completed competencies, ISO/IEC 27001:2005 Lead Auditor.
  • 63. In the next 30 minutes… • Scare you a bit • Give you some insight • Make you a little mad • Make you think • Then it’s up to you….
  • 64. Some facts… • With very minor exception, no one you hire intends to do you harm on day one. • Something happens to some of them, at work or home that turns them against you. • And, sadly, you are probably the one to blame for what they did. • However, there is something you can do to prevent it from happening. • And it has little to do with technology
  • 67. Jeremy Dieudonne George Castro Joseph Pineras Walter Stephens
  • 72. • Born December 1987, Crescent, OK
  • 73. • Father – Brian; Mother – Susan • Met while stationed in Wales
  • 74. • Built first website at 10, writing code by 13
  • 75. • Always had a mind of his own
  • 76. • Parents divorced in 2000, moved back to Wales in 2001 with mother
  • 77. • Enlisted in U.S. Army, October 2007
  • 78. • Lasted 6 weeks, sent to discharge unit - Discharge revoked
  • 79. • Sent to intelligence analyst training at Ft. Huachuca, AZ
  • 80. • Sent to Fort Drum in August 2008; trained for deployment to Iraq
  • 81. • Met Boyfriend Tyler Watkins, introduced to Boston hacker community
  • 82. • Two superiors discussed not sending him to Iraq… “he was a risk to himself and possibly others“ …but shortage of intelligence analysts held sway…
  • 83. • Deployed to Baghdad in October 2009, gained access to multiple classified networks
  • 84. • Working conditions – 14–15 hour shifts in a dimly lit secure room – did not help mental health
  • 85. • First contact with Wikileaks in November 2009
  • 86. • Posted on Facebook, he felt alone and hopeless
  • 87. • On January 24, 2010, he traveled to the U.S. and attended a party at Boston University's hacker space.
  • 88. The Unraveling • E-mail to MSgt: suffering from gender identity disorder, attached a photograph of himself dressed as a woman • Found curled into a fetal position in a storage cupboard, with a knife at his feet • Hours later, punched female analyst in the face • Brigade psychiatrist: recommended discharge, referring to an "occupational problem and adjustment disorder." • Finally: was sent to work in the supply office, although his security clearance remained in place
  • 89. In May 2010, he emailed a mathematician in Boston; told him he was the source of the "Collateral Murder" video.
  • 90. • Two days later, began chats with Adrian Lamo, former "grey hat" hacker; this led to Bradley’s arrest
  • 91. • All told, Bradley Chelsea Manning had provided in excess of 750,000 documents to Wikileaks
  • 92. So, what went wrong?
  • 93. Three classic perspectives • Personal • Organizational • Behavioral
  • 94. Personal Factors – Greed or Financial Need? No • Anger/Revenge? Yes • Problems at work? Yes • Ideology/Identification? Yes • Divided Loyalty? No • Adventure/Thrill? No • Vulnerability to blackmail? No • Ego/Self-image? Yes • Ingratiation? No • Compulsive/Destructive Behavior? Yes • Family problems? Yes
  • 95. Organizational Factors – Access to protected materials? Yes • Ease of removal? Yes • Information labeling? Maybe • Undefined policies? No • Lax security? Yes • Personal accountability? Yes • Stressful environment? Yes • Insufficient training? No • Organizational ethics? Maybe
  • 96. Behavioral Factors – Seeks information outside duties? Yes • Unnecessarily copies material? Yes • Excessive remote access to network? No • Accesses network at odd times? Maybe • Disregards security policies? Yes • Unreported foreign contact/travel? No • Unexplained affluence? No • Suspicious personal contacts? Yes • Suspicious off-duty interests? Yes • Overwhelmed by life crises? Yes • Career/work disappointment? Yes • Concern that they are being investigated? No
  • 97. BUT WHAT IS MISSING FROM ALL OF THIS? Where is LEADERSHIP’S responsibility addressed?
  • 98. The Army had many chances to stop him 1. While in basic training 2. While at analyst training 3. When he got to Fort Drum 4. While he was in operational training 5. When he was sent to Iraq 6. In the many counseling sessions • And, there were probably other times…
  • 99. Who people think is ultimately responsible… Iron Mountain – PricewaterhouseCoopers Study, March 2012
  • 100. You manage tangible assets like furniture, machinery, and financial instruments… But, do you devote the same care and attention to your human assets?
  • 102. • Job performance? • Dealing with personal issues? • Access to their leaders? • Security responsibilities?
  • 103. • Authority to do the job? • Resources to do the job? • Easy access to info/systems? • Tools/materials? • Degrees of freedom?
  • 104. • Do they like their job? • Is it still a good fit? • Would they recommend it to others? • Is their family OK? • Are they having financial issues?
  • 105. • Reorganization? • Downsizing/terminations? • Lack of promotion/bonus? • Poor line leadership? • Personal factors?
  • 106. • Is CEO taking responsibility? • Actively developing sense of loyalty? • Holding line managers accountable? • Practicing MBWA? • Applying good technical measures?
  • 107. THINK IT WON’T HAPPEN TO YOU?
  • 108. • Of 2,031 European office workers surveyed… • One in three admitted that they had taken or forwarded confidential information out of the office
  • 109. • One in seven had taken confidential information with them to a new job
  • 110. • Another 31% said they would deliberately remove and share confidential information if they were fired
  • 111. Bottom line: if we want Johnny to be good… …we must spend MORE TIME on Johnny! Address the LEADERSHIP side of the insider threat problem.
  • 112. THANK YOU Chuck Georgo USA 011.410.903.6289 Slides and Material May NOT be Distributed In Any Format Without Written Permission Copyright Cyber Risk International Ltd – All Rights Reserved
  • 113. Show Me an Attack Vector
  • 115. Ecommerce and Online Payments
  • 117. Case 1
  • 118. Case 2
  • 119. Case 3
  • 122. Case 1
  • 123. Case 2
  • 124. Case 3
  • 127. Case 1
  • 128. Case 2
  • 129. Case 3
  • 132. Case 1
  • 133. Case 2
  • 134. Case 3
  • 135. Retail
  • 137. Case 1
  • 138. Case 2
  • 139. Case 3
  • 142. Case 1
  • 143. Case 2
  • 144. Case 3
  • 147. Case 1
  • 148. Case 2
  • 149. Case 3
  • 152. Switch Gear – How Do We Deal With This Cyber Risk Framework
  • 154. Identify: • Asset Management • Business Environment • Governance • Risk Assessment • Risk Management Strategy. Protect: • Access Control • Awareness and Training • Data Security • Information Protection Process and Procedures • Maintenance • Protective Technology. Detect: • Anomalies and Events • Security Continuous Monitoring • Detection Process. Respond: • Response Planning • Communications • Analysis • Mitigation • Improvements. Recover: • Recovery Planning • Improvements • Communications
  • 155. Cyber Security Framework • Describe Current Cyber Security Posture • Describe Target State for Cyber Security • Identify and Prioritise Opportunities for Improvement (RM) • Assess Progress Towards the Target State • Foster Communications among internal and external stakeholders
  • 156. Supported By Industry • Standards • Guidance • Best Practices Pipeline: Aligned with EU Directive on Network Information Security and Data Privacy
  • 157. Getting Buy In The framework complements, and does not replace, an organisation's risk management processes and IT security program. Organisations can use the framework to identify opportunities to strengthen and communicate their management of cyber security risk while aligning with industry practices.
  • 160. Information 'Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected’ ‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (ISO 27K). Forms of information: printed, written, transmitted, video (unified comms), web, verbal, digitally stored.
  • 161. What can we do with info? Create / Acquire • Manage • Store / Archive • Share • Search and Mine • Destroy • Process • Transmit • Used (Proper and Improper) • Corrupt • Lost • Stolen
  • 162. What is information security? Information security means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information Security rests on People, Processes and Technology.
  • 164. People “Who We Are” People who use or interact with our Information include: • Share Holders / Owners • Management • Employees • Business Partners • Service Providers • Contractors • Customers / Clients • Auditors
  • 165. Processes “What We Do” Typical processes in an IT Infrastructure could include: • Helpdesk / Service Management • Incident Reporting and Management • Change Requests Process • Request Fulfillment • Access Management • Identity Management • Service Level / Third-party Services Management • IT procurement process
  • 166. Technology “What We Use” • Network Infrastructure: • Cabling, Data/Voice Networks and equipment • Telecommunications services (PABX), including VoIP services , Video Conferencing • Server computers and associated storage devices • Operating software for server computers • Communications equipment and related hardware. • Intranet and Internet connections • VPNs and Virtual environments • Remote access services • Wireless connectivity
  • 167. CIA Triad – ISO 27K defines Information Security as the preservation of: Confidentiality – ensuring that information is accessible only to those authorised to have access; Integrity – safeguarding the accuracy and completeness of information and processing methods; Availability – ensuring that authorised users have access to information and associated assets when required
  • 168. Information Security 1. Protects information from a range of threats 2. Ensures business continuity 3. Minimises financial loss 4. Optimises return on investments 5. Increases business opportunities Business Survival Depends on Information Security
  • 169. What Are Cyber Threats? Blurred Lines Cybercrime Cyber Warfare Cyber Espionage Cyber X Threats VS. Risks Adversary
  • 170. Security breaches lead to • Reputation loss • Financial loss • Intellectual property loss • Legislative Breaches • Loss of customer confidence • Business interruption costs • Loss of goodwill
  • 171. Some basic definitions Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset. Threat: Something that can potentially cause damage to the organisation, IT Systems or network. Vulnerability: A weakness in the organisation, IT Systems, or network that can be exploited by a threat. ISMS: Information Security Management System e.g. ISO 27001
  • 172. Identify Threats Agent: The catalyst that performs the threat. • Human • Machine • Nature Motive: Something that causes the agent to act. • Accidental • Intentional • Only motivating factor that can be both accidental and intentional is human Results: The outcome of the applied threat. The results normally lead to the loss of CIA • Confidentiality • Integrity • Availability
  • 173. Traditional “Cyber” Threats • Spam – reportedly 85% of email • Fraud – most debilitating and destructive, pre digital controls are not sufficient • Commercial Espionage – British Airways • Insider Threats – unauthorised software 78% • Staff – decided to leave has not resigned • Systems Failures – “Fat Fingers”
  • 174. Risk Factors • Employees • External Parties • Low awareness of security issues • Growth in networking and distributed computing • Growth in complexity and effectiveness of hacking tools and viruses • Natural Disasters e.g. fire, flood, earthquake • Politics • Products and Technology Vendors
  • 175. Threat Characteristics • Automation: The automation of mundane tasks - make Denial of Service attacks and large scale junk mail possible, just as they enable 100% surveillance of the Internet communications traffic of any organisation. • Data collection: digital data requires minimal storage space and is easier to harvest and manipulate • Action at a distance: in cyberspace, the criminal who is targeting your network may be based in Chechnya, Moldavia or on a Pacific island. • Propagation: the Web enables ideas, skills and digital tools to be shared around the world within hours. It also enables techniques to be widely replicated and a vast array of computers to be linked into any one attack.
  • 176. Categories • Criminal attacks (fraud, theft and grand larceny, identity theft, hacking, extortion, phishing, IPR and copyright theft, piracy, brand theft, ‘spoofing’) • Destructive attacks (cyber-terrorism, hackers, ex- employees, vengeful individuals, cyber war, cyber-vandals, anarchists, viruses) • Nerd attacks (Denial of Service attacks, publicity hounds, adware) • Espionage attacks (data and IPR theft, spyware)
  • 177. Sectors Each sector has its own niche criminals • Phishers -> consumer financial services • Industrial spies – IP companies • (H)Activists – social impact they disapprove of • Hackers – scalp for prestige • Cyber terrorists – hurt the west • Fraudsters – any to siphon cash
  • 178. Threat Groups Threats originate with people, there are five distinct groups. • Criminals (thieves, fraudsters, organised crime) • Malefactors (hackers, vandals, terrorists, cyber-warriors) • Spies (commercial and governmental) • Undesirables (scam artists, spammers,‘ethical’ hackers) • The incompetent, or the simply unaware (staff, contractors, customers and other third parties) These people are found both inside and outside an organisation and can exert an influence out of proportion to their numbers
  • 179. Computer Misuse Legislation • Computer misuse legislation is relevant in two ways: • authorities and organisations can take action under it against cyber-criminals • organisations have to ensure they comply with it themselves. • Directors can be personally accountable for any compliance failures.
  • 180. Regulatory and Legal EU Data Privacy Directive EU Network Information Security Directive European Convention on Cybercrime 400+ Others – 10,000+ Controls – 175 Legal Jurisdictions Your Organisation
  • 181. Responsibility – Convention Cybercrime All organisations need to be aware of the Convention’s provisions in article 12, paragraph 2: ‘ensure that a legal person can be held liable where the lack of supervision or control by a natural person…has made possible the commission of a criminal offence established in accordance with this Convention’. In other words, directors can be responsible for offences committed by their organisation simply because they failed to adequately exercise their duty of care.
  • 183. It can get even worse
  • 184. Cyber is a Strategic Issue (macro security at the strategic end, micro security at the technical end). Strategic Level: How do cyber attacks affect policies, industry, business decisions? Operational Level: What kind of policies, procedures and business models do we need? Technical Level: How can we solve our security problems with technology?
  • 185. Board Room Discussion – CEO: loss of market share and reputation; legal exposure. CFO/COO: audit failure; fines and criminal charges; financial loss. CIO: loss of data confidentiality, integrity and/or availability. CHRO: violation of employee privacy. CMO: loss of customer trust; loss of brand reputation. Increasingly companies are appointing CROs and CISOs with a direct line to the audit committee.
  • 187. Progression of Cyber Crime • Highly complex underground economy • “America’s economy in the 21st century will depend on cyber security.” Barack Obama • Value over a trillion dollars • Reason for growth – Internet population – Incentives – Division of labour in market – Experts passing knowledge – Malicious Tools – Recession • Now some “loose knit” firms and classical mafia style syndicates
  • 188. Summary Risks and Threats High User Knowledge of IT Systems IP Theft, Sabotage, Misuse Virus Attacks Systems & Network Failure Attack or Hack Lack Of Documentation Lapse in Physical Security Natural Calamities & Fire
  • 189. Some “non cyber” examples Piggy backing through doors Not closing office doors during confidential conference calls Leaving print outs and faxes in the print room
  • 190. What are the risks to you? • Reality - All of the above! • Weaknesses can come from people, processes or technology • Clients may be the target • You can NOT be a weak link in security • We need to demonstrate and prove we are the best • Security is a journey NOT a destination • A management system is about continual improvement
  • 192. Humans The Last Line of Defence
  • 193. Cyber Risk International Training A CFO asks a CEO “What happens if we invest in developing our people and then they leave us ?” The CEO Says “What happens if we Don't, and they stay ?”
  • 194. About Me • John Byrne • 25 Years Experience • Business Owner • Certified Trainer with IITD • Training Design • Training Delivery • Associate Trainer for CRI in Security Awareness
  • 195. The Effects of Training in an Organisation Investment in Training improves • Performance • Productivity • Profitability • Market Share • Competitiveness • Employee Morale • Employee Loyalty
  • 196. The Effects of a Cyber Attack on an Organisation • Customer Trust • Customer Confidence • Resources • Employee Morale • Employee Loyalty • Competitiveness • Profitability
  • 197. Some Stats According to the Ponemon Institute 2014 Report • 40% of Data breaches involved employees or contractors • Fewer customers remained loyal following a data breach • Malicious or Criminal attacks increased from 34% to 38%
  • 198. 3 Examples • December 2013 • 110 Million Compromised Records • Credit Card and PIN Numbers • Spear Phishing on employee of Target’s Air Conditioning Company
  • 199. Chris Hadnagy • Employed to do a Social Engineering Audit on a Theme Park Ticketing System • CEO Said it could not be compromised • Hadnagy went with family to park and asked for a discount voucher to be printed off, it was an infected PDF • They were in
  • 200. Crypto Locker • October 2014 • ABC News Staff were Phished by fake Australia Post e-mails reporting failed delivery • Staff opened infected attachment • CryptoLocker Activated • ABC News 24 Suspends Programming out of Sydney
  • 201. The Weakest Link • The Human • Social Engineering / Hacking • All organisations are open to social engineering attacks • Raising awareness decreases your risk
  • 202. Security Awareness Workshops / Campaigns • Bring together the organisation and the employee • Communicate the threats • Link Personal, Professional and Organisational Protection • Increase Morale and Loyalty
  • 203. Thank You – Stay Connected johnb@cyberriskinternational.com +353-(0)86 223 9996 @johnjbbyrne WE IDENTIFY, MITIGATE AND MANAGE CYBER RISKS Cyber Risk International Clonmel House – Forster Way – Swords – Co Dublin – Ireland +353-(0)1- 897 0234 mail@cyberriskinternational.com www.cyberriskinternational.com
  • 206. Cyber Security Framework – Putting it Together
  • 208. Identify: • Asset Management • Business Environment • Governance • Risk Assessment • Risk Management Strategy. Protect: • Access Control • Awareness and Training • Data Security • Information Protection Process and Procedures • Maintenance • Protective Technology. Detect: • Anomalies and Events • Security Continuous Monitoring • Detection Process. Respond: • Response Planning • Communications • Analysis • Mitigation • Improvements. Recover: • Recovery Planning • Improvements • Communications
  • 209. Cyber Security Framework Aim: “Provide a prioritised, flexible, repeatable, performance based, and cost effective framework for dealing with cyber security”
  • 210. Cyber Security Framework • Describe Current Cyber Security Posture • Describe Target State for Cyber Security • Identify and Prioritise Opportunities for Improvement (RM) • Assess Progress Towards the Target State • Foster Communications among internal and external stakeholders
  • 211. Supported By Industry • Standards • Guidance • Best Practices
  • 212. Getting Buy In The framework complements, and does not replace, an organisation's risk management processes and IT security program. Your Organisation can use the framework to identify opportunities to strengthen and communicate its management of cyber security risk while aligning with industry practices.
  • 213. Scope “Covering systems and assets, whether physical or virtual, vital to Your Organisation that the incapacity or destruction of such systems and assets would have a debilitating impact on the key operations of the business” aka “Manage cyber security risk for those processes, information, and systems directly involved in the delivery of key services in Your Organisation”
  • 214. Holistic Approach • Cyber Risk Committee – Legal – IT – HR – Business Lines – etc
  • 215. Overview of Framework • Risk Based Approach to Managing Cyber Security Risk • 3 Parts – Framework Core – Framework Implementation Tiers – Framework Profile
  • 216. Framework Core • Identify • Protect • Detect • Respond • Recover Activities, desired outcomes and applicable references. Provides a high level strategic view of the lifecycle of an organisation's management of cyber security risk.
  • 220. Framework Implementation Tiers • Capability Maturity • Tier 1 – Partial • Tier 2 – Risk Informed • Tier 3 – Repeatable • Tier 4 – Adaptive Reflects a progression from informal, reactive responses to approaches that are agile and risk informed. For tier selection, we need to consider RM practices, threat environment, legal and regulatory requirements, business objectives and organisational constraints.
  • 221. Framework Profile • Business needs that Your Organisation selects from the categories and sub categories of the framework. • Alignment of standards, guidelines, and practices to the framework core. • Current profile “as is” state can be compared to the “to be” target state. (Comparison profiles) • Used to create roadmap
  • 223. RM and The Framework • Ongoing process of identifying, assessing and responding to risk. • Likelihood of an event? • Impact? • Acceptable Level of Risk? (Tolerance) • Prioritisation is then possible • Ability to quantify and communicate adjustments to the program
  • 224. Risk Treatment • Accept • Mitigate • Transfer • Avoid Your Organisation Cyber Security Framework will utilise RM processes to inform and prioritise decisions. Supports recurring assessments and validation of business drivers in order to select appropriate target states.
  • 225. Coordination of Implementation • Executive • Business / Process • Implementation / Operations
  • 227. Steps • Step 1: Prioritise and Scope • Step 2: Orient • Step 3: Create a Current Profile • Step 4: Conduct a Risk Assessment • Step 5: Create a Target Profile • Step 6: Determine, Analyse and Prioritise gaps • Step 7: Implement Action Plan
  • 228. Implementation Steps Prioritise and Scope Orient Create a Current Profile Conduct a Risk Assessment Create a Target Profile Determine, Analyse and Prioritise Gaps Implement Action
  • 229. Step 1: Prioritise and Scope Your Organisation identifies its business/mission objectives and high- level organisational priorities. With this information, Your Organisation makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within Your Organisation, which may have different business needs and associated risk tolerance.
  • 230. Step 2: Orient Once the scope of the cybersecurity program has been determined for the business line or process, Your Organisation identifies related systems and assets, regulatory requirements, and overall risk approach. Your Organisation then identifies threats to, and vulnerabilities of, those systems and assets.
  • 231. Step 3: Create a Current Profile We then develop a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved.
  • 232. Step 4: Conduct a Risk Assessment This assessment could be guided by Your Organisation’s overall risk management process or previous risk assessment activities. We analyse the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on Your Organisation. It is important to incorporate emerging risks and threat and vulnerability data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.
  • 233. Step 5: Create a Target Profile We will then create a “Target Profile” that focuses on the assessment of the Framework Categories and Subcategories describing Your Organisation’s desired cybersecurity outcomes. It is common for organisations to also develop their own additional Categories and Subcategories to account for unique organisational risks.
  • 234. Step 6: Dertermine, Analyse and Prioritise Gaps We then compare the Current Profile and the Target Profile to determine gaps. This facilitates creating a prioritised action plan to address those gaps that draws upon mission drivers, a cost/benefit analysis, and understanding of risk to achieve the outcomes in the Target Profile. We can then determines resources necessary to address the gaps. Using Profiles in this manner enables Your Organisation to make informed decisions about cybersecurity activities, supports risk management, and enables the Your Organisation to perform cost-effective, targeted improvements.
  • 235. Step 7: Implement Action Plan Your Organisation then determines which actions to take regarding the gaps, if any, identified in the previous step. It then monitors its current cybersecurity practices against the Target Profile. Your Organisation may repeat the steps as needed to continuously assess and improve its cybersecurity. Your Organisation may monitor progress through iterative updates to the Current Profile, subsequently comparing the Current Profile to the Target Profile.
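  Steps 3 to 7 above, taken together, are a procedure: score the Current Profile, score the Target Profile, assess likelihood and impact, compute and prioritise the gaps with a cost/benefit view, choose a treatment against the tolerance, then fold completed work back into the Current Profile and repeat. The following is an added worked example of that procedure, not code from the presentation or from NIST. The subcategory identifiers are real CSF 1.0 Core IDs, but the 0-4 achievement scale, the scores, the effort figures, the tolerance value and the function names are constructed assumptions for illustration. Transfer and avoid decisions cannot be derived from scores, so the example records them as explicit inputs rather than computing them.

```python
"""Profile gap analysis and prioritised action plan (CSF steps 3 to 7).

Added example, not the presentation's or NIST's code. Subcategory IDs are
CSF 1.0 Core identifiers; scales, scores, costs and tolerance are assumed.
"""
from dataclasses import dataclass, replace

SCALE_MAX = 4       # assumed: 0 = outcome not achieved, 4 = fully achieved
RISK_TOLERANCE = 6  # assumed: likelihood x impact at or below this is acceptable


@dataclass(frozen=True)
class Subcategory:
    """One Framework Core outcome with Current/Target state and risk inputs."""
    id: str
    outcome: str
    current: int     # Current Profile score on the 0..SCALE_MAX scale
    target: int      # Target Profile score on the same scale
    likelihood: int  # 1..5 likelihood of an event while the gap persists
    impact: int      # 1..5 impact of that event on the organisation
    cost: int        # assumed effort (person-days) to reach the target

    def __post_init__(self):
        if not (0 <= self.current <= SCALE_MAX and 0 <= self.target <= SCALE_MAX):
            raise ValueError(f"{self.id}: profile scores must be 0..{SCALE_MAX}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.id}: likelihood and impact must be 1..5")
        if self.cost <= 0:
            raise ValueError(f"{self.id}: cost must be positive")

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact  # Step 4: likelihood x impact

    @property
    def gap(self) -> int:
        return max(0, self.target - self.current)  # Step 6: Target minus Current


def build_plan(profile, tolerance=RISK_TOLERANCE, decisions=None):
    """Step 6: compare Current and Target Profile, treat and prioritise gaps.

    decisions maps a subcategory ID to an explicit 'transfer' or 'avoid'
    treatment recorded by the business; everything else is 'accept' when
    the risk is within tolerance and 'mitigate' otherwise.
    """
    decisions = decisions or {}
    actions = []
    for s in profile:
        if s.gap == 0:
            continue  # outcome already at target: nothing to plan
        treatment = decisions.get(s.id)
        if treatment not in ("transfer", "avoid"):
            treatment = "accept" if s.risk <= tolerance else "mitigate"
        # cost/benefit: risk weighted by the size of the gap, per unit of effort
        priority = round(s.risk * s.gap / s.cost, 2)
        actions.append({"id": s.id, "outcome": s.outcome, "gap": s.gap,
                        "risk": s.risk, "treatment": treatment, "priority": priority})
    # mitigation work first, highest benefit per cost first, then by raw risk
    actions.sort(key=lambda a: (a["treatment"] != "mitigate", -a["priority"], -a["risk"]))
    return actions


def mitigation_order(plan):
    """IDs scheduled for mitigation, in the order the plan would work them."""
    return [a["id"] for a in plan if a["treatment"] == "mitigate"]


def update_current(profile, progress):
    """Step 7: fold implemented actions back into a new Current Profile."""
    return [replace(s, current=max(0, min(SCALE_MAX, progress.get(s.id, s.current))))
            for s in profile]


# Constructed profile: a small subset of Core outcomes with assumed scores.
PROFILE = [
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried", 3, 4, 2, 3, 10),
    Subcategory("ID.AM-2", "Software platforms and applications are inventoried", 1, 3, 3, 3, 15),
    Subcategory("PR.AC-1", "Identities and credentials are managed", 2, 4, 4, 5, 20),
    Subcategory("PR.AC-4", "Access permissions follow least privilege", 1, 3, 4, 4, 30),
    Subcategory("DE.CM-1", "The network is monitored for events", 2, 2, 3, 4, 5),
    Subcategory("RS.RP-1", "Response plan is executed during or after an event", 0, 3, 2, 5, 12),
    Subcategory("RC.RP-1", "Recovery plan is executed during or after an event", 1, 3, 2, 2, 8),
]

if __name__ == "__main__":
    for a in build_plan(PROFILE):
        print(f'{a["id"]:8} gap={a["gap"]} risk={a["risk"]:2} '
              f'{a["treatment"]:8} priority={a["priority"]}')
    # Iterate: two actions delivered, rebuild the plan from the new Current Profile
    print(mitigation_order(build_plan(update_current(PROFILE, {"RS.RP-1": 3, "PR.AC-1": 4}))))
```

Two design points worth noting. Items whose risk sits within tolerance still appear in the plan, labelled "accept", so the decision not to act is recorded and auditable rather than silently dropped. And the ordering puts benefit per unit of effort ahead of raw risk score, which is why the response-plan gap (large gap, modest effort) lands above identity management (highest raw risk) in this constructed data; swap the sort key if your organisation prioritises purely by risk.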
  • 237. Open Discussion – Chatham House Rule
  • 238. Thank You – Stay Connected www.paulcdwyer.com youtube.com/paulcdwyer mail@paulcdwyer.com +353-(0)85 888 1364 @paulcdwyer WE IDENTIFY, MITIGATE AND MANAGE CYBER RISKS Cyber Risk International Clonmel House – Forster Way – Swords – Co Dublin – Ireland +353-(0)1- 897 0234 xxxxxx mail@cyberriskinternational.com www.cyberriskinternational.com