Cyber Risk Management with COBIT 5
Marco Salvato, CISA, CISM, CGEIT, CRISC, COBIT 5 Approved Trainer

Agenda
Common definition of Cyber Risk and related topics
Differences between Cyber Security and IS Security
Understanding Cyber Warfare: the threats, the actors, the behaviour and the motivations
How ISACA supports us in dealing with Cyber Risk
Security Risk?
Cyber Risk
Cyber Crime
Cyber Resilience

The Internet of Things (IoT)
Why we should care about cyber risk
How many cyber attacks are there in the world?

Why we should care about cyber risk
Ten million cyber attacks a day
Cyber attacks cost $1 million on average to resolve

Norse Dark Intelligence
http://map.ipviking.com

Digital Attack Map
http://www.digitalattackmap.com
DDoS attack data from Google datacenters and Arbor Networks
Cybersecurity definitions - ISACA
The term Cyber Security addresses the governance, management and assurance that go beyond standard information security. Cybersecurity focuses on specific, highly sophisticated forms of attack and covers the technical and social aspects of the attack. Many definitions exist for cybersecurity, and the term is often misunderstood. The official EU definition follows:
Cyber Security commonly refers to the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure. Cyber Security strives to preserve the availability and integrity of the networks and infrastructure and the confidentiality of the information contained therein.
Source: ISACA, 2014, European Cybersecurity Implementation Series, European Cybersecurity Implementation: Overview

Cybersecurity definitions - ISACA
ISACA defines Cyber Security as follows: The protection of information assets by addressing threats to information that is processed, stored and transported by internetworked information systems.
In its Transforming Cybersecurity publication, ISACA further describes Cyber Security as follows: Cyber Security encompasses all that protects enterprises and individuals from intentional attacks, breaches and incidents as well as the consequences. In practice, Cyber Security addresses primarily those types of attack, breach or incident that are targeted, sophisticated and difficult to detect or manage. The focus of Cyber Security is on what has become known as advanced persistent threats (APTs), cyberwarfare and their impact on enterprises and individuals.
Source: ISACA, 2014, European Cybersecurity Implementation Series, European Cybersecurity Implementation: Overview

Cybersecurity definitions - ISACA
Cyber Risk is an ever-present threat, defined as any risk of financial loss, disruption or damage to the reputation of the organization from some sort of failure of its information technology systems. (Institute of Risk Management)
It is possible to identify some main risk categories:
losses due to cyber crime, cyber terrorism and cyber sabotage
accidental loss of your own or someone else's data
physical loss of systems (critical information infrastructure breakdown)
liability for your information/data (business data, online activities, emails, ...)
Moreover, Cyber Risk is the risk arising from Cyber Crime, defined by Canadian law as follows:
Crimes in which the computer is the target of the criminal activity;
Crimes in which the computer is a tool used to commit the crime; and
Crimes in which the use of the computer is an incidental aspect of the commission of the crime.
Source: ISACA, 2014, European Cybersecurity Implementation Series, European Cybersecurity Implementation: Overview

Cybersecurity definitions - ISACA
Cyber Risk and Cyber Crime share two characteristics:
they all have a potentially great impact
they were all once considered improbable
Source: ISACA, 2014, European Cybersecurity Implementation Series, European Cybersecurity Implementation: Overview
Cyber Attack Taxonomy - ISACA
Source: ISACA, 2014, European Cybersecurity Implementation Series, European Cybersecurity Implementation: Overview

Information Security and Cybersecurity Focus (PESTLE) - ISACA
Source: ISACA, 2014, European Cybersecurity Implementation Series, European Cybersecurity Implementation: Overview

Attacks and Threat Levels - ISACA
Source: ISACA, 2014, European Cybersecurity Implementation Series, European Cybersecurity Implementation: Overview

The Threat: Attack Techniques
Source: McAfee Labs Threats Report, Fourth Quarter 2013

The Threat: Motivation Behind Attacks
Source: McAfee Labs Threats Report, Fourth Quarter 2013

The Threat: Distribution of Targets
Source: McAfee Labs Threats Report, Fourth Quarter 2013

The Threat
Source: McAfee Labs Threats Report, Fourth Quarter 2013

The Threat
The Target Story (2014)
Company background
Founded in 1902
Second largest discount retailer in the US after Walmart
Ranked 36th on Fortune 500 (2013)
1,916 stores
Revenue (2013): US$72.6
(Source: Wikipedia)
The attack
The attack did not hit the central systems of the company but the Point of Sale (PoS) systems.
It targeted the Windows OS used to acquire data from the card readers.
The system performs data encryption in memory: the malware scans the machine memory for credit card data.
Data is sent outside the company.
Data is used for card cloning.
Attack vector from an external third party (Fazio Mechanical Services - FMS):
Malware delivered via phishing email to FMS
No enterprise AV in use at FMS
Stolen credentials used to get inside Target systems through the access FMS had for the HVAC system in Target
(Source: McAfee Labs Threat Advisory - EPOS Data Theft)

The Target Story (2014)
Timeline and costs
December 2013
19 Dec: Breach notice to 40M customers; 10% discount offered; free credit checks offered to customers
23 Dec: Company sued by customers; phone scam campaign starts; phishing campaign starts
28 Dec: All card data stolen, including PINs
January 2014
10 Jan: Damage perimeter re-estimated: 70M customers
13 Jan: Malware detected and removed
22 Jan: Lay-off of 475 employees; hiring of 700 planned employees stopped
29 Jan: Forensic analysis confirms that the partner's poor security for the HVAC system (Fazio Mechanical) was used to get inside the network
February
7 Feb: Stolen credit cards reissued (at $10/card, expected $700M)
18 Feb: Target security reports had been available from October 2013, but no action was taken
24 Feb: Share buy-back halted ($4M)
26 Feb: Profit -46% for the quarter; sales -5.3%; share value -11%
March
5 March: CIO resigns; Compliance Officer fired
18 March: Target was PCI DSS compliant: not enough
26 March: Target sued by banks to recover card reissuing costs; Target's security auditor sued
April - June
100 lawsuits active; regulators' investigations
July
New CEO appointed; earnings -20%; share value 20%
Costs: $148M ($38M covered by insurance)

The Target Story (2014)
Stock effects (chart: share price against the events below)
19 Dec: Breach notification
10 Jan: 70M breach notification
26 March: Bank sues Target
April - June: Banks sue Target
July: Operating results published
Cybersecurity Governance
Governance over cybersecurity has a much wider scope than governance over information security, due to the multiple facets of cybercrime and cyberwarfare. The cybersecurity governance framework covers enterprise security, social elements and technology.
Source: ISACA, 2014, European Cybersecurity Implementation Series, European Cybersecurity Implementation: Overview

ISACA & ENISA
ISACA: as a nonprofit, global membership association for IT and information systems professionals, ISACA is committed to providing its diverse constituency of more than 115,000 worldwide with the tools they need to achieve individual and organizational success. The benefits offered through our globally accepted research, certifications and community collaboration result in greater trust in, and value from, information systems. Through more than 200 chapters established in more than 80 countries, ISACA provides its members with education, resource sharing, advocacy, professional networking, and a host of other benefits on a local level.
ENISA: the European Union Agency for Network and Information Security, working for the EU institutions and Member States. ENISA is the EU's response to the cyber security issues of the European Union. As such, it is the 'pace-setter' for Information Security in Europe, and a centre of expertise. The objective is to make ENISA's web site the European hub for exchange of information, best practices and knowledge in the field of Information Security. This web site is an access point to the EU Member States and other actors in this field. 'ENISA - Securing Europe's Information Society'
ISACA European Cybersecurity Implementation Series (several slides of figures from the series)
Source: ISACA, 2014, European Cybersecurity Implementation Series, European Cybersecurity Implementation: Overview

ISACA
Source: ISACA, 2014, European Cybersecurity Implementation Series, European Cybersecurity Implementation: Overview

ENISA
Source: ISACA, 2014, European Cybersecurity Implementation Series, European Cybersecurity Implementation: Overview

Cybersecurity Nexus
In conclusion
ISACA has concentrated its efforts on producing many publications on the topic, including the European Cybersecurity Implementation Series, to support the implementation of cybersecurity in line with European requirements and international good practice.
For more information, visit:
www.isaca.org/cobit5
www.isaca.org/cobit5forrisk
http://www.isaca.org/chapters5/venice/pages/default.aspx
Questions?