Post on 03-Aug-2020
© 2016 Deloitte Dutch Caribbean
Cyber Warriors at Work
Riding the wave of tech trends
Willemstad, 19 October 2016
Mario Flores & Roy Jansen
Contents
Setting the scene – the threat landscape is more complex than ever
Cyber Warfare
The need for a new breed of CISO
Cyber Value at Risk
Organizations are spending more money and paying more attention than they ever have … but for many the problem seems to be getting worse.
Organizations will spend $82 billion on information security in 2016, according to Gartner.
The most common answers focus on the “adversary” … who is increasingly determined and sophisticated …
… and the view that adversaries are well funded … often by organized crime, and in some cases can even be “state sponsored”
But this is just one side of the coin …
The things that organizations do to innovate and drive performance are the very things that create cyber risk
We have connected our economy and our society using platforms designed for sharing information … not protecting it
Organizations must trust people every day
Industry knowledge matters … because cyber risks vary significantly by sector … as do regulatory requirements
Cyber Warfare
The 5th dimension of war
Hacktivism or Cyber Warfare?
US Central Command Twitter Account Hacked (2015)
Definition
What is Cyber Warfare?
Targets
Cyber Warfare
Military Networks
Government Agencies
Power Plants
Stock Exchange
Transportation Infrastructure
Telcos
eCommerce & Financial
Media Companies
Examples of what we know
Cyber Espionage and Warfare is here (and has been for some years)
2009 – GhostNet: cyber espionage by China infiltrating high-value political, media and economic locations in 103 countries
2010 – Stuxnet computer worm, Flame and Nitro Zeus by the US NSA
2013 – Russia allegedly attacking Ukraine's power grid and leaving areas without energy
2014 – US finds evidence of the Chinese government infiltrating systems of airlines, technology companies and contractors involved in the movement of troops and military equipment
2016 – Russia allegedly hacking e-mails of the Democratic Party and Hillary's campaign manager to influence the presidential elections
Simple facts
Cyber Warfare
• Billions of dollars are being invested in state-sponsored cyber warfare
• The supposed “air gap” provides an unreal sense of security
• Significant increase seen in state-organized cyber attacks, particularly aimed at social, financial and political impact, and not so much physical
• Industrial control systems typically run older, less secure technology and are not hardened
• Raw materials are readily available on the Internet
The world's scariest search engine
Shodan in the world of Internet of Things
Searching for Vestas Wind Turbines
ICS Scan
Moxa OnCell it is…
Accessing the Turbine configuration module
Searching for default passwords
Moxa Manual
Open Sesame…
Applying default passwords
Wind turbine, where art thou?
IP Geo-location
Seek and you will find
Google Maps
How to stem the threat?
Cyber Warfare – we are inherently vulnerable
01 International Cooperation
- Between States
- Between States and the Private Sector
02 Cyber treaties
- 1675 Strasbourg Agreement (1st treaty banning chemical weapons)
- 1967 Treaty of Tlatelolco (no nuclear arms in Latin America and the Caribbean)
- 1990 Chemical Weapons Accord
03 Offensive vs Defensive
04 Options
Key capabilities to combat and control Cyber Warfare
Global Cyber Maturity Curve
The New CISO
Leading the strategic security organization
CISO's former professional roles
Managing vital functions
A new type of cyber warrior
The four faces of the CISO
Shifting dimensions
The evolving CISO role
Why do companies struggle?
Challenges in creating a strategic security organization
Narrow perspective – limited exposure to and knowledge of the overall business
Communication – struggle to communicate and interact with business leaders; cyber is considered a technical problem
Talent – lack of security talent (quantity and capability) keeps the CISO from focusing on the big picture
False sense of security – executives think compliance equals security (especially in regulated industries)
Competing agendas – other priorities prevent the C-suite from elevating enterprise security
To see where we’re going:
Could someone turn on the lights?
Progress made over the last years is growing increasingly rapidly
Start of a journey with the World Economic Forum
2011 – The Forum launched the Risk & Responsibility in a Hyperconnected World initiative.
2012–2013 – Throughout 2012 and 2013, the Forum discussed changing cyber risks with key organisations around the globe representing over 1 trillion US$ in annual revenue and nearly 4 million FTEs. A key result of the project is the Partnership for Cyber Resilience (PCR), which launched in Davos during the 2012 Annual Meeting. Its report introduces main principles for cyber resilience, guidelines for cyber resilience program development against a generic maturity model, as well as an executive-level checklist that may help identify one's current position. It identifies the most important components in understanding and dealing with cyber risks as well as the wider impact from society-wide interconnectedness.
2014 – A new discussion emerged in the Forum around methodologies to measure and quantify cyber risks at the enterprise, market, national and international (trade) levels.
2015 – Key result was the report Towards the Quantification of Cyber Threats, presented at Davos early 2015. This report calls for a common approach for Cyber Value at Risk. It introduces the Cyber Value at Risk concept and identifies key components for cyber risk modelling. It also discusses suitable modelling methodologies, existing limitations and solutions. Wider pick-up of Cyber Value at Risk models will amplify their quality and use through better data availability.
Benefit & objectives
Cyber Value at Risk
Given a successful cyber attack, a company will not lose more than X amount of money over a given period of time, with 95% confidence.
The goal of Cyber Value at Risk is to standardize and unify the different factors (vulnerabilities, assets, attacker profile) into a single normal distribution that quantifies the value at risk in case of a cyber attack.
Operationalizing Cyber Value at Risk
Value impact from abuse of information assets, limited by controls
Based on the Forum's initiative, further research and public data, the report 'Cyber Value at Risk in The Netherlands' was published in April 2016.
In this report, the risk levels for the 14 largest sectors in The Netherlands are presented, providing a view of the current Dutch cyber threat landscape. The high-level underlying structure per sector (threats acting on information assets, limited by security controls) is as follows:
Threat profiles: 1. Espionage 2. Advanced crime 3. Bulk crime 4. Hacktivism
Information assets: 1. Privacy-related 2. Business clients 3. Intellectual property 4. Strategic information 5. Operational continuity 6. Liquidity integrity 7. Control integrity
Cyber security controls: 1. Protection from entry 2. Protection from abuse 3. Detection and response 4. Resilience and recovery
Industry specific impact & threat profile levels (per-sector charts): Oil, Gas & Chemicals; Public Sector; Banking; Defense & Aerospace
The need for cyber risk quantification has five components, each with an associated requirement:
• Trust-based business – identifying the added value of business and trust
• Risk transfer – identifying third-party contribution and diversification
• Risks managed – identifying the right focus and direction
• Security optimal – identifying trade-offs in security architecture
• Secure society – identifying risks to social values
From qualitative to quantitative approaches
Main distinguishing features: description, benefits and requirements of each approach

Qualitative
Description: qualitative risk assessment against
• Cyber risk framework
• Capability maturity model
• Compliance checklist, etc.
Benefits:
• Relatively easy to start
• Starting point for discussion at CRO level
Required:
• Interpretation and translation
• Judgement of relative importance of components

Semi-quantitative
Description: additional quantitative indicators
• Monitored threat levels
• Performance and risk dashboard
• Incident and loss database
Benefits:
• Cyber risk management based on targets and limits
• Better evidencing of controls (not uniformly)
Required:
• Identifying metrics
• Regular measurements / data
• Judgement of relative importance of components

Quantitative
Description: unifying quantitative metric
• Cyber risk model
• Threats linked to business value
• Parameters, data, assumptions
Benefits:
• Integrated risk management
• Business-rational budgeting, prioritization, optimization, etc.
• Uniform impact assessment of individual control effectiveness
Required:
• Iterative process for development and implementation of the risk model
• Identifying data sources
• Validation and back-testing
Some initial thoughts:
• Cyber space – defined as the possibilities emerging from connected technologies
• Risks in cyber space lead to many types of non-cyber risks (examples below)
• The purpose of cyber risk controls is mitigating value loss, which is also linked to other risk types
Most known risks have a link with cyber risk; however, cyber risk requires new types of control.
How can this complexity be managed? A unifying cyber risk model.
How can the effectiveness of controls be determined? Value at Risk metrics.

Risk category / sub-category – examples of impact from a cyber breach:
Operational risks
• Legal risk – claims following a cyber incident
• Regulatory risk – fines for non-compliance following a breach
• Business continuity – revenue lost due to cyber disruption
• Fraud risk – overpayment of commissions through a portal
• Information risk – most cyber breaches
Financial risks
• Market risk – trade losses due to system unavailability
• Credit risk – selection risk increase after reputation loss
• Liquidity risk – run on the bank due to a privacy breach
High-level Cyber Value at Risk model structure
Three main components: controls, threat landscape and value impact
High-level design of the Cyber Value at Risk model:
1. Controls – inputs: controls, metrics, dashboard
2. Threats – inputs: threat intel, detection results; these feed the attack process model, which yields the fraction abused
3. Value impact – inputs: financials, BIA (business impact analysis); combined with the fraction abused, this yields the Value at Risk
Linking the operational and managerial levels
Feedback mechanism ensures quality control
Operational level: attack process model
Attack vectors (DDoS, 3rd party, insider, backdoor, other attacks) move through targeting, entry and abuse towards accumulating losses; the controls act at each stage:
a) Protection from entry
b) Breach detection and response
c) Protection from abuse
d) Abuse detection and response
e) Recovery of losses
Management level: plan-do-check-act cycle
Plan – performance settings, assumption settings, threat assessments, impact assessments
Do – performance execution
Check – performance monitoring, threat monitoring, incident monitoring
Act – performance adjustments, assumption adjustments
Execution, monitoring, optimisation and adjustments close the loop between the two levels.
A multitude of cyber risk quantification methodologies exist, each having pros and cons
Cyber risk quantification methodologies
• Factor models – e.g. FAIR framework. + Holistic approach possible. – Can lead to a large number of parameters.
• Scenario analysis and simulation – e.g. Monte Carlo simulation, attack-defense trees. + Flexible, tailored and detailed results. – Large amount of data required.
• System dynamics – e.g. a large Dutch bank identifying long-term cycles. + Especially suited for modeling feedback loops. – Time delays impede evidencing in complex organizations.
• Behavioral modeling – e.g. agent-based modeling. + Insight into a complex ecosystem with multiple parties. – Defining the right interactions upfront is not straightforward.
• Combinations and other techniques – e.g. sensitivity analysis, data analytics, information engineering, expert models.
The Deloitte Cyber Value at Risk approach combines scenario analysis and simulation, system dynamics and behavioral modeling.
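The 95% Value at Risk statement, the attack process model (entry, abuse, detection and response, recovery) and the Monte Carlo methodology above can be tied together in a short simulation. The following is an added illustration, not Deloitte's model or the WEF report's: the four threat profiles, the control parameters, the loss figures and the Poisson/lognormal choices are constructed assumptions, chosen only to show how controls reduce the fraction abused and how a 95% quantile of the simulated annual loss compares with the single-normal-distribution approximation the slides describe.

```python
"""Monte Carlo estimate of one-year Cyber Value at Risk at a 95% confidence level.

Added example, not Deloitte's model nor the WEF report's. All threat profiles,
control parameters and loss figures are constructed assumptions that mirror the
slides' structure: threat profiles feed an attack process model (entry -> abuse
-> detection and response -> recovery), controls cut down the fraction abused,
and the remaining losses form the value-at-risk distribution.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatProfile:
    name: str
    attempts_per_year: float  # expected attempts per year (Poisson rate); assumed
    entry_prob: float         # P(entry succeeds) against an uncontrolled target; assumed
    loss_per_abuse: float     # median loss (EUR) from one undetected abuse; assumed
    loss_sigma: float         # lognormal dispersion of that loss; assumed


@dataclass(frozen=True)
class Controls:
    entry_effectiveness: float   # 1. protection from entry: share of entries blocked
    abuse_effectiveness: float   # 2. protection from abuse: share of entries that cannot be abused
    detection_fraction: float    # 3. detection and response: share of the loss window cut short
    recovery_fraction: float     # 4. resilience and recovery: share of accumulated loss recovered


# Constructed threat landscape using the four profiles named on the slides.
PROFILES = (
    ThreatProfile("Espionage", 2.0, 0.5, 2_000_000, 0.8),
    ThreatProfile("Advanced crime", 4.0, 0.4, 500_000, 1.0),
    ThreatProfile("Bulk crime", 40.0, 0.2, 20_000, 0.7),
    ThreatProfile("Hacktivism", 3.0, 0.3, 100_000, 0.6),
)
WEAK_CONTROLS = Controls(0.3, 0.2, 0.2, 0.1)     # assumed "before" posture
STRONG_CONTROLS = Controls(0.8, 0.6, 0.7, 0.3)   # assumed "after" posture


def poisson(rate: float, rng: random.Random) -> int:
    """Knuth's inversion sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(profiles, controls: Controls, rng: random.Random) -> float:
    """Run the attack process model once and return the year's accumulated loss."""
    total = 0.0
    for tp in profiles:
        for _ in range(poisson(tp.attempts_per_year, rng)):
            # a) entry: the attempt must get past the entry controls
            if rng.random() >= tp.entry_prob * (1.0 - controls.entry_effectiveness):
                continue
            # c) abuse: entry alone causes no loss if the asset cannot be abused
            if rng.random() < controls.abuse_effectiveness:
                continue
            # accumulating losses, shortened by b)/d) detection and response
            loss = rng.lognormvariate(math.log(tp.loss_per_abuse), tp.loss_sigma)
            loss *= 1.0 - controls.detection_fraction
            # e) recovery of losses
            total += loss * (1.0 - controls.recovery_fraction)
    return total


def cyber_value_at_risk(profiles=PROFILES, controls=WEAK_CONTROLS, runs: int = 5000,
                        confidence: float = 0.95, seed: int = 1) -> dict:
    """Return expected loss, the empirical VaR at `confidence`, and a normal approximation."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(profiles, controls, rng) for _ in range(runs))
    empirical_var = losses[min(runs - 1, int(confidence * runs))]
    mean = statistics.fmean(losses)
    sd = statistics.pstdev(losses)
    # The slides collapse all factors into a single normal distribution; the one-sided
    # 95% quantile of a normal is mean + 1.645 * sd. Comparing it with the empirical
    # quantile shows how far that assumption sits from the simulated, skewed loss tail.
    normal_var = mean + 1.645 * sd
    return {"expected_loss": mean, "var": empirical_var,
            "var_normal": normal_var, "worst_case": losses[-1]}


if __name__ == "__main__":
    for label, ctl in (("weak", WEAK_CONTROLS), ("strong", STRONG_CONTROLS)):
        r = cyber_value_at_risk(controls=ctl)
        print(f"{label:6s} controls: expected loss {r['expected_loss']:>12,.0f}  "
              f"95% VaR {r['var']:>12,.0f}  normal approx {r['var_normal']:>12,.0f}")
```

Reading the output the way the slides frame it: the "var" figure is the X in "will not lose more than X over the period with 95% confidence", and the gap between the weak and strong runs is the value impact of the controls, which is the number a CRO can set against the control budget. The normal-approximation column is there to make the simplification visible rather than to recommend it.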
Business management of cyber risk
Actionable insight based on a dashboard
The cyber risk dashboard displays:
• Exposure to cyber risks based on cyber risk threat levels and cyber security in the portfolio
• Plotted against the risk appetite
• Resulting in the cyber Value at Risk
Cyber resilience framework:
Input – threat scenarios, cyber risk control data, cyber risk vision, cyber risk appetite, incident data
Processing – cyber threat intelligence (CTI), cyber risk quant model, cyber security analytics, dashboard
Result – cyber security effective, cyber security efficient, cyber risk managed, cyber ecology secure
A multi-disciplinary approach for comprehensive view on cyber risk
Cyber Value at Risk network – academic research
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.nl/about for a more detailed description of DTTL and its member firms.
Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries bringing world-class capabilities, insights, and high-quality service to address clients' most complex business challenges. To learn more about how Deloitte's approximately 225,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.