Capita - Managing Cyber Risk in the Enterprise - DW-V1

Managing Cyber Risk in the Enterprise, Security Leadership Summit
Dave Whitelegg CISSP, Head of Information Security & Payments, Capita plc, February 2016

Transcript of Capita - Managing Cyber Risk in the Enterprise - DW-V1

Page 1: Managing Cyber Risk in the Enterprise

Security Leadership Summit

Dave Whitelegg CISSP
Head of Information Security & Payments
Capita plc, February 2016

Page 2: The Traditional Information Security Approach

[Chart: Risk plotted as Impact against Frequency, with the traditional Information Security focus marked]

• Industry Best Practice Information Security
• Traditional ‘out of the box’ ‘Security Focus’ and Controls

Page 3: Evolving Threat Landscape

[Chart: Risk plotted as Impact against Frequency, with the Information Security focus marked]

• Attackers are increasingly successful at evading traditional infrastructure-focussed security controls, e.g. DDoS, Zero-Day Exploits, Spear Phishing, Social Engineering, Sophisticated Attacks
• Growing number of Opportunistic Attacks, e.g. Hacktivists, Criminals, Insiders
• The Cost of Attacks is Falling and Attacks are Easier to Perform

Page 4: Evolution of Information Security

[Chart: Risk plotted as Impact against Probability, showing the Best Practice InfoSec focus alongside Risk Based Cyber Security]

• ‘One Size’ Security doesn’t fit a ‘diverse’ Enterprise
• Best Practices and InfoSec Policy set a ‘Minimum Enterprise Baseline’ for Security
• Traditional Best Practice InfoSec + Risk Based Cyber Security

Page 5: Assessing and Managing Cyber Risk

$$\text{Cyber Risk} = F(\text{Likelihood}, \text{Impact}) \qquad (*)$$

[Diagram: Threat Actor, Aims, Threat Scenario and Target Asset, the inputs to the likelihood assessment]

$$\text{Likelihood} = F(\text{Vulnerability}, \text{Capability}, \text{Motivation}) \qquad (**)$$

Page 6: Cyber Threat Model

[Diagram: a Threat Actor (characterised by Motivation and Capability) “has” Aims, “which may affect” a Target Asset, “using” a Threat Scenario, “causing” the impact assessed by (*). Threat Intelligence feeds the Identification and Categorisation of Threat Actors.]

Threat Model Goals
• Categorises Threats, Assets & Compromise Methodologies
• Measure Cyber Risks
• Identify Mitigating Controls

$$\text{Cyber Risk} = F(\text{Likelihood}, \text{Impact}) \qquad (*)$$

Page 7: Cyber Risk: Target Assets

Identifying Critical Assets (Criticality Assessment)

Q. What is the Business Impact from a compromise of this asset?

Informational Assets: a data set or other information source which has critical value to the operation of the business. Compromise of this information asset would have material impact on the objectives of the business.

Non-Informational Assets
• Physical Infrastructure
• Business Operations & Services
• People

Q. How Vulnerable are Target Assets to Threat Actors?

[Section: Threat Model]

Page 8: Threat Actors

A Threat Actor’s general aim is to cause a negative business and/or positive personal impact, through a compromise of an Asset’s:
• Confidentiality
• Integrity
• Availability

Page 9: Threat Model: Threats to the Enterprise

[Diagram: the Enterprise at the centre, surrounded by its threat actors]
• Disgruntled Insider
• Insider Trader
• Press
• Criminal Insider
• State-sponsored hacker
• Researcher
• Whistle Blower
• Private investigator
• Hacktivist
• Accidental Insider
• Criminal
• Third Party
• Criminal Group
• Competitor
• Rogue Trader

Page 10: Threat Actor Categories

[Diagram: the threat actor set from the previous slide, with four categories expanded]

Criminal
• Lone actor
• Theft of funds/assets
• Financial reward

Accidental Insider
• Friendly insider
• Lack of training
• Stress

State-Sponsored Hacker
• Foreign intelligence-backed hacker
• Customised attacks
• Geopolitical ideology
• Money

Hacktivist
• Like-minded individuals
• Chaotic
• Defacement / DoS
• Political causes
• Fun

Page 11: Cyber Risk: Measuring Threat Levels

Motivation is the qualitative metric used to relatively categorise the intent and dedication of the Threat Actor: High, Medium, Low

Capability is the qualitative metric used to relatively categorise the skills and tools available to the Threat Actor: High, Medium, Low

A Threat Actor’s Threat Level is a function of Capability & Motivation
• The likelihood of a risk occurring, i.e. a capable, motivated Threat Actor seeking to compromise a particular information asset is more likely to succeed

Threat Intelligence: Threat levels aren’t static

[Diagram: Threat Level plotted as Capability against Motivation]

Page 12: Threat Actor Aims & Threat Scenarios

Aims
• Hacktivist Group wishes to cause embarrassment to client ‘Company A’
  • Disrupt client services
• Criminal Insider is financially self-motivated to steal customer credit card data
• State Sponsored Hacker seeks to destabilise the UK economy
  • Negatively affecting the share price of FTSE 100 companies

Threat Scenarios (specific attack methods with measurable outcomes: Impact)
• Hacktivist Group DDoS attack on the Data Centre’s Internet facing Connectivity
  • The objective is to take down a client’s hosted web service
• Criminal Insider writes down credit card numbers during customer phone call interaction
  • The objective is to steal credit card data from the Call Centre, then commit fraud
• State Sponsored DDoS attack on the corporate website at financial year end
  • The objective is to prevent release of the company’s annual financial results

Page 13: Cyber Risk Management

[Diagram: Cyber Risk plotted against Threat Level]

Risk Treatment
• Acceptance and do nothing
• Acceptance with a Contingency Plan (when it happens)
• Mitigation Plan (Reduce Risk, Avoid, Transfer)
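Slides 5, 11, 12 and 13 give the formulas (*) and (**), the High/Medium/Low scales for Motivation and Capability, three threat scenarios and the three treatment options, but leave the form of F open. The Python below is an added worked example, not code from the deck or from Capita: the multiplicative form of F and its thresholds, the High/Medium/Low ratings assigned to the slide 12 scenarios (including Vulnerability and Impact), and the mapping from risk level to treatment option are all assumptions made for illustration. It also demonstrates the slide 11 point that threat levels aren’t static, by re-running an assessment after a threat-intelligence update changes an actor’s rating.

```python
"""Qualitative cyber-risk scoring following the deck's formulas:
   (*)  Cyber Risk = F(Likelihood, Impact)
   (**) Likelihood = F(Vulnerability, Capability, Motivation)
The concrete form of F, the thresholds and every rating below are assumptions
made for this example; they are not the deck's own values."""
from dataclasses import dataclass, replace

# High/Medium/Low scale from slide 11, mapped to ordinals so ratings can be combined.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Risk treatment options from slide 13; which level gets which option is an assumed policy.
TREATMENT = {
    "Low": "Acceptance and do nothing",
    "Medium": "Acceptance with a Contingency Plan",
    "High": "Mitigation Plan (Reduce Risk, Avoid, Transfer)",
}


def combine(a: str, b: str) -> str:
    """Assumed form of F: multiply two ordinal ratings and fold the product (1..9)
    back onto the three-level scale. High x High and High x Medium stay High;
    a Low on either side pulls the result down."""
    product = LEVELS[a] * LEVELS[b]
    if product <= 2:
        return "Low"
    if product <= 4:
        return "Medium"
    return "High"


@dataclass(frozen=True)
class ThreatActor:
    name: str
    motivation: str   # intent and dedication of the actor (slide 11)
    capability: str   # skills and tools available to the actor (slide 11)

    def threat_level(self) -> str:
        # Slide 11: Threat Level is a function of Capability & Motivation
        return combine(self.capability, self.motivation)


@dataclass(frozen=True)
class ThreatScenario:
    actor: ThreatActor
    target_asset: str
    method: str          # specific attack method with a measurable outcome (slide 12)
    vulnerability: str   # how exposed the target asset is to this actor (slide 7)
    impact: str          # business impact of the compromise (criticality assessment)


def likelihood(s: ThreatScenario) -> str:
    """(**) Likelihood = F(Vulnerability, Capability, Motivation)."""
    return combine(s.actor.threat_level(), s.vulnerability)


def cyber_risk(s: ThreatScenario) -> str:
    """(*) Cyber Risk = F(Likelihood, Impact)."""
    return combine(likelihood(s), s.impact)


def assess(s: ThreatScenario) -> dict:
    """Full assessment of one scenario, ending in the assumed treatment decision."""
    risk = cyber_risk(s)
    return {"scenario": f"{s.actor.name}: {s.method}",
            "threat_level": s.actor.threat_level(),
            "likelihood": likelihood(s),
            "risk": risk,
            "treatment": TREATMENT[risk]}


# The three scenarios from slide 12; all ratings are constructed for this example.
HACKTIVIST = ThreatActor("Hacktivist Group", motivation="Medium", capability="Medium")
INSIDER = ThreatActor("Criminal Insider", motivation="High", capability="Low")
STATE = ThreatActor("State Sponsored Hacker", motivation="High", capability="High")

SCENARIOS = [
    ThreatScenario(HACKTIVIST, "Data Centre Internet facing connectivity",
                   "DDoS to take down a client's hosted web service",
                   vulnerability="Medium", impact="Medium"),
    ThreatScenario(INSIDER, "Customer credit card data (Call Centre)",
                   "writes down card numbers during phone calls, then commits fraud",
                   vulnerability="High", impact="High"),
    ThreatScenario(STATE, "Corporate website at financial year end",
                   "DDoS to prevent release of the annual financial results",
                   vulnerability="Low", impact="High"),
]


def reassess_with_intel(s: ThreatScenario, **actor_updates) -> dict:
    """Threat levels aren't static: re-run the assessment after threat intelligence
    changes an actor rating (e.g. an announced campaign raises Motivation to High)."""
    return assess(replace(s, actor=replace(s.actor, **actor_updates)))


if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(assess(scenario))
    print(reassess_with_intel(SCENARIOS[0], motivation="High"))
```

With these assumed ratings the hacktivist DDoS scores Medium and would be accepted with a contingency plan, while the insider and state-sponsored scenarios score High and go to a mitigation plan; raising the hacktivist group’s Motivation to High on fresh intelligence moves that scenario to High as well, which is exactly the re-assessment loop slide 15 calls a continual process.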

Page 14: Strategic Enterprise Cyber Threat & Risk View

[Chart: the enterprise-wide threat and risk view, used to focus Threat Intelligence efforts and to focus Enterprise Security efforts]

Page 15: Enterprise InfoSec keeping pace with Evolving Threats

[Diagram: Continual Process]

Page 16: Questions?