Cyber Security Defenses - SEL Home | Schweitzer ... · The following cyber risk management process...


Page 1

Cyber Security Defenses

Key Goals for Successful Cyber Security

Page 2

Cyber Security Defenses

Key Goals for Successful Cyber Security

Awareness: Recognizing the security chasm

Budget: Building support

People: Gathering the team

Impact: Long term sustainability


Page 3

The security chasm

Page 4

The security chasm


Page 5

The security chasm

The chasm

Page 6

The security chasm - formed from below

Diagram (reconstructed from the slide labels): below the chasm sits the Office of the CSO (Intra-CSO), made up of Ops, the CSO and Inc. Resp (incident response). Its span of concern runs from breach investigation to patch management, and it is focused on threat & vulnerability mitigation, that is techno-operations, which the business side hears as "techno-babble". Above the chasm sit the CEO, GC, BOD, CFO, CRO and COO.


Page 7

The security chasm - formed from above

Diagram (reconstructed from the slide labels): above the chasm sits the Office of the CEO (Inter-CXO): CEO, GC, BOD, CFO, CRO and COO, with the CIO alongside. This layer shows IT and security phobia and focuses on traditional business, financial and operational risks.

Page 8

The impact of the security chasm

Diagram (reconstructed from the slide labels): the two halves of the earlier diagrams are placed together. Office of the CEO (Inter-CXO): CEO, GC, BOD, CFO, CRO and COO, plus the CIO, focused on traditional business, financial and operational risks. Office of the CISO (Intra-CISO): Ops, CISO and Inc. Resp, spanning breach investigation to patch management and focused on threat & vulnerability mitigation. The chasm between the two offices produces two outcomes:

► Inadequate standard of care

► Inadequate level of protection


Page 9

Building Support

Page 10

Global cybercrime economy: opportunistic threat

Diagram (reconstructed from the slide labels; the slide maps the criminal roles of the cybercrime economy, with the price points shown beside each role):

► Implant / root kit developer: $10K+ for zero day

► Exploit developer: $500+, $10K+ for zero day

► Exploit pack: $1K+

► Wizard: $1,000+

► Botnet vendor: $100 per 1000 infections

► Recruiter: 100s of mules/week

► Drop man, account buyer, affiliate

► Bot-master, ID thief, endpoint exploiters

► Victims: ~4% of bank customers

► Secondary: retain 10%, $50

► Forger; cashier, mule; bank broker (keep 10%, keep 50%)

► Bulk accounts: $50 per $5K

► Micro transfers, ATM

► Back office developer, rogue ware developer, payment system developer

Underlying economics: specialization, innovation, reuse, bid/purchase exchanges


Page 11

Business risk as a function of cyber threat

Chart (reconstructed from the slide labels): business risk plotted against attacker degree of capability (Low, Medium, High). Threat categories shown: cybercrime, industrial espionage, hacktivism, cyber warfare and cyber terrorism, each marked with a likelihood label (higher, medium or lower) and noted as very asset type specific.

There is increasingly less separation between an attacker and its motives – the community cooperates to leverage each other's skills, methods and technology.

Page 12

Attacks target business information of global energy companies

Sources: Global Energy Cyberattacks: "Night Dragon" by McAfee Foundstone Professional Services and McAfee Labs, February 10, 2011

► Targeted cyber attacks against global oil, energy, and petrochemical companies in November 2009

► Goal: steal sensitive competitive proprietary operations and project-financing information of oil and gas field bids and operations

► Source of attacks identified to be China


Page 13

Compromising the technology that secures us

Public Key Infrastructure

2 factor authentication

Security Technology vulnerabilities

► RSA SecurID 2 factor authentication compromised: RSA states "information could… be used to reduce the effectiveness of [SecurID] as part of a broader attack."

► Dutch Certificate Authority DigiNotar compromised - 531 fraudulent SSL certificates issued

► Affected: Yahoo, Skype, Facebook, Twitter, Microsoft's Windows Updates, CIA, MI6, Mossad, Google

► An increasing number of patches are for vulnerabilities in security technology

Page 14

State sponsored: advanced threat

► Portions of the Chinese cyber threat assessment declassified

► Militarized attack units

► Militarized exfiltration units

► Cooperation with local hacker communities


Page 15

Nothing is beyond their reach

► "Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever...

► "the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft."

http://online.wsj.com/article/SB124027491029837401.html#ixzz1dQEQ283S April 29, 2009

Page 16

Connecting the dots

The dots on the slide, in order: Adobe Flash vulnerability, RSA SecurID 2-factor technology, Lockheed Martin systems, military secrets

► "Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets…," RSA said

► RSA said it had confirmed information taken from it in March was used in the attack on Lockheed Martin


Page 17

Technology risk management to counter cyber threats

Diagram (reconstructed from the slide labels): Cyber Risk Mgt is placed across the chasm and is defined by three elements: standard of due care - disclosure; enterprise risk management - cyber; acceptable level of compromise. The Office of the CEO (CEO, GC, BOD, CFO, CRO, COO, with the CIO) manages cyber legal risk, cyber financial risk and cyber operational risk to an adequate level. The Office of the CISO (Ops, CISO, Inc. Resp) now spans exfiltration prevention & breach investigation through to business assurance, protecting the most valued assets & critical business systems. A $ label between the two offices marks the budget link.

Page 18

Gathering the team


Page 19

Attacker degree of capability

Chart (reconstructed from the slide labels): attacker degree of capability (DOC) on the vertical axis, with three threat tiers.

High DOC - Advanced threat

► Actor: State sponsored (industrial espionage)

► Assets: IP, business systems, control systems

► Motivation: political, military and economic

► Capability: long-term pattern of targeted attacks (continue until success is achieved), sophisticated, well funded, state trained

► Targets: governments, companies & activists

Medium DOC - Opportunistic threat

► Actor: Organized crime (personal information); Hacktivist (information deemed embarrassing)

► Motivation: profit, revenge

► Capability: short term pattern of attack (will move on to softer targets), self trained

► Targets: companies with customer information

Low DOC - Nuisance threat

► Actor: Individuals

► Motivation: fun, challenge, vandalism

► Capability: limited, readily available tools

► Targets: of personal relevance

Page 20

Security is a degree of difficulty

Chart (reconstructed from the slide labels): the same attacker degree of capability axis (Low DOC - nuisance threat, Medium DOC - opportunistic threat, High Degree of Capability - advanced threat), now plotted against assets.

Rethinking security


Page 21

Characteristic of advanced adversaries

Adversary

► APT is a human adversary, unlike botnets

► Well resourced, sophisticated, protected

► Attacks are customized based on target

Persistent

► Formally tasked to accomplish a mission - will not stop until successful

► Will maintain access/control over time, anticipating discovery with "cat & mouse" plans

Advanced

► Operate across full spectrum of intrusion capabilities

► Develop new tools/techniques necessary to succeed

► Complex execution requiring 3rd party/technology compromises

Page 22

Characteristics of team

► Operational Knowledge

    ► EMS/SCADA

    ► ICS/DCS

    ► Field Devices

► Technical Knowledge

    ► Information Protection

    ► Identity and Access Governance

    ► Perimeter Security

► Tools

    ► DLP

    ► IDM/GRC

    ► SIEM/IDS/IPS


Page 23

Long term sustainability

Page 24

How difficult will it be to succeed

Diagram (reconstructed from the slide labels): four questions arranged around the target.

► Asset - What do they want? Control systems, PII, IP, business systems

► Target - Why are you targeted?

► Threat agent - Who is attacking you? Attacker capability level

► Security - How difficult will it be to exfiltrate?

Rethink security: Stop the intent of the attack, not necessarily the attack


Page 25

From prevention to preparedness & response

Timeline on the slide: Before / During / After, mapped to the functions Govern / Respond / Contain.

► Preparation and planning are key to minimizing damage, meeting fiduciary responsibilities, and reducing the impact of SEC cyber risk & incident disclosures

Emerging focus

Page 26

Effective management of cyber risks

Table (reconstructed from the slide): each function (stakeholder) against the three phases of technology risk management for cyber risks - Govern (ongoing), Respond (incident & breach), Contain (damages & liabilities).

Board/Audit Committee

    Govern (ongoing)

    ► Set standard of due care

    ► Periodically evaluate cyber risk governance and review annual cyber risk assessment

    ► Issue cyber risk disclosures as per SEC guidance

    Respond (incident & breach)

    ► Receive breach notifications and governance updates

    Contain (damages & liabilities)

    ► Re-evaluate cyber risk governance oversight

    ► Re-evaluate standard of due care

    ► Re-evaluate cyber risk disclosures

Risk management (e.g., CRO)

    Govern (ongoing)

    ► Define and oversee ongoing technology risk management program for cyber risks

    Respond (incident & breach)

    ► Monitor breach and cyber risk trends and measure risk management execution

    Contain (damages & liabilities)

    ► Evaluate effectiveness of cyber breach response and technology risk management, improve

Legal (e.g., GC)

    Govern (ongoing)

    ► Develop cyber risk legal response strategy

    ► Approve cyber breach response program

    Respond (incident & breach)

    ► Execute breach communications plan

    ► Execute authority/regulator response plan

    Contain (damages & liabilities)

    ► Perform cyber risk liability control (long lived)

Information security (including incident response team) (e.g., CISO)

    Govern (ongoing)

    ► Build threat mitigation program to plan/protect most critical assets

    ► Establish incident, investigation and forensics response programs; conduct tests

    Respond (incident & breach)

    ► Detect and respond to incident

    ► Execute investigation plans including incident forensics

    Contain (damages & liabilities)

    ► Assess effectiveness of cyber incident response

    ► Execute incident remediation plan, assess effectiveness


Page 27

C-suite Management of Cyber Risks

Making a sound business decision with respect to managing cyber risks

► The following cyber risk management process is a life cycle that should be conducted on a periodic basis

Phases shown across the top of the slide: Cyber Risk Analysis, Cyber Risk Management Analysis, Execution. Steps, with the owning function in parentheses:

1. Cyber threat agent analysis (Security/Risk)

2. Business impact analysis (LOB/Risk)

3. Legal impact analysis (Legal/Risk)

4. Risk management options (Risk/LOB)

5. Financial cost/benefit analysis (Finance/Risk)

6. Cyber risk management decision (LOB/Risk)

7. Cyber risk management execution (All)

Page 28

Benefits to business management

► Meet the standard of due care:

    ► Become more cyber risk aware (Cyber Threat Analysis)

    ► Understand the potential impact cyber risk can have on its business (Business Impact Analysis, Legal Impact Analysis)

    ► Understand the possible options available to manage the risk (Risk Management Options)

    ► Understand the cost implications of managing the risk (Financial cost/benefit analysis)

    ► Determine/refine its risk tolerance

► Ability to execute a sound cyber risk management program based on its risk tolerance

► In the event of an incident, refute claims of inadequate standard of due care/level of protection – reduce liability


Page 29

Further information

Joshua M. Axelrod | CISSP CISA | Senior Manager

Information Security Practice Lead for Power and Utilities

Advisory Services Center of Excellence

Ernst & Young, LLP

Brewery Block 2, 1120 NW Couch Street, Suite 425

Portland, OR 97209-4125, United States of America

Office: +1 503 414 7961 | Mobile: +1 541 760 8395 | [email protected]

Website: www.ey.com