Infosec 2014: Meeting Regulation and Compliance Challenges in the Banking and Finance Sector:...
Situational Awareness is Key
Risk Management for Financial Services
• BT Risk Hourglass
• BT Cyber Risk Hierarchy
• Business Case Challenges
• Justifying Risk Mitigation Expenditure
• Case Study
– The Merger
– Project Methodology
– Results
Risk Management for Financial Services: Putting Things into Perspective
Risk Hourglass – Case Study

Hourglass stages (diagram labels; the figure itself is not reproduced):
• Detection
• Prevention
• Emergency Response
• Incident Management
• Material Event(s)
• Non-Material Event(s)
• Consequential Event(s)
• Crisis Management
• Disaster Recovery
• Financial Compensation
• Insurance Coverage

Case study annotations:
• POS equipment infected with RAM scraper and exfiltration malware.
• Data leak and malware trace signatures detected by FireEye and Symantec AV.
• Critical alerts and sirens were alleged to have been heard in the India and Brazil SOCs.
• SOC teams were reported to have alerted CERT, who in turn alerted IT management.
• Top Management ordered the SOCs to turn off the alerts/sirens and carry on, due to the Christmas shopping backlog.
• Target alerted by Federal Authorities. By then 40 million credit/debit card details had been downloaded.
• Estimated $420 million in customer compensation, $100 million in cyber insurance claims and 90 court orders.

Elapsed time from detection to notification: 2 weeks!

Diagram axes: Time, Money, People/Process
Cyber Risk Hierarchy

Operational ‘Cyber Risks’ (diagram labels; the figure itself is not reproduced):
• Overload
• Sabotage
• Infrastructure or Processes Destroyed or Control Taken Over
• Web Pages Defaced, Abused or Infected
• Systems Overwhelmed in a Denial of Service (DDoS) Attack
• Personal Data Stolen and Exploited
• Industrial Espionage
• Commercially Sensitive and Valuable Information Intercepted or Uploaded
• Data Theft
• Data Exposed, Publicised or Corrupted

Impact categories: Service Interruption, Vandalism, Theft of Information
Security properties: Confidentiality, Availability, Integrity
BT in commercial confidence
Business Case Challenges
An example of a common scenario we find in business today
Business Case Challenges
But the reality is very different…
Justifying Risk Mitigation Expenditure: Business Case

• Risk mitigation may have to compete for funds with plans for growth and greater efficiency
• Executive scorecards rarely include risk reduction, but may include growth, cost reduction and defence of market share
• Risk mitigation aims to cut potential losses and unbudgeted expenditure
• Support for cost reduction is only realistic for high-frequency risks
• Fear, Uncertainty and Doubt (FUD) play a major role
• Regulatory compliance is a common theme
• Avoiding reputation and brand damage is an intangible justification
• Avoidance of regret is an underlying principle
• Satisfying audit requirements is a valid justification with risk-based auditing
• A clear definition of risk appetite makes justification much easier
A Case Study - The Merger
Project Methodology
• Network Perimeter Discovery
• Vulnerability Assessment
• Rogue Device Detection
• Risk Exposure Analysis
BT Assure
Results: Visibility
• Assessed 250,000 endpoint devices
• Extracted configurations of 550 firewalls and 20,000 routers
• Network perimeter map of LTSB and HBOS networks
• Detailed all ingress/egress points