
Cyber Riskmgmt Awareness


Cyber-security Risk Management

Introduction:
The "Capra cu Trei Iezi" (The Goat with Three Kids) Incident

1. Context
   Actors: Hacker; IT & Security; Business Lines
2. Prevention Activity
   A solid house + password stored in clear text, unprotected:
   Awareness of the three kids ("3 iezi cucuieți") ...
   (But no testing)
   etc.
3. Business as Usual
   (The threats are obvious, but not to the business lines)
4. Vulnerability Scan and Identification (RECON phase)
5. Exploit preparation
6. The Attack
7. Disaster Plan activation and execution
8. Post-Incident Impact Assessment
9. Reaction: Honeypot (Offensive Security)
10. Post-Incident analysis and Action Plan

a) NO more business for 2 business lines – game over
b) Security is essential for business activities in:
   I. Prevention
   II. Detection
   III. Reaction
c) Vulnerabilities are open gates for hackers
d) Knowing our vulnerabilities and risks is essential:
   a) Identify risks
   b) Measure
   c) Mitigate
   d) Follow up
   e) Report
e) Implement and promote a security mindset and culture


Security Mission:

The security function is a vital business enabler and support.

The main drivers, from a security perspective, to deliver expertise and added value are:
a. Understand the Business Strategies, Objectives, Stakes and Processes
b. Understand the IT technologies which support Business Operations
c. Understand the Regulatory Framework in the industry concerning cyber-security
d. Understand the Threats that could affect Business Operations
Cyber-Threats: 4 main categories against an Organization:

a) From Internet connectivity mainly by:


1. Phishing against employees
2. Attempts for Intrusion in the infrastructure

b) From Collaboration with Partners - malware or intrusion coming from a compromised partner:
1. VPN maintenance connectivity
Examples: Finastra, Sopra, Diebold Nixdorf are partners which in 2020 suffered ransomware penetration of their
infrastructure and could have contaminated client infrastructure
2. Backdoor in code development and/or applications from 3rd parties
Example: 2020 - SolarWinds application backdoor vulnerability, which affected many important companies like FireEye,
Microsoft, Ford, Visa, MasterCard, even US agencies (Secret Service, Dept of Defense...)
c) From Internal weaknesses/vulnerabilities
1. Extended (too permissive) access rights in applications
2. Data leakage via emails, USB, uploads
3. Existence of internal unpatched critical vulnerabilities
4. Permissive derogations and exceptions
5. Internally developed vulnerable code (not secured, insufficiently tested)

d) From Regulatory or non-compliance context (as an emerging risk)


1. Numerous legislative initiatives concerning Information Security
2. Lack of systematic Security Clauses in contracts
How to Mitigate the Threats?

a) Threats from Internet connectivity


Threats from Internet connectivity are the first priority in mitigation.
- Build the SOC (Security Operation Center) team as a dedicated first level of defense in order to assure the Prevention, Detection and Reaction capabilities
- Implement advanced security defense systems:
  - SIEM (Security Information and Event Management),
  - anti-DDoS system, reputational intelligence filter for emails and browsing,
  - Sandbox for detonating email attachments and downloads before delivery,
  - Proxy-Gateway for traffic anti-malware inspection and control,
  - EDR (Endpoint Detection and Response – OS process behavior),
  - SOAR (Security Orchestration, Automation and Response – for an automatic response to mass attacks),
  - Intelligence services collaboration,
  - Permanent external vulnerability scans
The effectiveness of the defense system has been proved many times, detecting attacks such as:
- Cryptolocker attacks, e.g. Emotet malware, which affected many companies worldwide
- Permanent phishing attacks (impersonating DHL, the Romanian Post Office, etc.)
- Vishing (voice) attacks on employees
All intrusion attempts were detected and mitigation measures applied

- Complementary measures for the effectiveness of the defense framework:
  - Improve the detection capability of the SIEM by mapping the new cyber-defense strategy into correlated rules and establish a process of continuous improvement
  - Yearly tabletop cyber-attack exercises
  - Collaboration with other organizations, authorities and national cyber defense services
  - Continuous SOC monitoring activity 24/7
  - Permanent awareness program for users, partners and clients
How to Mitigate the Threats? (cont)

b) Threats from Collaboration with Partners


1. Remote connectivity with providers:
- Inventory of remote accesses; default access is disabled
- VPNs are opened only when needed, initiated by the beneficiary
- Implement security measures: 2FA, console segregation, activity monitoring (zero-trust mindset)
- Have clear contracts with security clauses

2. Development of code as a service, and 3rd party applications – many organizations depend on external code development and external applications to deliver IT services. In order to mitigate the risk of non-securely developed code:
- Implement a distinct platform with automated software development, including external service coding: SecDevOps
  - Enhance security code validation in the automated development process
  - Permanent programmer awareness
- Penetration tests for all exposed systems and sensitive internal applications
- Patch management process
- Implement security assessment technologies based on ML&AI (Machine Learning and Artificial Intelligence) to detect suspicious traffic and behaviors
How to Mitigate the Threats? (cont)

c) Threats from Internal Employees:


- Data Classification tool for enforcement of Information classification
- DLP system (in alert and prevent mode)
- Security of authentication: Two-Factor-Authentication
- IAM global coordination function (govern the access applications via Matrix of Rights, Dictionary of Profiles and
Toxic Combinations, applying “minimum privileges” and “segregation of duties” principles)
- Security of sensitive data: Encryption of Databases
- Anonymization of data outside production
- Exception management system (USB, local admin, extended Internet)
- Permanent Awareness campaigns
- Internal Vulnerability and Obsolescence Management (virtual patching system for obsolete systems)
- Non-standard software installation management
- Data Breach detection automatic tool (equivalent of EDR at network level)

d) Threats from the Regulatory and compliance context:


- Internal Security Framework in continuous evolution
- Security clauses for all new contracts
- Internal business process security validations (new processes, bypasses, modifications, evolutions)
- Change Advisory Board for new Products and Externalizations with security validations
Main threats – graphical presentation
[Diagram: the Attacker reaches the organization over the Internet; four threat paths are shown]
1. DDoS Attack (from the Internet)
2. Malware against the Bank via Users (Remote Users, Onsite Users) or via Partners (software delivery, maintenance)
3. Insider Accomplice Threat
4. Malware against Clients (E-Banking Clients)
Notions associated with cyber risk
1) Risk Genesis (3 simultaneous elements):
1. Asset
2. Threat
3. Vulnerability
=> Risk; Risk Value = Probability x Impact

2) Cyber-Risk Management
= Coordinated, economical activity/process of identification, assessment and prioritization of risks, followed by the application of resources to minimize, monitor and control the probability and impact of adverse events.
3) Concepts of Risk Management:

Risk Appetite = the level of risk an ORG is prepared to accept in pursuit of its objectives before action is deemed necessary to reduce the risk
Risk Tolerance = the maximum cost (financial, reputational, impact) that is acceptable for a short or limited time
3) Concepts of Risk Management - cont:
RM Standards
- NIST SP800-30: Conducting RA
- NIST SP800-37: Risk Framework
- NIST SP800-39: Managing Risk
- ISO 27005: IS Risk Mgmt
- ISO 31000: RM Guidelines
- ISO 31010: RA Techniques
- ISO Guide 73: RM Vocabulary

4) RM Frameworks
The CISO should promote an effective RM model for the ORG, inspired by the various RMFs
RMF categories
1) Cyber-Security RMFs (COBIT.5 for Risk, FAIR, ISO.27005, NIST.SP800-37, TARA, OCTAVE, ISACA-Risk.IT.Framework)
2) ERM Frameworks (COSO, RMA Enterprise.Risk.Mgmt, ISO.31000)
3) RA Methodologies (IRAM2, FRAP)
4) General RMF (IGRC, RMA Ope.RMF, CRAMM – CCTA.Risk.Analysis&Mgmt.Method)
5) Essential elements of RM
1. Understand the context in which risk is managed
2. Create a RM Policy and obtain enforcement (buy-in from executive leadership)
3. Personalize risk (Appetite, Tolerance)
4. Understand the inventory of Assets requiring protection
5. Assign risk to asset (assign risk to asset owner), adopt a standardized RA form
6. Understand Threats and Vulnerabilities
7. Adopt a R.M.F.
8. Create a Risk Registry (track risk scores, treatments)
9. Perform Risk Compliance monitoring
10. Communicate Risk treatment and management to ORG
11. Continuously monitor ORG and assets for emerging risks

6) Risk Ownership
The Risk Owner is the Asset Owner
Assigning risk ownership can be political
The CISO does not take risk ownership (except for security projects)
The CISO does not have the legitimacy (authority, responsibility) to decide whether a risk is treated or accepted
7) Risk Calculation Formulas
Risk = Probability x Impact
Residual Risk = Inherent Risk – Control Effectiveness
[Diagram: Inherent Risk minus Control Effectiveness gives Residual Risk, which is compared against the Risk Appetite before the decision to Accept]

ALE (Annualized Loss Expectancy) = Cost_of_Risk x Likelihood (in a year)

Savings = ALE_initial – Cost.of.Control – ALE_final
Example
Cost_of_Risk = 1.000.000, likelihood = 5% => ALE_initial = 50.000 (per year)
If Cost.of.Control = 20.000E (per year), reducing the likelihood to 1% => ALE_final = 1.000.000 x 1% = 10.000
Savings (or ROI) = 50.000 – 20.000 – 10.000 = 20.000

AV = Asset Value
EF = Exposure Factor (% of damage if a threat materializes)
SLE = Single Loss Expectancy (estimated loss from a single event on the asset) = AV x EF
ARO = Annual Rate of Occurrence (estimated number of times the threat would occur over a period of 10 years)
ALE = Annualized Loss Expectancy (estimated cost of risk materialization x likelihood in a year) = SLE x ARO
Worked values:
AV = 2.000.000 | EF = 50% | SLE = 1.000.000 | ARO = 0,05 (1 time in 20 years) | ALE = 50.000
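As an added illustration (not code from the deck), the formulas of section 1 (Risk = Probability x Impact) and section 7 (SLE, ARO, ALE, Savings, Residual Risk) carried into a small Python risk-register calculator. The first register row reuses the deck's own AV/EF/ARO figures; the scenario names, the other two rows and the second (too expensive) control are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    """One risk scenario on one asset, in the deck's AV/EF/ARO symbols."""
    name: str
    av: float   # Asset Value
    ef: float   # Exposure Factor: fraction of AV lost if the threat materialises
    aro: float  # Annual Rate of Occurrence (0.05 = once in 20 years)

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.av * self.ef

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO, i.e. Impact x Probability per year."""
        return self.sle() * self.aro

def control_savings(ale_initial: float, cost_of_control: float, ale_final: float) -> float:
    """Savings (ROI of a control) = ALE_initial - Cost_of_Control - ALE_final."""
    return ale_initial - cost_of_control - ale_final

def evaluate_control(scenario: Scenario, cost_of_control: float, aro_after: float) -> dict:
    """Recompute ALE with the ARO the control achieves and decide whether it pays off."""
    treated = Scenario(scenario.name, scenario.av, scenario.ef, aro_after)
    savings = control_savings(scenario.ale(), cost_of_control, treated.ale())
    return {"ale_initial": scenario.ale(), "ale_final": treated.ale(),
            "savings": savings, "worth_it": savings > 0}

def prioritize(scenarios: list) -> list:
    """Risk Evaluation step: scenario names ordered by ALE, highest first."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.ale(), reverse=True)]

def residual_risk(inherent: float, control_effectiveness: float) -> float:
    """Residual Risk = Inherent Risk - Control Effectiveness (compare with Risk Appetite)."""
    return inherent - control_effectiveness

# Constructed sample risk register; the first row reuses the deck's worked figures.
REGISTER = [
    Scenario("ransomware on core DB", av=2_000_000, ef=0.50, aro=0.05),
    Scenario("phishing credential theft", av=480_000, ef=0.25, aro=0.50),
    Scenario("partner VPN compromise", av=1_000_000, ef=0.25, aro=0.04),
]

if __name__ == "__main__":
    print(prioritize(REGISTER))                         # highest yearly loss first
    print(evaluate_control(REGISTER[0], 20_000, 0.01))  # deck example: savings 20.000
    print(evaluate_control(REGISTER[0], 45_000, 0.01))  # control costs more than it saves
```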
8) Implementing a Risk Management Program

A) Adopt a Risk Management Model (from the main Risk Management Frameworks)
[Diagram: model combining ISO.27005 and NIST.SP800-37; its steps reference NIST.SP800-60, NIST.SP800-37, NIST.SP800-53 and NIST.SP800-53A, with NIST.SP800-30 for Risk Assessment and NIST.SP800-39 for Risk Management Guidance]
B) Create a RMP Governance (Policy, Procedures, Processes, Work Instructions, Standards or Model – ISO, NIST, COBIT, OCTAVE)

C) Execute the Risk Management Program Lifecycle:
[Diagram: lifecycle; the Risk Assessment stage consists of Identification, Analysis and Evaluation]
C) Execute the Risk Management Program Lifecycle (cont):

1. Risk Assessment
– Risk Identification
1) Identification of Assets
2) Identification of Threats (ISO27005 – Annex C, with A, D, E categories)
3) Identification of existing Controls
4) Identification of Vulnerabilities (ISO27005 – Annex D)
5) Identification of Consequences

– Risk Analysis (Quantitative vs Qualitative approach for each risk)
[Table reproduced from ISO27005 – Annex D]

– Risk Evaluation => Prioritized List of Risks

2. Risk Catalog
3. Risk Treatment = How to reduce Risk through the application of an action

4. Risk Acceptance
Decision from Risk owner to accept the Residual risk
Decision is Formally recorded

5. Risk Monitoring
New assets are included in the RMP
Necessary modification of asset values
New threats and vulnerabilities
Risk Aggregation (!) – aggregated risks increase the overall impact
Security incidents

6. Risk Reporting
Present the outcome of RMP
Present Risk Management Plan
Support decision making
Improve culture of Risk to stakeholders and decision makers
Improve awareness
Security Mission in an Organization

Security is a Business enabler

Business Centric Activity
- Understand the Business (Objectives, Stakes, Processes) & Strategies
- Understand the IT which supports the Business
- Understand the Threats that could affect the Business
- Understand the Regulatory constraints (internal, external)
Deliver Security in the Organization
- Define, Implement, Manage and Maintain the ISMP (Information Security Management Program)
- G – Governance via ISGP (Information Security Governance Program)
- R – Risk via RMF (Risk Management Framework)
- C – Compliance via ISMS (Information Security Management System)

Prevention & Detection & Reaction Capabilities
- IT Operational: Proactive Approach (Vulnerability, IAM&Apps, Awareness on cyber-threats); Incident or Crisis Response/Containment/Reaction/Remediation
- IT Development: Enhance DevOps into SecDevOps; Deliver Secure/Reliable, Vulnerability-Tested Code
Business Model
- Top Management: Strategic thinking; Business driving; Executive management
- Middle Management: Decision making; Implementing
- Operational layer: Day-by-day activity
Business Model – IT&C Perspective
- Core system: Customer databases; Payments-related systems; Internal communications network
- Networking: Firewalls, routers etc.; PCs, printers, employee mobile devices
- Organizational boundaries: Customer facing applications; Firewalls; Internet facing resources
Instead of closing remarks
- Compliance: PSD2; GDPR; NIS Directive; DORA; Future laws/acts
- Threats: Disruptions; Attacks; Organized crime; Undisclosed vulnerabilities
Examples of security controls transversal to Layers

Layer: Measures
- Human: Awareness; Phishing Tests; IAM
- Workstations (Laptops): Standard Image; Antivirus; Vuln. Scan; Patch Mgmt; EDR; Local.AccessRightsControl; Local.DLP
- Internet Connectivity: Reputational Posture; FWs; AV; Filtering&Inspect; WAF; Sandbox; Gateway (SSL inspect); DLP.Network; Remote-Access (VPN, Posture assessment, MFA)
- Partners Connectivity: VPN default closed; 2FA; Consoles; Monitor
- Internal Network: Segmentation; IDS; IPS; Breach Detection; AI&ML
- Servers, DB, Middleware: Scan+Patch; EDR; PAM
- Transversal: SOC; SIEM; SOAR; Threat intel; OSINT; HUMINT; SecDev
Thank you
