Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain Dr. Shaun Wang, FCAS, CERA

Transcription

1 Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain Dr. Shaun Wang, FCAS, CERA 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 1

2 Cyber Risk Management Project Government University Industry Collaboration Monetary Authority of Singapore Cyber Security Agency Nanyang Technological University SCOR; Aon; MSIG; Lloyd s; TransRe; Geneva Association; Verizon Launched in /13/2018 ULaval 2

3 Traditional Insurance Risk Randomness Law of Large Numbers Diversify through risk transfer Cyber Risk Human Factors Hackers, fishing Strengthen defense reduces risk 04/13/2018 ULaval 3

4 Quantify Cyber Risk Reduction ad function of Security Spend Global cybersecurity spend $100b per annum For a firm, what is the benchmark security budget?how effective? How much risk is reduced? For the eco system, what coordination / policies are needed? This talk is based on my recent paper: Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 4

5 1. Concept of Knowledge Set 04/13/2018 ULaval 5

6 Attack surface knowledge set Knowledge Set is a relative concept: 1) WHO 2) What actually knows should know but not know Unknown unknown 1) How 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 6

7 Knowledge Set & Cyber Breach Probability Given knowledge set Ω, for a given budget z, the firm may select any possible mitigating action within budget. Define Ω Ω: =1. If zero security investment, the firm would have a probability one of being breached. <0, for z>0. 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 7

8 Security Spend Production Frontier 04/13/2018 ULaval 8

9 1) Exponential Power 2) Proportional Hazard Benchmark Spending & Risk Reduction Equation benchmark security budget spend ratio 1 1 3) Wang Transform ln =f(revenue) 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 9

10 Optimal Security Spending A firm s data asset to protect has value R For the Exponential Power and the Proportional Hazard Class, the optimal spending has an upper bound For the Wang Transform Class, the optimal spending has an upper bound 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 10

11 Invest: (1) y in data/information, (2) z in defense/response 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 11

12 04/13/2018 ULaval 12

13 Multiple Areas of Vulnerability data asset route 1 route 2 route 3 Need to secure the full spectrum of areas of vulnerability Neglecting one area of vulnerability can render the overall security investment ineffective or wasteful 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 13

14 Data Segmentation & Multiple Checkpoints ICT System (segments are seperated by firewalls) factor 1 factor 2 Data Asset Data Segment 1 Data Segment 2 Data Segment 3 $$$$$ $$$ $ Multi factor authentication very effective Need protect key ($$$$$) data assets with extra security measures 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 14

15 NIST Framework Function Category ID Asset Management ID.AM Business Environment ID.BE Identify Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Protect Information Protection Processes & Procedures PR.IP Maintenance PR.MA Protective Technology PR.PT Anomalies and Events DE.AE Detect Security Continuous Monitoring DE.CM Detection Processes DE.DP Response Planning RS.RP Communications RS.CO Respond Analysis RS.AN Mitigation RS.MI Improvements RS.IM Recovery Planning RC.RP Recover Improvements RC.IM Communications RC.CO 04/13/2018 ULaval Subcategory ID.BE 1: The organization s role in the supply chain is identified and communicated ID.BE 2: The organization s place in critical infrastructure and its industry sector is identified and communicated ID.BE 3: Priorities for organizational mission, objectives, and activities are established and communicated ID.BE 4: Dependencies and critical functions for delivery of critical services are established ID.BE 5: Resilience requirements to support delivery of critical services are established Informative References COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05 ISO/IEC 27001:2013 A , A , A NIST SP Rev. 4 CP 2, SA 12 COBIT 5 APO02.06, APO03.01 NIST SP Rev. 4 PM 8 COBIT 5 APO02.01, APO02.06, APO03.01 ISA : , NIST SP Rev. 4 PM 11, SA 14 ISO/IEC 27001:2013 A , A , A NIST SP Rev. 4 CP 8, PE 9, PE 11, PM 8, SA 14 COBIT 5 DSS04.02 ISO/IEC 27001:2013 A , A , A , A NIST SP Rev. 4 CP 2, 15CP 11, SA 14 15

16 Apply our Knowledge Set to Quantify NIST Risk Management Framework 04/13/2018 ULaval 16

17 Growing size of known unknown? 04/13/2018 ULaval 17

18 In Search for Cost Effective Ways of Reducing Known Unknown SINGAPORE (12 Dec 2017) In a first for a government agency here, 300 white hat hackers will be invited to put the Ministry of Defence s public facing systems to the test, in order to expose vulnerabilities. The rewards will hinge on the number and quality of the vulnerabilities exposed, and are expected to cost significantly less than a commercial cyber security vulnerability assessment programme, which can cost up to S$1 million. In contrast, the new bug bounty initiative is estimated to cost around S$100,000, said Mr Koh, who also heads the CSA. Accessed from online mindef invites hackers to test public facing systems for vulnerabilities 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 18

19 2. Supply Chain Cyber Risk Propogation 04/13/2018 ULaval 19

20 Attack on Vendor Set Up Breach at Target The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malwarelaced phishing attack sent to employees at a Heating, ventilation, and air conditioning (HVAC) firm that did business with the nationwide retailer,... Accessed from attack on vendor set up breach at target/ 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 20

21 Supply chain Propagation Model Let, be the likelihood that a cyber breach into firm i will export to firm j,, (non symmetric) Matrix of propagation coefficients:,,,,,, 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 21

22 Cyber Breach Probability in a Supply Chain Let be security investments by the m firms. We consider only 1 step propagation firm j faces a combined cyber breach probability:, firm j s contributes to the eco system s expected cyber loss:, 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 22

23 Supply Chain Propagation: An Example Consider one large firm with eight small firm contractors Firm j (j=1,2,8) has a small value atrisk $4; firm 9 has a large value at risk $80. Assume that all small firms have an anchor points, $1 with, 0.3, (j=1,,8). The large firm has an anchor point, $5, with, 0.2. The propagation coefficients are, 0.1but, 0, for j=1,,8. firm 3 firm 2 firm 4 firm 1 Firm 9 large firm firm 5 firm 8 firm 6 firm 7 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 23

24 Optimal Security Spend: for the eco system vs. firm itself Standalone spending Eco system Spending j j 1 Small firm $ 1.31 $ % Large firm $10.09 $ % 1) Optimal spend by small firm need to increase +70% in a supply chain setting vs standalone (as compared to +13% for large firm) 2) However, small firms have no incentives to voluntarily do that! This is the problem! 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 24

25 Securing high risk, third party relationships ( 04/13/2018 ULaval 25

26 Knowledge Gap about Security Level of 3 rd Party Vendors 1) Large firms invest $$$$$ to their own cyber security, but are vulnerable to the lack of knowledge for the security level of their suppliers 2) To overcome such knowledge gap, large firms may require suppliers to provide cyber security rating 3) But how good (reliable) is the cybersecurity rating? [similarly how good are the security audits?] 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 26

27 3. Sharpness of Cyber Security Rating 04/13/2018 ULaval 27

28 Cyber Breach Probability in Sigmas 04/13/2018 ULaval 28

29 Gaussian Copula model for security level rating Assume estimated security level u and the true security level v, expressed in sigma values,, follow a bivariate Normal(0,1), with correlation Conditional on the true underlying sigma value, the estimated sigma value has a mean of and volatility of ρ. 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 29

30 Gaussian Copula {true vs observed sigmas} 04/13/2018 ULaval 30

31 For Supply Chain Security: Impose Penalty for Failing Security Rating Impose penalty K if the firm fails prescribed security rating level 1.65) sigma value. (e.g. The firm s total cost as function of security spend z : 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 31

32 Sharpness of Security Rating & Penalty Amount Effect on the Optimal Security Spend z by a firm Reliability of Rating No Penalty (K=$0) Penalty K=$10 Penalty K=$20 Optimal * Optimal * Optimal * 0.95 $6.5 $11.0 $ $6.5 $ 11.0 $ $6.5 $ 9.5 $ $6.5 $9.5 $ $6.5 $8.5 $ $6.5 $8.0 $ /13/2018 ULaval Shaun.Wang@ntu.edu.sg 32

33 We have just started Push the Actuarial Science Frontier: 1. Apply the Knowledge Set concept in Enterprise Risk Management 2. Assemble various sources of data to consumable Information 3. Design mechanisms to enhance resilience of a supply chain Push the insurance and risk management practice frontier: Integrate risk reduction and risk transfer services 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 33

34 Thank You! 04/13/2018 ULaval 34