Modelling Cyber Security Risk Across the Organization Hierarchy

Similar documents
Chapter X Security Performance Metrics

CYBER RESILIENCE & INCIDENT RESPONSE

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Automating the Top 20 CIS Critical Security Controls

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

STANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange

Gujarat Forensic Sciences University

Cybersecurity for Health Care Providers

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

Symantec Security Monitoring Services

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Education Network Security

MIS5206-Section Protecting Information Assets-Exam 1

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

CISO as Change Agent: Getting to Yes

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyber Resilience - Protecting your Business 1

Advanced IT Risk, Security management and Cybercrime Prevention

Building UAE s cyber security resilience through effective use of technology, processes and the local people.

External Supplier Control Obligations. Cyber Security

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

RSA NetWitness Suite Respond in Minutes, Not Months

Advanced Security Tester Course Outline

CISM QAE ITEM DEVELOPMENT GUIDE

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Make IR Effective with Risk Evaluation and Reporting

CCISO Blueprint v1. EC-Council

RSA INCIDENT RESPONSE SERVICES

Cybersecurity, safety and resilience - Airline perspective

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

A new approach to Cyber Security

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

भ रत य ररज़र व ब क. Setting up and Operationalising Cyber Security Operation Centre (C-SOC)

Integrating Cyber Security and Safety Systems Engineering Disciplines with a common Code of Practice

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Department of Management Services REQUEST FOR INFORMATION

NCSF Foundation Certification

Cyber Security Technologies

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

RSA INCIDENT RESPONSE SERVICES

align security instill confidence

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Cybersecurity in Government

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Designing and Building a Cybersecurity Program

IoT & SCADA Cyber Security Services

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

ABB Ability Cyber Security Services Protection against cyber threats takes ability

Security Awareness Training Courses

Control System Security for Social Infrastructure

INTELLIGENCE DRIVEN GRC FOR SECURITY

Management Information Systems. B15. Managing Information Resources and IT Security

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Dell helps you simplify IT

Port Facility Cyber Security

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

A practical guide to IT security

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Featured Articles II Security Platforms Hitachi s Security Solution Platforms for Social Infrastructure

Cyber Security Program

Aligning Agency Cybersecurity Practices with the Cybersecurity Framework

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Information Security Controls Policy

Table of Contents. Sample

Cloud Security Standards

Best Practices in Securing a Multicloud World

The Center for Internet Security

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Certified Information Security Manager (CISM) Course Overview

DHS Cybersecurity: Services for State and Local Officials. February 2017

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

AT&T Endpoint Security

Cyber Criminal Methods & Prevention Techniques. By

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

About Issues in Building the National Strategy for Cybersecurity in Vietnam

6.6 INCIDENT RESPONSE MANAGEMENT SERVICES (INRS) (L )

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Security by Default: Enabling Transformation Through Cyber Resilience

David Fletcher Co-Principal Investigator Western Management & Consulting LLC Albuquerque, NM

Cyber Security. Building and assuring defence in depth

TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS

SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ

General Framework for Secure IoT Systems

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

Transcription:

Modelling Cyber Security Risk Across the Organization Hierarchy Security issues have different causes and effects at different layers within the organization one size most definitely does not fit all. Likewise, the investment in security controls needs to take into account the level of risk and return on investment to reduce the risk to an acceptable level throughout the organization. Are you finding the black swan or the elephant in the room? By applying the Bow Tie model, we can determine the threats, vulnerabilities and required controls for cyber-security: we can model a hierarchy of causal relationships that could lead to an incident and controls that could reduce the likelihood of the incident occurring (fault tree); and given that an event has occurred, we can model the potential consequences and contingent controls (event tree). We will use a targeted 'phishing attack' as an example of the necessary controls through the layers of the organization and phases of response. Illustration 1: Bow Tie model showing Fault Tree and Event Tree The explanations for the causes and likelihood of Event Scenarios can be determined for the various organizational cyber security layers. Note that multiple threat events and control failures may lead to multiple Event Scenarios which in turn may culminate into a catastrophic event. Refer to the Fault Tree section. The consequences from the Event Scenarios and the efforts to mitigate and to return to normal operations from the results of the Event Scenarios are modelled in the Event Tree. Note that the consequences may be different for the various organization layers and types of Event Scenarios. Refer to the Event Tree section. Threatalytics.com April 2016 page: 1

Organizational Cyber Security Layers The causes and effects of event scenarios depend on where and at what level of the organization we wish to assess. Furthermore, a successful compromise at one level can contaminate the layers above and below this layer. Here is a review of the various layers of security. 14 Regulatory Legal restrictions promulgated by governments 13 Policy Principles of behaviours adopted by the organization 12 Standards & Guidelines 11 Process Instructions and yardsticks for measure and control 10 Procedure A documented set of activities as called for in a process 9 Activity 8 People OSI layers 1 to 7 A systematic series of procedures directed to some organizational deliverable The smallest unit of work or behaviour called for in a procedure You & I Open Systems Interconnection Reference Model, or simply the OSI model. Network attacks have moved up the OSI network model over time, climbing from network attacks in the 1990s to session attacks and application layer attacks today. Threatalytics.com April 2016 page: 2

Layers of Protection Swiss Cheese Model Illustration 2: Swiss Cheese model, showing layers of protection For an event to occur, the various possible causes need to occur. This is called the Swiss Cheese model, where layers of the system controls cause defence-in-depth. For an attack to be successful, each layer in the cheese needs to have a hole (vulnerability) aligned with the adjacent layer. Each layer in the organization has a role toward prevention, detection, mitigation or recovery from the event. Providing the controls complement each other across the organizational layers (the holes in the Swiss Cheese are blocked by the other control layers) a threat agent will be blocked from causing a hazardous event. However, should a layer of control fail (the holes in the Swiss Cheese line up), an incident will likely occur. E-mail Phishing Example of Controls by Security Layer A phishing attack can only be successful if the layers of technological and procedural controls are missing or have failed. Phishing attacks represent a combination of user and technological failures. Before the user is ever confronted with a phishing e-mail, there are opportunities to block the attack at the network components and at the mail server. Fault Tree Analysis This is a technique which starts with the undesired event (top event) and determines all the ways in which it could occur. These are displayed graphically in a logical tree diagram. Once the fault tree has been developed, consideration should be given to ways of reducing or eliminating potential causes / sources. Fault Trees are composed from events with relationships that connect the events together reflecting the structure and relationships within the organization and to the organization environment. We will take the e-mail phishing scenario to build a simplified fault tree model. Threatalytics.com April 2016 page: 3

Illustration 3: Fault Tree analysis across the cyber security layers Threatalytics.com April 2016 page: 4

Security Layer Threat Event Possible Countermeasure Layers 2, 3, 4 Malicious e-mail arrives from some internet source over service provider network. Technologies for detecting and deleting phishing emails can be implemented in the internet infrastructure to block these attacks before they reach mail servers. Layers 6, 7 Malicious e-mail has arrived at the server, most likely from an At the mail server there is another opportunity to implement technologies to quarantine phishing emails. un-trusted source but may have arrived from an outside trusted source that had been infected with the e-mail payload. Layer 8, people E-mail recipient unwittingly opens e-mail that should have been suspicious, allowing address book of the user It is only if these first 7 OSI layers have failed to block a phishing attack that a user becomes involved. If users have been properly trained to recognize and report phishing attacks, these attacks can be blocked at this account to forward the malicious stage. User awareness programmes should be e-mails to other accounts. Recipient also convinced to open attachment, which unleashes payload application. designed to ensure that users are able to recognize a potential phishing attack and know where to report it. Users may still be spoofed by social engineering methods that make use of a well-crafted phishing email. Layer 9, Activity and Layer 10, Procedures Layer 11, Process Layers 12 and 13, Policy, Standards and Guidelines Layer 14, Regulatory Payload of opened e-mail is propagated along with automatically forwarded packets across e-mail accounts via e- mail services. E-mail payload executes across connected networks, causing malicious activity to propagate across the network, bypassing normal network controls. Contingency plans are not followed or are proven to be ineffective. Network administration either fails to respond properly or panics. Interconnected organizations receive the malicious traffic without warning. Adequate response is not possible because they were not notified in a timely manner, metrics are not kept, heuristics were not assessed. Even if a user clicks on a malicious link in a phishing email, all is not lost because technologies exist to warn users of potentially harmful links and quarantine the attachments. The user has the opportunity to report attempted phishing attacks to enable administrators to delete any associate unopened phishing emails on the mail server. But if a user decides to open an email even though it has been quarantined, the email client should still be able to prevent malicious code from executing. The network can be equipped to be a layer of defense and should be able to detect and block malicious activity, identify rogue clients and prevent any infection from spreading. Interrupting the criminal s discovery process as quickly as possible is the ideal response, and requires the organization to allocate the budget, resources and necessary skills. Once the security basics are in place, organizations need to focus on reducing impact and understanding how to recover more quickly. Organizations need to understand what has happened and must be absolutely clear about how they respond to an attack. Organizations need to have a clearly-defined process in place for notifying and reporting unexpected incidents. Collaboration between organizations within and across sectors is getting better, and is encouraged by the government security initiatives in many countries. Threatalytics.com April 2016 page: 5

Event Tree Analysis Consequence analysis determines the nature and type of impact which could occur assuming that a particular event situation or circumstance has occurred. An event may have a range of impacts of different magnitudes, and affect a range of different objectives and different stakeholders. When we have established the context of the event we can decide what types of consequence to be analyzed and which stakeholders would be affected. From the preceding Fault Tree Analysis example, we can choose threat events to create the event tree model. As an illustration, we will pick as an initiating event the acceptance of the malicious software at the e-mail server. We assume the event has already happened: somehow malicious e-mail data, of unknown threat level, has passed through the network layer control. The combination of fault tree and event tree analysis can quickly get complicated. We should start with a high level analysis and work in the detail over time. This is where an automated method can help us keep track of the complexity and the numerous inter-relationships of cause and effect. Threatalytics.com April 2016 page: 6

Measure of Effectiveness From a review of remediation methods for targeted phishing scenarios, no single solution is fool-proof. Even for the expensive solution R4 in this case we need defence-in-depth. Management can then select an optimal and acceptable method to control the risks by: comparing the potential impacts determined from the fault tree analysis to the cost of selected remediation methods from the event tree that would reduce the risks to an acceptable level. Because of the costs and skills required to administer and manage the more complex applications, management may have to accept the risks of implementing a cheaper and less effective remediation solution. Threatalytics.com April 2016 page: 7

Bayesian Networks for Modelling Risk This process of fault tree analysis, event tree analysis, and control selection can be modelled using Bayesian Networks 1 for the following benefits: Explicitly models causal factors including incorporation of expert judgment in scenarios of insufficient data and accommodate causal explanations; Reason from effect to cause and vice versa. The probability distributions for every unknown variable will be updated whenever an observation is entered into any node. Reduces the burden of parameter acquisition. The process is modular and compact making the elicitation of probabilities easier and explaining the model results easier. Overturns previous beliefs in the light of new evidence. The model is flexible. Makes predictions with incomplete data. There is no need to enter observations about all inputs. The model produces revised probability distributions for all the the unknown variables when any new observations are entered. If no observation is entered then the model simply assumes the prior distribution. Combines diverse types of evidence including both subjective beliefs and objective data. A Bayesian Network is agnostic about the type of data in any variable and about the way the probability tables are defined. Arrives at decisions based on visible, audit-able reasoning. There are no hidden variables and the inference mechanism is based on Bayes theorem. Conclusion We have demonstrated how cyber-security risk can be analyzed across the various control layers of an organization. We walked through a malicious e-mail scenario to determine threats, vulnerabilities, and remediation controls. We used a simplified fault tree model to determine events and relationships that cause security events. We used an event tree for malicious e-mail arriving at e-mail server scenario to evaluate selected remediation controls. We demonstrated how management can make informed decisions toward loss prevention and loss reduction by analyzing the various remediation solutions in terms of cost, effectiveness, and remaining risks. We recommended using Bayesian Networks for modelling the scenarios. One remediation method we did not mention in the event tree scenario is outsourcing much of the detection and remediation controls. Outsourcing may not reduce responsibility and accountability of your staff, but it may be a good cost effective addition to gain the support of robust remediation tools managed by skilled resources. We can help. 1 Risk Assessment and Decision Analysis with Bayesian Networks / Norman Fenton, Martin Neil 2013 ISBN 978-1- 4398-0910-5 Threatalytics.com April 2016 page: 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback