Hello, everybody. My name is Carter Schoenberg.
Today's session, Cyber Risk for System Owners, will be focusing on how to effectively translate technical threats
For more information with regards to my background and experience, if you scroll to the bottom of the page, you will see a short biography.
When we think about cyber security, what do we usually think about? A firewall?
Antivirus? Malware protection,
perhaps cyber threat intelligence, or even incident response?
You cannot pull up a trade rag,
open a newspaper, turn on the television, or open a Web browser without seeing the most recent aftermath of a data breach that's taken place that day.
The Health and Human Services Office of Civil Rights is handing out penalties ranging between 1 to 1.5
to organizations that failed to adequately protect the electronic health care information of U.S. citizens,
and they're handing out these fines like it's candy on Halloween.
Home Depot recently settled a lawsuit in response to a data breach in the amount of $19 million.
And as I'm sure most of you are aware,
Target sustained a pretty large breach in the latter part of 2013,
and the total value of their settlement and spend to date
Here's what I have outlined for our agenda today.
I don't mean a detailed biography on Carter Schoenberg, but more importantly,
what does the current threat landscape look like? And how does it have a direct applicability to your business operations?
Next, we'll be focusing on legal concepts that are relevant to cyber security.
We will also be talking about the total cost of ownership
versus return on investment.
This is a highly debated topic, as many people firmly believe that you cannot show a dollar value on your return on investment,
the definitions of each
Then we'll be talking about spoliation orders. A spoliation order is a legal instrument,
and we will show how a spoliation order could potentially impact your liability as a cyber professional.
Then we'll focus on supply chain.
Many people believe that supply chains are simply
applicable to manufacturing,
where you're able to show the assembly line where you're getting your core components to make
Have you ever considered the fact that your business partners are in fact part of your supply chain?
And finally, we will conclude with the cyber implications for publicly traded companies.
The value of any training and awareness session is measured by the knowledge transfer from the instructor to the student.
Given this isn't the sexy, ultracool penetration testing series,
we want to highlight what you can expect as a result of this session. First, you should be able to understand
how to discern a cyber threat from a business risk. You should also be able to understand legal concepts as they relate to cyber security. You should also be able to understand how your business partners directly increase your organization's risk exposure.
The culmination of all of these points
will provide greater value to the C-suite or system owners that you report to
and better position you for career advancement.
For the first part of this lesson introduction,
we will spend some time on the current cyber threat landscape,
current cyber-related spending activities, and how business owners traditionally operate.
There's a lot of material to cover,
and this may potentially be one of the longest intro topic sessions you have encountered within the Cybrary series.
But where to start, with so many fascinating areas of interest?
How about the word cyber?
When we hear the word cyber today,
it has become so muddled in terminology
that many in the industry believe
this word has little or no value.
For the purpose of this lesson, we will define cyber as
computers, smartphones, networks, cloud infrastructure or data centers, and data itself.
When we look at forecasts for cyber security spending,
we see a very clear upward trend.
This first graphic shows us the estimated level of spending on everything from mobile to IoT over the next five years, between 2015 and 2020.
It is important to know
that while this chart is fairly new,
this upward trend in cyber security spending
has seen dramatic increases for over 10 years.
More money is being spent on cyber security today
With these increases, you would think our risk posture would improve proportionately to the level of spend.
As seen in this next chart, you'll notice increases in what US-CERT reports for security incidents,
and Verizon, IBM, and SecureWorks are all showing similar increases.
A few years ago, while attending Black Hat,
there was a very prominent headhunter
who asked the audience who thought that they were great at doing pen testing, and a number of hands went up.
What about being a great firewall administrator?
And again, more hands went up.
He finally concluded with: what about incident response and digital forensics?
More hands went up. Even still,
he shook his head and said, "People, it's no longer enough.
Once you get to the six-figure mark for compensation,
if you can't demonstrate an understanding of the business
and how your efforts in cyber security directly support the business,
you are in a losing proposition."
There's a great article that was posted a few years ago at CSO Online.
The article was titled The Four Things I Wish I Knew as a CISO.
This article featured a former chief information security officer
who took on the role of the chief operations officer within the same company.
His main point was that had he only understood then, as a CISO,
what he does now as the chief operations officer,
he would have been significantly more successful getting buy-in from his peers,
because he understood the business more.
So let's look at business operations.
What do business owners typically care about?
Their primary concern, whether we want to acknowledge it or not, is sales:
how much money are we able to bring in.
Let's not fault them too harshly, because that's what pays our salary.
Other factors include
program or project management
and staffing resources.
On the last slide we covered general business considerations;
now let's look at what is generally overlooked by those same business owners: cyber risk,
legal considerations, and insurance.
This is especially true with mergers and acquisitions activities.
What is interesting to note is that,
while there are clear dependencies on these three areas,
they generally are the most overlooked by business owners,
and the irony is that overlooking the convergence of these three highly specialized areas
equates to the greatest exposure to business risk.
We will illustrate these risks in greater detail later in the session.
I'm sure a lot of the students taking this session are very familiar with vulnerability assessment tools like Nessus and Rapid7.
When we run these tools, we get a report that looks something like the graphic here.
However, when you try to explain the results from these tool sets to leadership,
you generally get this expression. Inevitably,
it's simply that, whether we want to like it or not,
we will be faced with this one as well.
Okay, everybody. So now that we have highlighted
the traditional model on how we look at the outputs from a security tool and how we convey that to our bosses,
let's dig a little bit deeper.
Have you ever been asked to quantify your findings?
If you respond, "Well,
sure, Carter, the tool gives you a score between one and 10,"
that's the wrong answer. That's never what we're looking for.
For this example, I'm using a screen capture from the tool Nexpose, which is part of Rapid7's portfolio. As we review the screen capture, I would like to ask you how many critical risks
are being displayed.
It's a trick question.
Any answer other than zero is technically incorrect.
What you see before you
are threats defined by the tool, not risks.
These tools are not factoring in compensating controls
or the type of data that resides on the computer in question.
So here's where you can really hone your skills as a cyber professional.
Do you recall the article I mentioned earlier, The Four Things I Wish I Knew as a CISO?
Focus on how you can add value by understanding the business better.
Now, this particular equation, I'm sure that we have all seen;
it's been around for about 15 years, if not more.
In my professional opinion:
what a bunch of dippy baloney.
Couldn't have said it any better myself. The other factor within this equation is the rate of occurrence,
which I kind of got a chuckle out of, because it only takes one occurrence
for the risk to manifest itself.
So now let's get into the nitty gritty of where we can really add value by leveraging a weighted scoring system that I call the 40/20/40,
using the outputs from Nexpose. As we saw from the last slide,
we're going to highlight
a critical vulnerability that occurred back in 2006 with Microsoft.
To better assess the actual potential risk to the business,
we look at three factors:
the tool score, with a weighted average of 40%;
compensating controls, with a weighted average of 20%;
and data, with a weighted average of 40%.
It's important to note that
if your core business operations are highly centric around health care
or highly sensitive financial information,
the percentage that you will use for that third factor, data,
may very well increase.
In this graphic, we have a network topology which includes
an IDS. This network has three computing assets that maintain different data types.
The first is defined as a general support system, or GSS.
A GSS is generally responsible for day-to-day operations; if the system was disrupted, while it would cause significant inconvenience to the business,
it may not necessarily cause harm. The other assets maintain personally identifiable information,
and credit cards or electronic health care records.
So under the scenario,
now let's incorporate that Microsoft vulnerability into this setting.
As we continue to review this vulnerability in its new environment, we will need to give it a numerical value.
For the purpose of this lesson, a low is defined as having a score between 1 and 3,
and high between 8 and 10.
Now that we have the values to assess the weighted average for the value of the tool score,
we must now calculate the compensating controls.
Conversely to the tool score,
the better your compensating controls, the lower the numeric value.
The more valuable the information, the higher the number.
Using our 40/20/40 model,
we assign that critical-rated vulnerability
We then will assign a score of five for having a firewall and IDS.
Well, while somewhat subjective,
factors like, you know, it's great to have a firewall and IDS, but who's actually monitoring it, and what are their qualifications?
What about a host-based IPS, or even the use of a security incident and event management tool, otherwise known as a SIEM?
And now, finally, the data.
Because the data is not critically
important to protect, either by requirement or mission sensitivity, we're going to assign it a value of four.
After we complete the equation using the 40/20/40 model,
this would be defined, at best,
as a moderate risk.
If we leverage the exact same network topology but we simply change the data,
how does that impact the score? Let's look at a scenario where we're no longer using a General Support System,
but now a computer that has personally identifiable information on it.
The rating from the tool remains an eight.
The compensating controls have not changed either.
But you have hit the maximum score
for data: 10 out of 10.
Now, when we factor all of these data sets together,
we have a total score of 82%.
In this specific example,
the actual rating from the tool, defined as critical,
is now tracking on par with the numeric value that we have given it as a business risk.
Just to make sure we get the general gist of what we're looking to illustrate, let's run through one more scenario.
Again, same topology, same configurations.
But this time we're going to focus on the
desktop that has credit card or electronic health care records.
We would rate that with the maximum value of 10 out of 10, just like we did for personally identifiable information.
But we want to change the value
of the vulnerability itself. Let's say that the tool says that it is a moderate,
so now we're giving it an assigned value of five out of 10.
Compensating controls remain the same, and so does the score for data.
Now, when we complete the calculation,
it gives us the score
The value that's being described
by the tool is tracking on par
with the actual business risk.
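As an added example that is not part of the session, here is the 40/20/40 weighted model in Python, run over the three scenarios walked through above (critical finding on the GSS, the same finding on the PII host, and a moderate finding on the PII host); the Finding class, the weight tuple and the range checks are my own assumptions about how to structure it, and the score bands (low 1 to 3, high 8 to 10) are the ones the session defines.

```python
from dataclasses import dataclass

# Default weights from the session as integer percentages (keeps arithmetic exact):
# tool score 40%, compensating controls 20%, data sensitivity 40%.
DEFAULT_WEIGHTS = (40, 20, 40)


@dataclass(frozen=True)
class Finding:
    """One scanner finding placed on one asset (assumed structure, not the tool's)."""
    tool_score: int      # 1-10, the scanner's severity for the vulnerability
    controls_score: int  # 1-10, LOWER is better (stronger compensating controls)
    data_score: int      # 1-10, HIGHER is more sensitive data (PII, PCI, EHR)


def _check(score: int) -> int:
    if not 1 <= score <= 10:
        raise ValueError(f"score {score} must be between 1 and 10")
    return score


def tool_band(score: int) -> str:
    """Map a 1-10 tool score to the bands the session defines (low 1-3, high 8-10)."""
    _check(score)
    if score <= 3:
        return "low"
    if score >= 8:
        return "high"
    return "moderate"


def business_risk_score(f: Finding, weights=DEFAULT_WEIGHTS) -> float:
    """Weighted score as a percentage (0-100). The weights can be shifted, e.g.
    more toward data for a health-care or financial business, but must total 100."""
    if sum(weights) != 100:
        raise ValueError("weights must total 100")
    w_tool, w_ctrl, w_data = weights
    weighted = (w_tool * _check(f.tool_score)
                + w_ctrl * _check(f.controls_score)
                + w_data * _check(f.data_score))
    return weighted / 10  # max 100 * 10 -> 100%


# Constructed scenarios matching the talk: the critical (8) finding behind a
# firewall and IDS (5) on a GSS (4); the same host holding PII (10); and a
# moderate (5) finding on the PII host.
SCENARIOS = {"gss": Finding(8, 5, 4), "pii": Finding(8, 5, 10), "pii_moderate": Finding(5, 5, 10)}

if __name__ == "__main__":
    for name, f in SCENARIOS.items():
        print(f"{name:13s} tool={tool_band(f.tool_score):8s} risk={business_risk_score(f):.0f}%")
```

The GSS scenario comes out at 58%, which is the "moderate at best" result the session describes, and the PII scenario reproduces the 82% figure.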