
Auditing Cyber Security Risk

From nuisance to impact


Who Am I?
• European Commission official 1987-2017
• Internal audit, external audit
• COO and CRO at the Joint Research Centre
• Founder and Head of CERT-EU
• Independent strategic advisor in cyber security and cyber risk management
• Advisor/Board Member in cybersecurity startups

2
Cybersecurity: Current Context
• Internet of Everything
• Service delivery requires connectedness
• Economy and society depend on IT
• Everything and everybody exposed
• Everything Vulnerable
• Inherently fragile systems
• Often unpatchable
• Agile Adversaries
• Determined pursuit of goals
• Industrialization of operations

3
(Not)Petya

• June 2017
• “Targeted” attack
• Encryption malware
• Destructive intent: no way to decrypt
• Initial infection via accounting software

4
10% of all computers in UA destroyed!
3 billion € collateral damage
5
Collateral Damage
Maersk/APM
• 17 container terminals disrupted for days
• Loading and unloading impossible
• Perishable goods lost?
• Truck chaos
• Saved by power cut in Ghana…

• More than 300 million € financial impact

6
Targeted Ransomware

7
8
Cyber hits the C-papers

9
Your C-Suite?

10
Intermediate Questions
• Has your company been facing this type of problem?

• Does your company have cyber insurance in place?

• Would your company pay ransom?

• Is this a Board issue in your company?

• How confident are you in your company’s backup?


11
Prevention, detection, response is not enough

RESILIENCE

12
Infrastructure

[Diagram: CISO at the centre, surrounded by IT, 5G, Product, Mobile / BYOD, OT / IoT, Cloud]

13
Regulation

14
Compliance

[Diagram: CISO at the centre, surrounded by DPA, Internal Auditor, Regulator, External Auditor, Client, Cyber Insurance]

15
16
Frameworks

17
Mapping

18
Mapping

Subcategory: ID.AM-1: Physical devices and systems within the organization are inventoried
Informative References:
· CIS CSC 1
· COBIT 5 BAI09.01, BAI09.02
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
· NIST SP 800-53 Rev. 4 CM-8, PM-5

ID.AM-1 (Physical devices and systems within the organization are inventoried) -> Singapore - SAMA "Information Security Survey - 2016"

ID.AM-1 (Physical devices and systems within the organization are inventoried) -> NFA "9070 - NFA COMPLIANCE RULES 2-9, 2-36 AND 2-49: INFORMATION SYSTEMS SECURITY PROGRAMS"

19
Mapping

[Diagram: Supervisory Issuances mapped to NIST Functions, NIST Categories and NIST Subcategories]

20
What Matters Most?

21
C-Level
• Translate cyber risk into business risk
• Continuity of operations (disruption, ransomware)
• Image damage
• IPR theft
• Financial loss
• GDPR

• Provide them with tools to take ownership of the risk

• Make them understand it in their language


22
Metrics Linked To Framework

Subcategory: ID.AM-1
What: Inventory of all devices and systems. Measurement should include differentiation according to the criticality of the device/system.
How to Measure: CMDB <-> what can be seen on the network.
Input/Design: Design and implement a system to verify the inventory of assets in an automated manner and identify anomalies.
Output/Implement:
  Critical: Green: 100%, Yellow: 80%, Red: <80%
  Non-Critical: Green: 90%, Yellow: 50%, Red: <50%

Subcategory: 12.6 Logging administrative activities
COVERAGE
  What: All relevant systems and applications are integrated into admin logging
  How to Measure: Number of logged security-critical systems / total number of security-critical systems
  Output/Implement: Green: > 90%, Yellow: 70-90%, Red: < 70%
EFFECTIVENESS
  What: Completeness and integrity of admin logs
  How to Measure: Number of incorrect admin logs (number of incorrectly written admin logs)
  Output/Implement: Red: > 0, Green: = 0
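The two metrics on this slide can be produced automatically from an inventory export and a network discovery result. The script below is an added example, not material from the presentation or from any tool the speaker mentions; the CMDB, network scan, logging sources and log records in it are constructed, and the rule that a device's network segment decides its criticality when the CMDB does not know it is an assumption made here. It applies the slide's Green/Yellow/Red thresholds, lists the anomalies the metric is meant to surface (devices seen on the network but missing from the CMDB, CMDB records no longer seen), and rates admin-logging coverage and effectiveness for the security-critical systems.

```python
"""Framework-linked metrics: ID.AM-1 inventory coverage and 12.6 admin-logging
coverage/effectiveness, rated Green/Yellow/Red with the slide's thresholds.
All data below is constructed for the example."""
from collections import Counter

# Thresholds from the slide as (green_min, yellow_min) percentages.
INVENTORY_THRESHOLDS = {"critical": (100.0, 80.0), "non-critical": (90.0, 50.0)}
LOGGING_COVERAGE_THRESHOLDS = (90.0, 70.0)   # Green strictly above 90, Red below 70

# Constructed CMDB export: hostname -> criticality class.
CMDB = {
    "db-prod-01": "critical",
    "erp-app-01": "critical",
    "dc-01": "critical",
    "hr-laptop-17": "non-critical",
    "print-srv-02": "non-critical",
    "fileshare-02": "non-critical",
    "wifi-ap-lobby": "non-critical",
    "legacy-fax-gw": "non-critical",   # registered but no longer on the network
}

# Constructed network discovery result: (hostname, network segment).
NETWORK_SEEN = [
    ("db-prod-01", "prod"), ("erp-app-01", "prod"), ("dc-01", "prod"),
    ("backup-prod-03", "prod"),            # on the network, not in the CMDB
    ("hr-laptop-17", "office"), ("print-srv-02", "office"),
    ("fileshare-02", "office"), ("wifi-ap-lobby", "office"),
    ("unknown-iot-cam", "office"),         # not in the CMDB
    ("visitor-phone", "guest"),            # not in the CMDB
]

# Assumption: the segment a device is discovered in sets its criticality class,
# so unknown devices can still be counted against the right threshold.
SEGMENT_CRITICALITY = {"prod": "critical", "office": "non-critical", "guest": "non-critical"}


def rag(pct, green_min, yellow_min, green_inclusive=True):
    """Map a percentage to Green/Yellow/Red; Green may be inclusive (>=) or strict (>)."""
    if pct > green_min or (green_inclusive and pct == green_min):
        return "Green"
    return "Yellow" if pct >= yellow_min else "Red"


def inventory_coverage(cmdb=CMDB, seen=NETWORK_SEEN, segment_criticality=SEGMENT_CRITICALITY):
    """ID.AM-1: share of devices seen on the network that the CMDB knows, per class,
    plus the anomalies (unknown devices, stale CMDB records) to follow up."""
    seen_count, known_count, unknown = Counter(), Counter(), {}
    for host, segment in seen:
        crit = segment_criticality[segment]
        seen_count[crit] += 1
        if host in cmdb:
            known_count[crit] += 1
        else:
            unknown.setdefault(crit, []).append(host)
    result = {}
    for crit, (green_min, yellow_min) in INVENTORY_THRESHOLDS.items():
        pct = 100.0 * known_count[crit] / seen_count[crit] if seen_count[crit] else 100.0
        result[crit] = {
            "coverage_pct": round(pct, 1),
            "rating": rag(pct, green_min, yellow_min),
            "not_in_cmdb": sorted(unknown.get(crit, [])),
        }
    result["stale_cmdb_records"] = sorted(set(cmdb) - {host for host, _ in seen})
    return result


# Constructed admin-logging data: systems forwarding admin logs, and sample records.
LOGGING_SOURCES = {"db-prod-01", "erp-app-01", "print-srv-02"}
REQUIRED_FIELDS = ("host", "actor", "action", "ts")
ADMIN_LOG_RECORDS = [
    {"host": "db-prod-01", "actor": "dba", "action": "GRANT", "ts": "2017-06-27T10:15:00Z"},
    {"host": "dc-01", "actor": "", "action": "ADD_USER", "ts": "2017-06-27T10:16:00Z"},   # empty actor
    {"host": "erp-app-01", "action": "CONFIG_CHANGE", "ts": "2017-06-27T10:17:00Z"},     # actor missing
]


def admin_logging_metrics(cmdb=CMDB, sources=LOGGING_SOURCES, records=ADMIN_LOG_RECORDS):
    """12.6: coverage = logged security-critical systems / all security-critical systems;
    effectiveness = count of records missing a required field (any > 0 is Red)."""
    critical = sorted(h for h, c in cmdb.items() if c == "critical")
    logged = [h for h in critical if h in sources]
    pct = 100.0 * len(logged) / len(critical) if critical else 100.0
    green_min, yellow_min = LOGGING_COVERAGE_THRESHOLDS
    bad = [r for r in records if any(not r.get(f) for f in REQUIRED_FIELDS)]
    return {
        "coverage_pct": round(pct, 1),
        "coverage_rating": rag(pct, green_min, yellow_min, green_inclusive=False),
        "not_logged": sorted(set(critical) - set(logged)),
        "incorrect_records": len(bad),
        "effectiveness_rating": "Red" if bad else "Green",
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(inventory_coverage())
    pprint(admin_logging_metrics())
```

With the constructed data the critical class rates Red (3 of 4 devices inventoried, one production backup host unknown to the CMDB), the non-critical class Yellow, and admin logging Red on both coverage (the domain controller does not forward logs) and effectiveness (two malformed records). Feeding the real CMDB export and scanner output into the same two functions is what turns the slide's table into a continuous rather than annual measurement.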

23
Metrics at Board Level

24
Jan Nys, KBC, presentation at RSA 2016


Monitor Metrics Over Time

25
Different Metrics

• Input indicators: design, effort

• Output indicators: implement, statistics

• Impact indicators: reduce risk

26
Metrics: Principles to Follow

• Based on objective data

• Not annual but continuous

• Not separate but integrated in your business risk process

• Not static but continuously improved

27
Takeaways
• Plan for resilience
• Preparedness

• Frameworks and Metrics


• Choose a Framework and map it to your stakeholders’ references
• Agree on relevant Metrics

• C-Level visibility
• Cyber Risk is a Business Risk
• Gain and maintain C-Suite support

28
References
• NIST Cyber Security Framework
• FSSCC Financial Sector Cybersecurity Profile
• ISO 27001
• VDA’s Information Security Assessment
• CIS Critical Security Controls
• How to Steer Cybersecurity with Only One KPI

29
Thank You

Don’t Hide The Risk, Manage It

FreddyDezeure.eu

30
