2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT

Apr 05, 2018

isalliance
Transcript
  • 7/31/2019 2011 12 02 Larry Clinton Cyber Risk and Data Breach Management Summit Presentation in NYC About PWC Study APT

    Slide 1/31: Larry Clinton, President & CEO

    Internet Security Alliance
    [email protected]
    202-236-0001

  • Slide 2/31: During the Last Minute

    45 new viruses
    200 new malicious web sites
    180 personal identities stolen
    5,000 new versions of malware created
    2 million dollars lost

  • Slide 3/31: Technology or Economics?

    "Security failure is caused at least as often by bad incentives as by bad technological design... everywhere we look we see online risk allocated poorly... people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code."

    ---Anderson and Moore, The Economics of Information Security

  • Slide 4/31: Sr. Management & Cyber Security: Good News!!!

    PricewaterhouseCoopers survey of 9,000 executives, published September 2011.

    Executives were confident in their ability to secure their information systems and bullish about cyber security spending:

    43% had confidence in their security protocols
    50% expected their companies to spend increasing amounts of money on cyber security

  • Slide 5/31: Now the Harsh Reality

    Only 13% of the executives polled by PWC actually had done what is considered to be adequate security.

    Most executives did not have an overall security strategy, had not reviewed the effectiveness of their strategy, or did not know what types of breaches had hit them in the past 12 months.

    Only 1 in 3 said their companies had a policy for dealing with employee use of social media.

  • Slide 6/31: Digital Growth? Sure

    "Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth."

    ---Stanford University Study, July 2006

  • Slide 7/31: Digital Defense ------ Not So Much

    23% of CTOs did not know if cyber losses were covered by insurance.
    34% of CTOs thought cyber losses would be covered by insurance----and were wrong.
    SONY v Zurich insurance---when "comprehensive" doesn't mean comprehensive (CGL policies).

    "The biggest network vulnerability in American corporations is extra connections added for senior executives without proper security."

    ---Source: DHS Chief Economist Scott Borg

  • Slide 8/31: The Cyber Security Economic Equation

    Technological analysis tells us HOW cyber attacks occur. Economics tells us WHY they occur.

    All the economic incentives favor the attackers: attacks are cheap, easy, profitable, and the chances of getting caught are small.

    Defense is a generation behind the attacker, the perimeter to defend is endless, and ROI is hard to show.

    Until we solve the cyber economics equation we will not have cyber security.

  • Slide 9/31: Efficiency and Security

    Business efficiency demands LESS secure systems (VOIP/international supply chains/Cloud).

    Cost is the single biggest problem in information security.

    In 2010, 50%-66% of US companies are deferring or reducing investment in cyber security.

  • Slide 10/31: Corp Cyber Practices Are Degrading

  • Slide 11/31: Why is this the case?

    The vast majority of Sr. management---and the majority of all employees---are digital immigrants.

    Cyber security is not just an IT problem. Insiders (including lawyers and PR/sales execs) are the single biggest cyber security vulnerability.

    We compensate for productivity and cost savings; we don't compensate for security.

  • Slide 12/31: 50 Questions Every CFO Should Ask (2008)

    "It is not enough for the information technology workforce to understand the importance of cyber security; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts." ---President's Cyberspace Policy Review, May 30, 2009, page 15

    ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask----including what they ought to be asking their General Counsel and outside counsel. Also HR, Bus Ops, Public and Investor Communications & Compliance.

  • Slide 13/31: Financial Management of Cyber Risk (2010)

  • Slide 14/31: ANSI-ISA Program

    Outlines an enterprise-wide process to attack cyber security broadly and economically:

    CFO strategies
    HR strategies
    Legal/compliance strategies
    Operations/technology strategies
    Communications strategies
    Risk Management/insurance strategies

  • Slide 15/31: What the CFO needs to do

    Own the problem
    Appoint an enterprise-wide cyber risk team
    Meet regularly
    Develop an enterprise-wide cyber risk management plan
    Develop an enterprise-wide cyber risk budget
    Implement the plan, analyze it regularly, test and reform based on EW feedback

  • Slide 16/31: Human Resources

    Recruitment
    Awareness
    Remote access
    Compensate for cyber security
    Discipline for bad behavior
    Manage social networking
    Beware of vulnerability, especially from IT and former employees

  • Slide 17/31: Legal/Compliance Cyber Issues

    What rules/regulations apply to us and partners?
    Exposure to theft of our trade secrets?
    Exposure to shareholder and class action suits?
    Are we prepared for govt. investigations?
    Are we prepared for suits by customers and suppliers?
    Are our contracts up to date and protecting us?

  • Slide 18/31: Operations/IT

    What are our biggest vulnerabilities? Re-evaluate?
    What is the maturity of our information classification systems?
    Are we complying with best practices/standards?
    How good is our physical security?
    Do we have an incident response plan?
    How long till we are back up?---do we want that?
    Continuity plan?
    Vendors/partners/providers plan?

  • Slide 19/31: Communications

    Do we have a plan for multiple audiences?
    --general public
    --shareholders
    --Govt./regulators
    --affected clients
    --employees
    --press

  • Slide 20/31: Insurance/Risk Management

    Are we covered?----Are we sure?????????
    What can be covered?
    How do we measure cyber losses?
    D and O exposure?
    Who sells cyber insurance & what does it cost?
    How do we evaluate insurance coverage?

  • Slide 21/31: Growth toward Enterprise-wide Cyber Management

    In 2008 only 15% of companies had enterprise-wide risk management teams for privacy/cyber.

    In 2011 87% of companies had cross-organizational cyber/privacy teams.

    Major firms (E & Y) are now including ISA Financial Risk Management in their enterprise programs.

    Even govt. (e.g. DOE) has now adopted these principles for their sector risk management.

  • Slide 22/31: DOE Risk Management Framework

    "Senior executives are responsible for how cyber security risk impacts the organization's mission and business functions. As part of governance, each organization establishes a risk executive function that develops an organization-wide strategy to address risks and set direction from the top. The risk executive is a functional role established within organizations to provide a more comprehensive, organization-wide approach."

  • Slide 23/31: Two Types of Attacks

    Basic attacks: the vast majority; can be very damaging; can be managed.

    Ultra-sophisticated attacks (e.g., APT): well organized, well funded, multiple methods, probably state supported.

    They will get in.

  • Slide 24/31: Best Practices Do Work

    PWC/Gl Inform Study 2006---best practices 100%
    CIA 2007---90% can be stopped
    Verizon 2008---87% can be stopped
    NSA 2009---80% can be prevented
    Secret Service/Verizon 2010---94% can be stopped or mitigated by adopting inexpensive best practices and standards already existing

  • Slide 25/31: Advanced Persistent Threat: What is it?

    Well funded
    Well organized---state supported
    Highly sophisticated---NOT hackers
    Thousands of custom versions of malware
    Escalate sophistication to respond to defenses
    Maintain their presence and call home
    They target vulnerable people more than vulnerable systems

  • Slide 26/31: APT

    "The most revealing difference is that when you combat the APT, your prevention efforts will eventually fail. APT successfully compromises any target it desires."----M-Trend Reports

  • Slide 27/31: The APT----Average Persistent Threat

    "The most sophisticated, adaptive and persistent class of cyber attacks is no longer a rare event... APT is no longer just a threat to the public sector and the defense establishment... this year significant percentages of respondents across industries agreed that APT drives their organization's security spending." ---PricewaterhouseCoopers Global Information Security Survey, September 2011

  • Slide 28/31: % Who Say APT Drives Their Spending

    43% Consumer products
    45% Financial services
    49% Entertainment and media
    64% Industrial and manufacturing sector
    49% Utilities

    ---PWC 2011 Global Information Security Survey

  • Slide 29/31: Are we thinking of APT all wrong?

    Companies are countering the APT principally through virus protection (51%) and intrusion detection/prevention solutions (27%). ---PWC 2011

    "Conventional information security defenses don't work vs. APT. The attackers successfully evade all anti-virus, network intrusion and other best practices, remaining inside the target's network while the target believes they have been eradicated."---M-Trend Reports 2011

  • Slide 30/31: We Are Not Winning

    Only 16% of respondents say their organization's security policies address APT. In addition, more than half of all respondents report that their organization does not have the core capabilities directly or indirectly relevant to countering this strategic threat.

  • Slide 31/31: Larry Clinton, President & CEO

    Internet Security Alliance
    [email protected]
    202-236-0001