Cyber Risk Management - PDF
Jordan University of Science and Technology
Dr. Hala Hamadeh
Summary
This presentation outlines cyber risk management. It covers topics such as vulnerabilities, threats, risk assessment, and the risk management process, while highlighting cyber threats and cyber security. The document is from Jordan University of Science & Technology.
Full Transcript
Cyber Risk Management
Prepared by: Dr. Hala Hamadeh

Outline
- Governance
- Risk
- What is risk?
- Risk management
- Communication and consultation
- Risk assessment
- Monitoring and review
- Cyber systems
- Cybersecurity
- Cyber-risk management

What is risk?
- A risk is the likelihood of an incident and its consequence for an asset.
- An incident is an event that harms or reduces the value of an asset.
- An asset is anything of value to a party.
- A likelihood is the chance of something occurring.
- A consequence is the impact of an incident on an asset, in terms of harm or reduced asset value.
- Risk level is the magnitude of a risk as derived from its likelihood and consequence.

Vulnerabilities, threats, and risks
- Vulnerabilities are weaknesses or flaws in systems, processes, or controls that can be exploited to compromise the security of an organization.
- Threats are potential events or circumstances that can exploit vulnerabilities and cause harm to an organization.
- Risks are the combination of vulnerabilities, threats, and the potential impact or harm that could result from a threat successfully exploiting a vulnerability.

Exercise 1: Identify vulnerabilities, threats, and risks
1. Unlocked doors at businesses: vulnerability
2. Ransomware: threat
3. Unauthorized data access and financial loss: risk
4. Weak password policies: vulnerability
5. Phishing: threat
6. Supply chain disruption: risk

Exercise 2: Identify vulnerabilities, threats, and risks
A small healthcare clinic stores patient records electronically, and its IT infrastructure includes an electronic health records (EHR) system.
- Risk: unauthorized patient data access.
- Vulnerabilities:
  1) Weak authentication: the EHR system relies on weak username and password combinations for user access.
  2) Unencrypted data: patient data is stored without encryption, leaving it exposed in the event of unauthorized access.
- Threats:
  1) Insider threats: a disgruntled employee with access to the EHR system may intentionally access, steal, or tamper with patient records.
  2) Phishing attacks: cybercriminals may send phishing emails to clinic staff to steal login credentials and gain unauthorized access to patient data.

Cyber vulnerabilities: examples
- Missing data encryption
- Lack of security cameras
- Unlocked doors at businesses
- Unrestricted upload of dangerous files
- Code downloads without integrity checks
- Using broken algorithms
- URL redirection to untrustworthy websites
- Weak and unchanged passwords
- Website without SSL/TLS

Cyber threats: examples
- Ransomware is a form of malware that encrypts your data and then extorts a ransom for the unlock code.
- Phishing is an attempt to gain sensitive information while posing as a trustworthy contact.
- Data leakage is often caused when information is exposed to unauthorized people due to internal errors.
- Hacking: exploiting vulnerabilities in an organization's computer systems and networks to gain unauthorized access or control of digital
- Insider threat is the potential for an insider to use their authorized access to, or understanding of, an organization to harm that organization.

What is risk management?
- Risk management comprises coordinated activities to direct and control an organization with regard to risk.

Risk management framework
- The risk management framework defines the mandate and commitment to risk management, the risk management policy and responsibilities, the integration of risk management into the organizational processes, and the mechanisms for internal and external communication and reporting.
- The risk management framework should be continuously monitored, reviewed, and improved.
- The risk management framework, in turn, must comply with the basic principles for risk management.
Risk management principles
ISO 31000 provides a framework for risk management that includes several principles:
- Risk management shall create and protect value.
- Risk management shall be part of decision making.
- Risk management shall be an integral part of all organizational processes.
- Risk management shall be based on the best available information.

Risk management process
- The risk management process involves three processes: risk assessment (finite, but conducted regularly), communication and consultation (continuous), and monitoring and review (continuous).

Communication and consultation
- Communication and consultation refer to the activities aiming to provide, share, or obtain information regarding the management of risk.
- The interaction and information sharing serve as the basis for decision making.
- The information of relevance is anything that may determine how the organization should manage risk.

Success of communication and consultation
To ensure the effectiveness and efficiency of communication and consultation, it is advised to:
1. Establish a consultative team with defined responsibilities to communicate and discuss decisions with stakeholders (feasible in large organizations).
2. Define a plan for communication and consultation, which helps decision makers determine how to manage risks.
3. Ensure endorsement of the risk management process by ensuring mutual understanding among decision makers and stakeholders.
4. Communicate risk assessment results to support decision making, improve understanding of the sources and nature of risk, and strengthen risk awareness.

Risk assessment
- Risk assessment means the activities aiming to understand and document the risk picture for specific parts or aspects of an organization.
- Risk assessment involves the estimation of the risk level and the identification of options for risk treatment.
- The results of the risk assessment serve as the basis for decision making regarding how to respond to the risks.

Risk assessment (continued)
Risk assessment is divided into five steps:
1. Context establishment
2. Risk identification
3. Risk analysis
4. Risk evaluation
5. Risk treatment

Context establishment
- Involves documenting both the external and the internal context relevant to the assessment in question.
- External context includes the relationships with external stakeholders, as well as the relevant societal, legal, regulatory, and financial environment.
- Internal context includes the relevant goals, objectives, policies, and capabilities that may determine how risk should be assessed.
- The target of the assessment is the parts and aspects of the system that are the subject of the risk assessment.

Context establishment (continued)
- The scope of the assessment is the extent or range of a risk assessment; it defines what is held outside the assessment.
- The focus of the assessment is the main issue or central area of attention in a risk assessment.
- The assumptions are the things we take for granted or accept as true about the system in question; the risk assessment is only valid given these assumptions.
- Before doing the risk assessment, it is essential to identify the assets for which the assessment is conducted.

Example
Scenario: a financial institution is conducting a cybersecurity risk assessment to safeguard its online banking platform.
Scope of the assessment: the online banking platform, the underlying IT infrastructure, and the customer data stored within the platform.
Focus of the assessment: protecting customer data and ensuring the uninterrupted availability of online banking services.
The primary areas of attention include identifying potential risks related to data breaches, DDoS attacks, phishing threats, and vulnerabilities in the online banking software.
Assumptions: the risk assessment rests on several assumptions, including that employees are well trained and follow security policies, and that the institution regularly updates its security software and conducts penetration testing.

Context establishment (continued)
- After defining the scope, target, and assets, we can define the risk scales and the risk evaluation criteria.
- We need to define scales for consequences and likelihoods.
- It is better to describe consequences in terms specific to the asset (e.g., server downtime) than in monetary value.
- We may need to define several consequence scales, one for each kind of asset.
- For likelihood scales, we may use general terms such as "seldom" or "often", or numeric and discrete scales.

Risk identification
Risk identification means the activities aiming to identify, describe, and document risks and possible causes of risk. Based on the definition of risk, there is no risk without three elements:
- Asset: without assets there is nothing to harm.
- Vulnerability: without a vulnerability there is no way to cause harm.
- Threat: without a threat there is no cause of harm.

Risk identification (continued)
A threat is an action or event that is caused by a threat source and that may lead to an incident. A threat source is the potential cause of an incident. Threat sources can be human or non-human, tangible or intangible.

Risk identification (continued)
- Techniques for risk identification include brainstorming, interviews, checklists, statistics, and approaches for gathering historical data.
- Fundamental risk identification questions are in the diagram.

Risk analysis
- Risk analysis means the activities aiming to estimate and determine the level of the identified risks.
- The objective of this step is to estimate the likelihood and consequence of the identified incidents, using the scales defined during context establishment.
- An incident represents one risk for each asset it harms.
- The severity of an incident can be judged differently by the organization and by the party affected.
- Likelihood estimation determines the probability or frequency of incidents using the defined likelihood scale.

Risk evaluation
- Risk evaluation means comparing the results of the risk analysis with the risk evaluation criteria to determine which risks should be considered for treatment.
- Sometimes we need to combine risks and evaluate them together as a single risk.
- Some risks may be non-critical individually but problematic if they occur together.
- It is recommended to group risks that share the same threat sources, vulnerabilities, and/or assets.

Risk treatment
- Risk treatment means the activities aiming to identify and select means for risk mitigation, reduction, avoidance, and acceptance.
- The risk level may increase or decrease depending on the treatment applied.
- In this course, we focus on techniques to reduce the risk level.
- A treatment is an appropriate measure to reduce the risk level.
- The choice of risk treatment is based on multiple factors, such as the cost of applying it.

Risk treatment (continued)
Risk treatment techniques are:
- Risk reduction: reducing the likelihood or consequence of incidents.
- Risk retention: accepting the risk by informed decision; typically an option if the risk is within an acceptable level or is too costly to treat.
- Risk avoidance: simply avoiding the activity that gives rise to the risk.
- Risk sharing: transferring the risk, or part of it, to another party, for example through insurance or sub-contracting.
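The assessment steps above, carried through for the clinic of Exercise 2, as an added Python example that is not part of the lecture slides. It shows context establishment (one likelihood scale, one consequence scale per asset kind, an acceptance criterion), risk identification (a risk record that refuses to exist without an asset, a vulnerability and a threat), risk analysis (level derived from likelihood and consequence), risk evaluation (individual risks against the criterion, and risks grouped by threat source evaluated as one, where two individually acceptable risks exceed the criterion together), and risk reduction (a treatment moving likelihood or consequence down the scale, with the level recomputed). The scales, the multiplicative 5x5 criterion, the threshold of 10, the summed level for a group, the likelihood and consequence estimates and the two treatments are all constructed assumptions for illustration; the slides define none of these numbers.

```python
"""Worked risk assessment for the clinic scenario (Exercise 2).
All scales, criteria, estimates and treatments are constructed for this example."""
from dataclasses import dataclass, replace

# Context establishment: one ordinal likelihood scale and one consequence scale
# per asset kind, worded in terms of the asset rather than in money.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]
CONSEQUENCE = {
    "patient_records": ["negligible", "minor", "moderate", "major", "catastrophic"],
    "ehr_service": ["<1h outage", "<1 day outage", "<1 week outage",
                    "<1 month outage", "permanent loss"],
}
# Risk evaluation criterion (constructed): level = rank(likelihood) * rank(consequence),
# ranks running 1..5; anything at or above this threshold is considered for treatment.
TREAT_AT = 10


@dataclass(frozen=True)
class Risk:
    asset: str
    vulnerability: str
    threat: str
    threat_source: str
    likelihood: str
    consequence: str

    def __post_init__(self):
        # Risk identification: no risk without an asset, a vulnerability and a threat.
        if not (self.asset and self.vulnerability and self.threat):
            raise ValueError("a risk needs an asset, a vulnerability and a threat")
        if self.asset not in CONSEQUENCE:
            raise ValueError(f"no consequence scale defined for asset {self.asset!r}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"likelihood {self.likelihood!r} is not on the scale")
        if self.consequence not in CONSEQUENCE[self.asset]:
            raise ValueError(f"consequence {self.consequence!r} not on the {self.asset} scale")


def risk_level(r: Risk) -> int:
    """Risk analysis: derive the risk level from the likelihood and consequence ranks."""
    return (LIKELIHOOD.index(r.likelihood) + 1) * (CONSEQUENCE[r.asset].index(r.consequence) + 1)


def needs_treatment(risks):
    """Risk evaluation: compare each level with the criterion, keep those to treat."""
    return [r for r in risks if risk_level(r) >= TREAT_AT]


def group_by_threat_source(risks):
    """Group risks sharing a threat source so they can be evaluated as one risk."""
    groups = {}
    for r in risks:
        groups.setdefault(r.threat_source, []).append(r)
    return groups


def combined_level(group) -> int:
    """Constructed rule for a combined risk: one source exploiting every grouped
    weakness, so the individual levels add up. Risks acceptable on their own
    can exceed the criterion together."""
    return sum(risk_level(r) for r in group)


def reduce_risk(r: Risk, likelihood_steps: int = 0, consequence_steps: int = 0) -> Risk:
    """Risk reduction: a treatment moves likelihood and/or consequence down the scale."""
    li = max(0, LIKELIHOOD.index(r.likelihood) - likelihood_steps)
    ci = max(0, CONSEQUENCE[r.asset].index(r.consequence) - consequence_steps)
    return replace(r, likelihood=LIKELIHOOD[li], consequence=CONSEQUENCE[r.asset][ci])


# Risk identification for the clinic, with constructed likelihood/consequence estimates.
PHISHING_RECORDS = Risk("patient_records", "weak username/password authentication",
                        "phishing steals staff credentials", "cybercriminals", "likely", "major")
INSIDER_RECORDS = Risk("patient_records", "unencrypted patient data",
                       "disgruntled employee copies records", "insider", "possible", "catastrophic")
PHISHING_SERVICE = Risk("ehr_service", "weak username/password authentication",
                        "phished account used to lock staff out", "cybercriminals",
                        "unlikely", "<1 day outage")
RANSOMWARE_SERVICE = Risk("ehr_service", "code downloads without integrity checks",
                          "ransomware encrypts the EHR server", "cybercriminals",
                          "possible", "<1 week outage")
RISKS = [PHISHING_RECORDS, INSIDER_RECORDS, PHISHING_SERVICE, RANSOMWARE_SERVICE]

# Constructed treatments: multi-factor login cuts the phishing likelihood two steps;
# encryption at rest cuts the consequence of insider copying two steps.
TREATED = {
    "PHISHING_RECORDS": reduce_risk(PHISHING_RECORDS, likelihood_steps=2),
    "INSIDER_RECORDS": reduce_risk(INSIDER_RECORDS, consequence_steps=2),
}

if __name__ == "__main__":
    for r in RISKS:
        print(f"{risk_level(r):>2}  {r.threat} -> {r.asset}")
    print("to treat:", [r.threat for r in needs_treatment(RISKS)])
    for src, grp in group_by_threat_source(RISKS).items():
        print(f"combined level for {src}: {combined_level(grp)}")
    for name, t in TREATED.items():
        print(f"{name} after treatment: {risk_level(t)} ({t.likelihood}, {t.consequence})")
```

The two service risks score 4 and 9 on their own and would be retained, but grouped under the same threat source they score 13 and cross the criterion, which is the slide's point about grouping. The treatments bring both record risks below the threshold; an organization that set a different criterion, or that ranked consequences on a different scale, would reach a different result from the same estimates, which is why the scales and criteria are fixed during context establishment before any level is computed.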
Monitoring and review
- Monitoring is the process of continual checking, supervising, critically observing, or determining the current status in order to identify deviations from the expected or required status.
- Review is determining the suitability, adequacy, and effectiveness of the risk management process and framework.
- The main purposes of monitoring and review are to:
  - ensure that controls are effective and efficient;
  - obtain further information to improve risk assessment;
  - analyze and learn lessons from incidents, changes, trends, successes, and failures;
  - detect changes;
  - identify emerging risks.

What is cyberspace?
- Cyberspace is a collection of interconnected computerized networks, including services, computer systems, embedded processors, and controllers, as well as information in storage or in transit.
- The internet is an example of a global cyberspace.
- Any collection of interconnected networks is a cyberspace.
- Examples of cyberspaces not connected to the internet are military networks and emergency communication networks and systems.
- A cyber-system is a system that makes use of a cyberspace.

Cyber-system
- A cyber-system may include information infrastructure, as well as the people and other entities involved in the business process.
- Many of the services society relies on are cyber-systems, such as telecommunication, transportation, finance, power supply, water supply, and emergency services.
- A cyber-physical system is a cyber-system that controls and responds to physical entities through actuators and sensors.
- Cyber-physical systems are increasingly part of our daily lives; they are used to control smart grids, smart homes, production lines, etc.

What is cybersecurity?
- Cybersecurity is the protection of cyber-systems against cyber-threats.
- A cyber-threat is a threat that exploits a cyberspace.
- Cyber-threats may be malicious or non-malicious. An example of a malicious cyber-threat is a DoS attack.
  An example of a non-malicious cyber-threat is the crash of a system because of a programming error.
- Cybersecurity is defined by what we need to protect assets from, not by which assets we need to protect: not by the kinds of assets, but by the kinds of threats to them.

Cybersecurity and safety
- Safety can be defined as the protection of life and health by preventing physical injury caused by damage to property or the environment.
- Safety focuses on system incidents that can harm the surroundings; cybersecurity focuses on threats that cause harm via a cyberspace.
- The assets considered in safety are usually limited to human life and health and to environmental assets, while the assets of concern to cybersecurity can be anything that needs to be protected.
- Safety issues are not outside the scope of cybersecurity.

Cyber-risk management
- A cyber-risk is a risk that is caused by a cyber-threat.
- A cyber-risk is not the same as any risk that a cyber-system can be exposed to. Example: a flood damaging a server is not a cyber-risk.
- A cyber-risk is malicious if it is (at least partly) caused by a malicious threat.

Communication and consultation of cyber-risk
- The general process of communication and consultation is suited to cyber-risk, but two things require attention:
  - Cyber-systems may potentially have stakeholders everywhere. The stakeholders may be consumers of services or providers of services to the cyber-system.
  - Adversaries can be everywhere, and any major incident somewhere in the world may have considerable impact on our cyber-system.
- Dealing with these parameters requires increased focus on information collection by monitoring and surveillance.
Cyber-risk assessment
- Two things distinguish risk assessment in the context of cyber-systems from the general case:
  - The potentially far-reaching extent of a cyberspace implies that the origins of threats are also widespread, possibly global.
  - The number of potential threat sources and threats, both malicious and non-malicious, is very large.
- In the cyber-risk assessment process, the second step (risk identification) is divided into two phases.

Cyber-risk assessment (continued)
- There is an almost unlimited number of ways in which unintentional things may happen.
- It is recommended to start from the assets and the ways in which they may be harmed.
- This approach focuses strictly on what we seek to protect.
- By asking "what can go wrong, and how?" we keep the right focus.
- Asking how something could happen unintentionally or by accident, and what its cause could be, will send us in all directions.

Monitoring and review of cyber-risk
Monitoring and review makes a clear distinction between:
- Monitoring and review of risk, in which we are concerned with the system in question.
- Monitoring and review of risk management, in which we focus on the implementation and operation of the risk management process for the system in question.

Questions/Comments?