Enterprise Cyber Risk Management PDF

Summary

This document provides an introduction to enterprise cyber risk management. It covers course objectives, outlines, and key concepts in the field of cybersecurity. It is intended for professional development.

Full Transcript

Enterprise Cyber
Risk
Management
Introduction and overview
INTRODUCTION – ABOUT YOU

Tell the class a little bit about yourself:
Your name
Why cybersecurity?
How will this class help you
One interesting and FUN fact

©2023 Mastercard. Proprietary and Confidential
2
INTRODUCTIONS – ABOUT ME

30 years of professional experience
Married; 2 children
Worked across multiple industries
Live in Westchester County, NY
In 4 continents
@Mastercard for 5+ years

Big picture view B.Sc. – Finance
Growth mindset B.Sc. – CMIS
Identify problems MBA – Global Business
Communicate clearly Certifications: CISM, ITIL

©2023 Mastercard. Proprietary and Confidential
Read Email: [email protected]
Netflix – and chill LinkedIn:
Travel – esp. on SQ https://www.linkedin.com/in/uroojb
Cricket urney/

3
Course overview

Cyber risk management is a Course Objectives:
crucial aspect of contemporary
business operations. This course
equips participants with the
1. Understand the fundamentals of cyber risk management.
knowledge necessary to identify, 2. Understand the role of various frameworks and
assess, measure, mitigate, and
manage cyber risks within methodologies for cyber risk assessment.
organizational contexts.
3. Learn how to identify and assess cyber risks within
Through a blend of theoretical
organizational environments.
concepts, practical examples,
and case studies, participants 4. Learn strategies for mitigating cyber risks.
will develop a comprehensive
understanding of cyber risk 5. Understand the role of compliance and regulations in
management strategies and
best practices.
cyber risk management.

©2024 Mastercard. Proprietary
6. Develop understanding of incident response and
recovery.

4
Course Outline
Item Session Content
History and overview of the cyber risk landscape
1 Introduction to Cyber Risk Management Importance of cyber risk management
Key concepts and terminology
Introduction to cyber risk assessment frameworks (e.g., NIST, ISO)
2 Cyber Risk Assessment Frameworks Comparative analysis of frameworks
Practical application of assessment frameworks
Methods for identifying cyber risks
3 Cyber Risk Identification Common vulnerabilities and threats
Risk measurement and management techniques
Why does third-party risk matter?
Identifying vendors and service providers
4 Third Party Risk Components of a TPRM program
Challenges
Post Assessment
Overview of cyber risk mitigation strategies
5 Cyber Risk Mitigation Strategies Risk transfer, avoidance, acceptance, and mitigation
Implementing security controls

©2024 Mastercard. Proprietary
Role of compliance in cyber risk management
6 Compliance and Regulations Overview of relevant regulations (e.g., GDPR, HIPAA)
Compliance frameworks and standards
Importance of incident response planning
7 Incident Response and Recovery Incident detection, containment, and eradication
5
Post-incident recovery and lessons learned
INTRODUCTION – ENTERPRISE CYBER RISK MANAGEMENT
INTRODUCTION – ENTERPRISE CYBER RISK MANAGEMENT

- What is risk?

©2023 Mastercard. Proprietary and Confidential
7
Enterprise Cyber
Risk
Management
Introduction and overview
Copyright 2024 Mastercard

The information provided herein by Mastercard (the “Presentation”), as well as all materials, concepts, processes and
methodologies employed by Mastercard or a Mastercard supplier in connection with the Presentation, are and will remain the sole
and exclusive property of Mastercard (or such Mastercard Supplier). Mastercard hereby grants to meeting participants a limited,
non-exclusive right to use the Presentation without the right to assign, transfer or sublicense the Presentation in any way.

The Presentation is confidential, provided for informational, non-commercial purposes only. The recipient may use the Presentation
for its own internal business purposes. Except with the prior written permission of Mastercard, the Presentation shall not be used
for any other purpose and shall not be published or disclosed to third parties, in whole or part.

Mastercard makes no warranties concerning the Presentation and disclaims all express and implied warranties to the extent
permitted by law, including but not limited to ay implied warranty of merchantability, course of dealing, or fitness for a particular
purpose. Recipient is responsible for its use of the Presentation, and Mastercard assumes no responsibility or liability with respect
thereto.

In addition, all meeting participants are reminded that this meeting must adhere to competition law rules and, as such, no
confidential or commercially sensitive information ought to be shared directly or indirectly between competitors. If any member
feels that a discussion includes prohibited topics, they should raise an objection immediately as to stop discussion on such matter
pending advice regarding the application of competition law.

©2024 Mastercard. Proprietary
9
 At the beginning hacking was all about exploring and figuring out how the wired
world worked
Hacking is any activity that aims to exploit and illegally access a computer system, device, or network, without explicit permission from its owner.

Before the 90s The early 2000s Since the COVID-19 pandemic
Hacking wasn’t always a criminal enterprise. In Ever since modern computers solidified their existence in
the early days, it was all about having fun and homes and offices, hackers, as we know them today,
Digitalization, hyperconnectivity and artificial intelligence
impressing your peers. Apple co-founders emerged.
Steve Wozniak and Steve Jobs were early The pandemic has
hackers, “phone phreakers” who learned to As technology further evolved and the internet, emails, and further escalated cyber
manipulate telephone systems and trick the cellphones and smartphones became mainstream, malicious risk with an explosion
phone company into giving out free long- hackers managed to find their way into almost every type of of digital relationships.
distance calls. system and device. Unprotected emerging
digital and cyber 3,600 667% 127%
For Jobs, hacking was very much about the technologies became fake Covid-19 increase in increase in
sense of adventure: “It was the magic of the fact fertile breeding grounds websites email scams3 exposed
that two teenagers could build this box for $100 for criminals. created between endpoints4
worth of parts and control hundreds of billions of March 14-182
dollars of infrastructure in the entire telephone
network of the whole world.”¹ Surge in ransomware and DDoS attacks with the rise
of organized crimes

©2024 Mastercard. Proprietary
The SolarWinds hack is the commonly used term to refer to the supply chain breach
“LoveBug”, was a simple piece of malware, but it changed the world of that involved the SolarWinds Orion system. In this hack, suspected nation-state
Wozniak and Jobs Blue Box, ca. 1972. The Blue cybersecurity. Originally intended to simply harvest the passwords of a few hackers gained access to the networks, systems and data of thousands of SolarWinds
Box allowed electronics hobbyists to make free local internet providers, in the year 2000, LoveBug spread around the world, customers. The breadth of the hack is unprecedented and one of the largest, if not the
telephone calls. infecting over 45 million devices to become the first piece of malware to really largest, of its kind ever recorded.
take businesses offline in a significant way.

10
Cyber crime emerged in a digital and interconnected world with the internet as a
safe domain, with much less risk, with which to operate and generate profits
Criminals had introduced a professional element into the world of cybercrime. No longer were we looking at geeky exploitation of weaknesses in systems,
things had now developed to using computer networks to infiltrate and take advantage of the trust of other users for huge financial gain.

Computer systems & applications
Data theft
compromise
SPAM
Credentials ID Spammers send out millions of messages
(login and password) (passport, driver license) Medical records on behalf of online merchants who want
to sell a product. If a spam recipient buys Click Fraud
something, the spammer gets a
Advertisers pay websites for clicks on
percentage of the sale.
Insurance their ads. With a zombie network, a
Credit card information E-mail hacker can generate thousands of unique
clicks a day
Phishing
Cybercriminals handling phishing schemes
Fraud Identity Theft pay botnet¹ owners up to USD 2k per
month for hosting fast flux services.
Exploit accounts or services Usage of personal information to open and Malware or DDoS for
already in place abuse new accounts or services
Ransom
Fraud transactions, withdrawals Creation of fake seller accounts on marketplaces
and payments Opening of credit lines Adware Hackers make money by demanding

©2024 Mastercard. Proprietary
payment to decrypt information or halt
Impersonation – E.g.: medical or ID creation Many companies that offer online
unavailability of an application / server
criminal Claiming insurance or unemployment benefits advertising services pay for each
Money laundering – Creation of fake seller / installation of their software. With a
buyer accounts botnet¹ at disposal, a cybercriminal can
Sale on dark web install any software on thousands of
computers

11
 Besides attackers who seek financial benefits, the world of cyber crime enables
other types of attackers, motivated by social causes, religion, politics and ideology
Cyber criminals such as hacktivists and cyberterrorists are socially and/or politically-motivated, targeting institutions and nations with opposing views.
These attackers often perform cyber attacks that expose, embarrass, intimidate or generate fear in the target population

Disruption of critical Disruption of major
Information leakage
infrastructure systems websites This is a popular activist tactic. Typically, an insider source
Threat actors try to disable or disrupt cities, cause a Through DDoS attacks, hacktivists prevent users will access sensitive or classified information - which
public health crisis, endanger public safety or cause from accessing targeted computer systems, devices implicates an individual, organization or government
massive panic and fatalities. For example, or networks. DoS and DDoS attacks flood systems agency in an activity that reflects negatively on them - and
cyberterrorists might target a water treatment with traffic, overwhelm resources and make them make it public. WikiLeaks is known for publishing leaked
plant, cause a regional power outage or disrupt a difficult to access. data.
pipeline, oil refinery or fracking operation. The intent here can also be to create public
inconvenience or stop traffic to websites containing
content the hackers disagree with.

Wikileaks
Florida Water Treatment Plant Julian Assange launched the WikiLeaks website in 2006 to host

©2024 Mastercard. Proprietary
By abusing remote access credentials that were shared between
Anonymous leaked documents, describing itself as an independent, nonprofit
They attacked the company's online media organization. The first notable documents published
employees, on Friday, February 5, 2021, a hacker initiated an on the site were the nearly 80,000 documents about the U.S. war
attack on an Oldsmar, Florida water treatment facility which online Playstation store in
retribution for Sony's lawsuit in Afghanistan leaked in 2010, followed by nearly 400,000
briefly adjusted the levels of sodium hydroxide. According to documents about the war in Iraq. WikiLeaks is also known for
specialists, the motivation behind the attack seemed to be to against PS3 hacker George Hotz
(aka "GeoHot"). A DDoS attack revealing over 20,000 emails and 8,000 email attachments from
cause harm to people, rather than to gain financial benefits the Democratic National Committee that were sent during the
has temporarily taken down
playstation.com. 2016 U.S. presidential campaign.

12
THE COST OF CYBERCRIME

$10,500,000,000,000

Cybercrime Pays Cyber Security Skills Shortage Technology Accessibility
Earnings are ~$30,000/job; Approximately 3 million cyber Digital transformation grows
averaging 10-15% higher than security positions are unfilled, the attack surface for threat

©2024 Mastercard. Proprietary
most traditional crimes and the number is growing actors to explore and exploit

13 Source: Cyber Ventures, GCI 2020
The cyber security market is growing rapidly; driven by 4 main factors

Cyber spend (by year and cumulatively) Key drivers of market growth

Driver 1: Increased technical complexity Driver 2: Regulations and Compliance
1,500 Buyers have recognized that “tech sprawl” leads to Multiple new compliance regimens across the globe
1,400
gaps in defenses are forcing organizations to re-examine and invest
in cybersecurity operations
Estimated cumulative cyber security expenditures

1,300 317 Technology configurations are difficult to manage
1,200 and cause inadvertent gaps despite best efforts New tooling and advisory services are needed to
1,100 These issues are changing buying behaviors leading reset the security posture, preparedness, response
1,000 283 to purchase of solution suites + services vs. point and resiliency of the enterprise (e.g., DORA and
+12% NIS2 in EUR; SEC Disclosure Rules in NAM, MAS
900 products
Tech Risk in SG, etc.)
800
253
700
600
500 226 Driver 3: Business transformation with AI, Digital, Driver 4: Lack of skilled security experts
400 etc. Organizations are looking for Automation (AI)
300 202 As businesses adopt new operating models, they based solutions to reduce dependency on scarce
200 180 recognize the need for cybersecurity as and often unskilled resources who are unable to

©2024 Mastercard. Proprietary
100 fundamental to securing sensitive customer and detect and prevent attacks and breaches
0 transaction data Specialized consulting resources are in demand as
2023 2024 2025 2026 2027 2028
Cybersecurity is listed as one of the Top 3 risks on they address organizations inability to attract
Estimated annual cyber security 10Ks and other business reports qualified resources
expenditures

14 Based on various market analyst estimates
Many businesses are not equipped to handle this evolving dynamic

Too many security tools

47 Number of security tools the average
company deploys3

Lack of synergy throughout the business
Of enterprises believe they’ve synergized
Severe shortage of cyber skills
39% key security and incident response
processes4
3.5 Million cyber jobs expected to be unfilled
globally in 20212
Growing dependence on third-parties

Shifting to digital channels without a
holistic view of cyber risks
59% Of companies experience a third-party
data breach yet only 16% can mitigate
those risks5

88% Have seen a rise in cyber attacks resulting
from employees working at home1

©2024 Mastercard. Proprietary
15
Breaches lead to significant financial costs as well as substantial indirect costs

$4.24MM
Financial
losses

Legal &
Share price
average cost of a drop / investor
regulatory fines
data breach impact

Compromise of
customer Cyber Attacks Disclosure of
security & Result in: trade secrets
privacy

©2024 Mastercard. Proprietary
Loss of Loss in business
customer trust reputation

16
It is important to understand that Cyber Risk is independent of industries, or
countries; everyone is a target

What do we need to From whom are we How are they attacking us
protect? protecting this? and our customers?

Digital Assets: Anything that Hacker: People who work alone Malware: Is a term used to
has value to us or to our or in teams for financial gains, describe malicious software,
customers there are several types of including spyware, ransomware,
hackers viruses, and worms.

Unstructured Data: Files in
various formats such as Word, DoS: Denial-of-service attack –
Insider threats: Individuals This attack floods systems,
Excel, PowerPoint within the organization who servers, or networks with traffic
have malicious intent towards to exhaust resources and
the company bandwidth.
Structured Data: Transaction
data in systems, databases
Political Cyber Warriors: Phishing: It is the practice of
Nation-state sponsored sending fraudulent

©2024 Mastercard. Proprietary
Systems: Solution, applications attacker with significant communications that appear to
owned by the organizations, etc. resources to affect major come from a reputable source,
disruptions on a national scale usually through email

17
How cyber risk relevance has changed over time

Enterprise Risk
Past

Environmental Compliance Operational
Strategic Risk Market Risk Credit Risk
Risk Risk Risk

An embedded component of the overall operational risk universe of the IT Security
enterprise – seen as an IT issue
Risk

Enterprise
Risk
Shift to cloud/digital and
Environmental Compliance Operational corresponding increases in
Strategic Risk Market Risk Credit Risk Security Risk
Risk Risk Risk fraud/scams resulting in
increased regulatory scrutiny

Enterprise Cybersecurity
Digital Risk

©2024 Mastercard. Proprietary
Risk Risk

Present
Select highly-innovative and very risk averse organizations established roles such
as Chief Cyber-Security Risk Officer responsible for cyber risk management at
the same level as a CRO and CIO and with direct access to the Board.
18
The dynamic role of the CISO

Past Present Future Types of CISOs

Limited insights Have oversight and Board becomes key Security as a Cost Centre Security as Compliance
and interest in awareness driver of cyber risk
cyber topics; lack management and
awareness business resilience Low-to-mid Management Middle Management
Board
Not called CISO Limited technical
Part of operational Executives may be Executives have Technical background background
risk reports but not held liable for cyber expertise in cyber; Function is understaffed and Compliance is used to drive
material events make data driven,
under-funded the cyber agenda
ROI positive
Execs
decisions Cyber is not a company Generally underfunded but
priority not aware of business
Technical SME; Some business Holistic view of cyber
Board awareness is limited impacts
focused on point expertise; as a business
solutions – reports expanding to enabler; reports to
CISO to CIO/CTO resilience; some the CEO & has
report to CEO board presence Security as IT Business Enabler
Technologists with Operationally Focused on business Reports to: Reports to:
some cyber focused; not a enablement through CIO/CTO The CEO or the board
product broad view of resilience and trust
knowledge/ business impacts Senior Management Business focused senior
Cyber Technical expert executive
Team training
Uses technology to address Board understands the need

©2024 Mastercard. Proprietary
Not cyber aware Receive annual Continuous and solve issues and importance of cyber and
trainings / feedback on actions; Lacks required business manages risk
certifications; few cyber aware and
understand role in proactive
acumen Security by design and
Staff Accomplished in their own security aware culture
business protection
right

19
Important capabilities for a CISO

Leadership and management

Business and technical
communications

Strategic thinking
CISO

Business acumen

Technical expertise

©2024 Mastercard. Proprietary
Problem-solving

20
Expectations of and from the board

I. The board sets the risk appetite and tolerance levels, approves the risk management plan,
and monitors the risk profile and performance.
II. The board also ensures that the organization has adequate resources, systems, and
controls to manage risks effectively.

Cyber Risks Review and impact to business priorities
A clear view of the threat
landscape and relevant risks
Governance oversight and mechanisms

Activities undertaken to
measure, manage and mitigate Risk Appetite Determination
risks

Review and approval of remediation and mitigation plans
Business impacts of cyber risk

©2024 Mastercard. Proprietary
Learning and awareness
Demonstration of compliance
wrt policies, rules and
regulations Resource allocation

What the CISO owes leadership What leadership owes the CISO
21
Glossary of useful
terms
Copyright 2024 Mastercard

The information provided herein by Mastercard (the “Presentation”), as well as all materials, concepts, processes and
methodologies employed by Mastercard or a Mastercard supplier in connection with the Presentation, are and will remain the sole
and exclusive property of Mastercard (or such Mastercard Supplier). Mastercard hereby grants to meeting participants a limited,
non-exclusive right to use the Presentation without the right to assign, transfer or sublicense the Presentation in any way.

The Presentation is confidential, provided for informational, non-commercial purposes only. The recipient may use the Presentation
for its own internal business purposes. Except with the prior written permission of Mastercard, the Presentation shall not be used
for any other purpose and shall not be published or disclosed to third parties, in whole or part.

Mastercard makes no warranties concerning the Presentation and disclaims all express and implied warranties to the extent
permitted by law, including but not limited to ay implied warranty of merchantability, course of dealing, or fitness for a particular
purpose. Recipient is responsible for its use of the Presentation, and Mastercard assumes no responsibility or liability with respect
thereto.

In addition, all meeting participants are reminded that this meeting must adhere to competition law rules and, as such, no
confidential or commercially sensitive information ought to be shared directly or indirectly between competitors. If any member
feels that a discussion includes prohibited topics, they should raise an objection immediately as to stop discussion on such matter
pending advice regarding the application of competition law.

©2024 Mastercard. Proprietary
23
Attackers – There are different types of cybercriminals. One must be able to
identify their modus operandi to defend against threats

Political Cyber Warrior Organized Crime
Nation-state sponsored attacker with significant resources to disrupt Criminal organization with significant resources focused on financial
on a national scale. gain.

Political Activist Sensationalist
Semi-organized individuals acting out of political ideologies Attention grabber who may employ any method to get their “15
(hacktivism), not backed technically by nation-states. minutes of fame.”

Cyber Terrorist Disgruntled IT Employee
Individuals within an organization who have malicious intent towards
Hostile entities based on ideologies, state/non-state actors. Cyber
the company. May be a disgruntled employee with possible access or
terror is an emerging attack method heavily supported by nation-
knowledge of how to access the organization and significant levels of
states and considered political cyber warriors, not terrorists.
IT knowledge specific to the organization.

Industrial Espionage Fraudster
A person or small group that tries to commit fraud, especially in online
Financially motivated actor looking to gain competitive advantage.
business transactions.

©2024 Mastercard. Proprietary
Financial Hacker Legal Adversary
Hackers working alone or in teams for financial gain. Adversary in legal proceedings against the organization.

24
TTP – Acronyms and terminology

Attack Description

Denial of Service The Denial-of-Service attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There
(DoS/DDoS) are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, or resources handling
vulnerabilities, among others. If a service receives a very large number of requests, it may become unavailable to legitimate users. In the
same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses.

Unauthorized Device Unauthorized devices that are connected to the environment can cause malware distribution and data leakage. Attack examples are
Connection unauthorized removable media connection and unauthorized network device connection.

Injection Injection flaws, such as SQL, NoSQL, OS and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or
query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper
authorization.

Spoofing/MitM This type of attack targets the communication between two components (typically client and server). The attacker places themself in the
communication channel between the two components. Whenever one component attempts to communicate with the other (data flow,
authentication challenges, etc.), the data first goes to the attacker, who can observe or alter it, and it is then passed on to the other
component as if it was never intercepted. This interposition is transparent, leaving the two compromised components unaware of the
potential corruption or leakage of their communications. The potential for man-in- the-middle attacks yields an implicit lack of trust in
communication or identity between two components.

©2024 Mastercard. Proprietary
Brute Force/Fuzzing In this attack, an asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access
to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is
functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys,
database lookup keys, and initial values to one-way functions.

25
TTP – Acronyms and terminology

Attack Description

Exploitation of An attacker exploits weaknesses, limitations and assumptions in the mechanisms a target utilizes to manage access to its resources or to
Authentication, authorize utilization of its functionality. Such exploitation can lead to the complete subversion of any control the target has over its data
or functionality, enabling almost any desired action on the part of the attacker. Attack examples are software integrity attacks,
Privileges and Trust authentication bypass or abuse, privilege escalation, authentication bypass and exploitation of session variables, resource IDs and other
trusted credentials.

Use of Legitimate An attacker manipulates legitimate tools or functions of an application to perform an attack. Attack examples are abuse of
Tools legitimate business processes and abuse of legitimate channels.

Physical Attacks An adversary physically attacks a device or component, destroying it so it no longer functions.

Web Social Engineering An adversary manipulates and exploits people over the web using drive by downloads, watering hole attacks and malvertising

Email Social Engineering An adversary manipulates and exploits people using emails, including spam, scams, phishing and spear phishing.

Interpersonal Social An adversary manipulates and exploits people at the interpersonal level using bribery, elicitation, extortion and influence.
Engineering

©2024 Mastercard. Proprietary
Malicious Code Execution Malware or malicious software performs undesirable operations such as data theft or some other type of computer compromise.
(Malware) Some of the main types of malware include trojans, viruses, worms and spyware..

26
TTP – Acronyms and terminology

Attack Description

Command and Control Malware is a command-and-control channel (botnet). It is the collection of internet connected programs communicating with other similar
programs to perform tasks. This can be as mundane as controlling an Internet Relay Chat (IRC) channel, or it could be used to send spam
email or participate in distributed denial of service attacks.

Mobile Malware Malware, short for malicious software, is any software used to disrupt mobile device operation, gather sensitive information, or gain
access to private computer systems. Malware is defined by its malicious intent, acting against the requirements of the computer user, and
does not include software that causes unintentional harm due to some deficiency. This attack focuses on iOS, Android and Windows
Mobile malware types.

Resource Manipulation Attack patterns within this category focus on the adversary's ability to manipulate one or more resources, or some attribute thereof, in
order to perform an attack. This is a broad class of attacks wherein the attacker can change some aspect of a resource's state and
thereby affect application behavior or information integrity. Attack examples are infrastructure manipulation, file manipulation, registry
manipulation, remote code execution and cache poisoning.

Buffer Attacks An adversary manipulates an application's interaction with a buffer to read or modify data they shouldn't have access to. Buffer attacks
are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the
content of the buffer. In virtually all buffer attacks, the content placed in the buffer is immaterial. Instead, most buffer attacks involve
retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended
program memory.

Network Manipulation Attack patterns within this category focus on the adversary's ability to manipulate one or more network resources or some attribute to

©2024 Mastercard. Proprietary
perform an attack. Attack examples are protocol manipulation and abuse of communication channels

ICS Malware Malware is any software used to disrupt ICS infrastructure, gather sensitive information, or gain access to private computer systems.
Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that
causes unintentional harm due to some deficiency. This attack focuses on ICS endpoints and controllers.

27
TTP – Acronyms and terminology

Attack Description

Terminal Malware Terminal attacks are malware for the purpose of terminal stations, such as POS, kiosk, ATM, etc.

Reconnaissance Attack patterns within this category focus on the gathering, collection and theft of information by an adversary. The adversary may
collect this information through a variety of methods, including active querying and passive observation. By exploiting weaknesses in
the design or configuration of the target and its communications, an adversary can get the target to reveal more information than
intended. Information retrieved may aid the adversary in making inferences about potential weaknesses,
vulnerabilities or techniques that assist the adversary’s objectives. This information may include details regarding the configuration or
capabilities of the target, clues as to the timing or nature of activities, or other sensitive information. Often this sort of attack is
undertaken in preparation for some other type of attack, although the collection of information by itself may in some cases be the end
goal of the adversary.

Web Application Attacks Web application attacks are regarded as direct or indirect attempts to exploit a vulnerability or weakness in the services and
applications on the web, abusing their APIs, runtime environments or services.

DNS Attacks Attacks on DNS servers, such as cache poisoning and DNS hijacking.

Supply Chain Attacks Attack patterns within this category focus on the disruption of the supply chain lifecycle by manipulating computer system
hardware, software or services. The purpose of these types of attacks is espionage, theft of critical data or technology, or the
disruption of mission-critical operations or infrastructure. Supply chain operations are usually multi-national with parts,
components, assembly and delivery occurring across multiple countries, offering an attacker multiple points for disruption.

©2024 Mastercard. Proprietary
Ransomware Ransomware is a type of malware (like viruses, trojans, etc.) that infects the computer systems of users and manipulates the infected
system in such a way that the victim cannot (partially or fully) use it and the data stored on it. The victim usually receives a pop-up
blackmail note urging the victim to pay a ransom to regain full access to their system and files. Ransomware travels through the same
channels as other kinds of malware, such as phishing emails, water holing and other drive-by attacks.

28
Cybersecurity Frameworks &
Compliance
Copyright 2024 Mastercard

The information provided herein by Mastercard (the “Presentation”), as well as all materials, concepts, processes and
methodologies employed by Mastercard or a Mastercard supplier in connection with the Presentation, are and will remain the sole
and exclusive property of Mastercard (or such Mastercard Supplier). Mastercard hereby grants to meeting participants a limited,
non-exclusive right to use the Presentation without the right to assign, transfer or sublicense the Presentation in any way.

The Presentation is confidential, provided for informational, non-commercial purposes only. The recipient may use the Presentation
for its own internal business purposes. Except with the prior written permission of Mastercard, the Presentation shall not be used
for any other purpose and shall not be published or disclosed to third parties, in whole or part.

Mastercard makes no warranties concerning the Presentation and disclaims all express and implied warranties to the extent
permitted by law, including but not limited to ay implied warranty of merchantability, course of dealing, or fitness for a particular
purpose. Recipient is responsible for its use of the Presentation, and Mastercard assumes no responsibility or liability with respect
thereto.

In addition, all meeting participants are reminded that this meeting must adhere to competition law rules and, as such, no
confidential or commercially sensitive information ought to be shared directly or indirectly between competitors. If any member
feels that a discussion includes prohibited topics, they should raise an objection immediately as to stop discussion on such matter
pending advice regarding the application of competition law.

©2024 Mastercard. Proprietary
30
The Broader Cyber Security Landscape

NON-EXHAUSTIVE
Cybersecurity Services
Cybersecurity products
Plan Build Manage

Governance
Network Content Endpoint Identity & Security vuln. Consulting & Security Integration & Managed
risk & Hosted services
security security security access mgmt. mgmt. advisory assurance engineering services
compliance

Vulnerability Regulation-specific
NAC, device EDR (client, server, Board advisory/ Security solutions Co-hosted or multi-
DD, DC, DLP IG&A, IAM SIEM / XDR testing and audits, SOC
disc./class. OT, IoT) / EPP virtual CISO delivery tenant SIEM
scanning accreditation

Framework (ISO, Security system
Endpoint mgmt. Strategic program Cloud based unified
NGFW Bot Mgmt. SSO/PM VA / VM / ASM Penetration testing NIST) maturity optimization, SIEM, monitoring
suites design, mgmt. threat protection
assessments migration

Product and
Breach response War-gaming Third party risk Threat Intelligence Cloud based anti-
IDS/IDP, UTM WAF MDM / MAM Advanced auth. AST licensing
planning exercises assessment & Support Svcs malware
procurement

Security
Cloud (containers, Digital forensics Other regulation- Security software EDR, EPP, NDR
VPN SWG PAM GRC, VRM architecture, Other
CSPM, CWPP) and IR specific services development mgmt.
design

Strategic digital Static and dynamic
DDoS, DNS sec SEG Consumer Identity federation IR / forensics Other Vulnerability mgmt.
initiative support code analysis

Security SDLC,

©2024 Mastercard. Proprietary
NDR CASB Threat Intelligence Training Infrastructure Device mgmt.
hardening

Other SecOps
Product testing
SDN & ZTA SASE / SSE (AM/C, SOAR, Authorized support Other
(IoT, ICS/SCADA)
UEBA)

Note: NGFW is Next-Generation Firewall, IDS/IDP is Intrusion Detection/Prevention, UTM is Unified Threat Management, VPN is Virtual Private Network, SDN is Software-Defined Networking, DD is Data Discovery, DC is Data Classification, DLP is Data Loss Prevention, WAF is
Web Application Firewall, SWG is Secure Web Gateway, SEG is Security Email Gateway, CASB is Cloud-Access Security Broker, SASE is Secure Access Service Edge, EDR is Endpoint Detection and Response, MDM/MAM is Mobile Device/Application Management, CSPM is Cloud
Security Posture Mgmt., CWPP is Cloud Workload Protection Platform, SSO is Single-Sign On, PAM is Privileged Access Management, SIEM is Security Information and Event Management, VA/VM is Vulnerability Assessment/Management, AST is Application Security Testing,
31 GRC is Governance Risk & Compliance Management, VRM is Vendor Risk Management, IR is Incident Response, AM/C is Asset Management/Configuration, SOC is Security Operation Center, EPP is Endpoint Protection Platform, API is Application Programming Interface
Frameworks and Standards provide structure to a data and resource intensive
function
Cyber risk frameworks provide a guided, systematic approach
to managing cyber risks, facilitate compliance with regulatory
requirements and industry standards. They also enhance the
organization's ability to respond to and recover from cyber
incidents, thus minimizing impacts on business operations.

International standards are designed as tests for the correct
NIST CSF 2.0 SOC 2
and proper design, implementation and operations of system
controls. NOTE: industry standards differ from international
control standards as the former is oriented towards specific
industry types whereas the latter is agnostic.

©2024 Mastercard. Proprietary
Frameworks and standards may be combined and jointly
implemented.
ISO 27001 ISO 30001

32
How Frameworks help describe complex issues in simple terms

IDENTIFY DETECT PROTECT RESPOND RECOVER

Visibility DATA Resilience

©2024 Mastercard. Proprietary
Governance & Compliance

33
Risk Management vs. Risk Analysis vs. Risk Assessment

Risk Management Risk Assessment
The continuing process to Helps identify and categorize risks
identify, analyze, evaluate, and Provides an outline for potential consequences
treat loss exposures and monitor
risk control and financial Identification of risk based on the following steps:
resources to mitigate the Identify the critical assets and sensitive data,
adverse effects of loss Build a risk profile for each asset,
Determine cybersecurity risks for each asset,
Mapping how critical assets are linked,
Prioritize which assets to address in case of a security threat,
Management Analysis Assessment Create a mitigation plan with security controls to eliminate or mitigate the
impact of each risk,
Continually monitor risks, threats, and vulnerabilities.

Risk Analysis
Evaluation component that helps determine:
The significance of identified risk factors
Qualifies the risk
Enables measurement and likelihood of hazards occurring
Enables the determination of tolerances for certain events

©2024 Mastercard. Proprietary
Analysis enables the estimated extent of possible impact of the risks
identified in the assessment process.
Together, this makes it possible to prioritize risks and set a strategy for
mitigating the risks to reduce business impact.

34
Application of Frameworks
Define the Scope Identify Threats Assess Vulnerabilities
Frameworks enable the creation of a
Determine the boundaries of the
risk assessment—specific systems,
List potential cybersecurity threats Identify weaknesses in your systems standardized approach that is more
such as malware, ransomware, and processes that could be
data, and processes.
phishing, insider threats, and exploited by threats. intuitive to manage and enables a
Identify the assets that need
protection, including hardware,
natural disasters. Use vulnerability scanning tools and common taxonomy across various parts
Consider both internal and external penetration testing to detect
software, data, and network
threats. vulnerabilities. of the business.
resources.

The purpose of the process is to provide a
method to continuously update and
Monitor and Review manage the risk posture of the
Assess the likelihood of each threat
organization.
Continuously monitor the Prioritize risks based on their exploiting a vulnerability and the potential
effectiveness of implemented likelihood and impact. impact on the organization.
controls. Review and update the Implement security measures, such Use qualitative methods (e.g., Certain measures will be monitored
risk assessment regularly for new
threats, vulnerabilities, and
as firewalls, encryption, multi- high/medium/low) or quantitative
methods (e.g., calculating potential continuously whereas others may be
factor authentication, security
organizational changes. policies, etc., to mitigate risks.
financial loss).
measured at various frequencies.
Implementation Phases

Implement Controls Analyze Risk The benefit of a standardized approach,
framework-based approach is that cyber
risk can be managed regardless of the
size and scope of the organization while

©2024 Mastercard. Proprietary
Document the risk assessment
process, findings, decisions, and making reporting easier to manage and
actions taken.
Report the results to relevant
explain. Furthermore, applying this
stakeholders, including approach also enables more robust
management and regulatory
bodies. compliance management and reporting.
Document & Report
35
Compliance and
Cyber Risk
Management
Role of Compliance in Cyber Risk Management

Regulatory Alignment Data Protection:
Compliance ensures organizations align their cyber risk Compliance helps ensure that sensitive data is protected
management practices with relevant laws, regulations, and according to legal and regulatory standards, which is vital for
standards. This alignment is crucial for avoiding legal maintaining customer trust and avoiding data breaches
penalties and reputational damage.

Risk Mitigation: Operational Resilience:
Compliance frameworks often incorporate best practices for By following compliance standards, organizations can improve
cyber security, which help identify, assess, and mitigate risks their resilience to cyber attacks, reducing downtime and
effectively. minimizing the impact on business operations.

Trust and Credibility: Strategic Decision Making:
Organizations that adhere to compliance standards can Compliance provides a framework for making informed
boost their credibility and trustworthiness among customers, decisions about investments in cyber security, prioritizing
partners, and stakeholders, enhancing their market actions based on regulatory importance and potential impact.
reputation.

Continuous Improvement: Legal and Financial Safeguards:

©2024 Mastercard. Proprietary
Compliance requirements can drive continuous improvement Adhering to compliance standards can provide legal and
in cyber security practices, as they often require regular financial safeguards against the consequences of cyber
audits and reviews incidents, including litigation and fines
Country-specific regulatory requirements are driving increased adoption of cyber
risk management functions across the globe
Current and anticipated cyber resilience regulations (select markets below)
E.U. (DORA and NIS2)
DORA: Enforcement of by national competent
authorities will be integrated into existing
supervision practices for regulated entities;
member states to set out rules establishing
administrative penalties for breaches of DORA
NIS2: Extends the scope of the cybersecurity DORA and NIS 2
rules to new non-FI sectors; EU member states
NYDFS,
must implement NIS2 by October 2024 SEC Op Res
UK
Joint FS regulators’ position on Operational MAS
Resilience, which is like DORA but not as TRM
prescriptive, became effective in 2021; final Cyber
Resilience
compliance deadline is 2025 Framework
US
Nat’l.
NY State has put in place Cybersecurity Cyber The Security of
Requirements for financial services companies, Strategy Critical
and the [SEC has put in place requirement of Infrastructure
Act
cybersecurity capabilities]

©2024 Mastercard. Proprietary
Australia E-CIBER
Cybersecurity
Security of Critical Infrastructure Act of 2018 & Cyber
requires a holistic and proactive cybersecurity Resilience
for select sectors deemed to be of critical
infrastructure

38
Singapore specific regulations*

Personal Data Applies to any organization handling personal data within Singapore.
Protection Act It aims to protect individuals' data against misuse and regulate the flow of personal data
(PDPA): among organizations.

Cybersecurity Applies to owners of Critical Information Infrastructure (CII) across various sectors in
Act: Singapore.
It aims to secure Singapore’s critical information infrastructure from cyber threats and
enhance national security.

Monetary Targets financial institutions in Singapore.
Authority of It aims to ensure robust cybersecurity practices among financial institutions to protect
Singapore (MAS) against financial and data breaches.
Guidelines:

©2024 Mastercard. Proprietary
39 *Non-exhaustive
Common Themes and Intent Across Regulations

Enhance Security Increase Transparency
Strengthen cybersecurity defenses to Mandate organizations to be transparent
prevent unauthorized data breaches and about how personal data is collected,
cyber attacks. used, and protected.

Intent of Security &
Privacy Regulations

Build Trust Promote Accountability
Enhance public trust in digital services and Ensure organizations are accountable for
infrastructure through stringent regulatory managing data securely, with penalties

©2024 Mastercard. Proprietary
standards. for non-compliance.

40
Demonstrating Compliance

Identify relevant laws, regulations, and standards applicable to your industry and region (e.g., GDPR, HIPAA, PCI-DSS)

Stay updated with changes and amendments to compliance frameworks

Demonstrate compliance through regular audits, reporting, and third-party certifications such as ISO 27001 and SOC2

Tools like compliance management software can help track requirements and document adherence

Continual education and training are crucial for maintaining compliance and understanding evolving regulations

©2024 Mastercard. Proprietary
41
Cybersecurity risk Identification,
Quantification, and Prioritization
Copyright 2024 Mastercard

The information provided herein by Mastercard (the “Presentation”), as well as all materials, concepts, processes and
methodologies employed by Mastercard or a Mastercard supplier in connection with the Presentation, are and will remain the sole
and exclusive property of Mastercard (or such Mastercard Supplier). Mastercard hereby grants to meeting participants a limited,
non-exclusive right to use the Presentation without the right to assign, transfer or sublicense the Presentation in any way.

The Presentation is confidential, provided for informational, non-commercial purposes only. The recipient may use the Presentation
for its own internal business purposes. Except with the prior written permission of Mastercard, the Presentation shall not be used
for any other purpose and shall not be published or disclosed to third parties, in whole or part.

Mastercard makes no warranties concerning the Presentation and disclaims all express and implied warranties to the extent
permitted by law, including but not limited to ay implied warranty of merchantability, course of dealing, or fitness for a particular
purpose. Recipient is responsible for its use of the Presentation, and Mastercard assumes no responsibility or liability with respect
thereto.

In addition, all meeting participants are reminded that this meeting must adhere to competition law rules and, as such, no
confidential or commercially sensitive information ought to be shared directly or indirectly between competitors. If any member
feels that a discussion includes prohibited topics, they should raise an objection immediately as to stop discussion on such matter
pending advice regarding the application of competition law.

©2024 Mastercard. Proprietary
43
CYBER RISK MANAGEMENT

Key Questions: Purpose:

Do you know which of the security gaps Identify critical security gaps by assessing the
maturity of cyber controls and processes and the
pose the greatest risk to your business? importance of each

What is the financial risk of security Quantify cyber security risks specific to the
organization and calculate the potential
breaches on your organization? financial impact of a breach

Proprietary and Confidential
Prioritize next steps to improve security posture

Proprietary
How do your business and security
and reduce risk by conducting simulations to

Mastercard.
leaders determine where to invest?

Mastercard.
pinpoint actions with the greatest ROI

©2020
©2024
44
A HOLISTIC CYBER APPROACH

Think about current
cybersecurity
capabilities how you
think of protecting your
home

©2024 Mastercard. Proprietary
45
A HOLISTIC CYBER APPROACH

Understand how your organization is protected by assessing your
cyber security posture externally and internally

Outside-In View Inside-Out View

©2024 Mastercard. Proprietary
46
PERSONAL SECURITY DRIVERS PARALLEL PROFESSIONAL NEEDS

Like protecting a home, organizations must prioritize capabilities that
prevent unauthorized access and protect valuable assets

©2024 Mastercard. Proprietary and Confidential
©2020
47
IMPROVING RISK VISIBILITY

Identification
Awareness & Response
Quantification

The goal is to improve the analysis of risk, understand the implications of the risk,

©2024 Mastercard. Proprietary
create a business proposal to address the risk and, over time, manage the risk within
acceptable thresholds

48
CYBER RISK VISIBILITY DRIVES IMPROVED DECISION MAKING AND RESOURCE ALLOCATION

Cyber Risk Dashboard
Awareness
Visibility into Cyber Risk
Identification Response

Visibility into Threat Landscape Visibility into Process Risks Visibility into Human Risks

Visibility into Supply Chain Risks Visibility into Threat Realization Risks Visibility into Digital Technology Risks

The goal is to improve the analysis of risk, understand the implications of the risk,

©2024 Mastercard. Proprietary
create a business proposal to address the risk and, over time, manage the risk within
acceptable thresholds

49
A HOLISTIC CYBER APPROACH

Understand how your organization is protected by assessing your
cyber security posture externally and internally

mastercard

CyberQuant

©2024 Mastercard. Proprietary
50
RISKRECON – HOW IT WORKS

What is cyber risk scoring?
IN CONTEXT

Imagine a thief standing across the Crack in the Open door
street casing a business and assessing window
+ with no
both the security safeguards as well as dead bolt
potential gaps for exploitation.

Cyber risk scoring does this same thing -
in a cyber environment, passively
evaluating the security safeguards and - Surveillance
camera
gaps in an organization—without
interfering in their business—to score -
cyber risk.
-

©2024 Mastercard. Proprietary
Security safeguards and gaps are
assessed by categories for Security and Garbage left
Infrastructure. out with
No security private
guard on details
51
premise
RISKRECON – FEATURES

Pinpoint and prioritize cyber
risk from third parties
✓ Aggregated cyber risk score for every third-party service
provider and vendor based on the assessment of their cyber
environment

✓ Alerts on issues exceeding risk thresholds, not just a general
listing of all issues uncovered

✓ Downloadable detailed reports on all uncovered
vulnerabilities

©2024 Mastercard. Proprietary and Confidential
✓ Benchmarking of third-party service providers and vendors
against standardized compliance frameworks and amongst
one another

✓ Actionable risk plans are easily shared with third-party
service providers and vendors using the collaboration portal

©2020
52
A HOLISTIC CYBER APPROACH

Understand how your organization is protected by assessing your
cyber security posture externally and internally

mastercard

CyberQuant

©2024 Mastercard. Proprietary
53
POSITIONING

Cyber Quant evaluates
the risk exposure of an
organizations’ cyber Update graphic
security processes,
technology and
workforce security
practices

©2024 Mastercard. Proprietary
54
CYBER QUANT – HOW IT WORKS

What is cyber risk quantification?
IN CONTEXT

Activities

Control Threat Control Environment & Risk Dollar
Maturities Activity Importance Asset Risk Impact
Adherence of security Intensity of attacks Importance and priority Threats in the Value at risk based
policies procedures, and attackers on of remediating gaps in context of the client on direct loss from
and configurations to specific business policies, procedures and and business assets, attacks as well as
best practices profiles within specific configurations based on combined with the remediation and
geopolitical regions potential attacks controls in place recovery costs

Data Information Knowledge Action

©2020 Mastercard. Proprietary and Confidential
Outcomes

Defensive Threat Gap Business Informed
Landscape Landscape Analysis Effect Choices

©2024
55
A HOLISTIC CYBER APPROACH

Understand how your organization is protected by assessing your
cyber security posture externally and internally

Outside-In View Inside-Out View

©2024 Mastercard. Proprietary
56
Third Party Risk
Copyright 2024 Mastercard

The information provided here