Enterprise Cyber Risk Management PDF
Nanyang Technological University
Urooj Burney
Summary
This document provides an introduction to enterprise cyber risk management. It covers course objectives, outlines, and key concepts in the field of cybersecurity. It is intended for professional development.
Enterprise Cyber Risk Management Introduction and overview INTRODUCTION – ABOUT YOU Tell the class a little bit about yourself: Your name Why cybersecurity? How will this class help you One interesting and FUN fact ©2023 Mastercard. Proprietary and Confidential 2 INTRODUCTIONS – ABOUT ME 30 years of professional experience Married; 2 children Worked across multiple industries Live in Westchester County, NY In 4 continents @Mastercard for 5+ years Big picture view B.Sc. – Finance Growth mindset B.Sc. – CMIS Identify problems MBA – Global Business Communicate clearly Certifications: CISM, ITIL ©2023 Mastercard. Proprietary and Confidential Read Email: [email protected] Netflix – and chill LinkedIn: Travel – esp. on SQ https://www.linkedin.com/in/uroojb Cricket urney/ 3 Course overview Cyber risk management is a Course Objectives: crucial aspect of contemporary business operations. This course equips participants with the 1. Understand the fundamentals of cyber risk management. knowledge necessary to identify, 2. Understand the role of various frameworks and assess, measure, mitigate, and manage cyber risks within methodologies for cyber risk assessment. organizational contexts. 3. Learn how to identify and assess cyber risks within Through a blend of theoretical organizational environments. concepts, practical examples, and case studies, participants 4. Learn strategies for mitigating cyber risks. will develop a comprehensive understanding of cyber risk 5. Understand the role of compliance and regulations in management strategies and best practices. cyber risk management. ©2024 Mastercard. Proprietary 6. Develop understanding of incident response and recovery. 
4 Course Outline Item Session Content History and overview of the cyber risk landscape 1 Introduction to Cyber Risk Management Importance of cyber risk management Key concepts and terminology Introduction to cyber risk assessment frameworks (e.g., NIST, ISO) 2 Cyber Risk Assessment Frameworks Comparative analysis of frameworks Practical application of assessment frameworks Methods for identifying cyber risks 3 Cyber Risk Identification Common vulnerabilities and threats Risk measurement and management techniques Why does third-party risk matter? Identifying vendors and service providers 4 Third Party Risk Components of a TPRM program Challenges Post Assessment Overview of cyber risk mitigation strategies 5 Cyber Risk Mitigation Strategies Risk transfer, avoidance, acceptance, and mitigation Implementing security controls ©2024 Mastercard. Proprietary Role of compliance in cyber risk management 6 Compliance and Regulations Overview of relevant regulations (e.g., GDPR, HIPAA) Compliance frameworks and standards Importance of incident response planning 7 Incident Response and Recovery Incident detection, containment, and eradication 5 Post-incident recovery and lessons learned INTRODUCTION – ENTERPRISE CYBER RISK MANAGEMENT INTRODUCTION – ENTERPRISE CYBER RISK MANAGEMENT - What is risk? ©2023 Mastercard. Proprietary and Confidential 7 Enterprise Cyber Risk Management Introduction and overview Copyright 2024 Mastercard The information provided herein by Mastercard (the “Presentation”), as well as all materials, concepts, processes and methodologies employed by Mastercard or a Mastercard supplier in connection with the Presentation, are and will remain the sole and exclusive property of Mastercard (or such Mastercard Supplier). Mastercard hereby grants to meeting participants a limited, non-exclusive right to use the Presentation without the right to assign, transfer or sublicense the Presentation in any way. 
The Presentation is confidential, provided for informational, non-commercial purposes only. The recipient may use the Presentation for its own internal business purposes. Except with the prior written permission of Mastercard, the Presentation shall not be used for any other purpose and shall not be published or disclosed to third parties, in whole or part. Mastercard makes no warranties concerning the Presentation and disclaims all express and implied warranties to the extent permitted by law, including but not limited to ay implied warranty of merchantability, course of dealing, or fitness for a particular purpose. Recipient is responsible for its use of the Presentation, and Mastercard assumes no responsibility or liability with respect thereto. In addition, all meeting participants are reminded that this meeting must adhere to competition law rules and, as such, no confidential or commercially sensitive information ought to be shared directly or indirectly between competitors. If any member feels that a discussion includes prohibited topics, they should raise an objection immediately as to stop discussion on such matter pending advice regarding the application of competition law. ©2024 Mastercard. Proprietary 9 At the beginning hacking was all about exploring and figuring out how the wired world worked Hacking is any activity that aims to exploit and illegally access a computer system, device, or network, without explicit permission from its owner. Before the 90s The early 2000s Since the COVID-19 pandemic Hacking wasn’t always a criminal enterprise. In Ever since modern computers solidified their existence in the early days, it was all about having fun and homes and offices, hackers, as we know them today, Digitalization, hyperconnectivity and artificial intelligence impressing your peers. Apple co-founders emerged. 
Steve Wozniak and Steve Jobs were early The pandemic has hackers, “phone phreakers” who learned to As technology further evolved and the internet, emails, and further escalated cyber manipulate telephone systems and trick the cellphones and smartphones became mainstream, malicious risk with an explosion phone company into giving out free long- hackers managed to find their way into almost every type of of digital relationships. distance calls. system and device. Unprotected emerging digital and cyber 3,600 667% 127% For Jobs, hacking was very much about the technologies became fake Covid-19 increase in increase in sense of adventure: “It was the magic of the fact fertile breeding grounds websites email scams3 exposed that two teenagers could build this box for $100 for criminals. created between endpoints4 worth of parts and control hundreds of billions of March 14-182 dollars of infrastructure in the entire telephone network of the whole world.”¹ Surge in ransomware and DDoS attacks with the rise of organized crimes ©2024 Mastercard. Proprietary The SolarWinds hack is the commonly used term to refer to the supply chain breach “LoveBug”, was a simple piece of malware, but it changed the world of that involved the SolarWinds Orion system. In this hack, suspected nation-state Wozniak and Jobs Blue Box, ca. 1972. The Blue cybersecurity. Originally intended to simply harvest the passwords of a few hackers gained access to the networks, systems and data of thousands of SolarWinds Box allowed electronics hobbyists to make free local internet providers, in the year 2000, LoveBug spread around the world, customers. The breadth of the hack is unprecedented and one of the largest, if not the telephone calls. infecting over 45 million devices to become the first piece of malware to really largest, of its kind ever recorded. take businesses offline in a significant way. 
10 Cyber crime emerged in a digital and interconnected world with the internet as a safe domain, with much less risk, with which to operate and generate profits Criminals had introduced a professional element into the world of cybercrime. No longer were we looking at geeky exploitation of weaknesses in systems, things had now developed to using computer networks to infiltrate and take advantage of the trust of other users for huge financial gain. Computer systems & applications Data theft compromise SPAM Credentials ID Spammers send out millions of messages (login and password) (passport, driver license) Medical records on behalf of online merchants who want to sell a product. If a spam recipient buys Click Fraud something, the spammer gets a Advertisers pay websites for clicks on percentage of the sale. Insurance their ads. With a zombie network, a Credit card information E-mail hacker can generate thousands of unique clicks a day Phishing Cybercriminals handling phishing schemes Fraud Identity Theft pay botnet¹ owners up to USD 2k per month for hosting fast flux services. Exploit accounts or services Usage of personal information to open and Malware or DDoS for already in place abuse new accounts or services Ransom Fraud transactions, withdrawals Creation of fake seller accounts on marketplaces and payments Opening of credit lines Adware Hackers make money by demanding ©2024 Mastercard. Proprietary payment to decrypt information or halt Impersonation – E.g.: medical or ID creation Many companies that offer online unavailability of an application / server criminal Claiming insurance or unemployment benefits advertising services pay for each Money laundering – Creation of fake seller / installation of their software. 
With a buyer accounts botnet¹ at disposal, a cybercriminal can Sale on dark web install any software on thousands of computers 11 Besides attackers who seek financial benefits, the world of cyber crime enables other types of attackers, motivated by social causes, religion, politics and ideology Cyber criminals such as hacktivists and cyberterrorists are socially and/or politically-motivated, targeting institutions and nations with opposing views. These attackers often perform cyber attacks that expose, embarrass, intimidate or generate fear in the target population Disruption of critical Disruption of major Information leakage infrastructure systems websites This is a popular activist tactic. Typically, an insider source Threat actors try to disable or disrupt cities, cause a Through DDoS attacks, hacktivists prevent users will access sensitive or classified information - which public health crisis, endanger public safety or cause from accessing targeted computer systems, devices implicates an individual, organization or government massive panic and fatalities. For example, or networks. DoS and DDoS attacks flood systems agency in an activity that reflects negatively on them - and cyberterrorists might target a water treatment with traffic, overwhelm resources and make them make it public. WikiLeaks is known for publishing leaked plant, cause a regional power outage or disrupt a difficult to access. data. pipeline, oil refinery or fracking operation. The intent here can also be to create public inconvenience or stop traffic to websites containing content the hackers disagree with. Wikileaks Florida Water Treatment Plant Julian Assange launched the WikiLeaks website in 2006 to host ©2024 Mastercard. Proprietary By abusing remote access credentials that were shared between Anonymous leaked documents, describing itself as an independent, nonprofit They attacked the company's online media organization. 
The first notable documents published employees, on Friday, February 5, 2021, a hacker initiated an on the site were the nearly 80,000 documents about the U.S. war attack on an Oldsmar, Florida water treatment facility which online Playstation store in retribution for Sony's lawsuit in Afghanistan leaked in 2010, followed by nearly 400,000 briefly adjusted the levels of sodium hydroxide. According to documents about the war in Iraq. WikiLeaks is also known for specialists, the motivation behind the attack seemed to be to against PS3 hacker George Hotz (aka "GeoHot"). A DDoS attack revealing over 20,000 emails and 8,000 email attachments from cause harm to people, rather than to gain financial benefits the Democratic National Committee that were sent during the has temporarily taken down playstation.com. 2016 U.S. presidential campaign. 12 THE COST OF CYBERCRIME $10,500,000,000,000 Cybercrime Pays Cyber Security Skills Shortage Technology Accessibility Earnings are ~$30,000/job; Approximately 3 million cyber Digital transformation grows averaging 10-15% higher than security positions are unfilled, the attack surface for threat ©2024 Mastercard. 
Proprietary most traditional crimes and the number is growing actors to explore and exploit 13 Source: Cyber Ventures, GCI 2020 The cyber security market is growing rapidly; driven by 4 main factors Cyber spend (by year and cumulatively) Key drivers of market growth Driver 1: Increased technical complexity Driver 2: Regulations and Compliance 1,500 Buyers have recognized that “tech sprawl” leads to Multiple new compliance regimens across the globe 1,400 gaps in defenses are forcing organizations to re-examine and invest in cybersecurity operations Estimated cumulative cyber security expenditures 1,300 317 Technology configurations are difficult to manage 1,200 and cause inadvertent gaps despite best efforts New tooling and advisory services are needed to 1,100 These issues are changing buying behaviors leading reset the security posture, preparedness, response 1,000 283 to purchase of solution suites + services vs. point and resiliency of the enterprise (e.g., DORA and +12% NIS2 in EUR; SEC Disclosure Rules in NAM, MAS 900 products Tech Risk in SG, etc.) 800 253 700 600 500 226 Driver 3: Business transformation with AI, Digital, Driver 4: Lack of skilled security experts 400 etc. Organizations are looking for Automation (AI) 300 202 As businesses adopt new operating models, they based solutions to reduce dependency on scarce 200 180 recognize the need for cybersecurity as and often unskilled resources who are unable to ©2024 Mastercard. 
Proprietary 100 fundamental to securing sensitive customer and detect and prevent attacks and breaches 0 transaction data Specialized consulting resources are in demand as 2023 2024 2025 2026 2027 2028 Cybersecurity is listed as one of the Top 3 risks on they address organizations inability to attract Estimated annual cyber security 10Ks and other business reports qualified resources expenditures 14 Based on various market analyst estimates Many businesses are not equipped to handle this evolving dynamic Too many security tools 47 Number of security tools the average company deploys3 Lack of synergy throughout the business Of enterprises believe they’ve synergized Severe shortage of cyber skills 39% key security and incident response processes4 3.5 Million cyber jobs expected to be unfilled globally in 20212 Growing dependence on third-parties Shifting to digital channels without a holistic view of cyber risks 59% Of companies experience a third-party data breach yet only 16% can mitigate those risks5 88% Have seen a rise in cyber attacks resulting from employees working at home1 ©2024 Mastercard. Proprietary 15 Breaches lead to significant financial costs as well as substantial indirect costs $4.24MM Financial losses Legal & Share price average cost of a drop / investor regulatory fines data breach impact Compromise of customer Cyber Attacks Disclosure of security & Result in: trade secrets privacy ©2024 Mastercard. Proprietary Loss of Loss in business customer trust reputation 16 It is important to understand that Cyber Risk is independent of industries, or countries; everyone is a target What do we need to From whom are we How are they attacking us protect? protecting this? and our customers? Digital Assets: Anything that Hacker: People who work alone Malware: Is a term used to has value to us or to our or in teams for financial gains, describe malicious software, customers there are several types of including spyware, ransomware, hackers viruses, and worms. 
Unstructured Data: Files in various formats such as Word, DoS: Denial-of-service attack – Insider threats: Individuals This attack floods systems, Excel, PowerPoint within the organization who servers, or networks with traffic have malicious intent towards to exhaust resources and the company bandwidth. Structured Data: Transaction data in systems, databases Political Cyber Warriors: Phishing: It is the practice of Nation-state sponsored sending fraudulent ©2024 Mastercard. Proprietary Systems: Solution, applications attacker with significant communications that appear to owned by the organizations, etc. resources to affect major come from a reputable source, disruptions on a national scale usually through email 17 How cyber risk relevance has changed over time Enterprise Risk Past Environmental Compliance Operational Strategic Risk Market Risk Credit Risk Risk Risk Risk An embedded component of the overall operational risk universe of the IT Security enterprise – seen as an IT issue Risk Enterprise Risk Shift to cloud/digital and Environmental Compliance Operational corresponding increases in Strategic Risk Market Risk Credit Risk Security Risk Risk Risk Risk fraud/scams resulting in increased regulatory scrutiny Enterprise Cybersecurity Digital Risk ©2024 Mastercard. Proprietary Risk Risk Present Select highly-innovative and very risk averse organizations established roles such as Chief Cyber-Security Risk Officer responsible for cyber risk management at the same level as a CRO and CIO and with direct access to the Board. 
18 The dynamic role of the CISO Past Present Future Types of CISOs Limited insights Have oversight and Board becomes key Security as a Cost Centre Security as Compliance and interest in awareness driver of cyber risk cyber topics; lack management and awareness business resilience Low-to-mid Management Middle Management Board Not called CISO Limited technical Part of operational Executives may be Executives have Technical background background risk reports but not held liable for cyber expertise in cyber; Function is understaffed and Compliance is used to drive material events make data driven, under-funded the cyber agenda ROI positive Execs decisions Cyber is not a company Generally underfunded but priority not aware of business Technical SME; Some business Holistic view of cyber Board awareness is limited impacts focused on point expertise; as a business solutions – reports expanding to enabler; reports to CISO to CIO/CTO resilience; some the CEO & has report to CEO board presence Security as IT Business Enabler Technologists with Operationally Focused on business Reports to: Reports to: some cyber focused; not a enablement through CIO/CTO The CEO or the board product broad view of resilience and trust knowledge/ business impacts Senior Management Business focused senior Cyber Technical expert executive Team training Uses technology to address Board understands the need ©2024 Mastercard. Proprietary Not cyber aware Receive annual Continuous and solve issues and importance of cyber and trainings / feedback on actions; Lacks required business manages risk certifications; few cyber aware and understand role in proactive acumen Security by design and Staff Accomplished in their own security aware culture business protection right 19 Important capabilities for a CISO Leadership and management Business and technical communications Strategic thinking CISO Business acumen Technical expertise ©2024 Mastercard. 
Proprietary Problem-solving 20 Expectations of and from the board I. The board sets the risk appetite and tolerance levels, approves the risk management plan, and monitors the risk profile and performance. II. The board also ensures that the organization has adequate resources, systems, and controls to manage risks effectively. Cyber Risks Review and impact to business priorities A clear view of the threat landscape and relevant risks Governance oversight and mechanisms Activities undertaken to measure, manage and mitigate Risk Appetite Determination risks Review and approval of remediation and mitigation plans Business impacts of cyber risk ©2024 Mastercard. Proprietary Learning and awareness Demonstration of compliance wrt policies, rules and regulations Resource allocation What the CISO owes leadership What leadership owes the CISO 21 Glossary of useful terms Copyright 2024 Mastercard The information provided herein by Mastercard (the “Presentation”), as well as all materials, concepts, processes and methodologies employed by Mastercard or a Mastercard supplier in connection with the Presentation, are and will remain the sole and exclusive property of Mastercard (or such Mastercard Supplier). Mastercard hereby grants to meeting participants a limited, non-exclusive right to use the Presentation without the right to assign, transfer or sublicense the Presentation in any way. The Presentation is confidential, provided for informational, non-commercial purposes only. The recipient may use the Presentation for its own internal business purposes. Except with the prior written permission of Mastercard, the Presentation shall not be used for any other purpose and shall not be published or disclosed to third parties, in whole or part. 
Mastercard makes no warranties concerning the Presentation and disclaims all express and implied warranties to the extent permitted by law, including but not limited to ay implied warranty of merchantability, course of dealing, or fitness for a particular purpose. Recipient is responsible for its use of the Presentation, and Mastercard assumes no responsibility or liability with respect thereto. In addition, all meeting participants are reminded that this meeting must adhere to competition law rules and, as such, no confidential or commercially sensitive information ought to be shared directly or indirectly between competitors. If any member feels that a discussion includes prohibited topics, they should raise an objection immediately as to stop discussion on such matter pending advice regarding the application of competition law. ©2024 Mastercard. Proprietary 23 Attackers – There are different types of cybercriminals. One must be able to identify their modus operandi to defend against threats Political Cyber Warrior Organized Crime Nation-state sponsored attacker with significant resources to disrupt Criminal organization with significant resources focused on financial on a national scale. gain. Political Activist Sensationalist Semi-organized individuals acting out of political ideologies Attention grabber who may employ any method to get their “15 (hacktivism), not backed technically by nation-states. minutes of fame.” Cyber Terrorist Disgruntled IT Employee Individuals within an organization who have malicious intent towards Hostile entities based on ideologies, state/non-state actors. Cyber the company. May be a disgruntled employee with possible access or terror is an emerging attack method heavily supported by nation- knowledge of how to access the organization and significant levels of states and considered political cyber warriors, not terrorists. IT knowledge specific to the organization. 
Industrial Espionage Fraudster A person or small group that tries to commit fraud, especially in online Financially motivated actor looking to gain competitive advantage. business transactions. ©2024 Mastercard. Proprietary Financial Hacker Legal Adversary Hackers working alone or in teams for financial gain. Adversary in legal proceedings against the organization. 24 TTP – Acronyms and terminology Attack Description Denial of Service The Denial-of-Service attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There (DoS/DDoS) are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may become unavailable to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses. Unauthorized Device Unauthorized devices that are connected to the environment can cause malware distribution and data leakage. Attack examples are Connection unauthorized removable media connection and unauthorized network device connection. Injection Injection flaws, such as SQL, NoSQL, OS and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Spoofing/MitM This type of attack targets the communication between two components (typically client and server). The attacker places themself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who can observe or alter it, and it is then passed on to the other component as if it was never intercepted. 
This interposition is transparent, leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for man-in- the-middle attacks yields an implicit lack of trust in communication or identity between two components. ©2024 Mastercard. Proprietary Brute Force/Fuzzing In this attack, an asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. 25 TTP – Acronyms and terminology Attack Description Exploitation of An attacker exploits weaknesses, limitations and assumptions in the mechanisms a target utilizes to manage access to its resources or to Authentication, authorize utilization of its functionality. Such exploitation can lead to the complete subversion of any control the target has over its data or functionality, enabling almost any desired action on the part of the attacker. Attack examples are software integrity attacks, Privileges and Trust authentication bypass or abuse, privilege escalation, authentication bypass and exploitation of session variables, resource IDs and other trusted credentials. Use of Legitimate An attacker manipulates legitimate tools or functions of an application to perform an attack. Attack examples are abuse of Tools legitimate business processes and abuse of legitimate channels. Physical Attacks An adversary physically attacks a device or component, destroying it so it no longer functions. 
Web Social Engineering An adversary manipulates and exploits people over the web using drive by downloads, watering hole attacks and malvertising Email Social Engineering An adversary manipulates and exploits people using emails, including spam, scams, phishing and spear phishing. Interpersonal Social An adversary manipulates and exploits people at the interpersonal level using bribery, elicitation, extortion and influence. Engineering ©2024 Mastercard. Proprietary Malicious Code Execution Malware or malicious software performs undesirable operations such as data theft or some other type of computer compromise. (Malware) Some of the main types of malware include trojans, viruses, worms and spyware.. 26 TTP – Acronyms and terminology Attack Description Command and Control Malware is a command-and-control channel (botnet). It is the collection of internet connected programs communicating with other similar programs to perform tasks. This can be as mundane as controlling an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial of service attacks. Mobile Malware Malware, short for malicious software, is any software used to disrupt mobile device operation, gather sensitive information, or gain access to private computer systems. Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that causes unintentional harm due to some deficiency. This attack focuses on iOS, Android and Windows Mobile malware types. Resource Manipulation Attack patterns within this category focus on the adversary's ability to manipulate one or more resources, or some attribute thereof, in order to perform an attack. This is a broad class of attacks wherein the attacker can change some aspect of a resource's state and thereby affect application behavior or information integrity. 
Attack examples are infrastructure manipulation, file manipulation, registry manipulation, remote code execution and cache poisoning. Buffer Attacks An adversary manipulates an application's interaction with a buffer to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks, the content placed in the buffer is immaterial. Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory. Network Manipulation Attack patterns within this category focus on the adversary's ability to manipulate one or more network resources or some attribute to ©2024 Mastercard. Proprietary perform an attack. Attack examples are protocol manipulation and abuse of communication channels ICS Malware Malware is any software used to disrupt ICS infrastructure, gather sensitive information, or gain access to private computer systems. Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that causes unintentional harm due to some deficiency. This attack focuses on ICS endpoints and controllers. 27 TTP – Acronyms and terminology Attack Description Terminal Malware Terminal attacks are malware for the purpose of terminal stations, such as POS, kiosk, ATM, etc. Reconnaissance Attack patterns within this category focus on the gathering, collection and theft of information by an adversary. The adversary may collect this information through a variety of methods, including active querying and passive observation. By exploiting weaknesses in the design or configuration of the target and its communications, an adversary can get the target to reveal more information than intended. 
Information retrieved may aid the adversary in making inferences about potential weaknesses, vulnerabilities or techniques that assist the adversary’s objectives. This information may include details regarding the configuration or capabilities of the target, clues as to the timing or nature of activities, or other sensitive information. Often this sort of attack is undertaken in preparation for some other type of attack, although the collection of information by itself may in some cases be the end goal of the adversary. Web Application Attacks Web application attacks are regarded as direct or indirect attempts to exploit a vulnerability or weakness in the services and applications on the web, abusing their APIs, runtime environments or services. DNS Attacks Attacks on DNS servers, such as cache poisoning and DNS hijacking. Supply Chain Attacks Attack patterns within this category focus on the disruption of the supply chain lifecycle by manipulating computer system hardware, software or services. The purpose of these types of attacks is espionage, theft of critical data or technology, or the disruption of mission-critical operations or infrastructure. Supply chain operations are usually multi-national with parts, components, assembly and delivery occurring across multiple countries, offering an attacker multiple points for disruption. ©2024 Mastercard. Proprietary Ransomware Ransomware is a type of malware (like viruses, trojans, etc.) that infects the computer systems of users and manipulates the infected system in such a way that the victim cannot (partially or fully) use it and the data stored on it. The victim usually receives a pop-up blackmail note urging the victim to pay a ransom to regain full access to their system and files. Ransomware travels through the same channels as other kinds of malware, such as phishing emails, water holing and other drive-by attacks. 
Cybersecurity Frameworks & Compliance

Copyright 2024 Mastercard. The information provided herein by Mastercard (the "Presentation"), as well as all materials, concepts, processes and methodologies employed by Mastercard or a Mastercard supplier in connection with the Presentation, are and will remain the sole and exclusive property of Mastercard (or such Mastercard Supplier). Mastercard hereby grants to meeting participants a limited, non-exclusive right to use the Presentation without the right to assign, transfer or sublicense the Presentation in any way. The Presentation is confidential, provided for informational, non-commercial purposes only. The recipient may use the Presentation for its own internal business purposes. Except with the prior written permission of Mastercard, the Presentation shall not be used for any other purpose and shall not be published or disclosed to third parties, in whole or part. Mastercard makes no warranties concerning the Presentation and disclaims all express and implied warranties to the extent permitted by law, including but not limited to any implied warranty of merchantability, course of dealing, or fitness for a particular purpose. Recipient is responsible for its use of the Presentation, and Mastercard assumes no responsibility or liability with respect thereto. In addition, all meeting participants are reminded that this meeting must adhere to competition law rules and, as such, no confidential or commercially sensitive information ought to be shared directly or indirectly between competitors. If any member feels that a discussion includes prohibited topics, they should raise an objection immediately so as to stop discussion on such matter pending advice regarding the application of competition law.

The Broader Cyber Security Landscape (non-exhaustive)

Cybersecurity services
Plan – Consulting & advisory: board advisory / virtual CISO; strategic program design and management; framework (ISO, NIST) maturity assessments; breach response planning; third party risk assessment; security architecture and design; strategic digital initiative support; training.
Build – Security assurance: vulnerability testing and scanning; regulation-specific audits and SOC accreditation; penetration testing; war-gaming exercises; static and dynamic code analysis; product testing; other regulation-specific services.
Build – Integration & engineering: security solutions delivery; security system optimization and migration; product and licensing procurement; security software development; security SDLC; infrastructure hardening.
Manage – Managed services: SIEM monitoring; threat intelligence and support services; digital forensics and IR; EDR, EPP, NDR; authorized support; other SecOps.
Manage – Hosted services: co-hosted or multi-tenant SIEM; cloud-based unified threat protection; cloud-based anti-malware.

Cybersecurity products
Governance, risk & compliance: GRC, VRM.
Network security: NAC, device discovery/classification; NGFW; IDS/IDP, UTM; VPN; DDoS, DNS security; NDR; SDN & ZTA; cloud (containers, CSPM, CWPP).
Content security: DD, DC, DLP; bot management; WAF; SWG; SEG; CASB; SASE / SSE.
Endpoint security: EDR (client, server, OT, IoT) / EPP; endpoint management suites; MDM / MAM; device management.
Identity & access management: IG&A, IAM; SSO/PM; advanced authentication; PAM; consumer identity federation.
Security & vulnerability management: SIEM / XDR; threat intelligence; IR / forensics; AM/C, SOAR, UEBA; VA / VM / ASM; AST; vulnerability management.
Other: IoT, ICS/SCADA.

Note: NGFW is Next-Generation Firewall, IDS/IDP is Intrusion Detection/Prevention, UTM is Unified Threat Management, VPN is Virtual Private Network, SDN is Software-Defined Networking, DD is Data Discovery, DC is Data Classification, DLP is Data Loss Prevention, WAF is Web Application Firewall, SWG is Secure Web Gateway, SEG is Security Email Gateway, CASB is Cloud-Access Security Broker, SASE is Secure Access Service Edge, EDR is Endpoint Detection and Response, MDM/MAM is Mobile Device/Application Management, CSPM is Cloud Security Posture Mgmt., CWPP is Cloud Workload Protection Platform, SSO is Single Sign-On, PAM is Privileged Access Management, SIEM is Security Information and Event Management, VA/VM is Vulnerability Assessment/Management, AST is Application Security Testing, GRC is Governance Risk & Compliance Management, VRM is Vendor Risk Management, IR is Incident Response, AM/C is Asset Management/Configuration, SOC is Security Operations Center, EPP is Endpoint Protection Platform, API is Application Programming Interface.

Frameworks and Standards provide structure to a data- and resource-intensive function

Cyber risk frameworks provide a guided, systematic approach to managing cyber risks and facilitate compliance with regulatory requirements and industry standards. They also enhance the organization's ability to respond to and recover from cyber incidents, thus minimizing impacts on business operations.

International standards are designed as tests for the correct and proper design, implementation and operation of system controls. NOTE: industry standards differ from international control standards in that the former are oriented towards specific industry types whereas the latter are agnostic. Frameworks and standards may be combined and jointly implemented. Examples shown: NIST CSF 2.0, SOC 2, ISO 27001, ISO 30001.

How Frameworks help describe complex issues in simple terms

Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER. Supporting themes: Visibility, Data, Resilience, Governance & Compliance.

Risk Management vs. Risk Analysis vs. Risk Assessment

Risk Management: The continuing process to identify, analyze, evaluate, and treat loss exposures and to monitor risk control and financial resources to mitigate the adverse effects of loss.

Risk Assessment: Helps identify and categorize risks and provides an outline of potential consequences. Identification of risk is based on the following steps:
Identify the critical assets and sensitive data;
Build a risk profile for each asset;
Determine cybersecurity risks for each asset;
Map how critical assets are linked;
Prioritize which assets to address in case of a security threat;
Create a mitigation plan with security controls to eliminate or mitigate the impact of each risk;
Continually monitor risks, threats, and vulnerabilities.

Risk Analysis: The evaluation component that helps determine the significance of identified risk factors; qualifies the risk; enables measurement of the likelihood of hazards occurring; and enables the determination of tolerances for certain events.

Analysis enables the estimated extent of possible impact of the risks identified in the assessment process. Together, this makes it possible to prioritize risks and set a strategy for mitigating the risks to reduce business impact.

Application of Frameworks

Frameworks enable the creation of a standardized approach that is more intuitive to manage and enables a common taxonomy across various parts of the business. The purpose of the process is to provide a method to continuously update and manage the risk posture of the organization. Certain measures will be monitored continuously whereas others may be measured at various frequencies. The benefit of a standardized, framework-based approach is that cyber risk can be managed regardless of the size and scope of the organization while making reporting easier to manage and explain. Furthermore, applying this approach also enables more robust compliance management and reporting.

Implementation Phases:
Define the Scope: Determine the boundaries of the risk assessment (specific systems, data, and processes). Identify the assets that need protection, including hardware, software, data, and network resources.
Identify Threats: List potential cybersecurity threats such as malware, ransomware, phishing, insider threats, and natural disasters. Consider both internal and external threats.
Assess Vulnerabilities: Identify weaknesses in your systems and processes that could be exploited by threats. Use vulnerability scanning tools and penetration testing to detect vulnerabilities.
Analyze Risk: Assess the likelihood of each threat exploiting a vulnerability and the potential impact on the organization. Prioritize risks based on their likelihood and impact. Use qualitative methods (e.g., high/medium/low) or quantitative methods (e.g., calculating potential financial loss).
Implement Controls: Implement security measures, such as firewalls, encryption, multi-factor authentication, security policies, etc., to mitigate risks.
Document & Report: Document the risk assessment process, findings, decisions, and actions taken. Report the results to relevant stakeholders, including management and regulatory bodies.
Monitor and Review: Continuously monitor the effectiveness of implemented controls. Review and update the risk assessment regularly for new threats, vulnerabilities, and organizational changes.
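The Analyze Risk phase above scores each threat/vulnerability pair either qualitatively (high/medium/low likelihood and impact) or quantitatively (potential financial loss) and then prioritizes by likelihood and impact. The Python below is an added example written for this page, not course material from Mastercard: it keeps a small risk register, applies both methods, and ranks the entries. The assets, threats, ratings and dollar figures are constructed, and the annualized loss expectancy formula (ALE = single loss expectancy × annual rate of occurrence) is the standard quantitative method rather than one the slides spell out.

```python
"""Risk analysis step of a framework-based assessment: qualitative and
quantitative scoring of a risk register, then prioritization.

Added example for this page (not Mastercard course material). All register
entries, ratings and dollar figures are constructed for illustration.
"""
from dataclasses import dataclass

# Ordinal values for the high/medium/low scale used on the slide.
QUALITATIVE_SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    likelihood: str                # "low" | "medium" | "high"
    impact: str                    # "low" | "medium" | "high"
    single_loss_expectancy: float  # estimated cost (USD) of one occurrence
    annual_rate: float             # expected occurrences per year


def qualitative_score(entry: RiskEntry) -> int:
    """Likelihood x impact on the 1..3 ordinal scale; the product is in 1..9."""
    return QUALITATIVE_SCALE[entry.likelihood] * QUALITATIVE_SCALE[entry.impact]


def qualitative_band(score: int) -> str:
    """Collapse the 1..9 product back to a high/medium/low rating."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def annualized_loss_expectancy(entry: RiskEntry) -> float:
    """Quantitative method: ALE = SLE x ARO, the expected loss per year."""
    return entry.single_loss_expectancy * entry.annual_rate


def prioritize(register: list[RiskEntry]) -> list[dict]:
    """Rank entries by expected annual loss, with the qualitative score as the
    tie-breaker, so the largest exposures are addressed first."""
    rows = []
    for entry in register:
        score = qualitative_score(entry)
        rows.append({
            "asset": entry.asset,
            "threat": entry.threat,
            "qualitative": qualitative_band(score),
            "score": score,
            "ale": annualized_loss_expectancy(entry),
        })
    rows.sort(key=lambda r: (r["ale"], r["score"]), reverse=True)
    return rows


# Constructed sample register (hypothetical assets, threats and figures).
SAMPLE_REGISTER = [
    RiskEntry("Customer database", "ransomware", "medium", "high", 2_000_000, 0.1),
    RiskEntry("Payroll system", "phishing-led credential theft", "high", "medium", 150_000, 0.5),
    RiskEntry("Marketing website", "DDoS", "high", "low", 20_000, 2.0),
    RiskEntry("Backup tapes", "physical loss", "low", "medium", 300_000, 0.05),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(f'{row["asset"]:<20} {row["threat"]:<30} '
              f'{row["qualitative"]:<7} ALE=${row["ale"]:>10,.0f}')
```

Note that the two methods can disagree: the payroll system and the customer database both band as "high" qualitatively, but the quantitative view separates them by expected annual loss, which is what a budget discussion needs. Running both on the same register is a cheap way to surface entries where a coarse rating hides a large (or small) dollar exposure.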
Compliance and Cyber Risk Management

Role of Compliance in Cyber Risk Management
Regulatory Alignment: Compliance ensures organizations align their cyber risk management practices with relevant laws, regulations, and standards. This alignment is crucial for avoiding legal penalties and reputational damage.
Data Protection: Compliance helps ensure that sensitive data is protected according to legal and regulatory standards, which is vital for maintaining customer trust and avoiding data breaches.
Risk Mitigation: Compliance frameworks often incorporate best practices for cyber security, which help identify, assess, and mitigate risks effectively.
Operational Resilience: By following compliance standards, organizations can improve their resilience to cyber attacks, reducing downtime and minimizing the impact on business operations.
Trust and Credibility: Organizations that adhere to compliance standards can boost their credibility and trustworthiness among customers, partners, and stakeholders, enhancing their market reputation.
Strategic Decision Making: Compliance provides a framework for making informed decisions about investments in cyber security, prioritizing actions based on regulatory importance and potential impact.
Continuous Improvement: Compliance requirements can drive continuous improvement in cyber security practices, as they often require regular audits and reviews.
Legal and Financial Safeguards: Adhering to compliance standards can provide legal and financial safeguards against the consequences of cyber incidents, including litigation and fines.

Country-specific regulatory requirements are driving increased adoption of cyber risk management functions across the globe

Current and anticipated cyber resilience regulations (select markets below):
E.U. (DORA and NIS2): DORA enforcement by national competent authorities will be integrated into existing supervision practices for regulated entities; member states are to set out rules establishing administrative penalties for breaches of DORA. NIS2 extends the scope of the cybersecurity rules to new non-FI sectors; EU member states must implement NIS2 by October 2024.
UK (Op Res): The joint FS regulators' position on Operational Resilience, which is like DORA but not as prescriptive, became effective in 2021; the final compliance deadline is 2025.
US (NYDFS, SEC, US Nat'l. Cyber Strategy): NY State has put in place Cybersecurity Requirements for financial services companies, and the SEC has put in place requirements for cybersecurity capabilities.
Australia (The Security of Critical Infrastructure Act): The Security of Critical Infrastructure Act of 2018 requires a holistic and proactive cybersecurity approach for select sectors deemed to be critical infrastructure.
Other regimes marked on the map: MAS TRM, Cyber Resilience Framework, E-CIBER Cybersecurity & Cyber Resilience.

Singapore specific regulations*
Personal Data Protection Act (PDPA): Applies to any organization handling personal data within Singapore. It aims to protect individuals' data against misuse and regulate the flow of personal data among organizations.
Cybersecurity Act: Applies to owners of Critical Information Infrastructure (CII) across various sectors in Singapore. It aims to secure Singapore's critical information infrastructure from cyber threats and enhance national security.
Monetary Authority of Singapore (MAS) Guidelines: Targets financial institutions in Singapore. It aims to ensure robust cybersecurity practices among financial institutions to protect against financial and data breaches.
*Non-exhaustive

Common Themes and Intent Across Regulations

Intent of Security & Privacy Regulations:
Enhance Security: Strengthen cybersecurity defenses to prevent unauthorized data breaches and cyber attacks.
Increase Transparency: Mandate organizations to be transparent about how personal data is collected, used, and protected.
Build Trust: Enhance public trust in digital services and infrastructure through stringent regulatory standards.
Promote Accountability: Ensure organizations are accountable for managing data securely, with penalties for non-compliance.

Demonstrating Compliance
Identify relevant laws, regulations, and standards applicable to your industry and region (e.g., GDPR, HIPAA, PCI-DSS).
Stay updated with changes and amendments to compliance frameworks.
Demonstrate compliance through regular audits, reporting, and third-party certifications such as ISO 27001 and SOC 2.
Tools like compliance management software can help track requirements and document adherence.
Continual education and training are crucial for maintaining compliance and understanding evolving regulations.

Cybersecurity Risk Identification, Quantification, and Prioritization

CYBER RISK MANAGEMENT

Key Questions:
Do you know which of the security gaps pose the greatest risk to your business?
What is the financial risk of security breaches on your organization?
How do your business and security leaders determine where to invest?

Purpose:
Identify critical security gaps by assessing the maturity of cyber controls and processes and the importance of each.
Quantify cyber security risks specific to the organization and calculate the potential financial impact of a breach.
Prioritize next steps to improve security posture and reduce risk by conducting simulations to pinpoint actions with the greatest ROI.

A HOLISTIC CYBER APPROACH
Think about current cybersecurity capabilities the way you think of protecting your home.
A HOLISTIC CYBER APPROACH
Understand how your organization is protected by assessing your cyber security posture externally and internally: an Outside-In View and an Inside-Out View.

PERSONAL SECURITY DRIVERS PARALLEL PROFESSIONAL NEEDS
Like protecting a home, organizations must prioritize capabilities that prevent unauthorized access and protect valuable assets.

IMPROVING RISK VISIBILITY
Stages: Identification, Quantification, Awareness & Response.
The goal is to improve the analysis of risk, understand the implications of the risk, create a business proposal to address the risk and, over time, manage the risk within acceptable thresholds.

CYBER RISK VISIBILITY DRIVES IMPROVED DECISION MAKING AND RESOURCE ALLOCATION
Cyber Risk Dashboard (Identification, Awareness, Response) provides:
Visibility into Cyber Risk
Visibility into Threat Landscape
Visibility into Process Risks
Visibility into Human Risks
Visibility into Supply Chain Risks
Visibility into Threat Realization Risks
Visibility into Digital Technology Risks

A HOLISTIC CYBER APPROACH
Understand how your organization is protected by assessing your cyber security posture externally and internally (Mastercard CyberQuant).

RISKRECON – HOW IT WORKS
What is cyber risk scoring? In context: Imagine a thief standing across the street casing a business and assessing both the security safeguards as well as potential gaps for exploitation. Cyber risk scoring does this same thing in a cyber environment, passively evaluating the security safeguards and gaps in an organization, without interfering in their business, to score cyber risk. Security safeguards and gaps are assessed by categories for Security and Infrastructure. (Illustration: crack in the window; open door with no dead bolt; surveillance camera; garbage left out with private details; no security guard on premise.)

RISKRECON – FEATURES
Pinpoint and prioritize cyber risk from third parties
✓ Aggregated cyber risk score for every third-party service provider and vendor based on the assessment of their cyber environment
✓ Alerts on issues exceeding risk thresholds, not just a general listing of all issues uncovered
✓ Downloadable detailed reports on all uncovered vulnerabilities
✓ Benchmarking of third-party service providers and vendors against standardized compliance frameworks and amongst one another
✓ Actionable risk plans are easily shared with third-party service providers and vendors using the collaboration portal

POSITIONING
Cyber Quant evaluates the risk exposure of an organization's cyber security processes, technology and workforce security practices.

CYBER QUANT – HOW IT WORKS
What is cyber risk quantification? In context:
Activities:
Control Maturities: Adherence of security policies, procedures, and configurations to best practices.
Threat Activity: Intensity of attacks and attackers on specific business profiles within specific geopolitical regions.
Control Importance: Importance and priority of remediating gaps in policies, procedures and configurations based on potential attacks.
Environment & Asset Risk: Threats in the context of the client and business assets, combined with the controls in place.
Dollar Risk Impact: Value at risk based on direct loss from attacks as well as remediation and recovery costs.
Progression: Data, Information, Knowledge, Action.
Outcomes: Defensive Landscape, Threat Landscape, Gap Analysis, Business Effect, Informed Choices.

Third Party Risk