1 / 22

Critical Data Points to Assess the True Risk of a Data Breach

Explore the paradigm shift from a fortress mentality to a security ecosystem, with examples of data points and analysis of industry trends. Learn about the challenges of third-party risk and the current state of third-party cybersecurity. Discover how to effectively manage third-party risks through due diligence and security benchmarking.

jefferyj
Download Presentation

Critical Data Points to Assess the True Risk of a Data Breach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Critical Data Points to Assess the True Risk of a Data Breach PRESENTED BY Ali Alwan Director,SecurityScorecard, Inc.

  2. AGENDA • Paradigm shift from fortress mentality to security ecosystem • Examples of data points around us • Security Benchmarkingoutside-in approach • Analysis of financial services industry trends

  3. Paradigm Shift – From Fortress to Ecosystem • FORTRESS • High level of trust • You own the blueprint • Control of audit, policies • “Crown jewels” are in a centralized, monitored data center • “IF we get breached…”

  4. Paradigm Shift – From Fortress to 3rd Party Ecosystem • ECOSYSTEM • Empowered employees (BYOD) • Decentralized infrastructure with many 3rd party cloud services • Limited audits without validation • “Crown jewels” are everywhere – continuity is not • Only as strong as your weakest link • “WHEN we get breached…”

  5. Third Party Risk Challenge • Your company spends millions of dollars on IT security – systems, technologies, appliances • InfoSec professionals • Internal Audit professionals • External Auditors • Processes, technologies, systems • Then some manager in marketing dumps your client data to an Excel spreadsheet, and emails it to a direct mail firm in Omaha. • Perhaps even worse – Usually not random. Usually not one vendor. Often thousands of vendors.

  6. Third Party Breach- The Numbers • 41% to 63% of breaches involved third parties • Per-record costs of a 3rd party breach higher - $231 vs. $188 • 71% of companies failed to adequately manage risk of third parties • 92% of companies planned to expand their use of vendors in 2013 • 90% of anti-corruption actions by DOJ involved 3rd parties

  7. Target by the Numbers, Remember Fazio HVAC? 40,000,000 - Number of credit and debit numbers stolen 70,000,000 - Number of non-credit-card PII records stolen November 27 to December 15, 2013 – Duration of theft 46% - The percentage drop in profits for 4th quarter 2013 from the year before $250,000,000 - Total estimated costs as of August 2014 $90,000,000 - Amount paid by Target’s insurers (maxed out) $54,000,000 - Estimated amount generated from sale of cards stolen 0 – Number of CIOs and CEOs who kept their jobs

  8. So 3rd party risk is a high priority right? 98% of IT pros feel third-party secure access is not a top priority - Soha Systems via SC Magazine, May 2016

  9. CURRENT STATE OF THIRD PARTY CYBERSECURITY • Ineffective point-in-time security snapshots • Pen & paper questionnaires – expensive, time consuming, and difficult to validate • Intrusive penetration tests require expensive and time consuming site visits • Difficult to meet needs of business • Slow process to onboard new vendors • Challanging to communicate security challanges to business executives • Offer lower risk vendor alternatives • Labor Intensive • Unable to scale program beyond small sub-set of critical high risk vendors without a big increase in both Risk & Security teams • Difficult to prioritize vendors without benchmarked data • Challenging to substantiate survey responses and ensure ongoing compliance

  10. TPRM – What It Is Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company. Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle. No universally-accepted framework like CObIT or COSO

  11. TPRM – Who It Is Vendors Customers Joint Ventures Counterparties Fourth parties

  12. AGENDA Examples of Critical Data around us

  13. Question: What year was Castello di Amorosa castle built in?

  14. Critical Data Point:construction photos of the same castle. Any other guesses?

  15. Question: How secure is National Weather Service from 0-100?

  16. Critical Data Point “Dorking” which discovers a bad XSS injection "failed to open stream: No such file or" AND -"topic" AND -"topics" AND -"reply" AND -"replies" AND -"forums" AND -"forum" AND -"answer" AND -"inject" AND -"comment" AND -"comments" AND -"exploit" AND -troubleshoot AND -"troubleshooting" AND -"Previous message" AND -"posts" AND -"documentation" AND -"bug" AND -"discourse" AND -inurl:"forum" AND -"discussion" AND -inurl:"collab" AND -inurl:"community"

  17. Question: Should I book my vacation to China on chinavista.com? http://travel.chinavista.com/culture2.php?id=1

  18. Probably not. Critical data point “hacker chatter”

  19. AGENDA Security Benchmarking: Outside/In Approach

  20. Indirect data exfiltration 3rd Party Ecosystem Attack Surface & Degrees of Threat Are Expanded Habitat Indirect data exfiltration Fortress Pathway infiltration / exfiltration Direct infiltration /exfiltration

  21. Are there subtle “data points” that can help us identify companies at significantly higher risk of being breached? • FOR MY COMPANY • What can a hacker find out without knocking on my door? • Do you know? • System or app misconfigurations • Unpatched or insecure technology • Inadvertent exposure • Self-enumeration • “Unknown unknowns” • FOR MY THIRD PARTIES • Are my partners as diligent as I am in protecting my data? • Do you know? • Do the questionnaire results match their true posture? • Litmus test – reflections of maturity and awareness

  22. Examples of Critical Data Points Beyond Malware • Take a holistic approach to security risk assessments • Security is more than just understanding malware • Trust but validate • Data with more depth and breadth DORKING Prevent sensitive information accessibility through advanced search techniques APPLICATION SECURITY Determine if insecure applications exist that may yield information leaks COMPLIANCE VALIDATION Validate compliance with ISO 27001, SIG, & NIST to identify potential gaps in your information security framework SOCIAL ENGINEERING Understand risk for non-technical intrusion based on human interaction CREDENTIAL LEAKS Instantly know if corporate passwords are circulating out in the hacker underground HACKER CHATTER Uncover and monitor chatter that puts your company at risk

More Related