
Critical Data Points to Assess the True Risk of a Data Breach. Presented by Ali Alwan, Director, SecurityScorecard, Inc. (presentation transcript)


Slide 1: Critical Data Points to Assess the True Risk of a Data Breach
Presented by Ali Alwan, Director, SecurityScorecard, Inc.
Web: www.securityscorecard.com | Twitter: @security_score

Slide 2: Agenda
▪ Paradigm shift from fortress mentality to security ecosystem
▪ Examples of data points around us
▪ Security benchmarking: outside-in approach
▪ Analysis of financial services industry trends

Slide 3: Paradigm Shift – From Fortress to Ecosystem
FORTRESS
▪ High level of trust
▪ You own the blueprint
▪ Control of audit, policies
▪ “Crown jewels” are in a centralized, monitored data center
▪ “IF we get breached…”

Slide 4: Paradigm Shift – From Fortress to 3rd Party Ecosystem
ECOSYSTEM
▪ Empowered employees (BYOD)
▪ Decentralized infrastructure with many 3rd party cloud services
▪ Limited audits without validation
▪ “Crown jewels” are everywhere – continuity is not
▪ Only as strong as your weakest link
▪ “WHEN we get breached…”

Slide 5: Third Party Risk Challenge
Your company spends millions of dollars on IT security – systems, technologies, appliances:
▪ InfoSec professionals
▪ Internal Audit professionals
▪ External Auditors
▪ Processes, technologies, systems
Then some manager in marketing dumps your client data to an Excel spreadsheet and emails it to a direct mail firm in Omaha.
Perhaps even worse: this is usually not random, and usually not one vendor. Often it is thousands of vendors.

Slide 6: Third Party Breach – The Numbers
▪ 41% to 63% of breaches involved third parties
▪ Per-record cost of a 3rd party breach is higher: $231 vs. $188
▪ 71% of companies failed to adequately manage the risk of third parties
▪ 92% of companies planned to expand their use of vendors in 2013
▪ 90% of anti-corruption actions by the DOJ involved 3rd parties

Slide 7: Target by the Numbers (Remember Fazio HVAC?)
▪ 40,000,000 – number of credit and debit card numbers stolen
▪ 70,000,000 – number of non-credit-card PII records stolen
▪ November 27 to December 15, 2013 – duration of the theft
▪ 46% – percentage drop in profits for the 4th quarter of 2013 from the year before
▪ $250,000,000 – total estimated costs as of August 2014
▪ $90,000,000 – amount paid by Target’s insurers (maxed out)
▪ $54,000,000 – estimated amount generated from the sale of the stolen cards
▪ 0 – number of CIOs and CEOs who kept their jobs

Slide 8: So 3rd party risk is a high priority, right?
98% of IT pros feel third-party secure access is not a top priority – Soha Systems via SC Magazine, May 2016

Slide 9: Current State of Third Party Cybersecurity
Ineffective point-in-time security snapshots
▪ Pen & paper questionnaires – expensive, time consuming, and difficult to validate
▪ Intrusive penetration tests require expensive and time consuming site visits
Difficult to meet the needs of the business
▪ Slow process to onboard new vendors
▪ Challenging to communicate security challenges to business executives
▪ Hard to offer lower-risk vendor alternatives
Labor intensive
▪ Unable to scale the program beyond a small subset of critical, high-risk vendors without a big increase in both Risk & Security teams
▪ Difficult to prioritize vendors without benchmarked data
▪ Challenging to substantiate survey responses and ensure ongoing compliance

Slide 10: TPRM – What It Is
Third Party Risk Management (TPRM) is the process of analyzing and controlling the risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.
Due diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
There is no universally accepted TPRM framework comparable to COBIT or COSO.

Slide 11: TPRM – Who It Is
▪ Vendors
▪ Customers
▪ Joint ventures
▪ Counterparties
▪ Fourth parties

Slide 12: Agenda – Examples of Critical Data around us

Slide 13: Question: What year was the Castello di Amorosa castle built?

Slide 14: Critical Data Point: construction photos of the same castle. Any other guesses?

Slide 15: Question: How secure is the National Weather Service, on a scale of 0-100?

Slide 16: Critical Data Point: “Dorking” which discovers a bad XSS injection
Search query shown on the slide:
"failed to open stream: No such file or" AND -"topic" AND -"topics" AND -"reply" AND -"replies" AND - "forums" AND -"forum" AND -"answer" AND -"inject" AND -"comment" AND -"comments" AND -"exploit" AND -troubleshoot AND -"troubleshooting" AND -"Previous message" AND -"posts" AND -"documentation" AND - "bug" AND -"discourse" AND -inurl:"forum" AND - "discussion" AND -inurl:"collab" AND -inurl:"community"
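The data point on this slide is that verbose PHP error output ("failed to open stream: No such file or directory", with the server-side file path attached) ends up in search engine indexes, where anyone can find it. The script below is an added example, not part of the presentation or SecurityScorecard's product, that shows the defender's side: it scans HTTP response bodies from a site you operate for the same error markers and path disclosures, so the exposure is found and fixed before it is indexed. The URLs and response bodies are constructed samples; the marker list and path prefixes are assumptions and not a complete catalogue of what PHP can leak.

```python
import re

# Constructed sample responses standing in for pages fetched from a site you own.
# Each entry is (url, response body). None of these come from the presentation.
SAMPLE_RESPONSES = [
    ("https://example.test/index.php", "<html><body>Welcome</body></html>"),
    ("https://example.test/page.php?id=1",
     "<b>Warning</b>: include(/var/www/html/inc/header.php): "
     "failed to open stream: No such file or directory in "
     "<b>/var/www/html/page.php</b> on line <b>12</b>"),
    ("https://example.test/api.php",
     "<b>Fatal error</b>: Uncaught Error: Call to undefined function foo() "
     "in /var/www/html/api.php:5"),
]

# Substrings that indicate PHP's display_errors output has reached the page.
# Assumed list: the slide's query keys on the first one; the rest are common
# PHP error prefixes as they appear in HTML error output.
LEAK_MARKERS = [
    "failed to open stream",
    "Fatal error",
    "Warning</b>:",
    "Notice</b>:",
]

# Assumed path prefixes: typical document roots and home directories, plus a
# Windows drive letter. The class stops at whitespace, tag brackets, quotes,
# a closing parenthesis or a colon so "include(/path):" yields just "/path".
PATH_PATTERN = re.compile(r'(?:/var/www|/home/|/usr/share|[A-Za-z]:\\)[^\s<"\'):]*')


def find_error_disclosure(url, body):
    """Return a finding for one response, or None when nothing leaked.

    A finding records which error markers were present and which server-side
    paths were exposed, which is what a reviewer needs to locate the faulty
    script and confirm the fix.
    """
    markers = [m for m in LEAK_MARKERS if m in body]
    if not markers:
        return None
    paths = sorted(set(PATH_PATTERN.findall(body)))
    return {"url": url, "markers": markers, "paths": paths}


def scan_responses(responses):
    """Scan (url, body) pairs and return the list of findings, in input order."""
    findings = []
    for url, body in responses:
        finding = find_error_disclosure(url, body)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_responses(SAMPLE_RESPONSES):
        print(f["url"])
        print("  markers:", ", ".join(f["markers"]))
        print("  paths:  ", ", ".join(f["paths"]) or "(none)")
```

On a real site you would replace SAMPLE_RESPONSES with bodies fetched from your own URLs, including error paths such as a missing include or a bad query parameter. A finding is fixed on the server, not in the scanner: set display_errors=Off and log_errors=On in php.ini so the message goes to the error log instead of the page, then re-run the scan and request removal of any already indexed copies.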

Slide 17: Question: Should I book my vacation to China on chinavista.com?
http://travel.chinavista.com/culture2.php?id=1

Slide 18: Probably not. Critical data point: “hacker chatter”

Slide 19: Agenda – Security Benchmarking: Outside/In Approach

Slide 20: Attack Surface & Degrees of Threat Are Expanded
Fortress Habitat vs. 3rd Party Ecosystem:
▪ Direct infiltration / exfiltration
▪ Indirect data exfiltration
▪ Pathway infiltration / exfiltration

Slide 21: Are there subtle “data points” that can help us identify companies at significantly higher risk of being breached?
FOR MY COMPANY
What can a hacker find out without knocking on my door? Do you know?
▪ System or app misconfigurations
▪ Unpatched or insecure technology
▪ Inadvertent exposure
▪ Self-enumeration
▪ “Unknown unknowns”
FOR MY THIRD PARTIES
Are my partners as diligent as I am in protecting my data? Do you know?
▪ Do the questionnaire results match their true posture?
▪ Litmus test – reflections of maturity and awareness

Slide 22: Examples of Critical Data Points Beyond Malware
▪ Take a holistic approach to security risk assessments
▪ Security is more than just understanding malware
▪ Trust but validate
▪ Data with more depth and breadth
DORKING – Prevent sensitive information accessibility through advanced search techniques
APPLICATION SECURITY – Determine if insecure applications exist that may yield information leaks
COMPLIANCE VALIDATION – Validate compliance with ISO 27001, SIG, & NIST to identify potential gaps in your information security framework
SOCIAL ENGINEERING – Understand risk for non-technical intrusion based on human interaction
HACKER CHATTER – Uncover and monitor chatter that puts your company at risk
CREDENTIAL LEAKS – Instantly know if corporate passwords are circulating out in the hacker underground

