SOPHISTICATED MANAGEMENT OF CYBER RISK

SPONSORED BY:



Acknowledgements

The following professionals comprise the Internet Security Alliance's (ISA's) Board of Directors, without which the work of ISA would not be possible. We would also like to acknowledge AIG, which is a member of ISA and which sponsored the workshops and publication of this case study white paper.

Internet Security Alliance Board of Directors

Fidelity Investments: Timothy McKnight, ISA Board Chairman; EVP Information Security and Risk
Raytheon Company: Jeffrey Brown, ISA Board First Vice Chairman; VP of Infrastructure Services and CISO
USAA: Gary McAlum, ISA Board Second Vice Chairman; SVP and CSO
Verizon: Marcus Sachs, VP of National Security Policy
BNY Mellon: Thomas Quinn, Managing Director and CISO
Lockheed Martin Corporation: (Lt. Gen., Ret. USAF) Charlie Croom, VP of Cyber Security Solutions
Northrop Grumman: Russell Koste, Director of Identity, Intelligence and Network Defense
Wells Fargo: Rich Baich, CISO
General Electric: Larry Trittschuh, Director of Global Information Security Operations
Carnegie Mellon University (CMU): Tim McNulty, CyLab Associate VP for Government Relations
Dell SecureWorks: Jeffrey Schilling, Director for the Incident Response Practice
Tyco International: Gene Fredriksen, Senior Director and Global Information Security Officer
The Boeing Company: Thomas Kelly, Director of Information Security – Assessments and Vulnerabilities
SAIC: Julie Taylor, SVP Operations, Cyber Security Services and Solutions
Direct Computer Resources: Joe Buonomo, President & CEO
AVG Technologies: Siobhan MacDermott, Chief Policy Officer
National Association of Manufacturers (NAM): Brian Raymond, Director of Tax, Technology and Domestic Economic Policy
Vodafone Group: Richard Knowlton, Group Corporate Security Director
Internet Security Alliance (ISA): Larry Clinton, President & CEO




About the Internet Security Alliance:

The Internet Security Alliance (ISA) is a multi-sector trade association with membership from virtually every one of the designated critical industry sectors, including substantial participation from the aviation, banking, communications, defense, education, financial services, health care, insurance, manufacturing, security and technology industries.

ISA focuses exclusively on cybersecurity and cybersecurity-related issues, as embodied in its mission, which is to create a sustainable system of cybersecurity by combining advanced technology with economics and public policy.

About Our Publication and Workshops Sponsor:

American International Group, Inc. (AIG) is a leading international insurance organization serving customers in more than 130 countries. AIG companies serve commercial, institutional, and individual customers through one of the most extensive worldwide property-casualty networks of any insurer. In addition, AIG companies are leading providers of life insurance and retirement services in the United States.

Notice:

© 2013 Internet Security Alliance (ISA)

All rights reserved. Published by ISA. Printed in the United States of America.

No part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, except as permitted under Sections 107 or 108 of the U.S. Copyright Act, without prior written permission of the publisher.

Material in this publication is for educational purposes. Neither the publisher nor the authors assume any liability for any errors or omissions, for how this publication or its contents are used or interpreted, or for any consequences resulting directly or indirectly from the use of this publication. For legal or any other advice, please consult your personal lawyer or the appropriate professional.

The views expressed by the individuals in this publication do not necessarily reflect the views of the companies they are employed by (or the companies mentioned in this publication). The employment status and affiliations of authors with the companies referenced are subject to change.




THE EMERGENCE OF THE SOPHISTICATED THREAT

For many years, cyber attacks were thought to be the exclusive province of teenage hackers and academic nerds. Incursions had cutesy names like "Love Bug" and "BLASTER," and, while annoying, they tended to do little actual damage; most enterprises shrugged them off as either a petty cost of doing business, similar to low-level pilferage, or an obtuse issue best relegated to the geeks in information technology (IT) and not worthy of senior-level attention.

Those days are over.

In his February 12, 2013 State of the Union Address, President Obama declared that America's "enemies are seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."1 The President's signature white paper on the issue, the "Cyberspace Policy Review," suggests the costs to American business could run close to one trillion dollars.2

In October, Defense Secretary Leon Panetta warned of increasingly sophisticated attacks being launched on private cyber systems and of the need for greater awareness and attention to securing these systems.3

In February, The New York Times and The Washington Post reported security firm Mandiant's findings that not only had these iconic institutions been compromised, but that the degree of sophistication of attacks had grown substantially.4,5,6,7 Indeed, Mandiant reported that the sophisticated attacks that had previously been confined to governments and major defense contractors have now spread broadly throughout the economy.8

1. Obama, Barack H. "2013 State of the Union Address." Address. Capitol Building, Washington, D.C. 12 Feb. 2013. White House, 12 Feb. 2013. Web. 18 Mar. 2013.
2. United States. Executive Office of the President. "Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure." White House, 2009. Web. 1 May 2013.
3. Panetta, Leon E. "Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security." Address. 2012 BENS Eisenhower Award Dinner. New York City. U.S. Department of Defense, 11 Oct. 2012. Web. 1 May 2013.
4. Perlroth, Nicole. "Hackers in China Attacked the Times for Last 4 Months." New York Times, 30 Jan. 2013. Web. 30 Apr. 2013.
5. Sanger, David E., David Barboza, and Nicole Perlroth. "Chinese Army Unit Is Seen as Tied to Hacking Against U.S." New York Times, 18 Feb. 2013. Web. 30 Apr. 2013.
6. Wan, William, and Ellen Nakashima. "Report Ties Cyberattacks on U.S. Computers to Chinese Military." Washington Post, 19 Feb. 2013. Web. 1 May 2013.
7. Mandiant. "APT1: Exposing One of China's Cyber Espionage Units." Rep. Mandiant, 18 Feb. 2013. Web. 1 May 2013.
8. Ibid.




Unfortunately, the research shows that most enterprises are still attempting to fight these modern attacks with perimeter-based defenses like anti-virus and intrusion detection, which are no longer adequate to meet modern cyber threats.9

Fortunately, while attack methods have continued to evolve, so too have defensive strategies.

THE RISE OF SOPHISTICATED DEFENSE

A series of studies has indicated that, while perfect security is not feasible, we are learning a good deal about how enterprises can better manage their cyber risk.10,11,12 Although analysis of successful attacks has generated good data on how to combat them, this data has not been broadly integrated into business practice.13 This research suggests that by combining modern organizational techniques with research-based technical procedures, organizations can mitigate damage from all but the most sophisticated of cyber threats (e.g., those launched by nation-states), and even these attacks can be better managed.

The major barriers to widespread adoption of these techniques are lack of awareness at senior corporate levels and, as always, cost.14,15,16,17,18

In early 2012, AIG elected to sponsor an effort by the ISA and the Union of Concerned Cybersecurity Leaders (UCCL) to investigate how sophisticated and experienced firms are addressing their cyber threats. Working in conjunction with a series of partner organizations, including the Financial Services ISAC, the Aerospace Industries Association (AIA) and the National Association of Manufacturers (NAM), the effort held workshops in Washington, Silicon Valley and New York City. The goal of this effort was to analyze the risk management methods that sophisticated firms in the defense industrial base, IT and financial services were and are using. In

9. Ibid.
10. Internet Security Alliance and American National Standards Institute. "The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask." Rep. Internet Security Alliance, 2008. Web. 30 Apr. 2013.
11. Internet Security Alliance and American National Standards Institute. "The Financial Management of Cyber Risk: An Implementation Framework for CFOs." Rep. Internet Security Alliance, 2008. Web. 30 Apr. 2013.
12. Verizon RISK Team, et al. "2012 Data Breach Investigations Report." Rep. Verizon, March 2012. Web. 30 Apr. 2013.
13. PricewaterhouseCoopers (PwC). "The Global State of Information Security Survey: 2011." Survey. PricewaterhouseCoopers, 2010. Web. 1 May 2013.
14. Westby, Jody. "Governance of Enterprise Security: CyLab 2012 Report – How Boards & Senior Executives are Managing Cyber Risks." Rep. Carnegie Mellon CyLab, 16 May 2012. Web. 30 Apr. 2013.
15. PricewaterhouseCoopers. The Global State of Information Security: 2008. Rep. PricewaterhouseCoopers, 2007. Print.
16. Brenner, Bill. "Business Partners with Shoddy Security; Cloud Providers with Dubious Risk Controls; What's a CIO to Do?" CIO Magazine, 14 Oct. 2010.
17. Baker, Stewart, Shaun Waterman, and George Ivanov. "In the Crossfire: Critical Infrastructure in the Age of Cyber War." Rep. McAfee, 2010. Web. 30 Apr. 2013.
18. Domenici, Helen, and Afzal Bari. The Price of Cybersecurity: Improvements Drive Steep Cost Curve. Rep. Ponemon Institute–Bloomberg Government Study, 31 Jan. 2012. Print.


