Académique Documents
Professionnel Documents
Culture Documents
My Background
Chip Wentz
Ernst & Young, LLP - Executive Director, Advisory
Services
Serves as the Americas Information Protection and
Privacy services leader and the Southeast Region
Information Security leader
Experience in IT risk management, information
security, data protection, privacy, compliance,
controls and governance, with a focus on enabling
the business to achieve its objectives through risk
mitigation and process improvement.
Experimentation
You are attacked
because you are on
the Internet and
have a vulnerability.
Risk
1980s/1990s
Sophisticated attackers
(hackers)
Monetization
You are attacked
because you are on
the Internet and have
information of value.
Corporate espionage
(insiders)
20XX
Organized crime
Motive
Financial gain
National economic/competitive
or military advantage
Characteristics
Conduct unauthorized
financial transactions
Steal banking credentials
Obtain credit card numbers
Identity theft
Maintain access to victim
network
Data
destruction/modification
(e.g., web-site
defacement)
Service disruption (e.g.,
DDoS)
Steal/post personal
information for brand or
reputation impact
Anonymous
LulzSec
The APT
Any industry,
organization, government
agencies, public figures
that counter hacktivists
ideology
Attack objective
(s)
Adversary/threat
actor examples
Targeted
industries
Hactivists
State sponsored
From Symantec:
Ninety-two percent of data breaches caused by external agents, 14% by insiders and
1% by partners.
Fifty-two percent used some form of hacking, 76% exploited weak credentials, 40% used
malware, 35% involved physical attacks, 29% employed social tactics, 13% involved privilege
misuse.
Seventy-five percent were driven by financial motive, 78% rated low difficulty, 69%
discovered by external parties, 66% took months to discover.
Source: Datalossdb.org
Source: Datalossdb.org
Source: Datalossdb.org
Source: Datalossdb.org
Incident Details
An undisclosed number of names, Social Security numbers, and dates of birth exposed on public
court website
City of Detroit
1,700 employee names, dates of birth, and Social Security numbers compromised after a malware
infection
Texas Comptrollers
Office
Personal details for 3.5 million teachers and other employees of the state of Texas were
accidentally published on the Internet. Information released included names, social security
numbers and birthdates. This data had been posted on the Internet for over a year without the
organization realizing it.
California DMV
An unknown number of credit or debit card numbers with expiration dates and three digit security
codes compromised due to a security issue with the credit card processing service
NC DHHS
48,752 names, dates of birth, and Medicaid identification numbers exposed when children's
Medicaid insurance cards were sent to the wrong addresses
Missing flash drive contained unencrypted names, SSN, dates of birth and addresses for more
than 50,000 medical providers
NC DOR
NC ABC
As many as 26,000 envelopes mailed in January partially or fully exposed the retirees' Social
Security numbers
Source: Datalossdb.org
10
http://datalossdb.org/search?utf8=%E2%9C%93&query=North+carolina&sho
w_fringe=no&commit=SEARCH
Organizations
Johnston County North Carolina
Mecklenburg County North Carolina
University of North Carolina
North Carolina State University
North Carolina Utilities Commission
North Carolina Department of Revenue
North Carolina Department of Transportation
North Carolina Department of Correction
North Carolina Community College System
North Carolina Employment Security Commission
Wake County North Carolina Emergency Medical Services
University of North Carolina at Greensboro
University of North Carolina School of Arts
North Carolina Division of Medical Assistance
North Carolina Division of Motor Vehicles
University of North Carolina at Charlotte
North Carolina Department of State Treasurer
North Carolina Alcoholic Beverage Control Commission
State Climate Office of North Carolina
North Carolina Division of Aging and Adult Services
University of North Carolina Lineberger Comprehensive Cancer Center
North Carolina Department of Health and Human Services
Incidents
2
1
3
1
1
1
1
1
1
1
1
3
1
1
2
3
1
1
1
1
1
5
Records
61,000
400
242,000
1,800
???
30,000
25,000
???
51,000
1,771
4,642
2,815
2,700
???
16,013
350,148
26,000
???
2,608
85,045
3,500
100,520
11
Common challenges
Lost or stolen media
Over-sharing of personal
information
Good intentions but misused
data
Third party service provider
weaknesses
Web site leakage
Hackers (inside and outside)
Unwanted marketing
communications (telephone,
email)
Fraudulent transactions
Social engineering, including
phishing
12
confidence
Direct loss of business
Loss of competitive
advantage
13
Company B:
Low-profile
breach in a
regulated
industry
$50
$50
Lost employee
productivity
$20
$25
$30
Opportunity cost
$20
$50
$100
Category
Discovery,
notification, and
response
Description
$50
Regulatory fines
$0
$25
$60
Restitution
$0
$0
$30
Additional security
and audit
requirements
$0
$5
$10
Other liabilities
14
Company C:
High-profile
breach in a
highly regulated
industry
$0
$0
$25
$90
$155
$305
Source: Symantec & the Ponemon Institute May 2013: Cost of a Data Breach Study
15
16
The
Gap
20XX
17
18
27%
42%
Compliance monitoring
32%
9%
17%
Forensics/fraud support
17%
11%
12%
1st
2nd
57%
29%
19%
4%
14%
39%
20%
19%
28%
30%
30%
30%
38%
24%
21%
3rd
25%
48%
16%
18%
21%
19
9%
42%
26%
18%
7%3%
20%
21%
12%
18%
22%
22%
25%
14%
25%
22%
33%
29%
9%
17%
8% 8%
22%
25%
8% 8%
19%
22%
26%
67%
12%
17%
13%
22%
25%
17%
26%
22%
Privacy
9%
27%
12%
16%
44%
14%
32%
24%
16%
34%
13%
11%
17%
17%
17%
15%
29%
26%
14%
16%
29%
17%
11% 7%
13%
27%
15%
23%
33%
4th
5th
3%
69%
32%
64%
4%
33%
64%
3%
Forensics/fraud support
14%
28%
22%
21%
8%
10%
6%
73%
38%
7%
57%
32%
61%
61%
6%
56%
36%
31%
Spend more
2%
52%
3%
72%
68%
46%
2%
9%
63%
74%
25%
Privacy
4%
62%
18%
5%
66%
74%
36%
3%
52%
29%
22%
7%
79%
45%
20
2%
45%
28%
Compliance monitoring
Cyber risks/cyber threats
Data leakage/data loss prevention
36%
7%
8%
2%
62%
32%
5%
63%
Spend less
Security governance
How do you ensure that your external partners, vendors or contractors are protecting your
organizations information? Choose all that apply.
45%
29%
19%
16%
31%
20%
17%
21
3%
34%
6%
33%
2% 13%
9%
4%
20%
38%
24%
16%
37%
33%
9%
38%
14%
36%
21%
10%
13%
68%
10%
8%
1%
23
30%
24%
Preventative controls
Detective controls
24
36%
58%
No change in (internal)
vulnerabilities
45%
No change in (external)
threats
36%
Decrease in (internal)
vulnerabilities
Decrease in (external)
threats
14%
3%
Because respondents could select more than one option, data will not total 100%.
25
50%
5%
2%
6%
1%
3%
Dont know
33%
26
23%
60%
33%
32%
16%
68%
12%
Threat spam
27**
8%
79%
13%
Threat phishing
8%
80%
31%
12%
58%
70%
36%
31%
11%
9%
88%
9%
8%
9%
79%
12%
6%
9%
16%
58%
78%
58%
31%
Threat cyber attacks to steal financial information (credit card numbers, 13%
Threat cyber attacks to steal intellectual property or data
45%
34%
12%
62%
46%
17%
55%
11%
17%
55%
52%
9%
17%
Threat is defined as a statement to inflict a hostile action from actors in the external environment
Vulnerability is defined as the state in which exposure to the possibility of being attacked or
harmed exists
9%
9%
24%
25%
15%
17%
Threat fraud
Threat internal attacks (e.g., by disgruntled employees)
18%
19%
Threat spam
14%
9%
23%
20%
26%
15%
33%
7%
27%
20%
14%
27%
22%
33%
Threat phishing
19%
31%
19%
24%
16%
21%
26%
13%
13%
15%
33%
33%
26%
15%
8%
25%
30%
17%
18%
18%
15%
31%
15%
11%
25%
22%
19%
15%
17%
17%
46%
7%
14%
11%
21%
33%
34%
10%
13%
30%
28%
26%
15%
19%
15%
30%
20%
15%
11%
30%
26%
* Threat is defined as a statement to inflict a hostile action from actors in the external environment
2
** Vulnerability is defined as the state in which exposure to 1
the possibility of being attacked
or harmed exists
13%
46%
35%
19%
28
Todays information security programs must enable business objectives and defend against threats
while investing in the right priorities.
Source Results from Ernst &Youngs Global Information Security Survey conducted in 2011 that included nearly 1,700 information security and IT leaders in 52 countries and across all industry sectors.
29
Governance and
organization
Operations
Awareness
Services
Network
security
Software
security
Host security
Data
protection
Technology protection
Identity and
access
management
Threat and
vulnerability
management
Asset
management
Third -party
management
Business
continuity
management
Security
monitoring
Privacy
Incident
management
Functional operation
Resiliency
Data infrastructure
Events
Alerts
Logs
30
10
Educate
Govern
Detect
Respond
31
State-sponsored attacks
Cloud computing and new data risks
Social media and reputation risks
Mobile device security breaches
32
33
11
Cyber risks are very real and emanate from a wide range of sources:
APT, cyber spies and criminals, foreign intelligence, wire transfer fraud, poor software
development methods, malware, botnets, third-party business partners, vendors,
malicious insiders, underfunded IT, etc.
Securing data and processes from cyber attack must be one of your highest
priorities the network cannot be secured.
Threats emanate from both internal and external sources, so dont forget about an insider
threat program
Anticipate that certain attacks will occur prepare for them now.
Malware has developed to the point that it enables attackers to monetize their botnets
and steal valuable IP.
Weaponized malware now enables governments to use cyber capabilities to produce desired
effects in the physical world.
Users are key they are both the primary target and the first line of defense.
New strategies require strong governance.
34
Assess whether such challenges exist and begin working on them as soon
as possible
Cultural
Establishing and maintaining a sense of urgency
Effective remediation is a marathon, not a sprint
Combating false sense of security that stagnates improvement (e.g., we have ABC
tools)
35
Assess whether such challenges exist and begin working on them as soon
as possible
Technical
Other
36
12
Protect
mattersmost:
most:
Protect what
what matters
Sustain
Sustain your
your security
securityprogram:
program:
Embed
Embed in
security
the business:
in the business:
Corporations need to figure out what their crown jewels are. You can't protect everything and defend your entire
corporate network equally. It's not all equally important, either.
Richard Clarke, Preparing for a future Cyber War,
http://www.computerworld.com/s/article/9182783/Richard_Clarke_Preparing_For_A_Future_Cyberwar
37
Key takeaways
1. Cyber risks are real.
2. Cyber risks must be managed with as much discipline as
financial risk.
3. CISOs must be business leaders and risk managers.
4. Eliminate unnecessary data; keep tabs on whats left.
5. Ensure essential controls are met; regularly check that they
remain so.
6. Without deemphasizing prevention, focus on better and
faster detection through a blend of people, processes, and
technology.
38
QUESTIONS
???
39
13
Thank You!
Chip Wentz
Ernst & Young
Executive Director
Raleigh, NC
Phone:
E-Mail:
+1 (919) 349-4957
chip.wentz@ey.com
40
Further information
41
Beating cybercrime:
Security Program
Management
from the Boards perspective
www.ey.com/spm
www.ey.com/soc
Protecting and
strengthening your brand:
social media governance and
strategy
www.ey.com/mobiledevicesec
urity
www.ey.com/protectingbrand
Information
security in
a borderless
world:
time for a rethink
www.ey.com/infose
c_borderless
Please visit our Insights on governance, risk and compliance series at ey.com/GRCinsights
42
14