Cyber Event Participation Levels

Position | Extreme | Major | Moderate | Minor | Insignificant |
---|---|---|---|---|---|
CIO | 100% | 100% | 50% | 25% | 0% |
VP IT | 100% | 100% | 75% | 50% | 25% |
VP Ops | 100% | 100% | 50% | 25% | 10% |
Retrieved from (

1. Acceptable Use Policy
2. Computer Ethics Policy
3. Password Protection Policy
4. Clean Desk Policy
5. Use of the Internet Policy
6. Employee Internet Use Monitoring and Filtering Policy
7. Technology Disposal Policy
8. Physical Security Policy
9. Electronic Mail Policy
10. Removable Media Policy
11. Remote Access Policy
12. Mobile Device Policy
13. Software Policy
14. Access Control Policy
15. Network Management Policy
Likelihood Table (frequency of occurrence is given separately for strategic, operational and routine risks)

Level | Descriptor | Description | Frequency (Strategic) | Frequency (Operational) | Frequency (Routine) |
---|---|---|---|---|---|
1 | Rare | May only occur in exceptional circumstances | Less than once every 50 years | Less than once every 10 years | Less than once every 5 years |
2 | Unlikely | Could occur at some time | At least once in 20 years | At least once in 5 years | At least once in 3 years |
3 | Possible | Might occur at some time | At least once in 5 years | At least once per year | At least once per year |
4 | Likely | Will probably occur in most circumstances | At least once per year | At least once per quarter | At least once per month |
5 | Almost Certain | Expected to occur in most circumstances | More than once per year | At least once per month | At least once per |
Consequences Table

Impact | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Extreme |
---|---|---|---|---|---|
Safety | No injuries | First aid treatment | Medical treatment, lost time | Medical treatment, extensive injuries | Fatalities |
Financial Loss | < $50k or 0.5% of OB | $50k - $250k or 1% of OB | $250k - $3M or 2% of OB | $3M - $10M or 6% of OB | > $10M or > 10% of OB |
Asset Loss | Little or no impact on assets | Minor loss or damage to assets | Major damage to assets | Significant loss of assets | Complete loss of assets |
Interruption to Services | < ½ day | ½ - 1 day | 1 day - 1 week | 1 week - 1 month | > 1 month |
Information Management | Inaccurate data entry | Loss or corruption of database | Failure of backup data | System failure and/or extensive hacking attack | |
Legislative Compliance | Breach of Regulations | Warning from Regulator | Successful Prosecution | Cessation of Activities | |
Management Effort | An event, the impact of which can be absorbed through normal activity | An event, the consequences of which can be absorbed but management effort is required to minimise the impact | A significant event which can be managed under normal circumstances | A critical event which with proper management can be endured | A disaster with the potential to lead to the collapse of the University |
Reputation and Image | Unsubstantiated, low impact, low profile or no news items | Substantiated, low impact, low news profile | Substantiated, public embarrassment, moderate impact, moderate news profile | Substantiated, public embarrassment, high impact, high news profile, third party actions | Substantiated, public embarrassment, very high multiple impacts, high widespread news profile, third party actions |
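The Likelihood and Consequences tables only become a risk rating once the two are combined, and the Cyber Event Participation Levels table then says how much executive time the resulting consequence class demands. The following added example (not part of the original document) encodes those three tables and scores a constructed scenario. The frequency thresholds, financial bands, outage bands and participation percentages are taken from the tables above; the rating bands (score of 15 or more is Extreme, 10 or more High, 5 or more Medium, otherwise Low), the use of the worst single impact dimension as the overall consequence, and the "more than once per month" reading of the truncated Routine / Almost Certain cell are assumptions made for this example.

```python
"""Risk scoring from the Likelihood, Consequences and Participation tables.

Added example, not from the original document. Rating bands and the
"worst dimension wins" rule are assumptions, not part of the source tables.
"""

# Lower bounds in expected events per year for likelihood levels 2..5, per
# risk context. (level, bound, strict): strict=True means "more than".
# Anything below the level-2 bound is level 1 (Rare).
LIKELIHOOD_BOUNDS = {
    # Strategic: once in 20 yrs, once in 5 yrs, once per year, more than once per year
    "strategic":   [(2, 1 / 20, False), (3, 1 / 5, False), (4, 1.0, False), (5, 1.0, True)],
    # Operational: once in 5 yrs, once per year, once per quarter, once per month
    "operational": [(2, 1 / 5, False), (3, 1.0, False), (4, 4.0, False), (5, 12.0, False)],
    # Routine: once in 3 yrs, once per year, once per month; the level-5 cell on
    # the page is truncated, so "more than once per month" is ASSUMED here.
    "routine":     [(2, 1 / 3, False), (3, 1.0, False), (4, 12.0, False), (5, 12.0, True)],
}

LIKELIHOOD_DESCRIPTOR = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
CONSEQUENCE_DESCRIPTOR = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}

# Cyber Event Participation Levels table, keyed by consequence level.
PARTICIPATION = {
    "CIO":    {5: 100, 4: 100, 3: 50, 2: 25, 1: 0},
    "VP IT":  {5: 100, 4: 100, 3: 75, 2: 50, 1: 25},
    "VP Ops": {5: 100, 4: 100, 3: 50, 2: 25, 1: 10},
}


def likelihood_level(events_per_year: float, context: str) -> int:
    """Map an observed or estimated frequency to a 1..5 likelihood level."""
    level = 1
    for lvl, bound, strict in LIKELIHOOD_BOUNDS[context]:
        met = events_per_year > bound if strict else events_per_year >= bound
        if met:
            level = lvl  # bounds are ascending, so the last one met wins
    return level


def financial_impact(loss_usd: float) -> int:
    """Financial Loss row of the Consequences table (absolute amounts only)."""
    if loss_usd < 50_000:
        return 1
    if loss_usd < 250_000:
        return 2
    if loss_usd < 3_000_000:
        return 3
    if loss_usd <= 10_000_000:
        return 4
    return 5


def interruption_impact(outage_days: float) -> int:
    """Interruption to Services row of the Consequences table."""
    if outage_days < 0.5:
        return 1
    if outage_days <= 1:
        return 2
    if outage_days <= 7:
        return 3
    if outage_days <= 30:
        return 4
    return 5


def rating(score: int) -> str:
    """ASSUMED rating bands; the page gives no rating matrix."""
    if score >= 15:
        return "Extreme"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def score_risk(events_per_year: float, context: str, loss_usd: float, outage_days: float) -> dict:
    """Combine likelihood and the worst impact dimension into a rated risk."""
    likelihood = likelihood_level(events_per_year, context)
    consequence = max(financial_impact(loss_usd), interruption_impact(outage_days))
    score = likelihood * consequence
    return {
        "likelihood": likelihood,
        "likelihood_descriptor": LIKELIHOOD_DESCRIPTOR[likelihood],
        "consequence": consequence,
        "consequence_descriptor": CONSEQUENCE_DESCRIPTOR[consequence],
        "score": score,
        "rating": rating(score),
        "participation": {role: levels[consequence] for role, levels in PARTICIPATION.items()},
    }


if __name__ == "__main__":
    # Constructed scenario: an operational risk seen about once every two
    # years, costing around $400k and three days of outage when it happens.
    print(score_risk(0.5, "operational", 400_000, 3))
```

Because the Likelihood table defines different frequency scales per context, the same "once every two years" event is Unlikely as an operational risk but Possible as a strategic one; the function takes the context explicitly so that distinction is not lost.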
Role | Assess Risk | Manage Risk | Fund | Implement | Assure |
---|---|---|---|---|---|
Application Owner | I | R, A | R, A | A | A |
IT | I | C | I | R | I |
Operational Risk | R, A | I | I | I | C |
Security | C | C | I | I | R |
Appendix D. Checklist for CEO (Executives in general)

Retrieved from (Vantage Point, 2016)

Before an Incident

1. Stay current on the latest threats and cyber security best practices
2. Designate a board committee tasked with cyber security responsibilities. Establish links between board and C-level executives, especially CIO and CISO
3. Identify the firm's security posture and the risks to the company. Assess the company's systems, assets, data, and capabilities, and identify risks unique to your industry
4. Research, design, and deploy security technology. Consider access control, data security, training, processes, and procedures
5. Develop and deploy the appropriate systems to identify a cyber security event as soon as possible
6. Create an incident response plan that lays out who reports to whom. Build in contingencies in case some people are unavailable at the time of an incident
7. Ensure the response plan covers communications, analysis, mitigation, and other critical tasks
8. Run practice drills to test the plan and revise it as needed
9. Establish a recovery plan to restore any capabilities or services impaired by a breach and to protect the company from further attacks
10. Discuss with counsel whether cybersecurity risk factors in the company should be disclosed in public (i.e. SEC 10-K filings)
11. Obtain liability insurance specifically covering cyber security risk for directors and officers as well as for the corporation
12. To limit the company's liability in certain kinds of attacks, consider cyber security vendors certified under the U.S. Department of Homeland Security's SAFETY ("Support Anti-Terrorism By Fostering Effective Technologies") Act

During an Incident

1. Oversee an incident response. Serve as a conduit between incident responders within the company and external stakeholders including customers, partners, and regulators
2. Understand that news of the incident usually comes to the company from outsiders, such as law enforcement or partner companies. Keeping the event under wraps is no longer very likely
3. Work closely with your legal counsel and public relations team to advise C-level executives about how to disclose incident details, especially to news media. Don't disclose facts until they've been verified
4. Stay in touch with your response team to assist as needed during response and through remediation

After an Incident

1. After a breach has been repaired, intruders ejected, and systems restored, assist in damage control to fix the company's infrastructure and reputation
2. Review the incident response to assess how it went. Identify weaknesses in equipment, systems, and procedures to determine where to make improvements
3. With guidance from your legal counsel, determine how to make customers whole if their data was exposed or stolen
4. Consider offering free credit monitoring, issuing new account numbers, and so on. Identify the "churn rate". Counsel can advise as to any consumer remedies required by law
ID | Question, Metric Category or Metric |
---|---|
1.0.1 | How many times are we being "pinged" and "probed"? |
1.0.2 | How much spam is filtered? |
1.0.3 | How many phishing messages are we receiving? |
1.0.4 | Who is targeting us? |
1.1.1 | System vulnerabilities |
1.1.1.1 | Number of vulnerabilities discovered |
1.1.1.2 | Percentage of vulnerabilities mitigated in prescribed time frames |
1.1.1.3 | Number of residual vulnerabilities |
1.1.2 | Other vulnerabilities |
1.1.2.1 | Percentage of systems and devices beyond projected life span |
1.1.2.2 | Percentage of software beyond projected life span |
1.2.1 | Number of cybersecurity incidents detected |
1.2.2 | Number of detected cybersecurity incidents by category |
1.2.3 | Cost per incident |
1.2.4 | Who is responsible for cyber security incidents? |
2.0.1 | Network performance measurement |
2.0.2 | How does network performance compare to previous measurements? |
2.0.3 | Percentage of devices with current security software |
2.1.1 | Number of unauthorized changes. Unauthorized changes to your systems are not good |
2.1.2 | Percentage of maintenance successfully accomplished within schedule and budget |
2.2.1 | Percentage of software current with all known patches. This is a critical cybersecurity measure. It makes sense to patch your soft |
2.2.2 | Number of unauthorized software and media detected on network and devices |
2.3.1 | Number of physical security incidents allowing unauthorized access into facilities |
2.3.2 | Number of violations of clean desk policy |
2.4.1 | Percentage of system and service contracts that include security requirements and/or specifications |
4.0.1 | Percentage of the IT budget devoted to cybersecurity |
4.0.2 | Percentage of the organization budget devoted to cybersecurity |
4.0.3 | Execution of current budget |
4.2.1 | Cost to replace |
4.2.2 | Estimated costs associated with loss, tampering, or destruction of information |
4.2.3 | Estimated costs associated with regulatory fines for failing compliance |
4.3.1 | Cybersecurity risk |
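Metrics 1.1.1.1 through 1.1.1.3 (vulnerabilities discovered, percentage mitigated in the prescribed time frame, residual vulnerabilities) are the ones most often reported from a vulnerability tracker, and the "prescribed time frame" only means something when it is tied to severity. The following added example (not from the original document) computes the three metrics over a constructed set of vulnerability records. The per-severity remediation deadlines (critical 7 days, high 30, medium 90, low 180) are an assumption for this example; the page does not state any; the percentage is taken over all discovered vulnerabilities so that still-open findings count against it, and an extra list of overdue open items is returned because that is what a practitioner would act on.

```python
"""Vulnerability metrics 1.1.1.1 - 1.1.1.3 over constructed records.

Added example, not from the original document. The SLA days per severity
are assumed for illustration; substitute your organisation's own deadlines.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# ASSUMED prescribed time frames (days from discovery to mitigation) per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Vuln:
    vuln_id: str
    severity: str
    discovered: date
    mitigated: Optional[date]  # None means still open


def vulnerability_metrics(vulns: list, as_of: date) -> dict:
    """Return metrics 1.1.1.1 (discovered), 1.1.1.2 (% mitigated on time) and
    1.1.1.3 (residual), plus the open items already past their deadline."""
    discovered = len(vulns)
    mitigated = [v for v in vulns if v.mitigated is not None]
    on_time = sum(
        1 for v in mitigated
        if (v.mitigated - v.discovered).days <= SLA_DAYS[v.severity]
    )
    overdue_open = [
        v.vuln_id for v in vulns
        if v.mitigated is None and (as_of - v.discovered).days > SLA_DAYS[v.severity]
    ]
    return {
        "1.1.1.1_discovered": discovered,
        "1.1.1.2_pct_mitigated_in_time": round(100.0 * on_time / discovered, 1) if discovered else 0.0,
        "1.1.1.3_residual": discovered - len(mitigated),
        "overdue_open": overdue_open,
    }


# Constructed sample records (not real findings).
SAMPLE_VULNS = [
    Vuln("V-1", "critical", date(2024, 1, 2), date(2024, 1, 6)),    # 4 days: on time
    Vuln("V-2", "high", date(2024, 1, 5), date(2024, 2, 20)),       # 46 days: late
    Vuln("V-3", "medium", date(2024, 1, 10), date(2024, 3, 1)),     # 51 days: on time
    Vuln("V-4", "critical", date(2024, 2, 1), None),                # open, past 7-day SLA
    Vuln("V-5", "low", date(2024, 2, 15), None),                    # open, within 180-day SLA
]


def sample_metrics() -> dict:
    """Metrics for the constructed records as of 1 March 2024."""
    return vulnerability_metrics(SAMPLE_VULNS, date(2024, 3, 1))


if __name__ == "__main__":
    for key, value in sample_metrics().items():
        print(f"{key}: {value}")
```

Reporting the on-time percentage against all discovered vulnerabilities, rather than only against those already closed, keeps an organisation from looking good simply by leaving hard findings open; the residual count (1.1.1.3) and the overdue list make that backlog visible alongside the percentage.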
Who | Objectives | Targets | Signature | Likelihood | Consequences | Classic Case |
---|---|---|---|---|---|---|
China, Iran, Israel, Russia, U.S. | Intelligence, state secrets, sabotage | Foreign governments, terrorists, industry | Multi-tiered, precisely orchestrated attacks that breach computer systems | Possible | Major | One-fifth of Iran's nuclear centrifuges crashed after Stuxnet, a worm reportedly developed by U.S. and Israeli intelligence, penetrated computers at an Iranian enrichment facility. Iran allegedly retaliated by disrupting access to the websites of J.P. Morgan (JPM, +1.25%), PNC (PNC, +1.27%), Wells Fargo (WFC, -1.05%) and others. |
Anonymous, AntiSec, LulzSec | Righting perceived wrongs, publicity, protecting Internet freedoms | Bullies, Scientologists, corporations, governments | Leaking sensitive information, public shaming, creepy YouTube videos | Likely | Minor | The websites of PayPal, Visa (V, +0.30%), and MasterCard (MA, -0.05%) were disrupted during Operation Payback, an Anonymous-led effort to punish companies that suspended the accounts of WikiLeaks in 2010. Some $5.6 million was lost by PayPal alone. |
Nigerian "princes," carders, identity thieves, spammers | Treasure | The gullible, online shoppers, small businesses, data-rich health care and retail companies | Stealing data, looting bank accounts | Possible | Minor | Coreflood, malicious software that records keystrokes and passwords, infected 2.3 million computers in 2009, some in police departments, airports, banks, hospitals, and universities. Affected companies suffered six-figure fraudulent wire transfers. |
Disgruntled employees, contractors, whistleblowers | Score-settling, leaks, public good | Large companies, governments | Document theft | Unlikely | Major | Maroochy Shire, an Australian district along the Sunshine Coast in Queensland, was inundated with millions of gallons of untreated sewage in 2001 when a contractor hacked and took control of 150 sewage-pumping stations. He had been passed over for a job with the district. His dirty work cost Maroochy Shire upwards of $1 million. |
Bored youth | Thrills, notoriety | Low-hanging fruit such as unprotected websites and e-mail accounts | Defacing or dismantling websites | Likely | Insignificant | An e-mail with the subject line I LOVE YOU duped people, some of them inside the Pentagon, in 2001. The virus it contained, which originated in the Philippines, destroyed files and simultaneously replicated itself, seeding in-boxes as it went. The so-called Love Bug caused an estimated $10 billion in digital damage and lost productivity. |
Endgame, Netragard, Vupen | Hacking as legitimate business | Agnostic | Finding so-called zero-day exploits (ways to hack new software) and selling them to governments and other deep-pocketed clients | Rare | Minor | French firm Vupen hacked Google's (GOOG, +0.44%) Chrome browser at a security conference last March. Rather than share its technique with the company (and accept a $60,000 award), Vupen has been selling the exploit to higher-paying customers. |
Terrorists | Spread fear and terror, commit murder | Non-believers in their political or religious beliefs | Create fear and chaos by disrupting critical infrastructure | Possible | Moderate | Ardit Ferizi was arrested in Malaysia and charged in October 2015 with stealing data belonging to US service members and passing it to members of ISIS with the intent to support them in arranging attacks against Western targets. |
Hackers working for competing corporations | Steal trade secrets | Specific corporations | Leak information that is critical to the victim's organization | Possible | Major | Chinese cyber spying on the US for military and political reasons. |