1
Three Bad Outcomes (and how to address them)
Michael K Hamilton 8 May 2014
2
SHORT BIO
Partner, MK Hamilton and Associates
Policy Advisor, Washington State OCIO
CISO, City of Seattle
Managing Consultant, VeriSign GSC
Senior Principal Consultant, Guardent
Independent Consultant
CEO, Network Commerce, Inc.
Ocean Scientist, NASA/JPL
3
LESSONS LEARNED OVER 20 YEARS
Assume breach
Preventive controls will fail
There is no firewall for stupidity
The local scale is the most important
Risk transference (insurance) is misapplied
The smart grid and Internet of Things are about to make problems much worse
4
CURRENT EVENTS
5
Willis Insurance Predicts Energy Cyber-Attack 'Catastrophe' Ahead
We are on the verge of a catastrophe, according to US-owned global insurer Willis. A major cyber-attack on the energy industry ‘is only a matter of time,’ said Robin Somerville, Communications Director for Willis Global Energy Practice at a presentation in London, April 8. In 2012, Willis received two enquiries about cyber attacks. Today, the figure is one a week. ‘I think the energy industry is sitting on an unexploded bomb from uninsured cyber attacks,’ said Somerville, addressing 400 energy industry professionals.
6
Cyber Attack on Journalists, News Services Worldwide by Government Hackers
Two internet security experts Morgan Mayhem and Shane Huntley presented a paper at the Blackhat Conference Asia 2014 that described a pattern of cyber attacks worldwide on journalists and news services from government hackers. A set of attacks by the Vietnamese government with its poor human rights record reported on by the AP in February illustrated patterns of intense pressure applied on activists by repressive regimes, in this case on Vietnamese who are activists, bloggers and public journalists.
7
Utilities and infrastructure face new risks as Microsoft trims cyber support
Tomorrow, Microsoft Corp. will carry out its well-advertised decision to cut back on cybersecurity support for its legacy Windows XP operating system, exposing an undisclosed number of electric utilities, chemical plants, energy facilities and other critical infrastructure in the United States and worldwide to new cybersecurity vulnerabilities, the company warns.
8
Hacking hits ‘phenomenal’ high in 2013: cyber crime report
Cyber crime and hacking attacks hit an all-time high in 2013, making it the “year of the mega breach,” according to the latest report by Symantec. There was a 91 per cent increase in attempted “targeted attacks” worldwide, with a 62 per cent increase in successful cyber security breaches, reads the anti-virus software company’s annual Internet Security Threat Report. Symantec Director of Security Response Kevin Haley said 2013 was a “phenomenal” year for hacking. Cyber attacks are increasing every year and he said organized crime is partly to blame.
9
INVENTORY OF BAD OUTCOMES
What’s really important to those that approve budgets?
  Loss of protected records
  Electronic theft (funds, or intellectual property, for the private sector)
  Service infrastructure disruption
  BONUS BUMMER: regulatory noncompliance
10
CALCULATING RISK
Threat / Vulnerability / Consequence
  Estimate/calculate likelihood of threat exploiting a vulnerability
  Multiply by asset value, or impact of its destruction or loss of availability
11
VULNERABILITIES
Third-party failure to maintain secure products
Inability to upgrade some applications from legacy operating systems
Poorly-developed applications facing the Internet
User behavior
12
RECORDS DISCLOSURE
Threat probability
  Increasing due to insiders, hacktivists, organized crime, increasing use of sophisticated attacks, increasing exposures from mobility/IOT
Consequence
  $200/record, brand damage, bond rating, insurance costs
  Fines, oversight by regulators
13
THEFT
Threat probability
  Empirically high in our region
  Burlington, Gold Bar, Skagit Transit, Leavenworth Hospital, assisted living facilities in Bremerton
Consequence
  Between $450K and $1M lost
  Insurance rate increase
  Scrutiny of security practices by risk pool
18
SERVICE DISRUPTION
Threat probability
  Growing: HVAC compromise, 911 TDOS event, DDOS attacks, nation-state compromise of government networks, rising level of rhetoric from Iran, North Korea, Syria
Consequence
  FEMA values a human life at $23M
19
HOW IT (MOSTLY) STARTS
Malware
Poisoned attachment
Visiting a compromised website
Your Internet-facing services are attacked
Booby-trapped applications
Removable media
Consumer technology
22
CHECK POINT
Risk of these bad outcomes is definitely rising
Preventive controls will fail in these cases – these are targeted attacks
Financial impact can be calculated, and appropriate risk management conducted
Always tie security to money!
23
SO WHAT TO DO?
24
ASSESS YOUR ENVIRONMENT
Against an appropriate standard
  NIST framework
  20 Critical Controls
  ISO 27001/2
25
FOCUS ON DETECTION/RESPONSE
Employ monitoring technology
  Monitor outbound communications
  Use intrusion detection technology
  SIEM/correlation engine technology
Develop rapid response capability
  “Bake” into existing roles
  Use Help Desk and ticketing system
Key metrics: time to incident close, cost per incident, incident frequency
26
IDENTIFY RISK TO KEY ASSETS
Inventory sensitive and valuable assets
Determine financial impact of loss or disruption
Identify technical and process vulnerabilities
Estimate likelihood of action from threat actor taxonomy
Set the bar at an acceptable level
27
ADDRESS IDENTIFIED RISK
Avoid
  Remove the condition that creates the risk
Accept
  Cost/benefit might make this reasonable
Mitigate
  Through controls
Transfer
  Only the RESIDUAL risk
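The two slides above (identify risk to key assets, then address it) worked through as a small risk register. This is an added example, not part of the original presentation. Only the $200/record and $450K figures come from the slides; the acceptable-loss bar, likelihoods, control costs and asset names are constructed assumptions.

```python
from dataclasses import dataclass

BAR_USD = 25_000  # constructed "acceptable level" of expected annual loss

@dataclass
class Risk:
    asset: str
    impact_usd: float              # financial impact of loss or disruption
    likelihood: float              # estimated chance per year that a threat succeeds
    control_cost_usd: float = 0.0  # yearly cost of the candidate control
    control_factor: float = 1.0    # share of likelihood left once the control is in place
    avoidable: bool = False        # the condition creating the risk can be removed

def expected_loss(impact_usd, likelihood):
    """Likelihood of exploitation multiplied by the impact of the loss."""
    return impact_usd * likelihood

def treat(risk, bar=BAR_USD):
    """Return (treatments, residual expected annual loss) for one risk."""
    if risk.avoidable:
        return ["avoid"], 0.0
    exposure = expected_loss(risk.impact_usd, risk.likelihood)
    if exposure <= bar:
        return ["accept"], exposure
    treatments, residual = [], exposure
    mitigated = expected_loss(risk.impact_usd, risk.likelihood * risk.control_factor)
    # Mitigate only when the control costs less than the loss it removes.
    if risk.control_cost_usd < exposure - mitigated:
        treatments.append("mitigate")
        residual = mitigated
    # Insure only the residual that still sits above the bar after controls.
    treatments.append("transfer" if residual > bar else "accept")
    return treatments, residual

# Constructed register; see the lead-in for which figures are from the slides.
REGISTER = [
    Risk("protected records (10,000 rows)", 10_000 * 200, 0.10, 40_000, 0.25),
    Risk("operating account (funds theft)", 450_000, 0.20, 5_000, 0.10),
    Risk("service infrastructure", 1_000_000, 0.05, 60_000, 0.50),
    Risk("Internet-facing legacy application", 300_000, 0.30, avoidable=True),
    Risk("public brochure website", 20_000, 0.30),
]

def plan(register=REGISTER):
    return {r.asset: treat(r) for r in register}

if __name__ == "__main__":
    for asset, (treatments, residual) in plan().items():
        print(f"{asset:36} {'+'.join(treatments):18} residual ${residual:,.0f}/yr")
```

The records row shows the "only the RESIDUAL risk" point: the control cuts expected loss from $200,000 to $50,000 a year, and only that remaining $50,000 is put forward for insurance.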
28
RINSE, REPEAT
29
THANK YOU
Michael K. Hamilton
mkh@mkhamiltonassociates.com