7. www.niiconsulting.com @kkmookhey
Measuring Information Security
What is your Risk?
Standard Risk Assessments
More for compliance than for actual business decision making
Elaborate Excel sheets
Few insights
Taking a different approach
War-game exercises
Run scenarios
APT attack
Insider breach
Perimeter breach
Scenario 1: End-point compromise
Typical breaches target the end-point, and the attacker then penetrates deeper into the network from there. End-points are compromised through missing Adobe/Java patches or unpatched browsers. Malware can also be introduced via USB drives.
Controls:
End-point malware protection
Internet content filtering
USB blocking
Removal of local admin rights
Installing latest OS patches
Installing latest non-OS patches (for Java, Adobe, etc.)
Email filtering
Restrict local admin rights
Modify local administrator account password
Observations:
Anti-virus protection is working well
Microsoft patches are being applied properly
Email filtering is working well
Internet content filtering allows access to file sharing sites and does not block zip/exe downloads
Patches not applied to non-MS software such as Java, Adobe
Internet content filtering can be bypassed by changing WLAN/browser settings
Nearly 100 users have local admin rights
Local administrator password not changed
Recommendations:
1. Enhance end-point security controls
2. Enhance Internet content filtering
3. Address systems noted as malware-infected
Recommendation 1: Enhance end-point & gateway security controls
As a media company and due to various software requirements, we understand
that standard end-point security controls are difficult to implement. Yet we cannot
stress enough the importance of protecting the end-point as that has become the
primary target for attackers:
a. Restrict the Internet access and block Skype / YouTube / Dropbox / Social Media
b. Upgrade firewalls to Next Generation Firewalls
c. Ensure patching process covers non-MS software such as Adobe and Java
d. Remove local admin rights by working with the provider of Media software
e. Block USB access and provide users with an alternate means of file sharing
f. Enhance endpoint security to enforce conditional USB / Local Admin controls
g. Evaluate and budget for DLP
Priority: Critical
Case Study
Large Telco
On-going application security assessments
On-going source code reviews
Periodic penetration tests
Development done by vendors
WAF decision pending for a year…
Should they buy a WAF? Should they invest more in application security? Should they implement a GRC solution?
Insights from data analytics
Vendor delays in fixing the issues
Multiple reassessments lead to issues remaining open and overlapping across subsequent assessments
High level of exposure on the Internet
Multiple approaches adopted and strong focus on appsec in recent times
Hence…
Strategy is two pronged
1. WAF and other virtual patching technologies should be implemented
2. Vendor management practices and contractual negotiation should have CISO involvement
Why you need your data
Surveys/reports cover organizations across industries
Do not take into account the nature of the organization's current web app situation (vendor, in-house, legacy, COTS, etc.)
Do not take into account the current level of maturity
Try to draw general conclusions from the average/sum of all data
Economic Model for Information Security
Parameter                                                              Value
Turnover                                                               ₹1000 crores
Profit-After-Tax (15%)                                                 ₹150 crores
Number of customers                                                    10 lakhs (0.1 crore)
Profit per customer                                                    ₹1500
Customers that will go away in case of a cyber-security incident       5%
Profit reduction (financial impact)                                    ₹7.5 crores
Remediation costs (incident response, forensics, legal fees, if any)   ₹20 lakhs
Business growth projection                                             15% (1.5 lakh new customers)
Future customer attrition                                              5% of new customers won't join
Cost of lost future business                                           ₹1.12 crores
Total cost of the breach                                               ₹8.8 crores
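The slide's arithmetic as an added Python example (not from the original deck), generalised into a parameterised model so the same calculation can be rerun with an organisation's own figures; the inputs below are the slide's own numbers, and the field names are this example's, not the deck's.

```python
# Added example (not from the original deck): the slide's breach-cost model as a
# parameterised calculation. Amounts are in rupees; crore = 10^7, lakh = 10^5.
from dataclasses import dataclass

CRORE = 10_000_000
LAKH = 100_000


@dataclass
class BreachModel:
    turnover: float          # annual turnover, INR
    pat_margin: float        # profit-after-tax as a fraction of turnover
    customers: int           # current customer count
    attrition_rate: float    # fraction of current customers who leave after the incident
    remediation_cost: float  # incident response, forensics, legal fees (INR)
    growth_rate: float       # projected new customers as a fraction of the current base
    future_attrition: float  # fraction of projected new customers who will not join

    def profit_per_customer(self) -> float:
        return self.turnover * self.pat_margin / self.customers

    def lost_current_profit(self) -> float:
        # customers who leave, each taking their per-customer profit with them
        return self.customers * self.attrition_rate * self.profit_per_customer()

    def lost_future_profit(self) -> float:
        # projected new customers who never sign up because of the incident
        new_customers = self.customers * self.growth_rate
        return new_customers * self.future_attrition * self.profit_per_customer()

    def total_breach_cost(self) -> float:
        return (self.lost_current_profit() + self.remediation_cost
                + self.lost_future_profit())


# The slide's own figures: ₹1000 crore turnover, 15% PAT, 10 lakh customers,
# 5% attrition, ₹20 lakh remediation, 15% growth, 5% of new customers lost.
SLIDE_MODEL = BreachModel(turnover=1000 * CRORE, pat_margin=0.15,
                          customers=10 * LAKH, attrition_rate=0.05,
                          remediation_cost=20 * LAKH, growth_rate=0.15,
                          future_attrition=0.05)

if __name__ == "__main__":
    m = SLIDE_MODEL
    print(f"profit per customer: ₹{m.profit_per_customer():,.0f}")
    print(f"lost current profit: ₹{m.lost_current_profit() / CRORE:.2f} crore")
    print(f"lost future profit:  ₹{m.lost_future_profit() / CRORE:.3f} crore")
    print(f"total breach cost:   ₹{m.total_breach_cost() / CRORE:.2f} crore")
```

The unrounded total is ₹8.825 crore, which the slide rounds to ₹8.8 crore (and ₹1.125 crore of future loss to ₹1.12 crore).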
Other economic models
Theft of intellectual property
Market opportunity cost is much higher
Cost of regulatory non-compliance
Penalties to be paid to the regulator; or
Cost of class-action lawsuit
On the horizon…
Cloud adoption – only going to increase
Mobility – moving towards mobile-first
Shadow IT
Big Data
Social Media Access
DevOps
Internet of Things
Deperimeterization
Business environments are becoming increasingly VUCA (volatile, uncertain, complex, ambiguous)
Evolving Role of Information Security
More evangelist than checkpoint
Embedding information security within the business
Enabling the business to address information security risk
Reporting structure outside of IT
You will – or have already been – compromised; so be responsive
You can’t protect everything – so strategize and prioritize