
Confronting Cyber Risk: Latest Publications

Who Is Responsible for Cybersecurity?
Pub Date: 2021-11-18  DOI: 10.1093/oso/9780197526545.003.0005
Gregory Falco, Eric Rosenbach
The question “Who is responsible for cybersecurity?” addresses how cyber risk prevention and resilience is not a one-person show: it takes a village to reduce organizational cyber risk. A case study opens the chapter by examining the immense hack of Equifax and the company’s poor cyber leadership during and after the data breach. It details the importance of strong leadership and educates readers on achieving accountable leadership for cyber risk. Afterward, it teaches readers about an organization’s enterprise information security policy and outlines the components of a cybersecurity culture. Topics include transparency, accountability, appropriate system knowledge, compliance with policy and procedure, and formal communication channels. The chapter guides executives in budgeting and allocating resources to cyber risk management and explains third-party agreements for cyber risk. It also details the importance of cyber talent management. The chapter concludes with Rosenbach’s Embedded Endurance strategy experience with cyber risk leadership at the U.S. Department of Defense.
Citations: 0
What Risk Resilience Measures Can I Use?
Pub Date: 2021-11-18  DOI: 10.1093/oso/9780197526545.003.0007
Gregory Falco, Eric Rosenbach
The question “What resilience measures can I use?” addresses how to reduce the impact and consequences of successful cyberattacks. The chapter begins with a case study analyzing how Capital One recovered after being hacked and highlighting how your organization can use planning to facilitate cyber resilience. It illuminates the technical means for enabling resilience from an attack, including virtualization and maintaining backups. It defines a ten-step process for responding to cyberattacks: prevention, planning, preparation, detection, analysis, containment, communication, eradication, recovery, and post-event analysis. The chapter explains how an organization can build a computer security incident response team (CSIRT) to facilitate this process, and what role a cyber crisis communication plan should play. The chapter concludes with Rosenbach’s Embedded Endurance strategy experience supporting the White House in crafting a national cyberattack resilience and response plan.
Citations: 0
How Do I Embed Cyber Risk Management in All Aspects of the Organization?
Pub Date: 2021-11-18  DOI: 10.1093/oso/9780197526545.003.0008
Gregory Falco, Eric Rosenbach
The question “How do I embed cyber risk management in all aspects of the organization?” addresses how to adopt an Embedded Endurance cyber risk strategy in your day-to-day work as a cyber leader. The chapter begins with a case study about the NotPetya cyberattack, which highlights ongoing challenges in cyber insurance and illuminates the need for embedding cyber mitigation measures across all prioritized critical systems, networks, and data. The chapter describes how to develop an Embedded Endurance cyber risk strategy that is customized for your organization. This chapter walks readers through the key elements of a cyber strategy, from start to finish. This includes defining a risk framework, setting strategic goals, identifying metrics, and establishing strong leadership. The chapter concludes with experiences highlighting the real-world importance of an Embedded Endurance cyber risk strategy from Rosenbach and Falco.
Citations: 0
Who Is Attacking Us?
Pub Date: 2021-11-18  DOI: 10.1093/oso/9780197526545.003.0002
Gregory Falco, Eric Rosenbach
The question “Who is attacking us?” explains cyber threat actors and their motivations for attacking organizations. The chapter begins with a Colonial Pipeline case study that describes the ransomware attack against the U.S. fuel pipeline, a cyberattack on critical U.S. infrastructure. The chapter explains different types of cyberattacks, including social engineering, denial of service, advanced persistent threats, brute force attacks, and artificial intelligence attacks. Further, the chapter details the suite of threat actors who launch cyberattacks, including lone hackers, hacktivists, petty criminals, organized criminals, professional criminals, and nation-states. Finally, the chapter describes the importance of sectoral threat intelligence, including Information Sharing and Analysis Centers (ISACs), and types of threats to specific sectors, including finance, healthcare, manufacturing, education, power and utilities, and retail. The chapter concludes with Embedded Endurance strategy lessons from Falco’s experience addressing these issues at NASA’s Jet Propulsion Laboratory.
Citations: 0
Conclusion
Pub Date: 2021-11-18  DOI: 10.1093/oso/9780197526545.003.0009
Gregory Falco, Eric Rosenbach
The conclusion summarizes the importance of an Embedded Endurance cyber risk strategy and the steps you can take to design and implement your own. The Embedded Endurance cyber risk strategy you will build focuses on implementing mitigation measures that include prevention and resilience. The chapter describes how even in an evolving cyber risk landscape, the concepts described in the Embedded Endurance cyber risk strategy will remain foundational. The chapter concludes with “cryptograms” from the future, in which organizational leaders confront the next generation of cyber risk challenges. The cryptograms encourage readers to apply the lessons learned and extend these Embedded Endurance strategy lessons to the future.
Citations: 0
What Risk Prevention Measures Can I Use?
Pub Date: 2021-11-18  DOI: 10.1093/oso/9780197526545.003.0006
Gregory Falco, Eric Rosenbach
The question “What risk prevention measures can I use?” describes how to reduce the likelihood of a cyberattack on your organization. The chapter begins with a case study on the SolarWinds hack exemplifying how prevention measures on a specific system, network, or data cannot be effective on their own. The chapter describes why cyber risk management needs to be embedded across all facets of the organization, and how the Embedded Endurance strategy can help readers achieve that. It reviews system security prevention measures that include patch management and antivirus software. It explains network security prevention measures, including intrusion detection and intrusion prevention systems. The chapter also describes data risk prevention measures such as data governance, encryption, and data loss prevention technology, and highlights the importance of physical security for reducing cyber risk. The chapter concludes with Falco’s Embedded Endurance strategy insight on risk prevention gained at his industrial Internet-of-Things security company.
Citations: 0
What Do I Need to Know About Cyber Frameworks, Standards, and Laws?
Pub Date: 2021-11-18  DOI: 10.1093/oso/9780197526545.003.0004
Gregory Falco, Eric Rosenbach
The question “What do I need to know about cyber frameworks, standards, and laws?” distills the complex landscape of cyber risk laws, requirements, and standards. The chapter begins with a case study on Nielsen Holdings’ legal and business trouble with the European General Data Protection Regulation (GDPR). It distinguishes compliance from security—explaining how readers can achieve both—and clarifies the dynamic, complex legal landscape in a world of ever-evolving cyber risk. It reviews legislation relating to cyber risk including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Management Act (FISMA), and GDPR. The chapter describes the importance of adopting the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, creating a cyber policy/act/law/regulation “watch list,” and purchasing cyber insurance. At the chapter’s end, Falco shares Embedded Endurance strategy insight from his experience leading a team developing a cyber standard of care.
Citations: 0
Why Is Cyber Risk an Issue?
Pub Date: 2021-11-18  DOI: 10.1093/oso/9780197526545.003.0001
Gregory Falco, Eric Rosenbach
The question “Why is cyber risk an issue?” pinpoints the leadership challenge that cyber risk poses. The chapter begins with a WannaCry case study that demonstrates how cyberattacks can impact every aspect of organizations given the pervasive nature of digital systems. The chapter describes how leadership must address cyber risk by analyzing the organization’s unique threats, its vulnerabilities, and the impact an attack can have on the organization. It describes how mitigation measures minimize cyber vulnerabilities and maximize an organization’s ability to respond to cyberattacks. It emphasizes that leadership must strategically manage cyber risk through carefully selected mitigations. This chapter introduces how an Embedded Endurance cyber risk strategy offers a systems-level approach to mitigating cyber risk by addressing interdependent components of the organization’s risk and preparing for the inevitability of cyber threats over the long term, and details real-world Embedded Endurance cyber risk strategy experiences.
Citations: 0
How Do I Assess Our Cyber Risk?
Pub Date: 2021-11-18  DOI: 10.1093/oso/9780197526545.003.0003
Gregory Falco, Eric Rosenbach
The question “How do I assess our cyber risk?” addresses how to identify and characterize cyber risk unique to an organization’s critical systems, networks, and data. The chapter begins with a case study about a cyberattack on Ukraine’s electric grid. It details risk assessment for three types of critical systems: mission-critical systems, business-critical systems, and safety-critical systems. It explains the three types of networks critical to many organizations: business and administrative networks, operational and service delivery networks, and communication networks. In outlining the “CIA triad,” it shows how cyber risk can be characterized as a confidentiality, integrity, or availability issue relating to digital assets. Further, it describes how to assess the importance of different digital assets and how to prioritize them using a business impact analysis (BIA). The chapter concludes with real-world Embedded Endurance strategy lessons Rosenbach gained in Saudi Arabia in the wake of one of the world’s most destructive cyberattacks.
Citations: 0