Justin Clarke-Salt CRESTCon 2019 - 14th March 2019

Justin Clarke-Salt

CRESTCon 2019
14th March 2019
Agenda

Aon’s Cyber Solutions

The classic pentest risk

The “classic” pentest risk

Probably something like this:
- High – the world is burning, and this needs to be addressed in 0.5 nanoseconds
- Medium – this is pretty serious, but the universe isn’t going to implode right now. Sort out as soon as possible
- Low – you should definitely do something about these, although I do realise there are 15,000 of them

Or perhaps something like this:
- CVSS 7.0-8.9 (High) - the world is burning, and this needs to be addressed in 0.5 nanoseconds
- CVSS 4.0-6.9 (Medium) - this is pretty serious, but the universe isn’t going to implode right now. Sort out as soon as possible.
- CVSS 0.1-3.9 (Low) - you should definitely do something about these, although I do realise there are 15,000 of them

Observations
Often what the client wants, asks for, and specifies, but can lead to:

- Client re-rates every finding – we’re missing the business risk?
- Client tears off everything but the detailed findings – don’t even care about the risk rating… fix everything… but what?
- Difficulty understanding relative priorities – “which of these medium risk issues should we fix first?”
- Confusing possible and probable

Are we doing it wrong?

What is risk?

- Risk / Opportunity
- “Cyber” risk is just another business risk
- Requires context, capability, motivation
- Can be avoided, mitigated, accepted or transferred
- Zero risk is undesirable

Risk in other contexts

Risk taxonomy

Open FAIR (The Open Group)
    Asset
    Threat
    Vulnerability
Risk
    Loss event frequency
    Loss magnitude

“The Open FAIR Body of Knowledge”. © The Open Group 2014
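The taxonomy above is easier to reason about with numbers attached. The following is an added illustration, not code from the presentation or from The Open Group: it models Risk as loss event frequency multiplied by loss magnitude, and loss event frequency as threat event frequency multiplied by vulnerability (the probability that a threat event becomes a loss event), which is how Open FAIR decomposes those factors. The three-point estimates, the PERT-style weighting used to average them, and both scenarios (a CVSS-high finding on a rarely targeted asset versus a CVSS-medium finding on a heavily targeted one) are constructed for this example and are assumptions, not figures from the talk.

```python
"""FAIR-style risk estimate: Risk = loss event frequency x loss magnitude.

Added example for the Open FAIR taxonomy slide; all figures are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (minimum, most likely, maximum) for an uncertain quantity."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # PERT-style weighted mean. The 1:4:1 weighting is this example's
        # choice for collapsing a range to a point; Open FAIR itself does not
        # prescribe it, and a Monte Carlo over the range is the usual practice.
        return (self.low + 4 * self.likely + self.high) / 6


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pairing with a pentest finding attached to it."""
    asset: str
    threat: str
    finding: str
    cvss_band: str                    # the "classic" severity label
    threat_event_frequency: Estimate  # threat events per year against this asset
    vulnerability: float              # P(threat event becomes a loss event), 0..1
    loss_magnitude: Estimate          # loss per loss event, in currency units


def loss_event_frequency(s: Scenario) -> float:
    """Open FAIR: loss event frequency = threat event frequency x vulnerability."""
    return s.threat_event_frequency.mean() * s.vulnerability


def annualised_loss(s: Scenario) -> float:
    """Open FAIR: risk = loss event frequency x loss magnitude (per year here)."""
    return loss_event_frequency(s) * s.loss_magnitude.mean()


def rank_by_risk(scenarios: List[Scenario]) -> List[Scenario]:
    """Order findings by estimated annual loss, highest first."""
    return sorted(scenarios, key=annualised_loss, reverse=True)


# Constructed scenarios (hypothetical assets, threats and figures).
SCENARIOS = [
    Scenario(
        asset="internal reporting portal",
        threat="opportunistic external attacker",
        finding="authentication bypass",
        cvss_band="High",
        threat_event_frequency=Estimate(2, 5, 10),      # few attempts/year: not reachable from the internet
        vulnerability=0.3,
        loss_magnitude=Estimate(10_000, 50_000, 200_000),
    ),
    Scenario(
        asset="payments gateway",
        threat="organised fraud group",
        finding="verbose error disclosure",
        cvss_band="Medium",
        threat_event_frequency=Estimate(0.1, 0.2, 0.5),  # rare, but targeted and capable
        vulnerability=0.9,
        loss_magnitude=Estimate(500_000, 1_000_000, 3_000_000),
    ),
]


if __name__ == "__main__":
    for s in rank_by_risk(SCENARIOS):
        print(f"{s.finding:<28} CVSS {s.cvss_band:<7} "
              f"LEF/yr={loss_event_frequency(s):6.2f}  "
              f"annualised loss={annualised_loss(s):>12,.0f}")
```

Run as a script, it prints the medium-rated finding above the high-rated one: the severity label says how bad exploitation would be, while the FAIR factors say how often a loss is actually expected and what it would cost, which is the "possible versus probable" distinction the next slides make.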

What can we learn or adapt?

Traps to avoid

- Overstating risk
- Probability versus possibility
- Probability versus prediction
- Risk isn’t priority or severity

Future things to note

Wider contexts

Regulatory moves – cyber resilience
    Financial Stability Board – Cyber Lexicon (July 2018)
    Bank for International Settlements – Cyber Resilience: Range of Practices (December 2018)
    FCA

Operational risk and cyber risk
   Major financial institutions – job adverts

Wrapping up

Questions?

Contact
Justin Clarke-Salt
Managing Director
Cyber Solutions
+44.20.7061.2267
justin.clarke-salt@aon.co.uk

About Cyber Solutions:
Aon’s Cyber Solutions offers holistic cyber security, risk and insurance management,
investigative skills, and proprietary technologies to help clients uncover and quantify
cyber risks, protect critical assets, and recover from cyber incidents.

About Aon:
Aon plc (NYSE:AON) is a leading global professional services firm providing a broad
range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries
empower results for clients by using proprietary data and analytics to deliver insights
that reduce volatility and improve performance.

Cyber security services offered by Stroz Friedberg Inc. and its affiliates.

© Aon plc 2019. All rights reserved.

The information contained herein and the statements expressed are of a general
nature and are not intended to address the circumstances of any particular individual
or entity. Although we endeavor to provide accurate and timely information and use
sources we consider reliable, there can be no guarantee that such information is
accurate as of the date it is received or that it will continue to be accurate in the future.
No one should act on such information without appropriate professional advice after a
thorough examination of the particular situation.

The information contained in this document should not be considered or construed as
legal or tax advice and is for general guidance only. Accordingly, the information
contained herein is provided with the understanding that Aon, its employees and
related entities are not engaged in rendering legal or tax advice. As such, this should
not be used as a substitute for consultation with legal and tax counsel.

All descriptions, summaries or highlights of coverage are for general informational
purposes only and do not amend, alter or modify the actual terms or conditions of any
insurance policy. Coverage is governed only by the terms and conditions of the
relevant policy.
aon.com
