cyber risk research at ccrs
play

Cyber Risk Research at CCRS Jennifer Copic Research Assistant - PowerPoint PPT Presentation

Feb 10, 2023 •109 likes •296 views

Cambridge Centre for Risk Studies Advisory Board Research Showcase 24 January 2017 Cyber Risk Research at CCRS Jennifer Copic Research Assistant Cambridge Centre for Risk Studies Largest Cyber Data Exfiltration Event: Yahoo August 2013

  1. Cambridge Centre for Risk Studies Advisory Board Research Showcase – 24 January 2017 Cyber Risk Research at CCRS Jennifer Copic Research Assistant Cambridge Centre for Risk Studies

  2. Largest Cyber Data Exfiltration Event: Yahoo  August 2013 – 1 billion customer details such as phone numbers, birthdates, and security questions – Shares lost 6.5% after the announcement of this breach in Dec 2016 – Hackers forged cookies in order to steal the information  Late 2014 - 500 million records stolen in separate event announced in Sept 2016  July 2016 – Verizon announced to buy Yahoo for $4.8 billion prior to the hacks being discovered – Verizon is exploring price cut due to the data breaches – Impact of Yahoo Data Breach could potentially kill the valuation of Yahoo Leswing, K. “Yahoo confirms major breach — and it could be the largest hack of all time”. Business Insider. 22 Sept 2016. http://uk.businessinsider.com/yahoo-hack-by- state-sponsored-actor-biggest-of-all-time-2016-9?r=US&IR=T Weinberger, M. “IT HAPPENED AGAIN: Yahoo says 1 billion user accounts stolen in what could be biggest hack ever” Business Ins ider. 14 Dec 2016. http://uk.businessinsider.com/yahoo-data-breach-billion-accounts-2016-12 Moritz, S. and Womack, B. “Verizon Explores Lower Price or Even Exit From Yahoo Deal”. Bloomberg Technology. 15 Dec 2016. 2 https://www.bloomberg.com/news/articles/2016-12-15/verizon-said-to-explore-lower-price-or-even-exit-from-yahoo-deal

  3. DDoS Attack on Dyn  Dyn is an internet traffic management product managing domain name system (DNS) infrastructure – They promise to protect companies from DDoS Map of areas most affected by Dyn attack, 11:45 a.m. EDT, October 21, 2016  They suffered two 2 hours outages due to a DDos attack as  Systemic Attack large as 1,200 Gbps on 21 Oct Amazon – 2016 – Twitter – Attackers created a botnet from AirBnB – Internet of Things (IoT) using the – Pinterest Mirai IoT botnet malware – BBC o Had 100,000 malicious endpoints – CNN involved in the attack – Spotify  Geographic: 18 points of Tumbler – presence – Paypal – Netflix Woolf, N. “DDoS attack that disrupted internet was largest of its kind in history, experts say”. The Guardian. 26 October 201 6. https://www.theguardian.com/technology/2016/oct/26/ddos- attack-dyn-mirai-botnet York, K. “Dyn Statement on 10/21/2016 DDoS Attack”. Dyn. http://dyn.com/blog/dyn -statement-on-10212016-ddos-attack/ 3

  4. ShadowBrokers Release a Cyber Arsenal On 13 August 2016 the ‘ShadowBrokers’ group released a showcase folder containing a set of  cyber hacking weapons obtained from ‘Equation Group’ – Obtained from the United States National Security Agency (NSA) ShadowBrokers hacked the NSA or an insider leaked the materials –  The showcase folder released: – 15 exploits, 13 implants and 11 tools Most notably a number of ‘zero day’ exploits to penetrate industry standard firewalls –  In October the Shadow Brokers leaked a further 300 files of IP addresses purportedly revealing NSA targeting and routing References: Greenberg, 2016; Fox-Brewster, 2016; CERT, 2016. Images: Tweet, NSA Picture, Victim map 4

  5. Completed Cyber Research Projects 2016  Integrated Infrastructure: Cyber Resiliency in Society  Insurability of Cyber Catastrophe Risk – Assessment of PMLs  Cyber Catastrophe Scenarios for Insurance Accumulation Management  Cyber Terrorism Phase 1  Cyber in Project Pandora and the Cambridge Global Risk Index 2017 5

  6. Integrated Infrastructure: Cyber Resiliency in Society 2,100 GDP (constant prices £ 2012 , Bn) 2,000 1,900 1,800 Baseline £ billion S1 1,700 S2 X1 1,600 1,500 2016 2017 2018 2019 2020 2021 Domestic UK GDP@Risk under each scenario variant GDP@Risk (5 Yr) Company (1 year Customer (1 year direct) Sector indirect) Sector Scenario Lost power impact on overall Losses Losses Variants (TWh) UK economy £ billion £ billion £ billion S1 10.3 7.2 4.4 49 S2 19.8 18.0 10.9 129 X1 39.6 53.6 31.8 442 6

  7. Integrated Infrastructure: Cyber Resiliency in Society Railway customers disrupted Customer disruptions by scenario: S1 = 0.85m | S2 = 1m | X1 = 1m 7

  8. Cyber Catastrophe Scenarios for Insurance Accumulation Management – Assessment of PMLs Industry Organizations Supporting the Schema Accumulation Exposure Data Management Reinsurance Schema Association System of America Lloyd’s Scenarios Risk Models Lloyd’s Jan 2016 Market v1.0 Association First complete schema Chief Risk Officer Forum 8

  9. Cyber Catastrophe Scenarios for Insurance Accumulation Management – Assessment of PMLs Affirmative cyber attack scenarios developed by Accumulation Exposure Data Centre for Risk Studies Management Schema Deployed in CAMS v1.0 System Data Exfiltration (‘Leakomania’) Denial of Service Attack (‘Mass DDoS’) Scenarios Risk Models Cloud Service Provider Failure (‘Cloud Compromise’) Cyber Heist (‘Financial Theft’) Ransomware (‘Extortion Spree’) ShadowBrokers (‘ExtraBacon Exploited’) 9

  10. Cyber Catastrophe Scenarios for Insurance Accumulation Management – Assessment of PMLs Silent cyber attack scenarios developed by Accumulation Exposure Data Centre for Risk Studies Management Schema Deployed in CAMS v2.0 System Cyber-Induced Fires in Commercial Office Buildings (Laptop batteries fire induction’) Cyber-Enabled Marine Cargo Theft from Port (‘Port Management System’) Scenarios Risk Models ICS-Triggered Fires in Industrial Processing Plants (‘ICS Attack’) PCS-Triggered Explosions on Oil Rigs (‘Phishing - Triggered Explosions’) Regional Power Outage from Cyber Attack on US Power Generation (‘Business Blackout’) S1, X1 Regional Power Outage from Cyber Attack on UK Power Distribution (‘Integrated Infrastructure’) 10

  11. Lloyd’s Cyber RDS Scenarios CRS Cyber Scenarios Data Exfiltration 1. Data Theft from an Aggregator (Variant of ‘Leakomania’) Cloud Service Provider Failure 2. Cloud Computing Service Provider (‘Cloud Compromise’ Reference View) 3. Northeast Blackout Scenario S1 Attack on US Power Generation (‘Business Blackout Scenario S1’) 4. Northeast Blackout Scenario X1 Attack on US Power Generation (‘Business Blackout Scenario X1’) 5. UK Blackout Scenario Attack on UK Power Distribution (‘Integrated Infrastructure’) 6. Offshore Energy – MODU DP attack Version in development Different attack vector 7. Aviation – navigation control attack 8. Marine – ballast control system attack Version in development Different attack vector Lloyd's have opted to only require the Northeast Blackout (Erebos) Scenario for future reporting 11

  12. Cyber Catastrophe Scenarios for Insurance Accumulation Management – Assessment of PMLs  Work started in June 2016 and continuing through 2018 – Enhancements to RMS Cyber Accumulation Management System (v2.0) o Development of silent cyber scenarios o Reparameterize of affirmative scenarios o Cyber Risk Landscape 2017 report – Research to Support Development of Account-Specific Cyber Accumulation Analytics o Probabilistic cyber risk assessment modelling method review o Compilation of cyber data exfiltration incidences o Cyber account differentiation database 12

  13. Cyber Terrorism Phase 1  Report to be launched soon: – Several cyber terrorism scenario narratives – Cyber capabilities of various terrorist groups – Current methods of monitoring and Mortality Rate Physical Damage Plausibility defending against 2.3 Airplane 8 10 6 cyber terrorism Cyber Hijack 7 10 7 5.4 Eurostar Fire – Insuring cyber 9.1 Chemical Reactor 10 10 9 terrorism Explosion 10.1 Ordnance 8 10 5 Target 13

  14. Cyber Terrorism Phase 2  Current terrorism research activities – Develop structured approach to monitoring and producing a regular view on emerging cyber terrorism threats o Alerts and threat reports – Further cyber terrorism scenario development – Economic and societal loss estimation for cyber and non-cyber terrorism events 14

  15. Cyber in Project Pandora Cambridge Global Risk Index 2017  Cyber attack severities are increasing – Major recent cyber hacks Cyber have consistently broken attack previous records o Largest ever data exfiltration attacks (Yahoo 1 billion records Cyber attack on Ukrainian power grid cut power to 225,000 people; Dec 2015 and Mossack Fonseca 2.6 Tbytes) ShadowBroker cyber hack released NSA exploits to public; Aug 2016 o Largest known attempted cyber bank theft (Lazarus SWIFT $1Bn attempt) o Largest Denial of Service attacks: 1,000 Gbps o Shadowbroker hack released NSA cyber weaponry to public  Updated the Global Risk Index model to reflect increase in severity of cyber scenario 15

  16. Engagement, Outreach and Collaboration  Engagement (UK, EU, US) – Industry (Insurance, Power, CyberGreen...) – Regulators (PRA, Lloyd’s, OfGen, NERC...) – Government (Cab Office, DECC, GCHQ, CPNI...)  Outreach – Launch events – Conferences – Data standards  Collaboration – Subject Matter Experts – Academia (ITRC...) – Consultants 16

  17. Cyber Research Projects 2017  Enhancements to RMS Cyber Accumulation Management System (v2.0)  Research to Support Development of Account- Specific Cyber Accumulation Analytics – Hosting Cyber Probabilistic Modelling Workshop on 27 July 2017 in Cambridge  Cyber Terrorism Phase 2  Cyber in Project Pandora and the Cambridge Global Risk Index 2017 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017

What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017

Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017 Management Summary Research Approach: Overview of the main research topics in the fields of cyber risk and

579 views • 12 slides
Mark Fernandes Principal, Cyber Risk Services + FUTURE OF CYBER CYB CYBER SINGU GULAR ARIT

Mark Fernandes Principal, Cyber Risk Services + FUTURE OF CYBER CYB CYBER SINGU GULAR ARIT

Mark Fernandes Principal, Cyber Risk Services + FUTURE OF CYBER CYB CYBER SINGU GULAR ARIT ITY How cyber is becoming a key aspect of the ubiquity generation. CYBER SUMMIT More to come 3 2018 Deloitte Cyber Risk Services 4 2018

514 views • 19 slides
Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management Association Date: August 18, 2016 Agenda An Overview of Cyber Risk Exposures 1. Legal & Regulatory Trends 2. Marshs Cyber Risk Management

649 views • 31 slides
Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk Challenges in Assessing and Mitigating Cyber Risk Mustaque Ahamad, Saby Mitra and Paul Royal Georgia Tech Information Security Center Georgia Tech

763 views • 16 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to

Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to

Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to prepare for Cyber Risk: 3 2 1 Understand the tech & Cyber insurance Focus on company interconnected risks culture 2 Policy: Protection &

774 views • 18 slides
Utilization of CCRs on Coal Mining Sites; Where are We? W. Lee Daniels -- Virginia Tech A Short

Utilization of CCRs on Coal Mining Sites; Where are We? W. Lee Daniels -- Virginia Tech A Short

Utilization of CCRs on Coal Mining Sites; Where are We? W. Lee Daniels -- Virginia Tech A Short History of Fly Ash USEPA delisted fly ash and related coal combustion residuals (CCRs) in the early 1990s from RCRA-C designation.

414 views • 23 slides
Cyber Risk as Systemic Risk Jon Danielsson Systemic Risk Centre London School of Economics

Cyber Risk as Systemic Risk Jon Danielsson Systemic Risk Centre London School of Economics

Introduction Systemic Risk Cyber as systemic Conclusion Cyber Risk as Systemic Risk Jon Danielsson Systemic Risk Centre London School of Economics www.systemicrisk.ac.uk June 10 th 2016 Introduction Systemic Risk Cyber as systemic

351 views • 24 slides
Assessing your Cyber Risk A Real Life Case Study Presented by: Liz Limjuco, Marsh Mike Paulino,

Assessing your Cyber Risk A Real Life Case Study Presented by: Liz Limjuco, Marsh Mike Paulino,

Assessing your Cyber Risk A Real Life Case Study Presented by: Liz Limjuco, Marsh Mike Paulino, CSG International Cindy Stevens, Colorado Springs Utilities Agenda What is Cyber Insurance Overview of Cyber Risk Quantifying Cyber

508 views • 23 slides
Slide 10 minutes (11) What actions 3 have you had the opportunity to REFLECTION implement

Slide 10 minutes (11) What actions 3 have you had the opportunity to REFLECTION implement

Slide 1/2 minute 1 Welcome participants to 3rd and final CCRS Meeting for 2016-2017 school CCRS Meeting # 3 year. Planning for Mathematical Rigor (Facilitator Note: When facilitating, remember your audience is MATH

175 views • 6 slides
PREDICTIVE MODELING CONFERENCE Data Workshop Cyber Risk Models Loss Aggregation Models

PREDICTIVE MODELING CONFERENCE Data Workshop Cyber Risk Models Loss Aggregation Models

PREDICTIVE MODELING CONFERENCE Data Workshop Cyber Risk Models Loss Aggregation Models Advisens Data Assets CYBER RISK MODELS Cyber Case Count over Time Cyber Cases Entered per Day Case Type Composition Total : 21,817 Distribution

967 views • 51 slides
CYBER SECURITY Nick Kervin Partner, IT Advisory August 2017 Page 1 CYBER SECURITY Overview

CYBER SECURITY Nick Kervin Partner, IT Advisory August 2017 Page 1 CYBER SECURITY Overview

CYBER SECURITY Nick Kervin Partner, IT Advisory August 2017 Page 1 CYBER SECURITY Overview 1. What is at risk? 2. Global industry trends 3. BDO/AusCERT survey 4. Recent cyber case studies 5. Cyber risk mitigation strategies Page

481 views • 35 slides
Cyber Risk Trends: Q1 2017 Sponsored By: Cyber Risk Trends: Q1 2017 Visit www.advisenltd.com at

Cyber Risk Trends: Q1 2017 Sponsored By: Cyber Risk Trends: Q1 2017 Visit www.advisenltd.com at

Cyber Risk Trends: Q1 2017 Sponsored By: Cyber Risk Trends: Q1 2017 Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording of todays webinar Many Thanks to our Sponsor! About Advisen Advisen

530 views • 39 slides
Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The

Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The

Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The Evolution of Cyber Insurance Is Cyber Risk Already Insured? Cyber And Data Protection Is Not Just An IT Issue Case Study Cyber Risk Stakeholders The

1.03k views • 8 slides
EVERYTHING YOU WANTED TO KNOW ABOUT CYBER RISK But were afraid to ask! Rachel Burley, Lead

EVERYTHING YOU WANTED TO KNOW ABOUT CYBER RISK But were afraid to ask! Rachel Burley, Lead

EVERYTHING YOU WANTED TO KNOW ABOUT CYBER RISK But were afraid to ask! Rachel Burley, Lead Security Analyst, Diligent Josh Fruecht, Governance Advisor and Former Clerk, Diligent Tuesday, October 22 Agenda Recent research & common

448 views • 29 slides
Risk Mitigation Services in Cyber Insurance Underwriting Sponsored By: 1 Risk Mitigation

Risk Mitigation Services in Cyber Insurance Underwriting Sponsored By: 1 Risk Mitigation

Risk Mitigation Services in Cyber Insurance Underwriting Sponsored By: 1 Risk Mitigation Services in Cyber Insurance Underwriting www.advisenltd.com Paper Beware the Botnets: Botnets Correlated to a Higher Likelihood of a Significant

671 views • 22 slides
Secure application development with AOP Nils Durner <ndurner@web.de> 1 Outline of the

Secure application development with AOP Nils Durner <ndurner@web.de> 1 Outline of the

Secure application development with AOP Nils Durner <ndurner@web.de> 1 Outline of the talk Introduction to Aspect Oriented Programming Examples for uses of AOP for security AOP & Memory safety Future work 2 What is

870 views • 59 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
An Examination of Security in Web Applications Brian Booth Luis Sanchez Jeremy Hancock Simon

An Examination of Security in Web Applications Brian Booth Luis Sanchez Jeremy Hancock Simon

An Examination of Security in Web Applications Brian Booth Luis Sanchez Jeremy Hancock Simon Timms Dr. Osmar Zaiane Cmput 410 Introduction As we enter full force into the information age more and more of our lives involves utilizing the

303 views • 14 slides
www.ren-isac.net soc@ren-isac.net 317.274.7228 What is an ISAC? Information

www.ren-isac.net soc@ren-isac.net 317.274.7228 What is an ISAC? Information

www.ren-isac.net soc@ren-isac.net 317.274.7228 What is an ISAC? Information Sharing and Analysis Centers Presidential Decision Directive-63 (PDD-63), signed May 22, 1998 The federal government asked each critical

537 views • 20 slides
CYBER SECURITY By Sachin Dedhia CISA, CEH, ISO 27001 L.A., Ethical Hacker & Digital

CYBER SECURITY By Sachin Dedhia CISA, CEH, ISO 27001 L.A., Ethical Hacker & Digital

CYBER SECURITY By Sachin Dedhia CISA, CEH, ISO 27001 L.A., Ethical Hacker & Digital Forensics Expert Founder Skynet Secure Solutions , skynetsecure.com Email : Sachin@skynetsecure.com Phone : 91- 9867700095 Web Conference Security

828 views • 11 slides
Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James Kasten, Michael Bailey, J.

Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James Kasten, Michael Bailey, J.

Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James Kasten, Michael Bailey, J. Alex Halderman University of Michigan Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric HTTPS and TLS How does HTTPS and the CA ecosystem

449 views • 24 slides
Cryptography (+ Web Security): Certificates Spring 2015

Cryptography (+ Web Security): Certificates Spring 2015

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography (+ Web Security): Certificates Spring 2015 Franziska (Franzi) Roesner

505 views • 21 slides
We believe that we are on the verge of the Internet of Things explosion. Now is the time to make

We believe that we are on the verge of the Internet of Things explosion. Now is the time to make

We believe that we are on the verge of the Internet of Things explosion. Now is the time to make sure that IoT incorporates everything weve learned about digital security and infrastructure resiliency over the last 20 years of the Internet.

661 views • 50 slides

More recommend