Cyber Security Trends | DTMEnoufexpo.com.kw/egov1/images/sixth.pdfthat unknown hackers were able to...

Cyber Security Trends | DTME

The Strategic Implications of Cyber Security

E-Government Forum

Courtyard Marriott

11-13 November 2013

Presented By:

Fadi Mutlak, Security & Privacy Leader Middle East

1. The Current Threat Landscape

2. Top 10 Cyber Risk

3. Guiding Principals for Cyber Security

5. Q&A

Table of Contents

The Current Threat Landscape

@ 2013 Deloitte & Touche M.E. Strategic Implications of Cyber Security 4

Breach Incidents are happening more frequently…

In response to the rapid growth in both the sophistication and intensity of attacks basic defensive measures and operations

while remaining important are just the starting point


The digital revolution is driving business innovation and growth, yet also exposing us to new and emerging threats.

Digital Revolution

According to a recent McKinsey & Co. report

• There are 2 Billion internet users worldwide

• Internet account 3.4% of GDP in 13 Largest Countries (by GDP)

• 21% of GDP growth in the last 5 years in mature countries

• 2.6 jobs created for 1 job lost

• 75% of internet impact arises from traditional industries

The World Economic Forum recognizes that the risks, rewards and governance of the networked economy are

core issues of the global agenda and fundamental for sustainable growth and stability.


Cyber Resiliency Maturity Model

• Organization sees cyber

risk as largely irrelevant

• Cyber does not form part

of the organizations risk

management processes.

• Organization recognizes

hyper connectivity as a

potential source of risk

• Limited insight in its

cyber risk management

practices

• Siloed approach to cyber

risk with fragmented and

incidental reporting

• Chief Executive Officer

has set the tone for


• Top-down threat-risk

response program

• Organization does not

view cyber risk

management as a

competitive advantage

• Organizations leadership

takes full ownership of


and has developed

policies and framework

including responsibilities

and reporting

• Holistic view of

vulnerabilities, controls

and interdependencies

with third parties

• Highly connected to

peers and partners,

sharing information and

jointly mitigating cyber

risk as part of their day

to day operations.

• Exceptional cyber

awareness and the

organization is an

industry leader in

managing cyber risk

management.


Global Cyber Crime Statistics

≈ 1.6M New cyber

threats are being

Identified everyday

globally

The Major Motivation Behind Cyber Attacks

Top 10 Industries Attacked in 2012

Cyber Crime Hacktivism Cyber Warfare Cyber Espionage

1 in 10 Social Network Users said they’d fallen

victim to a scam or fake link on social networking

platforms ≈ 230M Users

45% 45% 3% 7%

1%

2%

2%

2%

8%

10%

12%

17%

19%

24%

Transportation

Aerospace

Retail

Whole Sale

Services - Professional

Energy & Utilities

Government

Services - Non Traditional

Financial Institutions

Manufacturing

Of business experienced at

least one security event

Of attacks occurred due to

malware infection

Of companies noticed increase

in the number of cyber attacks

Of attacks due to

Vulnerable software

Lost business data


The Cost of Cyber Crime

$8,933,510

$5,950,725 $5,154,447

$3,386,201 $3,252,912

USAGermanyJapanAustraliaUK

Estimated Annual

Cyber Crime Cost

To Consumers

≈ $114B USD

Estimated Annual

Total Cost of Cyber Crime

Consumers, Government

and Business

≈ $444B USD

2013 Avg per Capita

Cost per Data Breach

≈ $194 USD

2013 Avg # of

breached Records

per incidents

≈ 28,765

Largest # of breached

records in history

≈ 130M

Estimated Total Cost

(Indirect / Direct) of

Largest breach

≈ $7.8B USD

2013 Avg Total Cost

(Indirect / Direct) of

Data Breach

≈ $5.4M USD

2009 Avg per Capita

Cost per Data Breach

≈ $60 USD

Average Cost of Cyber Crime vs. Organization Size

2012 Largest Single

Cyber Crime Cost

≈ $46M USD

Estimated # of Adults that

fell victim to Cyber Crime

≈ 431M Adults

$1,650,976 $2,872,913 $2,832,962 $3,180,182

$5,167,657 $5,440,553 $4,611,172

$7,576,693 $8,664,578

$15,567,136

$17,455,124

$18,795,950

2010 2011 2012

0 > 32K

33K > 64K

64K > 96K

97K > 128K

Average Cost of Cyber Crime by Country


Cyber Attacks Targeting Governments

Feb 2013 – Cyber Crime,

Hacktivism.

April 2013 – Cyber

Crime, Hacktivism

Mar 2013 – Cyber Crime,

Cyber Espionage,

Hacktivism.

Jan 2013 – Cyber Crime,

Hacktivism.

July 2013 – Cyber

Espionage, Cyber

Warfare, Hacktivism.

Aug 2013 – Targeted

Cyber Attack, Cyber

Espionage, Hacktivism.

These attacks have been launched since January 2013

May 2013 – Cyber

Crime, Cyber Warfare,

Hacktivism.

June 2013 – Cyber

Warfare, Cyber Crime,

Hacktivism.

Sep 2013 – Cyber

Espionage, Hacktivism.

Recent Gov. Data

Compromises

• South Korean officials declare

that unknown hackers were able

to hack and release publicly

personal details of more than

2,000,000 South Korean ruling

party workers and 40,000 US.

troops, including those stationed

in South Korea

• The anonymous hacktivist Ieak

7GB of data from Azerbaijan

government owned Azerenergy.

• The Anonymous collective claims

that it had hacked into accounts

belonging to various members of

US Congress and their staffers,

publishing an online document

that shows 2.000 passwords

online.


This past year has been especially difficult on the Middle East and has seen cyber-attacks broadened in scope and complexity, targeting critical national infrastructure and the large establishments. The impact of such attacks was felt across the region, and an immediate urgency has materialized to address such risks.

According to Microsoft, the malware infection rate of countries in the Middle East was above the worldwide average in all four quarters of 2012 as depicted in the below graph

The Middle East on High Alert

0

5

10

15

20

25

30

35

1Q12 2Q12 3Q12 4Q12

Worldwide

UAE

KSA

Syria

Qatar

Palestine

Oman

Kuwait

Lebanon

Jordan

Iraq

Egypt

Bahrain

Q1 2012

Q2 2012

Q3 2012

Q4 2012

Q1 2013

Q2 2013

Q3 2013

Q4 2013

Cyber War ME

Syrian Electronic Army

Operation Petrol

Top 10 Cyber Risks


Top 10 Cyber Trends

1 Data as money 6 Privacy…global battle for

anonymity

2 Hijacked communications 7 IP…battle of knowledge

superpowers

3 Supply chain….the real insider

threat 8 Notification…new laws coming

to a country near you

4 Hacking…. already inside 9 Mobile…internet of things

5 Sitting targets…Boards of

Directors and Senior Execs 10 Crime sourcing – criminal

enterprises go Web 3.0


Personal information increasingly valuable

• User IDs, addresses, phone numbers, social security numbers, full names

and dates of birth

Data can be monetized quickly, at low risk

• Cybercrime now a $114B underground economy

Thefts are harder to detect and trace

• In several recent incidents, hackers have had undetected access to company

networks for more than a year

Data as money 1

The largest Cyber compromise in recent history is the Heartland Payment Systems with

130,000,000 records being compromise. The fines leveed by the payments card operators

alone were $68,198,380.00 while the estimated costs of compromise are ≈ $7,800,000,000.


Interrupted video feeds

• 37-second pornography video interrupted the feed of an NBC affiliate delivered to

Comcast subs during 2009 Super Bowl

Social media hacks

• False tweets claiming that President Barack Obama had been assassinated (Fox

news)

Downlinks

• $26 software program was used to hack into US drones… allowing unencrypted

military video to be viewed by insurgents

Hijacked communications 2

Computer hackers, possibly from the Chinese military, interfered with two U.S. government

satellites four times in 2007 and 2008 through a ground station in Norway, according to the final

draft of a report by a congressional commission


Malicious products

• According to Congressional testimony by DHS in 2011, electronics sold in

the United States are being preloaded with spyware, malware and security-

compromising components by unknown foreign parties

Cross-border partnerships

• Sprint/Nextel announced in 2010 that due to national security concerns, it

would be excluding two of China’s largest networking equipment

manufacturers Huawei and ZTE from a multi-billion dollar government

contract proposal

Supply chain….the real insider threat 3

Russia, China, India, Brazil, and elsewhere are responding to the threat to supply chains with

national laws that make increasing demands on technology firms dependent on location to

demonstrate security


Compromised partners

• EMC disclosed that it spent $66 million in its second quarter to deal with a

cyber attack that compromised its RSA Security division’s 40 million

customers. Hackers used the same command and control techniques that

infiltrated RSA to target 760 companies around the world.

New Approach

• The National Security Agency (NSA), which acts as the US government’s

primary cyber-security and code-breaking organization, recently stated that

their agency operates under the assumption that critical national security

systems have already been compromised.

Hacking ...already inside 4

“There’s no such thing as ‘secure’ any more. The most sophisticated adversaries are going to

go unnoticed on our networks. We have to build our systems on the assumption that

adversaries will get in.” – National Security Agency (2010)


Board of Directors

• Sensitive board documents at 300 companies that use NASDAQ OMX’s

board portal service may have been repeatedly compromised for over a

year by hackers, prompting an investigation by the FBI, the Secret Service

and the US Department of Justice

Senior Executives

• CEOs for Goldman Sachs and J.P. Morgan Chase were hacked in 2011,

posting personal addresses, business connections, political contributions ,

legal information, property values and court cases…including information

on family members as well

Sitting targets…Boards of Directors and Senior Execs 5

A survey of 70 international companies in 2011 found that information provided to members of

corporate boards of directors is often in unencrypted email accounts and computers, or

otherwise provided in forms that are easily lost, misplaced or stolen


Legal & Regulatory pressure

• In 2011, location tracking investigations have initiated in South Korea

France, Germany, Italy and the US over location tracking mobile users'

location without permission

• After calls for an investigation in 2011, OnStar reversed its proposed policy

changes and won’t keep data connection to customers’ vehicles after

OnStar service is canceled

• Facebook sued in 2011 for tracking users after they had logged off and

allegedly violating US wiretap law

Privacy…global battle for anonymity 6

Look into the Future? With continuous behavior tracking, marketers & technology companies

are beginning to generate predictions of consumer intent


Massive transfer of wealth

• Hackers using Internet servers in China broke into six U.S. and European

energy companies for over 5 years, resulting in the loss of “project-financing

information with regard to oil and gas field bids and operations.” It was

discovered that closely guarded national secrets, source code, bug databases,

email archives, negotiation plans and exploration details for new oil and gas

field auctions, document stores, legal contracts, SCADA configurations, design

schematics and much more among those hacked in a 5-year hacking campaign

• Affected companies include construction, energy production, technology,

telecommunications, media, sports, economics, finance and real estate in 14

countries

IP…battle of knowledge superpowers 7

"The key to these intrusions is that the adversary is motivated by a massive hunger for secrets

and intellectual property; this is different from the immediate financial gratification that drives

much of cybercrime”


Saudi Arabia

• The Saudi Arabian Monetary Agency (SAMA) In response to the evolving Threat

landscape SAMA has published a set of 21 requirements for IT Evaluation

Program as a means for banks to assess their current Information Security

Programs

EU

• New rules could potentially prohibit ad companies from tracking consumers

without their explicit consent

• Cross border data flows would place more accountability on the organization

(versus the government)`

Notification…new laws coming to a country near you 8

Some privacy advocates have called on the EU to get tougher with the United States and

require it to harden up the current mix of industry self-regulation


Trillions of identities

• Industry experts predict 1 trillion 'things' will be connected to the Internet -

everything from your body, car, alarm clock (and even cows)….each with an

identity

• Consumers can now be connected with objects to trigger related information,

recommendations and reviews

• Networked printers present a new scenario where cybercriminals can “lock up”

the data on a printer in exchange for money….and espionage, where

information can be stolen remotely

Mobile…internet of things 9

The next frontier? In 2011, researchers have shown showed they could infiltrate a vehicle

(including control over its engine and brakes) by attacking the Bluetooth connection used in

hands-free phone systems


Organized crime goes digital

• Cybercriminals now micro-tasks to specialists who write malware, people who

deploy it, who control and rent the botnets, receive goods bought with stolen

credit cards and do the money laundering. Criminals even offer SLAs (service

level agreements) and technical support lines

• Tools of the trade for cyber organized crime include malware like viruses, worms

and Trojans to harvest personal data….with over 268 million separate computer

malware having been identified on the internet today

• The crime market obeys the laws of supply and demand…after Sony lost the

details of almost 100 million customers, so much stolen credit card information

was available that underground prices dropped in response

Crimesourcing – criminal enterprises go Web 3.0 10

According to the recently released Norton Cyber Crime Report for 2011, 431 million adults

worldwide were victims of cyber crime last year

Deloitte Cyber: covering all the bases


Guiding Principals for Cyber Security Only when you have fully

understood your assets, the risks

that threaten them, and how these fit

into the overall threat landscape can

you determine what level of threat

maturity you need to defend against,

and where you draw the line to focus

on limiting the impact of a

successful attack.

2. Ensure close

alignment with

business goals

3. Prepare for the

worst

4. Share

intelligence

5. Instil a broad

awareness of

cyber security

1. Understand

your risk

appetite

It is not practical to prevent all forms

of cyber attack, especially those that

are particularly sophisticated and

targeted (‘APT’). You should ensure

you have the organisational and

technical capability to rapidly detect

and respond to a successful attack in

order to limit its impact.

Ensure that your strategic direction

for cyber security is in close

alignment with business goals, and

the organisation’s strategy for

achieving these. Focus effort on

defending the most strategically

important parts of the business, or

those that are being delivered in the

riskiest way.

Collaborate and share intelligence

with industry, national and

international cyber threat

intelligence organisations. By

sharing intelligence with other

organisations you will be in a

position to receive the benefit of

shared wisdom.

Your security is only as strong as

the weakest link; ensure that the

risks associated with cyber security,

and the steps that your organisation

is taking to combat these risks are

understood across the organisation,

from the board and senior

management, to all staff, partners

and third parties.

Cyber Video


Deloitte supported the creation of a short film to illustrate the complex topic of cyber security and help organizations understand

the huge impact a cyber attack could have.

The digital revolution has brought huge benefits in innovation and growth. But the heavy reliance of many business models on

the Internet brings exposure to new threats. Assets that were once physically protected are now available online; customer

channels are vulnerable to disruption; criminals have entirely new opportunities for theft and fraud. The barriers to cyber crime

are low, the methods increasingly sophisticated, and the risks of detection and capture are seen as small.

Protection against cyber crime must now be a priority for businesses. The issue should be considered as a strategic business

risk involving the organization as a whole from the Board downwards; not just a matter for IT. Organizations must look to build

their capability to cope with the evolving threat in order to satisfy customers, consumers, shareholders and regulators.

Is your organization prepared to deal with cyber threats? Have you considered what assets may be vulnerable? Do you know

what the business costs of a successful attack could be? How can you ensure your business is appropriately securing its

operations?

http://www.deloitte.com/view/en_GB/uk/services/audit/enterprise-risk-services/security-and-resilience/cyber/index.htm

Companies like yours



















About Deloitte:

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity.

Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries,

Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000

professionals, all committed to becoming the standard of excellence.

Deloitte's professionals are unified by a collaborative culture that fosters integrity, outstanding value to markets and clients, commitment to each other, and strength from cultural diversity. They enjoy an

environment of continuous learning, challenging experiences, and enriching career opportunities. Deloitte's professionals are dedicated to strengthening corporate responsibility, building public trust, and making

a positive impact in their communities.

About Deloitte & Touche (M.E.):

Deloitte & Touche (M.E.) is a member firm of Deloitte Touche Tohmatsu Limited (DTTL) and is the first Arab professional services firm established in the Middle East region with uninterrupted presence for over

87 years. Deloitte is among the region’s leading professional services firms, providing audit, tax, consulting, and financial advisory services through 26 offices in 15 countries with over 2,500 partners, directors

and staff. Deloitte has been annually classified as a Tier 1 Tax advisor in the GCC region since 2010 by the International Tax Review World Tax Rankings.

Cyber Security Trends | DTMEnoufexpo.com.kw/egov1/images/sixth.pdfthat unknown hackers were able to...

Documents

Transcript of Cyber Security Trends | DTMEnoufexpo.com.kw/egov1/images/sixth.pdfthat unknown hackers were able to...