Cybersecurity Risks · Data Exfiltration AV not effective - more than 200,000 new blacklist...
Cybersecurity Risks: Is your Organization Prepared?
► CAACM
► 10 June 2016
Page 1
We don’t know what we don’t know
There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don't know we don't know, and if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones. (Donald Rumsfeld, US Secretary of Defense, 2001 to 2006)
Cybersecurity – CAACM
Page 2
Definition
CYBERSECURITY:
► Merriam-Webster: Measures taken to protect a computer or computer system against unauthorized access or attack
► TechTarget: Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cybersecurity
► In the recent past, $13 billion US federal government investment was planned over the next 5 years for cybersecurity – President Obama included $14 billion for cyber security spending in his 2016 budget
► Department of Homeland Security increased its cyber security budget 500 percent during the past two years
Page 3
Information Security vs Cybersecurity
Information security deals with information, regardless of its format. It includes:
• Paper documents
• Digital and intellectual property
• Verbal or visual communications
Cybersecurity is concerned with protecting digital assets. It includes:
• Networks
• Hardware
• Software
• Information that is processed, stored or transported by internetworked IS
Source: ISACA, 2015
Page 4
Cybercrime – Attack on digital systems
► Cyber threat/fraud: phishing, hacking, malware, ransomware, record invasion, SQL injections
► Cyber espionage: data theft, web intrusion
► Cyberterrorism: critical infrastructure attacks, communications disruption (DoS), system failures, extortion
► Cyber warfare: state-sponsored attacks
► Cyber-attacks are costing businesses $400 to $500 billion a year, and this does not include the large number of cyber-attacks which are not reported --- Forbes, 2015
► Cyber attacks cost businesses $400 billion every year — Lloyd’s of London, 2015
Page 5
The number of cybersecurity incidents has skyrocketed in recent years (timeline, 2013 to 2015):
► 12/19/2013 – Target Corporation: 70M credit card info stolen
► 1/10/2014 – Neiman Marcus: 1.1M credit cards compromised
► 8/20/2014 – The UPS Store: 100K transactions compromised through a virus
► 9/2/2014 – Home Depot: 56M credit cards compromised
► 2014 – 5 million Gmail passwords leaked
► 2014 – eBay: 145 million customers' data stolen
► 2015 – Chinese APT steals terabytes of US Gov. data
I am convinced that there are only two types of companies: those that have been hacked and those that will be, and even they are converging into one category, companies that have been hacked and will be hacked again.
….. Robert S. Mueller, Director, Federal Bureau of Investigation
Who next???
FBI portal, OPM, Experian/T-Mobile, Ashley Madison ……
Page 6
The Breaches Continue in 2016
► Hyatt card breach hit 250 hotels in 50 nations… Jan 2016
► U.S. Department of Justice breach… Feb 2016
► IRS breach recounted from 100,000 to 700,000… Feb 2016
► Swift hack – 81M missing from Bangladesh Bank… Feb 2016
► Verizon Enterprise Solutions hack – 1.5M customers… Mar 2016
► Philippines Commission on Elections – 55M persons… Mar 2016
► Trump Hotels breached again… April 2016
► LinkedIn – 117M email passwords for sale… May 2016
► 272 million email accounts compromised… May 2016
Page 7
Threats
Page 8
Evolution of threats
► Unsophisticated attackers (script kiddies): You are attacked because you are on the internet and have a vulnerability.
► Sophisticated attackers (hackers): You are attacked because you are on the internet and have information of value.
► Corporate espionage (insiders): Your current or former employee seeks financial gain from selling your IP.
► State-sponsored attacks / Advanced Persistent Threat (APT): You are targeted because of who you are, what you do, or the value of your IP.
Page 9
The Cyber-threat spectrum (indicative threat sophistication, lower to higher)
► Who: Lone casual ‘hobbyists’, opportunistic attackers | Why: Curiosity, mischief, malice | What: Website defacement or opportunistic hacking
► Who: Anonymous, ideological ‘hacktivism’ | Why: Disruption, humiliation, political aims | What: Denial of service, social media, data breaches
► Who: Organised criminals, malware | Why: Financial gain via online fraud and extortion | What: Mainstream malware: Trojans and ransomware
► Who: Advanced persistent threat | Why: IP theft, financial gain via espionage | What: Targeted malware, corporate espionage
► Who: Nation state-sponsored cyberattack | Why: Large-scale IP theft, critical infrastructure disruption | What: Diplomatic espionage, cyber sabotage
Page 10
Attack Types
Trojan Horse
Botnet
Spyware
Rootkit
Cross site scripting
Man in the middle
Phishing
APT
Denial of Service
SQL Injection
Ransomware
Spoofing
The malware used in the Sony hack would have slipped past 90 percent of defenses today. — Joseph Demarest, assistant director of the FBI’s cyber division, during a U.S. Senate hearing
Page 11
Who/What are the APT?
► “APT” is a term developed by the US Air Force to talk about classified groups and capabilities in an unclassified medium – Advanced Persistent Threat
► APT refers to “specific actors, not shadowy Internet forces”
► “They are not opportunistic” – they have specific targets on their list and a specific set of collection requirements to be fulfilled
► Incidents are not “hit-and-run” or “smash-and-grab”
► They study their target, develop the avenue of approach, gain access, elevate privileges, and attempt to remain hidden to persist in the target environment.
► Where are the APT sources? (https://www.sans.org/reading-room/whitepapers/hackers/finding-advanced-persistent-adversary-35512)
APTs circumvent traditional controls: the attacker gets past your existing defenses, goes undetected and continues to cause damage.
Page 12
What an APT attack looks like
Attack steps:
1. Background Research
2. Initial Attack
3. Establish Foothold
4. Enable Persistence
5. Enterprise Recon
6. Move Laterally
7. Escalate Privilege
8. Gather & Encrypt Data
9. Maintain Presence
10. Steal Data
Phases: Intelligence Gathering, Initial Exploitation, Command & Control, Privilege Escalation, Data Exfiltration
AV not effective – more than 200,000 new blacklist signatures each day.
► The primary attack target:
► Is NOT a computer
► Is the HUMAN USER
Page 13
Breaches/Data loss around the world
Source: Datalossdb.org
Increasing count of security breaches
Page 14
Internal vs. External breach stats
Source: Datalossdb.org
Page 15
Breach Causes
Page 16
The cost of a breach – 3 sample companies (cost per record, US$)
Company A: Low-profile breach in a non-regulated industry
Company B: Low-profile breach in a regulated industry
Company C: High-profile breach in a highly regulated industry

Category | Description | A | B | C
Discovery, notification, and response | Outside legal counsel, mail notification, calls, call center, and discounted product offers | $50 | $50 | $50
Lost employee productivity | Employees diverted from other tasks | $20 | $25 | $30
Opportunity cost | Customer churn and difficulty in getting new customers | $20 | $50 | $100
Regulatory fines | FTC, PCI, SOX | $0 | $25 | $60
Restitution | Civil courts may ask to put this money aside in case breaches are discovered | $0 | $0 | $30
Additional security and audit requirements | The security and audit requirements levied as a result of a breach | $0 | $5 | $10
Other liabilities | Credit card replacement costs. Civil penalties if specific fraud can be traced to the breach | $0 | $0 | $25
Total cost per record | | $90 | $155 | $305
Source: Forrester Research, Inc.
Page 17
What EY is seeing with Organizations today
Goal (We will try to …) | Headline (We were able to …) | Root causes
Get into the corporate network | Get local privilege in < 6 minutes | User complacency
Escalate privileges | Control the network in < 12 hours | Privileged accounts not properly protected
Move around the network | Go anywhere | Flat global network
Masquerade as another user | Be anyone | Weak baseline technical controls
Transfer funds | Move money out of corporate bank accounts | AP clerk with local admin privs
Impact production | Affect shop floor production & safety | Factory systems directly connected to network
Find intellectual property | Find corporate crown jewels | Lack of intellectual property inventory and control
Steal intellectual property | Take copies of anything & everything | Limited outbound content inspection
Page 18
Cyber security is increasingly an issue forbusinesses
Page 19
What does it mean to you?
► Damage to your brand/reputation
► Loss of competitive advantage
► Legal/regulatory noncompliance (e.g., PCI) – fines, lawsuits
Average time to detect an advanced threat is 197 days and to contain is 39 days — Ponemon Institute LLC, May 2015
► The cost of a breach to an organization increases the longer a breach goes undetected.
► The value of the data to an attacker decreases dramatically after a breach is detected and reported.
Page 20
How we see it – Fighting to close the gap
(Chart: the gap widens, 2006 to 2015)
The cybersecurity landscape is improving, but the bad guys seem to always be a step ahead
Page 21
Tackling the “right risks” in the “right way”
Organizations need to ask:
► Do we understand our risks?
► How much can we do to manage the residual risk?
► Are we prepared to accept a certain level of risk?
► What can we attempt to control and what do we need to accept is out of our control (for example, world events and changes in local regulations)?
► Within their defined ecosystems, organizations need to continually reassess relationships and risks, adjusting as the business evolves.
► Agility is needed to react to uncontrollable factors that affect every business in similar, but distinct, ways.
► Today’s security programs must enable business objectives and defend against threats while investing in the right priorities.
Page 22
What companies should be focused on
Identify the real risks
► Define the organization's overall risk appetite and how information risk fits
► Identify the most important information and applications, where they reside and who has/needs access
► Assess the threat landscape and develop predictive models highlighting your real exposures
Protect what matters most
► Develop a security strategy focused on business drivers and protecting high-value data
► Assume breaches will occur – improve processes that plan, protect, detect and respond
► Balance fundamentals with emerging threat management
► Establish and rationalize access control models for applications and
Sustain an enterprise program
► Get governance right – make security a board-level priority
► Allow good security to drive compliance, not vice versa
► Measure leading indicators to catch problems while they are still small
► Accept manageable risks that improve performance
Optimize for business performance
► Align all aspects of security (information, privacy, physical and business continuity) with the business
► Spend wisely in controls and technology – invest more in people and processes
► Selectively consider outsourcing operational security program areas
Enable business performance
► Define everyone's responsibility
► Don't restrict newer technologies; use the forces of change to enable them
► Broaden program to adopt enterprise-wide information risk management concepts
► Set security program goals/metrics
Page 23
A CRITICAL STEP: Understand what you need to protect
► Does your organization really know what types of sensitive data are held?
► Do you know what your crown jewels are?
► The business must be involved in data identification, classification and risk assessment.
► Data identification must include both structured and unstructured data throughout the enterprise, as well as data held by third parties.
► What has been done to ensure the security program is properly aligned with the business?
Page 24
Data identification – Example data types
Corporate data: price/cost lists; target customer lists; new designs; source code; formulas; pending patents; intellectual property
Personally identifiable data: full name; birthday, birthplace; biometric data; genetic information; credit card numbers; national identification number, passport numbers; driver's license number, vehicle registration number
Transaction data: bank payments; B2B orders; vendor data; sales volumes; purchase power; revenue potential; sales projections
Customer data: customer list; spending habits; contact details; user preference; product customer profile; payment status; contact history
Page 25
Personal information and data classification
Common data classification levels, with examples of personal information mapping:
► Restricted: Credit card numbers; Social Security numbers; Health information
► Confidential: Customer lists; Customer financial account information; Employee records
► Internal use only: Corporate directories; Market research; Prospective customer lists (maybe)
► Approved for public release: Customer sales points of contact; Customer testimonials; Mortgage listings
► How many copies of your crown jewels are out there? How many are currently being covertly funneled out of your organization?
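As an added illustration of what "data identification" over unstructured data can look like in practice (this is example code written for this page, not EY's tooling), the Python below scans free text for two of the Restricted-level identifiers named in the mapping above, credit card numbers and Social Security numbers, validates card candidates with the Luhn check digit so that ordinary long reference numbers are not flagged, masks what it finds so that the scanner's own output is safe to log, and rolls the findings up to the highest classification level present. The regular expressions, the low-to-high ordering of the four levels and the sample help-desk text are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Classification levels from the mapping above, ordered low to high (assumed ordering).
LEVELS = ["Approved for public release", "Internal use only", "Confidential", "Restricted"]

# Identifier kind -> classification level, as the page maps them.
KIND_TO_LEVEL = {"credit_card": "Restricted", "ssn": "Restricted"}

# Candidate patterns (constructed for this example; not an exhaustive DLP rule set).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str            # "credit_card" or "ssn"
    masked: str          # only the last four digits survive, so findings can be logged
    classification: str  # level from KIND_TO_LEVEL


def scan_text(text: str) -> List[Finding]:
    """Find regulated identifiers in free text and report them masked."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # The Luhn check filters out invoice numbers and other long digit runs.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("credit_card", masked, KIND_TO_LEVEL["credit_card"]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:], KIND_TO_LEVEL["ssn"]))
    return findings


def classify_document(text: str) -> Optional[str]:
    """Highest classification level implied by the identifiers found, or None if none."""
    found = scan_text(text)
    if not found:
        return None
    return max((f.classification for f in found), key=LEVELS.index)


# Constructed sample: a help-desk note mixing a Luhn-valid test card number, an
# SSN-shaped value and a 13-digit invoice number that must NOT be flagged.
SAMPLE = (
    "Ticket 4471: customer says card 4111 1111 1111 1111 was declined.\n"
    "HR note: new hire SSN 123-45-6789, start date Monday.\n"
    "Invoice 1234567890123 paid in full; contact alice@example.test.\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"{f.kind:12} {f.masked:20} -> {f.classification}")
    print("document level:", classify_document(SAMPLE))
```

Run on the sample, the scanner reports one masked card number and one masked SSN, ignores the invoice number (it fails the Luhn check), and classifies the note as Restricted; a note with no such identifiers yields no level rather than a false "public" verdict, which is the conservative default a practitioner wants before the business has reviewed the data.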
Page 26
Cybersecurity – Let’s summarize
► Cybersecurity is far beyond being an IT issue
► Cybersecurity risks are a top-three concern worldwide
► Inherent interconnectivity and digitization increases the vulnerable surface areas for persons, organizations and countries
► All business-as-usual activities now have a cyber dimension
► The adoption of mobile and cloud-based operations and services dramatically increases and changes the risk landscape of our professional and personal lives.
Are you prepared to protect the “crown jewels”? Can you answer “yes” to these five key questions?
1. Do you know what you have that others may want?
2. Are your business plans making your assets more vulnerable?
3. Do you understand how these assets could be accessed or disrupted?
4. Would you know if you were attacked or compromised?
5. Do you have a plan to react to an attack and minimize the harm caused?
Valued assets: Intellectual property; People information; Financial information; Business information (strategy, performance, transactions)
Being attacked is unavoidable
Page 27
The Cybersecurity Program Management (CPM) Framework
A robust framework needs to be implemented
Page 28
NIST Framework focus
► Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
► Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
► Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
► Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
► Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Page 29
Some Fundamentals you should consider
► Identify, understand and classify your assets
► Formulate security governance team for oversight, policy making
► Align to framework/standard – ISO 2700X, ENISA, CobIT, NIST, etc.
► Implement blend of prevent and detect controls – people, process, technology
► Privileged accounts – use conservatively; vault; monitor
► Incident management – Consider SOC; develop strong IR program
► Train users
► Measure, measure, measure
► Use ‘Deming Cycle’ for IS program – Plan, Do, Check, Act
Page 30
Questions or Comments
Page 31
EY contacts:
Arnold Niranjan, Advisory Service Line Leader, +1 868 822 6240 | [email protected]
Hema Narinesingh, Partner, Advisory Services, +1 868 822 5030 | [email protected]
Anil Persad, Senior Manager, Advisory Services, +1 868 822 6165 | [email protected]
Why we are chosen
• Leader in security consulting
• Deep local and international professional resources certified in ISMS/ISO 27001 implementation
• EY has implemented and certified global enterprises in ISMS/ISO 27001/SOC (Google, Amazon, etc.)
• Supported by professionals in key risk and compliance disciplines such as internal control, internal audit, information security, IT compliance, privacy, business continuity and others
• Guided by the Risk Transformation Innovation Board, taking forward the advice of the world’s leading risk specialists in industry
• Relentless focus on helping clients reduce risk, lower the cost of compliance and improve business performance
• Culture of delivering a superior client experience
EY