Cybersecurity Risks · Data Exfiltration AV not effective - more than 200,000 new blacklist...

Cybersecurity Risks Is your Organization Prepared? CAACM 10 June 2016


Cybersecurity Risks: Is your Organization Prepared?

► CAACM

► 10 June 2016


Page 1

We don’t know what we don’t know

There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don't know we don't know, and if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones (Donald Rumsfeld, US Secretary of Defense, 2001 to 2006)

Cybersecurity – CAACM


Page 2

Definition

CYBERSECURITY:

► Merriam-Webster: Measures taken to protect a computer or computer system against unauthorized access or attack

► TechTarget: Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cybersecurity

► In the recent past, a $13 billion US federal government investment was planned over the next 5 years for cybersecurity; President Obama included $14 billion for cybersecurity spending in his 2016 budget

► The Department of Homeland Security increased its cybersecurity budget 500 percent during the past two years


Page 3

Information Security vs Cybersecurity

Information security deals with information, regardless of its format. It includes:

• Paper documents

• Digital and intellectual property

• Verbal or visual communications

Cybersecurity is concerned with protecting digital assets. It includes:

• Networks

• Hardware

• Software

• Information that is processed, stored or transported by internetworked IS


Source: ISACA, 2015


Page 4

Cybercrime – Attack on digital systems

► Cyber threat/fraud: phishing, hacking, malware, ransomware, record invasion, SQL injections

► Cyber espionage: data theft, web intrusion

► Cyberterrorism: critical infrastructure attacks, communications disruption (DoS), system failures, extortion

► Cyber warfare: state sponsored attacks


► Cyber-attacks are costing businesses $400 to $500 billion a year, and this does not include the large number of cyber-attacks which are not reported (Forbes, 2015)

► Cyber attacks cost businesses $400 billion every year (Lloyd's of London, 2015)


Page 5

The number of cybersecurity incidents has skyrocketed in recent years (2013 to 2015):

► 12/19/2013 Target Corporation: 70M credit card records stolen

► 1/10/2014 Neiman Marcus: 1.1M credit cards compromised

► 8/20/2014 The UPS Store: 100K transactions compromised through a virus

► 9/2/2014 Home Depot: 56M credit cards compromised

► 2014: 5 million Gmail passwords leaked

► 2014 eBay: 145 million customers' data stolen

► 2015: Chinese APT steals terabytes of US Gov. data

► Who next??? FBI portal, OPM, Experian/T-Mobile, Ashley Madison …

I am convinced that there are only two types of companies: those that have been hacked and those that will be, and even they are converging into one category, companies that have been hacked and will be hacked again

….. Robert S. Mueller, Director, Federal Bureau of Investigation


Page 6

The Breaches Continue in 2016

► Trump Hotels breached again … April 2016

► Hyatt card breach hit 250 hotels in 50 nations … Jan 2016

► LinkedIn: 117M email passwords for sale … May 2016

► 272 million email accounts compromised … May 2016

► U.S. Department of Justice breach … Feb 2016

► IRS breach recounted from 100,000 to 700,000 … Feb 2016

► Verizon Enterprise Solutions hack: 1.5M customers … Mar 2016

► Philippines Commission on Elections: 55M persons … Mar 2016

► SWIFT hack: $81M missing from Bangladesh Bank … Feb 2016


Page 7

Threats


Page 8

Evolution of threats

► Unsophisticated attackers (script kiddies): You are attacked because you are on the internet and have a vulnerability.

► Sophisticated attackers (hackers): You are attacked because you are on the internet and have information of value.

► Corporate espionage (insiders): Your current or former employee seeks financial gain from selling your IP.

► State-sponsored attacks, Advanced Persistent Threat (APT): You are targeted because of who you are, what you do, or the value of your IP.


Page 9

The Cyber-threat spectrum (who, why, what), ordered from higher to lower indicative threat sophistication:

► Who: Nation state-sponsored cyberattack. Why: large-scale IP theft, critical infrastructure disruption. What: diplomatic espionage, cyber sabotage

► Who: Advanced persistent threat. Why: IP theft, financial gain via espionage. What: targeted malware, corporate espionage

► Who: Organised criminals, malware. Why: financial gain via online fraud and extortion. What: mainstream malware: Trojans and ransomware

► Who: Anonymous, ideological 'hacktivism'. Why: disruption, humiliation, political aims. What: denial of service, social media, data breaches

► Who: Lone casual 'hobbyists', opportunistic attackers. Why: curiosity, mischief, malice. What: website defacement or opportunistic hacking


Page 10

Attack Types


Trojan Horse

Botnet

Spyware

Rootkit

Cross site scripting

Man in the middle

Phishing

APT

Denial of Service

SQL Injection

Ransomware

Spoofing

The malware used in the Sony hack would have slipped past 90 percent of defenses today. — Joseph Demarest, assistant director of the FBI's cyber division, during a U.S. Senate hearing


Page 11

Who/What are the APT?


► “APT” is a term developed by the US Air Force to talk about classified groups and capabilities in an unclassified medium: Advanced Persistent Threat

► APT refers to “specific actors, not shadowy Internet forces”

► “They are not opportunistic”: they have specific targets on their list and a specific set of collection requirements to be fulfilled

► Incidents are not “hit-and-run” or “smash-and-grab”

► They study their target, develop the avenue of approach, gain access, elevate privileges, and attempt to remain hidden to persist in the target environment.

► Where are the APT sources? (https://www.sans.org/reading-room/whitepapers/hackers/finding-advanced-persistent-adversary-35512)

► APTs circumvent traditional controls: an APT gets past your existing defenses, goes undetected and continues to cause damage


Page 12

What an APT attack looks like

Attack stages:

1. Background Research

2. Initial Attack

3. Establish Foothold

4. Enable Persistence

5. Enterprise Recon

6. Move Laterally

7. Escalate Privilege

8. Gather & Encrypt Data

9. Maintain Presence

10. Steal Data

Corresponding phases: Intelligence Gathering, Initial Exploitation, Command & Control, Privilege Escalation, Data Exfiltration

AV not effective: more than 200,000 new blacklist signatures each day.

► The primary attack target is NOT a computer

► It is the HUMAN USER


Page 13

Breaches/Data loss around the world

Source: Datalossdb.org

Increasing count of security breaches


Page 14

Internal vs. External breach stats

Source: Datalossdb.org


Page 15

Breach Causes


Page 16

The cost of a breach – 3 sample companies

Company A: low-profile breach in a non-regulated industry

Company B: low-profile breach in a regulated industry

Company C: high-profile breach in a highly regulated industry

Cost per record (Company A / Company B / Company C):

► Discovery, notification, and response: outside legal counsel, mail notification, calls, call center, and discounted product offers. $50 / $50 / $50

► Lost employee productivity: employees diverted from other tasks. $20 / $25 / $30

► Opportunity cost: customer churn and difficulty in getting new customers. $20 / $50 / $100

► Regulatory fines: FTC, PCI, SOX. $0 / $25 / $60

► Restitution: civil courts may ask to put this money aside in case breaches are discovered. $0 / $0 / $30

► Additional security and audit requirements: the security and audit requirements levied as a result of a breach. $0 / $5 / $10

► Other liabilities: credit card replacement costs; civil penalties if specific fraud can be traced to the breach. $0 / $0 / $25

► Total cost per record: $90 / $155 / $305

Source: Forrester Research, Inc.


Page 17

What EY is seeing with Organizations today

Goal (We will try to …) / Headline (We were able to …) / Root causes:

► Get into the corporate network / Get local privilege in < 6 minutes / User complacency

► Escalate privileges / Control the network in < 12 hours / Privileged accounts not properly protected

► Move around the network / Go anywhere / Flat global network

► Masquerade as another user / Be anyone / Weak baseline technical controls

► Transfer funds / Move money out of corporate bank accounts / AP clerk with local admin privs

► Impact production / Affect shop floor production & safety / Factory systems directly connected to network

► Find intellectual property / Find corporate crown jewels / Lack of intellectual property inventory and control

► Steal intellectual property / Take copies of anything & everything / Limited outbound content inspection


Page 18

Cyber security is increasingly an issue for businesses


Page 19

What does it mean to you?

► Damage to your brand/reputation

► Loss of competitive advantage

► Legal/regulatory noncompliance (e.g., PCI): fines, lawsuits

Average time to detect an advanced threat is 197 days and to contain is 39 days — Ponemon Institute LLC, May 2015

► The cost of a breach to an organization increases the longer a breach goes undetected

► The value of the data to an attacker decreases dramatically after a breach is detected and reported.


Page 20

How we see it – Fighting to close the gap

The gap widens (2006 to 2015)


The cybersecurity landscape is improving, but the bad guys seem to always be a step ahead


Page 21

Tackling the “right risks” in the “right way”


Organizations need to ask:

► Do we understand our risks?

► How much can we do to manage the residual risk?

► Are we prepared to accept a certain level of risk?

► What can we attempt to control and what do we need to accept is out of our control (for example, world events and changes in local regulations)?

► Within its defined ecosystem, organizations need to continually reassess relationships and risks, adjusting as the business evolves.

► Agility is needed to react to uncontrollable factors that affect every business in similar, but distinct, ways.

► Today's security programs must enable business objectives and defend against threats while investing in the right priorities.


Page 22

What companies should be focused on

Identify the real risks

► Define the organization's overall risk appetite and how information risk fits

► Identify the most important information and applications, where they reside and who has/needs access

► Assess the threat landscape and develop predictive models highlighting your real exposures

Protect what matters most

► Develop a security strategy focused on business drivers and protecting high-value data

► Assume breaches will occur; improve processes that plan, protect, detect and respond

► Balance fundamentals with emerging threat management

► Establish and rationalize access control models for applications and

Sustain an enterprise program

► Get governance right: make security a board-level priority

► Allow good security to drive compliance, not vice versa

► Measure leading indicators to catch problems while they are still small

► Accept manageable risks that improve performance

Optimize for business performance

► Align all aspects of security (information, privacy, physical and business continuity) with the business

► Spend wisely in controls and technology; invest more in people and processes

► Selectively consider outsourcing operational security program areas

Enable business performance

► Define everyone's responsibility

► Don't restrict newer technologies; use the forces of change to enable them

► Broaden program to adopt enterprise-wide information risk management concepts

► Set security program goals/metrics


Page 23

A CRITICAL STEP: Understand what you need to protect

► Does your organization really know what types of sensitive data are held?

► Do you know what your crown jewels are?

► The business must be involved in data identification, classification and risk assessment.

► Data identification must include both structured and unstructured data throughout the enterprise, as well as data held by third parties.

► What has been done to ensure the security program is properly aligned with the business?


Page 24

Data identification – Example data types

Corporate data: price/cost lists, target customer lists, new designs, source code, formulas, pending patents, intellectual property

Personally identifiable data: full name; birthday, birthplace; biometric data; genetic information; credit card numbers; national identification number, passport numbers; driver's license number, vehicle registration number

Transaction data: bank payments, B2B orders, vendor data, sales volumes, purchase power, revenue potential, sales projections

Customer data: customer list, spending habits, contact details, user preference, product customer profile, payment status, contact history


Page 25

Personal information and data classification

Common data classification levels, with examples of personal information mapping:

► Restricted: credit card numbers, Social Security numbers, health information

► Confidential: customer lists, customer financial account information, employee records

► Internal use only: corporate directories, market research, prospective customer lists (maybe)

► Approved for public release: customer sales points of contact, customer testimonials, mortgage listings

► How many copies of your crown jewels are out there? How many are currently being covertly funneled out of your organization?


Page 26

Cybersecurity – Let’s summarize

► Cybersecurity is far beyond being an IT issue

► Cybersecurity risks are a top-three concern worldwide

► Inherent interconnectivity and digitization increases the vulnerable surface areas for persons, organizations and countries

► All business-as-usual activities now have a cyber dimension

► The adoption of mobile and cloud-based operations and services dramatically increases and changes the risk landscape of our professional and personal lives.

Are you prepared to protect the “crown jewels”? Can you answer “yes” to these five key questions?

1. Do you know what you have that others may want?

2. Are your business plans making your assets more vulnerable?

3. Do you understand how these assets could be accessed or disrupted?

4. Would you know if you were attacked or compromised?

5. Do you have a plan to react to an attack and minimize the harm caused?

Valued assets: intellectual property; people information; financial information; business information (strategy, performance, transactions)

Being attacked is unavoidable


Page 27

The Cybersecurity Program Management (CPM) Framework


A robust framework needs to be implemented


Page 28

NIST Framework focus

► Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

► Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

► Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

► Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

► Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.


Page 29

Some Fundamentals you should consider

► Identify, understand and classify your assets

► Formulate security governance team for oversight, policy making

► Align to a framework/standard – ISO 2700X, ENISA, COBIT, NIST, etc.

► Implement a blend of prevent and detect controls – people, process, technology

► Privileged accounts – use conservatively; vault; monitor

► Incident management – Consider SOC; develop strong IR program

► Train users

► Measure, measure, measure

► Use ‘Deming Cycle’ for IS program – Plan, Do, Check, Act


Page 30

Questions or Comments


Page 31

EY contacts:

Arnold Niranjan, Advisory Service Line Leader, +1 868 822 6240 | [email protected]

Hema Narinesingh, Partner, Advisory Services, +1 868 822 5030 | [email protected]

Anil Persad, Senior Manager, Advisory Services, +1 868 822 6165 | [email protected]

Why we are chosen?

• Leader in security consulting

• Deep local and international professional resources certified in ISMS/ISO 27001 implementation

• EY has implemented and certified global enterprises in ISMS/ISO 27001/SOC (Google, Amazon, etc.)

• Supported by professionals in key risk and compliance disciplines such as internal control, internal audit, information security, IT compliance, privacy, business continuity and others

• Guided by the Risk Transformation Innovation Board, taking forward the advice of the world's leading risk specialists in industry

• Relentless focus on helping clients reduce risk, lower the cost of compliance and improve business performance

• Culture of delivering a superior client experience

EY