Cyber Resilience
Cyber Resilience, presented at the Malta Association of Risk Management (MARM) Cybercrime Seminar of 24 June 2013 by Mr Donald Tabone. Mr Tabone, Associate Director and Head of Information Protection and Business Resilience Services at KPMG Malta, presented a six-point action plan corporate entities can follow in order to reach a sustainable level of cyber resilience.
Malta Association of Risk Management (MARM)
Donald Tabone
24 June 2013
Agenda
1. Where are we coming from?
2. Cybercrime and threat actors
3. What the stats say
4. Who’s being targeted?
5. Cause for concern?
6. Cyber resilience defined
7. A six-point plan to becoming resilient
Where are we coming from?
The foundations
• ’62 J.C.R. Licklider introduced the idea of an ‘Intergalactic Network’
• ’76 Dr. Robert Metcalfe invented Ethernet, coaxial cables
• ’78 Gary Thuerk – first spam email sent to 400 users of ARPANET
• ’84 Dr. Jon Postel described his idea for .com, .org, .gov etc. in a series of papers published by the IETF
• ’89 The World was the first ISP to offer commercial dial up internet
• ’92 The Corporation for Education and Research Network (CREN) released the world wide web
The beginning of eCommerce
• ’94 Pizza Hut offered online ordering through their website
• ’95 Pierre Omidyar released AuctionWeb which later became eBay
• ’96 Hotmail was launched. The following year Microsoft bought it out for $400m
• ’98 Google received funding to become Google Technology Incorporated.
• ’99 The Internet consisted of 19.5m hosts and over 1m websites
Where are we coming from?
The Dot-com bubble
• ’00 The Dot-com bubble burst
• ’03 Apple launched the iTunes store with 200,000 songs
• ’03 The hacktivist group Anonymous was born
• ’04 Google launched Gmail with 1Gb of storage
• ’05 YouTube is launched. The following year Google bought it out for $1.6b
• ’06 Twitter and Facebook came around
• ’06 There are an estimated 92m websites online
40 years from its inception
• ’09 Mobile data traffic exceeds voice traffic every single month
• ’09 Cloud-based file hosting from the likes of Dropbox came around
• ’10 Facebook announces it reached 400m active members
• ’10 Syria and China attempt to control Internet access
• ’10 The Wikileaks drama ensues whilst Anonymous conduct several cyber attacks on government, religious and corporate websites
• ’11 Interest in virtualisation and cloud computing reaches its highest peak
• ’13 The interest in BYOD and Big Data has reached a new high
Opportunity for crime
www
Our dependence
Cybercrime & Cyber criminals
As a result, we face new challenges related to:
• Our online privacy,
• The confidentiality and integrity of the data we entrust to online entities, and
• Our ability to conduct business on the net through the use of ecommerce web applications
Because of the nature of how the net works, accountability is also a challenge!
Threat actors (1)
Organised Crime
• Traditionally based in former Soviet Republics (Russia, Belarus, Ukraine)
• Common attacks: Theft of PII for resale and misuse or resources for hosting of illicit material
• Occasionally employ blackmail in terms of availability (Threats of denial of service attacks to companies and threats of exposing individuals to embarrassment)
Threat actors (2)
State Sponsored
• Nations where commercial and state interests are very aligned
• Military or Intelligence assets deployed in commercial environments
• Limitless resources?
• Main aim to achieve competitive advantage for business
• Theft of commercial secrets (Bid information, M&A details)
Just this week
Hacktivism
Will attack companies, organizations and individuals who are seen as being unethical or not doing the right thing
Hacking for fun… seriously!
Entire nations can be taken down (Estonia)
Stolen information
• 18.5m people have been affected by PC theft
• 75% of data loss incidents in Retail were attributed to Hacking
• 96% of data loss incidents in Media were attributed to Hacking
Source: 2012 KPMG Data Loss Barometer
2012 KPMG cybercrime survey
Source: KPMG, A nuanced perspective on cybercrime, shifting viewpoints – call for action. The results were based on over 170 responses from CIOs/CISOs or professionals in related professions in the Netherlands.
Traditional crime, redefined?
Network based attacks
• Identify a target website
• Conduct network reconnaissance / mapping
• Engage in DDoS attacks to deny accessibility
• The result is direct loss of business
Spear phishing attacks
• Identify a target individual
• Build a profile / biography
• Directly target with a personal email
• Trick user into accessing a malicious website
• Implant malware and gain control of a device
• Use a compromised machine to obtain otherwise confidential information
Human based attacks
• Human error incidents
• Inside users become the target as they are often trusted users
• Scorned / disgruntled employees
3 Common Attacks
The reality is that cyber attackers and organised crime perpetrators often use a combination of attack avenues to profile a target and map out their internal systems – the information is readily available!
Competitive edge is eroded
Organisation secrets are stolen
Corporate reputations are damaged
Source: 2012 KPMG Cyber Vulnerability Index
Who are they targeting?
Sources: * The study was carried out by the Federation of Small Businesses in the UK and is based on its 20000 members, http://www.fsb.org.uk/News.aspx?loc=pressroom&rec=8083, accessed 12/6/2013
** The study was conducted by PollOne in April 2013 for Tripwire on 1000 users, http://www.tripwire.com/company/research/survey-half-uk-population-worried-about-nation-state-cyber-attacks/, accessed 12/6/2013
One study* conducted in the UK showed that small businesses suffer an estimated loss of £800m a year, averaging nearly £4000 per business
• 30% of its members were victims of fraud as a result of virus infections
• 50% hit by malware
• 8% victims of hacking
• 5% suffered security breaches
As a consequence, a second recent cybercrime study** revealed that
• 53% of the British public is worried about the damage of cyber attacks
• 40% feel more vulnerable to cyber attacks now than a year ago
• 38% feel that their personal data exchanged with organisations they do business with may already have been compromised
Increased attack sophistication + Inappropriate business response = UNCERTAINTY
In the US
The unverified losses that victims claimed in 2012 jumped 8.3% from $485m the previous year
[Chart: Losses, Complaints]
Sources: SC Magazine and Internet Crime Complaint Center
Meanwhile in a non-descript building …
… just outside of Shanghai, “Unit 61398” of the People’s Liberation Army is the alleged source of Chinese hacking attacks…
Source: Businessweek.com
Why should you be concerned?
… although the Chinese government consistently denies its involvement in such activities claiming that such allegations are “irresponsible and unprofessional”
Source: Hello, Unit 61398, The Economist. 19 February 2013, accessed 13/06/2013
Convictions?
The fight against cybercrime seems to be ongoing
Why should you be concerned?
Sources: ValueWork, Help Net Security, SC Magazine
• Romanian hacker Cezar Butu – 21 months in prison for compromising credit card processing systems
• Darnell Albert-El, 53 – 27 months in prison for hacking
• Steven Kim, 40 – 12 months in prison for stealing personal data
• Bruce Raisley, 48 – 24 months in prison for creating a botnet virus to launch DDoS attacks
• Shawn Reilly, 34 – 33 months in prison for committing 84 fraudulent wire transfers
• Eduard Arakelyan, 21 and Arman Vardanyan, 23 – 36 months in prison for theft of credit card information and for committing bank fraud
• Sonya Martin, 45 – 30 months in prison for being part of a gang to evade encryption
41 MONTHS
Next generation cybercrime threat?
What if hackers hijacked a key satellite? Could space be cybercrime's new frontier?
Source: The Independent, Space: the new cybercrime frontier, http://www.independent.co.uk/life-style/gadgets-and-tech/news/space-the-new-cyber-crime-frontier-8194801.html accessed 16/2/2013
FACT #1
We have an overwhelming reliance on space technology for vital streams of information
Makes us acutely vulnerable!
FACT #2
Satellites are frightfully vulnerable to collisions and there are over 5500 redundant ones at the moment!
Juggling the risks
Examine threats
Determine the risk level
Risk Assessment
AIM: reduce organisational risk
• Risk Assumption: With appropriate due diligence, management accept the potential risk and continue operating
• Risk Alleviation: Management approve the implementation of controls to lower risk to an acceptable level
• Risk Avoidance: Eliminate the process that could cause the risks
• Risk Limitation: Management limit the risk exposure by putting controls to limit the impact of a threat
• Risk Planning: A process to manage risk by developing an architecture that prioritises, implements and maintains controls
• Risk Transference: Management transfer the risk by using other options to compensate for a loss – e.g. purchasing an insurance policy
Risk Transference
Bespoke insurance products providing tailor made policies targeting key professional liability exposures for technology companies
Becoming resilient – a six point action plan
“The ability of a system or a domain to withstand attacks or failures and in such events to re-establish itself quickly” – Nigel Inkster, International Institute of Strategic Studies
Cyber Resilience
1. Organizational Readiness
2. Situational awareness
3. Cyber defence
4. Detection
5. Mitigation and containment
6. Recovery
#1 - Organisational Readiness
Corporate awareness
Ownership at the C-level
Assign the role and responsibility for information security oversight
Understand your business risks
Focus on your information and reputation
Share intelligence and experiences
#2 - Situational intelligence
Specialist knowledge
Keep abreast of the latest advanced threats
Hacking for fame & glory
Cybercrime moved into monetisation
Criminal gangs
Protest hacktivism
Anonymous & Lulzsec target corporate infrastructures
Corporate espionage
Disruption
Know your information assets
Classify your information assets
“One of the problems is that we all tend to be technology professionals weathered by our experiences rather than looking at new ways of managing risk and gaining or using new sources of intelligence” – Pat Brady, Information Security Manager, National Australia Group
#3 – Cyber defence
Get a grip on infrastructure and access security
Assert the levels of staff awareness
Define strict access control and remote access control
Ensure strong visitor procedures for key buildings
Keep your basic security controls in sight e.g. password change policy
Infrastructure changes should trigger network configuration changes allowing you to move the shape of the target
#4 – Detection
Develop the ability to detect attacks
Ensure you have an effective internal & external monitoring process
Scan outbound messages for abnormal volumes and patterns
Early recognition of a compromise is key to early reaction
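One way to act on "scan outbound messages for abnormal volumes and patterns", as an added example that is not part of the original presentation. It compares each sender's current-hour outbound mail against that sender's own earlier hours using a median/MAD threshold and flags never-before-seen recipient domains; the event tuple layout, sender names, domains and the threshold `k` are constructed assumptions.

```python
import statistics
from collections import defaultdict

def build_sample():
    """Constructed outbound-mail events: (hour, sender, recipient_domain, bytes)."""
    events = []
    for hour in range(8):  # eight baseline hours of normal traffic
        for sender, n in (("alice", 5), ("bob", 3), ("svc-crm", 20)):
            events += [(hour, sender, "partner.example", 20_000)] * n
    # Hour 8: alice is normal, bob bursts large mail to a new domain.
    events += [(8, "alice", "partner.example", 20_000)] * 6
    events += [(8, "bob", "files.example.net", 900_000)] * 60
    events += [(8, "temp01", "partner.example", 20_000)] * 2  # no history
    return events

def hourly_profile(events):
    """Aggregate per sender and hour: message count, bytes, recipient domains."""
    prof = defaultdict(lambda: defaultdict(
        lambda: {"count": 0, "bytes": 0, "domains": set()}))
    for hour, sender, domain, size in events:
        slot = prof[sender][hour]
        slot["count"] += 1
        slot["bytes"] += size
        slot["domains"].add(domain)
    return prof

def flag_anomalies(events, current_hour, k=3.0):
    """Return {sender: [reasons]} for the current hour versus earlier hours."""
    alerts = {}
    for sender, hours in hourly_profile(events).items():
        now = hours.get(current_hour)
        if now is None:  # sender was silent this hour
            continue
        base = [h for t, h in hours.items() if t < current_hour]
        if not base:  # edge case: nothing to compare against
            alerts[sender] = ["no_baseline"]
            continue
        reasons = []
        for metric in ("count", "bytes"):
            med = statistics.median(h[metric] for h in base)
            mad = statistics.median(abs(h[metric] - med) for h in base)
            # Floor the spread so a perfectly flat baseline tolerates noise.
            if now[metric] > med + k * max(mad, 0.2 * med, 1):
                reasons.append(metric)
        known = set().union(*(h["domains"] for h in base))
        reasons += sorted(f"new_domain:{d}" for d in now["domains"] - known)
        if reasons:
            alerts[sender] = reasons
    return alerts
```

Calling `flag_anomalies(build_sample(), current_hour=8)` flags `bob` on count, bytes and a new recipient domain, and `temp01` for having no baseline, while `alice`'s small increase stays under the threshold.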
#5 – Mitigation and containment
The aim is to limit the damage to your services and reputation
Limit the impact / shut down the source
Being prepared is the key
Contingency planning – define and review your plans
Ensure adequate testing of business continuity plans
Prepared PR statements
Continuity of Operations Plan
Disaster Recovery Plan
IT / Network Contingency Plans
Crisis Communication Plan
Cyber Incident Plan
Occupant Emergency Plan
#6 – Recovery
You need to develop the ability to re-establish normal service
Your survival as a business depends on it
Apply the lessons learnt
Give feedback to senior executives
Here’s what happened to us
This is how we reacted
This is what we’ve done to mitigate / prevent it
Conclusions
Some final thoughts..
• The cyber crime threat is actual and here to stay
• It’s NOT a question of IF but WHEN
• Be prepared for incidents
• Ensure security awareness between departments
• Protect your information assets, regardless of where they are being held
• Ensure adequate crisis management between departments
• Align individual goals with the organisation’s cyber security ambitions
• Cyber risk teams need to consist of flexible people who can build relationships across departments
• Take a pragmatic approach to investing in your defences – overinvesting is a real danger
Cyber Resiliency
Business Continuity
IT Service Continuity
Management functions
BEING PROACTIVE IS THE NAME OF THE GAME
Awareness
Knowledge
Controls
Detection
Mitigation
Recovery
References
Andrew Auernheimer, http://en.wikipedia.org/wiki/Weev
Bandit Country, Amir Singh, Chartech March/April 2013
Cyber Crime Study Reveals Uncertainty, http://www.tripwire.com/state-of-security/it-security-data-protection/cyber-security/viewpoints-on-cyber-crime-reveal-uncertainty/
Eight cyber crooks who got less prison time than Andrew Auernheimer, http://www.scmagazine.com/here-are-eight-cyber-crooks-who-got-less-prison-time-than-andrew-auernheimer/article/284928/
KPMG data loss barometer 2012, http://www.kpmg.com/uk/en/services/advisory/risk-consulting/pages/data-loss-barometer-2012.aspx
KPMG seven ways to beat cyber crime, http://www.kpmg.com/UK/en/IssuesAndInsights/ArticlesPublications/Documents/PDF/Advisory/seven-ways-beat-cyber-crime-nov2012.pdf
KPMG shifting viewpoints - A nuanced perspective on cybercrime, http://www.kpmg.com/NL/en/Issues-And-Insights/ArticlesPublications/Pages/Shifting-viewpoints.aspx
Microsoft and FBI disrupt global cybercrime ring, http://www.net-security.org/malware_news.php?id=2511
Most small businesses can't restore all data after a cyber attack, http://www.net-security.org/secworld.php?id=15012
Operation cyber taskforce, Gerry O’Neill, Chartech March/April 2013
Space: the new cyber crime frontier, http://www.independent.co.uk/life-style/gadgets-and-tech/news/space-the-new-cyber-crime-frontier-8194801.html
The cost of cybercrime, http://securityaffairs.co/wordpress/14628/cyber-crime/cost-of-cybercrime-for-uk-small-businesses.html