
Into the Danger Zone: The Cyber Threat

Date post: 21-May-2020
Dr. Alastair MacWillson

Global Managing Director, Security Practice

September 2011

Copyright © 2008 Accenture All Rights Reserved. Copyright © 2011 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

Cyber, cyber ..... everywhere!

Cyber has moved from the realm of the military to the mainstream

• "The decentralized, asymmetrical nature of cyber-threats makes them particularly dangerous. Not only is cybercrime expanding, but cyber-terrorism is capable of damage on a par with the Sept. 11, 2001, attacks". Former Homeland Security Secretary - Michael Chertoff

• "The United States is fighting a cyber-war today, and we're losing" Mike McConnell – Director NSA

• "What we've already lost in the cyber-battle is tantamount to the Soviet and Chinese theft of nuclear bomb secrets in 40's and 50's" Richard Clark – Author 'Cyber War' and Ex-National Security Coordinator, White House.

• "The UK's critical infrastructure - such as power grids and emergency services - faces a "real and credible" threat of cyber-attack" Iain Lobban – Director GCHQ, October 2010

• "Cyber 9/11 has happened over the last ten years, but it happened so slowly, so we don't see it" Amit Yoran - National Cyber Security Division, DHS

"For all these reasons, it's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation." Remarks by the President on the need to secure the US national cyber infrastructure - May 31, 2009


Signs of a growing menace:

Perhaps the biggest theft in history?

Here are some of the crown jewels obtained by cyber attack in the last decade:

• M44 U.S. nuclear warhead design, from Livermore Labs

• F35 wing fabrication machinery and electronic design blueprints, from Lockheed-Martin

• Selected Boeing airframe designs

• Navigation and rocket design for Intercontinental Ballistic Missiles (specifically, the Long March series), from both Boeing and Lockheed

• High-speed router designs from Cisco

• Source code to Windows, from Microsoft

• Complete car designs from Chevy, Ford and VW

• Advanced chip and fabrication designs from IBM, Intel

• High-speed rail systems from Japan

Here are some respected organisations that have allegedly been attacked recently:

• Boeing, Cisco, Kawasaki, Qualcomm, 3Com, Sony, Google, The White House, GCHQ, MasterCard, Visa, PayPal, Dutch Certificate Authority

Source: The Economist & WSJ 2010


The business context


Why Has Cyber Security Become Such A Big Deal?

[Figure: axes are cost of failure (inconvenience, high $$ cost, mission failure), attack surface (narrow to broad; IP is ubiquitous, interconnected) and adversary capability (fragmented to organized & capable); timeline from the mid 90's to the present]

The cyber threat is difficult to assess and mitigate for six reasons:

• The internet is a great place to commit crime – global connectivity, anonymity, lack of traceability, rich targets

• As many motives as perpetrators

• Many different attack vectors – supply chain, insider attacks, remote attacks, product vulnerabilities, system misconfigurations, social engineering

• The internet is shared and integrated

• The consequences of an attack are difficult to predict

• The worst-case scenarios are alarming


The environment

"Every year, an amount of intellectual property many times larger than all the intellectual property contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government agencies."

U.S. Sec. of Defense, William Lynn

• Corporations operate in the cyber space. Every aspect of the business depends on Internet-oriented computing and communications.

• Security is not built in. Systems that designers assumed would operate behind physical or logical barriers are now accessible via networks.

• Change is constant. A "good enough" defense today won't be good enough in six months.

• Corporations are lucrative targets. Attackers can gain intellectual property, personally identifiable information, sensitive competitive data, etc.

• No one is immune. Google reported losing intellectual property in a Dec. 2009 attack based in China. Cyber thieves stole more than $1 million in a July 2010 attack on 3,000 customers of a British bank.

And the list goes on.


The adversary

• Adversaries are smarter, better organized, more persistent. Many are part of criminal organizations, some are agents for nation-states.

• Attackers have a huge advantage. In cyber, offense is far cheaper and easier than defense, which must be 100% effective. The adversary needs only to find one weakness.

• Variety of adversaries and motivations leads to variety of attack types.

Today’s intruders rarely fit the image of a lone wolf probing corporate systems for bragging rights.


The methods of attack

Adversaries only need to find one vulnerability— their methods of attack are multiple and rapidly changing

• Advanced Persistent Threats are targeted, "low and slow" attacks that stealthily move through a network without generating regular or predictable network traffic.

• U.S. military's worst attack was launched from USB thumb drive bearing malicious program from foreign intelligence agency.

• Virus hidden on legitimate websites infected British bank customers' computers, stole money from their online accounts.

• Google attack began with instant message sent to Google employee, who clicked a link to a poisoned website.

• Some attackers infect commercial software, hardware with "logic bombs" before it is sold.


Threats from within

• Using popular social networking websites, possibly exposing employers' computers and networks to worms, malware, etc.

• Checking corporate email from unsecured personal devices, including smart phones and home computers.

• Self-provisioning potentially unsecure cloud-based applications.

• Accessing organization data from unsecure WIFI hotspots.

Many of today’s security threats result from the behavior of organizations’ employees.


The susceptible enterprise


Security breaches have serious business consequences

Not just a technical issue

* Fourth Annual US Cost of Data Breach Study, 2009, Ponemon Institute

• In 2009, security breaches cost organizations an average of $6.6 million each—up from $6.3 million in 2007 and $4.7 million in 2006.*

• Stock prices of publicly-held companies typically drop five percent when breaches are made public.

• Fines and lawsuit losses can exceed $100 million.

• The loss of intellectual property due to cyber attacks can be significant.

• Cyber attacks can disrupt business operations (production interruptions, inability to process sales, etc.).

• Brand reputation and consumer and partner trust can be severely damaged by a data breach.


Security thinking must evolve!

• Inherent weaknesses in IT

• Ineffective approaches to information security

Perimeter Security

• Identity
– Access control via network identity
– Application silos, or not at all

• Infrastructure
– Focus on defining the network boundary
– Firewalls, router access control, VPNs, etc.

"Defense in Depth"

• Identity
– Migration to directories for enterprise infrastructure (e.g., network, email)
– Application silos

• Infrastructure
– Controls at all layers of the stack – network, server, application, database
– Proliferation of devices: IDS, IPS, audit

I&AM + Consolidation

• Identity
– Process integration and workflow for user add/delete/change across silos
– Centralized policy enforcement, user management, and reporting

• Infrastructure
– Consolidation of infrastructure security via fewer physical devices
– Enables economies of scale, more consistent policy enforcement, reduced cost, simplified management

Advanced Security Capabilities

• Data security is attached to the information asset itself across its life-cycle

• Enterprise identity, tied to applications, network, and physical access

• Integrated access to services based on identity roles and privileges, not physical device

• Security as a consumable set of services for business processes, physical and logical assets

Today?


Dealing with the technology shift

[Diagram: forces acting on the company; labels as they appear on the slide]

• Company

• Perimeter is increasingly blurred and elastic

• Cloud computing and flex sourcing

• Portable devices and storages and everywhere access

• The irreversible digitalization of life

• Digitalization

• Move to All-IP

• Virtualization

• The increasing power of cyber crime

• The compliance "tsunami"

• Cyber threats and crimes

• Social networks and Web 2.0

• Millennials and consumerization

• Globalization

• Public control and regulations

• The rising strength of individual


Security standards: Those damn standards!

So called 'best-of-breed' technologies, and 'best practices', based on standards, are becoming security's Achilles Heel

[Diagram: overlapping standards and frameworks; labels as they appear on the slide]

• ITIL – Service Management

• Management

• Technology Operations

• ISO2702/2005 – Security Management

• Line of Business/Geographic/Regulatory Specific: HIPAA (Healthcare), SB1386 (CA Privacy), PCI-DSS (Digital Payment), Sarbanes/Oxley (SEC Reporting)

• ISO9001 – Quality Management

• Six Sigma – Quality Assurance

• SAS70 – Controls Performance

• ISO27001 Audit

• ISO27004 Metrics & Measurement

• CobiT v4.0 – IT Governance

• Architecture

• Design

• Risk Management

• SSE-CMM App. Maturity

• ADM

• Project Management


The shifting threat landscape

The severity and speed of the threats are growing

Advanced Persistent Threat-style attacks are typically:

• Highly Targeted – tailored to a specific organisation

• Well-Funded – resource intensive

• Well-Researched – with a focus on information about personnel

• Designed to evade detection – refined 'low and slow' techniques

• Multi-modal and multi-step – using multiple vectors, gaining entry via end users and end points

The parameters are dramatically shifting because of APT

Who?
• Conventional Threats: Opportunistic hackers or cyber criminals
• Advanced Persistent Threats: Well-resourced and determined adversaries

What?
• Conventional Threats: Generically valuable information
• Advanced Persistent Threats: High value digital assets, IP, national security data

Where?
• Conventional Threats: Broad based attacks
• Advanced Persistent Threats: Selected organisations and industries

Why?
• Conventional Threats: Financial gain, fraud, spam recognition
• Advanced Persistent Threats: Market manipulation, strategic advantage, damage to critical infrastructure, politics

How?
• Conventional Threats: Entry by attacking perimeter
• Advanced Persistent Threats: Exploit end-users and end-points

With?
• Conventional Threats: Propagate off-the-shelf malware
• Advanced Persistent Threats: Custom designed or tailored malware

Skills?
• Conventional Threats: Technical skills
• Advanced Persistent Threats: Reconnaissance: in-depth knowledge of people, business processes, and n/w topology

Response?
• Conventional Threats: Move to an easier target
• Advanced Persistent Threats: Learn and modify


The response


1. Identify and secure the IT assets themselves, not just the perimeter

• Identify data and technology that are essential to operations and business continuity (many large organizations have not yet done so).

• Create a detailed plan to protect these assets and capabilities, not just the perimeter.

• Assure plan meets regulatory, compliance, privacy and business demands.

• Assure plan viability with robust test.

• Embed cyber resilience and defensive capabilities throughout the organization, not just individual components.


2. Build a hard-nosed "culture of security"

• Clearly, explicitly define who is responsible for cyber security.

• Ensure a holistic approach to information management and protection.

• Consider your organization a steward, not an owner of personal data.

• Implement strong data protection policies.

• Get serious about effective user training

Data protection policies matter*

*Source: Accenture survey, 2009.


3. Pay closer attention to applications

• Many serious breaches result from application-level weaknesses.

• Most developers have not included security in their applications, assuming the software would run inside a secure perimeter.

• Extend security to device level as well as to application layer.

• Measure security strength of off-the-shelf applications.


4. Reclaim access control

• Stop relying on authentication information (e.g. mother's maiden name) that has become more available or discoverable.

• Integrate strong authentication technologies with access management technologies.

• Biometrics (fingerprint, retinal scans), smart cards becoming more cost-effective.

• Embed pervasive security while maintaining ease of use (e.g. single sign-on, immediate access revocation, self-service functionality, real-time analysis).

• Consider two-factor authentication (e.g. smart card plus password).


5. Develop acute situational awareness

Situational awareness capability map

Up-level intelligence gathering and analysis:

• Must-have intelligence on threats

• Required knowledge of internal systems

• Essential information about incidents

Activate smart monitoring:

• Security data analytics

• Visibility on the network

• Construct an incident response process


6. Participate in information exchange

Defending against APT will take not only new models for enterprise IT, but also new models for information sharing

• Current impasse on information sharing has reached a point that requires legislation

• Sharing mechanisms must be real-time

• Will need incentives for organisations to collaborate rather than just receive

• Valuable role for government to remove the impediments to sharing:

– Liability issues

– Encouraging trust communities for CI or large enterprises

– Mechanisms to ensure source anonymity

• Organisations must start working with law enforcement


Manage executive expectations

• Stop thinking in terms of watertight security—there is no such thing.

• Fortress mentality must give way to a realistic, simplified and practical approach to IT security.

• What's needed is cascaded, reflex-like security architecture

• Complete data protection is a myth

• Get attuned to regulations governing privacy and develop a risk-based approach to data privacy.

• Key questions to consider are:

– how to plan the right responses to leaks

– whether the data should be created or acquired in the first place.


Dr. Alastair MacWillson Global Managing Director

Security Practice

Accenture London

London 30 Fenchurch

Phone +44 20-7844-6131
