Copyright © 2008 Accenture All Rights Reserved. Copyright © 2011 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Dr. Alastair MacWillson
Global Managing Director, Security Practice
Into the Danger Zone: The Cyber Threat
September 2011
• "The decentralized, asymmetrical nature of cyber-threats makes them particularly dangerous. Not only is cybercrime expanding, but cyber-terrorism is capable of damage on a par with the Sept. 11, 2001, attacks." Former Homeland Security Secretary - Michael Chertoff
• "The United States is fighting a cyber-war today, and we're losing." Mike McConnell - Director NSA
• "What we've already lost in the cyber-battle is tantamount to the Soviet and Chinese theft of nuclear bomb secrets in the 40's and 50's." Richard Clarke - Author of 'Cyber War' and Ex-National Security Coordinator, White House
• "The UK's critical infrastructure - such as power grids and emergency services - faces a 'real and credible' threat of cyber-attack." Iain Lobban - Director GCHQ, October 2010
• "Cyber 9/11 has happened over the last ten years, but it happened so slowly, so we don't see it." Amit Yoran - National Cyber Security Division, DHS
Cyber, cyber ..... everywhere!
"For all these reasons, it's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation." Remarks by the President on the need to secure the US national cyber infrastructure - May 31, 2009
Cyber has moved from the realm of the military to the mainstream
Signs of a growing menace:
Perhaps the biggest theft in history?
Here are some of the crown jewels obtained by cyber attack in the last decade:
• M44 U.S. nuclear warhead design, from Livermore Labs
• F35 wing fabrication machinery and electronic design blueprints, from Lockheed-Martin
• Selected Boeing airframe designs
• Navigation and rocket design for Intercontinental Ballistic Missiles (specifically, the Long March series), from both Boeing and Lockheed
• High-speed router designs from Cisco
• Source code to Windows, from Microsoft
• Complete car designs from Chevy, Ford and VW
• Advanced chip and fabrication designs from IBM, Intel
• High-speed rail systems from Japan
Here are some respected organisations that have allegedly been attacked recently:
• Boeing, Cisco, Kawasaki, Qualcomm, 3Com, Sony, Google, The White House, GCHQ, MasterCard, Visa, PayPal, Dutch Certificate Authority
Source: The Economist & WSJ 2010
The business context
Why Has Cyber Security Become Such A Big Deal?
[Slide chart: from the mid 90's to the present, the attack surface has widened from narrow to broad (IP is ubiquitous; interconnected), adversary capability has moved from fragmented to organized & capable, and the cost of failure has risen from inconvenience to high $$ cost and mission failure.]
The cyber threat is difficult to assess and mitigate for six reasons:
• The internet is a great place to commit crime – global connectivity, anonymity, lack of traceability, rich targets
• As many motives as perpetrators
• Many different attack vectors – supply chain, insider attacks, remote attacks, product vulnerabilities, system misconfigurations, social engineering
• The internet is shared and integrated
• The consequences of an attack are difficult to predict
• The worst-case scenarios are alarming
The environment
"Every year, an amount of intellectual property many times larger than all the intellectual property contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government agencies." U.S. Sec. of Defense, William Lynn
• Corporations operate in cyberspace. Every aspect of the business depends on Internet-oriented computing and communications.
• Security is not built in. Systems that designers assumed would operate behind physical or logical barriers are now accessible via networks.
• Change is constant. A "good enough" defense today won't be good enough in six months.
• Corporations are lucrative targets. Attackers can gain intellectual property, personally identifiable information, sensitive competitive data, etc.
• No one is immune. Google reported losing intellectual property in a Dec. 2009 attack based in China. Cyber thieves stole more than $1 million in a July 2010 attack on 3,000 customers of a British bank.
And the list goes on.
The adversary
Today's intruders rarely fit the image of a lone wolf probing corporate systems for bragging rights.
• Adversaries are smarter, better organized, more persistent. Many are part of criminal organizations, some are agents for nation-states.
• Attackers have a huge advantage. In cyber, offense is far cheaper and easier than defense, which must be 100% effective. The adversary needs only to find one weakness.
• The variety of adversaries and motivations leads to a variety of attack types.
The methods of attack
Adversaries only need to find one vulnerability; their methods of attack are multiple and rapidly changing.
• Advanced Persistent Threats are targeted, "low and slow" attacks that stealthily move through a network without generating regular or predictable network traffic.
• The U.S. military's worst attack was launched from a USB thumb drive bearing a malicious program from a foreign intelligence agency.
• A virus hidden on legitimate websites infected British bank customers' computers and stole money from their online accounts.
• The Google attack began with an instant message sent to a Google employee, who clicked a link to a poisoned website.
• Some attackers infect commercial software and hardware with "logic bombs" before it is sold.
Threats from within
Many of today's security threats result from the behavior of organizations' employees:
• Using popular social networking websites, possibly exposing employers' computers and networks to worms, malware, etc.
• Checking corporate email from unsecured personal devices, including smart phones and home computers.
• Self-provisioning potentially unsecured cloud-based applications.
• Accessing organization data from unsecured Wi-Fi hotspots.
The susceptible enterprise
Security breaches have serious business consequences
Not just a technical issue
• In 2009, security breaches cost organizations an average of $6.6 million each, up from $6.3 million in 2007 and $4.7 million in 2006.*
• Stock prices of publicly-held companies typically drop five percent when breaches are made public.
• Fines and lawsuit losses can exceed $100 million.
• The loss of intellectual property due to cyber attacks can be significant.
• Cyber attacks can disrupt business operations (production interruptions, inability to process sales, etc.).
• Brand reputation and consumer and partner trust can be severely damaged by a data breach.
* Fourth Annual US Cost of Data Breach Study, 2009, Ponemon Institute
Security thinking must evolve!
• Inherent weaknesses in IT
• Ineffective approaches to information security
[Slide table: four stages of security thinking, from Perimeter Security through "Defense in Depth" and I&AM + Consolidation to Advanced Security Capabilities, with a "Today?" marker showing where most organisations stand. Rows for Identity and Infrastructure:]
Identity
• Perimeter Security: access control via network identity; application silos, or not at all
• "Defense in Depth": migration to directories for enterprise infrastructure (e.g., network, email); application silos
• I&AM + Consolidation: process integration and workflow for user add/delete/change across silos; centralized policy enforcement, user management, and reporting
• Advanced Security Capabilities: data security is attached to the information asset itself across its life-cycle; enterprise identity, tied to applications, network, and physical access; integrated access to services based on identity roles and privileges, not physical device; security as a consumable set of services for business processes, physical and logical assets
Infrastructure
• Perimeter Security: focus on defining the network boundary; firewalls, router access control, VPNs, etc.
• "Defense in Depth": controls at all layers of the stack – network, server, application, database; proliferation of devices: IDS, IPS, audit
• I&AM + Consolidation: consolidation of infrastructure security via fewer physical devices; enables economies of scale, more consistent policy enforcement, reduced cost, simplified management
• Advanced Security Capabilities: not filled in on the slide
Dealing with the technology shift
[Slide diagram: the company at the centre, its perimeter increasingly blurred and elastic, surrounded by the forces acting on it:]
• Cloud computing and flex sourcing
• Portable devices and storage and everywhere access
• The irreversible digitalization of life: digitalization, move to All-IP, virtualization
• The increasing power of cyber crime: cyber threats and crimes
• The compliance "tsunami": public control and regulations
• Social networks and Web 2.0
• The rising strength of the individual: millennials and consumerization
• Globalization
Security standards:
Those damn standards!
So called 'best-of-breed' technologies, and 'best practices', based on standards, are becoming security's Achilles heel.
[Slide diagram: a map of standards across the domains Management, Technology Operations, Line of Business/Geographic/Regulatory Specific, Architecture, Design, Risk Management, Performance, Audit, Metrics & Measurement, App. Maturity and Project Management:]
• ITIL – Service Management
• ISO 27002:2005 – Security Management
• ISO 9001 – Quality Management
• HIPAA (Healthcare)
• SB1386 (CA Privacy)
• PCI-DSS (Digital Payment)
• Six Sigma – Quality Assurance
• Sarbanes/Oxley (SEC Reporting)
• SAS70 – Controls
• ISO 27001 – Audit
• ISO 27004 – Metrics & Measurement
• CobiT v4.0 – IT Governance
• SSE-CMM – Risk Management / App. Maturity
• ADM – Project Management
• …
The shifting threat landscape
The severity and speed of the threats are growing
Advanced Persistent Threat-style attacks are typically:
• Highly Targeted – tailored to a specific organisation
• Well-Funded – resource intensive
• Well-Researched – with a focus on information about personnel
• Designed to evade detection – refined 'low and slow' techniques
• Multi-modal and multi-step – using multiple vectors, gaining entry via end users and end points
The parameters are dramatically shifting because of APT
Conventional Threats versus Advanced Persistent Threats:
• Who? Conventional: opportunistic hackers or cyber criminals. APT: well-resourced and determined adversaries.
• What? Conventional: generically valuable information. APT: high value digital assets, IP, national security data.
• Where? Conventional: broad based attacks. APT: selected organisations and industries.
• Why? Conventional: financial gain, fraud, spam, recognition. APT: market manipulation, strategic advantage, damage to critical infrastructure, politics.
• How? Conventional: entry by attacking the perimeter. APT: exploit end-users and end-points.
• With? Conventional: propagate off-the-shelf malware. APT: custom designed or tailored malware.
• Skills? Conventional: technical skills. APT: reconnaissance, in-depth knowledge of people, business processes, and network topology.
• Response? Conventional: move to an easier target. APT: learn and modify.
The response
1. Identify and secure the IT assets themselves, not just the perimeter
• Identify the data and technology that are essential to operations and business continuity (many large organizations have not yet done so).
• Create a detailed plan to protect these assets and capabilities, not just the perimeter.
• Assure the plan meets regulatory, compliance, privacy and business demands.
• Assure plan viability with robust testing.
• Embed cyber resilience and defensive capabilities throughout the organization, not just in individual components.
2. Build a hard-nosed "culture of security"
• Clearly, explicitly define who is responsible for cyber security.
• Ensure a holistic approach to information management and protection.
• Consider your organization a steward, not an owner, of personal data.
• Implement strong data protection policies.
• Get serious about effective user training.
Data protection policies matter*
*Source: Accenture survey, 2009.
3. Pay closer attention to applications
• Many serious breaches result from application-level weaknesses.
• Most developers have not included security in their applications, assuming the software would run inside a secure perimeter.
• Extend security to device level as well as to application layer.
• Measure security strength of off-the-shelf applications.
4. Reclaim access control
• Stop relying on authentication information (e.g. mother's maiden name) that has become more available or discoverable.
• Integrate strong authentication technologies with access management technologies.
• Biometrics (fingerprint, retinal scans) and smart cards are becoming more cost-effective.
• Embed pervasive security while maintaining ease of use (e.g. single sign-on, immediate access revocation, self-service functionality, real-time analysis).
• Consider two-factor authentication (e.g. smart card plus password).
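The two-factor login the slide recommends, worked through as an added example; this is not code from the Accenture deck. It assumes (as labelled in the comments) a constructed in-memory user store, PBKDF2 for the password factor, and an RFC 6238 TOTP app token as the "something you have" factor in place of the smart card the slide mentions; the class and function names are hypothetical. The point it adds to the bullet is the two checks a practitioner has to get right around the second factor: a skew window, and a replay guard so that a captured one-time code is never accepted twice.

```python
"""Added example: password + TOTP two-factor login check (not from the deck)."""
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 30  # TOTP time step in seconds (RFC 6238 default)
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


class TwoFactorAuthenticator:
    """Checks a password (something you know) and a TOTP code (something you have)."""

    def __init__(self):
        # Constructed in-memory store; a real deployment would use a directory or database.
        self.users = {}

    def register(self, username: str, password: str, totp_secret: bytes) -> None:
        # Constructed per-user salt for reproducibility; use os.urandom(16) in practice.
        salt = hashlib.sha256(username.encode()).digest()
        self.users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "totp_secret": totp_secret,
            "last_counter": -1,  # highest TOTP counter already accepted (replay guard)
        }

    def _password_ok(self, rec: dict, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, rec["pw_hash"])

    def _totp_ok(self, rec: dict, code: str, now: int, window: int = 1) -> bool:
        # Accept the current step and +/- `window` steps to tolerate clock skew, but never a
        # counter at or below the last accepted one, so a captured code cannot be replayed.
        current = now // STEP
        for counter in range(current - window, current + window + 1):
            if counter <= rec["last_counter"]:
                continue
            if hmac.compare_digest(hotp(rec["totp_secret"], counter), code):
                rec["last_counter"] = counter
                return True
        return False

    def login(self, username: str, password: str, code: str, now: int) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        # Password first, so a wrong password never consumes a valid one-time code.
        if not self._password_ok(rec, password):
            return False
        return self._totp_ok(rec, code, now)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (the ASCII string "12345678901234567890").
    secret = b"12345678901234567890"
    auth = TwoFactorAuthenticator()
    auth.register("alice", "correct horse battery staple", secret)
    now = 1_300_000_000  # constructed timestamp
    code = totp(secret, now)
    print("first login:", auth.login("alice", "correct horse battery staple", code, now))
    print("replayed code:", auth.login("alice", "correct horse battery staple", code, now))
```

`hotp` and `totp` reproduce the published RFC test vectors (counter 0 gives 755224; an 8-digit TOTP at T=59 gives 94287082), so the implementation can be checked against the standard rather than against itself. The replay guard is the detail most often missed in home-grown second factors: without `last_counter`, a code observed within the skew window remains valid for up to three time steps.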
5. Develop acute situational awareness
Situational awareness capability map
Up-level intelligence gathering and analysis:
• Must-have intelligence on threats
• Required knowledge of internal systems
• Essential information about incidents
Activate smart monitoring:
• Security data analytics
• Visibility on the network
• Construct an incident response process
6. Participate in information exchange
Defending against APT will take not only new models for enterprise IT, but also new models for information sharing
• The current impasse on information sharing has reached a point that requires legislation
• Sharing mechanisms must be real-time
• Incentives will be needed for organisations to collaborate rather than just receive
• Valuable role for government to remove the impediments to sharing:
– Liability issues
– Encouraging trust communities for CI or large enterprises
– Mechanisms to ensure source anonymity
• Organisations must start working with law enforcement
Manage executive expectations
• Stop thinking in terms of watertight security; there is no such thing.
• Fortress mentality must give way to a realistic, simplified and practical approach to IT security.
• What's needed is a cascaded, reflex-like security architecture.
• Complete data protection is a myth.
• Get attuned to regulations governing privacy and develop a risk-based approach to data privacy.
• Key questions to consider are:
– how to plan the right responses to leaks
– whether the data should be created or acquired in the first place.
Dr. Alastair MacWillson Global Managing Director
Security Practice
Accenture London
London 30 Fenchurch
Phone +44 20-7844-6131