Nathan Desfontaines
Removing Fear, Uncertainty and Doubt
The Proactive Approach to Cyber Security
2016
© 2016 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of
independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has
any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG
International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584
THE THREAT CONTINUES TO RISE
WHAT OUR SURVEYS HAVE FOUND
• Concern over cyber attacks has grown by 7%, with 37% believing they are a target for cyber attacks.
• 76% have seen an increase in the rate of cyber attacks.
• 38% have had to deal with 1 or more major cyber security incidents in the last 12 months.
AN EVER-CHANGING THREAT LANDSCAPE
BE IN A DEFENSIBLE POSITION, BE CYBER RESILIENT
• Extortion-driven attacks and ransomware attempts will increase
• Pressure to disclose data breaches and threat responses will intensify
• Widespread use of mobile devices and IoT brings a parallel increase in risk
• Organisations will make greater use of real-time intelligence tools to monitor attacks
• Organisations will focus much more on risks posed by third party vendors and suppliers
CYBER REMAINS A CONCERN FOR IT
NEW THREATS PUT STRAIN ON EXISTING IT SECURITY CONTROLS
Three significant reasons as to why cyber security will remain a key concern for IT managers:
1. Widespread use of new platforms
2. Increasingly available and simple to use exploit kits
3. Attacks are becoming more sophisticated and have specific targets

NEW PLATFORMS, NEW THREATS
MORE USERS + MORE DEVICES = MORE RISK
Impersonation
• SMS Redirection
• Sending Email Messages
• Posting to Social Media
Financial
• Stealing Transaction Authentication Numbers (TANs)
• Extortion via Ransomware
• Fake Antivirus
• Premium Calls and SMSs
Data Theft
• Account Details
• Contacts
• Call Logs
• Application Data
Surveillance
• Audio
• Camera
• Call Logs
• Location
• SMS Messages
WHAT IS BEING STOLEN?
“Thousands of South Africans have fallen victim to phishing and other types of cyber fraud, and financial institutions have lost in excess of R80-million and continue to lose money every day as a result.”
Dries Morris, Securicom
MOTIVATIONS HAVE CHANGED
FROM “TARGET OF OPPORTUNITY” TO “TARGET OF CHOICE”

Yesterday…
Bad “actors”
• Isolated criminals
• “Script kiddies”
Targets
• Identity theft
• Self-promotion opportunities
• Theft of services
“Target of opportunity”

Today…
Bad “actors”
• Organized criminals
• Nation states
• Hacktivists
• Insiders
Targets
• Intellectual property
• Financial information
• Strategic access
“Target of choice”
RECENT ATTACKS – RANSOMWARE
WHEN ALL YOUR DATA IS ENCRYPTED, RESISTANCE IS FUTILE
Ransomware – Malware that infects the target host and encrypts all of its data, thereby holding the victim hostage
• Looks legitimate to the unsuspecting user
• The user is extorted for money
• The tactic achieves Fear, Uncertainty and Doubt
• The alternative – “in order to resolve the situation in an above-mentioned way you should pay a fine of $300”
RECENT ATTACKS – HACKING
CORPORATES UNDER SIEGE
Anonymous – Thousands of South African websites were hacked in February 2016. The hacking group found a vulnerability in shared hosting servers:
• The servers are old and vulnerable, with legacy websites that are out of date
• Opportunistic attacks are evolving into targeted attacks
• Advanced cyber controls are now a necessity, not a leading practice
RECENT ATTACKS – DATA BREACH
LIFE IS SHORT, HAVE AN AFFAIR, WHAT’S THE WORST THAT CAN HAPPEN
In July Ashley Madison, an online platform for would-be adulterers with the slogan “Life is short. Have an Affair”, was hacked.
• Data from about 31 million accounts was breached, with sensitive information about the users being published
• The data breach led to the resignation of the website’s CEO
• Ashley Madison is now facing multiple lawsuits for failing to take proper security measures to protect its users’ information
RECENT ATTACKS – INDUSTRIAL
NATIONS UNDER SIEGE
BlackEnergy – In December 2015 over 1.4 million people were left without electricity in the Ivano-Frankivsk region, Ukraine.
• The BlackEnergy backdoor plants a KillDisk component which renders computers unbootable
• Infection is through Microsoft Office files containing malicious macros
• The virus can overwrite its corresponding executable file on the hard drive with random data, which makes restoration of the system more difficult
A BIT MORE DETAIL ON BREACHES
EACH YEAR BREACHES CONTINUE TO RISE IN SCALE AND IMPACT
• Sony Pictures – Sony was attacked by ransomware which resulted in a complete shutdown as its computers in New York and around the world were infiltrated, encrypting workstations and data drives. The hacker group claimed to have obtained corporate secrets and threatened to reveal said secrets if Sony didn’t meet their demands. (LA Times, 2014)
• Heartland – Credit card payment processing company Heartland was hacked in 2008. This hack affected an estimated 130 million customers, with Heartland having to pay $110 million back to Visa, MasterCard and American Express. This hack is rated as the biggest credit card hack. (CNN Money, 2014)
• Target – Target holds the title for the biggest retail hack in history, losing 40 million credit card numbers to the hackers, who used malware to infiltrate the Target systems and capture credit card numbers at one of the stores’ busiest times of the year, Thanksgiving and Christmas. Target is facing more than 90 lawsuits from customers and banks for negligence and compensatory damages. (Bloomberg, 2014)
CLOSING THE LOOP
3 KEY PRINCIPLES
1. What are we trying to protect and from whom? Getting an up-to-date, detailed snapshot of the current cyber threat landscape that is understood by all
2. Accept the fact that a breach is inevitable. Whether or not your organisation is doing enough due diligence to mitigate risks, preparing for a breach is now mandatory
3. Focus on early detection and response. Real-time intelligence solutions, heads-up situational awareness and proactive “hunting” of incidents are the new status quo
THINKING BROADER THAN CIA
APPROACHES TO CYBER SECURITY HAVE CHANGED

RED TEAM EXERCISES
Test your processes and systems in a real-life simulation, providing assurance on your ability to respond rather than prevent.

INTRUSION TOLERANCE: ASSUME THAT INTRUSIONS HAVE HAPPENED AND WILL HAPPEN
We must maximize the probability that we can tolerate the direct effect of those intrusions, and that whatever damage is done by the intruder, the system can continue to do its job to the extent possible.

DEPLOYMENT OF SECURITY INTELLIGENCE SYSTEMS
Ponemon says this provides a substantially higher ROI (at 23 percent) than all other technology categories surveyed.
RED TEAMING + IS INTELLIGENCE LED
UTILISE “ALL SOURCES” TO SUPPORT AN EXHAUSTIVE TEST STRATEGY
Understand your adversaries and their tactics, model their attack vectors, and then test exhaustively to obtain the necessary intelligence to adapt your defenses.
“The lion fish has adapted to ward off threats in the most challenging and irregular environments.”
ADAPT AND SURVIVE
ANALYTICS AND DATA CAN SAVE US
“New behavioural analytics solutions and threat data analytics platforms such as FireEye and DarkTrace emulate the human immune system to protect us – understanding what belongs and what does not”
A combination of protection, early warning signals and instant remediation against sophisticated attacks is a proactive stance.
WHO, WHAT, WHEN?
UNDERSTANDING YOUR RISK
Your Organisation
Privileged insider
Trusted insider
Insider Organisation
Group
Nation-state

Threat actor levels, by capability and motivation:
Level 0
  Capability: none (X)
  Motivation: No interest in attacking the system
Level 1
  Capability: Opportunistic attacks
  Motivation: May casually investigate or attack a system if exposed to it, but not by design
Level 2
  Capability: Some IT knowledge and resources for basic attacks (including the use of free malware, non-zero-day attacks)
  Motivation: Actor will attempt to attack the system, but as a one-person, part-time attack
Level 3
  Capability: Considerable IT knowledge, however actors lack the capability and resources to implement sophisticated attacks
  Motivation: Focused on the system; full-time attacker, with support from part-timers
Level 4
  Capability: Very capable, with the resources to execute sophisticated attacks using zero-day exploits involving significant customisation
  Motivation: Attacks the system frequently or constantly; several people; will bribe or coerce
Level 5
  Capability: Sophisticated attacks, well-funded and resourced
  Motivation: Absolute priority, employing detailed research in conjunction with social engineering, bribery and coercion
THE ANATOMY OF AN ATTACK
THE LOCKHEED INTRUSION KILL CHAIN
“The realm of digital security is an open-ended arms race between system defenses on the one hand and creative, highly persistent attackers on the other”
PROTECTION ISN’T ENOUGH
CYBER SECURITY DEMANDS THE FULL MONTY
What is that holy grail of security?
• IPS/IDS
• ISO 27001
• IAM
• Encryption at rest
• Anti-Virus
• Server isolation
• Strong governance, policies and procedures
• Application whitelisting
• Memory blocking
• Privileged access management
THE 5 COMMON MISTAKES
100% SECURITY IS NOT FEASIBLE NOR APPROPRIATE
Mistake #1: “We have to achieve 100 percent security.”
Reality: 100 percent security is neither feasible nor the appropriate goal.
THE 5 COMMON MISTAKES
TECHNOLOGY IS NOT THE BE ALL AND END ALL
Mistake #2: “When we invest in best-in-class technical tools, we are safe.”
Reality: Effective cybersecurity is less dependent on technology than you think.
THE 5 COMMON MISTAKES
YOU DON’T NEED TO ARM YOURSELF TO THE TEETH
Mistake #3: “Our weapons have to be better than those of our attackers.”
Reality: The security policy should primarily be determined by your goals, not those of your attacker.
THE 5 COMMON MISTAKES
BEHAVIOURAL ANALYTICS IS THE FUTURE OF MONITORING
Mistake #4: “Cybersecurity compliance is all about effective monitoring.”
Reality: The ability to learn is just as important as the ability to monitor.
THE 5 COMMON MISTAKES
EVERYONE IS RESPONSIBLE FOR CYBER SECURITY
Mistake #5: “We need to recruit the best professionals to defend ourselves against cybercrime.”
Reality: Cybersecurity is not a department, but an attitude.
KNOWING ATTACKS WILL OCCUR IS THE FIRST STEP TO RECOVERY

PREPARE FOR THE WORST SO YOU CAN RESPOND AT YOUR BEST
• Train or outsource the capability to respond to a potential threat
• Establish a data breach team
• Make sure everybody knows what their responsibilities are

WHAT EXACTLY AM I PROTECTING
• Understand what you are trying to protect – you can’t effectively protect everything (what are your crown jewels?).
• Make sure the threats and opportunities are understood are

EARLY DETECTION AND RESPONSE IS EVERYTHING
• Traditional monitoring is no longer effective
• Monitoring is an art, don’t rush it
• Being sure how to respond is key

BUILD AN ECO-SYSTEM
• This should not be an island
• It should integrate into the business of IT
• It should integrate across people, processes and technology
TAKING AN HOLISTIC APPROACH
KPMG’S CYBER MATURITY MODEL
Nathan Desfontaines
Cyber Security Manager
• 082 719 2426
The information contained herein is of a general nature and is not
intended to address the circumstances of any particular individual or
entity. Although we endeavour to provide accurate and timely
information, there can be no guarantee that such information is
accurate as of the date it is received or that it will continue to be
accurate in the future. No one should act on such information
without appropriate professional advice after a thorough
examination of the particular situation.
KEEP IN TOUCH