Cyber Resilience Malta Association of Risk Management (MARM) Donald Tabone 24 June 2013


DESCRIPTION

Cyber Resilience presented at the Malta Association of Risk Management (MARM) Cybercrime Seminar of 24 June 2013 by Mr Donald Tabone. Mr Tabone, Associate Director and Head of Information Protection and Business Resilience Services at KPMG Malta, presented a six-point action plan corporate entities can follow in order to reach a sustainable level of cyber resilience.

TRANSCRIPT

Page 1: Cyber Resilience

Cyber Resilience

Malta Association of Risk Management (MARM)

Donald Tabone

24 June 2013

Page 2: Cyber Resilience

Agenda

1. Where are we coming from?

2. Cybercrime and threat actors

3. What the stats say

4. Who's being targeted?

5. Cause for concern?

6. Cyber resilience defined

7. A six-point plan to becoming resilient

Page 3: Cyber Resilience

Where are we coming from?

The foundations

• '62 J.C.R. Licklider introduced the idea of an "Intergalactic Network"

• '76 Dr. Robert Metcalfe invented Ethernet, running over coaxial cable

• '78 Gary Thuerk sent the first spam email, to 400 users of ARPANET

• '84 Dr. Jon Postel described his idea for .com, .org, .gov etc. in a series of RFCs

• '89 The World was the first ISP to offer commercial dial-up internet

• '92 CERN released the World Wide Web

The beginning of eCommerce

• '94 Pizza Hut offered online ordering through its website

• '95 Pierre Omidyar released AuctionWeb, which later became eBay

• '96 Hotmail was launched. The following year Microsoft bought it out for $400m

• '98 Google received funding to become Google Technology Incorporated

• '99 The Internet consisted of 19.5m hosts and over 1m websites

Page 4: Cyber Resilience

Where are we coming from?

The Dot-com bubble

• '00 The Dot-com bubble burst

• '03 Apple launched the iTunes store with 200,000 songs

• '03 The hacktivist group Anonymous was born

• '04 Google launched Gmail with 1 GB of storage

• '05 YouTube is launched. The following year Google bought it out for $1.6b

• '06 Twitter and Facebook came around

• '06 There are an estimated 92m websites online

40 years from its inception

• '09 Mobile data traffic exceeds voice traffic every single month

• '09 Cloud-based file hosting from the likes of Dropbox came around

• '10 Facebook announces it has reached 400m active members

• '10 Syria and China attempt to control Internet access

• '10 The WikiLeaks drama ensues whilst Anonymous conduct several cyber attacks on government, religious and corporate websites

• '11 Interest in virtualisation and cloud computing reaches its highest peak

• '13 The interest in BYOD and Big Data has reached a new high

Page 5: Cyber Resilience

Opportunity for crime

[Diagram: the www, our dependence on it, and the cybercrime and cyber criminals that dependence attracts]

As a result, we face new challenges related to:

• Our online privacy,

• The confidentiality and integrity of the data we entrust to online entities, and

• Our ability to conduct business on the net through the use of ecommerce web applications

Because of the nature of how the net works, accountability is also a challenge!

Page 6: Cyber Resilience

Threat actors (1)

Organised Crime

• Traditionally based in former Soviet republics (Russia, Belarus, Ukraine)

• Common attacks: theft of PII for resale, and misuse of resources for hosting illicit material

• Occasionally employ blackmail over availability (threats of denial-of-service attacks against companies) and over reputation (threats to expose individuals to embarrassment)

Page 7: Cyber Resilience

Threat actors (2)

State Sponsored

• Nations where commercial and state interests are closely aligned

• Military or intelligence assets deployed in commercial environments

• Limitless resources?

• Main aim: to achieve competitive advantage for domestic business

• Theft of commercial secrets (bid information, M&A details)

Page 8: Cyber Resilience


Just this week

Page 9: Cyber Resilience

Hacktivism

Will attack companies, organisations and individuals who are seen as being unethical or not doing the right thing

Hacking for fun… seriously!

Entire nations can be taken offline (Estonia, 2007)

Page 10: Cyber Resilience

Stolen information

• 18.5m people have been affected by PC theft

• 75% of data loss incidents in Retail were attributed to hacking

• 96% of data loss incidents in Media were attributed to hacking

Source: 2012 KPMG Data Loss Barometer

Page 11: Cyber Resilience

2012 KPMG cybercrime survey

Source: KPMG, A nuanced perspective on cybercrime, shifting viewpoints – call for action. The results were based on over 170 responses from CIOs/CISOs or professionals in related professions in the Netherlands.

Page 12: Cyber Resilience

Traditional crime, redefined?

3 Common Attacks

Network-based attacks

• Identify a target website

• Conduct network reconnaissance / mapping

• Engage in DDoS attacks to deny accessibility

• The result is direct loss of business

Spear phishing attacks

• Identify a target individual

• Build a profile / biography

• Directly target the individual with a personal email

• Trick the user into accessing a malicious website

• Implant malware and gain control of the device

• Use the compromised machine to obtain otherwise confidential information

Human-based attacks

• Human error incidents

• Insiders become the target as they are often trusted users

• Scorned / disgruntled employees

The reality is that cyber attackers and organised crime perpetrators often use a combination of attack avenues to profile a target and map out its internal systems – the information is readily available!

The consequences: competitive edge is eroded, organisation secrets are stolen, corporate reputations are damaged

Source: 2012 KPMG Cyber Vulnerability Index

Page 13: Cyber Resilience

Who are they targeting?

One study* conducted in the UK showed that small businesses suffer an estimated loss of £800m a year, averaging nearly £4000 per business

• 30% of its members were victims of fraud as a result of virus infections

• 50% hit by malware

• 8% victims of hacking

• 5% suffered security breaches

Meanwhile, a second recent cybercrime study** revealed that

• 53% of the British public is worried about the damage of cyber attacks

• 40% feel more vulnerable to cyber attacks now than a year ago

• 38% feel that their personal data exchanged with organisations they do business with may already have been compromised

Increased attack sophistication + inappropriate business response = UNCERTAINTY

Sources: * The study was carried out by the Federation of Small Businesses in the UK and is based on its 20000 members, http://www.fsb.org.uk/News.aspx?loc=pressroom&rec=8083, accessed 12/6/2013

** The study was conducted by PollOne in April 2013 for Tripwire on 1000 users, http://www.tripwire.com/company/research/survey-half-uk-population-worried-about-nation-state-cyber-attacks/, accessed 12/6/2013

Page 14: Cyber Resilience

In the US

The unverified losses that victims claimed in 2012 jumped 8.3% from $485m the previous year

[Chart: losses and complaints by year]

Sources: SC Magazine and Internet Crime Complaint Center

Page 15: Cyber Resilience

Why should you be concerned?

Meanwhile in a nondescript building … just outside of Shanghai, "Unit 61398" of the People's Liberation Army is the alleged source of Chinese hacking attacks…

Source: Businessweek.com

… although the Chinese government consistently denies its involvement in such activities, claiming that such allegations are "irresponsible and unprofessional"

Source: Hello, Unit 61398, The Economist, 19 February 2013, accessed 13/06/2013

Page 16: Cyber Resilience

Convictions?

Why should you be concerned?

The fight against cybercrime seems to be ongoing

• Romanian hacker Cezar Butu – 21 months in prison for compromising credit card processing systems

• Darnell Albert-El, 53 – 27 months in prison for hacking

• Steven Kim, 40 – 12 months in prison for stealing personal data

• Bruce Raisley, 48 – 24 months in prison for creating a botnet virus to launch DDoS attacks

• Shawn Reilly, 34 – 33 months in prison for committing 84 fraudulent wire transfers

• Eduard Arakelyan, 21, and Arman Vardanyan, 23 – 36 months in prison for theft of credit card information and bank fraud

• Sonya Martin, 45 – 30 months in prison for being part of a gang that evaded encryption

For comparison: 41 months, the sentence handed to Andrew Auernheimer (see References)

Sources: ValueWork, Help Net Security, SC Magazine

Page 17: Cyber Resilience

Next generation cybercrime threat?

What if hackers hijacked a key satellite? Could space be cybercrime's new frontier?

FACT #1: We have an overwhelming reliance on space technology for vital streams of information, which makes us acutely vulnerable!

FACT #2: Satellites are frightfully vulnerable to collisions, and there are over 5500 redundant (defunct) ones in orbit at the moment!

Source: The Independent, Space: the new cybercrime frontier, http://www.independent.co.uk/life-style/gadgets-and-tech/news/space-the-new-cyber-crime-frontier-8194801.html, accessed 16/2/2013

Page 18: Cyber Resilience

Juggling the risks

Risk Assessment: examine threats, determine the risk level

AIM: reduce organisational risk

• Risk Assumption: with appropriate due diligence, management accept the potential risk and continue operating

• Risk Alleviation: management approve the implementation of controls to lower risk to an acceptable level

• Risk Avoidance: eliminate the process that could cause the risk

• Risk Limitation: management limit the risk exposure by putting controls in place to limit the impact of a threat

• Risk Planning: manage risk by developing an architecture that prioritises, implements and maintains controls

• Risk Transference: management transfer the risk by using other options to compensate for a loss, e.g. purchasing an insurance policy

Page 19: Cyber Resilience

Risk Transference

Bespoke insurance products providing tailor-made policies targeting key professional liability exposures for technology companies

Page 20: Cyber Resilience

Becoming resilient – a six point action plan

" The ability of a system or a domain to withstand attacks or failures and in such events to re-establish itself quickly "

– Nigel Inkster, International Institute of Strategic Studies

Cyber Resilience:

1. Organisational readiness

2. Situational awareness

3. Cyber defence

4. Detection

5. Mitigation and containment

6. Recovery

Page 21: Cyber Resilience


#1 - Organisational Readiness

Corporate awareness

Ownership at the C-level

Assign the role and responsibility for information security oversight

Understand your business risks

Focus on your information and reputation

Share intelligence and experiences

Page 22: Cyber Resilience

#2 - Situational intelligence

Specialist knowledge

Keep abreast of the latest advanced threats

[Timeline of the threat: hacking for fame & glory; cybercrime moves into monetisation by criminal gangs; protest hacktivism, with Anonymous & LulzSec targeting corporate infrastructures; corporate espionage; disruption]

Know your information assets

Classify your information assets

" One of the problems is that we all tend to be technology professionals weathered by our experiences rather than looking at new ways of managing risk and gaining or using new sources of intelligence " - Pat Brady, Information Security Manager, National Australia Group

Page 23: Cyber Resilience

#3 – Cyber defence

Get a grip on infrastructure and access security

Assess the levels of staff awareness

Define strict access-control and remote-access policies

Ensure strong visitor procedures for key buildings

Keep your basic security controls in sight, e.g. password change policy

Infrastructure changes should trigger network configuration changes, allowing you to change the shape of the target

Page 24: Cyber Resilience


#4 – Detection

Develop the ability to detect attacks

Ensure you have an effective internal & external monitoring process

Scan outbound messages for abnormal volumes and patterns

Early recognition of a compromise is key to early reaction
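The "abnormal volumes and patterns" check above, as an added example that is not part of the presentation: a small Python script that reads outbound proxy log lines (constructed here; the log format, host names, destination address and the thresholds are assumptions) and flags (a) hosts whose total outbound volume is far above the fleet median, the crude signature of bulk data theft, and (b) host/destination pairs contacted at near-constant intervals, the check-in rhythm of much malware command-and-control.

```python
"""Outbound-traffic checks for the detection step: volume outliers and beaconing.

Added example; not code from the presentation. The log format below is an
assumed, simplified proxy log: "<ISO timestamp> <source host> <destination> <bytes out>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines (not real traffic). ws-042 sends ~50 KB to the
# same external address every five minutes while the other hosts browse normally.
SAMPLE_LOG = """\
2013-06-24T09:00:05 ws-017 mail.example.com 1200
2013-06-24T09:03:11 ws-017 intranet.example.com 800
2013-06-24T09:10:40 ws-017 cdn.example.net 2100
2013-06-24T09:00:12 ws-042 intranet.example.com 900
2013-06-24T09:05:00 ws-042 198.51.100.23 51200
2013-06-24T09:10:00 ws-042 198.51.100.23 50800
2013-06-24T09:15:00 ws-042 198.51.100.23 51500
2013-06-24T09:20:00 ws-042 198.51.100.23 50100
2013-06-24T09:25:00 ws-042 198.51.100.23 50900
2013-06-24T09:01:30 ws-103 mail.example.com 1500
2013-06-24T09:04:44 ws-103 cdn.example.net 1900
2013-06-24T09:09:02 ws-103 intranet.example.com 700
"""


def parse_log(text):
    """Parse log lines into (timestamp, host, destination, bytes_out) tuples.

    Malformed lines are skipped rather than aborting the run, so one bad
    record cannot blind the whole check.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dst, nbytes = parts
        try:
            events.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
        except ValueError:
            continue
    return events


def bytes_per_host(events):
    """Total outbound bytes per source host."""
    totals = defaultdict(int)
    for _, host, _, nbytes in events:
        totals[host] += nbytes
    return dict(totals)


def volume_outliers(totals, factor=5.0):
    """Hosts whose outbound volume exceeds `factor` times the fleet median.

    The median is used rather than the mean so that one noisy host cannot
    drag the baseline up and hide itself.
    """
    if not totals:
        return []
    baseline = median(totals.values())
    return sorted(host for host, total in totals.items() if total > factor * baseline)


def beacon_candidates(events, min_connections=4, max_jitter=0.1):
    """(host, destination, interval_seconds) for pairs contacted at near-constant intervals.

    Regular check-ins with little jitter are typical of command-and-control
    traffic; ordinary browsing is bursty and irregular.
    """
    stamps_by_pair = defaultdict(list)
    for ts, host, dst, _ in events:
        stamps_by_pair[(host, dst)].append(ts)
    found = []
    for (host, dst), stamps in stamps_by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        typical = median(gaps)
        if typical > 0 and all(abs(gap - typical) <= max_jitter * typical for gap in gaps):
            found.append((host, dst, typical))
    return found


def report(text):
    """Run both checks over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "volume_outliers": volume_outliers(bytes_per_host(events)),
        "beacons": beacon_candidates(events),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample data the script names ws-042 on both counts. In production the volume baseline should be each host's own history rather than a same-day fleet median, which a single-purpose server would trip every day, and the jitter tolerance needs tuning: malware that randomises its sleep by more than the allowed 10% slips past the beacon check, so it complements, rather than replaces, destination reputation and proxy category checks.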

Page 25: Cyber Resilience

#5 – Mitigation and containment

The aim is to limit the damage to your services and reputation

Limit the impact / shut down the source

Being prepared is the key

Contingency planning – define and review your plans

Ensure adequate testing of business continuity plans

Prepared PR statements

Plans to have in place:

• Continuity of Operations Plan

• Disaster Recovery Plan

• IT / Network Contingency Plans

• Crisis Communication Plan

• Cyber Incident Plan

• Occupant Emergency Plan

Page 26: Cyber Resilience

#6 – Recovery

You need to develop the ability to re-establish normal service

Your survival as a business depends on it

Apply the lessons learnt

Give feedback to senior executives:

• Here's what happened to us

• This is how we reacted

• This is what we've done to mitigate / prevent it

Page 27: Cyber Resilience

Conclusions

Some final thoughts..

• The cybercrime threat is real and here to stay

• It's NOT a question of IF but WHEN

• Be prepared for incidents

• Ensure security awareness across departments

• Protect your information assets, regardless of where they are held

• Ensure adequate crisis management across departments

• Align individual goals with the organisation's cyber security ambitions

• Cyber risk teams need to consist of flexible people who can build relationships across departments

• Take a pragmatic approach to investing in your defences – overinvesting is a real danger

[Diagram: cyber resiliency as the overlap of business continuity, IT service continuity and management functions, built up through awareness, knowledge, controls, detection, mitigation and recovery]

BEING PROACTIVE IS THE NAME OF THE GAME

Page 28: Cyber Resilience

References

Andrew Auernheimer, http://en.wikipedia.org/wiki/Weev

Bandit Country, Amir Singh, Chartech, March/April 2013

Cyber Crime Study Reveals Uncertainty, http://www.tripwire.com/state-of-security/it-security-data-protection/cyber-security/viewpoints-on-cyber-crime-reveal-uncertainty/

Eight cyber crooks who got less prison time than Andrew Auernheimer, http://www.scmagazine.com/here-are-eight-cyber-crooks-who-got-less-prison-time-than-andrew-auernheimer/article/284928/

KPMG Data Loss Barometer 2012, http://www.kpmg.com/uk/en/services/advisory/risk-consulting/pages/data-loss-barometer-2012.aspx

KPMG Seven ways to beat cyber crime, http://www.kpmg.com/UK/en/IssuesAndInsights/ArticlesPublications/Documents/PDF/Advisory/seven-ways-beat-cyber-crime-nov2012.pdf

KPMG Shifting viewpoints - A nuanced perspective on cybercrime, http://www.kpmg.com/NL/en/Issues-And-Insights/ArticlesPublications/Pages/Shifting-viewpoints.aspx

Microsoft and FBI disrupt global cybercrime ring, http://www.net-security.org/malware_news.php?id=2511

Most small businesses can't restore all data after a cyber attack, http://www.net-security.org/secworld.php?id=15012

Operation cyber taskforce, Gerry O'Neill, Chartech, March/April 2013

Space: the new cyber crime frontier, http://www.independent.co.uk/life-style/gadgets-and-tech/news/space-the-new-cyber-crime-frontier-8194801.html

The cost of cybercrime, http://securityaffairs.co/wordpress/14628/cyber-crime/cost-of-cybercrime-for-uk-small-businesses.html

Page 29: Cyber Resilience

Thank you!

Donald Tabone B.Sc. (Hons), LL.M. (Strath)

[email protected]