Cyber Security Transformation – A New Approach for 2015 and Beyond Daryl Pereira Partner ASEAN Management Consulting KPMG

Upload: knowledge-group

Post on 16-Jul-2015


TRANSCRIPT

Page 1 (title slide)

Page 2

© 2015 KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Cyber Threat Landscape has Evolved

Forecast by the World Economic Forum: delays in adopting cyber security capabilities could result in a US$3 trillion loss in economic value by 2020.

Figure 1: Top 5 Global Risks in Terms of Likelihood, 2014 (Source: World Economic Forum, “Global Risks 2014”)

Figure 2: Source: World Economic Forum, “Global Risks 2014”

World Economic Forum: cyber attacks are one of the Top 5 Global Risks in Terms of Likelihood in 2014 (they were absent from the 2013 list).

Page 3

Cyber Security is now the World’s 3rd Corporate-Risk Priority Overall

Corporate risk priorities and attitudes among 588 C-Suite and board level executives*

Survey respondents distributed across Asia-Pacific (31%), Europe (28%), North America (26%), Latin America (10%) and South Africa (5%).

*Source: Lloyd’s Risk Index 2013

Page 4

Increasing Scale and Impact of Cyber Attacks

Incidents on the slide timeline (grouped as 2008 to 2012, 2013 and 2014):
- J.P. Morgan Chase: PII of 83M customers stolen
- Home Depot: 56 million payment cards compromised
- Sony: company's inner workings completely exposed
- South Korea: records of 27M bank customers stolen
- SCB: confidential information on 647 private bank clients stolen
- Target: 40M credit card records and 70M customer PII compromised
- BankMuscat and Rakbank: hackers stole a total of US$45M
- GhostNet: large-scale cyber spying operation
- Subway: 80,000 customer credit and debit card records lost
- Global Payment Systems: 1.5M credit card records and 5.5M consumer records compromised

The FS industry topped the list of 26 different industries targeted by cyber criminals*

*Source: Mandiant 2013

Page 5

Who are the “Threat Actors” and the Targets?

Threat Actors
- Hacktivists (e.g. WikiLeaks, Anonymous, LulzSec)
- Malicious Insiders (e.g. Bradley Manning and the U.S. Department of State memos)
- Cyber Mafia: organised crime (e.g. stealing credit card numbers)
- Cyber Warfare: state-sponsored and corporate espionage (e.g. Night Dragon, Stuxnet, Duqu, Shamoon)

Targets
- Customer Data
- Intellectual Property Data
- Merger & Acquisition Transaction Information
- Senior Executive Emails
- Control Systems
- Process Control Networks (supporting exploration & production activity)
- Network and connectivity data
- Operational and asset-specific data

Page 6

Recent Cyber Security Incident – Retail sector: Target – 2014 (the intrusion itself ran from November to December 2013)

Observation
- A phishing email was sent to an HVAC vendor; the stolen credentials were then used to access Target's purchase/order and billing system
- Malware was installed on POS terminals

Impact
- 40M credit card records and 70M customer PID compromised
- US$61M in breach-related cost as of Feb 2014
- Target could be facing losses of up to US$420 million as a result of this breach
- CIO and CEO resigned
- Will spend US$100M to upgrade its payment system

Page 7

Recent Cyber Security Incident – Insurance sector: Anthem – 2015

Observation
- Targeted attack (APT) by a cyber espionage group
- Malicious look-alike WellPoint / Anthem infrastructure was set up on the Internet
- The same infrastructure and malware were also used in an attack on a US defence contractor

Impact
- PID of 80 million customers and clients stolen, including Social Security Numbers
- Biggest data theft in the healthcare industry
- Reputational loss for Anthem regarding IT security

Page 8

Recent Cyber Security Incident – Banking sector: JP Morgan – 2014

Observation
- Hackers stole the login credentials of a J.P. Morgan employee in spring 2014
- 12 other major US financial institutions were targeted alongside J.P. Morgan

Impact
- PID of 76 million households stolen, including email addresses, home addresses and phone numbers
- PID of 7 million small businesses stolen
- Computer security budget to be doubled over the next 5 years to US$250M

Page 9

Recent Cyber Security Incident – Banking sector (outsourced vendor): Standard Chartered Bank & Fuji Xerox – 2013

Observation
- Information was stolen from a third-party vendor printing facility at Fuji Xerox Singapore
- The attack was executed by a hacktivist

Impact
- Financial data of 647 private bank clients stolen
- Reputational and financial damage
- Reputational loss for the Private Bank business
- MAS said it took “appropriate supervisory actions” against SCB

Page 10

Recent Cyber Security Incident – Entertainment sector: Sony Pictures – 2014

Observation
- North Korea was blamed for the attack
- By the time the breach was discovered, Sony had been infiltrated for a year

Impact
- Company's inner workings completely exposed
- Sensitive personal and corporate data leaked, including emails, salaries and unreleased movies
- Massive impact on Sony Pictures, its employees and clients

Page 11

“Are we prepared and resilient against cyber attacks?”

Six domains to answer that question:
- Leadership and Governance
- Human Factors
- Information Risk Management
- Business Continuity and Crisis Management
- Operations and Technology
- Legal and Compliance

Page 12

Cyber Security Transformation Lever 1: Implementing a strategic, institution-wide approach to cyber security

Cyber security domains:
- Leadership & Governance
- Human Factors
- Information Risk Management
- BCM / Crisis Management
- Operations & Technology
- Legal & Compliance

- Cyber risk governance driven by the Board, and cyber risk strategy driven at Executive level as an integral part of corporate strategy. This looks beyond technical preparedness and takes a holistic view of people, process and technology.
- The human factors in the defence chain must be strengthened as part of a cyber risk aware culture.
- Focus on risk-based mitigation, early detection, robust response, automation and analytics to create internal and external risk transparency.
- Resiliency and the ability to quickly return to normal operations or repair damage.
- A dedicated cyber security operations centre (SOC) to be established, using a threat intelligence driven approach to security.
- Cyber security collaboration to be extended beyond company walls to address common enemies.

Page 13

Cyber Security Transformation Lever 2: Actionable Threat Intelligence is the key to managing evolving cyber threats

Prevention will ultimately fail. Actionable threat intelligence combined with detection and response capability is the key.

Prevent
Protecting customers and your own infrastructure requires measures at the people, process and technology layers.

Detect
Real-time detection of incidents and fraudulent transactions requires correlation of information from various data sources. It is important to monitor customer behaviour, transactions, and log files from applications and systems.
Incident detection will not function properly without adequate processes and trained people for detection rule management.

Respond
Incident response capability is built by drafting playbooks, performing regular incident response exercises and doing red team testing.
The capability to delay transactions for fraud investigations, together with trained call centre employees, is the most important factor in being able to respond to modern online banking attacks.

Threat Intelligence
Acquiring external threat information is necessary to keep an up-to-date view of current and future threats to your organisation.
Best practices include connecting external intelligence sources, information sharing with other banks and other industries, and cooperation with police and law enforcement.
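The Detect and Respond points above (correlate customer behaviour, transactions and system logs; be able to delay a transaction for fraud investigation) in working form. This is an added illustration, not KPMG's or any bank's code: the two log formats, the customer profiles, the scoring weights and the alert/hold thresholds are all assumptions, and the sample events are constructed.

```python
"""Correlate an authentication log with a payments log for the same customer
and decide whether a transfer is released, alerted on, or held for a fraud
investigation. Added illustration: log layout, profiles, weights and
thresholds are assumptions chosen to show the correlation idea."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (one JSON object per line) from two sources:
# "auth" (login / password-reset events) and "pay" (payee and transfer events).
SAMPLE_LOGS = """
{"src":"auth","ts":"2015-03-01T09:00:00","cust":"c1","event":"login","country":"SG","device":"d-known"}
{"src":"pay","ts":"2015-03-01T09:05:00","cust":"c1","event":"transfer","amount":120.0,"payee":"p-rent"}
{"src":"auth","ts":"2015-03-01T10:00:00","cust":"c2","event":"login","country":"SG","device":"d-c2"}
{"src":"pay","ts":"2015-03-01T10:02:00","cust":"c2","event":"transfer","amount":50.0,"payee":"p-shop"}
{"src":"auth","ts":"2015-03-01T22:10:00","cust":"c1","event":"pw_reset","country":"RU","device":"d-new"}
{"src":"auth","ts":"2015-03-01T22:11:00","cust":"c1","event":"login","country":"RU","device":"d-new"}
{"src":"pay","ts":"2015-03-01T22:14:00","cust":"c1","event":"add_payee","payee":"p-mule"}
{"src":"pay","ts":"2015-03-01T22:15:00","cust":"c1","event":"transfer","amount":9500.0,"payee":"p-mule"}
"""

# Constructed customer profiles: countries and devices seen in trusted history.
# A real system would learn these from months of clean logins.
PROFILES = {
    "c1": {"countries": {"SG"}, "devices": {"d-known"}},
    "c2": {"countries": {"SG"}, "devices": {"d-c2"}},
}

WINDOW = timedelta(minutes=30)  # assumed look-back for risky context before a transfer
LARGE_AMOUNT = 5000.0           # assumed single-transfer review threshold
ALERT_SCORE = 3                 # assumed: notify the fraud team, let the transfer proceed
HOLD_SCORE = 5                  # assumed: delay the transfer pending investigation


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    events.sort(key=lambda e: e["ts"])
    return events


def score_transfer(transfer, context, profile):
    """Score one transfer against the customer's events inside the look-back
    window. Each rule adds its own reason so an analyst can see why it fired."""
    score, reasons = 0, []
    if any(x["event"] == "pw_reset" for x in context):
        score += 3
        reasons.append("password reset in window")
    for x in context:
        if x["event"] != "login":
            continue
        if x["country"] not in profile["countries"]:
            score += 2
            reasons.append("login from new country " + x["country"])
        if x["device"] not in profile["devices"]:
            score += 2
            reasons.append("login from new device " + x["device"])
    if any(x["event"] == "add_payee" and x["payee"] == transfer["payee"] for x in context):
        score += 2
        reasons.append("transfer to payee added in window")
    if transfer["amount"] >= LARGE_AMOUNT:
        score += 2
        reasons.append("large amount")
    return score, reasons


def correlate(events, profiles):
    """Join both log sources per customer and return alert/hold decisions."""
    by_cust = defaultdict(list)
    for e in events:
        by_cust[e["cust"]].append(e)
    decisions = []
    for cust, evs in by_cust.items():
        profile = profiles.get(cust, {"countries": set(), "devices": set()})
        for i, e in enumerate(evs):
            if e["src"] != "pay" or e["event"] != "transfer":
                continue
            context = [x for x in evs[:i] if e["ts"] - x["ts"] <= WINDOW]
            score, reasons = score_transfer(e, context, profile)
            if score >= HOLD_SCORE:
                action = "hold"
            elif score >= ALERT_SCORE:
                action = "alert"
            else:
                continue  # released without an alert
            decisions.append({"cust": cust, "ts": e["ts"].isoformat(),
                              "amount": e["amount"], "score": score,
                              "action": action, "reasons": reasons})
    return decisions


def run_sample():
    return correlate(parse_events(SAMPLE_LOGS), PROFILES)


if __name__ == "__main__":
    for d in run_sample():
        print(d["action"].upper(), d["cust"], d["amount"], "; ".join(d["reasons"]))
```

On the constructed data the 09:05 and 10:02 transfers are released silently, while the 22:15 transfer is held: a password reset, a login from an unseen country and device, a payee added minutes earlier and a large amount all fall inside one window, and no single source on its own would have shown that picture. The reasons list is what the trained call-centre staff from the Respond point need when the customer phones about the delayed transfer.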

Page 14

Leadership and Governance
Board and Senior Management's governance, ownership, and effective management of risk.

What went wrong?
- Sony Pictures: insufficient understanding of cyber risk by senior management
- Target: insufficient oversight of IT risk by the CEO and CIO

How can this be addressed?
- Increased awareness of senior management of cyber security risks
- Accountability and responsibility for IT risk extended to the Board, CEO and senior management

What should you do?
- Training & awareness of all management and staff on cyber risks
- Better threat intelligence
- Establish institution-wide accountability for managing cyber risks
- Raise cyber security to the Board & senior management agenda

Page 15

Human Factors
Level of security-focused culture that empowers and ensures the right people, skills, culture and knowledge.

What went wrong?
- Subway: POS systems were accessed over the Internet using remote access software, because a default password had not been changed by staff
- Standard Chartered Bank: information stolen from the servers of a third-party vendor providing printing services

How can this be addressed?
- Proper security awareness programmes for employees
- Upgrade the security skills and capabilities of staff maintaining customer data and third-party servers

What should you do?
- Training and awareness programmes
- Tone from the top: leadership to demonstrate a security/risk mindset to rank-and-file teams
- Process to assure appropriate skills and capabilities of vendor staff
- Extension of security policies and HR policies to vendors/3rd parties

Page 16

Information Risk Management
The approach to achieving comprehensive and effective risk management of information throughout the organisation and its delivery and supply partners.

What went wrong?
- Sony Pictures: all sensitive personal and corporate information was stolen
- Standard Chartered Bank: intrusion of vendor servers containing customer data was not detected

How can this be addressed?
- Establish an information classification process together with Data Loss Prevention solutions
- Detection tools and security assessments should cover all servers that connect to an external network

What should you do?
- Integration of information classification into security architecture design
- Data governance
- Detection mechanisms and alerts
- Analytics to correlate unusual customer behaviour, transactions and log files from applications and systems
- Information sharing and data loss prevention

Page 17

Business Continuity and Crisis Management
The preparations for a security event and the ability to prevent or minimise the impact through successful crisis and stakeholder management.

What went wrong?
- Sony Pictures: employees had to go back to pen and paper
- Target: information about the breach was announced too late, causing public backlash

How can this be addressed?
- Backup & recovery coupled with a resilient system architecture
- Improvement of communication to the public

What should you do?
- Business continuity with cyber resiliency
- Cyber incident response embedded into the Crisis Management process
- Business continuity plan incorporated as part of cyber security readiness
- Internal and external stakeholder management

Page 18

Operations and Technology
The level of control measures implemented within the organisation to address identified risks and minimise the impact of compromise.

What went wrong?
- J.P. Morgan Chase: 2FA missing on one neglected server
- Target: intrusion/malware was detected but Security Ops did not follow up

How can this be addressed?
- Rollout of security services on all assets and proper vulnerability management
- Effective incident management process: diagnosis, prioritisation and fast response

What should you do?
- Threat and vulnerability management
- Asset lifecycle management
- Network security
- Network segmentation/isolation
- Incident response: drafting playbooks, performing regular incident response exercises, doing red team testing
- Actionable threat intelligence
- Physical security
- Personnel security
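The "one neglected server" problem above, and the earlier point that detection tools and assessments must cover every server that touches an external network, both come down to reconciling the asset inventory against what each control actually covers. The script below is an added illustration, not KPMG's code: the CSV layout, hostnames, dates and the monthly scan policy are constructed assumptions.

```python
"""Reconcile the asset inventory against control-coverage exports to surface
neglected servers: assets missing 2FA on their admin path, an endpoint agent,
a recent vulnerability scan, or a named owner, plus hosts a control knows
about that the inventory does not. Added illustration with constructed data."""
import csv
import io
from datetime import date, timedelta

# Constructed exports. In practice these come from the CMDB, the VPN/IdP
# policy, the endpoint console and the scanner, and they never fully agree.
INVENTORY_CSV = """host,owner,internet_facing
web-01,apps,yes
vpn-02,network,yes
legacy-07,unknown,yes
db-03,data,no
"""
MFA_ENFORCED = {"web-01", "vpn-02", "db-03"}              # admin login requires 2FA
AGENT_INSTALLED = {"web-01", "vpn-02", "db-03", "test-09"}  # endpoint agent reporting in
LAST_SCAN = {"web-01": "2015-06-20", "vpn-02": "2015-06-18", "db-03": "2015-03-01"}

SCAN_MAX_AGE = timedelta(days=30)  # assumed policy: every asset scanned at least monthly


def coverage_gaps(inventory_csv, mfa, agents, last_scan, today):
    """Return one record per asset with a missing control. Internet-facing
    assets sort first, then the most gaps, so the worst exposure is on top."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    gaps = []
    for row in rows:
        host = row["host"]
        missing = []
        if host not in mfa:
            missing.append("2fa")
        if host not in agents:
            missing.append("agent")
        scanned = last_scan.get(host)
        if scanned is None or today - date.fromisoformat(scanned) > SCAN_MAX_AGE:
            missing.append("scan")
        if row["owner"] == "unknown":
            missing.append("owner")  # nobody to action the finding
        if missing:
            gaps.append({"host": host,
                         "internet_facing": row["internet_facing"] == "yes",
                         "missing": missing})
    # Hosts a control has seen but the inventory has not: shadow assets.
    inventoried = {r["host"] for r in rows}
    for host in sorted((set(mfa) | set(agents) | set(last_scan)) - inventoried):
        gaps.append({"host": host, "internet_facing": False, "missing": ["inventory"]})
    gaps.sort(key=lambda g: (not g["internet_facing"], -len(g["missing"]), g["host"]))
    return gaps


def run_sample(today=date(2015, 7, 1)):
    return coverage_gaps(INVENTORY_CSV, MFA_ENFORCED, AGENT_INSTALLED, LAST_SCAN, today)


if __name__ == "__main__":
    for g in run_sample():
        exposure = "INTERNET-FACING" if g["internet_facing"] else "internal"
        print(f"{g['host']:<10} {exposure:<15} missing: {', '.join(g['missing'])}")
```

Run against the constructed data it puts legacy-07 at the top (internet-facing, no 2FA, no agent, never scanned, no owner), then db-03 (last scan older than the policy) and test-09 (known to the endpoint console, absent from the inventory). The useful habit is to run this on every export cycle and treat a non-empty internet-facing list as an incident, not a report.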

Page 19

Legal and Compliance
Regulatory, international standards and laws relevant to your organisation (e.g. ISO 27000, PCI-DSS, data privacy laws, TRM regulatory requirements, NIST).

What went wrong?
- Standard Chartered Bank: information on 647 of its private bank clients stolen through an outsourced vendor's server
- Sony Pictures: faces several lawsuits over violations relating to PID storage

How can this be addressed?
- The bank needs to extend cyber security practices to all outsourced arrangements (a new regulatory mandate)
- Legal department to address new cyber laws for the processing and storage of sensitive information

What should you do?
- Outsourcing governance & risk management framework
- Outsourcing gap analysis and audit review
- Legislative compliance
- Role of the audit committee
- Threat intelligence and information sharing across other industries
- Collaboration with industry peers to address common enemies

Page 20

Conclusion

Cyber Security Frameworks: ISO 27032 (Cyber Security), MAS/HKMA TRM Guidelines, NIST, COBIT, etc.

Three pillars:
- Strategic, institution-wide approach
- Actionable Threat Intelligence
- Cyber Security Readiness

Page 21

Appendix: KPMG Cyber Security Framework

- Cyber Maturity Assessment (CMA)
- Cyber Security Strategy
- Cyber Gaming
- Cyber Defense Operating Model Design
- Identity and Access Management
- Security and Technology Assessments
- Certification Services
- Development and Implementation of Threat Intelligence Operating Models
- Design and Implementation of Security Operations Centers
- Cyber Attack Detection
- Rapid Response Teams
- Forensic Evidence Recovery and Investigation
- Advanced Training and Cyber Response Capability Development
- Board Training
- Enterprise Risk Management and Implementation
- Business Continuity Planning
- Behavioral Change Management
- Design and Delivery of Institution-wide Cyber Security Transformation Programs

Page 22

Contact Details

[email protected] RISK & REGULATION | COST & EFFICIENCY | CUSTOMER & GROWTH


DARYL PEREIRA Partner ASEAN Management Consulting KPMG Tel: +65 6411 8116