cyber security transformation - a new approach for 2015 & beyond - daryl pereira
TRANSCRIPT
Cyber Security Transformation – A New Approach for 2015 and Beyond Daryl Pereira Partner ASEAN Management Consulting KPMG
2 © 2015 KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Cyber Threat Landscape has Evolved
Forecast by the World Economic Forum: delays in adopting cyber security capabilities could result in a US$ 3 trillion loss in economic value by 2020.
Figure 1: Top 5 Global Risks in Terms of Likelihood 2014 - WEF
Figure 2: Source: World Economic Forum “Global Risks 2014”
World Economic Forum: cyber attacks are one of the Top 5 Global Risks in Terms of Likelihood in 2014 (missing in 2013).
Cyber Security is now the World’s 3rd Corporate-Risk Priority Overall
Corporate risk priorities and attitudes among 588 C-Suite and board level executives*
Survey respondents distributed across Asia-Pacific (31%), Europe (28%), North America (26%), Latin America (10%) and South Africa (5%).
*Source: Lloyd’s Risk Index 2013
Increasing Scale and Impact of Cyber Attacks
Timeline labels on the slide: 2008 to 2012, 2013, 2014
J.P. Morgan Chase: 83M customer PII were stolen
Home Depot: 56 million payment cards compromised
Sony: company's inner workings completely exposed
South Korea: 27M bank customers' records were stolen
SCB: confidential information was stolen from 647 private bank clients
Target: 40M credit card records and 70M customer PII compromised
BankMuscat and Rakbank: hackers stole a total of US$45M
Ghostnet: large-scale cyber spying operation
Subway: 80,000 customer credit and debit card data lost
Global Payment Systems: compromised 1.5M credit card records and 5.5M consumer records
The FS industry topped the list of 26 different industries targeted by cyber criminals*
*Source: Mandiant 2013
Who are the “Threat Actors” and the Targets?
Threat Actors
Hacktivists (e.g. Wikileaks, Anonymous, LulzSec)
Malicious Insiders (e.g. Bradley Manning and the U.S. Department of State memos)
Cyber Mafia - Organised crime (e.g. stealing credit card numbers)
Cyber Warfare - State sponsored & corporate espionage (e.g. Night Dragon, StuxNet, DuQU, SHAMOON)
Targets
Intellectual Property Data
Merger & Acquisition Transaction Information
Senior Executive Emails
Customer Data
Control Systems
Process Control Networks (supports exploration & production activity)
Network and connectivity data
Operational and asset-specific data
Recent Cyber Security Incident – Retail sector
Target – 2014
Impact
40M credit card records and 70M customer PID compromised
Target could be facing losses of up to $420 million as a result of this breach
US$61M in breach-related cost as of Feb 2014
Will spend US$100M to upgrade payment system
CIO and CEO resigned
Observation
Phishing email sent to HVAC firm and credentials used to access Target’s Purchase/Order and Billing system
Malware installed on POS
Recent Cyber Security Incident – Insurance sector
Anthem – 2015
Impact
PID of 80 million customers and clients were stolen, including Social Security Numbers
Biggest data theft in the healthcare industry
Reputational loss for Anthem regarding IT security
Observation
Targeted attack (APT) by a cyber espionage group
Malicious WellPoint / Anthem infrastructure set up on the Internet
Infrastructure and malware were also used for an attack on a US defense contractor
Recent Cyber Security Incident – Banking sector
JP Morgan – 2014
Impact
PID of 76 million households were stolen, including email addresses, home addresses and phone numbers
PID of 7 million small businesses were stolen
Computer security budget will be doubled in the next 5 years to $250M
Observation
Hackers stole the login credentials for a J.P.Morgan employee in Spring 2014
12 other major US financial institutions alongside J.P.Morgan were targeted
Recent Cyber Security Incident – Banking sector (outsourced vendor)
Standard Chartered Bank & Fuji Xerox – 2013
Impact
Financial data of 647 clients stolen
Reputational loss for Private Bank business
Reputation and financial damage
MAS said it took “appropriate supervisory actions” against SCB
Observation
Attack was executed by a hacktivist
Information stolen from a 3rd party / vendor printing facility at Fuji Xerox Singapore
Recent Cyber Security Incident – Entertainment sector
Sony Pictures – 2014
Impact
Company's inner workings completely exposed
Sensitive personal and corporate data was leaked, including emails, salaries and unreleased movies
Massive impact to Sony Pictures, its employees and clients
Observation
When the breach was discovered, Sony had been infiltrated for one year
North Korea is blamed for the attack
“Are we prepared and resilient against cyber attacks?”
Leadership and Governance
Human Factors
Information Risk Management
Business Continuity and Crisis Management
Operations and Technology
Legal and Compliance
Cyber Security Transformation Lever 1: Implementing a strategic, institution-wide approach to cyber security
Cyber Security domains: Leadership & Governance; Human Factors; Information Risk Management; BCM / Crisis Management; Operations & Technology; Legal & Compliance
Cyber risk governance driven by the Board and cyber risk strategy driven at Executive level as an integral part of corporate strategy. Looks beyond technical preparedness and takes a holistic view of people, process and technology.
The human factors in the defence chain must be strengthened as part of a cyber risk aware culture.
Focus on risk-based mitigation, early detection, robust response, automation and analytics to create internal and external risk transparency.
Resiliency and ability to quickly return to normal operations or repair damage.
A dedicated cyber security operations centre (SOC) to be established, using a threat intelligence driven approach to security.
Cyber security collaboration to be extended beyond company walls to address common enemies.
Cyber Security Transformation Lever 2: Actionable Threat Intelligence is the key to managing evolving cyber threats
Threat Intelligence
Prevention will ultimately fail. Actionable threat intelligence combined with detection and response capability is the key.
Prevent
Protecting customers and your own infrastructure requires measures on the people, process and technology layers.
Detect
Real-time detection of incidents and fraudulent transactions requires correlation of information from various data sources. It is important to monitor customer behaviour, transactions and log files from applications and systems.
Incident detection will not function properly without adequate processes and trained people for detection rule management.
Respond
Incident response capability is built by drafting playbooks, performing regular incident response exercises and doing red team testing.
The capability to delay transactions for fraud investigations and having trained call centre employees are most important in being able to respond to modern online banking attacks.
Threat Intelligence
Acquiring external threat information is necessary to keep an up-to-date view of current and future threats to your organisation.
Best practices include connecting external intelligence sources, information sharing with other banks and other industries, and cooperation with police and law enforcement.
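The Detect and Respond points above stay at the level of principle: correlate customer behaviour, transactions and application logs, and be able to put a transaction on hold for fraud investigation. The following is an added illustration (not from the KPMG deck, and not any bank's actual detection logic) of what that correlation looks like as code. The log lines, the customer baselines, the field names and the 5x-median threshold are all constructed for the example; a real deployment would tune the signals and thresholds on its own data.

```python
"""Correlating login events with transactions to hold suspicious payments for review.

Added example, not from the KPMG deck. All log lines, baselines and thresholds
below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

# Constructed authentication-log lines: timestamp, event, customer, source IP, device.
AUTH_LOG = [
    "2015-03-02T08:00:01Z LOGIN_OK cust=1001 ip=203.0.113.10 device=dev-a1",
    "2015-03-02T08:05:17Z LOGIN_OK cust=1002 ip=198.51.100.7 device=dev-b9",
    "2015-03-02T08:09:40Z LOGIN_OK cust=1001 ip=192.0.2.55 device=dev-zz",  # unseen IP and device
]

# Constructed transaction records: timestamp, event, customer, amount, payee, session IP.
TXN_LOG = [
    "2015-03-02T08:01:10Z TXN cust=1001 amount=120.00 payee=ACME ip=203.0.113.10",
    "2015-03-02T08:06:02Z TXN cust=1002 amount=95.00 payee=UTIL ip=198.51.100.7",
    "2015-03-02T08:11:30Z TXN cust=1001 amount=4800.00 payee=NEWPAYEE ip=192.0.2.55",
]

# Constructed per-customer history: IPs and devices seen before, and recent payment amounts.
BASELINE = {
    "1001": {"ips": {"203.0.113.10"}, "devices": {"dev-a1"}, "amounts": [100.0, 130.0, 110.0, 125.0]},
    "1002": {"ips": {"198.51.100.7"}, "devices": {"dev-b9"}, "amounts": [90.0, 95.0, 100.0]},
}

AMOUNT_MULTIPLIER = 5.0  # assumed rule: an amount above 5x the customer's median is a signal


@dataclass
class Alert:
    customer: str
    amount: float
    reasons: List[str]
    action: str  # "HOLD" = delay for fraud investigation, "ALLOW" = let it settle


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a 'ts EVENT k=v k=v ...' log line into a dict."""
    parts = line.split()
    fields = {"ts": parts[0], "event": parts[1]}
    for tok in parts[2:]:
        key, _, value = tok.partition("=")
        fields[key] = value
    return fields


def correlate(auth_lines, txn_lines, baseline) -> List[Alert]:
    """Join each transaction to the login session (customer + IP) that produced it and score it."""
    logins = defaultdict(dict)  # customer -> source IP -> login record
    for line in auth_lines:
        rec = parse_kv(line)
        if rec["event"] == "LOGIN_OK":
            logins[rec["cust"]][rec["ip"]] = rec

    alerts = []
    for line in txn_lines:
        txn = parse_kv(line)
        cust = txn["cust"]
        amount = float(txn["amount"])
        profile = baseline.get(cust, {"ips": set(), "devices": set(), "amounts": []})
        reasons = []

        login = logins[cust].get(txn["ip"])
        if login is None:
            reasons.append("no matching login session")
        else:
            if login["ip"] not in profile["ips"]:
                reasons.append("login from unseen IP")
            if login["device"] not in profile["devices"]:
                reasons.append("login from unseen device")
        if profile["amounts"] and amount > AMOUNT_MULTIPLIER * median(profile["amounts"]):
            reasons.append("amount far above customer median")

        # Response rule: one weak signal alone is allowed; two or more together put the
        # transaction on hold so a trained analyst can investigate before it settles.
        action = "HOLD" if len(reasons) >= 2 else "ALLOW"
        alerts.append(Alert(cust, amount, reasons, action))
    return alerts


if __name__ == "__main__":
    for alert in correlate(AUTH_LOG, TXN_LOG, BASELINE):
        print(alert)
```

The point of the join is that neither source alone is conclusive: a login from a new device is routine, and a large payment from a known device is routine, but a large payment to a new payee from a session that started on an unseen IP and device is the combination worth delaying. The "HOLD" outcome is the programmatic form of the deck's "capability to delay transactions for fraud investigations"; the rule thresholds are exactly the "detection rule management" that the slide says needs owners and a process.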
Leadership and Governance
Board and Senior Management's governance, ownership, and effective management of risk.
What went wrong?
Sony Pictures: Insufficient understanding of cyber risk by Senior Management
Target: Insufficient oversight of IT risk by CEO and CIO
How can this be addressed?
Sony Pictures: Increased awareness of Senior Management on Cyber Security risks
Target: Accountability and responsibility for IT risk extended to the Board, CEO and senior management
What should you do?
Cyber Security raised to Board & Senior Management agenda
Establish institution-wide accountability for managing cyber risks
Training & awareness of all management and staff on Cyber Risks
Better threat intelligence
Human Factors
Level of security-focused culture that empowers and ensures the right people, skills, culture and knowledge.
What went wrong?
Subway: POS was accessed using remote access software over the internet, due to staff’s default password not being changed
Standard Chartered Bank: Information stolen from the servers of a third party vendor providing printing services
How can this be addressed?
Subway: Proper security awareness programs should be provided to the employees
Standard Chartered Bank: Upgrade security skills and capabilities of staff maintaining customer data & third party servers
What should you do?
Training and awareness programmes
Tone from the top - leadership staff to demonstrate security/risk mindset to rank & file teams
Process to assure appropriate skills and capabilities of vendor staff
Extension of security policies & HR policies to vendors/3rd parties
Information Risk Management
The approach to achieving comprehensive and effective risk management of information throughout the organisation and its delivery and supply partners.
What went wrong?
Sony Pictures: All sensitive personal and corporate information was stolen
Standard Chartered Bank: Intrusion of vendor servers containing customer data was not detected
How can this be addressed?
Sony Pictures: Establish an information classification process together with Data Loss Prevention solutions
Standard Chartered Bank: Detection tools should be deployed and security assessments performed on all servers that connect to an external network
What should you do?
Integration of information classification into security architecture design
Data governance
Detection mechanisms and alerts
Analytics to correlate unusual customer behaviour, transactions and log files from applications and systems
Information sharing and data loss prevention
Business Continuity and Crisis Management
The preparations for a security event and the ability to prevent or minimise the impact through successful crisis and stakeholder management.
What went wrong?
Sony Pictures: Employees needed to go back to pen and paper
Target: Information about the breach was announced too late, causing public backlash
How can this be addressed?
Sony Pictures: Backup & recovery coupled with resilient system architecture
Target: Improvement of communication to the public
What should you do?
Business continuity with cyber resiliency
Cyber incident response embedded into the Crisis Management process
Business continuity plan incorporated as part of cyber security readiness
Internal and external stakeholder management
Operations and Technology
The level of control measures implemented within the organisation to address identified risks, and minimise the impact of compromise.
What went wrong?
J.P. Morgan Chase: 2FA missing on one neglected server
Target: Intrusion/malware was detected but Security Ops did not follow up
How can this be addressed?
J.P. Morgan Chase: Rollout of security services on all assets and proper Vulnerability Management
Target: Effective Incident Management process – diagnosis, prioritisation, and fast response
What should you do?
Threat and vulnerability management
Asset lifecycle management
Network security
Incident Response
Actionable threat intelligence
Network segmentation/isolation
Drafting playbooks, performing regular incident response exercises, doing red team testing
Physical security
Personnel security
Legal and Compliance
Regulatory, international standards and laws relevant to your organisation (e.g. ISO27000, PCI-DSS, Data Privacy laws, TRM regulatory requirements, NIST).
What went wrong?
Standard Chartered Bank: 647 of its private bank clients’ information stolen through an outsourced vendor’s server
Sony Pictures: Faces several law cases due to violation of PID storage
How can this be addressed?
Standard Chartered Bank: Bank needs to extend cyber security practices to all outsourced arrangements - new regulatory mandate
Sony Pictures: Legal department to address new cyber laws for processing and storage of sensitive information
What should you do?
Outsourcing governance & risk management framework
Outsourcing gap analysis and audit review
Legislative compliance
Role of the audit committee
Threat intelligence and information sharing across other industries
Collaboration with industry peers to address common enemies
Conclusion
Cyber Security Frameworks: ISO 27032: Cyber Security; MAS/HKMA TRM Guidelines; NIST; COBIT; etc.
Strategic, institution-wide approach
Actionable Threat Intelligence
Cyber Security Readiness
Appendix: KPMG Cyber Security Framework
Cyber Maturity Assessment (CMA)
Cyber Security Strategy
Cyber Gaming
Cyber Defense Operating Model Design
Identity and Access Management
Security and Technology Assessments
Certification Services
Development and Implementation of Threat Intelligence Operating Models
Design and Implementation of Security Operations Centers
Cyber Attack Detection
Rapid Response Teams
Forensic Evidence Recovery and Investigation
Advanced Training and Cyber Response Capability Development
Board Training
Enterprise Risk Management and Implementation
Business Continuity Planning
Behavioral Change Management
Design and Delivery of Institution-wide Cyber Security Transformation Programs
Contact Details
[email protected] RISK & REGULATION | COST & EFFICIENCY | CUSTOMER & GROWTH
DARYL PEREIRA Partner ASEAN Management Consulting KPMG Tel: +65 6411 8116