Post on 25-Dec-2015
New “Vectors” of Threats are Accelerating the Concern
YESTERDAY…
Bad “Actors”: Isolated criminals, “Script Kiddies”
Targets: Identity Theft, Self Promotion Opportunities, Theft of Services
“Target of Opportunity”
TODAY…
Bad “Actors”: Organized criminals, Foreign States, Hacktivists
Targets: Intellectual Property, Financial Information, Strategic Access
“Target of Choice”
© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Costs
[Chart: Average dollar loss per breach (US), 2014 vs. 2013; source: Ponemon Institute 2014]
[Chart: Average dollar loss per record stolen (US), 2014 vs. 2013; source: Ponemon Institute 2014]
Cyber Threat Landscape
Impacts for Boards
Attack Vectors
ADVANCED PERSISTENT THREATS (APTs)
• TERM COINED BY THE US AIR FORCE IN 2006
• STATE SPONSORED
• COMPLICIT OR PERMISSIVE STATES
• TACTICAL HACKING GROUPS
• STEALTHY (PACKET CRAFTING TO AVOID IDS/IPS)
• ADVANCED IN NATURE
• PATIENT (SUPPLY CHAIN INFECTIONS)
• CUSTOM MADE TOOLS AND EXPLOITS
• INTRODUCED THROUGH SOCIAL ENGINEERING AS WELL AS TRADITIONAL ATTACK SURFACES
• ONGOING PRESENCE (14 MONTHS UNTIL DISCOVERY)
• EXFILTRATION PLAN
Underground Forums
What are hackers talking about?
Tools and malware:
• Exploit Tools
• DDoS Tools
• Keyloggers
• Traffic Generators
• RATs
• Brute Force
• Crypters
• Malware
• POS Malware
• Mobile Malware
• ATM Skimmers
Vulnerabilities:
• System Vulnerability Disclosure
• SQL injection, XSS and other vulnerabilities
Black Market:
• Remote access to POS systems
• Hijacked Network Traffic
• Hacking Services
• Bulletproof Hosting
• Stolen Credit Card credentials
• Compromised user accounts
• Email addresses and Passwords
Tactical Teams - Customer Service
Proliferation of Do-It-Yourself Kits
Malware offered for $249 with a service level agreement (SLA) and a replacement warranty if the creation is detected by any antivirus within 9 months
Scenario: A Cyber Breach is “Suspected”
FOR INTERNAL USE ONLY
Your organization is notified by an external partner that they believe your company may have been “hacked” and your customer data may be at risk. What do you do?
• Prepare to conduct an investigation.
  – Should it be done internally or externally? Who should be notified? Who should lead the investigation?
• Contact Law Enforcement.
  – Which agency? Who has jurisdiction? Do you have existing relationships?
• Prepare Communication Strategy.
  – Who should we tell? When? What should be shared?
• Conduct Immediate Impact Assessment.
  – What data could be at risk? What’s the worst-case scenario? Should transactions stop?
• Determine Preliminary Legal Approach.
  – Seek prosecution or civil action? Reduce disruption?
Scenario: A Cyber Breach is “Confirmed”
You have now confirmed that an unauthorized individual or team has gained access to your systems and data. You’re not sure exactly what was accessed or what may have been lost. What next?
• Continue the investigation.
  – Any shift in investigation structure? Should external experts be brought in? Is everything under attorney privilege?
• Contact Law Enforcement.
  – This should be a priority; work closely with them at this point.
• Approve Communication Strategy.
  – When should we start? What should be said? Any unintended messaging?
• Update Impact Assessment.
  – What data could be at risk? What’s the worst-case scenario? Should transactions stop?
• Finalize Legal Approach Strategy.
  – Collect evidence in a forensically sound way. Prepare litigation/penalty strategy.
Scenario: Data Loss is Validated
You now know, with some degree of certainty, what data has been lost and who is likely impacted. The methods and approaches are understood and have been tactically remediated. How do you respond?
• Prepare notification approach.
  – Determine the audience: customers, employees, business partners? What protection is expected?
• Execute Communication Strategy.
  – How will this impact the business? Customer support ramp-up? Website updates? Marketing shifts?
• Enter Business Resumption Mode.
  – How to regain Business-As-Usual momentum? What strategies are impacted? What changes are expected?
• Establish Proactive Legal PMO.
  – Establish inquiry and subpoena list. Determine key exposures. Understand insurance coverage.
Scenario: How to Regain Stakeholder Trust
You have completed your obligations under the various data breach notification requirements. Security vulnerabilities have been remediated. How do you regain the trust of customers and regain market momentum?
• Provide Transparency.
  – Continue to communicate with key stakeholders. Address questions as openly and transparently as possible.
• Establish Ongoing Security Improvement Plan.
  – Business and technology work together to ensure this does not repeat. Introduce new controls.
• Establish Executive & Board Priorities.
  – Influence on other business objectives? Prioritization? Funding?
• Conduct a Post Mortem.
  – What lessons were learned? What should be changed or modified? Cyber insurance changes? SEC disclosure?
Stages of Response after a Cyber Breach
Phase: REACT
  Focus: Understand the issue
  Timeline: 30-60 Days
  Key Activities:
  • Legal evaluation for impact
  • Forensic investigation
  • Discovery and evidence preservation
  • Validation of data
  • Report on findings
  • Communications to customers, internal stakeholders, and key business partners
  • Impacted by regulatory and legal expectations
  • Written notice and disclosure as required
  Key Participants: Incident Response Team, Exec Team, Key Customers & Vendors, IT Mgmt., Legal, Public/Investor Relations, Corp. Communications

Phase: RESPOND
  Focus: Address key concerns and gaps
  Timeline: 3 Months
  Key Activities:
  • Define governance for tactical remediation and future response
  • Understand the control environment: People, Process, Technology
  • Build a tactical plan
  • Ensure root cause is addressed
  • Plan to remediate all known gaps
  Key Participants: Incident Response Team, IT Management, Vendors, Legal, Business Stakeholders, Information Security, Internal Audit

Phase: TRANSFORM
  Focus: Change organizational perspectives
  Timeline: 6-12 Months
  Key Activities:
  • Define the control framework: Regulatory, Business Expectations
  • Update policies and procedures
  • Implement awareness campaigns
  • Classify data and map regulations to data elements
  • Deploy technical control solutions: Encryption, Access Control, Security Event Mgmt, Data Loss Prevention, GRC
  Key Participants: Information Security, IT Team, Executive Management, Business Stakeholders, Vendors, Internal Audit

Phase: SUSTAIN
  Focus: Create sustainable approaches
  Timeline: Ongoing
  Key Activities:
  • Clearly align responsibilities and accountability to performance needs
  • Implement metrics and key performance indicators
  • Create a monitoring program to ensure adherence
  • Review reports
  • Review the program at specified intervals
  Key Participants: Information Security, IT Team, Business Stakeholders, Internal Audit
Legislation
On 7/28/2014, the US House of Representatives passed The National Cybersecurity and Critical Infrastructure Protection Act of 2014 (H.R. 3696), sending the measure to the Senate.
Section 202 would amend the DHS SAFETY Act to extend liability protections from “acts of terrorism” to include “qualifying cybersecurity incidents”.
Qualifying incidents are defined as something that “disrupts or imminently jeopardizes the integrity, operation, confidentiality, or availability of programmable electronic devices, communication networks, including hardware, software and data that are essential to their reliable operation, electronic storage devices, or any other information system, or the information that system controls, processes, stores, or transmits.”
Private and commercial data that is stolen, misappropriated, corrupted, disrupted, or adversely affected will qualify for protection under this proposed law.
Organizations can voluntarily submit their cybersecurity procedures to the DHS SAFETY Act office to gain additional liability protections in the event of an act of terrorism or a qualifying cyber incident.
Corporate liability protection and relief will be assessed based upon “qualifying SAFETY Act technologies”.
PCI 3.0
“It’s a serious problem – more than 868 million records with sensitive information have been breached between January 2005 and June 2014, according to PrivacyRights.org. As you are a key participant in payment card transactions, it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.”
www.pcisecuritystandards.org