cybersecurity op de bestuurstafel

1

Cyber security A topic for the Board

A new approach to Cyber Security

17 May 2016

2

Cyber Security - Definition

Cyber Security is about technologies, processes and practices

designed to protect networks, computers, programs and data

from attack, damage or unauthorized access.

Cyber security is not new, only the number and impact of cyber

incidents increased dramatically;

Due this increase of impactful cyber incidents (with huge media

intention), we see more and more attention from customers, media

and regulators

1 Source: NCSS 2

4

Determining Cyber Risk Profile

Cyber risk profile

Business environment

Possibletargets

(crown jewels)

Threat ActorsVulnerability /

Resilience

Legal & regulatory

requirements

5

CHANGING

“BUSINESS MODEL”

FAST TECHNOLOGY

DEVELOPMENTS2

1Increased digitalization, offline to online (customer as active actor in

online business proces), doing business in risk countries, new services

Cloud computing, big data, social media, consumerisation, BYOD,

mobile banking

CUSTOMER

EXPECTATIONS3Customer expects that his data is protected when stored / processed by

leading organizations.

Business environment

6

What is being stolen?Possible targets(crown jewels)

Information That Is Valuable

Business Critical Information

Critical Business Transactions

Intellectual property

Business processes

Customer, supplier and personnel data

Financials

Business plans

New products

New markets

Raising finance

M&A

JV

Divestitures

What is trending?

— CEO & CFO Fraud / Whaling

— SWIFT fraud

— Ransom-ware

— DDoS

— IP theft

7

Threat Landscape

Each threat actor has their own motivations, capabilities and targetsThreat Actors

8

Threat Landscape

Each threat actor has their own motivations, capabilities and targetsThreat Actors

Organised Crime –

global, difficult to trace

and prosecute

+ Financial assets

+ Personal data, including financial records

TYPICAL ASSETS THEY TARGET

Nation States –

cyber espionage

and warfare

+ Intellectual Property

+ Strategic/Operational Plans

+ M&A activity

+ Critical Infrastructure (for cyber

warfare)

Hacktivists –

hacking inspired

by ideology

+ Reputation – public and media perception

+ Publications – websites

+ Services – disruption

The Insider –

disgruntled by change

and uncertainty

+ Customer and client lists

+ Processes and plans

+ Services – disruption

Journalist –

Investigative

reporting

+ Confidential information through leaks and hacking

9

Vulnerability / Resilience

Assess the level of vulnerability / resilience for relevant threat actors

Assess vulnerability: • Assess whether your organisation is vulnerable for specific attack vectors used by

specific attackers – based on Kill Chain approach

• Assess whether your organisation was able to detect such attach vector (knowing

that most organisations detect advanced attacks only after 200 days after the

attack itself occurred)

Build / Assess resilience:• Build crisis plan for these types of attacks and test this plan periodically!


10

Social Engineering

What is social engineering?

You and your employees are the weakest link..

.. but when well trained, can be the strongest weapon of the organisation against social engineering attacks.

Technology

Process

People


12

Social Engineering

Evolution of the attacks

Attacks are getting more complex and difficultto recognize.


13

Social Engineering

Evolution of the attacks

Malware creation tools that can be used in social engineering attacks are today available “off the shelf”.

Cybercrime-as-a-service marketplaceEnables fraudsters to cash in without the need for technical knowledge

Cybercrime “service providers” must improve the quality of malware more then ever to keep and

win customers

Many attacks are easy to perform and low cost

• Phishing attacks: 500.000 email addresses costs $ 30,-

• Hosting a phishing site can be done for free

• 1000 credit card numbers cost $ 100,-


14

Social Engineering

Psychological concepts (that are used by social engineers)

Six basic principles from Robert Cialdini• Liking (Sympathie)

• Authority (Autoriteit)

• Social Proof (Sociale bewijskracht)

• Consistency (Consistentie)

• Reciprocation (Wederkerigheid)

• Scarcity (Schaarste)

Other concepts• Similarity (gelijkheid)

• Do the unexpected (het onverwachte doen)

• Perceptual contrast (verschil in perceptie)


15

Real life examples

KPMG attack simulation: using USB sticksVulnerability /

Resilience

Dit is een van de USB sticks zoals afgelopen donderdag uitgedeeld door “Brasserie Mimicry”

16

Real life examples

KPMG attack simulation: using USB sticks

Within 40 minutes after initiating the attack we had full access to• The “crown jewels” of the bank. We could read and edit financial details of al their

clients.

• As we had access to multiple desktops segregation of duties did not exist anymore.

• Network shares full with further sensitive internal information on clients and

employees.

But we could also:• Use the compromised systems to perform further attacks. E.g. use the mailbox of the

victims as trusted source to spread malware further on the network.


17

Real life examples

KPMG attack simulation: Hide in plain sight

Dutch Sinterklaas on assignment…


18

Legal and Regulatory changes

DNB / DUTCH CENTRAL BANK EUROPEAN UNION

• Cybercrime: theme 2014/2015

• Mandatory periodical self-assessment – required maturity level 3 / 4

• ECB: similar scheme, using NIST as regulatory framework

• On 12 August 2013, Directive 2013/40/EU on attacks against

information systems (the Cyber Crime Directive) came into force.

• The Cyber Crime Directive requires Member States to bring into force

laws, regulations and administrative provisions by 4 September 2015 in

order to provide a pan European approach to cyber crime.

• Focus on critical infrastructures.

Legal & regulatory

requirements

DUTCH GOVERNMENT UNITED STATES

• National Cyber Security Strategy 2- Government will act if required. If required, regulations and

standards will be proposed – as a consequence of the implementation of the EU Cyber Risk Directive

• Primary focus: critical infrastructures

• AP: maximum fine EUR 800.000, after implementation of EU Privacy Regulation: maximum fine 2% to 5% of global turn over

• Obama’s Executive Order February 2013 aimed at increasing the cyber

resilience of US organisations

- Focus critical infrastructures.

- Development of NIST Cybersecurity Framework.

• PCAOB issued guidelines for financial auditors related to cyber crime /

cyber security

- NBA is working on a Public Management Letter

19

Dutch data privacy changes

Current regulation?

Dutch changesThe bill ‘Meldplicht datalekken en uitbreiding boetebevoegdheid CBP’ was passed by the Tweede Kamer on

February 10th 2015 and passed by the Eerste Kamer on May 26th 2015. This law will is enforced as of January 1st 2016.

Key changes:• Data Protection Authorities (‘Cbp’) should be notified of data breaches without delay.

• Penalties up to €810k in case of not reporting a data breach, the careless processing of (sensitive) personal data, storing personal data too

long, inadequate protection, or failure to comply with disclosure requirements.

• Penalties up to 10% of annual sales (a.o. if binding instructions are not followed, to relate the height of fine to the size of the organization, i.e.

Google, Facebook)

• In case of data breaches the data controller should inform involved persons and society and provide information on:

• Nature and scope of data breach

• Harmful effects of the infringement

• Required effort for recovery actions

• The Cbp’s name is changed to Autoriteit Persoonsgegevens and is authorized supervisor of the Telecommunications Act

Wet Persoons-

Registratie

(WPR)

1989

Wet

Bescherming

Persoonsgegevens

(Wbp)

2001

+ Meldplicht

Datalekken &

Uitbreiding

Boetebevoegdheid

2016

EU General

Data

Protection

Regulation

2016 (exp.)

Legal & regulatory

requirements

20

Cyber risk is driven and managed

by more than technology

The drivers of inherent Cyber risk include the threats, your vulnerabilities, your assets and the regulatory and

business environment in which you operate.

This inherent risk can be mitigated by deploying controls and having response capability and plans. In

the worst case, resiliency and contingency planning will reduce the impact of significant cyber

incidents.

The readiness of technical systems to protect, detect and react to an attack is important but in many

organisations the people are the weakest link but can become the greatest asset for defence if properly informed

and trained.

Threats Regulations VulnerabilitiesBusiness drivers

Assets

Threat ActorActor

CapabilityAttack

ImmediacyPeople Process Technology

Information Assets

Systems Applications

Business Resilience and

contingency

Protect and Defend

Technical Controls

Behavioural Controls

Respond

Immediate Incident

ResponseInvestigations

21

Lessons learned: how to mitigate the risks?

Protect & Defend

Technical Controls

Behavioural Controls

Respond

Immediate Incident

ResponseInvestigations

Human factor is

weakest link,

unless…

Cooperation is

required

ISAC, Sector,

NCSC, (IT-)

partners

Shift from

prevent only to

prevent, detect

& respond

How to react if

you are hacked

(and you will)…

PROTECT YOUR

“CROWN JEWELS”

22

Five Steps to Minimize your Exposure

Perform a cyber maturity assessment to look at areas such as Leadership and

Governance, Human Factors, Information Risk Management, Business Continuity

and Crisis Management.

Identify your critical assets but remember that what you consider to be of no value,

may be considered valuable to an attacker. Take a look at the lifecycle of your

critical information assets from creation all the way to destruction.

Based on your assessment and your critical assets, select your defenses. Know

what threats you are going to defend against – trying to prevent them all gets very

expensive

Everyone in the organization – from the boardroom to the mailroom – must

understand the value and sensitivity of the information they possess and, more

importantly, how to protect it.

Being able to adequately respond to a security incident through established tested

processes should not be taken lightly. Supported by a security monitoring platform

and good threat intelligence, you can get a better grip on monitoring and

responding to cyber crime.

ASSESS YOUR READINESS

TO RESPOND / RESILIENCE1

HONE IN ON YOUR CRITICAL

ASSETS2

SELECT YOUR DEFENSE3

BOOST YOUR SECURITY

AWARENESS AND

EDUCATION4

ENHANCE MONITORING &

INCIDENT RESPONSE 5

23

John Hermans

Partner

John Hermans

Partner

KPMG Advisory N.V.

Laan van Langerhuize 1

1186DS Amstelveen

[email protected]

Function and specialization

• Cyber Security Lead Partner, Advisory KPMG

The Netherlands

• EMA Cyber Security Lead Partner and Member

of KPMG global Cyber Security leadership

Education, licenses and certifications

• Bachelor degree in Information Management

• Post Graduate EDP Auditing - Certifications as

chartered IT auditor (RE).

Background

John is partner of the Amstelveen practice of KPMG IT Advisory and member of

KPMG’s Global Leadership on Cyber Security. In his current position he is

heading the Cyber Security Services of KPMG in the Netherlands and, covering

the following services:

• Security Strategy Services / Cyber Security In the Board Room

• IT Governance, Risk and Compliance

• Technical Security Services

• Cyber Security Services

• Identity & Access Management

• Business Continuity Services

• Data Privacy Services

Furthermore, John is leading KPMG’s Strategic Growth Initiative on Cyber

Security services within the Netherlands as well in Europe, Middle East and

Africa, and member of KPMG’s global Cyber Security Leadership.

Professional experience

John worked for numerous International and National organisations in most

industry sectors, such as Financial Services, Oil & Gas, Retail and Government

and is considered as one of the leaders in his field of expertise. John was

involved in more than 100 national and international information security

projects across the world. John’s major involvements were in advising and

supporting our clients in developing, defining and implementing their overall

Information Security strategy, building the required business cases for

Executive Boards as well as Supervisory Boards, and performing multiple

program management activities as well as executing quality assurance

assignments.

Next to being involved in many information security and cyber security programs

and projects, John is involved in multiple Cloud Computing projects in both the

private and public sector. John’s major involvements relate to advising and

supporting our clients in developing, defining and implementing their cloud

computing strategy as well as advising on cloud security/assurance advisory

topics.

Industry experience

• Financials Services: Insurance, Mortgages and Banking

• Oil & Gas

• Telecommunications

• Government

• Health Technologies

24

© 2016 KPMG N.V., registered with the trade register in the Netherlands under number 34153857, is a member firm of the KPMG network of

independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.

The KPMG name and logo are registered trademarks of KPMG International.

John HermansPartner, Risk Consulting

Laan van Langerhuize 1

1186 DS Amstelveen

Tel: +31 20 656 8394

Mob: + 31 6 51 366 389

Email: [email protected]