
Upload: marjory-ellis

Post on 25-Dec-2015

TRANSCRIPT

Page 1: New “Vectors” of Threats are Accelerating the Concern

YESTERDAY… “Target of Opportunity”

  Bad “Actors”: Isolated criminals; “Script Kiddies”
  Targets: Identity Theft; Self-Promotion Opportunities; Theft of Services

TODAY… “Target of Choice”

  Bad “Actors”: Organized criminals; Foreign States; Hacktivists
  Targets: Intellectual Property; Financial Information; Strategic Access

© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.


Page 2:


Costs (two bar charts, source: Ponemon Institute 2014)

• Average dollar loss per breach (US), 2013 vs 2014 [chart; y-axis $5,100,000 to $5,900,000]
• Average dollar loss per record stolen (US), 2013 vs 2014 [chart; y-axis $180 to $205]

Page 3:


Cyber Threat Landscape

Page 4:


Impacts for Boards

Page 5:


Attack Vectors

ADVANCED PERSISTENT THREATS (APTs)

• TERM COINED BY THE US AIR FORCE IN 2006

• STATE SPONSORED

• COMPLICIT OR PERMISSIVE STATES

• TACTICAL HACKING GROUPS

• STEALTHY (PACKET CRAFTING TO EVADE IDS/IPS)

• ADVANCED IN NATURE

• PATIENT (SUPPLY CHAIN INFECTIONS)

• CUSTOM-MADE TOOLS AND EXPLOITS

• INTRODUCED THROUGH SOCIAL ENGINEERING AS WELL AS TRADITIONAL ATTACK SURFACES

• ONGOING PRESENCE (14 MONTHS UNTIL DISCOVERY)

• EXFILTRATION PLAN

Page 6:


Underground Forums

Page 7:


What are hackers talking about?

• Exploit Tools, DDoS Tools, Keyloggers, Traffic Generators, RATs, Brute Force, Crypters, Malware

• POS malware, Mobile Malware, ATM Skimmers

• System Vulnerability Disclosure, SQL injection, XSS and other vulnerabilities

• Black Market: Remote access to POS systems, Hijacked Network Traffic, Hacking Services, Bulletproof Hosting, Stolen Credit Card credentials, Compromised user accounts, Email addresses and Passwords

Page 8:

Tactical Teams - Customer Service

Page 9:

Proliferation of Do It Yourself Kits

Malware offered for $249 with a service level agreement (SLA) and replacement warranty if the creation is detected by any antivirus within 9 months


Page 10:

Scenario: A Cyber Breach is “Suspected”


FOR INTERNAL USE ONLY

Your organization is notified by an external partner that they believe your company may have been “hacked” and your customer data may be at risk. What do you do?

• Prepare to conduct an investigation.
  - Should it be done internally or externally? Who should be notified? Who should lead the investigation?

• Contact Law Enforcement.
  - Which agency? Who has jurisdiction? Do you have existing relationships?

• Prepare Communication Strategy.
  - Whom should we tell? When? What should be shared?

• Conduct Immediate Impact Assessment.
  - What data could be at risk? What is the worst-case scenario? Should transactions stop?

• Determine Preliminary Legal Approach.
  - Seek prosecution or civil action? Reduce disruption?

Page 11:

Scenario: A Cyber Breach is “Confirmed”



You have now confirmed that an unauthorized individual or team has gained access to your systems and data. You’re not sure exactly what was accessed or what may have been lost. What next?

• Continue the investigation.
  - Any shift in investigation structure? Should external experts be brought in? Is everything under attorney-client privilege?

• Contact Law Enforcement.
  - Should be a priority; work closely with them at this point.

• Approve Communication Strategy.
  - When should we start? What should be said? Any unintended messaging?

• Update Impact Assessment.
  - What data could be at risk? What is the worst-case scenario? Should transactions stop?

• Finalize Legal Approach Strategy.
  - Collect evidence in a forensically sound way. Prepare litigation/penalty strategy.

Page 12:

Scenario: Data Loss is Validated



You now know, with some degree of certainty, what data has been lost and who is likely impacted. The methods and approaches are understood and have been tactically remediated. How do you respond?

• Prepare notification approach.
  - Determine the audience: customers, employees, business partners? What protection is expected?

• Execute Communication Strategy.
  - How will this impact the business? Customer support ramp-up? Website updates? Marketing shifts?

• Enter Business Resumption Mode.
  - How to regain Business-As-Usual momentum? What strategies are impacted? What changes are expected?

• Establish Proactive Legal PMO.
  - Establish an inquiry and subpoena list. Determine key exposures. Understand insurance coverage.

Page 13:

Scenario: How to Regain Stakeholder Trust



You have completed your obligations under the various data breach notification requirements. Security vulnerabilities have been remediated. How do you regain the trust of customers and regain market momentum?

• Provide Transparency.
  - Continue to communicate with key stakeholders. Address questions as openly and transparently as possible.

• Establish Ongoing Security Improvement Plan.
  - Business and technology work together to ensure this does not repeat. Introduce new controls.

• Establish Executive & Board Priorities.
  - Influence on other business objectives? Prioritization? Funding?

• Conduct a Post Mortem.
  - What lessons were learned? What should be changed or modified? Cyber insurance changes? SEC disclosure?

Page 14:

Stages of Response after a Cyber Breach



Phase: REACT
  Focus: Understand the issue
  Timeline: 30-60 Days
  Key Activities:
  • Legal evaluation for impact
  • Forensic investigation
  • Discovery and evidence preservation
  • Validation of data
  • Report on findings
  • Communications to customers, internal stakeholders, and key business partners
  • Impacted by regulatory and legal expectations
  • Written notice and disclosure as required
  Key Participants: Incident Response Team, Exec Team, Key Customers & Vendors, IT Mgmt., Legal, Public/Investor Relations, Corp. Communications

Phase: RESPOND
  Focus: Address key concerns and gaps
  Timeline: 3 Months
  Key Activities:
  • Define governance for tactical remediation and future response
  • Understand the control environment: people, process, technology
  • Build a tactical plan
  • Ensure root cause is addressed
  • Plan to remediate all known gaps
  Key Participants: Incident Response Team, IT Management, Vendors, Legal, Business Stakeholders, Information Security, Internal Audit

Phase: TRANSFORM
  Focus: Change organizational perspectives
  Timeline: 6-12 Months
  Key Activities:
  • Define the control framework: regulatory and business expectations
  • Update policies and procedures
  • Implement awareness campaigns
  • Classify data and map regulations to data elements
  • Deploy technical control solutions: encryption, access control, security event management, data loss prevention, GRC
  Key Participants: Information Security, IT Team, Executive Management, Business Stakeholders, Vendors, Internal Audit

Phase: SUSTAIN
  Focus: Create sustainable approaches
  Timeline: Ongoing
  Key Activities:
  • Clearly align responsibilities and accountability to performance needs
  • Implement metrics and key performance indicators
  • Create a monitoring program to ensure adherence
  • Review reports
  • Review the program at specified intervals
  Key Participants: Information Security, IT Team, Business Stakeholders, Internal Audit
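The REACT-phase items "Forensic investigation" and "Discovery and evidence preservation" above, and the Page 11 instruction to "collect evidence in a forensically sound way", both come down to one concrete control: hash every collected artefact at the moment of acquisition, record who collected it and when, seal that record, and keep the seal somewhere the people who can touch the evidence cannot touch it. The Python script below is an added example written for this page, not KPMG's material or any tool the deck mentions; the case identifier, the collector name and the two small "log" files are constructed sample data.

```python
"""Evidence manifest for forensically sound collection (added example).

Hash every collected artefact at acquisition, record who collected it and
when, hash the manifest itself, and re-verify later so that any alteration
of the evidence (or of the manifest) after acquisition is detectable.
"""
import datetime
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256; never load whole disk images into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, collector, case_id):
    """Record path, size, mtime and content hash for each artefact, then seal the record."""
    now = datetime.datetime.now(datetime.timezone.utc).isoformat()
    entries = []
    for path in sorted(paths):  # deterministic order so the seal is reproducible
        st = os.stat(path)
        entries.append({
            "path": os.path.abspath(path),
            "size": st.st_size,
            "mtime_utc": datetime.datetime.fromtimestamp(
                st.st_mtime, datetime.timezone.utc).isoformat(),
            "sha256": sha256_file(path),
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": now,
        "entries": entries,
    }
    # Seal: hash of the canonical JSON body. This value is what goes on the
    # chain-of-custody form (or into a signature), out of reach of anyone who
    # can modify the evidence files or the manifest file.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(manifest):
    """Return a list of (item, problem) pairs; an empty list means nothing changed."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    seal = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    if seal != manifest.get("manifest_sha256"):
        problems.append(("<manifest>", "manifest seal mismatch"))
    for entry in manifest["entries"]:
        path = entry["path"]
        if not os.path.isfile(path):
            problems.append((path, "missing"))
            continue
        if sha256_file(path) != entry["sha256"]:
            problems.append((path, "content hash mismatch"))
    return problems


def demo():
    """Constructed sample: two small 'log' files, then one is edited after acquisition."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    auth_log = os.path.join(workdir, "auth.log")
    web_log = os.path.join(workdir, "web.log")
    with open(auth_log, "w") as fh:  # constructed content, not a real log
        fh.write("Jan 12 03:14:07 host sshd[4123]: Accepted password for admin from 198.51.100.7\n")
    with open(web_log, "w") as fh:  # constructed content, not a real log
        fh.write('198.51.100.7 - - [12/Jan/2014:03:15:01 +0000] "GET /admin HTTP/1.1" 200 512\n')

    manifest = build_manifest([auth_log, web_log], collector="analyst-1", case_id="CASE-0001")
    before = verify_manifest(manifest)  # freshly collected: no problems expected

    with open(auth_log, "a") as fh:     # someone "tidies up" the log after acquisition
        fh.write("Jan 12 03:20:00 host sshd[4123]: session closed\n")
    after = verify_manifest(manifest)   # exactly one content mismatch expected

    return manifest, before, after


if __name__ == "__main__":
    m, before, after = demo()
    print("seal:", m["manifest_sha256"])
    print("before tampering:", before)
    print("after tampering:", after)
```

Two caveats a practitioner will want. First, hashing only detects changes made after acquisition; it says nothing about what happened to the host before the responder arrived, which is why disk images are taken through a write blocker and volatile data is captured before anything is rebooted. Second, the manifest is worthless if it sits next to the evidence: the `manifest_sha256` value has to be written on the chain-of-custody form, signed, or otherwise stored where an intruder with access to the evidence share cannot simply regenerate it.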

Page 15:


Legislation

On 7/28/2014, the US House of Representatives passed The National Cybersecurity and Critical Infrastructure Protection Act of 2014 (H.R. 3696), sending the measure to the Senate.

Section 202 would amend the DHS SAFETY Act to extend liability protections from “acts of terrorism” to include “qualifying cybersecurity incidents”.

Qualifying incidents are defined as something that “disrupts or imminently jeopardizes the integrity, operation, confidentiality, or availability of programmable electronic devices, communication networks, including hardware, software and data that are essential to their reliable operation, electronic storage devices, or any other information system, or the information that system controls, processes, stores, or transmits.”

Private and commercial data that is stolen, misappropriated, corrupted, disrupted, or adversely affected will qualify for protection under this proposed law.

Organizations can voluntarily submit their cybersecurity procedures to the DHS SAFETY Act office to gain additional liability protections in the event of an act of terrorism or a qualifying cyber incident.

Corporate liability protection and relief will be assessed based upon “qualifying SAFETY Act technologies”.

Page 16:


PCI 3.0

“It’s a serious problem – more than 868 million records with sensitive information have been breached between January 2005 and June 2014, according to PrivacyRights.org. As you are a key participant in payment card transactions, it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.”

www.pcisecuritystandards.org