Cyber Resilience presented at the Malta Association of Risk Management (MARM) Cybercrime Seminar of 24 June 2013 by Mr Donald Tabone. Mr Tabone, Associate Director and Head of Information Protection and Business Resilience Services at KPMG Malta, presented a six-point action plan corporate entities can follow in order to reach a sustainable level of cyber resilience.
2. Agenda
1. Where are we coming from?
2. Cybercrime and threat actors
3. What the stats say
4. Who's being targeted?
5. Cause for concern?
6. Cyber resilience defined
7. A six-point plan to becoming resilient
3. Where are we coming from?
The foundations
• '62 J. C. R. Licklider introduced the idea of an 'Intergalactic Network'
• '76 Dr. Robert Metcalfe invented Ethernet, coaxial cables
• '78 Gary Thuerek – first spam email sent to 400 users of ARPANET
• '84 Dr. Jon Postel described his idea for .com, .org, .gov etc. in a series of papers published by the IETF
• '89 The World was the first ISP to offer commercial dial-up internet
• '92 The Corporation for Education and Research Network (CREN) released the world wide web
The beginning of eCommerce
• '94 Pizza Hut offered online ordering through their website
• '95 Pierre Omidyar released AuctionWeb, which later became eBay
• '96 Hotmail was launched. The following year Microsoft bought it out for $400m
• '98 Google received funding to become Google Technology Incorporated.
• '99 The Internet consisted of 19.5m hosts and over 1m websites
4. Where are we coming from?
The Dot-com bubble
• '00 The Dot-com bubble burst
• '03 Apple launched the iTunes store with 200,000 songs
• '03 The hacktivist group Anonymous was born
• '04 Google launched Gmail with 1Gb of storage
• '05 YouTube is launched. The following year Google bought it out for $1.6b
• '06 Twitter and Facebook came around
• '06 There are an estimated 92m websites online
40 years from its inception
• '09 Mobile data traffic exceeds voice traffic every single month
• '09 Cloud-based file hosting from the likes of Dropbox came around
• '10 Facebook announces it reached 400m active members
• '10 Syria and China attempt to control Internet access
• '10 The Wikileaks drama ensues whilst Anonymous conduct several cyber attacks on government, religious and corporate websites
• '11 Interest in virtualisation and cloud computing reaches its highest peak
• '13 The interest in BYOD and Big Data has reached a new high
5. Opportunity for crime
Diagram: www – cybercrime & cyber criminals – our dependence
As a result, we face new challenges related to:
• Our online privacy,
• The confidentiality and integrity of the data we entrust to online entities, and
• Our ability to conduct business on the net through the use of ecommerce web applications
Because of the nature of how the net works, accountability is also a challenge!
6. Threat actors..1
Organised Crime
• Traditionally based in former Soviet Republics (Russia, Belarus, Ukraine)
• Common attacks: theft of PII for resale and misuse, or resources for hosting of illicit material
• Occasionally employ blackmail in terms of availability (threats of denial of service attacks to companies and threats of exposing individuals to embarrassment)
7. Threat actors..2
State Sponsored
• Nations where commercial and state interests are very aligned
• Military or Intelligence assets deployed in commercial environments
• Limitless resources?
• Main aim to achieve competitive advantage for business
• Theft of commercial secrets (bid information, M&A details)
9. Hacktivism
Will attack companies, organizations and individuals who are seen as being unethical or not doing the right thing
Hacking for fun… seriously!
Entire nations can be taken down (Estonia)
10. Stolen information
• 18.5m people have been affected by PC theft
• 75% of data loss incidents in Retail were attributed to Hacking
• 96% of data loss incidents in Media were attributed to Hacking
Source: 2012 KPMG Data Loss Barometer
11. 2012 KPMG cybercrime survey
Source: KPMG, A nuanced perspective on cybercrime, shifting viewpoints – call for action. The results were based on over 170 responses from CIOs/CISOs or professionals in related professions in the Netherlands.
12. 3 Common Attacks
Traditional crime, redefined?
Network based attacks
• Identify a target website
• Conduct network reconnaissance / mapping
• Engage in DDoS attacks to deny accessibility
• The result is direct loss of business
Spear phishing attacks
• Identify a target individual
• Build a profile / biography
• Directly target with a personal email
• Trick user into accessing a malicious website
• Implant malware and gain control of a device
• Use a compromised machine to obtain otherwise confidential information
Human based attacks
• Human error incidents
• Inside users become the target as they are often trusted users
• Scorned / disgruntled employees
The reality is that cyber attackers and organised crime perpetrators often use a combination of attack avenues to profile a target and map out their internal systems – the information is readily available!
Consequences: competitive edge is eroded; organisation secrets are stolen; corporate reputations are damaged
Source: 2012 KPMG Cyber Vulnerability Index
13. Who are they targeting?
Increased attack sophistication + inappropriate business response = UNCERTAINTY
One study* conducted in the UK showed that small businesses suffer an estimated loss of £800m a year, averaging nearly £4000 per business
• 30% of its members were victims of fraud as a result of virus infections
• 50% hit by malware
• 8% victims of hacking
• 5% suffered security breaches
As a consequence, a second recent cybercrime study** revealed that
• 53% of the British public is worried about the damage of cyber attacks
• 40% feel more vulnerable to cyber attacks now than a year ago
• 38% feel that their personal data exchanged with organisations they do business with may already have been compromised
Sources: * The study was carried out by the Federation of Small Businesses in the UK and is based on its 20000 members, http://www.fsb.org.uk/News.aspx?loc=pressroom&rec=8083, accessed 12/6/2013
** The study was conducted by PollOne in April 2013 for Tripwire on 1000 users, http://www.tripwire.com/company/research/survey-half-uk-population-worried-about-nation-state-cyber-attacks/, accessed 12/6/2013
14. In the US
The unverified losses that victims claimed in 2012 jumped 8.3% from $485m the previous year
Chart: losses and complaints
Sources: SC Magazine and Internet Crime Complaint Center
15. Meanwhile in a non-descript building …
… just outside of Shanghai, "Unit 61398" of the People's Liberation Army is the alleged source of Chinese hacking attacks…
Source: Businessweek.com
… although the Chinese government consistently denies its involvement in such activities, claiming that such allegations are "irresponsible and unprofessional"
Why should you be concerned?
Source: Hello, Unit 61398, The Economist, 19 February 2013, accessed 13/06/2013
16. Convictions?
The fight against cybercrime seems to be ongoing
41 months
• Romanian hacker Cezar Butu – 21 months in prison for compromising credit card processing systems
• Darnell Albert-El, 53 – 27 months in prison for hacking
• Steven Kim, 40 – 12 months in prison for stealing personal data
• Bruce Raisley, 48 – 24 months in prison for creating a botnet virus to launch DDoS attacks
• Shawn Reilly, 34 – 33 months in prison for committing 84 fraudulent wire transfers
• Eduard Arakelyan, 21 and Arman Vardanyan, 23 – 36 months in prison for theft of credit card information and committing bank fraud
• Sonya Martin, 45 – 30 months in prison for being part of a gang to evade encryption
Sources: ValueWork, Help Net Security, SC Magazine
17. Next generation cybercrime threat?
What if hackers hijacked a key satellite? Could space be cybercrime's new frontier?
FACT #1
We have an overwhelming reliance on space technology for vital streams of information
FACT #2
Satellites are frightfully vulnerable to collisions and there are over 5500 redundant ones at the moment!
Makes us acutely vulnerable!
Source: The Independent, Space: the new cybercrime frontier, http://www.independent.co.uk/life-style/gadgets-and-tech/news/space-the-new-cyber-crime-frontier8194801.html accessed 16/2/2013
18. Juggling the risks
Risk Assessment: examine threats → determine the risk level
AIM: reduce organisational risk
• Risk Assumption – With appropriate due diligence, management accept the potential risk and continue operating
• Risk Alleviation – Management approve the implementation of controls to lower risk to an acceptable level
• Risk Avoidance – Eliminate the process that could cause the risks
• Risk Limitation – Management limit the risk exposure by putting controls to limit the impact of a threat
• Risk Planning – A process to manage risk by developing an architecture that prioritises, implements and maintains controls
• Risk Transference – Management transfer the risk by using other options to compensate for a loss, e.g. purchasing an insurance policy
19. Risk Transference
Bespoke insurance products providing tailor-made policies targeting key professional liability exposures for technology companies
20. Becoming resilient – a six point action plan
Cyber Resilience
"The ability of a system or a domain to withstand attacks or failures and in such events to re-establish itself quickly"
– Nigel Inkster, International Institute of Strategic Studies
1. Organizational Readiness
2. Situational awareness
3. Cyber defence
4. Detection
5. Mitigation and containment
6. Recovery
21. #1 - Organisational Readiness
Corporate awareness
Ownership at the C-level
Assign the role and responsibility for information security oversight
Understand your business risks
Focus on your information and reputation
Share intelligence and experiences
22. #2 - Situational intelligence
Timeline: hacking for fame & glory → cybercrime moved into monetisation → disruption, criminal gangs, protest hacktivism, corporate espionage → Anonymous & Lulzsec target corporate infrastructures
Specialist knowledge
Know your information assets
Keep abreast of the latest advanced threats
Classify your information assets
"One of the problems is that we all tend to be technology professionals weathered by our experiences rather than looking at new ways of managing risk and gaining or using new sources of intelligence" - Pat Brady, Information Security Manager, National Australia Group
23. #3 – Cyber defence
Get a grip on infrastructure and access security
Assert the levels of staff awareness
Define strict access control and remote access control
Ensure strong visitor procedures for key buildings
Keep your basic security controls in sight, e.g. password change policy
Infrastructure changes should trigger network configuration changes, allowing you to move the shape of the target
24. #4 – Detection
Develop the ability to detect attacks
Ensure you have an effective internal & external monitoring process
Scan outbound messages for abnormal volumes and patterns
Early recognition of a compromise is key to early reaction
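The slide asks for outbound traffic to be scanned for abnormal volumes and patterns but does not say how. The following is an added example, not code from the presentation or from KPMG, showing one way to do it: each host is compared against its own recent history using a median/MAD baseline (so one noisy host does not raise the threshold for the others), and a host is also flagged when it talks to a destination it has never talked to before. The record format (day, host, destination, bytes), the host names, the TEST-NET address and the thresholds are all constructed for illustration.

```python
"""Flag abnormal outbound volumes and new destinations per host.

Added example (not from the original slide deck). The input records, host
names, destinations and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample of outbound flow records: (day, source host, destination, bytes).
# Days 1-7 form each host's baseline; day 8 is the day under review.
RECORDS = [
    # ws-01: steady ~50 MB/day to the corporate mail relay
    *[(d, "ws-01", "mail.example.net:25", 50_000_000 + d * 100_000) for d in range(1, 8)],
    (8, "ws-01", "mail.example.net:25", 52_000_000),
    # ws-02: steady ~20 MB/day, then a 900 MB burst on day 8 to a never-seen destination
    *[(d, "ws-02", "mail.example.net:25", 20_000_000 + d * 50_000) for d in range(1, 8)],
    (8, "ws-02", "mail.example.net:25", 20_500_000),
    (8, "ws-02", "203.0.113.9:443", 900_000_000),
    # ws-03: noisy (100-160 MB/day) but day 8 sits inside its own range
    *[(d, "ws-03", "files.example.net:443", 100_000_000 + (d % 3) * 30_000_000) for d in range(1, 8)],
    (8, "ws-03", "files.example.net:443", 130_000_000),
]


def daily_totals(records):
    """Sum bytes per (host, day) and collect the destinations each host used."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for day, host, dest, nbytes in records:
        totals[host][day] += nbytes
        dests[host].add(dest)
    return totals, dests


def robust_score(baseline, value):
    """Distance of value from the baseline median, in units of the median
    absolute deviation (MAD). The MAD is floored at 5% of the median (and at
    one byte) so a perfectly flat history does not turn tiny drifts into alerts."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    mad = max(mad, 0.05 * med, 1.0)
    return (value - med) / mad


def detect(records, review_day, score_threshold=6.0, min_history=3):
    """Return (host, finding, detail) tuples for hosts whose review-day volume
    or destination set deviates from their own history before review_day."""
    history = [r for r in records if r[0] < review_day]
    today = [r for r in records if r[0] == review_day]
    base_totals, base_dests = daily_totals(history)
    day_totals, day_dests = daily_totals(today)
    findings = []
    for host, per_day in day_totals.items():
        value = per_day[review_day]
        baseline = list(base_totals[host].values())
        if len(baseline) < min_history:
            # Too little history to judge; surface it rather than silently skip.
            findings.append((host, "insufficient history", value))
            continue
        score = robust_score(baseline, value)
        if score > score_threshold:
            findings.append((host, "volume spike", round(score, 1)))
        new_dests = day_dests[host] - base_dests[host]
        if new_dests:
            findings.append((host, "new destination", sorted(new_dests)))
    return findings


if __name__ == "__main__":
    for host, finding, detail in detect(RECORDS, review_day=8):
        print(f"{host}: {finding} ({detail})")
```

Run against the constructed records, only ws-02 is reported, once for the volume spike and once for the new destination; ws-03, whose day-to-day variation is large but normal for that host, stays quiet because the baseline is per host. In practice the records would come from a flow collector or mail gateway log, and the threshold and minimum history would be tuned against a few weeks of real traffic.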
25. #5 – Mitigation and containment
The aim is to limit the damage to your services and reputation
Limit the impact / shutdown the source
Being prepared is the key
Contingency planning – define and review your plans
Ensure adequate testing of business continuity plans
Prepared PR statements
Plans: Continuity of Operations Plan; Disaster Recovery Plan; IT / Network Contingency Plans; Crisis Communication Plan; Cyber Incident Plan; Occupant Emergency Plan
26. #6 – Recovery
You need to develop the ability to re-establish normal service
Your survival as a business depends on it
Apply the lessons learnt
Give feedback to senior executives: "Here's what happened to us", "This is how we reacted", "This is what we've done to mitigate / prevent it"
27. Conclusions
Some final thoughts..
• The cyber crime threat is actual and here to stay
• It's NOT a question of IF but WHEN
Diagram: IT Service Continuity Management functions – Business Continuity – Cyber Resiliency – Awareness – Knowledge – Controls – Detection – Mitigation – Recovery
• Be prepared for incidents
• Ensure security awareness between departments
• Protect your information assets, regardless of where they are being held
• Ensure adequate crisis management between departments
• Align individual goals with the organisation's cyber security ambitions
• Cyber risk teams need to consist of flexible people who can build relationships across departments
• Take a pragmatic approach to investing in your defences – overinvesting is a real danger
BEING PROACTIVE IS THE NAME OF THE GAME
28. References
Andrew Auernheimer, http://en.wikipedia.org/wiki/Weev
Bandit Country, Amir Singh, Chartech March/April 2013
Cyber Crime Study Reveals Uncertainty, http://www.tripwire.com/state-of-security/it-security-data-protection/cyber-security/viewpoints-oncyber-crime-reveal-uncertainty/
Eight cyber crooks who got less prison time than Andrew Auernheimer, http://www.scmagazine.com/here-are-eight-cyber-crooks-who-gotless-prison-time-than-andrew-auernheimer/article/284928/
KPMG data loss barometer 2012, http://www.kpmg.com/uk/en/services/advisory/risk-consulting/pages/data-loss-barometer-2012.aspx
KPMG seven ways to beat cyber crime, http://www.kpmg.com/UK/en/IssuesAndInsights/ArticlesPublications/Documents/PDF/Advisory/seven-ways-beat-cyber-crime-nov2012.pdf
KPMG shifting viewpoints - A nuanced perspective on cybercrime, http://www.kpmg.com/NL/en/Issues-AndInsights/ArticlesPublications/Pages/Shifting-viewpoints.aspx
Microsoft and FBI disrupt global cybercrime ring, http://www.net-security.org/malware_news.php?id=2511
Most small businesses can't restore all data after a cyber attack, http://www.net-security.org/secworld.php?id=15012
Operation cyber taskforce, Gerry O'Neill, Chartech March/April 2013
Space: the new cyber crime frontier, http://www.independent.co.uk/life-style/gadgets-and-tech/news/space-the-new-cyber-crime-frontier8194801.html
The cost of cybercrime, http://securityaffairs.co/wordpress/14628/cyber-crime/cost-of-cybercrime-for-uk-small-businesses.html