Knowing Your Enemy – How Your Business is Attacked
Andrew Rogoyski, June 2014
© CGI Group Inc. 2014

Why "Cyber" is the New Security

Timeline, 1984 to 2014. The slide divides the period into two eras: "IA", the era of early connectedness (a technology issue), and "Cyber", the era of mass interdependence (a leadership issue), with 2000 marked as the midpoint.

Drivers for Change:
1. Industrialised cyber espionage
2. Militarisation of cyberspace
3. Rise of hacktivism
4. Organised cybercrime
5. Growing dependency on the Internet
6. The rise of the devices
7. Privacy and Data Protection

Timeline events:
• 1986: Lawrence Berkeley NL discovers attempt to copy US Government information on Arpanet
• 1988: First worm created at Cornell
• 1990: Arpanet becomes the Internet
• 1998: Google founded
• 2000: ILOVEYOU worm
• 2001: Budapest Convention on Cybercrime
• 2003: DHS creates National Cyber Security Division
• 2003: Slammer worm
• 2004: Facebook launched
• 2007: Cyber attack on Estonian Government
• 2007: iPhone 3 launched
• 2008: Marathon Oil, ExxonMobil and ConocoPhillips hacked for oil discovery data
• 2009: The Aurora attacks hit Google and 33 companies
• 2010: US Intelligence on Wikileaks
• 2010: Stuxnet
• 2010: US Cyber Command becomes operational
• 2010: iPad launched
• 2011: RSA and Lockheed attacked
• 2011: Sony PlayStation Network hacked, costing $170m
• 2012: Aramco loses 30,000 PCs to attack
• 2013: Edward Snowden reveals stolen NSA data
• 2013: South Korean media and banks attacked

Cybercrime

"The global cost of cybercrime is US$113 billion annually, cost per cybercrime victim up 50%." Norton Annual Cybercrime Report 2013

"One thing is very clear: The cyber security programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries." PWC 2014 U.S. State of Cybercrime Survey

Cybercrime motivations

[Chart: cybercrime types plotted by Scale/Reward (Large to Small) against Effort/Complexity (Hard to Easy)]

Types plotted:
• Cyber terrorism
• Copyright infringement – Pharma
• Copyright infringement – Video
• Copyright infringement – Music
• Copyright infringement – Software
• IP theft
• Insider trading
• Money laundering
• Card skimming
• Card not present
• Ransomware
• Money mules
• Fake antivirus
• Digital blackmail
• DDoS
• Advanced fee fraud
• Spam
• Hacktivism
• Digital mugging
• Cyber stalking
• Cyber bullying

Copying, Counterfeiting and IP Theft

• Impact
  • Hundreds of billions of dollars per year
  • Millions of jobs
  • A drag on US GDP growth
  • Degraded capacity to innovate
• Issues
  • Long supply chains
  • Poor legal protection of IPR
  • Protectionist industrial policies
  • IP theft is justified
  • Business pace outstrips legal remedy
  • Inadequate institutional capacity

"The greatest transfer of wealth in history." General Keith Alexander, Director US Cyber Command

Cyber Attack in Corporate Finance

• Threats
  • Individuals, nation states, hacktivists, employees and contractors, organised crime and competitors
• Targeting transactions
  • The very act of putting information together may trigger interest; it may also create an attractive target
  • A complex mix of external advisors, short timescales and high stakes leads to vulnerabilities
• Issues
  • How secure is each contributor and stakeholder in this transaction?
  • Who needs to know?
  • Can you monitor access to information?
  • What is your strategy for breaches?
  • Do you have a security partner?

Key Trends in Cybercrime

Social profiling…

Methods of Attack

• Hack attacks
  • Stolen credentials
  • SQL injection
  • Brute force
  • Privilege abuse
  • Footprinting
• Malware
  • Export data
  • Memory attack
  • Backdoor
  • Rootkit
  • Spyware
  • Network scanning
  • Adminware
  • Downloader
  • Controls disabler
  • Password capture
  • Stored data capture
  • Command and control
• Social
  • Phishing
  • Blackmail
• Physical
  • Tampering
  • Keylogger
  • Data tap
• Infrastructure
  • ARP spoofing
  • IP and MAC spoofing
  • DNS poisoning/pharming

Steps to protect your organisation… (BSI PAS 555)

• Management structure
• Resilience preparedness
• Organisational commitment
• External awareness
• Internal monitoring
• Security context
• Business architecture
• Capability development strategy
• Supplier and partner strategy
• Technology strategy
• Business resilience
• Compliance
• Protective monitoring
• Incident management
• Investigation
• Data integrity
• Business as usual reassurance
• Legal process
• Asset management
• Threat assessment
• Vulnerability assessment
• People security
• Physical security
• Technical security

Impact and Mitigation

"More than two-thirds (67%) of those who detected a security incident were not able to estimate the financial costs. Among those that could, the average annual monetary loss was approximately $415,000." PWC 2014 U.S. State of Cybercrime Survey

Quantifying the impact of cyber attack

Costs incurred:
• Channel disruption
• Supply chains
• Internal communications
• Customer confidence
• Share price
• Regulatory fines
• Reputation damage
• Remedial actions
• Long-term fixes
• Loss of IP
• Loss of business advantage
• Staff confidence
• Damages claims
• Victim notification

Impact quantification drives:
• Investment
• Security posture
• Priorities
• Board visibility
• Comparators
• Insurance
• Business continuity
• Training
• Information strategy
• Security governance

Impact quantification informs:
• Risk modelling

Example – Share Price Impact

[Chart: example of share price impact following a cyber incident]

A Call to Action…

• Capture your own organisation's impact costs of cyber incidents (you will have them):
  • Preventative costs
  • Post-event assessment (up to a year following an attack)
• Create an agreed taxonomy of cyber impact categories and measurements
• Educate and raise awareness
• Enable companies to capture such data
• Dare to share
  • Mechanisms for data aggregation and exchange
• Create / drive the insurance market:
  • Cyber as a standalone policy or part of corporate risk/professional insurance
  • Capture cyber-related claims
  • Quantify underwriting risk
  • Understand risk and claims assessment

Questions?

Andrew Rogoyski
Head of UK Cyber Security Services
CGI UK, Springfield Drive, KT22 7LP

Cyber Security Clients
• 35 years of experience working with government and commercial clients as a trusted advisor on security
• One of the only companies with three accredited security certification facilities: one in the US, one in the UK and one in Canada
• 9 Security Operations Centres globally
• Managed services support over 100 clients in 16 countries across all industries
• Defend against 43 million cyber attack incidents each day on military and intelligence networks and infrastructure
• Business-focused approach to security