Knowing Your Enemy – How Your Business is Attacked
Andrew Rogoyski
June 2014
© CGI Group Inc. 2014
Why “Cyber” is the New Security
Timeline 1984 to 2014, from the era of early connectedness (“IA”, a technology issue) to the era of mass interdependence (“Cyber”, a leadership issue):
• 1986: Lawrence Berkeley NL discovers attempt to copy US Government information on Arpanet
• 1988: First worm created at Cornell
• 1990: Arpanet becomes the Internet
• 1998: Google founded
• 2000: ILOVEYOU worm
• 2001: Budapest Convention on Cybercrime
• 2003: Slammer worm
• 2003: DHS creates National Cyber Security Division
• 2004: Facebook launched
• 2007: Cyber attack on Estonian Government
• 2007: iPhone launched
• 2008: Marathon Oil, ExxonMobil and ConocoPhillips hacked for oil discovery data
• 2009: The Aurora attacks hit Google and 33 companies
• 2010: Stuxnet
• 2010: US Cyber Command becomes operational
• 2010: US intelligence material published on Wikileaks
• 2010: iPad launched
• 2011: RSA and Lockheed attacked
• 2011: Sony Playstation network hacked, costing $170m
• 2012: Aramco loses 30,000 PCs to attack
• 2013: Edward Snowden reveals stolen NSA data
• 2013: South Korean media and banks attacked
Drivers for Change:
1. Industrialised cyber espionage
2. Militarisation of cyberspace
3. Rise of hacktivism
4. Organised cybercrime
5. Growing dependency on the Internet
6. The rise of the devices
7. Privacy and Data Protection
Cybercrime
“The global cost of cybercrime is US$113 Billion annually, cost per
cybercrime victim up 50%”
Norton Annual Cybercrime Report 2013
“One thing is very clear: The cyber security programs of U.S.
organizations do not rival the persistence, tactical skills, and
technological prowess of their potential cyber adversaries”
PWC 2014 U.S. State of Cybercrime Survey.
Cybercrime motivations
Plotted by Scale/Reward (small to large) against Effort/Complexity (easy to hard):
• Cyber Terrorism
• IP Theft
• Copyright Infringement - Pharma
• Copyright Infringement - Video
• Copyright Infringement - Music
• Copyright Infringement - Software
• Insider Trading
• Money Laundering
• Card skimming
• Card not Present
• Ransomware
• Money Mules
• Fake Antivirus
• Digital Blackmail
• DDoS
• Advanced Fee Fraud
• Spam
• Hacktivism
• Digital Mugging
• Cyber Stalking
• Cyber Bullying
Copying, Counterfeiting and IP Theft
• Impact
  • Hundreds of billions of dollars per year
  • Millions of jobs
  • A drag on US GDP growth
  • Degraded capacity to innovate
• Issues
  • Long supply chains
  • Poor legal protection of IPR
  • Protectionist industrial policies
  • IP theft is justified
  • Business pace outstrips legal remedy
  • Inadequate institutional capacity
“The greatest transfer of wealth in history”
General Keith Alexander, Director US Cyber Command
Cyber Attack in Corporate Finance
• Threats
• Individuals, nation states, hacktivists,
employees & contractors, organised
crime and competitors
• Targeting Transactions
• The very act of putting information
together may trigger interest, it may also
create an attractive target
• A complex mix of external advisors,
short timescales and high stakes leads
to vulnerabilities
• Issues
  • How secure is each contributor and stakeholder in this transaction?
  • Who needs to know?
  • Can you monitor access to information?
  • What is your strategy for breaches?
  • Do you have a security partner?
Key Trends in Cybercrime
Social Profiling…
Methods of Attack
• Hack Attacks
  • Stolen credentials
  • SQL injection
  • Brute force
  • Privilege abuse
  • Footprinting
• Malware
  • Export data
  • Memory attack
  • Backdoor
  • Rootkit
  • Spyware
  • Network scanning
  • Adminware
  • Downloader
  • Controls disabler
  • Password capture
  • Stored data capture
  • Command & Control
• Social
  • Phishing
  • Blackmail
• Physical
  • Tampering
  • Keylogger
  • Data tap
• Infrastructure
  • ARP spoofing
  • IP & MAC spoofing
  • DNS poisoning/pharming
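Two items from the “Hack Attacks” group above, stolen credentials and SQL injection, shown in working code. This is an added example and not material from the presentation: a login check that splices user input into the SQL text, beside the parameterised version that closes the hole. The users table, the two accounts, the fixed salt and the injection payload are all constructed for the demo.

```python
"""Added example (not from the original slides): a login check that splices
user input into SQL, beside the parameterised form that defeats injection.
The users table, credentials and fixed salt are constructed for the demo."""
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    """Salted SHA-256. A single fixed salt keeps the demo deterministic; a real
    system uses a per-user random salt and a slow KDF such as scrypt or argon2."""
    return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, hash_pw(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'SQL injection' method: the username is pasted into the SQL text, so a
    value such as  alice' --  closes the string literal and comments out the
    password check. The query then matches alice without any password."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, hash_pw(password))
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: username and hash are passed as bound values, never
    as SQL text, so the same payload is simply an unknown username."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run both login paths against the constructed data and return the outcomes."""
    conn = build_db()
    payload = "alice' --"  # classic comment-out injection
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "injected_vulnerable": login_vulnerable(conn, payload, "not the password"),
        "injected_safe": login_safe(conn, payload, "not the password"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} -> {'logged in' if ok else 'rejected'}")
```

Both functions accept the genuine credentials; only the concatenating version also accepts the payload with a wrong password. The same bound-parameter pattern applies to any SQL driver, and it is the control to look for first when reviewing login, search or reporting code.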
Steps to protect your organisation… (bsi PAS 555)
• Management Structure
• Organisational Commitment
• Security Context
• Capability Development Strategy
• Supplier and Partner Strategy
• Technology Strategy
• Resilience Preparedness
• External Awareness
• Internal Monitoring
• Business Architecture
• Business Resilience
• Compliance
• Protective Monitoring
• Incident Management
• Investigation
• Data Integrity
• Business as Usual Reassurance
• Legal Process
• Asset Management
• Threat Assessment
• Vulnerability Assessment
• People Security
• Physical Security
• Technical Security
Impact and Mitigation
“More than two-thirds (67%) of those who detected a security
incident were not able to estimate the financial costs. Among
those that could, the average annual monetary loss was
approximately $415,000”
PWC 2014 U.S. State of Cybercrime Survey.
Quantifying the impact of cyber attack
Costs incurred:
• Channel disruption
• Supply chains
• Internal communications
• Customer confidence
• Share price
• Regulatory fines
• Reputation damage
• Remedial actions
• Long-term fixes
• Loss of IP
• Loss of business advantage
• Staff confidence
• Damages claims
• Victim notification
Impact quantification drives:
• Investment
• Security posture
• Priorities
• Board visibility
• Comparators
• Insurance
• Business continuity
• Training
• Information strategy
• Security governance
Impact quantification informs:
• Risk modelling
Example – Share Price Impact
A Call to Action…
• Capture your own organisation’s impact costs of cyber incidents (you will have
them):
• Preventative costs
• Post event assessment (up to a year following an attack)
• Create an agreed taxonomy of cyber impact categories and measurements
• Educate and raise awareness
• Enable companies to capture such data
• Dare to share
• Mechanisms for data aggregation and exchange
• Create / drive the insurance market:
• Cyber as a standalone policy or part of corporate risk/professional insurance
• Capture cyber-related claims
• Quantify underwriting risk
• Understand risk and claims assessment
Questions?
Andrew Rogoyski
Head of UK Cyber Security Services
CGI UK, Springfield Drive, KT22 7LP
Cyber Security Clients
• 35 years of experience working with government and commercial clients as a trusted advisor on security
• One of the only companies with three accredited security certification facilities, one in the US, one in the UK and one in Canada
• 9 Security Operations Centres globally
• Managed services support over 100 clients in 16 countries across all industries
• Defend against 43 million cyber attack incidents each day on military and intelligence networks and infrastructure
• Business-focused approach to security