Information Protection Removing Fear, Uncertainty and Doubt. September 2015

Transcription

1 Information Protection Removing Fear, Uncertainty and Doubt September 2015

2 Agenda 1 State of the Nation for cybersecurity Dynamic world of change Key Cyber trends New vectors of threats Potential impacts and implications for the board 2 Common Cyber Mistakes Common Cyber Security mistakes Addressing the threat 3 Where do we need focus Prepare for the breach - Balance is everything 2

3 Key Cyber Trends

4 Dynamic Change Home User Ransomware Malware that infects the target host by encrypting all data thereby holding the victim hostage Looks legitimate to the unsuspecting user The user is extorted for money Tactic achieves Fear, Uncertainty and Doubt The alternative in order to resolve the situation in an above-mentioned way you should pay a fine of $300 4

5 Dynamic Change Corporates under siege Ransomware Sony Corporation attacked with Randsomware, encrypting workstations & data drives, teaching us: Existing corporate security controls provide a false sense of security Opportunistic attacks are evolving into targeted attacks Redundancy is not a backup backups are critical Advanced Cyber control are now a necessity not a leading practice 5

6 Dynamic change - vectors of threats are accelerating the concern Yesterday Bad actors Isolated criminals Script kiddies Target of opportunity Targets Identity theft Self-promotion opportunities Theft of services Today Bad actors Organized criminals Nation states Hactivists Insiders Target of choice Targets Intellectual property Financial information Strategic access 6

7 Lets set the scene Threat Modelling Capability Motivation Level 0 X No interest in attacking the system Level 1 Opportunistic attacks May casually investigate or attack a system if exposed to it, but not by design Level 2 Some IT knowledge and resources for basic attacks (including the use of free Actor will attempt to attack the system; but one person attack; part-time malware, non zero type attacks) Level 3 Considerable IT knowledge however actors lack the capability and resources Focused on the system; full-time attacker; with support from part-timers to implement sophisticated attacks Level 4 Very capable with the resources to execute sophisticated attacks using zeroday Attack system frequently or constantly; several people; bribe or coerce exploits involving significant customisation Level 5 Sophisticated attacks, well-funded and resourced. Absolute priority employing detailed research in conjunction with social engineering, bribery and coercion 7

8 Common sense is not common 8

9 Holy grail of security Protecting us from Cyber Attacks? What is that holy grail of security? IPS/IDS ISO IAM Encryption at rest Anti-Virus Server isolation Strong governance, policies and procedures Application whitelisting Memory blocking Privileged access management 9

10 Some incidents The Sony Pictures Exploitation of a SQL injection vulnerability on an Internet based Webserver. Information, including login credentials & passwords (which were stored in clear text) were breached (Henderson, 2011:1; Wisniewski, 2011:1) HBGary - Exploitation of a SQL Injection vulnerability, Social Engineering, un-patched servers and an inherent failure of adequate server based authentication which resulted in s being stolen as well as unauthorised access to internal servers and personal and Twitter accounts (Hong & Greg, 2012:1; Bright, 2011) YouPorn.com Exposure of login credentials & passwords (which were stored in clear text) as result of a careless programmer accidentally left debug logging on to a publicly accessible URL as early as November 2007, and it has been storing all registrations ever since (Nilsson, 2012) 10

11 Some incidents E-Harmony The breach resulted in the disclosure of password hashes which utilised the MD5 hash algorithm (which is flawed) as well as the elimation of all capital letters before hashing (Messmer, 2012). The passwords were obtained through the exploitation of a 3 rd party library used for E-Harmony s CMS (McMillian, 2011) RockYou.com 32 Million usernames and passwords stolen as result of a SQL injection vulnerability. Passwords were also stored in clear text. (Vance A, 2010:1; Leyden, 2009) at&t - the employees of the vendor were able to view AT&T customers' Social Security numbers and possibly their dates of birth 11

12 UK Stats Data Breach trends from the UK S ICO Top Five Breach SECTORS 11% 8% 6% 16% 59% Health Local Gov Education Charities Solicitors 12

13 What is the cost of not complying? 2/3 customers would leave you, if you mistreated their data 76% of companies said a data breach caused moderate to severe impact on the business $3.5M average cost of a data breach "Investors see data breaches as a threat to a company's material value and feel discouraged in investing in a business that has had its sensitive information compromised" - Malcolm Marshall, global leader of KPMG's cyber security practice 13

14 Lessons to be learnt Security Awareness Training Security Awareness Training Ex Hacker Kevin Mitnik now turned white hatter was quoted as saying that resorting to a technical hack over social engineering was rare, since the latter was far quicker and often more successful. People are the weakest link! Passwords are dead! Take the a*s out of password RockYou password analysis 14

15 The five most common cybersecurity mistakes

16 The five most common cybersecurity mistakes Mistake #1: We have to achieve 100 percent security. Reality: 100 percent security is neither feasible nor the appropriate goal. 16

17 The five most common cybersecurity mistakes (continued) Mistake #2: When we invest in best-in-class technical tools, we are safe. Reality: Effective cybersecurity is less dependent on technology than you think. 17

18 The five most common cybersecurity mistakes (continued) Mistake #3: Our weapons have to be better than those of our attackers. Reality: The security policy should primarily be determined by your goals, not those of your attackers. 18

19 The five most common cybersecurity mistakes (continued) Mistake #4: Cybersecurity compliance is all about effective monitoring. Reality: The ability to learn is just as important as the ability to monitor. 19

20 The five most common cybersecurity mistakes (continued) Mistake #5: We need to recruit the best professionals to defend ourselves against cybercrime. Reality: Cybersecurity is not a department, but an attitude. 20

21 Cybersecurity: Questions? 21

22 Protection of Personal Information Act: An Introduction

23 Protection of Personal Information Act Quick Facts What is the Protection of Personal Information Act? South Africa s first piece of comprehensive data protection legislation that aims to promote the Constitutional rights of individuals to privacy. It defines 8 conditions for the lawful processing of personal information. Who is required to comply? All public and private entities that process personal information for commercial purposes. When do I need to comply? The POPI Act is currently not effective in full. Once the POPI Act is effective in full organisation s will have a one year grace period in which to align themselves with its conditions. What else do I need to know? The Information Regulator is yet to be established. Additional Regulations and Industry Codes of Conduct will support the POPI Act. 23

24 Protection of Personal Information Act Key Definitions 24

25 Protection of Personal Information Act Eight Information Protection Conditions Accountability The organisation must ensure that the conditions contained in the Act are complied with. Purpose Specification Personal information may only be processed for specific, explicitly defined and legitimate reasons. Data Quality Organisation must ensure that personal information is kept reliable, accurate and up-to-date. Security Safeguards Personal information must be protected through the use of reasonable technical and organisational safeguards. Processing Limitation Personal information may only be processed in a fair and lawful manner. Further Processing Limitation Personal information may not be processed for a secondary incompatible purpose. Openness Data subject to be aware that personal information is being collected by the organisation. Data Subject Participation Data subjects may request the correction/deletion of any personal information held about them that may be inaccurate or misleading. 25

26 Protection of Personal Information Act Consequences of non-compliance Enforcement Notices Civil Liability Claims Criminal Liability Financial Fines Potential Breach of Fiduciary Duties Costs of Investigation and Response Financial and Reputational Loss Loss of Consumer Confidence and Trust 26

27 Where do we need to focus?

28 Preparing for the worst Prepare for the Worst So You Can Respond at Your Best Train or outsource the capability to respond to a potential threat Establish a data breach team Make sure everybody knows what their responsibilities are Build an eco-system This should not be an island It should integrate into the business of IT What exactly am I protecting Understand what you are trying to protect you can t effectively protect everything. Make sure the threats and opportunities are understood are Early detection and response is everything Traditional monitoring is no longer effective Monitoring is art, don t rush it Being sure how to respond is key 28

29 POPI: Questions? 29

30 Contacts Sipho Ndaba Partner Head: Technology Advisory Jason Gottschalk Associate Director Technology Advisory Information Protection and Business Resilience Darius Law Senior Manager Technology Advisory ERP Technology Enablement 2015 KPMG International Cooperative ( KPMG International ), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS