CFIR - Finance IT 2015 Cyber security September 2015

Transcription

1 Cyber security Audit. Tax. Consulting.

2 Our global team and credentials Our team helps organisations understand dynamic cyber challenges, adapt and respond to risks inherent to their business ecosystem, and prioritise and protect the most valuable assets fundamental to their business strategy. 3,200+ professionals Focused on consulting, solution implementation, incident response, and forensic investigation Knowledge and experience across key industries and sectors Largest professional security consulting provider as ranked by Gartner 1 Leader ranking by Forrester Research " has very strong global delivery capabilities, and the firm offers solid, comprehensive services with the ability to address almost all of the security and risk challenges that clients will face 2 Knowledge & Experience Advanced degrees and certifications including Certified Information System Security Professional (CISSP) Encase Certified Examiner (EnCE) Certified Information Security Manager (CISM) Certified Ethical Hacker (CEH) Identity Management Specialization Former federal and international law enforcement and intelligence officers Security clearances that allow for classified discussions that often stem from cyber related incidents We provide pragmatic insight and a balanced view of how to prioritise investments in people, processes and technology solutions needed to address the cybersecurity challenge 60+ labs Technical security and forensics labs located in forty countries Designed to conduct assessments, design and test security solutions, and conduct cyber forensic analysis and investigations. Proprietary tools and methods Extensive library of templates, tools, and accelerators Cyber threat intelligence fusion and big data analysis platforms to process data related to cyber threats and incidents 1 Gartner: Competitive Landscape: Professional Security Consulting Services, Worldwide, The Forrester Wave: Information Security and Risk Consulting Services, Q1 2013, Forrester Research, Ed Ferrara and Andrew Rose, February 1,

3 The landscape Users Criminals The employees trying to survive every work day with an increased level of enforced security. single opportunists, well-organised criminals etc. valuables customer services Business sensitive information intellectual capital Customers A business trying to create attractive services for new and existing customers while also trying to limit the cost of actually managing these services in favour of an increasing share price. Consuming the services, using credit and debit cards, managing their financials and expecting to be sufficiently secured. 3

4 The PAVA model The PAVA model is developed by Denmark and is based on our experience with cyber security assessment. The model aims to quantify the level of coverage of a given analysis within Process, Awareness, Vulnerabilities and Architecture. There are five levels for each area, and the analysis will always contain at least level one of all areas. The higher the level of an area, the more in-depth the analysis will be. Process This area clarifies the processes that exist in the company. The area also covers to which degree the theoretical aspect correlates with the practical aspect. Depending on the level, the company will be assessed based on e.g. the ISO standard, SANS Critical Security Controls, various NIST standards or similar frameworks. Awareness This area clarifies how users of the systems actually act in everyday life. It examines whether users know about the company security policy and whether it is respected. This could for example also include social engineering attacks. Vulnerabilities This area clarifies the level of security in terms of actual vulnerabilities of the analysed systems. Depending on the level, a given analysis will vary from an automated analysis to an indepth manual analysis. This could for example also include source code analysis. Architecture This area clarifies whether the company's system landscape, network design and interfaces are sound with regards to security. Depending on the level, we can prepare a statement of the sensitivity of different systems, i.e. how sensitive they are to crashes in various parts of the infrastructure. 4

5 The crazy ideas Pop-up branches - Lets close down some branches and do it all via ipads. Lost my card it would be neat if I could withdraw cash using my smart phone I wonder if we could utilise ibeacons for access to ATMs in anyway Why not use transactional data for analysis and do targeted marketing 5

6 Business vs security The auditors won t accept this No support for HSMs We need to embrace change The technology isn t mature enough Why all this security stuff log management will solve it.. The security team is always the bottleneck for progress We can t deploy an insecure solution like this on a flat network The supported crypto algorithms isn t compliant with our standards Let s try it out in the cloud and ask security later on 6

7 Concluding thoughts Business: Is it possible to engage with security at an earlier stage? Both: Acknowledge the conflict and communicate Security: What are the actual attack vectors and can we be more pragmatic when considering the controls? Both: Promote security awareness and education. Consider a more decentralised security approach 7

8 Thanks for listening! See you at: Cyber Crime Conference on 7 Oct Questions? Mark Barnkob Security Architect Security & Technology Mobile: mko@pwc.dk Together we succeed This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers Statsautoriseret Revisionspartnerselskab, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it PricewaterhouseCoopers Statsautoriseret Revisionspartnerselskab. All rights reserved. In this document, refers to PricewaterhouseCoopers Statsautoriseret Revisionspartnerselskab which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.