Cyber Security. The changing landscape. Financial Sector. March 4-5, 2014

Transcription

1 Cyber Security Discussioni The changing landscape 2nd Information Security Workshop for Financial Sector March 4-5, 2014

2 Agenda Agenda How vulnerable is the banking sector Closer look at the security threat Cyber security response program Closing remarks 1

3 How vulnerable is the banking sector

4 Information Protection has Become an Executive Driven Issue Nov 27 Dec 15, million debit and credit cards breached with 70 million records of names, home addresses, s and phone numbers USA Today Feb 22, 2014 Jan 22, million credit cards were breached at Neiman Marcus October 7, 2012 Six big U.S. banks had their websites jammed, one after another, preventing their customers from logging on to their personal or business accounts, and from paying bills online. The banks affected were Bank of America, JPMorgan Chase, Citigroup, U.S. Bank, Wells Fargo and PNC. CNN News, Bob Greene Top Concerns for Audit Committees Governance, Processes, Controls and Risk Management IT Risk and Emerging Technologies Uncertainty Information Privacy/ Security/Cyber Security Is Governance Keeping Pace?, KPMG LLP (U.S.) 2012 The cyber threats we face are real and immediate Sen. Jay Rockefeller September 19, 2012 By Siobhan Gorman WASHINGTON Heads of major U.S. companies could be in for some interesting mail Wednesday. Frustrated by congressional failure to pass a cybersecurity bill, a top lawmaker is sending letters to the chief executives of every Fortune 500 company, asking them to describe their company's handling of computer security. Companies won't be required legally to respond to the letters, but it shows how lawmakers continue to press companies to step up cybersecurity measures. "The cyber threats we face are real and immediate, and Congress's failure to pass legislation this year leaves the country increasingly vulnerable to a catastrophic cyber attack," Sen. Jay Rockefeller (D., W.Va.), the Senate Commerce Committee chairman, writes in a copy of the letter, which was reviewed by The Wall Street Journal. 3

5 Board Priorities Survey IT Risks Which two areas of IT risk and emerging technologies give you the most angst? Information data privacy and security 58% Failure to capitalize on opportunities present by emerging technology 36% Social Media (impact on reputation, customer strategy..) 28% Cyber terrorism 26% Disruption of IT systems by natural disaster Blurring of lines between enterprise technology and personal technology Compliance risk posed by consumer privacy laws (federal and state) 12% 20% 18% Source: KPMG Audit Committee Institute Survey

6 State of the Union for Cyber Security In a digital age, where online communication has become the norm, internet users and governments face increased risks of becoming the targets of cyber attacks. As cyber criminals continue to develop and advance their techniques, they are also shifting their targets focusing less on theft of financial information and more on business espionage and accessing government information. - Source: KPMG International Issues Monitor 5

7 Cyber risk Advanced, persistent threat one of the most serious economic and national security threats our nation faces. (US President Barack Obama) What s at risk? IP and all things digital Information / data privacy and security Compliance with consumer privacy laws (federal and state) Reputation 6

8 Where are the attacks occurring in the Financial Services Industry? Heat-map of information leaking countries 7

9 Where do the various Industries stand Top 10 information leaking sectors Top 10 information leaking countries 8

10 Closer look at the security threatt

11 Dynamic World of Change Business Delivery Stack Business Layer Industry Leading Practices Geopolitical Drivers Business Process Corporate Objectives Areas of Dynamic Change Slow economic recovery Driving Growth & Profitability New Products/Services Mergers/Acquisitions Globalization Strategic Sourcing Competitive Differentiation Increased Regulatory Scrutiny KPMG Approach Enablement Layer Application Data Mobile & Cloud Deployments Big Data, BI & Analytics Self service & Consumerization Traditional Approach Infrastructure Layer Servers/Hosts Networks Physical Environment Virtualization & Cloud Platforms Internetworking/VPNs New Operating Systems Low cost computing models Changing DataCenter models 10

12 Who is trying to attack what? The business impacts are financial and reputational including loss of competitive advantage in accessing new markets, losing deals and disputes (or winning them on unfavourable terms), regulatory fines, share price drops and negative international media coverage. Intellectual Property Organized crime (i.e. stealing credit card numbers) Personal or non-public Data (i.e. Addresses, DOB) State sponsored & corporate espionage (i.e. Night Dragon) Hacktivists (i.e. Wikileaks, Anonymous, LulzSec) Malicious users (i.e. e Bradley Manning and the U.S. Department of State memos) Threats Information Assets Merger & Acquisition Transaction Information Senior Executive s (i.e. CEO) Quarterly & Annual Financials Legal Disputes Process Control Networks (supports exploration & production activity) The threat landscape, business models, technology ogy and ways of working are constantly t changing g and old strategies es to protect critical information and systems are no longer viable. 11

13 Attack scenarios Scenario Organized Crime (e.g., Shamoon) Description / Result Spear-phishing / Target Malware (APT) Victim opens or clicks the malware The attacker takes control of an internal machine connected directly to the internet, and use it as a proxy to the external Command-and-Control (C2) server The attacker then executes the malware, wiping all evidence of other malicious software or stolen data from the infected machines Theft of Intellectual Property or Confidential Information, Malicious destruction of data for financial gain. Cyber Espionage State Funded / Well Organized Intellectual property: Agra-Chem Pharmaceuticals, Chemicals, Software, Oil/Gas, Lay and wait scenarios: Compromised for potential future financial gain such as Mergers and acquisitions and future IP Reputational Impact Hactivisim Attackers compromise public or private systems (e.g. Web servers) of an organization and use them as a proxy to launch a DDoS attacks (Peak DDoS floods can exceed 60 Gb/s) Web Defacement Theft of confidential information made available to public. Public embarrassment Reputational Risk Insider Threats Disgruntled administrator or data centre backup manager extracts dump of confidential data to portable storage device Administrator then leaks the information in the market or to organized crime Intense media interest tin the details of finner workings of fpi Priceline and din the personal information/discussions within 12

14 Cyber security response program

15 Cyber Security Framework 14

16 Cyber Security Framework Phase Activities Prepare Understanding your Environmental Risks How secure do you think you are? Where is your confidential data located? What security issues are you already aware of? What don t you know? Protect Process, People, Technology Do you have properly functioning Security programs in place? Have the necessary tools been procured/implemented to support the process and people? Detect and Respond Will processes and technologies in place detect a breach in the event of: External Attacks Internal Attacks / Insider threats Data loss or theft (Accidental or Intentional Integrate Does Security have support from Executive management? Resource Needs, Financial support for required technologies Is Security integrated with the business in a leadership capacity? Security as an enabler or driver? 15

17 Cyber Security Framework - Threat Intelligence 1. Cyber Intelligence Strategy & Budget: The strategy for cyber intelligence and team budget The ability to decide what intelligence we need to improve understanding of the threat and to set our intelligence gathering priorities SET 2. Cyber Intelligence processes The ability to gather cyber intelligence relating lti to cyber security threats and vulnerabilities from a range of sources and translate these into a common language GATHER ACT The ability to make intelligencedriven decisions and act both tactically and strategically to prevent or respond to threats ANALYSE The ability to analyse cyber intelligence gathered and to make links between discrete pieces of information to create intelligence that can inform actions 3. Cb Cyber Intelligence Resources: Structure, roles, skills and leadership 16

18 Where are we today? Cyber Maturity Assessment Legal and Compliance Regulatory and international certification standards as relevant Leadership and Governance Board demonstrating due diligence, ownership and effective management of risk Operations and Technology The level of control measures implemented to address identified risks and minimize the impact of compromise Human Factors The level and integration of a security culture that empowers and ensures the right people, skills, culture and knowledge Business Continuity and Crisis Management Preparations for a security event and ability to prevent or minimize the impact through successful crisis and stakeholder Management Information Risk Management The approach to achieve comprehensive and effective risk management of information throughout the organization and its delivery and supply partners 17

19 Comprehensive Cloud Information Protection Cloud Discovery Shine a light on shadow IT Cloud Data Discovery Understand compliance risks Identify, categorize, and Pinpoint i sensitive data in the evaluate the risks for all cloud based on corporate cloud apps in use within DLP policies an organization Protect Anomaly Detection Find needles in haystacks Spot anomalies and potentially ti malicious i interactions with the cloud User Activity Monitoring Expose insider threats Detailed capture and analysis of all user activity across devices & geolocations 18

20 Not to forget key agenda items for your CISO Security Analytics BYOD & Tech Consumerization Software Acquisition Lifecycle Meaningful Access Management Information Governance Security Change Management 19

21 Closing remarks

22 Changing the approach to Information Protection 21

23 The KPMG Security Capabilities Model Strategy Management Knowledge Technologies Security Leadership Security Sponsorship/Posture Security Strategy Security Program Security Program Structure Security Program Resources and Skill sets Security Policies Security Policies, Standard, and Guidelines Security Management Security Operations Security Monitoring User Management User Management User Awareness Information Asset Security Application Security Database/Metadata Security Host Security Internal Network Security Network Perimeter Security Causes Support Technology Protection and Continuity Physical and Environment Controls Contingency Planning Controls Effects 22

24 Primary Contact: Shahed Latif Principal, Advisory, KPMG LLP slatif@kpmg.com 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International.