CYBERSTRAT IS PART OF GMTL LLP, 26 YORK STREET, LONDON, W1U 6PZ, UNITED KINGDOM

Transcription

1 CYBERSTRAT IS PART OF GMTL LLP, 26 YORK STREET, LONDON, W1U 6PZ, UNITED KINGDOM

2 CYBER, INFORMATION SECURITY - OVERVIEW A cyber security breach is no longer just an IT problem. It can cause significant reputational and share price damage, compromise strategic negotiations or transactions, provide an opportunity for a class action, result in market disclosures and compliance breaches, and undermine years of research and development. It demands the CEO and Board s attention. Cyber attacks on companies rose by 15% last year while efforts to penetrate some sectors rose by 600%. At JP Morgan the names, addresses, telephone numbers and s of 76m households were stolen. At US retailer Target, a similar attack caused a crisis in shareholder confidence and led to the CEO losing his job. The widely publicised attack on Sony Pictures had a similar impact. In a typical company, a board director, CEO, CFO and CTO now has to be prepared for such threats on a daily basis. To do this, vulnerabilities must be identified and addressed without compromising their business. Locking down a system to make it invulnerable to cyber attack can hinder a company s commercial operations. Good cyber security is just as dependent on people and process as technology. Making sense of cyber security Customer, supplier and shareholder confidence Continuing advice and support We enable CEOs and the board to take control of cyber security governance by demystifying cyber security. We help companies categorise and protect their most sensitive information assets and explain technical and other areas of concern. It is not always necessary to perform complex network redesign or other expensive solutions to protect adequately from cyber attack. We focus on threats to commercial areas which really matter revenue, earnings, cash flow as well as ensuring compliance with existing standards such as ISO and the EU Network and Information Security Directive. We act as an accessible, impartial advisor to senior executives helping determine how an attack might best be avoided, the appropriate levels of response and the work involved in protecting against future incursions.

3 CYBERSTRAT SENIOR TEAM Our senior team gained their experience in the intelligence sector, giving them significant exposure to the threat environment and the processes to deal with it. This distinguishes us from other cyber security providers operating out of an accounting, auditing or wider consultancy base. Our broader team comprises cyber intelligence experts, training specialists and training practitioners. Dave Woodfine Formerly senior officer cyber command UK Ministry of Defence Led implementation of the UK National Cyber Security Programme Member UK Computer Emergency Response Team Advisor to industry (defence companies, Bank of England, FTSE250) on cyber security strategy Tim Scully Director of Australian DoD intelligence & cyber security Founder & CEO Stratsec (later BAE Systems Australia Head of Cyber Security) Huge experience advising board level executives and government officials on cyber security issues Has run several large cyber security training programmes James Griffiths CyberStrat technical director Over 17 years experience in the technical cyber and information assurance fields. Previously UK Ministry of Defence and the Joint Cyber Unit at GCHQ. Extensive knowledge of both the offensive and defensive cyber frameworks in banking Ian McCredie Former senior UK intelligence officer based in Washington DC Previously head of national security at Shell with responsibility for cyber security and risk management Lectures frequently at board level on cyber security issues in the UK and US Patrick Naegeli Experienced strategy advisor, senior partner in global consulting firm and co-founder of GMTL Defence/government advisor on cyber & information security Corporate advisor on M&A, technology and corporate development Simon King Experienced strategy adviser and former partner at top UK corporate intelligence firm Advisor to UK government on cyber and information security strategy Completed several international cyber security studies involving best practice, technology development, market dynamics and M&A

4 SELECTED CYBERSTRAT EXPERIENCE LARGE UK FINANCIAL INSTITUTION Review and refinement of Secure Operations Centre (SOC) procedures and capabilities Cyber security training of relevant personnel Scenario planning and forecasting of future threat environment CyberStrat continue to do a great job for us in helping to promote awareness of specific cyber issues as well as providing some specialised technical support. UK financial institution exec MAJOR EUROPEAN DEFENCE & SECURITY COMPANY UK CRITICAL NATIONAL INFRASTRUCTURE ORGANISATION Adjudication of third party specialist cyber security providers Red team reviews of potential procurement options Support in management of Secure Operations Centre (SOC) Design of a practical engagement schedule between the CEO, Board, IT practitioners and employees on cyber security Advice on areas of cyber-compliance, under both UK and EU law, (e.g. Network and Information Security Directive (2013/0027 COM (2013) 48). Review of cyber security best practice. The CyberStrat team really helped us get the most our of our existing specialist suppliers as well as provide very helpful support around the running of our SOC. CTO European defence org

5 RECENT CYBER ATTACKS - EXAMPLES There are two kinds of big companies in the U.S. Those who've been hacked by the Chinese, and those who don't know they've been hacked by the Chinese." - James Corney, FBI Chief Several attacks took place in August 2014 against large financial institutions. JP Morgan reported that it had suffered one of these attacks resulting in user contact data being breached, affecting approximately seven million small businesses. Attacker: Likely to have been a collaborative strategic attack aimed at several financial companies. Fallout: Negative brand impact in addition to the expense of providing affected clients with financial data monitoring services. Korea Credit Bureau. A 2014 hack put 20 million clients personal data at risk. This included user addresses and account numbers at banks partnered with KCB. Approximately 104 million card numbers were compromised. Attacker: Disgruntled KCB employee who, over the course of 18 months, copied customer client data via an external hard drive. Fallout: Resignation of three top KCB executives. 145 million customer accounts hacked last spring. The attack was the result of cross-site scripting, a stealthy exploit that redirects users to "spoof" sites mocked up to resemble a legitimate checkout page where they divulge sensitive billing information. Attacker: Unsolved -- remains unknown. Fallout: EBay claims no social security or account numbers were taken, but it's likely that hackers gained access to certain user data including encrypted passwords, , birth dates and addresses opening up the possibility of a second phase of exploits. Attack occurred between April and September 2014, impacting 56 million consumers' payment card data across the retailer's North America and Canada locations. Attacker: Unsolved -- remains unknown Fallout: Major media attention. Costs to alert customers regarding the fraudulent unauthorized access to payment card data that may have impacted credit and debit card purchases.

6 THE GENERAL CYBER SECURITY ENVIRONMENT THREATS + VULNERABILITIES VALUES AT RISK RESPONSES HACKTIVISM CORPORATE ESPIONAGE STATE SPONSORED TERRORISM CRIMINAL PEOPLE PROCESSES TECHNOLOGY ASSETS REPUTATION FINANCIAL PERSONNEL CUSTOMERS TRADITIONAL COMMUNITY SYSTEMIC POLICIES REGULATIONS GOVERNANCE INFORMATION SHARING MUTUAL AID COORDINATED ACTION RISK MARKETS EMBEDDED SECURITY Insider threat known Other issues not recognized/understood (e.g. social media) Constant technology development (mobile, cloud, Big Data, etc.) Compliance breaches Loss of confidence IP loss Share price damage Increasingly coherent & joint Good practice is now the norm Mandatory in all but name

7 DIFFERENT SECTORS HAVE DIFFERENT SECURITY PRIORITIES Levels of awareness, preparedness and effective investment vary across sectors, as does the procurement of 3 rd party services. Public sector Security/intelligence agencies Departments handling sensitive public data Continued use of outsourcing Procurement through frameworks Defence/security sectors (Tiers 1 & 2) High levels of awareness of technical issues, increasing understanding of non-technical areas Influenced by international considerations Work closely with government on sector-level issues Use large/prime contractors Large company Information dependency varies, but issues are relevant to all sectors Concerns extend from business to control systems Utilise consulting/technology service providers Small company Increasingly digital, but low levels of security awareness Buy-in security as part of a package Limited in-house expertise or resource

8 CYBERSTRAT OFFERS A SET OF WORK PACKAGES DISCOVERY REALISATION ASSURANCE Explaining cyber to your board Cyber infrastructure review Cyber road map Strategic cyber review & compliance assessment Cyber infrastructure protection Testing and certification Cyber intelligence assessment Cyber security training Horizon scanning

9 PACKAGE ONE: CYBER DISCOVERY EXPLAINING CYBER TO YOUR BOARD STRATEGIC CYBER REVIEW & COMPLIANCE ASSESSMENT Understanding the motives and types of cyber attacks can often be drawn into technical and laboured discussions. Our Executive Cyber Scenario Based Planning service details the most likely cyber attacks that you might face. We explain the different motives and attack methods that can be used as well as the potential impact on your business. Board level executives end up with a comprehensive understanding of what cyber security is about. Cyber security compliance standards (e.g. EU Network and Information Security Directive 2013, ISO 22001, payment card industry security requirements) are either in place or rapidly approaching. We provide an assessment and road-map to make sure an organisation complies with these standards. CYBER INTELLIGENCE ASSESSMENT We help identifying information on your system that is openly available to any potential attacker. Our assessment exposes the potential ease of social engineering threats and vulnerabilities. It can also expose how vulnerable your company and your key personnel would be to internet based attack methods (spear phishing, spam, web-site malware).

10 PACKAGE TWO: CYBER REALISATION CYBER INFRASTRUCTURE REVIEW A detailed analysis of your infrastructure to determine the degree to which your systems are protected from internal and external attacks. We test the robustness of existing servers, software and hardware, setting out the vulnerabilities that could be exploited. CYBER INFRASTRUCTURE PROTECTION Ethical hacking by professionals. We will help you get to grips with network security through external penetration tests (both remote and local), wireless network security, physical security, vulnerability and compliance audits. We advise on options for managed security cyber services that can protect and defend large volumes of networked information. We also advise on disaster recovery and business continuity options. CYBER SECURITY TRAINING & COMMUNICATIONS Poor user awareness of cyber threats can be the easiest way for an attacker to gain entry into a business. We provide training on operating safely within a cyber context, focusing on the potential for targeted attacks through social media, internet browsing and s. We also build a practical engagement schedule between the CEO, IT practitioners and employees. It provides the basis for company wide communication of cyber security issues. If the CEO gets it, the rest of the company will also get it.

11 PACKAGE THREE: CYBER ASSURANCE CYBER ROAD MAP Cyber security is not a one-off service. We provide you with a cyber road map to help you address future information security gaps. By engaging at both executive and technical levels we will ensure that a business has peace of mind in its own security posture. TESTING AND CERTIFICATION Our audit package will provide regular checks of your website, mobile and network to ensure everything is updated with the necessary security products. Our penetration testing packages provide a more detailed technical review of your networks. Our certification package provides the guidance required to implement information security standards applicable to your business. HORIZON SCANNINGOur horizon scanning service provides regular cyber threat and intelligence reports tailored to your business sector to ensure you keep pace with the ever changing threat.

12 VIRTUAL INFORMATION SECURITY EXECUTIVES Although many large organisations employ a Chief Information Officer (CIO) a Chief Information Security Officer (CISO) and/or a Chief Technical Officers (CTO), smaller companies often lack the resources to provide them. We can provide virtual information security executives who work with you, on-site on a part-time basis or remotely, to enhance your information security and cyber posture. Our Trusted Cyber Advisors will work across the whole spectrum of Cyber Discovery, Realisation and Assurance to ensure your business remains fully aware of the cyber challenges they will face and the optimum way of protecting their core information assets.

13 CyberStrat (a division of GMTL LLP), 26 York Street, London, W1U 6PZ, UK +44 (0)