Knowing Your Enemy How Your Business is Attacked. Andrew Rogoyski June 2014

Transcription

1 Knowing Your Enemy How Your Business is Attacked Andrew Rogoyski June 2014

2 Why Cyber is the New Security 1986: Lawrence Berkeley NL discovers attempt to copy US Government Information on Arpanet 1988: First worm created at Cornell 1990: Arpanet becomes the Internet 1998: Google Founded 2003: DHS creates National Cyber Security Division 2003: Slammer worm 2004: Facebook launched 2007: Cyber attack on Estonian Government 2007: iphone 3 launched 2010: US Intelligence on Wikileaks 2010: Stuxnet 2010: US Cyber Command becomes operational 2010: ipad launched 1984 Drivers for Change: 1. Industrialised Cyber espionage 2. Militarisation of cyberspace 3. Rise of hacktivism 4. Organised cybercrime 5. Growing dependency on the Internet 6. The rise of the devices 7. Privacy and Data Protection IA The era of early connectedness A technology issue 2000: ILOVEYOU worm 2001: Budapest Convention on Cybercrime : Marathon Oil, ExxonMobil and ConocoPhillips hacked for oil discovery data Cyber The era of mass interdependence A leadership issue 2009: The Aurora attacks, hit Google and 33 companies 2011: RSA and Lockheed attacked 2011: Sony Playstation network hacked, CGI Group costing Inc. $170m : Edward Snowden reveals stolen NSA data 2013: South Korean media and banks attacked 2012: Aramco loses 30,000 PCs to attack

3 Cybercrime The global cost of cybercrime is US$113 Billion annually, cost per cybercrime victim up 50% Norton Annual Cybercrime Report 2013 One thing is very clear: The cyber security programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries PWC 2014 U.S. State of Cybercrime Survey. 3

4 Scale/Reward Small Large Cybercrime motivations Copyright Infringement - Pharma Copyright Infringement - Music Cyber Terrorism IP Theft Copyright Infringement - Video Insider Trading DDoS Money Laundering Ransomware Copyright Infringement - Software Card skimming Money Mules Card not Present Digital Blackmail Hacktivism Fake Antivirus Spam Advanced Fee Fraud Digital Mugging Cyber Stalking Cyber Bullying Hard Effort/Complexity Easy 4

5 Copying, Counterfeiting and IP Theft Impact Hundreds of billions dollars per year Millions of jobs A drag on US GDP growth Degraded capacity to innovate Issues Long supply chains Poor legal protection of IPR Protectionist industrial policies IP Theft is justified Business pace outstrips legal remedy Inadequate institutional capacity The greatest transfer of wealth in history General Keith Alexander, Director US Cyber Command 5

6 Cyber Attack in Corporate Finance Threats Individuals, nation states, hacktivists, employees & contractors, organised crime and competitors Targeting Transactions The very act of putting information together may trigger interest, it may also create an attractive target A complex mix of external advisors, short timescales and high stakes leads to vulnerabilities Issues How secure is each contributor and stakeholder in this transaction? Who needs to know? Can you monitor access to information? What is your strategy for breaches? Do you have a security partner? 6

7 Key Trends in Cybercrime Social Profiling 7

8 Methods of Attack Hack Attacks Stolen Credentials SQL injection Brute Force Privilege abuse Footprinting Malware Export data Memory attack Backdoor Rootkit Spyware Network scanning Adminware Downloader Controls disabler Password capture Stored Data Capture Command & Control Social Phishing Blackmail Physical Tampering Keylogger Data tap Infrastructure ARP spoofing IP & MAC spoofing DNS poisoning/pharming 8

9 Steps to protect your organisation Management Structure Organisational Commitment Security Context Business Architecture Capability Development Strategy Supplier and Partner Strategy Technology Strategy Business Resilience Compliance Asset Management Threat Assessment Vulnerability Assessment People Security Physical Security Technical Security Resilience Preparedness External Awareness Internal Monitoring Protective Monitoring Incidient Management Investigation Data Integrity Business as Usual Reassurance Legal Process bsi PAS 555 9

10 Impact and Mitigation More than two-thirds (67%) of those who detected a security incident were not able to estimate the financial costs. Among those that could, the average annual monetary loss was approximately $415,000 PWC 2014 U.S. State of Cybercrime Survey. 10

11 Quantifying the impact of cyber attack Costs incurred: Channel disruption Supply chains Internal communications Customer confidence Share price Regulatory fines Reputation damage Remedial actions Long-term fixes Loss of IP Loss of business advantage Staff confidence Damages claims Victim notification Impact Quantification Drives: Investment Security posture Priorities Board visibility Comparitors Insurance Business continuity Training Information strategy Security governance Informs: Risk Modelling 11

12 Example Share Price Impact 12

13 A Call to Action Capture your own organisation s impact costs of cyber incidents (you will have them): Preventative costs Post event assessment (up to a year following an attack) Create an agreed taxonomy of cyber impact categories and measurements Educate and raise awareness Enable companies to capture such data Dare to share Mechanisms for data aggregation and exchange Create / drive the insurance market: Cyber as a standalone policy or part of corporate risk/professional insurance Capture cyber-related claims Quantify underwriting risk Understand risk and claims assessment 13

14 Questions? Andrew Rogoyski Head of UK Cyber Security Services CGI UK, Springfield Drive, KT22 7LP Cyber Security Clients 35 years of experience working with government and commercial as a trusted advisor on security One of the only companies with three accredited security certification facilities, one in the US, one in the UK and one in Canada 9 Security Operations Centres globally Managed services support over 100 clients in 16 countries across all industries Defend against 43 million cyber attack incidents each day on military and intelligence networks and infrastructure Business-focused approach to security 14