CYBER SECURITY: PROTECTING YOUR BUSINESS
James Hatch, Director, Cyber Services, BAE Systems Applied Intelligence

CYBER SECURITY AT BAE SYSTEMS
- Offerings: Professional Services, Technical Services, Cyber Products, Managed Security
- Lifecycle: Prepare, Protect, Respond, Monitor

CONTENTS
- Cyber risk: why it is different
- Challenges and organising to address them
- My suggestions for internal audit

CYBER SECURITY IN PHYSICAL TERMS
Images from http://commons.wikimedia.org: "Three Surveillance cameras" by Hustvedt, "HH Polizeihauptmeister MZ" by Daniel Schwen, "Janeskh11leakedphoto" by Naval Intelligence Support Center, "T-72 Ajeya1" by Vivek Patankar (derivative)

CURRENT TRENDS
Cyber crime
- Continued industrialization and specialization of digital criminality
- International law enforcement disruptions
- Point-of-sale and mobile emerging but still localised
- DDoS and data breaches continue to grab headlines

SHYLOCK FINANCIAL CRIME OPERATION
50k machines compromised globally, but mainly in Western Europe and the United States
(Chart: compromised machines by country; categories UK, US, IT, BR, TW, UA, DE, Other)

CURRENT TRENDS (continued)
Cyber crime: as on the previous trends slide
Cyber espionage
- More revelations about nation state activity
- US authorities increasing pressure on Chinese cyber-espionage
- Security community focusing more on Russian groups
- More specialist companies dealing in exploits and malware

MONITORING THE EVOLVING THREAT
Inputs to SOC threat intelligence:
- Incident Response Team
- Malware feeds
- Open source & security research communities
- Active & passive tracking
- Social media & hacker forums
- Intelligence exchange with trusted partners
93 attack groups tracked; 5 do not have a known location

CURRENT TRENDS (continued)
Cyber crime and cyber espionage: as on the previous trends slides
Cyber activism
- Low-level activity continues under Anonymous banner
- Crossover between nation state operations and activism
- Anti-security activism and research
- Middle East hot-bed for cyber-attacks and terrorism crossover

ANATOMY OF SONY PICTURES ATTACK
(Diagram: attacker network on one side, Sony Pictures network on the other)
Stages: Phishing; Initial compromise; Skilled attackers arrive; Announce
Steps shown in order:
- Multiple spear phishing e-mails
- Some users visit convincing website
- Website drops custom remote access and inventory tools
- Command and control
- Admin credentials
- Data removed through encrypted files
- Network destroyed

EVOLUTION OF CYBER THREATS (figure only)

CONTENTS
- Cyber risk: why it is different
- Challenges and organising to address them
- My suggestions for internal audit

CHALLENGES OF ACHIEVING CYBER SECURITY
BEING EFFICIENT
- Labour intensive
- Scarce resources
- Swamped in data
- Automation and integration
EFFECTIVE AGAINST REAL THREATS
- Asymmetric threat
- Situational awareness
- The threat keeps changing
- Compliance is not security
- Trap of risk acceptance
IMPLEMENTING CONTROLS
- Achieving coverage
- Funding and prioritisation
- Project execution
- Suppliers and processors
KNOWING YOUR ESTATE
- Shadow IT and BYOD
- Legacy systems and data
- Weak architecture and change

CYBER SECURITY LAYERS
- ORGANISATION & GOVERNANCE: long-term priority (years); focus on building and overseeing a mature and capable organisation
- SECURITY MANAGEMENT: medium-term priority (months); focus on understanding and managing down specific security risks
- SECURITY OPERATIONS: short-term priority (hours / days); focus on defending against and dealing with live incidents

SUMMARY VIEW OF CYBER SECURITY
ORGANISATION & GOVERNANCE
- Strategy
- Capability build
- Culture and leadership
- Risk reporting
- Maturity
SECURITY MANAGEMENT
- Prioritisation
- Change process
- Continuous improvement
- Situational awareness
- Testing & assurance
SECURITY OPERATIONS

KEY STANDARDS AND GUIDANCE
(Mapped across the three layers: Organisation & Governance, Security Management, Security Operations)
- Three Lines of Defence: Operations; Assurance; Audit
- BSI PAS555 Cyber risk governance (capability based): Leadership and governance; Risk assessment; Protection and mitigation; Detection and response; Recovery
- ISO27000 family: 1. Specification for Information Security Management System; 2. Potential controls; 3. Implementation guidance; 4. Measurement and metrics; 5. Risk management; 6. Certificating organisations. Key issues are scope and appetite
- 10 Steps to Cyber Security
- Cyber Essentials
- Critical Security Controls (Council on Cyber Security, formerly SANS Top 20)
- Industry-specific standards, e.g. Payment Card Industry Data Security Standard: tend to have high overlap and narrow scope

CONTENTS
- Cyber risk: why it is different
- Challenges and organising to address them
- My suggestions for internal audit

ORGANISATIONS SHOULD SHOW THAT THEY
- Are clear who is responsible
- Understand their cyber risk
- Make active decisions on risk
- Plan for resilience
- Support strategic priorities

ORGANISATIONS SHOULD SHOW THAT THEY (1): Are clear who is responsible
- Who on the board is responsible?
- Who explains the risk to them?
- On what information will we make decisions?

CYBER RESPONSIBILITY: SOME CHALLENGES
Nature
- Personal experience poor guide
- Many legitimate demands
- Sustaining interest is difficult
- Much is deliberately hidden
- Moves suddenly from hypothetical to emotional
Culture
- Organisations underestimate their significance / attractiveness
- Security often treated as compliance or IT issue
Skill / language
- Needs three different skills: Strategic (Impact), Technical (Vulnerability), Intelligence (Threat)
- People struggle to cover breadth
Bad news
- Not about making money
- Often asking for cash
- FD risk owners focussed on cost control
- Negative baseline

ENGAGING WITH BOARD MEMBERS: A CYBER AWARE BOARD
- Is this a key concern for the next 5 years? How can I have a secure but agile, competitive and growing business? (CEO / Chairmen / CFO and NEDs)
- How secure is my supply chain? (CFO / COO / CIO)
- How do we get cyber on the board agenda? (General Counsel and NEDs)
- What is my most valuable information and what's our risk appetite? (CRO / CIO)
- What's the business case for cyber security? (CFO / CRO / CIO)
- What's the financial impact of cyber attack? (CFO / CRO / CIO)
Different board members worry about different questions. Find the one whose agenda matches your concern.

ORGANISATIONS SHOULD SHOW THAT THEY (2): Understand their cyber risk
- What information is most important to us?
- What types of cyber risk do we care about?
- How exposed are we to those risks?

CYBER RISK PRINCIPLES
Risk = Impact x Likelihood, where Likelihood = Vulnerability x Threat
- Impact: Assets (Confidentiality, Integrity, Availability) and their Consequences
- Vulnerability: Systems (Configuration, Connectivity, Third parties) and Controls (Effectiveness)
- Threat: Actors (Motivation, Intent, Tools and techniques)

UNDERSTAND THEIR CYBER RISK
Risk types charted: Censure and Embarrassment; Client Loss; Direct Fraud; Sabotage; Cyber Espionage
Questions: How big is our risk? What type is it? Do we care?

ORGANISATIONS SHOULD SHOW THAT THEY (3): Make active decisions on risk
- What is our appetite for risk?
- Have we communicated this to all functions?
- Are our resources deployed efficiently?

MAKE ACTIVE DECISIONS ON RISK (figure only)

EXAMPLE SCENARIO
Chris, Retail Marketing Campaigns Manager

Despite working long hours and over the weekend for the last year, Chris does not get promoted. He applies for another job with a competitor. His new manager invites him out for drinks before he starts the new job to meet the team, and suggests he takes some of the customer data with him when he leaves.

Chris downloads thousands of records via a printer onto a USB stick, for which he has rights. He uploads the details onto the CRM system at his new employer when he joins. The team are then able to use this information to try to win over the customers, as it contains details about their accounts and rates.

This is made worse by
One of the customers who is persistently contacted by the competitor is not happy; she wants to know how they got her details. When no satisfactory answer is forthcoming, the customer reports the incident to the Information Commissioner's Office and the FSA. The source is traced back to the Bank; there is extensive media coverage with very negative headlines; people lose patience with responses of an ongoing internal investigation, and calls are made for the Retail Customer Service Director's resignation.

What this means
- Customers unaware that their details have been leaked are successfully persuaded to switch providers; the organisation loses revenue and market share.
- Negative media coverage. Reputation with customers and within the industry is damaged.
- Additional funds in social media monitoring and a campaign to counter the effect of negative sentiment.
- FSA and ICO fines.

Where have we seen this happen before?
- A well-publicized data breach can translate into lost business opportunity to the tune of 71 per leaked customer record, according to the Ponemon study.
- A survey by the Ponemon Institute reveals that one-third (34 percent) of customers would move their business to another supplier after learning about a single security breach.
- Blizzard's General Manager for China quit in Dec 2010 after a large data breach involving global subscriber details, financial data and the games release roadmap.

RISK TREATMENT DECISIONS
- Avoid
- Reduce
- Share
- Retain
Bring decisions together in an integrated, prioritised plan.

ORGANISATIONS SHOULD SHOW THAT THEY (4): Plan for resilience
- Do we cover 10 Steps to Cyber Security?
- How will we know we are being attacked?
- How will we thrive despite attacks?

BEING CYBER SECURE
- Protection
- Detection
- Response
- Intelligence
- Security Operations
- Risk Management

ORGANISATIONS SHOULD SHOW THAT THEY (5): Support strategic priorities
- Does our risk mitigation facilitate and enable growth?
- Are our controls delaying or blocking progress?
- Are we agile enough to exploit market opportunities?

SUPPORT STRATEGIC PRIORITIES
(Diagram: balancing Opportunity, Risk and Cost)
- Risks identified early can be managed without compromising opportunity
- Executives focus on pursuing opportunity while managing cost and risk
- Piecemeal decisions often balance risk and opportunity poorly
- Business cases for new projects often defer consideration of cyber risk
- Information security often identifies risk late and in isolation from business
- Weak costing of information assets and risks means they are ignored
Good risk management focuses spend where it is most needed.

ORGANISATIONS SHOULD SHOW THAT THEY (summary)
Are clear who is responsible
- Who on the board is responsible?
- Who explains the risk to them?
- On what information will we make decisions?
Understand their cyber risk
- What information is most important to us?
- What types of cyber risk do we care about?
- How exposed are we to those risks?
Make active decisions on risk
- What is our appetite for risk?
- Have we communicated this to all functions?
- Are our resources deployed efficiently?
Plan for resilience
- Do we cover 10 Steps to Cyber Security?
- How will we know we are being attacked?
- How will we thrive despite attacks?
Support strategic priorities
- Does our risk mitigation facilitate and enable growth?
- Are our controls delaying or blocking progress?
- Are we agile enough to exploit market opportunities?

CONTACT DETAILS
James Hatch, Director, Cyber Security Services
BAE Systems Applied Intelligence
Surrey Research Park, Guildford, Surrey GU2 7YP, United Kingdom
T: +44 (0)1483 816086
E: james.hatch3@baesystems.com

Copyright BAE Systems 2015. All rights reserved. BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc. BAE Systems Detica and BAE Systems Applied Intelligence are trading names of Detica Limited, registered in England (No. 1337451) with its registered office at Surrey Research Park, Guildford, England, GU2 7YP.