EY Cyber Security Hacktics Center of Excellence
The Cyber Crime Underground Page 2
The Darknet Page 3
What can we find there? Hit men Page 4
What can we find there? Drug dealers Page 5
What can we find there? Stolen credit cards Page 6
What can we find there? Hackers for hire Page 7
What can we find there? who will do anything for money Page 8
How do we get there?
Tor Onion: https://www.torproject.org/
Wikileaks: http://kpvz7ki2v5agwt35.onion
Silkroad: http://silkroadvb5piz3r.onion/silkroad/home
Random but good forum: http://clsvtzwzdgzkjda7.onion/index.php
Facebook: https://facebookcorewwwi.onion/
Page 9
The Cyber Security Arena Page 10
Cybersecurity: How have cybersecurity threats evolved?
- Unsophisticated attackers (script kiddies): You are attacked because you are on the internet and have a vulnerability.
- Sophisticated attackers (hackers): You are attacked because you are on the internet and have information of value.
- Corporate espionage (malicious insiders): Your current or former employee seeks financial gain from stealing and selling your intellectual property (IP).
- Organized crime (criminal gangs): You are attacked because you have money or something else of value that can be sold.
- State-sponsored attacks and advanced persistent threat [1] (APT): You are targeted because of who you are, what you do or the value of your IP.
[Figure: risk plotted against attacker resources and sophistication, with each attacker type's motives]
- Script kiddies: Amusement, experimentation, nuisance, notoriety
- Hackers: Money, embarrassment, political, social or environmental causes
- Malicious insiders: Revenge, personal gain, stock price manipulation
- Criminal gangs: Cash, credit cards, identities, inside information
- APT: State-sponsored espionage, market manipulation, competitive advantage, military/political objectives
[1] An advanced persistent threat (APT) is a set of sophisticated, stealthy and continuous computer attacks often targeting a specific entity with business or political motives. The processes used involve a high degree of covertness over a long period of time using sophisticated techniques to exploit vulnerabilities in systems.
Page 11
Cybersecurity: Is every company a target?
Common misconception:
- I don't store credit card details, therefore, my company is not a target.
- I have nothing to hide.
- We do not hold personally identifiable information.
Reality: Companies can be targeted for many reasons:
- Company is a vendor of the ultimate target.
- Gain access to IP or research and development information.
- Stock price manipulation.
- Gain access to sensitive merger and acquisition information.
- Disrupt operations.
Page 12
Cybersecurity: Everyone is vulnerable
- 552 million identities were exposed in 2013, the year of the mega breach
- 493% increase in victim volume
- Number of breaches in 2014 was 66% higher than in 2013
- Social media scams and malware flourish on mobile devices
- Small businesses targeted to reach larger businesses
Email campaigns in 2014:
- 91% increase in email campaigns since 2013
- 29 billion spam emails per day are estimated in 2014
- 1 in 296 contain malware
- 25% of email traffic contains a malicious URL
[Chart: 2013 attacks by size of targeted company; surviving labels: 39%, 61%, 2,500+, 1,501 to 2,500 employees]
*Source: Symantec Corporation Internet Security Threat Report 2014: Volume 19.
Page 13
Famous Hacks 2012-2014: Many hacked, many others don't know they were hacked Page 14
Understanding the cyber landscape: Strategic business risks
Situation:
- Well-funded, patient and highly-skilled threat actors (i.e., nation-states, organized crime, hacktivists)
- Engaged in elaborate, long-term campaigns and cyber-enabled economic schemes designed to overcome economic, education and labor-force barriers to illicitly gain competitive advantage
- Focused on leap-frogging competitors through conversion of stolen intellectual property, theft of financial assets, corruption and the manipulation of markets
Strategic risks:
- $500 Billion. Financial impact: The risk of cyber attacks could decelerate the pace of technology and business innovation with as much as $500 billion
- 200 Days. Response time: It takes, on average, 200 days to discover that a cyber-attack has been perpetrated within your company
Response: Leading companies
- Take an outside-in approach to address the issue
- Examine and correlate financial, market and geopolitical data with criminal and cyber-intelligence information
- Assess business risks from the perspective of potential threat actors
- Proactively predict, manage and monitor emerging cyber-economic threats to mitigate business risks and protect shareholder value
Page 15
Development path of favored industries in Nation State
96% of cyber espionage originates from China or through China related threat actors. (Verizon, 2013)
[Diagram: Four Primary CE Phases, shown for a mainland campaign and an international expansion campaign]
- Phases (each campaign): Stage 1 Targeting, Stage 2 Enticement, Stage 3 Transformation, Stage 4 Control
- Progression labels: Joint-Venture Reliance, Independence, Emerging Markets Leader, Market Cap Leader
- Market position labels: Domestic Entry, Domestic Leader, International Entry, International Leader
- Industries shown: Transformers, Hi speed rail, Coal power, Pharmaceuticals, Wind Turbines, Solar, Logistics, Civilian aerospace, Medical Devices, Heavy equipment, Wireless telecommunications, Robotics
Page 16
Guiding principles for the Board
- Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
- Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
- Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
The National Association of Corporate Directors (NACD), in conjunction with the American International Group (AIG) and the Internet Security Alliance (ISA)
Page 17
Questions to ask
- Does the organization use a security framework?
- What are the top five risks the organization has related to cybersecurity?
- How are employees made aware of their role related to cybersecurity?
- Are external and internal threats considered when planning cybersecurity program activities?
- How is security governance managed within the organization?
- In the event of a serious breach, has management developed a robust response protocol?
Page 18
Cyber Security Budget
- While IT budget is 4%, cyber security budget is 8%
- Small to medium companies invest 0.9-3 million dollars
- Larger companies invest an average of 11 million dollars
- Small and medium companies transition to managed services
- Some of the budget is invested in cyber liability insurance
- 90% growth of sophisticated attacks results in higher mitigation costs
Page 19
What can be done?
Create your Cyber Posture Baseline:
- Identify your data assets
- Identify your cyber related risks, predict future ones
- Build your threat scenarios
- Perform an industry benchmark
- Build your protection plan strategy
Be Proactive! Protect, Detect, Respond
Page 20
Tal.Mozes@il.ey.com April 2015 Page 21
4 Insights from EY's global clients