Infosecurity.nl 2010
Current Cyber Threat Challenges
3 November 2010
www.pwc.com
PwC
Contents
Real threats in the real world
Targeting Sensitive Data with Commercial Value
Targeting Sensitive Data with Economic Value
Public-Private Partnership
Considerations as we go forward
Real threats in the real world
Risks we face
• Significant threat profile, like never before in history;
• Adversaries that are patient, meticulous, smart;
• Sophisticated attackers hold access to environments, undetected for months, even years; and
• Require new thinking related to how we protect and manage sensitive data.
Threat Continuum (source and motivation)
• Amateur attackers: thrill; bragging rights
• Criminal groups (bot-network operators, phishers/spammers, malware authors, industrial spies/competitors): financial profit
  - Fraud
  - Blackmail
  - Bot recruitment
  - Trusted launch pad for further infrastructure attacks
  - Identity and intellectual property theft
  - Industrial espionage
• “Insiders” (employees, business partners): retaliation; financial profit
• Foreign state-sponsored agents: economic espionage; disrupt supply, communications, and economic infrastructures
Common failures that enable the attackers
1. Don’t know where sensitive data is located;
2. Don’t properly utilize monitoring and investigative tools;
3. Failure to address/shut down known security vulnerabilities; and
4. Have suboptimal organizational design.
Targeting Sensitive Data with Commercial Value
Attack Diagram (figure only)
Hypothetical Attack Overview: Preparation and Reconnaissance
Phases: Preparation and Reconnaissance → Initial Compromise → Expand Footprint → Execute Attack
Major Activities
• Identify Potential Targets: Use search engines and browse web sites to identify potential targets
• Prepare Tools: Write custom applications and assemble publicly available tools to bypass antivirus
• Identify Initial Entry Point: Test identified websites for SQL injection vulnerabilities to gain access to the target network
Timeline: 13 days
Impact
• Read/Write access to database records
• Administrative privileges to database OS
• Ability to initiate connections to other internal systems
Countermeasures
• Recode web applications to accept a white list of characters and filter all unnecessary characters
• Use unprivileged accounts for databases
• Perform web application security assessments
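The first countermeasure on this slide (an allow list of accepted characters) and the query style that removes the entry point altogether are shown side by side in this added Python example. It is not code from the presentation; the customer table, the user names and the test input are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the presentation).
CUSTOMERS = [("alice", "1234"), ("bob", "5678"), ("carol", "9012")]

# Allow list from the slide's first countermeasure: only these characters are
# accepted in a username; anything else is rejected before it reaches SQL.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """In-memory SQLite database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, card_last4) VALUES (?, ?)", CUSTOMERS
    )
    return conn


def lookup_vulnerable(conn, username):
    """The weak pattern: user input is pasted into the SQL text, so a quote
    character in the input becomes part of the query's grammar."""
    sql = (
        "SELECT username, card_last4 FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def validate_username(username):
    """Allow-list check: True only if every character is on the list."""
    return USERNAME_ALLOWED.fullmatch(username) is not None


def lookup_parameterized(conn, username):
    """Bound parameter: the driver passes the value separately from the
    statement, so the input can never change the query's structure."""
    return conn.execute(
        "SELECT username, card_last4 FROM customers WHERE username = ?",
        (username,),
    ).fetchall()


def lookup_hardened(conn, username):
    """Both layers together, as the slide recommends: reject input outside
    the allow list, then query with a bound parameter."""
    if not validate_username(username):
        raise ValueError("username contains characters outside the allow list")
    return lookup_parameterized(conn, username)


def demo():
    """Run a normal lookup and a quote-bearing test input against each
    variant; return how many rows each variant disclosed, whether the
    hardened path rejected the input, and the normal lookup's result."""
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed test input containing a quote
    disclosed_by_vulnerable = len(lookup_vulnerable(conn, probe))  # every row
    disclosed_by_parameterized = len(lookup_parameterized(conn, probe))  # none
    try:
        lookup_hardened(conn, probe)
        rejected = False
    except ValueError:
        rejected = True  # stopped by the allow list before any query ran
    normal = lookup_hardened(conn, "alice")
    return disclosed_by_vulnerable, disclosed_by_parameterized, rejected, normal


if __name__ == "__main__":
    print(demo())
```

The parameterized query alone already closes the entry point; the allow list is defence in depth and also keeps malformed input out of logs and downstream systems.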
Hypothetical Attack Overview: Initial Compromise
Major Activities
• Information Gathering: Craft SQL queries to obtain database structure and contained data
• Exploit Database Links: Identify linked databases and search the databases for sensitive data or credit/debit card data
• Upload Tools through SQL Injection: Upload malicious tools to database servers to obtain Domain Administrator password and target other systems
Timeline: 12 days for this phase (after the 13 days of preparation and reconnaissance)
Impact
• Identified dozens of databases with sensitive personal or business data or credit/debit card data
• Obtained Domain Administrator privileges
Hypothetical Attack Overview: Expand Footprint
Major Activities
• Establish presence in environment: Push custom developed network sniffer or other custom hacker tools onto dozens of systems to understand network topology and system traffic
• Upload Web Based Tools: Upload custom web pages to external web servers to perform command and control functions on tools on internal systems
• Exfiltrate data: Obtain target data
• Locate Business Critical Hardware: Identify system (HSM) that creates encrypted PIN numbers
Timeline: 3 days for this phase (after 13 + 12 days in the earlier phases)
Impact
• Attackers able to authenticate with privileged access to Windows systems
Hypothetical Attack Overview: Execute Attack
Major Activities
• Initiate Attack on HSM: Obtain clear text PIN numbers by attacking HSM device. Reverse engineer/decode sensitive encrypted data and/or gain control of wire transfer authorization process
• Manipulate Financial Account Values: Use custom web pages on external web servers to modify internal database values such as the balance and transaction limits to assist in financial fraud
• Distribute compromised payment cards
• Set up recipient accounts to obtain fraudulent proceeds
Timeline: 4 days for this phase (after 13 + 12 + 3 days in the earlier phases)
Impact
• Initiate unauthorized ATM withdrawals or transactions
• Unauthorized ACH wires issued
Targeting Data with Economic Value
Public-Private Partnership
Examples across this Continuum
• Collaboration with law enforcement;
• Collaboration with select corporate peers (Google example);
• Collaboration among Financial Services in US (FS-ISAC: hundreds of companies sharing information about critical threats to systems within the financial services sector);
• Collaboration among industry (US Department of Defense); and
• Collaboration to protect National Critical Infrastructure (US Department of Homeland Security).
Considerations as we go forward
1: Sensitive Data
Key takeaways:
• Inventory and prioritize sensitive data;
• Include electronic communication as a key component of the definition of sensitive data; and
• Enhance vigilance around the protection of these assets.
2: Technical
Key takeaways:
• Increase visibility into live memory on user systems;
• Increase vigilance on Domain Controller logs;
• Increase focus on analysis of outbound traffic (look for large outbound RAR files);
• Perform ongoing audits of key personnel (i.e., the M&A team): look for web-based mail logins from machines not normally used by the employee; and
• Automate the above to minimize human time commitment.
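Two of these points (large outbound RAR files, and web-based mail logins by key personnel from machines they do not normally use) are turned into detection logic over a constructed proxy-log extract in this added Python example, with both checks wrapped in one function so they can be scheduled rather than run by hand. It is not code from the presentation; the hostnames, users, per-user baseline and size threshold are assumptions made for the demonstration.

```python
import csv
from io import StringIO

# Constructed outbound-proxy log (CSV) for the demonstration; not real traffic.
# Columns: timestamp, user, src_host, dest, method, uri, bytes_out
PROXY_LOG = """\
timestamp,user,src_host,dest,method,uri,bytes_out
2010-11-01T08:02:11,jsmith,WS-JSMITH,mail.webmail.example,POST,/login,1024
2010-11-01T09:15:42,jsmith,WS-JSMITH,mail.webmail.example,POST,/login,980
2010-11-02T10:00:00,mjones,WS-MJONES,cdn.updates.example,GET,/patch.exe,52428800
2010-11-02T22:41:03,jsmith,SRV-FILE01,mail.webmail.example,POST,/login,1010
2010-11-02T22:44:19,jsmith,SRV-FILE01,drop.storage.example,PUT,/up/part01.rar,734003200
2010-11-02T22:51:50,jsmith,SRV-FILE01,drop.storage.example,PUT,/up/part02.rar,734003200
2010-11-03T07:30:12,mjones,WS-MJONES,mail.webmail.example,POST,/login,1002
"""

# Assumptions for the demonstration: which destinations are web mail, which
# users are key personnel (the slide's M&A team), and which machines each of
# them normally uses (in practice fed from the asset inventory or HR system).
WEBMAIL_HOSTS = {"mail.webmail.example"}
KEY_PERSONNEL = {"jsmith"}
NORMAL_HOSTS = {"jsmith": {"WS-JSMITH"}, "mjones": {"WS-MJONES"}}
LARGE_RAR_BYTES = 100 * 1024 * 1024  # 100 MiB; tune to the environment


def parse_log(text):
    """Parse the CSV extract into dicts, converting the byte count to int."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["bytes_out"] = int(r["bytes_out"])
    return rows


def large_rar_uploads(rows, threshold=LARGE_RAR_BYTES):
    """Slide point: look for large outbound RAR files.
    Matches on extension plus size. Where payload inspection is available,
    also match the RAR signature bytes b'Rar!\x1a\x07' so that a renamed
    archive is not missed."""
    return [
        r for r in rows
        if r["uri"].lower().endswith(".rar") and r["bytes_out"] >= threshold
    ]


def unusual_webmail_logins(rows, watch_users=KEY_PERSONNEL, baseline=NORMAL_HOSTS):
    """Slide point: web-based mail logins by key personnel from machines
    they do not normally use. A user with no baseline entry is treated as
    having no normal machine, so every login is reported."""
    return [
        r for r in rows
        if r["user"] in watch_users
        and r["dest"] in WEBMAIL_HOSTS
        and r["uri"] == "/login"
        and r["src_host"] not in baseline.get(r["user"], set())
    ]


def run_detections(text=PROXY_LOG):
    """Run both checks over one log extract and return a summary keyed by
    rule name, the shape a scheduler would hand to a ticket queue."""
    rows = parse_log(text)
    return {
        "large_rar_uploads": [
            (r["user"], r["src_host"], r["uri"], r["bytes_out"])
            for r in large_rar_uploads(rows)
        ],
        "unusual_webmail_logins": [
            (r["user"], r["src_host"], r["timestamp"])
            for r in unusual_webmail_logins(rows)
        ],
    }


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(rule, hits)
```

In the sample the two rules fire on the same user and machine within minutes of each other, which is the correlation an analyst would want surfaced first.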
3: Organizational
Key takeaways:
• Cyber security, and the CISO or equivalent, should be independent of IT and the CIO;
• Cyber security should have deep insight into business operations to be effective: if the CEO is traveling outside the US or if a 10-person team is working on a deal in Country X, cyber security should be aware; and
• Applying cyber security based on business operations will likely require a broader perspective than most technically oriented people are capable of, making cyber security ripe for alignment under the CSO.
PwC - Who we are
• PwC has more than 160,000 people in more than 150 countries. We focus on audit and assurance, tax and advisory services. We help our clients resolve complex issues and identify opportunities.
• PwC is a leading provider of security advisory and assessment services. Our Global Security practice has more than 2,100 professionals helping our clients solve complex security challenges.
• PwC was recognized by the Forrester Wave Vendor Summary as a leader in information security and IT risk consulting.
• PwC has assisted Fortune 500 companies in responding to security breaches, including network and system forensics, containment, and remediation activities.
Sincere thanks for your time.
© 2010 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP, a Delaware limited liability
partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate legal
entity. This proposal is protected under the copyright laws of the United States and other countries. This proposal contains information that is proprietary and
confidential to PricewaterhouseCoopers LLP, and shall not be disclosed outside the recipient's company or duplicated, used or disclosed in whole or in part by
the recipient for any purpose other than to evaluate this proposal. Any other use or disclosure in whole or in part of this information without the express written
permission of PricewaterhouseCoopers LLP is prohibited.
David Burg, Infosecurity.nl, 3 November 2010, Jaarbeurs Utrecht