UK Cyber Vulnerability Index 2013
An assessment of UK cyber resilience across the commercial sector. The report highlights information disclosure, as used by hackers to construct attack intelligence.
UK Cyber Vulnerability Index 2013

RISK CONSULTING

An ethical investigation into cyber security across the FTSE350

UK Cyber Vulnerability Index 2013

What does your online corporate profile reveal?
[Figure: more than (figure not captured) of the FTSE 350 have out of date and potentially vulnerable web servers.]
How we put together our Index.

KPMG performed research across the FTSE 350 constituent companies (over January to June 2013), with the aim of performing the same initial steps that hackers and organised criminals would perform when profiling a target organisation for attack or infiltration. This included some of the techniques used by threat actors often referred to as Advanced Persistent Threats, or ‘APTs’.

Our research focused on finding publicly available technical information about the FTSE350 group’s respective corporate IT. We mapped the structure of relevant corporate websites to identify potentially sensitive file locations or hidden functionality useful to cyber attackers. We then reviewed the content and meta-data of publicly accessible documents. While navigating the sites, we found interesting internal file locations, email addresses and technical data that would stimulate further investigation by hackers. In addition to websites, we also reviewed the content published on selected public sharing websites.

All profiling information was sourced from the public documents located on the FTSE350 corporate websites, document meta-data, search engines and public internet forums, and no hacking or illegal actions were performed.

How cyber criminals use organisations’ data against them.

The perpetrators of modern cyber attacks – whether these are social activists, criminals, competitors, or national governments – make extensive use of publicly available company information when planning their activity. Technical IT data, such as the versions of software used, usernames and email addresses, and technical details about a firm’s web-facing systems, is of particular interest to perpetrators. Such data is almost never relevant to the firm’s customers or website visitors, but may end up online due to negligence, deficient document publishing procedures, or as a result of earlier security breaches. Even so, it is useful to hackers as it helps profile the target firm’s IT and employees, and may reveal weaknesses in the firm’s security defences. Due to the non-intrusive nature of the discovery process, it leaves minimal to no footprint and is therefore difficult to detect or protect against. The best course of action may still be minimising the data unnecessarily published in the first place.
What we found - Vulnerable web servers

We observed that over 53 percent of corporate websites were supported by out-of-date and potentially vulnerable technologies.

Corporate websites are supported by a number of web technologies. When a website is accessed, the web server often reveals its software version, which is typically hidden from a web browser’s view. The disclosure of these web banner software versions can prove to be of significant value to an attacker when profiling a remote target site and server.

Out of the 53 percent vulnerable to attack due to missing security patches or outdated server software, the sectors with the highest number of web vulnerabilities1 were:
- Support Services
- Software and Computer Services
- General Retailers
- Mining
- Oil and Gas Producers
- Pharmaceuticals and Biotechnology
- Aerospace and Defence
- Banks
- Telecommunications
- General Industrial

Across the whole FTSE 350 group of companies, we identified an average of three potential web server vulnerabilities per company, with a total of 1121 vulnerabilities recorded. The highest recorded instance of web server vulnerabilities attributed to one company was 32.

We also noted the large number of development and preproduction web servers during our analysis. In one particular instance we discovered that a home-use web server, which provides a significantly lower level of sophistication and security, was in use by a FTSE350 company.

It’s no longer acceptable to patch internal servers and corporate laptops within four weeks of a patch being released. On a recent piece of client work we witnessed a patching policy of 48 hours for internal systems, covering some 2000 servers and 20,000 laptops, which shows what can be done.

1 Excludes Beverages, Media, Travel & Leisure and Equity Investment Instruments.
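As an added defender-side check, not part of the KPMG report, the following Python script shows what the banner disclosure described above looks like on the wire: it parses a raw HTTP response and flags every product that announces a version number in its Server or X-Powered-By header, so an organisation can audit its own public sites for exactly this leak. The two sample responses are constructed, and the list of headers checked is an assumption for this example.

```python
import re
from typing import NamedTuple

# Product/version tokens as they appear in banner headers, e.g. "Apache/2.2.22" or "PHP/5.3.10".
TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)(?:/([\w.-]+))?")
# Headers that commonly announce server-side software; assumed list for this example.
DISCLOSING_HEADERS = ("server", "x-powered-by")

class Disclosure(NamedTuple):
    header: str
    product: str
    version: str

def parse_headers(raw: str) -> dict:
    """Split a raw HTTP response (status line plus headers) into a lower-cased name->value dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def find_version_disclosures(raw: str) -> list:
    """Return every product that announces a version number in a banner header."""
    found = []
    for name, value in parse_headers(raw).items():
        if name not in DISCLOSING_HEADERS:
            continue
        value = re.sub(r"\([^)]*\)", " ", value)   # drop "(Ubuntu)"-style comments
        for product, version in TOKEN_RE.findall(value):
            if version and any(ch.isdigit() for ch in version):
                found.append(Disclosure(name, product, version))
    return found

# Constructed sample responses; not captured from any real site.
CHATTY = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)\r\n"
          "X-Powered-By: PHP/5.3.10\r\nContent-Type: text/html\r\n\r\n<html>")
QUIET = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for label, resp in (("chatty", CHATTY), ("quiet", QUIET)):
        print(label, find_version_disclosures(resp))
```

The "quiet" response is what a server looks like once version tokens have been removed from its banners; the product name alone is not flagged.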
“Telecommunications, Aerospace and Defence, Utilities, Financial Services, Oil Equipment and Services recorded the highest average vulnerable software”

[Chart: Potential web server vulnerability - TOTAL count per sector]

Looking at the results by industry group, the highest averages for out-of-date web servers were held by:

[Chart: Potential web server vulnerability - AVERAGE count per company per sector]
“Utilities rated worst for leaking internal user names - on average 126 per company”
What we found - Sensitive information within meta-data

Meta-data (information stored inside a document about the document itself) often constitutes an information leak, as it can provide attackers with a view of corporate network users, their email addresses, the software versions they use to create documents and internal network locations where files are stored.

As part of our research, we were able to obtain an average of 41 internal usernames and 44 email addresses per company. These may be used to facilitate targeted phishing email scams. Looking at the results by industry group, most internal email addresses were disclosed by companies in the Aerospace and Defence (212 emails per company), Tobacco (100), Oil Equipment, Services and Distribution (94) and Pharmaceuticals and Biotechnology (93).

What we found - Internal network locations

Internal network locations point to internal server names and assist hackers in gaining an insight into your internet structure2. We managed to extract an average of five sensitive internal file locations per company, with the highest recorded instance of 139 internal file locations in one company. The sectors leaking the most internal network locations3 were:

[Chart: Total recorded internal file locations per sector - Support Services, Mining, General Retailers, Oil Equipment, Services & Distribution, Pharmaceuticals & Biotechnology, Real Estate Investment Trusts, General Financial, Oil & Gas Producers, Utilities, Industrial Engineering, Software & Computer Services, Banks, Aerospace & Defence, Life Insurance, Telecommunications]

2 An internal file name may look something like \\compxlonserv1\MandA\secretfile1.
3 Excludes Equity Investment Instruments, Media, Household Goods.
What we found - Hacking forums

Hackers will often share information on potential or already compromised companies as posts on underground forums, using digital whiteboard technology to quickly paste information. These postings often reveal email addresses of individuals to be targeted in ‘spear-phishing4’ attacks, passwords of users on internal and external systems, as well as details of internet facing firewalls and VPN (Virtual Private Network) hosts.

Companies within the following sectors are discussed the most in these forums5:
- Banking
- General Financial
- General Retailers
- Oil and Gas Producers
- Pharmaceuticals and Biotechnology
- Software and Computer Services
- Support Services
- Technology Hardware and Equipment
- Telecommunications
- Tobacco

We found that on average a FTSE 350 company will have 12 postings on these forums relating to sensitive corporate information. The highest recorded instance of posts was 748, related to companies in the General Financial sector. The second and third highest recorded entries related to a company in the Technology Hardware and Equipment sector, with 603 and 346 posts respectively.

“Technology Hardware and Equipment had the greatest amount of posts on hacking forums with an average of 163 per company”

[Chart: KPMG ‘High Threat Club*’ - sectors shown: Mining, Oil Equipment & Services, Support Services, Industrial Engineering, Software & Computer Services, Telecommunications, General Industrials, Aerospace & Defence, Banks, Utilities, Life Insurance, Oil & Gas Producers, General Financial, Technology Hardware & Equipment, Pharmaceuticals & Biotechnology]

* Sectors most likely to be targeted. Sum of the following averages: internal file locations, vulnerable software, vulnerable web servers.

4 An e-mail spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data. Source: http://searchsecurity.techtarget.com/definition/spear-phishing
5 Numbers based on a six month collection period (over January to June 2013). Excludes Household Goods, Travel and Leisure.
The spotlight is on the Aerospace and Defence sector

Aerospace and Defence stand out as a high risk sector. Using an email designed to dupe the unsuspecting corporate user, hackers will embed a piece of malware, or a link to a malicious external site. When the user clicks on the link a piece of malware will be delivered to the user’s computer. From this point a user’s machine will be controlled by a third party and data extracted from the corporate network. The hackers will have the same access to everything as the user.

In June 2013, the FBI warned of an increase in criminals using spear-phishing attacks to target multiple industry sectors. (Source: http://www.fbi.gov/scams-safety/e-scams)

Did you know? Used by criminals and foreign intelligence services alike, phishing is the targeting mechanism of choice when penetrating an organisation’s network.

“Aerospace and Defence leaked the most email addresses with an average of 212 per company”

Many well publicised breaches have occurred in this sector over the years. As a sector, Aerospace and Defence leaked the most email addresses with an average of 212 per company. In addition, the Aerospace and Defence sector had 1209 recorded meta-data email leaks, which was the highest recorded across all sectors. The sector also had the highest number of potentially vulnerable software with a total of 34.

[Figure: average count per company for Aerospace & Defence - vulnerable software, hacking forums, internal file locations, users, emails, vulnerable web servers]
Focus on the future…
…Companies should look to minimise the amount of meta-data that can be associated back to their company. Plenty of tools exist to strip this data from documents before they are published.

People in sensitive roles that are likely to be the target of phishing or similar cyber attacks should have little online presence and their emails should be filtered. Such roles include IT administrators, heads of research, financial directors and other executives with control over vital corporate information or networks.

Finally, and critically, CEOs and non-executive directors should scrutinise and challenge what they are being told by their teams about cyber defences, questioning how robust their defences are and whether they have been actively tested. This requires the people at the very top of their organisation to have an in-depth understanding of both the threats and the countermeasures.
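Added example, not from the KPMG report: a Python script that audits the core properties of an OOXML document (.docx, .xlsx, .pptx) for the internal user names and UNC file locations described in the meta-data findings, and blanks them before publication as the recommendation above suggests. The sample .docx is constructed in memory; the fields treated as user names and the UNC path pattern are assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml of an OOXML package (.docx/.xlsx/.pptx).
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}
for prefix, uri in NS.items():          # keep the usual prefixes when re-serialising
    ET.register_namespace(prefix, uri)
IDENTITY_FIELDS = ("dc:creator", "cp:lastModifiedBy")   # assumed user-name fields
UNC_PATH_RE = re.compile(r"\\\\[\w.-]+\\[^\s<\"]+")        # \\server\share\file (assumed)

def build_sample_docx() -> bytes:
    """Constructed minimal package with leaky core properties; not a real company document."""
    core = ('<?xml version="1.0"?><cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>jsmith</dc:creator><cp:lastModifiedBy>CORP\\mjones</cp:lastModifiedBy>'
            '<dc:description>Draft at \\\\compxlonserv1\\MandA\\secretfile1.docx</dc:description>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

def audit_metadata(docx: bytes) -> dict:
    """Report user names and internal file locations in core.xml before a document is published."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    users = []
    for field in IDENTITY_FIELDS:
        el = root.find(field, NS)
        if el is not None and el.text:
            users.append(el.text)
    paths = [p for el in root.iter() if el.text for p in UNC_PATH_RE.findall(el.text)]
    return {"users": users, "unc_paths": paths}

def strip_metadata(docx: bytes) -> bytes:
    """Return a copy of the package with every core property value blanked."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for el in root:
                    el.text = ""   # keep the element itself so the package stays valid
                data = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            dst.writestr(item, data)
    return out.getvalue()
```

Running audit_metadata on a document before and after strip_metadata shows the user names and the internal path disappearing; real publishing pipelines should also clear app.xml and any custom properties.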
Contact us to find out more

Malcolm Marshall, Partner
T: +44 (0)20 7311 5456
E: malcolm.marshall@kpmg.co.uk

Stephen Bonner, Partner
T: +44 (0)20 7694 1644
M: stephen.bonner@kpmg.co.uk

Charles Hosner, Partner
T: +44 (0)7500 809 597
M: charles.hosner@kpmg.co.uk

Martin Jordan, Head of Cyber Response
T: +44 (0)776 846 7896
E: martin.jordan@kpmg.co.uk

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2013 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

RR Donnelley | RRD-285392 | July 2013 | www.kpmg.co.uk