Cyber Resilience



Cyber Resilience presented at the Malta Association of Risk Management (MARM) Cybercrime Seminar of 24 June 2013 by Mr Donald Tabone. Mr Tabone, Associate Director and Head of Information Protection and Business Resilience Services at KPMG Malta, presented a six-point action plan corporate entities can follow in order to reach a sustainable level of cyber resilience.


  1. Cyber Resilience
     Malta Association of Risk Management (MARM)
     Donald Tabone, 24 June 2013
  2. Agenda
     1. Where are we coming from?
     2. Cybercrime and threat actors
     3. What the stats say
     4. Who's being targeted?
     5. Cause for concern?
     6. Cyber resilience defined
     7. A six-point plan to becoming resilient
  3. Where are we coming from?
     The foundations
     • '62 J.C.R. Licklider introduced the idea of an 'Intergalactic Network'
     • '76 Dr. Robert Metcalfe invented Ethernet, coaxial cables
     • '78 Gary Thuerk – first spam email sent to 400 users of ARPANET
     • '84 Dr. Jon Postel described his idea for .com, .org, .gov etc. in a series of papers published by the IETF
     • '89 The World was the first ISP to offer commercial dial-up internet
     • '92 The Corporation for Education and Research Network (CREN) released the world wide web
     The beginning of eCommerce
     • '94 Pizza Hut offered online ordering through their website
     • '95 Pierre Omidyar released AuctionWeb, which later became eBay
     • '96 Hotmail was launched. The following year Microsoft bought it out for $400m
     • '98 Google received funding to become Google Technology Incorporated
     • '99 The Internet consisted of 19.5m hosts and over 1m websites
  4. Where are we coming from?
     The Dot-com bubble
     • '00 The Dot-com bubble burst
     • '03 Apple launched the iTunes store with 200,000 songs
     • '03 The hacktivist group Anonymous was born
     • '04 Google launched Gmail with 1Gb of storage
     • '05 YouTube is launched. The following year Google bought it out for $1.6b
     • '06 Twitter and Facebook came around
     • '06 There are an estimated 92m websites online 40 years from its inception
     • '09 Mobile data traffic exceeds voice traffic every single month
     • '09 Cloud-based file hosting from the likes of Dropbox came around
     • '10 Facebook announces it reached 400m active members
     • '10 Syria and China attempt to control Internet access
     • '10 The Wikileaks drama ensues whilst Anonymous conduct several cyber attacks on government, religious and corporate websites
     • '11 Interest in virtualisation and cloud computing reaches its highest peak
     • '13 The interest in BYOD and Big Data has reached a new high
  5. [Slide labels: Opportunity for crime; www; Cybercrime & Cyber criminals; Our dependence]
     As a result, we face new challenges related to:
     • Our online privacy,
     • The confidentiality and integrity of the data we entrust to online entities, and
     • Our ability to conduct business on the net through the use of ecommerce web applications
     Because of the nature of how the net works, accountability is also a challenge!
  6. Threat actors..1
     Organised Crime
     • Traditionally based in former Soviet Republics (Russia, Belarus, Ukraine)
     • Common attacks: Theft of PII for resale and misuse or resources for hosting of illicit material
     • Occasionally employ blackmail in terms of availability (threats of denial of service attacks to companies and threats of exposing individuals to embarrassment)
  7. Threat actors..2
     State Sponsored
     • Nations where commercial and state interests are very aligned
     • Military or Intelligence assets deployed in commercial environments
     • Limitless resources?
     • Main aim to achieve competitive advantage for business
     • Theft of commercial secrets (bid information, M&A details)
  8. Just this week
  9. Hacktivism
     • Will attack companies, organizations and individuals who are seen as being unethical or not doing the right thing
     • Hacking for fun… seriously!
     • Entire nations can be taken down (Estonia)
  10. Stolen information
     • 18.5m people have been affected by PC theft
     • 75% of data loss incidents in Retail were attributed to Hacking
     • 96% of data loss incidents in Media were attributed to Hacking
     Source: 2012 KPMG Data Loss Barometer
  11. 2012 KPMG cybercrime survey
     Source: KPMG, A nuanced perspective on cybercrime, shifting viewpoints – call for action. The results were based on over 170 responses from CIOs/CISOs or professionals in related professions in the Netherlands.
  12. 3 Common Attacks
     Traditional crime, redefined?
     Network based attacks
     • Identify a target website
     • Conduct network reconnaissance / mapping
     • Engage in DDoS attacks to deny accessibility
     • The result is direct loss of business
     Spear phishing attacks
     • Identify a target individual
     • Build a profile / biography
     • Directly target with a personal email
     • Trick user into accessing a malicious website
     • Implant malware and gain control of a device
     • Use a compromised machine to obtain otherwise confidential information
     Human based attacks
     • Human error incidents
     • Inside users become the target as they are often trusted users
     • Scorned / disgruntled employees
     The reality is that cyber attackers and organised crime perpetrators often use a combination of attack avenues to profile a target and map out their internal systems – the information is readily available!
     • Competitive edge is eroded
     • Organisation secrets are stolen
     • Corporate reputations are damaged
     Source: 2012 KPMG Cyber Vulnerability Index
  13. Who are they targeting?
     Increased attack sophistication; Inappropriate business response = UNCERTAINTY
     One study* conducted in the UK showed that small businesses suffer an estimated loss of £800m a year, averaging nearly £4000 per business
     • 30% of its members were victims of fraud as a result of virus infections
     • 50% hit by malware
     • 8% victims of hacking
     • 5% suffered security breaches
     As a consequence, a second recent cybercrime study** revealed that
     • 53% of the British public is worried about the damage of cyber attacks
     • 40% feel more vulnerable to cyber attacks now than a year ago
     • 38% feel that their personal data exchanged with organisations they do business with may already have been compromised
     Sources:
     * The study was carried out by the Federation of Small Businesses in the UK and is based on its 20000 members, accessed 12/6/2013
     ** The study was conducted by PollOne in April 2013 for Tripwire on 1000 users, accessed 12/6/2013
  14. In the US
     The unverified losses that victims claimed in 2012 jumped 8.3% from $485m the previous year
     [Charts: Losses; Complaints]
     Sources: SC Magazine and Internet Crime Complaint Center
  15. Meanwhile in a non-descript building …
     … just outside of Shanghai, "Unit 61398" of the People's Liberation Army is the alleged source of Chinese hacking attacks…
     … although the Chinese government consistently denies its involvement in such activities, claiming that such allegations are "irresponsible and unprofessional"
     Why should you be concerned?
     Source: Hello, Unit 61398, The Economist, 19 February 2013, accessed 13/06/2013
  16. Convictions?
     The fight against cybercrime seems to be ongoing
     41 MONTHS
     • Romanian hacker Cezar Butu – 21 months in prison for compromising credit card processing systems
     • Darnell Albert-El, 53 – 27 months in prison for hacking
     • Steven Kim, 40 – 12 months in prison for stealing personal data
     • Bruce Raisley, 48 – 24 months in prison for creating a botnet virus to launch DDoS attacks
     • Shawn Reilly, 34 – 33 months in prison for committing 84 fraudulent wire transfers
     • Eduard Arakelyan, 21 and Arman Vardanyan, 23 – 36 months in prison for theft of credit card information and committing bank fraud
     • Sonya Martin, 45 – 30 months in prison for being part of a gang to evade encryption
     Why should you be concerned?
     Sources: ValueWork, Help Net Security, SC Magazine
  17. Next generation cybercrime threat?
     What if hackers hijacked a key satellite? Could space be cybercrime's new frontier?
     • FACT #1: We have an overwhelming reliance on space technology for vital streams of information
     • FACT #2: Satellites are frightfully vulnerable to collisions and there are over 5500 redundant ones at the moment
     Makes us acutely vulnerable!
     Source: The Independent, Space: the new cybercrime frontier, accessed 16/2/2013
  18. Juggling the risks
     Risk Assessment: Examine threats; Determine the risk level
     AIM: reduce organisational risk
     • Risk Assumption: With appropriate due diligence, management accept the potential risk and continue operating
     • Risk Alleviation: Management approve the implementation of controls to lower risk to an acceptable level
     • Risk Avoidance: Eliminate the process that could cause the risks
     • Risk Limitation: Management limit the risk exposure by putting controls to limit the impact of a threat
     • Risk Planning: A process to manage risk by developing an architecture that prioritises, implements and maintains controls
     • Risk Transference: Management transfer the risk by using other options to compensate for a loss, e.g. purchasing an insurance policy
  19. Risk Transference
     Bespoke insurance products providing tailor-made policies targeting key professional liability exposures for technology companies
  20. Becoming resilient – a six point action plan
     Cyber Resilience: "The ability of a system or a domain to withstand attacks or failures and in such events to re-establish itself quickly" – Nigel Inkster, International Institute of Strategic Studies
     1. Organizational Readiness
     2. Situational awareness
     3. Cyber defence
     4. Detection
     5. Mitigation and containment
     6. Recovery
  21. #1 - Organisational Readiness
     • Corporate awareness
     • Ownership at the C-level
     • Assign the role and responsibility for information security oversight
     • Understand your business risks
     • Focus on your information and reputation
     • Share intelligence and experiences
  22. #2 - Situational intelligence
     [Diagram labels: Hacking for fame & glory; Cybercrime moved into monetisation; Disruption; Criminal gangs; Protest hacktivism; Corporate espionage; Anonymous & Lulzsec target corporate infrastructures; Specialist knowledge]
     • Know your information assets
     • Keep abreast of the latest advanced threats
     • Classify your information assets
     "One of the problems is that we all tend to be technology professionals weathered by our experiences rather than looking at new ways of managing risk and gaining or using new sources of intelligence" - Pat Brady, Information Security Manager, National Australia Group
  23. #3 – Cyber defence
     • Get a grip on infrastructure and access security
     • Assert the levels of staff awareness
     • Define strict access control and remote access control
     • Ensure strong visitor procedures for key buildings
     • Keep your basic security controls in sight, e.g. password change policy
     • Infrastructure changes should trigger network configuration changes, allowing you to move the shape of the target
  24. #4 – Detection
     • Develop the ability to detect attacks
     • Ensure you have an effective internal & external monitoring process
     • Scan outbound messages for abnormal volumes and patterns
     • Early recognition of a compromise is key to early reaction
  25. #5 – Mitigation and containment
     • The aim is to limit the damage to your services and reputation
     • Limit the impact / shut down the source
     • Being prepared is the key
     • Contingency planning – define and review your plans
     • Ensure adequate testing of business continuity plans
     • Prepared PR statements
     Plans: Continuity of Operations Plan; Disaster Recovery Plan; IT / Network Contingency Plans; Crisis Communication Plan; Cyber Incident Plan; Occupant Emergency Plan
  26. #6 – Recovery
     • You need to develop the ability to re-establish normal service: your survival as a business depends on it
     • Apply the lessons learnt
     • Give feedback to senior executives
       • Here's what happened to us
       • This is how we reacted
       • This is what we've done to mitigate / prevent it
  27. Conclusions
     Some final thoughts..
     • The cyber crime threat is actual and here to stay
     • It's NOT a question of IF but WHEN
     • Be prepared for incidents
     • Ensure security awareness between departments
     • Protect your information assets, regardless of where they are being held
     • Ensure adequate crisis management between departments
     • Align individual goals with the organisation's cyber security ambitions
     • Cyber risk teams need to consist of flexible people who can build relationships across departments
     • Take a pragmatic approach to investing in your defences – overinvesting is a real danger
     [Diagram labels: IT Service Continuity Management functions; Business Continuity; Cyber Resiliency; Awareness; Knowledge; Controls; Detection; Mitigation; Recovery]
     BEING PROACTIVE IS THE NAME OF THE GAME
  28. References
     • Andrew Auernheimer
     • Bandit Country, Amir Singh, Chartech March/April 2013
     • Cyber Crime Study Reveals Uncertainty
     • Eight cyber crooks who got less prison time than Andrew Auernheimer
     • KPMG data loss barometer 2012
     • KPMG seven ways to beat cyber crime
     • KPMG shifting viewpoints - A nuanced perspective on cybercrime
     • Microsoft and FBI disrupt global cybercrime ring
     • Most small businesses can't restore all data after a cyber attack
     • Operation cyber taskforce, Gerry O'Neill, Chartech March/April 2013
     • Space: the new cyber crime frontier
     • The cost of cybercrime
  29. Thank you!
     Donald Tabone B.Sc. (Hons), LL.M. (Strath)