4. Paul C Dwyer
Paul C Dwyer is an internationally recognised
information security authority with over two decades
experience.
A certified industry professional by the International Information
Systems Security Certification Consortium (ISC2) and the
Information System Audit & Control Association (ISACA) and
recently selected for the IT Governance Expert Panel.
Paul's credentials include:
• -Qualified Hacker
• -SOX (SAS70) Auditor
• -ISO 27001 Lead Auditor
• -BS25999 / BCP Expert
• -Forensic Investigator
• -PCI DSS Specialist
• -Prince2
He has worked and trained with such organisations as the US
Secret Service, Scotland Yard, FBI, National Counter Terrorism
Security Office (MI5), is approved by the National Crime Faculty
and is a member of the High Tech Crime Network (HTCN).
Paul is currently CEO of Cyber Risk International and President of
the ICTTF.
6. What is Cyber Crime?
Cyber crime or computer crime as it is
generally known is a form of crime
where the Internet or computers are
used as a medium or method to
commit crime which includes hacking,
copyright infringement, scams, denial
of service attacks, web defacement
and fraud.
7. Cybercrime Drivers
It’s a business with an excellent economic model.
Other reasons, you name it:
• Technology
• Internet
• Recession
• “A safe crime”
• It’s easy to get involved
• Part of Something
8. Crimeware Toolkits
Criminal gangs are creating fake banking apps
Traditional Banking Trojan kits are attacking:
mTAN (Transaction Authentication Number)
• Zeus MITMO
• Spitmo (SpyEye)
• Citmo (Carberp)
• Tattanga
New generic mobile kits are being developed independently
of PC kits for Zeus, Ice IX, SpyEye, Citadel, Carberp.
Increasingly industrialized, new distribution channels
Legit apps used with stolen credentials
10. “actions by a nation-state to penetrate another nation's computers or
networks for the purposes of causing damage or disruption.”
• “Digital Infrastructure….Strategic National Asset”
President Barack Obama
• May 2010 – Pentagon – Cybercom
• UK - a cyber-security "operations centre” (GCHQ)
• “Fifth Domain” The Economist
What is Cyber Warfare?
21. Reconnaissance Weaponisation Delivery Exploitation C2
Lateral
Movement
Exfiltration Maintenance
Gathers Intelligence About
Employee and Assets
Targets Individual (Asset)Bad Guy
Exploit Run – Comms
Established – Command &
Control Server
Move Laterally Across Network
Chooses Weapon from
underground forum
Exfiltrate Data
Protection – Maint Mode
37. Prepaid Debit Cards – Bank Muskat –
Oman
Hackers cancelled withdrawal limits –
“Hacked Payment Processor”
Card Numbers – Sent to foot soldiers
around the world – “Unlimited Operation”
“Cashing Crews” Imprinted Data on Cards
“Flash Mob” Using Secure IM Sites
What Happened?
39. Dominican – Yonkers – North of Manhattan
Entire crew within streets of “Strattan Street”
Dry run – Dec 2012 – Rak Bank
Nearly $400,000 - 700 Withdrawals
40. Why Trust a Criminal?
Copyright - Paul C Dwyer Ltd - All Rights Reserved
47. Some Recommendations
• Prepare for the Strategic Challenge
• Build Cyber resilience and detection within your organisation
• Develop Strategy and Governance
• Develop Incident Management Capability
• Secure your Supply Chain
• Learn from the “Bad Guys”
• Access Relevant Actionable Cyber Threat Intelligence
• Don’t Forget the Basics
• Make Everyone Responsible and “Cyber Loyal”
• Look Ahead
50. Government and Regulators
• Governments have a role
• They expect organisations
to do their part
• Regulations can not keep
pace with technology
• Nobody can protect and
organisation better than
the organisation
54. Cyber Risks for You
• Tangible Costs
– Loss of funds
– Damage to Systems
– Regulatory Fines
– Legal Damages
– Financial Compensation
• Intangible Costs
– Loss of competitive advantage (Stolen IP)
– Loss of customer and/or partner trust
– Loss of integrity (compromised digital assets)
– Damage to reputation and brand
Quantitative vs. Qualitative
46% Reduction in Profits Following Breach
55. Regulatory and Legal
EU Data Privacy Directive
EU Network
Information
Security
Directive
European Convention on
Cybercrime
400+ Others
– 10,000+
Controls –
175 Legal
Jurisdictions
Your
Organisation
56. Responsibility – Convention Cybercrime
All organisations need to be aware of the Convention’s
provisions in article 12, paragraph 2:
‘ensure that a legal person can be held liable where the
lack of supervision or control by a natural person…has
made possible the commission of a criminal offence
established in accordance with this Convention’.
Now Sit Forward!
59. Operational
Level
Strategic Level
Technical Level
Cyber is a Strategic Issue
59
Macro Security
Micro Security
How do cyber attacks affect, policies,
industry, business decisions?
What kind of policies, procedures and
business models do we need?
How can we solve our security
problems with technology?
60. •Loss of market share and reputation
•Legal ExposureCEO
•Audit Failure
•Fines and Criminal Charges
•Financial Loss
CFO/COO
•Loss of data confidentiality, integrity and/or availability
CIO
•Violation of employee privacy
CHRO
•Loss of customer trust
•Loss of brand reputationCMO
Board Room Discussion
Increasingly companies are appointing CRO’s and CISO’s with a direct line to the audit committee.
73. The Real CISO Challenge
• What cyber controls are in place?
• Are They Appropriate?
• What Maturity Level?
• Why?
• Prove they Are In Place
• Prove they are Appropriate (Inherent Risk)
• How to you deal with dynamic threat landscape?
• How do you deal with interdependence?
• Show metrics and evidence (Level 4)
• How do you align with business?
80. Risk / Maturity Relationship
• As inherent risk rises, an institution’s maturity levels should also increase
• Inherent risk profile and maturity levels will change over time
• Consider reevaluating inherent risk profile and cybersecurity maturity
periodically