SlideShare a Scribd company logo

CRI Cyber Board Briefing

OCTF Industry Engagement
OCTF Industry Engagement

Nov 2015 redacted version of slides Conrad Hotel Dublin

Leadership & Management
1 of 83
Cyber Executive Briefing Presenter: Paul C Dwyer Date: Nov 26th 2015 REDACTED VERSION
Slides and Material May NOT be Distributed In Any Format Without Written Permission Copyright Cyber Risk International Ltd – All Rights Reserved
Peer Group
Paul C Dwyer Paul C Dwyer is an internationally recognised information security authority with over two decades experience. A certified industry professional by the International Information Systems Security Certification Consortium (ISC2) and the Information System Audit & Control Association (ISACA) and recently selected for the IT Governance Expert Panel. Paul's credentials include: • -Qualified Hacker • -SOX (SAS70) Auditor • -ISO 27001 Lead Auditor • -BS25999 / BCP Expert • -Forensic Investigator • -PCI DSS Specialist • -Prince2 He has worked and trained with such organisations as the US Secret Service, Scotland Yard, FBI, National Counter Terrorism Security Office (MI5), is approved by the National Crime Faculty and is a member of the High Tech Crime Network (HTCN). Paul is currently CEO of Cyber Risk International and President of the ICTTF.
THE CYBER WORLD AND THE PHYSICAL ARE INTEGRATED
What is Cyber Crime? Cyber crime or computer crime as it is generally known is a form of crime where the Internet or computers are used as a medium or method to commit crime which includes hacking, copyright infringement, scams, denial of service attacks, web defacement and fraud.
Cybercrime Drivers It’s a business with an excellent economic model. Other reasons, you name it: • Technology • Internet • Recession • “A safe crime” • It’s easy to get involved • Part of Something
Crimeware Toolkits Criminal gangs are creating fake banking apps Traditional Banking Trojan kits are attacking: mTAN (Transaction Authentication Number) • Zeus MITMO • Spitmo (SpyEye) • Citmo (Carberp) • Tattanga New generic mobile kits are being developed independently of PC kits for Zeus, Ice IX, SpyEye, Citadel, Carberp. Increasingly industrialized, new distribution channels Legit apps used with stolen credentials
Underground Stock Exchange • Categories – Carding Forums – Dump Vendors – Non Carding Forums
“actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption.” • “Digital Infrastructure….Strategic National Asset” President Barack Obama • May 2010 – Pentagon – Cybercom • UK - a cyber-security "operations centre” (GCHQ) • “Fifth Domain” The Economist What is Cyber Warfare?
Hacktivism? Part of …..
Control of the Internet
Motivation?
Cyber Crime Cyber X Cyber Warfare Cyber Espionage Adversary
Blurred Lines NOT Silos
APT
Cyber fronts in the Ukraine! Is it War?
Reconnaissance Weaponisation Delivery Exploitation C2 Lateral Movement Exfiltration Maintenance Gathers Intelligence About Employee and Assets Targets Individual (Asset)Bad Guy Exploit Run – Comms Established – Command & Control Server Move Laterally Across Network Chooses Weapon from underground forum Exfiltrate Data Protection – Maint Mode
What do they Want? 22
Unit 61398
Surface Web Deep Web 90%+
Old Stuff – New Way
Psych(BI)ology of Cyber
The Devil – Really?
Three Clicks is Now One Click!
Cybercriminals are Business People!
I’m not joking! Hack the Human!
Reality?
Cyber Case Study Extended Presentation Material
Cyber Heist Uncovered
Tue Feb 19th 2013 4.31 PM
Military Precision – 24 Countries 36,000 Withdrawal's Totaling - $45,000,000
Prepaid Debit Cards – Bank Muskat – Oman Hackers cancelled withdrawal limits – “Hacked Payment Processor” Card Numbers – Sent to foot soldiers around the world – “Unlimited Operation” “Cashing Crews” Imprinted Data on Cards “Flash Mob” Using Secure IM Sites What Happened?
Cybercriminal Mastermind Hacker Money Mule Manager Money Mules Mule Mule Manager
Dominican – Yonkers – North of Manhattan Entire crew within streets of “Strattan Street” Dry run – Dec 2012 – Rak Bank Nearly $400,000 - 700 Withdrawals
Why Trust a Criminal? Copyright - Paul C Dwyer Ltd - All Rights Reserved
Cybercrime Has Consequences
Some Recommendations • Prepare for the Strategic Challenge • Build Cyber resilience and detection within your organisation • Develop Strategy and Governance • Develop Incident Management Capability • Secure your Supply Chain • Learn from the “Bad Guys” • Access Relevant Actionable Cyber Threat Intelligence • Don’t Forget the Basics • Make Everyone Responsible and “Cyber Loyal” • Look Ahead
It’s a IT Cyber Security Problem, Right?
49 Legally It’s a Challenge for the Board! NO
Government and Regulators • Governments have a role • They expect organisations to do their part • Regulations can not keep pace with technology • Nobody can protect and organisation better than the organisation
Resilience 51 Recognise: Interdependence Leadership Role Responsibility Integrating Cyber Risk Management Leverage Relationships and Encourage Suppliers
Security Industry Evolved ? Defence in Depth Breaches are Inevitable
Cyber Risks for You • Tangible Costs – Loss of funds – Damage to Systems – Regulatory Fines – Legal Damages – Financial Compensation • Intangible Costs – Loss of competitive advantage (Stolen IP) – Loss of customer and/or partner trust – Loss of integrity (compromised digital assets) – Damage to reputation and brand Quantitative vs. Qualitative 46% Reduction in Profits Following Breach
Regulatory and Legal EU Data Privacy Directive EU Network Information Security Directive European Convention on Cybercrime 400+ Others – 10,000+ Controls – 175 Legal Jurisdictions Your Organisation
Responsibility – Convention Cybercrime All organisations need to be aware of the Convention’s provisions in article 12, paragraph 2: ‘ensure that a legal person can be held liable where the lack of supervision or control by a natural person…has made possible the commission of a criminal offence established in accordance with this Convention’. Now Sit Forward!
It can get even worse
Automatic Governance Event Fundamental Uncertainty Board Accountability Are you already compromised?
Operational Level Strategic Level Technical Level Cyber is a Strategic Issue 59 Macro Security Micro Security How do cyber attacks affect, policies, industry, business decisions? What kind of policies, procedures and business models do we need? How can we solve our security problems with technology?
•Loss of market share and reputation •Legal ExposureCEO •Audit Failure •Fines and Criminal Charges •Financial Loss CFO/COO •Loss of data confidentiality, integrity and/or availability CIO •Violation of employee privacy CHRO •Loss of customer trust •Loss of brand reputationCMO Board Room Discussion Increasingly companies are appointing CRO’s and CISO’s with a direct line to the audit committee.
Corporate Governance Project Governance Risk Management Cyber Governance Risk Management Cyber Governance Cyber Risk Legal & Compliance Operational Technical
Case Study – How Can CRI Help?
It’s About Maturity
What’s The Next Step?
The Real CISO Challenge • What cyber controls are in place? • Are They Appropriate? • What Maturity Level? • Why? • Prove they Are In Place • Prove they are Appropriate (Inherent Risk) • How to you deal with dynamic threat landscape? • How do you deal with interdependence? • Show metrics and evidence (Level 4) • How do you align with business?
CISO Why? Business Alignment (Management) ICT (Technology) Business Cyber
CISO How? CISO Office SOC RISK IT Security Change Control
Inherent Risk - Metrics Key To Success on Every Level
CISO Framework Starts with Assessment
5 Domains
Assessment Factors
Risk / Maturity Relationship • As inherent risk rises, an institution’s maturity levels should also increase • Inherent risk profile and maturity levels will change over time • Consider reevaluating inherent risk profile and cybersecurity maturity periodically
Delivers • CISO Framework • Independent Cyber Security Assessment • Roadmap • Metrics of Cyber Risk Status • Cyber Strategy
Q&A
Thank You – Stay Connected www.paulcdwyer.com youtube.com/paulcdwyer mail@paulcdwyer.com +353-(0)85 888 1364 @paulcdwyer WE IDENTIFY, MITIGATE AND MANAGE CYBER RISKS Cyber Risk International Broadmeadow Hall– Applewood Village -Swords – Co Dublin – Ireland +353-(0)1- 905 3260 xxxxxx mail@cyberriskinternational.com www.cyberriskinternational.com

Recommended

Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber SecurityLeon Fouche
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber SecurityFireEye, Inc.
 
New CISO - The First 90 Days
New CISO - The First 90 DaysNew CISO - The First 90 Days
New CISO - The First 90 DaysResilient Systems
 
Operational risk & incident reporting
Operational risk & incident reportingOperational risk & incident reporting
Operational risk & incident reportingShivaLeela Choudary
 
cybersecurite-passons-lechelle-rapport.pdf
cybersecurite-passons-lechelle-rapport.pdfcybersecurite-passons-lechelle-rapport.pdf
cybersecurite-passons-lechelle-rapport.pdfGaudefroy Ariane
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos, Inc.
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopLife Cycle Engineering
 
Cyber threat intelligence
Cyber threat intelligenceCyber threat intelligence
Cyber threat intelligenceMondher Smii
 

Recommended

Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber SecurityLeon Fouche
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber SecurityFireEye, Inc.
 
New CISO - The First 90 Days
New CISO - The First 90 DaysNew CISO - The First 90 Days
New CISO - The First 90 DaysResilient Systems
 
Operational risk & incident reporting
Operational risk & incident reportingOperational risk & incident reporting
Operational risk & incident reportingShivaLeela Choudary
 
cybersecurite-passons-lechelle-rapport.pdf
cybersecurite-passons-lechelle-rapport.pdfcybersecurite-passons-lechelle-rapport.pdf
cybersecurite-passons-lechelle-rapport.pdfGaudefroy Ariane
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos, Inc.
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopLife Cycle Engineering
 
Cyber threat intelligence
Cyber threat intelligenceCyber threat intelligence
Cyber threat intelligenceMondher Smii
 
Risk Management Overview
Risk Management OverviewRisk Management Overview
Risk Management OverviewJIGNESH PADIA
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013scttmcvy
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
French acreditation process homologation 2010-01-19
French acreditation process homologation 2010-01-19French acreditation process homologation 2010-01-19
French acreditation process homologation 2010-01-19Laurent Pingault
 
Afcdp 2017 mesures de protection des dcp
Afcdp 2017 mesures de protection des dcpAfcdp 2017 mesures de protection des dcp
Afcdp 2017 mesures de protection des dcpDenis VIROLE
 
127017438_RMA_OperationalRiskAppetite_v1.0
127017438_RMA_OperationalRiskAppetite_v1.0127017438_RMA_OperationalRiskAppetite_v1.0
127017438_RMA_OperationalRiskAppetite_v1.0Rachael Phelan
 
Cyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesCyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesSlideTeam
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
Cyber Security
Cyber SecurityCyber Security
Cyber SecurityArshad Khan
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Integrating Risk Appetite With Strategy Feb 14 2011
Integrating Risk Appetite With Strategy Feb 14 2011Integrating Risk Appetite With Strategy Feb 14 2011
Integrating Risk Appetite With Strategy Feb 14 2011Andrew Smart
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?Jonathan Sinclair
 
Nouveau cadre de gouvernance de la sécurité de l’information
Nouveau cadre de gouvernance de la sécurité de l’informationNouveau cadre de gouvernance de la sécurité de l’information
Nouveau cadre de gouvernance de la sécurité de l’informationISACA Chapitre de Québec
 
Cybersecurity in Banking Sector
Cybersecurity in Banking SectorCybersecurity in Banking Sector
Cybersecurity in Banking SectorQuick Heal Technologies Ltd.
 
Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Michael Kaishar, MSIA | CISSP
 
La sécurité informatique expliquée aux salariés
La sécurité informatique expliquée aux salariésLa sécurité informatique expliquée aux salariés
La sécurité informatique expliquée aux salariésNRC
 
CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin OCTF Industry Engagement
 
Retail Excellence Ireland - Cyber Threats 2015 Overview
Retail Excellence Ireland - Cyber Threats 2015 OverviewRetail Excellence Ireland - Cyber Threats 2015 Overview
Retail Excellence Ireland - Cyber Threats 2015 OverviewOCTF Industry Engagement
 

More Related Content

What's hot

Risk Management Overview
Risk Management OverviewRisk Management Overview
Risk Management OverviewJIGNESH PADIA
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013scttmcvy
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
French acreditation process homologation 2010-01-19
French acreditation process homologation 2010-01-19French acreditation process homologation 2010-01-19
French acreditation process homologation 2010-01-19Laurent Pingault
 
Afcdp 2017 mesures de protection des dcp
Afcdp 2017 mesures de protection des dcpAfcdp 2017 mesures de protection des dcp
Afcdp 2017 mesures de protection des dcpDenis VIROLE
 
127017438_RMA_OperationalRiskAppetite_v1.0
127017438_RMA_OperationalRiskAppetite_v1.0127017438_RMA_OperationalRiskAppetite_v1.0
127017438_RMA_OperationalRiskAppetite_v1.0Rachael Phelan
 
Cyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesCyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesSlideTeam
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Integrating Risk Appetite With Strategy Feb 14 2011
Integrating Risk Appetite With Strategy Feb 14 2011Integrating Risk Appetite With Strategy Feb 14 2011
Integrating Risk Appetite With Strategy Feb 14 2011Andrew Smart
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?Jonathan Sinclair
 
Nouveau cadre de gouvernance de la sécurité de l’information
Nouveau cadre de gouvernance de la sécurité de l’informationNouveau cadre de gouvernance de la sécurité de l’information
Nouveau cadre de gouvernance de la sécurité de l’informationISACA Chapitre de Québec
 
Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Michael Kaishar, MSIA | CISSP
 
La sécurité informatique expliquée aux salariés
La sécurité informatique expliquée aux salariésLa sécurité informatique expliquée aux salariés
La sécurité informatique expliquée aux salariésNRC
 

What's hot (20)

Risk Management Overview
Risk Management OverviewRisk Management Overview
Risk Management Overview
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
French acreditation process homologation 2010-01-19
French acreditation process homologation 2010-01-19French acreditation process homologation 2010-01-19
French acreditation process homologation 2010-01-19
 
Afcdp 2017 mesures de protection des dcp
Afcdp 2017 mesures de protection des dcpAfcdp 2017 mesures de protection des dcp
Afcdp 2017 mesures de protection des dcp
 
127017438_RMA_OperationalRiskAppetite_v1.0
127017438_RMA_OperationalRiskAppetite_v1.0127017438_RMA_OperationalRiskAppetite_v1.0
127017438_RMA_OperationalRiskAppetite_v1.0
 
Cyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesCyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation Slides
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Integrating Risk Appetite With Strategy Feb 14 2011
Integrating Risk Appetite With Strategy Feb 14 2011Integrating Risk Appetite With Strategy Feb 14 2011
Integrating Risk Appetite With Strategy Feb 14 2011
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?
 
Nouveau cadre de gouvernance de la sécurité de l’information
Nouveau cadre de gouvernance de la sécurité de l’informationNouveau cadre de gouvernance de la sécurité de l’information
Nouveau cadre de gouvernance de la sécurité de l’information
 
Cybersecurity in Banking Sector
Cybersecurity in Banking SectorCybersecurity in Banking Sector
Cybersecurity in Banking Sector
 
Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...
 
La sécurité informatique expliquée aux salariés
La sécurité informatique expliquée aux salariésLa sécurité informatique expliquée aux salariés
La sécurité informatique expliquée aux salariés
 

Similar to CRI Cyber Board Briefing

CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin OCTF Industry Engagement
 
Retail Excellence Ireland - Cyber Threats 2015 Overview
Retail Excellence Ireland - Cyber Threats 2015 OverviewRetail Excellence Ireland - Cyber Threats 2015 Overview
Retail Excellence Ireland - Cyber Threats 2015 OverviewOCTF Industry Engagement
 
CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"OCTF Industry Engagement
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021lior mazor
 
Cyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxCyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxRambilashTudu
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016FERMA
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessJoAnna Cheshire
 
Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014Peter ODell
 
Let's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique SingerLet's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique SingerSaraPia5
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and FutureJohn Gilligan
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDonald Tabone
 
IIA August Briefing_15AUG2015
IIA August Briefing_15AUG2015IIA August Briefing_15AUG2015
IIA August Briefing_15AUG2015Robert Baldi
 
Digital Age-Preparing Yourself
Digital Age-Preparing YourselfDigital Age-Preparing Yourself
Digital Age-Preparing Yourselfjkl0202
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItResilient Systems
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022PECB
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxAkramAlqadasi1
 

Similar to CRI Cyber Board Briefing (20)

CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin
 
Retail Excellence Ireland - Cyber Threats 2015 Overview
Retail Excellence Ireland - Cyber Threats 2015 OverviewRetail Excellence Ireland - Cyber Threats 2015 Overview
Retail Excellence Ireland - Cyber Threats 2015 Overview
 
CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"
 
Cyber Threat Overview for Euro IT counsel
Cyber Threat Overview for Euro IT counselCyber Threat Overview for Euro IT counsel
Cyber Threat Overview for Euro IT counsel
 
CRI Retail Cyber Threats
CRI Retail Cyber ThreatsCRI Retail Cyber Threats
CRI Retail Cyber Threats
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021
 
Cyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxCyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptx
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your Business
 
Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014Cyber threat enterprise leadership required march 2014
Cyber threat enterprise leadership required march 2014
 
Let's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique SingerLet's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
 
CRI-Exec-Cyber-Briefings (1)
CRI-Exec-Cyber-Briefings (1)CRI-Exec-Cyber-Briefings (1)
CRI-Exec-Cyber-Briefings (1)
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and Future
 
Judgement Day - Slovakia
Judgement Day - SlovakiaJudgement Day - Slovakia
Judgement Day - Slovakia
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
IIA August Briefing_15AUG2015
IIA August Briefing_15AUG2015IIA August Briefing_15AUG2015
IIA August Briefing_15AUG2015
 
Digital Age-Preparing Yourself
Digital Age-Preparing YourselfDigital Age-Preparing Yourself
Digital Age-Preparing Yourself
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
 

Recently uploaded

Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchRashtriya Kisan Manch
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixCIToolkit
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsCIToolkit
 
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsFrom Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsCIToolkit
 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentationmintusiprd
 
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)jennyeacort
 
How-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionHow-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionCIToolkit
 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Reviewthomas851723
 
Board Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch PresentationBoard Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch Presentationcraig524401
 
Management and managerial skills training manual.pdf
Management and managerial skills training manual.pdfManagement and managerial skills training manual.pdf
Management and managerial skills training manual.pdffillmonipdc
 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineeringthomas851723
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingCIToolkit
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insightWayne Abrahams
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证jdkhjh
 
Motivational theories an leadership skills
Motivational theories an leadership skillsMotivational theories an leadership skills
Motivational theories an leadership skillskristinalimarenko7
 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramCIToolkit
 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sectorthomas851723
 

Recently uploaded (18)

Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield Metrics
 
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsFrom Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentation
 
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
 
How-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionHow-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem Resolution
 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Review
 
Board Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch PresentationBoard Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch Presentation
 
Management and managerial skills training manual.pdf
Management and managerial skills training manual.pdfManagement and managerial skills training manual.pdf
Management and managerial skills training manual.pdf
 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineering
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
 
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Servicesauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insight
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
 
Motivational theories an leadership skills
Motivational theories an leadership skillsMotivational theories an leadership skills
Motivational theories an leadership skills
 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sector
 

CRI Cyber Board Briefing

  • 1. Cyber Executive Briefing Presenter: Paul C Dwyer Date: Nov 26th 2015 REDACTED VERSION
  • 2. Slides and Material May NOT be Distributed In Any Format Without Written Permission Copyright Cyber Risk International Ltd – All Rights Reserved
  • 4. Paul C Dwyer Paul C Dwyer is an internationally recognised information security authority with over two decades experience. A certified industry professional by the International Information Systems Security Certification Consortium (ISC2) and the Information System Audit & Control Association (ISACA) and recently selected for the IT Governance Expert Panel. Paul's credentials include: • -Qualified Hacker • -SOX (SAS70) Auditor • -ISO 27001 Lead Auditor • -BS25999 / BCP Expert • -Forensic Investigator • -PCI DSS Specialist • -Prince2 He has worked and trained with such organisations as the US Secret Service, Scotland Yard, FBI, National Counter Terrorism Security Office (MI5), is approved by the National Crime Faculty and is a member of the High Tech Crime Network (HTCN). Paul is currently CEO of Cyber Risk International and President of the ICTTF.
  • 5. THE CYBER WORLD AND THE PHYSICAL ARE INTEGRATED
  • 6. What is Cyber Crime? Cyber crime or computer crime as it is generally known is a form of crime where the Internet or computers are used as a medium or method to commit crime which includes hacking, copyright infringement, scams, denial of service attacks, web defacement and fraud.
  • 7. Cybercrime Drivers It’s a business with an excellent economic model. Other reasons, you name it: • Technology • Internet • Recession • “A safe crime” • It’s easy to get involved • Part of Something
  • 8. Crimeware Toolkits Criminal gangs are creating fake banking apps Traditional Banking Trojan kits are attacking: mTAN (Transaction Authentication Number) • Zeus MITMO • Spitmo (SpyEye) • Citmo (Carberp) • Tattanga New generic mobile kits are being developed independently of PC kits for Zeus, Ice IX, SpyEye, Citadel, Carberp. Increasingly industrialized, new distribution channels Legit apps used with stolen credentials
  • 9. Underground Stock Exchange • Categories – Carding Forums – Dump Vendors – Non Carding Forums
  • 10. “actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption.” • “Digital Infrastructure….Strategic National Asset” President Barack Obama • May 2010 – Pentagon – Cybercom • UK - a cyber-security "operations centre” (GCHQ) • “Fifth Domain” The Economist What is Cyber Warfare?
  • 11.
  • 13. Control of the Internet
  • 17. APT
  • 18.
  • 19. Cyber fronts in the Ukraine! Is it War?
  • 20.
  • 21. Reconnaissance Weaponisation Delivery Exploitation C2 Lateral Movement Exfiltration Maintenance Gathers Intelligence About Employee and Assets Targets Individual (Asset)Bad Guy Exploit Run – Comms Established – Command & Control Server Move Laterally Across Network Chooses Weapon from underground forum Exfiltrate Data Protection – Maint Mode
  • 22. What do they Want? 22
  • 25. Old Stuff – New Way
  • 27. The Devil – Really?
  • 28. Three Clicks is Now One Click!
  • 31.
  • 33. Cyber Case Study Extended Presentation Material
  • 35. Tue Feb 19th 2013 4.31 PM
  • 36. Military Precision – 24 Countries 36,000 Withdrawal's Totaling - $45,000,000
  • 37. Prepaid Debit Cards – Bank Muskat – Oman Hackers cancelled withdrawal limits – “Hacked Payment Processor” Card Numbers – Sent to foot soldiers around the world – “Unlimited Operation” “Cashing Crews” Imprinted Data on Cards “Flash Mob” Using Secure IM Sites What Happened?
  • 39. Dominican – Yonkers – North of Manhattan Entire crew within streets of “Strattan Street” Dry run – Dec 2012 – Rak Bank Nearly $400,000 - 700 Withdrawals
  • 40. Why Trust a Criminal? Copyright - Paul C Dwyer Ltd - All Rights Reserved
  • 41.
  • 42.
  • 43.
  • 44.
  • 46.
  • 47. Some Recommendations • Prepare for the Strategic Challenge • Build Cyber resilience and detection within your organisation • Develop Strategy and Governance • Develop Incident Management Capability • Secure your Supply Chain • Learn from the “Bad Guys” • Access Relevant Actionable Cyber Threat Intelligence • Don’t Forget the Basics • Make Everyone Responsible and “Cyber Loyal” • Look Ahead
  • 48. It’s a IT Cyber Security Problem, Right?
  • 49. 49 Legally It’s a Challenge for the Board! NO
  • 50. Government and Regulators • Governments have a role • They expect organisations to do their part • Regulations can not keep pace with technology • Nobody can protect and organisation better than the organisation
  • 51. Resilience 51 Recognise: Interdependence Leadership Role Responsibility Integrating Cyber Risk Management Leverage Relationships and Encourage Suppliers
  • 52. Security Industry Evolved ? Defence in Depth Breaches are Inevitable
  • 53.
  • 54. Cyber Risks for You • Tangible Costs – Loss of funds – Damage to Systems – Regulatory Fines – Legal Damages – Financial Compensation • Intangible Costs – Loss of competitive advantage (Stolen IP) – Loss of customer and/or partner trust – Loss of integrity (compromised digital assets) – Damage to reputation and brand Quantitative vs. Qualitative 46% Reduction in Profits Following Breach
  • 55. Regulatory and Legal EU Data Privacy Directive EU Network Information Security Directive European Convention on Cybercrime 400+ Others – 10,000+ Controls – 175 Legal Jurisdictions Your Organisation
  • 56. Responsibility – Convention Cybercrime All organisations need to be aware of the Convention’s provisions in article 12, paragraph 2: ‘ensure that a legal person can be held liable where the lack of supervision or control by a natural person…has made possible the commission of a criminal offence established in accordance with this Convention’. Now Sit Forward!
  • 57. It can get even worse
  • 59. Operational Level Strategic Level Technical Level Cyber is a Strategic Issue 59 Macro Security Micro Security How do cyber attacks affect, policies, industry, business decisions? What kind of policies, procedures and business models do we need? How can we solve our security problems with technology?
  • 60. •Loss of market share and reputation •Legal ExposureCEO •Audit Failure •Fines and Criminal Charges •Financial Loss CFO/COO •Loss of data confidentiality, integrity and/or availability CIO •Violation of employee privacy CHRO •Loss of customer trust •Loss of brand reputationCMO Board Room Discussion Increasingly companies are appointing CRO’s and CISO’s with a direct line to the audit committee.
  • 62.
  • 63. Case Study – How Can CRI Help?
  • 64.
  • 65.
  • 66.
  • 67.
  • 68.
  • 69.
  • 72.
  • 73. The Real CISO Challenge • What cyber controls are in place? • Are They Appropriate? • What Maturity Level? • Why? • Prove they Are In Place • Prove they are Appropriate (Inherent Risk) • How to you deal with dynamic threat landscape? • How do you deal with interdependence? • Show metrics and evidence (Level 4) • How do you align with business?
  • 76. Inherent Risk - Metrics Key To Success on Every Level
  • 80. Risk / Maturity Relationship • As inherent risk rises, an institution’s maturity levels should also increase • Inherent risk profile and maturity levels will change over time • Consider reevaluating inherent risk profile and cybersecurity maturity periodically
  • 81. Delivers • CISO Framework • Independent Cyber Security Assessment • Roadmap • Metrics of Cyber Risk Status • Cyber Strategy
  • 82. Q&A
  • 83. Thank You – Stay Connected www.paulcdwyer.com youtube.com/paulcdwyer mail@paulcdwyer.com +353-(0)85 888 1364 @paulcdwyer WE IDENTIFY, MITIGATE AND MANAGE CYBER RISKS Cyber Risk International Broadmeadow Hall– Applewood Village -Swords – Co Dublin – Ireland +353-(0)1- 905 3260 xxxxxx mail@cyberriskinternational.com www.cyberriskinternational.com