CRI Cyber Board Briefing
Cyber Executive Briefing
Presenter: Paul C Dwyer
Date: Nov 26th 2015
REDACTED VERSION
Slides and Material May NOT be Distributed In Any Format Without Written Permission
Copyright Cyber Risk International Ltd – All Rights Reserved
Peer Group
Paul C Dwyer
Paul C Dwyer is an internationally recognised information security authority with over two decades' experience.
He is a certified industry professional with the International Information Systems Security Certification Consortium (ISC2) and the Information Systems Audit and Control Association (ISACA), and was recently selected for the IT Governance Expert Panel.
Paul's credentials include:
• Qualified Hacker
• SOX (SAS70) Auditor
• ISO 27001 Lead Auditor
• BS25999 / BCP Expert
• Forensic Investigator
• PCI DSS Specialist
• Prince2
He has worked and trained with such organisations as the US Secret Service, Scotland Yard, the FBI and the National Counter Terrorism Security Office (MI5), is approved by the National Crime Faculty and is a member of the High Tech Crime Network (HTCN).
Paul is currently CEO of Cyber Risk International and President of the ICTTF.
THE CYBER WORLD AND THE PHYSICAL ARE INTEGRATED
What is Cyber Crime?
Cyber crime, or computer crime as it is generally known, is a form of crime where the Internet or computers are used as a medium or method to commit crime, which includes hacking, copyright infringement, scams, denial of service attacks, web defacement and fraud.
Cybercrime Drivers
It’s a business with an excellent economic model.
Other reasons, you name it:
• Technology
• Internet
• Recession
• “A safe crime”
• It’s easy to get involved
• Part of Something
Crimeware Toolkits
Criminal gangs are creating fake banking apps
Traditional Banking Trojan kits are attacking mTAN (mobile Transaction Authentication Number) codes:
• Zeus MITMO
• Spitmo (SpyEye)
• Citmo (Carberp)
• Tattanga
New generic mobile kits are being developed independently of PC kits for Zeus, Ice IX, SpyEye, Citadel, Carberp.
Increasingly industrialized, new distribution channels
Legit apps used with stolen credentials
Underground Stock Exchange
• Categories
– Carding Forums
– Dump Vendors
– Non Carding Forums
What is Cyber Warfare?
“actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption.”
• “Digital Infrastructure … Strategic National Asset” – President Barack Obama
• May 2010 – Pentagon – Cybercom
• UK – a cyber-security “operations centre” (GCHQ)
• “Fifth Domain” – The Economist
Hacktivism? Part of …
Control of the Internet
Motivation?
• Cyber Crime
• Cyber X
• Cyber Warfare
• Cyber Espionage
Adversary – Blurred Lines NOT Silos
APT
Cyber fronts in the Ukraine!
Is it War?
Reconnaissance → Weaponisation → Delivery → Exploitation → C2 → Lateral Movement → Exfiltration → Maintenance
Bad Guy:
• Reconnaissance – Gathers intelligence about employees and assets
• Weaponisation – Chooses weapon from underground forum
• Delivery – Targets individual (asset)
• Exploitation – Exploit run
• C2 – Comms established – Command & Control server
• Lateral Movement – Move laterally across network
• Exfiltration – Exfiltrate data
• Maintenance – Protection – Maint mode
What do they Want?
Unit 61398
Surface Web
Deep Web 90%+
Old Stuff – New Way
Psych(BI)ology of Cyber
The Devil – Really?
Three Clicks is Now One Click!
Cybercriminals are Business People!
I’m not joking!
Hack the Human!
Reality?
Cyber Case Study
Extended Presentation Material
Cyber Heist Uncovered
Tue Feb 19th 2013 4.31 PM
Military Precision – 24 Countries
36,000 Withdrawals
Totalling $45,000,000
Prepaid Debit Cards – Bank Muscat – Oman
Hackers cancelled withdrawal limits – “Hacked Payment Processor”
Card Numbers – Sent to foot soldiers around the world – “Unlimited Operation”
“Cashing Crews” Imprinted Data on Cards
“Flash Mob” Using Secure IM Sites
What Happened?
Cybercriminal Mastermind
• Hacker
• Money Mule Manager
– Money Mules
• Mule Manager
– Mule
Dominican – Yonkers – North of Manhattan
Entire crew within streets of “Strattan Street”
Dry run – Dec 2012 – Rak Bank
Nearly $400,000 - 700 Withdrawals
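As an added defender-side example for the case study above (not code from the briefing or from Cyber Risk International), this Python reconciles ATM withdrawal authorisations against the issuer's own limit table instead of trusting the payment processor, and flags the two signals the heist left behind: rolling totals above the configured limit, and one card used across several countries within a day. Card identifiers, limits and withdrawal records are constructed.

```python
"""Issuer-side detection of an "Unlimited Operation" ATM cash-out.
Added example for the case study; not code from the briefing. Withdrawals
are checked against the issuer's own limit table rather than the processor's,
and cards matching the pattern are flagged. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    card: str        # constructed card identifier, not a real PAN
    at: datetime     # authorisation timestamp (UTC)
    country: str     # ISO 3166 code of the ATM's country
    amount: float    # amount in the card's currency


WINDOW = timedelta(hours=24)
# The issuer's own copy of each card's rolling-24h limit (constructed). If the
# limit held at the processor has been cancelled, authorisations will exceed it.
DAILY_LIMIT = {"CARD-A": 500.0, "CARD-B": 500.0, "CARD-C": 1000.0}


def _by_card(events):
    groups = defaultdict(list)
    for e in events:
        groups[e.card].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e.at)
    return groups


def rolling_peak(evs, window=WINDOW):
    """Largest total one card withdrew inside any window-long span (evs sorted)."""
    start, running, peak = 0, 0.0, 0.0
    for e in evs:
        running += e.amount
        while e.at - evs[start].at > window:
            running -= evs[start].amount
            start += 1
        peak = max(peak, running)
    return peak


def max_countries(evs, window=WINDOW):
    """Most distinct countries one card was used in inside any window-long span."""
    start, best = 0, 0
    for i, e in enumerate(evs):
        while e.at - evs[start].at > window:
            start += 1
        best = max(best, len({x.country for x in evs[start:i + 1]}))
    return best


def detect_cashout(events, limits, window=WINDOW, min_countries=3):
    """Return {card: [reasons]} for cards showing either cash-out signal:
    rolling total above the issuer's limit (processor limit bypassed), or
    use in several countries within one window (dispersed cashing crews)."""
    findings = {}
    for card, evs in _by_card(events).items():
        reasons = []
        peak, limit = rolling_peak(evs, window), limits.get(card)
        if limit is not None and peak > limit:
            reasons.append(f"rolling total {peak:.2f} exceeds issuer limit {limit:.2f}")
        n = max_countries(evs, window)
        if n >= min_countries:
            reasons.append(f"used in {n} countries within {window.total_seconds() / 3600:.0f}h")
        if reasons:
            findings[card] = reasons
    return findings


def campaign_summary(findings, events):
    """Aggregate the flagged cards: withdrawals, distinct countries, hours spanned."""
    hits = [e for e in events if e.card in findings]
    if not hits:
        return {"withdrawals": 0, "countries": 0, "hours": 0.0}
    span = max(e.at for e in hits) - min(e.at for e in hits)
    return {"withdrawals": len(hits),
            "countries": len({e.country for e in hits}),
            "hours": span.total_seconds() / 3600}


def _t(h, m=0):
    return datetime(2013, 2, 19, h, m)


# Constructed sample: CARD-A is cashed out in four countries in under three
# hours for 2,400 against a 500 limit; CARD-B and CARD-C behave normally.
SAMPLE = [
    Withdrawal("CARD-A", _t(15, 0), "US", 400.0),
    Withdrawal("CARD-A", _t(15, 20), "US", 400.0),
    Withdrawal("CARD-A", _t(16, 5), "DO", 400.0),
    Withdrawal("CARD-A", _t(16, 40), "GB", 400.0),
    Withdrawal("CARD-A", _t(17, 10), "JP", 400.0),
    Withdrawal("CARD-A", _t(17, 45), "JP", 400.0),
    Withdrawal("CARD-B", _t(9, 0), "IE", 100.0),
    Withdrawal("CARD-B", _t(18, 30), "IE", 120.0),
    Withdrawal("CARD-C", _t(8, 0), "OM", 300.0),
    Withdrawal("CARD-C", _t(20, 0), "OM", 300.0),
]


def run_sample():
    findings = detect_cashout(SAMPLE, DAILY_LIMIT)
    return findings, campaign_summary(findings, SAMPLE)
```

The two checks are deliberately independent: the limit reconciliation catches a tampered processor even when the cash-out stays in one country, and the country count catches a dispersed crew even when the issuer has no limit on file.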
Why Trust a Criminal?
Copyright - Paul C Dwyer Ltd - All Rights Reserved
Cybercrime Has Consequences
Some Recommendations
• Prepare for the Strategic Challenge
• Build Cyber resilience and detection within your organisation
• Develop Strategy and Governance
• Develop Incident Management Capability
• Secure your Supply Chain
• Learn from the “Bad Guys”
• Access Relevant Actionable Cyber Threat Intelligence
• Don’t Forget the Basics
• Make Everyone Responsible and “Cyber Loyal”
• Look Ahead
It’s an IT Cyber Security Problem, Right?
NO – Legally It’s a Challenge for the Board!
Government and Regulators
• Governments have a role
• They expect organisations to do their part
• Regulations cannot keep pace with technology
• Nobody can protect an organisation better than the organisation
Resilience
Recognise:
• Interdependence
• Leadership Role Responsibility
• Integrating Cyber Risk Management
• Leverage Relationships and Encourage Suppliers
Security Industry Evolved?
Defence in Depth
Breaches are Inevitable
Cyber Risks for You
• Tangible Costs
– Loss of funds
– Damage to Systems
– Regulatory Fines
– Legal Damages
– Financial Compensation
• Intangible Costs
– Loss of competitive advantage (Stolen IP)
– Loss of customer and/or partner trust
– Loss of integrity (compromised digital assets)
– Damage to reputation and brand
Quantitative vs. Qualitative
46% Reduction in Profits Following Breach
Regulatory and Legal
• EU Data Privacy Directive
• EU Network and Information Security Directive
• European Convention on Cybercrime
• 400+ Others – 10,000+ Controls – 175 Legal Jurisdictions
Your Organisation (at the centre)
Responsibility – Convention on Cybercrime
All organisations need to be aware of the Convention’s provisions in article 12, paragraph 2:
‘ensure that a legal person can be held liable where the lack of supervision or control by a natural person…has made possible the commission of a criminal offence established in accordance with this Convention’.
Now Sit Forward!
It can get even worse
Automatic Governance Event
Fundamental Uncertainty
Board Accountability
Are you already compromised?
Operational Level
Strategic Level
Technical Level
Cyber is a Strategic Issue
Macro Security
Micro Security
How do cyber attacks affect policies, industry and business decisions?
What kind of policies, procedures and business models do we need?
How can we solve our security problems with technology?
• CEO – Loss of market share and reputation; Legal exposure
• CFO/COO – Audit failure; Fines and criminal charges; Financial loss
• CIO – Loss of data confidentiality, integrity and/or availability
• CHRO – Violation of employee privacy
• CMO – Loss of customer trust; Loss of brand reputation
Board Room Discussion
Increasingly, companies are appointing CROs and CISOs with a direct line to the audit committee.
Corporate Governance
• Project Governance
• Risk Management
• Cyber Governance
Cyber Governance
• Risk Management
• Cyber Risk – Legal & Compliance, Operational, Technical
Case Study – How Can CRI Help?
It’s About Maturity
What’s The Next Step?
The Real CISO Challenge
• What cyber controls are in place?
• Are They Appropriate?
• What Maturity Level?
• Why?
• Prove they Are In Place
• Prove they are Appropriate (Inherent Risk)
• How do you deal with a dynamic threat landscape?
• How do you deal with interdependence?
• Show metrics and evidence (Level 4)
• How do you align with business?
CISO Why?
Business Alignment (Management) – ICT (Technology) – Business Cyber
CISO How?
CISO Office – SOC – Risk – IT Security – Change Control
Inherent Risk - Metrics
Key To Success on Every Level
CISO Framework
Starts with Assessment
5 Domains
Assessment Factors
Risk / Maturity Relationship
• As inherent risk rises, an institution’s maturity levels should also increase
• Inherent risk profile and maturity levels will change over time
• Consider re-evaluating the inherent risk profile and cybersecurity maturity periodically
Delivers
• CISO Framework
• Independent Cyber Security Assessment
• Roadmap
• Metrics of Cyber Risk Status
• Cyber Strategy
Q&A
Thank You – Stay Connected
www.paulcdwyer.com
youtube.com/paulcdwyer
mail@paulcdwyer.com
+353-(0)85 888 1364
@paulcdwyer
WE IDENTIFY, MITIGATE AND MANAGE CYBER RISKS
Cyber Risk International
Broadmeadow Hall – Applewood Village – Swords – Co Dublin – Ireland
+353-(0)1-905 3260
mail@cyberriskinternational.com
www.cyberriskinternational.com

More Related Content

What's hot

What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance
BOC Group
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
Julia Urbina-Pineda
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
Digital Bond
 
New CISO - The First 90 Days
New CISO - The First 90 DaysNew CISO - The First 90 Days
New CISO - The First 90 Days
Resilient Systems
 
SWIFT CSP Presentations.pptx
SWIFT CSP Presentations.pptxSWIFT CSP Presentations.pptx
SWIFT CSP Presentations.pptx
MdMofijulHaque
 
Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)
Maganathin Veeraragaloo
 
Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics Program
Cydney Davis
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Security architecture
Security architectureSecurity architecture
Security architecture
Duncan Unwin
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your Story
Priyanka Aash
 
How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organization
Exigent Technologies LLC
 
Cyber Security Standards Compliance
Cyber Security Standards ComplianceCyber Security Standards Compliance
Cyber Security Standards Compliance
Dr. Prashant Vats
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Shawn Tuma
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
PECB
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
Paul McGillicuddy
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
Goutama Bachtiar
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
Life Cycle Engineering
 

What's hot (20)

What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
New CISO - The First 90 Days
New CISO - The First 90 DaysNew CISO - The First 90 Days
New CISO - The First 90 Days
 
SWIFT CSP Presentations.pptx
SWIFT CSP Presentations.pptxSWIFT CSP Presentations.pptx
SWIFT CSP Presentations.pptx
 
Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)
 
Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics Program
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Security architecture
Security architectureSecurity architecture
Security architecture
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your Story
 
How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organization
 
Cyber Security Standards Compliance
Cyber Security Standards ComplianceCyber Security Standards Compliance
Cyber Security Standards Compliance
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
 

Similar to CRI Cyber Board Briefing

CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin
OCTF Industry Engagement
 
Retail Excellence Ireland - Cyber Threats 2015 Overview
Retail Excellence Ireland - Cyber Threats 2015 OverviewRetail Excellence Ireland - Cyber Threats 2015 Overview
Retail Excellence Ireland - Cyber Threats 2015 Overview
OCTF Industry Engagement
 
CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"
OCTF Industry Engagement
 
Cyber Threat Overview for Euro IT counsel
Cyber Threat Overview for Euro IT counselCyber Threat Overview for Euro IT counsel
Cyber Threat Overview for Euro IT counsel
OCTF Industry Engagement
 
CRI Retail Cyber Threats
CRI Retail Cyber ThreatsCRI Retail Cyber Threats
CRI Retail Cyber Threats
OCTF Industry Engagement
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021
lior mazor
 
Cyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxCyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptx
RambilashTudu
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
FERMA
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your Business
JoAnna Cheshire
 
Cyber threat enterprise leadership required march 2014
Cyber threat   enterprise leadership required  march 2014Cyber threat   enterprise leadership required  march 2014
Cyber threat enterprise leadership required march 2014
Peter ODell
 
Let's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique SingerLet's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
SaraPia5
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and Future
John Gilligan
 
Judgement Day - Slovakia
Judgement Day  - SlovakiaJudgement Day  - Slovakia
Judgement Day - Slovakia
OCTF Industry Engagement
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
Donald Tabone
 
IIA August Briefing_15AUG2015
IIA August Briefing_15AUG2015IIA August Briefing_15AUG2015
IIA August Briefing_15AUG2015Robert Baldi
 
Digital Age-Preparing Yourself
Digital Age-Preparing YourselfDigital Age-Preparing Yourself
Digital Age-Preparing Yourself
jkl0202
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Resilient Systems
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022
PECB
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
AkramAlqadasi1
 

Similar to CRI Cyber Board Briefing (20)

CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin
 
Retail Excellence Ireland - Cyber Threats 2015 Overview
Retail Excellence Ireland - Cyber Threats 2015 OverviewRetail Excellence Ireland - Cyber Threats 2015 Overview
Retail Excellence Ireland - Cyber Threats 2015 Overview
 
CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"
 
Cyber Threat Overview for Euro IT counsel
Cyber Threat Overview for Euro IT counselCyber Threat Overview for Euro IT counsel
Cyber Threat Overview for Euro IT counsel
 
CRI Retail Cyber Threats
CRI Retail Cyber ThreatsCRI Retail Cyber Threats
CRI Retail Cyber Threats
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021
 
Cyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxCyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptx
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your Business
 
Cyber threat enterprise leadership required march 2014
Cyber threat   enterprise leadership required  march 2014Cyber threat   enterprise leadership required  march 2014
Cyber threat enterprise leadership required march 2014
 
Let's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique SingerLet's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
 
CRI-Exec-Cyber-Briefings (1)
CRI-Exec-Cyber-Briefings (1)CRI-Exec-Cyber-Briefings (1)
CRI-Exec-Cyber-Briefings (1)
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and Future
 
Judgement Day - Slovakia
Judgement Day  - SlovakiaJudgement Day  - Slovakia
Judgement Day - Slovakia
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
IIA August Briefing_15AUG2015
IIA August Briefing_15AUG2015IIA August Briefing_15AUG2015
IIA August Briefing_15AUG2015
 
Digital Age-Preparing Yourself
Digital Age-Preparing YourselfDigital Age-Preparing Yourself
Digital Age-Preparing Yourself
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
 

Recently uploaded

W.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest ExperienceW.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest Experience
William (Bill) H. Bender, FCSI
 
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
gcljeuzdu
 
Leadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact PlanLeadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact Plan
Muhammad Adil Jamil
 
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
CIOWomenMagazine
 
Founder-Game Director Workshop (Session 1)
Founder-Game Director  Workshop (Session 1)Founder-Game Director  Workshop (Session 1)
Founder-Game Director Workshop (Session 1)
Amir H. Fassihi
 
Modern Database Management 12th Global Edition by Hoffer solution manual.docx
Modern Database Management 12th Global Edition by Hoffer solution manual.docxModern Database Management 12th Global Edition by Hoffer solution manual.docx
Modern Database Management 12th Global Edition by Hoffer solution manual.docx
ssuserf63bd7
 
TCS AI for Business Study – Key Findings
TCS AI for Business Study – Key FindingsTCS AI for Business Study – Key Findings
TCS AI for Business Study – Key Findings
Tata Consultancy Services
 
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
juniourjohnstone
 
Training- integrated management system (iso)
Training- integrated management system (iso)Training- integrated management system (iso)
Training- integrated management system (iso)
akaash13
 

Recently uploaded (9)

W.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest ExperienceW.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest Experience
 
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
 
Leadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact PlanLeadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact Plan
 
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
 
Founder-Game Director Workshop (Session 1)
Founder-Game Director  Workshop (Session 1)Founder-Game Director  Workshop (Session 1)
Founder-Game Director Workshop (Session 1)
 
Modern Database Management 12th Global Edition by Hoffer solution manual.docx
Modern Database Management 12th Global Edition by Hoffer solution manual.docxModern Database Management 12th Global Edition by Hoffer solution manual.docx
Modern Database Management 12th Global Edition by Hoffer solution manual.docx
 
TCS AI for Business Study – Key Findings
TCS AI for Business Study – Key FindingsTCS AI for Business Study – Key Findings
TCS AI for Business Study – Key Findings
 
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
 
Training- integrated management system (iso)
Training- integrated management system (iso)Training- integrated management system (iso)
Training- integrated management system (iso)
 

CRI Cyber Board Briefing

  • 1. Cyber Executive Briefing Presenter: Paul C Dwyer Date: Nov 26th 2015 REDACTED VERSION
  • 2. Slides and Material May NOT be Distributed In Any Format Without Written Permission Copyright Cyber Risk International Ltd – All Rights Reserved
  • 4. Paul C Dwyer Paul C Dwyer is an internationally recognised information security authority with over two decades experience. A certified industry professional by the International Information Systems Security Certification Consortium (ISC2) and the Information System Audit & Control Association (ISACA) and recently selected for the IT Governance Expert Panel. Paul's credentials include: • -Qualified Hacker • -SOX (SAS70) Auditor • -ISO 27001 Lead Auditor • -BS25999 / BCP Expert • -Forensic Investigator • -PCI DSS Specialist • -Prince2 He has worked and trained with such organisations as the US Secret Service, Scotland Yard, FBI, National Counter Terrorism Security Office (MI5), is approved by the National Crime Faculty and is a member of the High Tech Crime Network (HTCN). Paul is currently CEO of Cyber Risk International and President of the ICTTF.
  • 5. THE CYBER WORLD AND THE PHYSICAL ARE INTEGRATED
  • 6. What is Cyber Crime? Cyber crime or computer crime as it is generally known is a form of crime where the Internet or computers are used as a medium or method to commit crime which includes hacking, copyright infringement, scams, denial of service attacks, web defacement and fraud.
  • 7. Cybercrime Drivers It’s a business with an excellent economic model. Other reasons, you name it: • Technology • Internet • Recession • “A safe crime” • It’s easy to get involved • Part of Something
  • 8. Crimeware Toolkits Criminal gangs are creating fake banking apps Traditional Banking Trojan kits are attacking: mTAN (Transaction Authentication Number) • Zeus MITMO • Spitmo (SpyEye) • Citmo (Carberp) • Tattanga New generic mobile kits are being developed independently of PC kits for Zeus, Ice IX, SpyEye, Citadel, Carberp. Increasingly industrialized, new distribution channels Legit apps used with stolen credentials
  • 9. Underground Stock Exchange • Categories – Carding Forums – Dump Vendors – Non Carding Forums
  • 10. “actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption.” • “Digital Infrastructure….Strategic National Asset” President Barack Obama • May 2010 – Pentagon – Cybercom • UK - a cyber-security "operations centre” (GCHQ) • “Fifth Domain” The Economist What is Cyber Warfare?
  • 11.
  • 13. Control of the Internet
  • 17. APT
  • 18.
  • 19. Cyber fronts in the Ukraine! Is it War?
  • 20.
  • 21. Reconnaissance Weaponisation Delivery Exploitation C2 Lateral Movement Exfiltration Maintenance Gathers Intelligence About Employee and Assets Targets Individual (Asset)Bad Guy Exploit Run – Comms Established – Command & Control Server Move Laterally Across Network Chooses Weapon from underground forum Exfiltrate Data Protection – Maint Mode
  • 22. What do they Want? 22
  • 25. Old Stuff – New Way
  • 27. The Devil – Really?
  • 28. Three Clicks is Now One Click!
  • 31.
  • 33. Cyber Case Study Extended Presentation Material
  • 35. Tue Feb 19th 2013 4.31 PM
  • 36. Military Precision – 24 Countries 36,000 Withdrawal's Totaling - $45,000,000
  • 37. Prepaid Debit Cards – Bank Muskat – Oman Hackers cancelled withdrawal limits – “Hacked Payment Processor” Card Numbers – Sent to foot soldiers around the world – “Unlimited Operation” “Cashing Crews” Imprinted Data on Cards “Flash Mob” Using Secure IM Sites What Happened?
• 39. Dominican – Yonkers – North of Manhattan
  – Entire crew within streets of “Strattan Street”
  – Dry run – Dec 2012 – Rak Bank
  – Nearly $400,000 – 700 withdrawals
• 40. Why Trust a Criminal?
• 47. Some Recommendations
  – Prepare for the strategic challenge
  – Build cyber resilience and detection within your organisation
  – Develop strategy and governance
  – Develop incident management capability
  – Secure your supply chain
  – Learn from the “Bad Guys”
  – Access relevant, actionable cyber threat intelligence
  – Don’t forget the basics
  – Make everyone responsible and “Cyber Loyal”
  – Look ahead
• 48. It’s an IT Cyber Security Problem, Right?
• 49. NO! Legally It’s a Challenge for the Board!
• 50. Government and Regulators
  – Governments have a role
  – They expect organisations to do their part
  – Regulations cannot keep pace with technology
  – Nobody can protect an organisation better than the organisation itself
• 51. Resilience
  Recognise:
  – Interdependence
  – Leadership role
  – Responsibility
  – Integrating cyber risk management
  – Leverage relationships and encourage suppliers
• 52. Security Industry Evolved?
  – Defence in Depth
  – Breaches are Inevitable
• 54. Cyber Risks for You – Quantitative vs. Qualitative
  Tangible costs:
  – Loss of funds
  – Damage to systems
  – Regulatory fines
  – Legal damages
  – Financial compensation
  Intangible costs:
  – Loss of competitive advantage (stolen IP)
  – Loss of customer and/or partner trust
  – Loss of integrity (compromised digital assets)
  – Damage to reputation and brand
  46% reduction in profits following a breach.
• 55. Regulatory and Legal – Your Organisation
  – EU Data Privacy Directive
  – EU Network Information Security Directive
  – European Convention on Cybercrime
  – 400+ others – 10,000+ controls – 175 legal jurisdictions
• 56. Responsibility – Convention on Cybercrime
  All organisations need to be aware of the Convention’s provisions in Article 12, paragraph 2: ‘ensure that a legal person can be held liable where the lack of supervision or control by a natural person… has made possible the commission of a criminal offence established in accordance with this Convention’.
  Now Sit Forward!
  • 57. It can get even worse
• 59. Cyber is a Strategic Issue
  – Strategic Level (Macro Security): How do cyber attacks affect policies, industry and business decisions?
  – Operational Level: What kind of policies, procedures and business models do we need?
  – Technical Level (Micro Security): How can we solve our security problems with technology?
• 60. Board Room Discussion
  – CEO: loss of market share and reputation; legal exposure
  – CFO/COO: audit failure; fines and criminal charges; financial loss
  – CIO: loss of data confidentiality, integrity and/or availability
  – CHRO: violation of employee privacy
  – CMO: loss of customer trust; loss of brand reputation
  Increasingly, companies are appointing CROs and CISOs with a direct line to the audit committee.
  • 63. Case Study – How Can CRI Help?
• 73. The Real CISO Challenge
  – What cyber controls are in place?
  – Are they appropriate?
  – What maturity level?
  – Why?
  – Prove they are in place
  – Prove they are appropriate (inherent risk)
  – How do you deal with a dynamic threat landscape?
  – How do you deal with interdependence?
  – Show metrics and evidence (Level 4)
  – How do you align with the business?
  • 76. Inherent Risk - Metrics Key To Success on Every Level
• 80. Risk / Maturity Relationship
  – As inherent risk rises, an institution’s maturity levels should also increase
  – Inherent risk profile and maturity levels will change over time
  – Consider reevaluating inherent risk profile and cybersecurity maturity periodically
• 81. Delivers
  – CISO Framework
  – Independent Cyber Security Assessment
  – Roadmap
  – Metrics of Cyber Risk Status
  – Cyber Strategy
  • 82. Q&A
• 83. Thank You – Stay Connected
  www.paulcdwyer.com – youtube.com/paulcdwyer – mail@paulcdwyer.com – +353-(0)85 888 1364 – @paulcdwyer
  WE IDENTIFY, MITIGATE AND MANAGE CYBER RISKS
  Cyber Risk International, Broadmeadow Hall – Applewood Village – Swords – Co Dublin – Ireland
  +353-(0)1- 905 3260 – xxxxxx – mail@cyberriskinternational.com – www.cyberriskinternational.com