Cyber Security
Transformation – A New
Approach for 2015 and
Beyond
Daryl Pereira
Partner
ASEAN Management Consulting
KPMG
© 2015 KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of
independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Cyber Threat Landscape has Evolved
Forecast by the World Economic Forum: delays in adopting cyber security capabilities could result in a US$ 3 trillion loss in economic value by 2020.
Figure 1: Top 5 Global Risks in Terms of Likelihood 2014 (Source: World Economic Forum “Global Risks 2014”)
World Economic Forum: cyber attacks are one of the Top 5 Global Risks in Terms of Likelihood in 2014 (missing in 2013).
Cyber Security is now the World’s 3rd Corporate-Risk Priority Overall
Corporate risk priorities and attitudes among 588 C-Suite and board level executives*
Survey respondents distributed across Asia-Pacific (31%), Europe (28%), North America (26%), Latin America (10%) and South Africa (5%).
*Source: Lloyd’s Risk Index 2013
Increasing Scale and Impact of Cyber Attacks
(Timeline columns on the original slide: 2008 to 2012 | 2013 | 2014)
- J.P. Morgan Chase: PII of 83M customers stolen
- Home Depot: 56 million payment cards compromised
- Sony: company's inner workings completely exposed
- South Korea: 27M bank customers' records stolen
- SCB: confidential information stolen from 647 private bank clients
- Target: 40M credit card records and 70M customer PII compromised
- BankMuscat and Rakbank: hackers stole a total of US$45M
- Ghostnet: large-scale cyber spying operation
- Subway: 80,000 customers' credit and debit card data lost
- Global Payment Systems: 1.5M credit card records and 5.5M consumer records compromised
The FS industry topped the list of 26 different industries targeted by cyber criminals*
*Source: Mandiant 2013
Who are the “Threat Actors” and the Targets?
Threat Actors
- Hacktivists (e.g. Wikileaks, Anonymous, LulzSec)
- Malicious Insiders (e.g. Bradley Manning and the U.S. Department of State memos)
- Cyber Mafia - organised crime (e.g. stealing credit card numbers)
- Cyber Warfare - state sponsored & corporate espionage (e.g. Night Dragon, Stuxnet, Duqu, Shamoon)
Targets
- Customer Data
- Intellectual Property Data
- Merger & Acquisition Transaction Information
- Senior Executive Emails
- Control Systems
- Process Control Networks (supporting exploration & production activity)
- Network and connectivity data
- Operational and asset-specific data
Recent Cyber Security Incident – Retail sector
Target – 2014
Observation
- Malware installed on POS systems
- Phishing email sent to an HVAC vendor; the stolen credentials were used to access Target's Purchase/Order and Billing system
Impact
- 40M credit card records and 70M customer PII compromised
- US$61M in breach-related cost as of Feb 2014; Target could be facing losses of up to US$420 million as a result of this breach
- Will spend US$100M to upgrade its payment system
- CIO and CEO resigned
Recent Cyber Security Incident – Insurance sector
Anthem – 2015
Observation
- Targeted attack (APT) by a cyber espionage group
- Attackers set up rogue WellPoint / Anthem-themed infrastructure on the Internet
- The same infrastructure and malware were also used in an attack on a US defence contractor
Impact
- PII of 80 million customers and clients stolen, including Social Security Numbers
- Biggest data theft in the healthcare industry
- Reputational loss for Anthem regarding IT security
Recent Cyber Security Incident – Banking sector
JP Morgan – 2014
Observation
- Hackers stole the login credentials of a J.P. Morgan employee in spring 2014
- 12 other major US financial institutions were targeted alongside J.P. Morgan
Impact
- PII of 76 million households stolen, including email addresses, home addresses and phone numbers
- PII of 7 million small businesses stolen
- Computer security budget to be doubled to US$250M over the next 5 years
Recent Cyber Security Incident – Banking sector (outsourced vendor)
Standard Chartered Bank & Fuji Xerox – 2013
Observation
- Attack was executed by a hacktivist
- Information stolen from a 3rd party / vendor printing facility at Fuji Xerox Singapore
Impact
- Financial data of 647 clients stolen
- Reputational and financial damage; reputational loss for the Private Bank business
- MAS said it took "appropriate supervisory actions" against SCB
Recent Cyber Security Incident – Entertainment sector
Sony Pictures – 2014
Observation
- North Korea is blamed for the attack
- By the time the breach was discovered, Sony had been infiltrated for one year
Impact
- Company's inner workings completely exposed
- Sensitive personal and corporate data leaked, including emails, salaries and unreleased movies
- Massive impact on Sony Pictures, its employees and clients
“Are we prepared and resilient against cyber attacks?”
Six domains of cyber security readiness:
- Leadership and Governance
- Human Factors
- Information Risk Management
- Business Continuity and Crisis Management
- Operations and Technology
- Legal and Compliance
Cyber Security Transformation Lever 1:
Implementing a strategic, institution-wide approach to cyber security
The six domains around Cyber Security:
- Leadership & Governance: cyber risk governance driven by the Board and cyber risk strategy driven at Executive level as an integral part of corporate strategy. Looks beyond technical preparedness and takes a holistic view of people, process and technology.
- Human Factors: the human factors in the defence chain must be strengthened as part of a cyber risk aware culture.
- Information Risk Management: focus on risk-based mitigation, early detection, robust response, automation and analytics to create internal and external risk transparency.
- BCM / Crisis Management: resiliency and the ability to quickly return to normal operations or repair damage.
- Operations & Technology: a dedicated cyber security operations centre (SOC) to be established, using a threat intelligence driven approach to security.
- Legal & Compliance: cyber security collaboration to be extended beyond company walls to address common enemies.
Cyber Security Transformation Lever 2:
Actionable Threat Intelligence is the key to managing evolving cyber threats
Prevention will ultimately fail. Actionable threat intelligence combined with detection and response capability is the key.
Prevent
Protecting customers and your own infrastructure requires measures on the people, process and technology layers.
Detect
Real-time detection of incidents and fraudulent transactions requires correlation of information from various data sources. It is important to monitor customer behaviour, transactions and log files from applications and systems. Incident detection will not function properly without adequate processes and trained people for detection rule management.
Respond
Incident response capability is built by drafting playbooks, performing regular incident response exercises and doing red team testing. The capability to delay transactions for fraud investigations and having trained call centre employees are most important in being able to respond to modern online banking attacks.
Threat Intelligence
Acquiring external threat information is necessary to keep an up-to-date view of current and future threats to your organisation. Best practices include connecting external intelligence sources, information sharing with other banks and other industries, and cooperation with police and law enforcement.
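The correlation rule sketched under Detect and Threat Intelligence, as an added example that is not part of the KPMG deck: three constructed log sources (a web-application authentication log, a core-banking transaction log and an external threat-intelligence list of bad source networks) are correlated against a per-customer profile of known devices and payees. A transfer above a threshold to a never-before-seen payee, made within ten minutes of a login from an unknown device or from a threat-intel-listed IP, is held for fraud review rather than blocked outright, which is the "delay transactions for fraud investigation" capability described under Respond. The log formats, field names, the ten-minute window, the 5,000 threshold, the 203.0.113.0/24 intel entry and all customer data are assumptions constructed for the example.

```python
"""Added example (not from the KPMG deck): correlate auth log, transaction
log and a threat-intel list to hold suspicious online-banking transfers.
All log lines, thresholds and customer profiles are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed external threat-intel feed: known-bad source networks.
THREAT_INTEL_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed web-application authentication log (one event per line).
AUTH_LOG = """\
2015-03-02T09:00:12Z LOGIN cust=1001 ip=198.51.100.7 device=dev-a
2015-03-02T09:03:45Z LOGIN cust=1002 ip=203.0.113.44 device=dev-x
2015-03-02T09:10:03Z LOGIN cust=1003 ip=192.0.2.9 device=dev-b
"""

# Constructed core-banking transaction log.
TXN_LOG = """\
2015-03-02T09:05:10Z XFER cust=1002 payee=ACC-7781 amount=9500
2015-03-02T09:06:30Z XFER cust=1001 payee=ACC-1200 amount=120
2015-03-02T09:30:00Z XFER cust=1003 payee=ACC-9999 amount=15000
"""

# Constructed customer behaviour profile: devices and payees seen before.
KNOWN_DEVICES = {1001: {"dev-a"}, 1002: {"dev-y"}, 1003: {"dev-b"}}
KNOWN_PAYEES = {1001: {"ACC-1200"}, 1002: set(), 1003: {"ACC-9999"}}


def parse(log):
    """Yield one dict per log line: timestamp, event type and key=value fields."""
    for line in log.splitlines():
        ts, event, *fields = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
        for pair in fields:
            key, value = pair.split("=", 1)
            rec[key] = value
        rec["cust"] = int(rec["cust"])
        yield rec


def ip_in_threat_intel(ip):
    """True if the address falls inside any network on the intel list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in THREAT_INTEL_CIDRS)


def correlate(auth_log=AUTH_LOG, txn_log=TXN_LOG,
              window=timedelta(minutes=10), threshold=5000):
    """Return alerts for high-value transfers to a new payee that follow a
    risky login (unknown device or threat-intel IP) within the time window."""
    logins = defaultdict(list)
    for rec in parse(auth_log):
        logins[rec["cust"]].append(rec)

    alerts = []
    for txn in parse(txn_log):
        cust = txn["cust"]
        amount = float(txn["amount"])
        new_payee = txn["payee"] not in KNOWN_PAYEES.get(cust, set())
        if amount < threshold or not new_payee:
            continue  # low value or established payee: no correlation needed
        for login in logins[cust]:
            # Only logins that precede the transfer inside the window count.
            if not (timedelta(0) <= txn["ts"] - login["ts"] <= window):
                continue
            reasons = []
            if ip_in_threat_intel(login["ip"]):
                reasons.append("login IP on threat-intel list")
            if login["device"] not in KNOWN_DEVICES.get(cust, set()):
                reasons.append("login from unknown device")
            if reasons:
                alerts.append({
                    "cust": cust, "payee": txn["payee"], "amount": amount,
                    "ip": login["ip"], "reasons": reasons,
                    # Hold rather than block, so a fraud analyst can decide.
                    "action": "hold transaction for fraud review",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

On the constructed data only customer 1002 is flagged: the transfer is above the threshold, the payee is new, and the preceding login came from both an unknown device and an address on the intel list. Customer 1001's transfer is too small and customer 1003 pays a known payee from a known device, so neither produces noise; in a real deployment each of the three signals would be a separately tunable detection rule, which is why the deck stresses trained people for detection rule management.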
Leadership and Governance
Board and Senior Management's governance, ownership, and effective management of risk.
What went wrong? / How can this be addressed?
- Sony Pictures: insufficient understanding of cyber risk by Senior Management. Addressed by increased awareness of Senior Management on cyber security risks.
- Target: insufficient oversight of IT risk by the CEO and CIO. Addressed by extending accountability and responsibility for IT risk to the Board, CEO and senior management.
What should you do?
- Cyber Security raised to the Board & Senior Management agenda
- Training & awareness of all management and staff on cyber risks
- Better threat intelligence
- Establish institution-wide accountability for managing cyber risks
Human Factors
Level of security-focused culture that empowers and ensures the right people, skills, culture and knowledge.
What went wrong? / How can this be addressed?
- Subway: POS was accessed using remote access software over the internet because a default password had not been changed by staff. Addressed by proper security awareness programmes for employees.
- Standard Chartered Bank: information stolen from the servers of a third party vendor providing printing services. Addressed by upgrading the security skills and capabilities of staff maintaining customer data and third party servers.
What should you do?
- Training and awareness programmes
- Tone from the top - leadership to demonstrate a security/risk mindset to rank & file teams
- Process to assure appropriate skills and capabilities of vendor staff
- Extension of security policies & HR policies to vendors/3rd parties
Information Risk Management
The approach to achieving comprehensive and effective risk management of information throughout the organisation and its delivery and supply partners.
What went wrong? / How can this be addressed?
- Sony Pictures: all sensitive personal and corporate information was stolen. Addressed by establishing an information classification process together with Data Loss Prevention solutions.
- Standard Chartered Bank: intrusion of vendor servers containing customer data was not detected. Addressed by detection tools and security assessments on all servers that connect to an external network.
What should you do?
- Integration of information classification into security architecture design
- Data governance
- Detection mechanisms and alerts
- Analytics to correlate unusual customer behaviour, transactions and log files from applications and systems
- Information sharing and data loss prevention
Business Continuity and Crisis Management
The preparations for a security event and the ability to prevent or minimise the impact through successful crisis and stakeholder management.
What went wrong? / How can this be addressed?
- Sony Pictures: employees needed to go back to pen and paper. Addressed by backup & recovery coupled with a resilient system architecture.
- Target: information about the breach was announced too late, causing public backlash. Addressed by improving communication to the public.
What should you do?
- Business continuity with cyber resiliency
- Cyber incident response embedded into the Crisis Management process
- Business continuity plan incorporated as part of cyber security readiness
- Internal and external stakeholder management
Operations and Technology
The level of control measures implemented within the organisation to address identified risks, and minimise the impact of compromise.
What went wrong? / How can this be addressed?
- J.P. Morgan Chase: 2FA missing on one neglected server. Addressed by rollout of security services on all assets and proper vulnerability management.
- Target: intrusion/malware was detected but Security Operations did not follow up. Addressed by an effective incident management process - diagnosis, prioritisation and fast response.
What should you do?
- Threat and vulnerability management
- Asset lifecycle management
- Network security
- Network segmentation/isolation
- Incident response
- Actionable threat intelligence
- Drafting playbooks, performing regular incident response exercises, doing red team testing
- Physical security
- Personnel security
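A coverage check in the spirit of the "rollout of security services on all assets" remedy above, as an added example that is not part of the KPMG deck: a constructed CMDB export is reconciled against the remote-access gateway's 2FA enforcement list and the vulnerability scanner's host list, so that an ownerless, internet-facing remote-access server with 2FA switched off and outside scan scope is reported as a finding instead of going unnoticed. A control such as 2FA only protects what it is enforced on, so the check is about coverage, not configuration. The hostnames, CSV layouts, field names and the rule that 2FA is mandatory for internet-facing remote-access hosts are assumptions for the example.

```python
"""Added example (not from the KPMG deck): find assets that escaped the
security-control rollout by reconciling three constructed inventories."""
import csv
from io import StringIO

# Constructed CMDB export: every asset the organisation believes it owns.
CMDB_CSV = """\
hostname,owner,internet_facing,role
vpn-01.corp.example,netops,yes,remote-access
web-03.corp.example,appteam,yes,web
legacy-02.corp.example,,yes,remote-access
db-07.corp.example,dba,no,database
"""

# Constructed export from the remote-access gateway: where 2FA is enforced.
TWO_FA_CSV = """\
hostname,mfa_enforced
vpn-01.corp.example,yes
legacy-02.corp.example,no
"""

# Constructed vulnerability-scanner report: hosts actually in scan scope.
SCANNER_CSV = """\
hostname,last_scan
vpn-01.corp.example,2015-02-28
web-03.corp.example,2015-02-28
db-07.corp.example,2015-01-15
"""


def load(csv_text):
    """Parse a CSV export into a list of row dicts keyed by header."""
    return list(csv.DictReader(StringIO(csv_text)))


def coverage_gaps(cmdb_csv=CMDB_CSV, twofa_csv=TWO_FA_CSV, scanner_csv=SCANNER_CSV):
    """Return (hostname, [findings]) for every CMDB asset that is missing a
    control it should have. Findings are ordered: ownership, then 2FA, then
    scan scope, so the most basic gap is listed first."""
    mfa_enforced = {r["hostname"]: r["mfa_enforced"] == "yes" for r in load(twofa_csv)}
    scanned = {r["hostname"] for r in load(scanner_csv)}

    gaps = []
    for asset in load(cmdb_csv):
        host = asset["hostname"]
        findings = []
        if not asset["owner"]:
            # Nobody is accountable for patching or decommissioning it.
            findings.append("no owner")
        if asset["internet_facing"] == "yes":
            # Assumption for this example: internet-facing remote-access
            # entry points must have 2FA enforced; absence from the gateway
            # list counts as not enforced, the same as an explicit "no".
            if asset["role"] == "remote-access" and not mfa_enforced.get(host, False):
                findings.append("2FA not enforced")
            if host not in scanned:
                findings.append("not in vulnerability scan scope")
        if findings:
            gaps.append((host, findings))
    return sorted(gaps)


if __name__ == "__main__":
    for host, findings in coverage_gaps():
        print(host, "->", ", ".join(findings))
```

Run against the constructed data, only legacy-02.corp.example is reported, with all three findings. The useful property is that the check is driven from the CMDB rather than from the control's own list: a host that was never enrolled in the gateway or never added to scan scope is exactly the host those systems will never mention on their own.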
Legal and Compliance
Regulatory, international standards and laws relevant to your organisation (e.g. ISO27000, PCI-DSS, Data Privacy laws, TRM regulatory requirements, NIST).
What went wrong? / How can this be addressed?
- Standard Chartered Bank: information of 647 private bank clients stolen through an outsourced vendor's server. Addressed by the bank extending its cyber security practices to all outsourced arrangements - a new regulatory mandate.
- Sony Pictures: faces several law cases due to violation of PII storage requirements. Addressed by the legal department addressing new cyber laws for the processing and storage of sensitive information.
What should you do?
- Outsourcing governance & risk management framework
- Outsourcing gap analysis and audit review
- Legislative compliance
- Role of the audit committee
- Threat intelligence and information sharing across other industries
- Collaboration with industry peers to address common enemies
Conclusion
Cyber Security Frameworks: ISO 27032 (Cyber Security), MAS/HKMA TRM Guidelines, NIST, COBIT, etc.
Three elements of the transformation:
- Strategic, institution-wide approach
- Actionable Threat Intelligence
- Cyber Security Readiness
Appendix: KPMG Cyber Security Framework
Cyber Maturity Assessment (CMA)
Cyber Security Strategy
Cyber Gaming
Cyber Defense Operating Model Design
Identity and Access Management
Security and Technology Assessments
Certification Services
Development and Implementation of Threat
Intelligence Operating Models
Design and Implementation of Security
Operations Centers
Cyber Attack Detection
Rapid Response Teams
Forensic Evidence Recovery and Investigation
Advanced Training and Cyber Response
Capability Development
Board Training
Enterprise Risk Management and
Implementation
Business Continuity Planning
Behavioral Change Management
Design and Delivery of Institution-wide
Cyber Security Transformation Programs
Contact Details
darylpereira@kpmg.com.sg
RISK & REGULATION | COST & EFFICIENCY | CUSTOMER & GROWTH
DARYL PEREIRA
Partner
ASEAN Management Consulting
KPMG
Tel: +65 6411 8116

Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira

  • 1.
    Cyber Security Transformation –A New Approach for 2015 and Beyond Daryl Pereira Partner ASEAN Management Consulting KPMG
  • 2.
    2© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Cyber Threat Landscape has Evolved Forecast by Word Economic Forum Delays in adopting cyber security capabilities could result in a US$ 3 trillion loss in economic value by 2020 Figure 1: Top 5 Global Risks in Terms of Likelihood 2014 - WEF Figure 2:Source: World Economic Forum “Global Risks 2014” World Economic Forum Cyber attacks are one of theTop 5 Global Risks inTerms of Likelihood in 2014 (missing in 2013)
  • 3.
    3© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Cyber Security is now the World’s 3rd Corporate-Risk Priority Overall Corporate risk priorities and attitudes among 588 C-Suite and board level executives* Survey respondents distributed across Asia-Pacific (31%), Europe (28%), North America (26%), Latin America (10%) and South Africa (5%). *Source: Lloyd’s Risk Index 2013
  • 4.
    4© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. J.P. Morgan Chase 83M customer PII were stolen Home Depot 56 million payment cards compromised Sony Company's inner workings completely exposed South Korea 27M Bank customer’s records were stolen SCB confidential information was stolen from 647 private bank clients Target 40M credit card records and 70M customer PII compromised BankMuscat and Rakbank Hackers stole total of US$45M Ghostnet large-scale cyber spying operation Subway 80,000 customer credit and debit card data lost Global Payment Systems Compromised 1.5M credit card records and 5.5M consumer records 20132008 to 2012 2014 The FS industry topped the list of 26 different industries targeted by cyber criminals* *Source: Mandiant 2013 Increasing Scale and Impact of Cyber Attacks
  • 5.
    5© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Who are the “Threat Actors” and the Targets? Hacktivists (i.e. Wikileaks, Anonymous, LulzSec) Malicious Insiders (i.e. Bradley Manning and the U.S. Department of State memos) Cyber Mafia - Organised crime (i.e. stealing credit card numbers) Cyber Warfare - State sponsored & corporate espionage (i.e. Night Dragon, StuxNet, DuQU, SHAMOON) Intellectual Property Data Merger & Acquisition Transaction Information Senior Executive Emails Control Systems Process Control Networks (supports exploration & production activity) Network and connectivity data Operational and assets specific data Targets Threat Actors Customer Data
  • 6.
    6© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Recent Cyber Security Incident – Retail sector Target could be facing losses of up to $420 million as a result of this breach US$61M in breach-related cost as of Feb 2014 CIO and CEO resigns Will spend US$100M to upgrade payment system 40M credit card records and 70M customer PID compromised Impact Malware installed on POS Phishing email sent to HVAC firm and credentials used to access Target’s Purchase/Order and Billing system Observation Target – 2014
  • 7.
    7© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Recent Cyber Security Incident – Insurance sector Biggest data theft in healthcare industry Reputational loss in Anthem regarding IT Security Impact PID of 80 million customers and clients were stolen, including Social Security Numbers Setup of evil WellPoint / Anthem infrastructure in the Internet Targeted attack (APT) by cyber espionage group Observation Infrastructure and malware was also used for attack on US Defense contractor Anthem – 2015
  • 8.
    8© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Recent Cyber Security Incident – Banking sector Computer security budget will be doubled in the next 5 years to $250M PID of 7 million small businesses were stolen Impact PID of 76 Million households were stolen, including email addresses, home addresses and phone numbers 12 other major US financial institutions alongside J.P.Morgan were targeted Hackers stole the login credentials for a J.P.Morgan employee in Spring 2014 Observation JP Morgan – 2014
  • 9.
    9© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Reputation and financial damage Attack was executed by a Hacktivist Information stolen from a 3rd party / vendor printing facility at Fuji Xerox Singapore Observation Reputational loss for Private Bank business MAS said it took "appropriate supervisory actions” against SCB Impact Financial Data of 647 clients stolen Recent Cyber Security Incident – Banking sector (outsourced vendor) Standard Chartered Bank & Fuji Xerox – 2013
  • 10.
    10© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Recent Cyber Security Incident – Entertainment sector North Korea is blamed for the attack When the breach was discovered, Sony had been infiltrated for one year Observation Massive impact to Sony Pictures, its employees and clients Sensitive personal and corporate data was leaked, including emails, salaries and unreleased movies Impact Company's inner workings completely exposed Sony Pictures – 2014
  • 11.
    11© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. “Are we prepared and resilient against cyber attacks?” Leadership and Governance Human Factors Information Risk Management Business Continuity and Crisis Management Operations and Technology Legal and Compliance
  • 12.
    12© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Cyber Security Transformation Lever 1: Implementing a strategic, institution-wide approach to cyber security Cyber Security Leadership & Governance Human Factors Information Risk Management BCM / Crisis Management Operations & Technology Legal & Compliance Cyber security collaboration to be extended beyond company walls to address common enemies A dedicated cyber security operations centre (SOC) to be established, using threat intelligence driven approach to security Cyber risk governance driven by the Board and Cyber risk strategy driven at Executive level as an integral part of corporate strategy. Looks beyond technical preparedness and takes a holistic view of people, process and technology The human factors in the defence chain must be strengthened as part of a cyber risk aware culture Focus on risk-based mitigation, early detection, robust response, automation and analytics to create internal and external risk transparency Resiliency and ability to quickly return to normal operations or repair damage
  • 13.
    13© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Respond Incident response capability is built by drafting playbooks, performing regular incident response exercises and doing red team testing. The capability to delay transactions for fraud investigations and having trained call centre employees are most important in being able to modern online banking attacks. Detect Real-time detection of incidents and fraudulent transactions requires correlation of information from various data sources. It is important to monitor customer behaviour, transactions and log files from applications and systems. Incident detection will not function properly without adequate processes and trained people for detection rule management. Threat Intelligence Acquiring external threat information is necessary to keep an up to date view on current and future threats for your organisation. Best practices include connecting external intelligence sources, information sharing with other banks and other industries, and cooperation with police and law enforcement. Cyber Security Transformation Lever 2: Actionable Threat Intelligence is the key to managing evolving cyber threats Threat Intelligence Prevention will ultimately fail. Actionable threat intelligence combined with detection and response capability is the key Prevent Protecting customers and your own infrastructure requires measures on people, processes and technology layers.
  • 14.
    14© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Training & awareness of all management and staff on Cyber Risks  Better threat intelligence Establish an institution-wide accountability for managing cyber risks Leadership and Governance Insufficient understanding of cyber risk by Senior Management Increased awareness of Senior Management on Cyber Security risks Insufficient oversight of IT risk by CEO and CIO Accountability and responsibility for IT risk extended to the Board , CEO and senior management What went wrong?  Cyber Security raised to Board & Senior Management agenda Sony Pictures What should you do? How can this be addressed? Board and Senior Management's governance, ownership, and effective management of risk. Target
  • 15.
    15© 2015 KPMGServices Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Training and awareness programmes Tone from the top - leadership staff to demonstrate security/risk mindset to rank & file teams Process to assure appropriate skills and capabilities of vendor staff Human Factors POS was accessed using remote access software over internet, due to staff’s default password not being changed Proper security awareness programs should be provided to the employees Information stolen from the server s of a third party vendor providing printing services Upgrade security skills and capabilities of staff maintaining customer data & third party servers What went wrong? Subway Standard Chartered Bank What should you do? How can this be addressed? Level of security-focused culture that empowers and ensures the right people, skills, culture and knowledge.  Extension of security policies & HR policies to vendors/3rd parties
  • 16.
Information Risk Management

The approach to achieving comprehensive and effective risk management of information throughout the organisation and its delivery and supply partners.

What should you do?
• Integration of information classification into security architecture design
• Data governance
• Detection mechanisms and alerts
• Analytics to correlate unusual customer behaviour, transactions and log files from applications and systems
• Information sharing and data loss prevention

What went wrong? How can this be addressed?
• Sony Pictures: All sensitive personal and corporate information was stolen. Establish an information classification process together with Data Loss Prevention solutions.
• Standard Chartered Bank: Intrusion of vendor servers containing customer data was not detected. Detection tools and security assessments should be applied to all servers that connect to an external network.
Business Continuity and Crisis Management

The preparations for a security event and the ability to prevent or minimise the impact through successful crisis and stakeholder management.

What should you do?
• Business continuity with cyber resiliency
• Cyber incident response embedded into the Crisis Management process
• Business continuity plan incorporated as part of cyber security readiness
• Internal and External Stakeholder management

What went wrong? How can this be addressed?
• Sony Pictures: Employees needed to go back to pen and paper. Backup & recovery coupled with a resilient system architecture.
• Target: Information about the breach was announced too late, causing public backlash. Improvement of communication to the public.
Operations and Technology

The level of control measures implemented within the organisation to address identified risks, and minimise the impact of compromise.

What should you do?
• Threat and vulnerability management
• Asset lifecycle management
• Network security
• Incident Response
• Actionable threat intelligence
• Network segmentation/isolation
• Drafting playbooks, performing regular incident response exercises, doing red team testing
• Physical security
• Personnel security

What went wrong? How can this be addressed?
• J.P. Morgan Chase: 2FA was missing on one neglected server. Roll out security services on all assets and proper Vulnerability Management.
• Target: Intrusion/malware was detected but Security Ops did not follow up. Effective Incident Management process – diagnosis, prioritisation, and fast response.
Legal and Compliance

Regulatory, international standards and laws relevant to your organisation (e.g. ISO27000, PCI-DSS, Data Privacy laws, TRM regulatory requirements, NIST).

What should you do?
• Outsourcing governance & risk management framework
• Outsourcing gap analysis and audit review
• Legislative compliance
• Role of the audit committee
• Threat intelligence and information sharing across other industries
• Collaboration with industry peers to address common enemies

What went wrong? How can this be addressed?
• Standard Chartered Bank: Information on 647 of its private bank clients was stolen through an outsourced vendor's server. The bank needs to extend cyber security practices to all outsourced arrangements - a new regulatory mandate.
• Sony Pictures: Faces several law cases due to violation of PID storage. The legal department must address new cyber laws for the processing and storage of sensitive information.
Conclusion

• Cyber Security Frameworks: ISO 27032: Cyber Security; MAS/HKMA TRM Guidelines; NIST; COBIT; etc.
• Strategic, Institution-wide approach
• Actionable Threat Intelligence
• Cyber Security Readiness
Appendix: KPMG Cyber Security Framework

• Cyber Maturity Assessment (CMA)
• Cyber Security Strategy
• Cyber Gaming
• Cyber Defense Operating Model Design
• Identity and Access Management
• Security and Technology Assessments
• Certification Services
• Development and Implementation of Threat Intelligence Operating Models
• Design and Implementation of Security Operations Centers
• Cyber Attack Detection
• Rapid Response Teams
• Forensic Evidence Recovery and Investigation
• Advanced Training and Cyber Response Capability Development
• Board Training
• Enterprise Risk Management and Implementation
• Business Continuity Planning
• Behavioral Change Management
• Design and Delivery of Institution-wide Cyber Security Transformation Programs
Contact Details

DARYL PEREIRA
Partner
ASEAN Management Consulting
KPMG
darylpereira@kpmg.com.sg
Tel: +65 6411 8116

RISK & REGULATION | COST & EFFICIENCY | CUSTOMER & GROWTH