Nathan Desfontaines
Removing Fear, Uncertainty and Doubt
2016
The Proactive Approach
to Cyber Security
“CYBER-SPACE IS REAL…
SO ARE THE RISKS THAT COME
WITH IT.”
PRESIDENT BARACK OBAMA
© 2016 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of
independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has
any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG
International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584
THE THREAT CONTINUES TO RISE
• Concern over cyber attacks has grown by 7%, with 37% believing they are a target for cyber attacks.
• 76% have seen an increase in the rate of cyber attacks.
• 38% have had to deal with 1 or more major cyber security incidents in the last 12 months.
WHAT OUR SURVEYS HAVE FOUND
AN EVER-CHANGING THREAT LANDSCAPE
BE IN A DEFENSIBLE POSITION, BE CYBER RESILIENT
Extortion-driven attacks and ransomware attempts will increase
Pressure to disclose data breaches and threat responses will
intensify
Widespread use of mobile devices and IoT brings a parallel
increase in risk
Organisations will make greater use of real-time intelligence
tools to monitor attacks
Organisations will focus much more on risks posed by
third party vendors and suppliers
Three significant reasons as to why cyber security will remain a key concern for IT managers:
1. Widespread use of new platforms
2. Increasingly available and simple to use exploit kits
3. Attacks are becoming more sophisticated and have specific targets
CYBER REMAINS A CONCERN FOR IT
NEW THREATS PUT STRAIN ON EXISTING IT SECURITY CONTROLS
NEW PLATFORMS, NEW THREATS
MORE USERS + MORE DEVICES = MORE RISK
Impersonation
• SMS Redirection
• Sending Email Messages
• Posting to Social Media
Financial
• Stealing Transaction Authentication
Numbers (TANs)
• Extortion via Ransomware
• Fake Antivirus
• Premium Calls and SMSs
Data Theft
• Account Details
• Contacts
• Call Logs
• Application Data
Surveillance
• Audio
• Camera
• Call Logs
• Location
• SMS Messages
WHAT IS BEING STOLEN?
“Thousands of South Africans have fallen victim to phishing and other types of cyber fraud, and financial institutions have lost in excess of R80-million and continue to lose money every day as a result.”
Dries Morris, Securicom
MOTIVATIONS HAVE CHANGED
FROM “TARGET OF OPPORTUNITY” TO “TARGET OF CHOICE”
Yesterday…
Bad “actors”
 Isolated criminals
 “Script kiddies”
Targets
 Identity theft
 Self-promotion
opportunities
 Theft of services
“Target of opportunity”
Today…
Bad “actors”
 Organized criminals
 Nation states
 Hacktivists
 Insiders
Targets
 Intellectual property
 Financial
information
 Strategic access
“Target of choice”
WHAT’S THE WORST
THAT CAN HAPPEN
RECENT ATTACKS - RANSOMWARE
WHEN ALL YOUR DATA IS ENCRYPTED, RESISTANCE IS FUTILE
Ransomware – Malware that infects the target host by encrypting all data, thereby holding the victim hostage
• Looks legitimate to the
unsuspecting user
• The user is extorted for money
• Tactic achieves – Fear,
Uncertainty and Doubt
• The alternative – “in order to
resolve the situation in an
above-mentioned way you
should pay a fine of $300”
RECENT ATTACKS - HACKING
CORPORATES UNDER SIEGE
Anonymous – Thousands of South African websites were hacked in February 2016. The hacking group found a vulnerability in shared hosting servers:
• The servers are old and vulnerable
with legacy websites that are out
of date
• Opportunistic attacks are evolving
into targeted attacks
• Advanced Cyber controls are now
a necessity not a leading practice
RECENT ATTACKS – DATA BREACH
LIFE IS SHORT, HAVE AN AFFAIR, WHAT’S THE
WORST THAT CAN HAPPEN
In July Ashley Madison, an online platform for would-be adulterers with the slogan “Life is short. Have an Affair”, was hacked.
• Data from about 31 million
accounts was breached with
sensitive information about the
users being published
• Data breach led to the resignation
of the website’s CEO
• Ashley Madison is now facing
multiple lawsuits for failing to take
proper security measures to
protect its users’ information
RECENT ATTACKS – INDUSTRIAL
NATIONS UNDER SIEGE
BlackEnergy – In December 2015 over 1.4 million people were left without electricity in the Ivano-Frankivsk region, Ukraine.
• BlackEnergy backdoor plants a
KillDisk component which renders
computers unbootable
• Infection is through Microsoft
Office files containing malicious
macros
• The virus can overwrite its
corresponding executable file on
the hard drive with random data
which makes restoration of the
system more difficult
A BIT MORE DETAIL ON BREACHES
EACH YEAR BREACHES CONTINUE TO RISE IN SCALE AND IMPACT
• Sony Pictures – Sony was attacked by Ransomware which resulted in a complete shut down as its computers in New York and around the world were infiltrated, encrypting workstations & data drives. The hacker group claimed to have obtained corporate secrets and threatened to reveal said secrets if Sony didn’t meet their demands. (LA Times, 2014)
• Heartland – Credit card payment processing company Heartland was hacked in 2008. This hack affected an estimated 130 million customers, with Heartland having to pay $110 million back to Visa, MasterCard and American Express. This hack is rated as the biggest credit card hack. (CNN Money, 2014)
• Target – Target holds the title for the biggest retail hack in history, losing 40 million credit card numbers to the hackers who used Malware to infiltrate the Target systems and capture credit card numbers at one of the store’s busiest times of the year, Thanksgiving and Christmas. Target is facing more than 90 lawsuits from customers and banks for negligence and compensatory damages. (Bloomberg, 2014)
WHAT ARE WE
MISSING?
CLOSING THE LOOP
3 KEY PRINCIPLES
1. What are we trying to protect and from whom? Getting an up-to-date, detailed snapshot of the current cyber threat landscape that is understood by all.
2. Accept the fact that a breach is inevitable. Whether or not your organisation has been doing enough due diligence to mitigate risks, preparing for a breach is now mandatory.
3. Focus on early detection and response. Real-time intelligence solutions, heads-up situational awareness and proactive “hunting” of incidents are the new status quo.
RED TEAM EXERCISES
Test your processes and systems in a real-life simulation, providing assurance on your ability to respond rather than prevent.
INTRUSION TOLERANCE: ASSUME THAT INTRUSIONS HAVE HAPPENED AND WILL HAPPEN
We must maximize the probability that we can tolerate the direct effect of those intrusions, and that whatever damage is done by the intruder, the system can continue to do its job to the extent possible.
DEPLOYMENT OF SECURITY INTELLIGENCE SYSTEMS
Ponemon reports that this provides a substantially higher ROI (at 23 percent) than all other technology categories surveyed.
THINKING BROADER THAN CIA
APPROACHES TO CYBER SECURITY HAVE CHANGED
RED TEAMING + IS INTELLIGENCE LED
UTILISE “ALL SOURCES” TO SUPPORT AN EXHAUSTIVE TEST STRATEGY
Understand your adversaries and their tactics, model their attack vectors, and then test exhaustively to obtain the necessary intelligence to adapt your defenses.
“The lion fish has adapted to ward off threats in the most challenging and irregular environments.”
ADAPT AND SURVIVE
ANALYTICS AND DATA CAN SAVE US
New behavioural analytics solutions and threat data analytics platforms such as FireEye and DarkTrace emulate the human immune system to protect us – understanding what belongs and what does not.
A combination of protection, early warning signals and instant remediation against sophisticated attacks is a proactive stance.
WHO? WHAT?
WHEN? HOW?
WHO, WHAT, WHEN?
UNDERSTANDING YOUR RISK
Diagram: threat actors ranged by their distance from your organisation – privileged insider, trusted insider, insider, organisation, group, nation-state.
Level 0 – Capability: none. Motivation: No interest in attacking the system.
Level 1 – Capability: Opportunistic attacks. Motivation: May casually investigate or attack a system if exposed to it, but not by design.
Level 2 – Capability: Some IT knowledge and resources for basic attacks (including the use of free malware, non zero-day type attacks). Motivation: Actor will attempt to attack the system, but a one-person attack; part-time.
Level 3 – Capability: Considerable IT knowledge, however actors lack the capability and resources to implement sophisticated attacks. Motivation: Focused on the system; full-time attacker, with support from part-timers.
Level 4 – Capability: Very capable, with the resources to execute sophisticated attacks using zero-day exploits involving significant customisation. Motivation: Attack system frequently or constantly; several people; bribe or coerce.
Level 5 – Capability: Sophisticated attacks, well-funded and resourced. Motivation: Absolute priority, employing detailed research in conjunction with social engineering, bribery and coercion.
THE ANATOMY OF AN ATTACK
THE LOCKHEED INTRUSION KILL CHAIN
“The realm of digital security is an open-ended arms race between system defenses on the one hand and creative, highly persistent attackers on the other.”
WE CANNOT
CONTINUE TO FOCUS
ON PRODUCTION
What is that holy grail of security?
• IPS/IDS
• ISO 27001
• IAM
• Encryption at rest
• Anti-Virus
• Server isolation
• Strong governance, policies and procedures
• Application whitelisting
• Memory blocking
• Privileged access management
PROTECTION ISN’T ENOUGH
CYBER SECURITY DEMANDS THE FULL MONTY
THE FIVE MOST
COMMON CYBER
SECURITY MISTAKES
Mistake #1: “We have to achieve 100 percent security.”
Reality: 100 percent security is neither feasible nor the appropriate goal.
THE 5 COMMON MISTAKES
100% SECURITY IS NEITHER FEASIBLE NOR APPROPRIATE
Mistake #2: “When we invest in best-in-class technical tools, we are safe.”
Reality: Effective cybersecurity is less dependent on technology than you think.
THE 5 COMMON MISTAKES
TECHNOLOGY IS NOT THE BE ALL AND END ALL
Mistake #3: “Our weapons have to be better than those of our attackers.”
Reality: The security policy should primarily be determined by your goals, not those of your attacker.
THE 5 COMMON MISTAKES
YOU DON’T NEED TO ARM YOURSELF TO THE TEETH
Mistake #4: “Cybersecurity compliance is all about effective monitoring.”
Reality: The ability to learn is just as important as the ability to monitor.
THE 5 COMMON MISTAKES
BEHAVIOURAL ANALYTICS IS THE FUTURE OF MONITORING
Mistake #5: “We need to recruit the best professionals to defend ourselves against cybercrime.”
Reality: Cybersecurity is not a department, but an attitude.
THE 5 COMMON MISTAKES
EVERYONE IS RESPONSIBLE FOR CYBER SECURITY
WHAT’S THE WAY
FORWARD?
KNOWING ATTACKS WILL OCCUR IS THE FIRST STEP TO RECOVERY
PREPARE FOR THE WORST SO YOU CAN RESPOND AT YOUR BEST
• Train or outsource the capability to respond to a potential threat
• Establish a data breach team
• Make sure everybody knows what their responsibilities are
WHAT EXACTLY AM I PROTECTING?
• Understand what you are trying to protect – you can’t effectively protect everything (what are your crown jewels?).
• Make sure the threats and opportunities are understood
EARLY DETECTION AND RESPONSE IS EVERYTHING
• Traditional monitoring is no longer effective
• Monitoring is an art, don’t rush it
• Being sure how to respond is key
BUILD AN ECO-SYSTEM
• This should not be an island
• It should integrate into the business of IT
• It should integrate across people, processes and technology
TAKING A HOLISTIC APPROACH
KPMG’S CYBER MATURITY MODEL
Nathan Desfontaines
Cyber Security Manager
• 082 719 2426
• nathan.desfontaines@kpmg.co.za
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
KEEP IN TOUCH

The Proactive Approach to Cyber Security

  • 1.
    1 Nathan Desfontaines Removing Fear,Uncertainty and Doubt 2016 The Proactive Approach to Cyber Security
  • 3.
    3 “CYBER-SPACE IS REAL… SOARE THE RISKS THAT COME WITH IT.” PRESIDENT BARACK OBAMA
  • 4.
    © 2016 KPMGInternational Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584 4 THE THREAT CONTINUES TO RISE • Concern over cyber attacks has grown by 7%, with 37% believing they are a target for cyber attacks. • 76% have seen increase in the rate of cyber attacks. • 38% have had to deal with 1 or more major cyber security incidents in the last 12 months. WHAT OUR SURVEYS HAVE FOUND
  • 5.
    © 2016 KPMGInternational Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584 5 AN EVER-CHANGING THREAT LANDSCAPE BE IN A DEFENSIBLE POSITION, BE CYBER RESILIENT Extortion-driven attacks and ransomware attempts will increase Pressure to disclose data breaches and threat responses will intensify Widespread use of mobile devices and IoT brings a parallel increase in risk Organisations will make greater use of real-time intelligence tools to monitor attacks Organisations will focus much more on risks posed by third party vendors and suppliers
  • 6.
    © 2016 KPMGInternational Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584 6 1. Widespread use of new platforms Three significant reasons as to why cyber security will remain a key concern for IT managers: 3. Attacks are becoming more sophisticated and have specific targets 2. Increasingly available and simple to use exploit kits CYBER REMAINS A CONCERN FOR IT NEW THREATS PUT STRAIN ON EXISTING IT SECURITY CONTROLS
  • 7.
    NEW PLATFORMS, NEWTHREATS MORE USERS + MORE DEVICES = MORE RISK Impersonation • SMS Redirection • Sending Email Messages • Posting to Social Media Financial • Stealing Transaction Authentication Numbers (TANs) • Extortion via Ransomware • Fake Antivirus • Premium Calls and SMSs Data Theft • Account Details • Contacts • Call Logs • Application Data Surveillance • Audio • Camera • Call Logs • Location • SMS Messages
  • 8.
    © 2016 KPMGInternational Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584 8 “ ” WHAT IS BEING STOLEN? Thousands of South Africans have fallen victim to phishing and other types of cyber fraud, and financial institutions have lost in excess of R80-million and continue to lose money every day as a result. Dries Morris, Securicom
  • 9.
    © 2016 KPMGInternational Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584 9 MOTIVATIONS HAVE CHANGED FROM “TARGET OF OPPORTUNITY”TO “TARGET OF CHOICE” Yesterday… Bad “actors”  Isolated criminals  “Script kiddies” Targets  Identity theft  Self-promotion opportunities  Theft of services “Target of opportunity” Today… Bad “actors”  Organized criminals  Nation states  Hactivists  Insiders Targets  Intellectual property  Financial information  Strategic access “Target of choice”
  • 10.
  • 11.
    © 2016 KPMGInternational Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584 11 RECENT ATTACKS - RANSOMWARE WHEN ALL YOUR DATA IS ENCRYPTED, RESISTANCE IS FUTILE Ransomware – Malware that infects the target host by encrypting all data thereby holding the victim hostage • Looks legitimate to the unsuspecting user • The user is extorted for money • Tactic achieves – Fear, Uncertainty and Doubt • The alternative – “in order to resolve the situation in an above-mentioned way you should pay a fine of $300”
  • 12.
    © 2016 KPMGInternational Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584 12 RECENT ATTACKS - HACKING CORPORATES UNDER SIEGE Anonymous – Thousands of South African websites were hacked in February 2016. The hacking group found a vulnerability shared hosting servers: • The servers are old and vulnerable with legacy websites that are out of date • Opportunistic attacks are evolving into targeted attacks • Advanced Cyber controls are now a necessity not a leading practice
  • 13.
    © 2016 KPMGInternational Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584 13 RECENT ATTACKS – DATA BREACH LIFE IS SHORT, HAVE AN AFFAIR, WHAT’S THE WORST THAT CAN HAPPEN In July Ashley Madison, an online platform for would-be adulterers with the slogan “Life is short. Have an Affair” was hacked. • Data from about 31 million accounts was breached with sensitive information about the users being published • Data breach led to the resignation of the website’s CEO • Ashley Madison is now facing multiple lawsuits for failing to take proper security measures to protect its users’ information
  • 14.
    © 2016 KPMGInternational Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584 14 RECENT ATTACKS – INDUSTRIAL NATIONS UNDER SIEGE BlackEnergy – In December 2015 over 1.4 million people were left without electricity in Ivano-Frankivsk region, Ukraine. • BlackEnergy backdoor plants a KillDisk component which renders computers unbootable • Infection is through Microsoft Office files containing malicious macros • The virus can overwrite its corresponding executable file on the hard drive with random data which makes restoration of the system more difficult
  • 15.
    © 2016 KPMGInternational Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584 15 A BIT MORE DETAIL ON BREACHES EACH YEAR BREACHES CONTINUE TO RISE IN SCALE AND IMPACT • Sony Pictures – Sony was attacked by Ransomware which resulted in a complete shut down as its computer in New York and around the world were infiltrated, encrypting workstations & data drives. The hacker group claimed to have obtained corporate secrets and threatened to reveal said secrets if Sony didn’t meet their demands. (LA Times, 2014) • Heartland – Credit card payment processing company Heartland was hacked in 2008. This hack affected an estimated 130 million customers with Heartland having to pay $110 million back to Visa, MasterCard and American Express. This hack is rated as the biggest credit card hack. (CNN Money, 2014) • Target – Target holds the title for the biggest retail hack in history losing 40 million credit card numbers to the hackers who used Malware to infiltrate the Target systems and capture credit card number at one of the stores busiest times of the year, Thanksgiving and Christmas. Target is facing more than 90 lawsuits from customers and banks for negligence and compensatory damages. (Bloomberg, 2014)
CLOSING THE LOOP – 3 KEY PRINCIPLES

1. What are we trying to protect and from whom? Get an up-to-date, detailed snapshot of the current cyber threat landscape that is understood by all.
2. Accept the fact that a breach is inevitable. Whether or not your organisation has been doing enough due diligence to mitigate risks, preparing for a breach is now mandatory.
3. Focus on early detection and response. Real-time intelligence solutions, heads-up situational awareness and proactive “hunting” of incidents are the new status quo.
APPROACHES TO CYBER SECURITY HAVE CHANGED – THINKING BROADER THAN CIA

RED TEAM EXERCISES
Test your processes and systems in a real-life simulation, providing assurance on your ability to respond rather than prevent.

INTRUSION TOLERANCE: ASSUME THAT INTRUSIONS HAVE HAPPENED AND WILL HAPPEN
We must maximize the probability that we can tolerate the direct effect of those intrusions, and that whatever damage is done by the intruder, the system can continue to do its job to the extent possible.

DEPLOYMENT OF SECURITY INTELLIGENCE SYSTEMS
Ponemon reports that this provides a substantially higher ROI (at 23 percent) than all other technology categories surveyed.
RED TEAMING IS INTELLIGENCE LED – UTILISE “ALL SOURCES” TO SUPPORT AN EXHAUSTIVE TEST STRATEGY

Understand your adversaries and their tactics, model their attack vectors, and then test exhaustively to obtain the necessary intelligence to adapt your defenses.

“The lion fish has adapted to ward off threats in the most challenging and irregular environments.”
ADAPT AND SURVIVE – ANALYTICS AND DATA CAN SAVE US

New behavioural analytics solutions and threat data analytics platforms such as FireEye and DarkTrace emulate the human immune system to protect us – understanding what belongs and what does not.

A combination of protection, early warning signals and instant remediation against sophisticated attacks is a proactive stance.
WHO, WHAT, WHEN? – UNDERSTANDING YOUR RISK

Threat actors relative to Your Organisation: Privileged insider, Trusted insider, Insider, Organisation, Group, Nation-state. Each is rated on Capability and Motivation:

Level 0
  Capability: none
  Motivation: No interest in attacking the system
Level 1
  Capability: Opportunistic attacks
  Motivation: May casually investigate or attack a system if exposed to it, but not by design
Level 2
  Capability: Some IT knowledge and resources for basic attacks (including the use of free malware, non-zero-day attacks)
  Motivation: Actor will attempt to attack the system; but a one-person attack; part-time
Level 3
  Capability: Considerable IT knowledge, however actors lack the capability and resources to implement sophisticated attacks
  Motivation: Focused on the system; full-time attacker; with support from part-timers
Level 4
  Capability: Very capable with the resources to execute sophisticated attacks using zero-day exploits involving significant customisation
  Motivation: Attack the system frequently or constantly; several people; bribe or coerce
Level 5
  Capability: Sophisticated attacks, well-funded and resourced
  Motivation: Absolute priority, employing detailed research in conjunction with social engineering, bribery and coercion
THE ANATOMY OF AN ATTACK – THE LOCKHEED INTRUSION KILL CHAIN

“The realm of digital security is an open-ended arms race between system defenses on the one hand and creative, highly persistent attackers on the other.”
WE CANNOT CONTINUE TO FOCUS ON PRODUCTION
PROTECTION ISN’T ENOUGH – CYBER SECURITY DEMANDS THE FULL MONTY

What is that holy grail of security?
• IPS/IDS
• ISO 27001
• IAM
• Encryption at rest
• Anti-Virus
• Server isolation
• Strong governance, policies and procedures
• Application whitelisting
• Memory blocking
• Privileged access management
THE FIVE MOST COMMON CYBER SECURITY MISTAKES
THE 5 COMMON MISTAKES – 100% SECURITY IS NEITHER FEASIBLE NOR APPROPRIATE

Mistake #1: “We have to achieve 100 percent security.”
Reality: 100 percent security is neither feasible nor the appropriate goal.
THE 5 COMMON MISTAKES – TECHNOLOGY IS NOT THE BE ALL AND END ALL

Mistake #2: “When we invest in best-in-class technical tools, we are safe.”
Reality: Effective cybersecurity is less dependent on technology than you think.
THE 5 COMMON MISTAKES – YOU DON’T NEED TO ARM YOURSELF TO THE TEETH

Mistake #3: “Our weapons have to be better than those of our attackers.”
Reality: The security policy should primarily be determined by your goals, not those of your attacker.
THE 5 COMMON MISTAKES – BEHAVIOURAL ANALYTICS IS THE FUTURE OF MONITORING

Mistake #4: “Cybersecurity compliance is all about effective monitoring.”
Reality: The ability to learn is just as important as the ability to monitor.
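An illustration of the "learn what belongs and what does not" idea from the ADAPT AND SURVIVE slide and of this slide's point that learning matters as much as monitoring. It is an added example, not code from the deck or from FireEye or Darktrace: it builds a per-user baseline of source hosts and login hours from authentication log lines, then flags later successful logins that fall outside that baseline and users with a burst of failures. The log format, the user and host names, the timestamps and the burst threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format for the example: "<ISO timestamp> <user> <source host> <SUCCESS|FAILURE>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<result>SUCCESS|FAILURE)$")
FAILURE_BURST_THRESHOLD = 3  # hypothetical tuning value; real deployments derive this from history

# Constructed baseline window: what "normal" looked like for two users over two days.
BASELINE_LOG = """
2016-03-01T08:05:00 alice ws-alice SUCCESS
2016-03-01T09:10:00 alice ws-alice SUCCESS
2016-03-01T14:00:00 alice ws-alice SUCCESS
2016-03-02T08:30:00 alice ws-alice SUCCESS
2016-03-02T10:15:00 alice ws-alice SUCCESS
2016-03-01T09:00:00 bob ws-bob SUCCESS
2016-03-02T11:20:00 bob ws-bob SUCCESS
2016-03-02T09:45:00 bob ws-bob SUCCESS
"""

# Constructed detection window: a normal day plus a few things that do not belong.
NEW_LOG = """
2016-03-03T09:05:00 alice ws-alice SUCCESS
2016-03-03T02:14:00 alice srv-db01 SUCCESS
2016-03-03T11:00:00 bob ws-bob SUCCESS
2016-03-03T11:01:00 bob 10.0.0.99 FAILURE
2016-03-03T11:01:05 bob 10.0.0.99 FAILURE
2016-03-03T11:01:10 bob 10.0.0.99 FAILURE
2016-03-03T11:01:20 bob 10.0.0.99 SUCCESS
2016-03-03T11:30:00 mallory 10.0.0.99 SUCCESS
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def build_profiles(events):
    """Learn, per user, the source hosts and hours of day seen in successful logins."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        if e["result"] == "SUCCESS":
            profiles[e["user"]]["hosts"].add(e["src"])
            profiles[e["user"]]["hours"].add(e["ts"].hour)
    return dict(profiles)


def detect(baseline_text, new_text):
    """Score a new window against the learned baseline; returns anomalies and failure bursts."""
    profiles = build_profiles(parse_log(baseline_text))
    anomalies = []
    failures = Counter()
    for e in parse_log(new_text):
        if e["result"] == "FAILURE":
            failures[e["user"]] += 1   # failures feed the burst counter only
            continue
        reasons = []
        profile = profiles.get(e["user"])
        if profile is None:
            reasons.append("unknown user")
        else:
            if e["src"] not in profile["hosts"]:
                reasons.append("new source host")
            if e["ts"].hour not in profile["hours"]:
                reasons.append("unusual hour")
        if reasons:
            anomalies.append({"user": e["user"], "src": e["src"],
                              "ts": e["ts"].isoformat(), "reasons": reasons})
    bursts = {u: n for u, n in failures.items() if n >= FAILURE_BURST_THRESHOLD}
    return {"anomalies": anomalies, "failure_bursts": bursts}


if __name__ == "__main__":
    result = detect(BASELINE_LOG, NEW_LOG)
    for a in result["anomalies"]:
        print(f"{a['ts']} {a['user']}@{a['src']}: {', '.join(a['reasons'])}")
    for user, n in result["failure_bursts"].items():
        print(f"failure burst: {user} had {n} failed logins in the window")
```

The baseline is a set membership test on host and hour, which is the simplest form of "learning what belongs"; a production system would use longer windows, frequency distributions rather than sets, and would retrain as behaviour drifts, otherwise a user's first legitimate late night becomes a permanent false positive. The point the slide makes survives the simplification: the alert on alice's 02:14 login from a database server exists only because the system first learned where and when alice normally logs in.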
THE 5 COMMON MISTAKES – EVERYONE IS RESPONSIBLE FOR CYBER SECURITY

Mistake #5: “We need to recruit the best professionals to defend ourselves against cybercrime.”
Reality: Cybersecurity is not a department, but an attitude.
KNOWING ATTACKS WILL OCCUR IS THE FIRST STEP TO RECOVERY

PREPARE FOR THE WORST SO YOU CAN RESPOND AT YOUR BEST
• Train or outsource the capability to respond to a potential threat
• Establish a data breach team
• Make sure everybody knows what their responsibilities are

WHAT EXACTLY AM I PROTECTING?
• Understand what you are trying to protect – you can’t effectively protect everything (what are your crown jewels?)
• Make sure the threats and opportunities are understood

EARLY DETECTION AND RESPONSE IS EVERYTHING
• Traditional monitoring is no longer effective
• Monitoring is an art, don’t rush it
• Being sure how to respond is key

BUILD AN ECO-SYSTEM
• This should not be an island
• It should integrate into the business of IT
• It should integrate across people, processes and technology
TAKING A HOLISTIC APPROACH – KPMG’S CYBER MATURITY MODEL
KEEP IN TOUCH

Nathan Desfontaines, Cyber Security Manager • 082 719 2426 • nathan.desfontaines@kpmg.co.za

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.