Cybercrime: “The new reality” FSAA National Conference 20 May, 2014 www.pwc.com.au/consulting/cyber/


Post on 12-Jul-2020


Agenda

1. Cybercrime: “The new reality”

2. Adapting to the new reality

3. Implications for the Financial Services industry

4. Questions


1. The new reality


Cybersecurity is more than an IT challenge—it’s a business imperative.

75% of respondents reporting [1] the same or increase in the number of cyberattacks on their organization.

Average losses are going up with the number of organizations reporting [2] losses of $10M or greater increasing 75% from 2011.

Per the Global CEO Survey, one-third of CEOs don’t think a cyberattack would negatively impact their business. Yet 61% of consumers [3] would stop using a company’s product or services if an attack resulted in a known breach.

[1] 2013 PwC Co-Sponsored US State of Cybercrime (Co-sponsors include: CSO Magazine, United States Secret Service, The Software Engineering Institute CERT® Program at Carnegie Mellon University)

[2] 2014 PwC Global State of Information Security

[3] 2012 PwC Consumer Intelligence Series

Respondents are detecting more security incidents.*

The number of incidents detected in the past 12 months increased by 25%, perhaps an indication of today’s elevated threat environment. It is troubling that the proportion of respondents who do not know the number of incidents has doubled over two years. This may be due to continued investments in security products based on outdated models.

[Chart: Average number of security incidents in past 12 months. 2011: 2,562; 2012: 2,989; 2013: 3,741. “Do not know”: 9%, 14%, 18%. “Zero”: 31%, 20%, 31%.]

* A security incident is defined as any adverse incident that threatens some aspect of computer security.

The cyber challenge extends beyond the enterprise

The Evolution:

• Technology-led innovation has enabled business models to evolve

• The extended enterprise has moved beyond supply chain and consumer integration

• Connectivity and collaboration now extend to all facets of business

Leading to:

• A dynamic environment that is increasingly interconnected, integrated, and interdependent

• Where changing business drivers create opportunity and risk

[Diagram: Global Business Ecosystem. Labels: Enterprise, Consumer, Suppliers, JV/Partners, Service Providers, Customer, Industry/Competitors; Technology, Environmental, Economic. Caption: Pressures and changes which create opportunity and risk.]


Cybercrime – Motive

Cybercrime is no longer the domain of young hackers; instead it is committed by multiple offenders with diverse motives.

• Organised crime

• State sponsored (foreign governments)

• Hackers / activists

• Insiders (employees / suppliers)


The threat environment: Internal and external threats


Why is the risk increasing?

1. Emerging technology – New technologies such as social media provide attackers with more information about targets

2. Sophistication of attacks - Attacks are becoming more sophisticated

3. Enterprise complexity – Businesses are becoming more distributed with larger volumes of data, making it hard to detect attacks

4. Severe implications – Attacks are impacting customers, shareholders and senior management, as well as bringing brand and financial damage.

Denial of service attacks

Password cracking

Your customer information is worth millions to criminals

Cybercrime is getting more specialised


2. Adapting to the new reality


Evolving perspectives: Considerations for businesses adapting to the new reality

Scope of the challenge

• Historical IT security perspectives: Limited to your “four walls” and the extended enterprise

• Today’s leading cybersecurity insights: Spans your interconnected global business ecosystem

Ownership and accountability

• Historical IT security perspectives: IT led and operated

• Today’s leading cybersecurity insights: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics

• Historical IT security perspectives: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain

• Today’s leading cybersecurity insights: Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection

• Historical IT security perspectives: One-size-fits-all approach

• Today’s leading cybersecurity insights: Prioritize and protect your “crown jewels”

Defense posture

• Historical IT security perspectives: Protect the perimeter; respond if attacked

• Today’s leading cybersecurity insights: Plan, monitor, and rapidly respond when attacked

Security intelligence and information sharing

• Historical IT security perspectives: Keep to yourself

• Today’s leading cybersecurity insights: Public/private partnerships; collaboration with industry working groups


The Cyber Lifecycle

There are five key elements to effective cyber security

Effective cyber security involves security, risk, forensics, analytics and operational specialists working together across all five elements of the Cyber Lifecycle.


Keeping pace with the new reality

Operating in the global business ecosystem requires you to think differently about your security program and investments.

• Engage and commit with the business

• Rationalize and prioritise investments

• Transform and execute the security program

[Diagram labels: Board, Audit Committee, and Executive Leadership; Business Alignment and Enablement; Security Strategy and Roadmap; Security Program, Resources and Capabilities; Investment Activities; Projects and Initiatives; Functions and Services; Risk and Impact Evaluation; Resource Prioritization.]


Why organisations have not kept pace

Years of underinvestment in certain areas have left organisations unable to adequately adapt and respond to dynamic cyber risks.

[Diagram labels: Board, Audit Committee, and Executive Leadership Engagement; Business Alignment and Enablement; Security Strategy and Roadmap; Security Program, Functions, Resources and Capabilities; Risk and Impact Evaluation; Resource Prioritization.]

[Focus areas: Security Culture and Mindset; Process and Technology Fundamentals; Threat Intelligence; Monitoring and Detection; Critical Asset Identification and Protection; Incident and Crisis Management; Compliance Remediation.]

[Capabilities: Product & Service Security; Physical Security; Operational Technology Security; Public/Private Information Sharing; Threat Modeling & Scenario Planning; Technology Adoption and Enablement; Ecosystem & Supply Chain Security; Global Security Operations; Breach Investigation and Response; Notification and Disclosure; Privileged Access Management; Security Technology Rationalization; Patch & Configuration Management; Insider Threat; User Administration; Technology Debt Management; Secure Mobile and Cloud Computing.]


Have you kept pace?

Questions to consider when evaluating your ability to respond to the new challenges.

[Diagram: security program framework, as on the previous slide]

• Security Culture and Mindset: Establish values and behaviors to create and promote security effectiveness

• Process and Technology Fundamentals: Evaluate and improve effectiveness of existing processes and technologies

• Threat Intelligence: Understand the threats to your industry and your business

• Monitoring and Detection: Enhance situational awareness to detect and respond to security events

• Critical Asset Identification and Protection: Identify, prioritise, and protect the assets most essential to the business

• Incident and Crisis Management: Develop a cross-functional incident response plan for effective crisis management


Recap of key points to consider

The global business ecosystem has changed the risk landscape

Business models have evolved creating a dynamic environment that is increasingly interconnected, integrated, and interdependent - necessitating the transformation of your security practices to keep pace.

Focus on securing high value information and protecting what matters most

Rather than treating everything equally, you should identify and enhance the protection of your “crown jewels” while maintaining a consistent security baseline within their environment.

Embed cybersecurity into board oversight and executive-level decision making

Creating an integrated, business aligned security strategy and program requires awareness and commitment from the highest executive levels of the organisation – in order to apply the appropriate resources and investments.

Know your adversary – motives, means, and methods

Sophisticated adversaries are actively exploiting cyber weaknesses in the business ecosystem for economic, monetary or political gain – requiring threat intelligence, proactive monitoring and deep response capabilities.


3. Implications for Financial Services


Cybercrime in the Financial Services Industry

• “Zeus in the mobile” is designed to circumvent the two-factor authentication mechanism by intercepting one-time passwords on mobile phones

• “Zeus malware” for mobile devices has stolen $47 million from more than 30,000 corporate and private banking customers

• Targeting the Android and Blackberry operating systems


How does “Zeus in the mobile” work

[Diagram: four numbered steps]


Cybercrime in the Financial Services Industry

• “Global Payments” have lost 1.5 million card details (including card numbers, encrypted PINs and three-digit security number)

• Organised crime gang steals $30 million using credit card details of 30,000 Australians

• Bank of America Merchant Service's third party service provider sent customer information (name, address, social security numbers) to three external parties


Cybercrime in the Financial Services Industry

• Botnet rentals: $535 for five hours a day for one week of distributed denial-of-service attacks

• Two easily sourced botnets targeted Facebook users, affecting 11 million systems and leading to the theft of $850 million

• New versions of the “ZeuS” botnet code cost $3,000

• Specialised password cracking ("Cloud Cracking"): $17 for 300 million attempts, which takes about 20 minutes


Case Study 1: Responding to a potential compromise using analytics

Background

• Companies often get breach ‘tip offs’ from external parties such as government agencies or telecommunication companies

• The information they receive is often restricted (i.e. due to privacy) or incomplete.

Challenge

Security teams need to quickly determine if the threat is ‘real’ and start their response.


Case Study 1: Responding to a potential compromise using analytics (cont’d)

A company receives the following information from a global Telco:

Bot infection detected on 14 March, 2014

Type: “Zeus”

IP: 82.xx.xx.26

IP is obscured for security reasons


Case Study 1: Responding to a potential compromise using analytics (cont’d)

• Zero hour: tip off received.

• Kick off a search against known threat sources for the keyword “zeus” to gather intelligence.

• Search results: collate results of the intelligence search and extract IP addresses. Using ‘Regular Expressions’, search the IP addresses for the pattern provided in the “tip off”.

• Cross-match results of the searches against the firewall logs for the known time period.

• At the 96 hour mark, the initial intelligence provider confirms the IP address identified through analytics matches their intelligence.

Using analytics to source intelligence and match against firewall logs, the computer that is potentially infected was able to be identified within 48 hours.

The team is able to focus on the containment of the malware and perform remediation activities.

[Timeline: Day 1, Day 2, Day 3, Day 4]
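The tip-off workflow above (extract IP addresses from gathered intelligence, match them against the obscured pattern, cross-match against firewall logs for the known period), sketched in Python as an added example that is not part of the original presentation. The function names, the key=value firewall log format, the sample addresses and the reading of the candidate IPs as remote destinations contacted by internal hosts are all assumptions.

```python
import ipaddress
import re
from datetime import datetime

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def masked_ip_regex(masked):
    """Compile a tip-off address like '82.xx.xx.26' into a regex for whole addresses."""
    octets = masked.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {masked!r}")
    parts = []
    for octet in octets:
        if octet.isdigit() and int(octet) <= 255:
            parts.append(re.escape(octet))      # known octet must match exactly
        elif octet and set(octet.lower()) == {"x"}:
            parts.append(r"\d{1,3}")            # obscured octet: any value
        else:
            raise ValueError(f"bad octet {octet!r} in {masked!r}")
    return re.compile(r"\.".join(parts))

def extract_candidates(intel_text, masked):
    """Pull valid IPv4 addresses out of free-text intelligence and keep pattern matches."""
    pattern = masked_ip_regex(masked)
    candidates = set()
    for token in IPV4.findall(intel_text):
        try:
            ipaddress.IPv4Address(token)        # rejects octets above 255
        except ValueError:
            continue
        if pattern.fullmatch(token):            # fullmatch: '182.10.20.26' must not pass
            candidates.add(token)
    return candidates

def cross_match(firewall_lines, candidates, start, end):
    """Map internal source -> candidate destinations contacted inside the time window."""
    hits = {}
    for line in firewall_lines:
        tokens = line.split()
        try:
            when = datetime.fromisoformat(tokens[0])
            fields = dict(t.split("=", 1) for t in tokens[1:])
        except (IndexError, ValueError):
            continue                            # skip malformed lines
        if start <= when <= end and fields.get("dst") in candidates:
            hits.setdefault(fields.get("src"), set()).add(fields["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}

# Constructed sample data (not from the case study); log format is an assumption.
INTEL = """zeus c2 panel at 82.10.20.26 port 443
zeus dropper on 82.10.20.126
unrelated host 182.10.20.26
zeus gate 82.200.7.26, bad entry 82.999.1.26"""
FIREWALL = [
    "2014-03-13T23:58:10 action=allow src=10.1.4.17 dst=82.10.20.26 dport=443",
    "2014-03-14T09:12:03 action=allow src=10.1.4.17 dst=82.10.20.26 dport=443",
    "2014-03-14T09:12:09 action=allow src=10.1.7.40 dst=82.10.20.126 dport=80",
    "2014-03-14T11:30:45 action=deny src=10.1.4.17 dst=82.200.7.26 dport=443",
    "2014-03-15T02:00:00 action=allow src=10.1.9.9 dst=82.200.7.26 dport=443",
]
DAY_START, DAY_END = datetime(2014, 3, 14), datetime(2014, 3, 14, 23, 59, 59)

if __name__ == "__main__":
    suspects = extract_candidates(INTEL, "82.xx.xx.26")
    print(cross_match(FIREWALL, suspects, DAY_START, DAY_END))
```

Anchoring the pattern with `fullmatch` is what keeps near misses such as a longer first or last octet out of the candidate set, and denied connections are kept because a blocked attempt still identifies the internal host.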


Case Study 2: Conducting breach investigations

Background

• Breaches in companies are increasing

• Companies are moving their attention beyond prevention and detection alone to effective response.

Challenge

Security incident response teams need to quickly triage the very large volumes of data to determine:

• Who breached them

• How did they enter the company

• When did they get in

• What did they do.


Case Study 2: Conducting breach investigations (cont’d)

A credit card processing company is breached at multiple points, impacting hundreds of systems. Initial assessments have identified over 200 terabytes of log data to analyse.

Traditional forensic investigation methods cannot meet the volume and velocity requirements of an incident response of this nature.

How can an incident response team process, analyse and report on this volume of data in weeks instead of months?


Case Study 2: Conducting breach investigations (cont’d)

[Diagram: investigation workflow. Stages: Data Preservation; Processing and Extraction (Forensic Data Extraction, and Big Data ingestion); Analytics; Review. Sources: Forensic images, Logs/journals, Other sources. Techniques: Visualisation, Graphing, Forensic analysis, Log analytics, Link analytics, Keyword searches, Forensic timelines.]


Case Study 2: Conducting breach investigations (cont’d)

To effectively communicate the findings, we created visualisations that showed:

• An overall incident visualisation depicting systems affected

• Day-by-day visual breakdowns of significant intruder activity

• Reports of how specific customers were affected

• Reports of how specific systems were affected.


4. Questions?


Thank you

© 2014 PricewaterhouseCoopers. All rights reserved.

PwC refers to the Australian member firm, and may sometimes refer to the PwC network.

Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

Liability limited by a scheme approved under Professional Standards Legislation

WL127015976