ddos and building business resilience presentation to ...isaca.or.ke/resources2017/cybersecurity...
TRANSCRIPT
Cyber Security
It’s not just about technology
May 2017
Introduction
© 2017 KPMG Advisory Services Limited, a Kenyan Limited Liability Company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Document Classification: KPMG Confidential
The Internet has opened a new frontier in warfare: everything is networked and anything networked can be hacked.
- World Economic Forum Global Risk Report
Cyber risk: Why is it topical now?
This is not a new threat: hackers have been infiltrating sensitive government and institutional systems since the early 1990s. The cyber security market is erupting now, however, because of many high-profile and highly disruptive or damaging security breaches that threaten financial and physical damage across critical national and corporate infrastructures.
Source: WEF Global Risks Landscape 2017
How pervasive are Cyber Risks?
Source: WEF Global Risks Landscape 2017
This has caught the attention of governments and policy makers, intelligence services, the media and increasingly also board-level executives across the globe. Cyber security has become an Executive driven issue.
Cyberattacks prevalence, rank…
Source: WEF Global Risks Landscape 2016
The Fourth Industrial Revolution is here…
Klaus Schwab, founder and executive chairman of the World Economic Forum (WEF), believes that we are at the beginning of the fourth industrial revolution.
Source: WEF Global Risks Landscape 2016
Global CEO Outlook – East Africa
Source: KPMG 2016 CEO Outlook Survey
Cyber Incidents are the new normal…
Source: Cyber Crime Survey, 2015, KPMG India
- 46%: organisations are able to remediate only 46% of the legitimate alerts they receive
- 44% of operations managers see more than 5,000 security alerts per day
- 22% of breached organisations lost customers
- 29% of breached organisations lost revenue
- 23% of breached organisations lost business opportunities
Source: Cisco 2017 Annual Cyber Security Report
Cyber Security Data Analytics
Is the traditional approach effective?
- Number of incidents identified by internal IT teams: < 6%
- Time taken from infection to detection: > 150 days
- Post-detection to reaction, and reaction to remediation: ?
Cyber Security – Traditional Approach
Limitation with Traditional Approach
Trends and Lessons Learnt
Trends Accelerating The Cyber Threat
1. External threats: organized crime, nation-states, cyber espionage, hacktivism, insider threats.
2. Change in the way business is conducted: cloud computing, big data, social media, consumerization, BYOD, mobile banking.
3. Rapid technology change: critical national infrastructure, smart metering, internet of all things.
4. Changing market and client needs: strategic shift, situational awareness, intelligence sharing, cyber response.
5. Regulatory compliance: data loss, privacy, records management.
Some considerations…
Considerations and factors to consider

Configuration management
• Is there a database of configuration items (CMDB)?
• Has a security standard been implemented (a list of secure settings applied on the platform)?

User access
• Access creation, modification, deletion and review.
• Is access integrated across platforms (e.g., Windows, MS SQL and AD)?

Privileged access management
• Is privileged access appropriately granted, revoked, reviewed and monitored?
• Is there segregation between users with privileged access at each level of the access path?
• Is access integrated across platforms (e.g., via jump servers)?
Examples of lessons learnt and top risks
Key risks and factors to consider

Security vulnerabilities
• Are security patches applied (not only for the OS and DB, but also for other applications such as Adobe and Java)?
• Have network controls been implemented (firewalls, IPS, APT protection, etc.)?
• Have appropriate malware controls been implemented?

Inappropriate / unauthorised activities
• Logging and monitoring of access (native logging or a third-party tool).
• Is there a process to detect and follow up on the activities identified?
• Are logs stored on a different server, with access to the logs restricted to a different set of people from those who can access the server?

3rd party risks
• Have 3rd party risks been assessed?
• Are security requirements clearly articulated to 3rd parties?
• Do we have a right to audit 3rd parties?
• Are the other key risks addressed with respect to 3rd parties?
Where do we start?
Key areas from a board governance perspective
Board Governance
• Roles and responsibilities
• Proactive approach: identify new threats and risks
• Protect what matters: identify the crown jewels
• Determine key risk indicators
• Socialize to increase awareness of cyber security across the enterprise
Cyber Security: Board Room Questions?
Cyber Security -A Comprehensive Program
Proactively identify changing threat environment
Thank you
Jared Nyarumba, Associate Director, KPMG Risk Consulting
kpmg.com/socialmedia kpmg.com/app
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2017 KPMG Advisory Services Limited, a Kenyan Limited Liability Company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.