220715_cybersecurity: what's at stake?

Cybersecurity: What’s at Stake?

22 July 2015

Prepared by: Spire Research and Consulting

Presented by: Leon Perera, CEO, Spire Research and Consulting Group

Upload: spire-research-and-consulting

Post on 09-Apr-2017



Presentation Outline:

1. The evolution of cyber threats

2. Imminent risks to businesses

3. Why CEOs and senior management need to invest seriously in a cyber strategy – and how to measure ROI

Cyber Insecurity


Spire Research and Consulting

The leading research-based consultancy in emerging markets

We were founded in the year 2000.

We have 100 employees in eight full-service offices.

We serve Global Fortune 1000 firms, governments and other leading organizations.

Our opinions frequently appear in print, television and radio media.

We provide a broad spectrum of research and consulting solutions for market growth and entry.


Cyber threat evolution

Advanced threats exist today that were unknown in the 1990s and 2000s

In the past, antivirus was the main weapon of defense needed

Hacking was uncommon, and centralized data was not nearly as abundant and critical

Mission-critical systems were not as developed; business was not as dependent on IT as it is today

Business was not as networked and was less vulnerable to cyber crimes


What are the risks?

What are significant risks today?

Data theft, e.g. through more sophisticated phishing and hacking

Malware that destroys data and renders systems unworkable, e.g. Stuxnet

Denial of service attacks, e.g. through zombie agents

Reputational attacks, e.g. defacing or rerouting public websites

Risks can come from external or internal sources


What are the risks?

What is at stake with these risks?

Confidentiality: could erode market share & brand equity as well as trigger litigation and fines

Integrity: compromising the completeness of information needed to make business decisions

Availability: continuity of core business processes

Reputation: which affects customer and employee loyalty


Change in cyber crime tactics

Why has the landscape changed?

More networked organizations and larger, unregulated cross-border cyberspaces make cyber-crime more lucrative

Cyber crime is increasingly easy and cheap to commit

An effective botnet can be established for as little as USD700, or can be rented for just USD535 per week

TOR rooms and other platforms to help link buyers and sellers of threats

Organized syndicates have emerged, e.g. DefCon, Darknet.org.uk

State actors sponsor some activity in this area


Statistics on Incidence of Risk:

42.8 million cyber security attacks were detected and reported in 2014. That comes out to an average of 117,339 incoming attacks every day, or a 48 percent increase from 2013. (PWC 2015)

65% of attacks come from the inside: with 35% coming from current employees and 30% from past employees, internal threats are by far the leading cause for concern. (PWC 2015)

On average there are 5,768 daily malware attacks on Google’s Android operating system alone, as measured over a six-month period. (CYREN’s Security Report 2013)

Cyber Insecurity


Cyber Insecurity

How are businesses vulnerable?


What is at stake?

Cyber-threats can be devastating for a company’s finances, reputation and employee confidence

Case Study #1: As strong as your weakest link

In October 2014, JP Morgan’s account data for 76 million individuals and 7 million small businesses was stolen

The bank had been spending USD250 million a year on cybersecurity

However, the failure arose due to the bank’s negligence in upgrading one server, which was part of a company that JP Morgan had acquired

This single point of failure created the perfect weakness for the hackers to exploit


What is at stake?

Case Study #2: Denial of service cripples the bottom line today just as work stoppages did in the 20th century

On the evening of 11 May 2015, NetEase, a Chinese Internet company, was attacked, leaving several of its internet products unable to connect to the server

By the next morning (12 May 2015) all affected products had recovered

Lost revenue from its game products alone cost NetEase ~USD 2.5 million over that one night of outage

NetEase claimed the reason was that its backbone network had been attacked by hacker(s)


Cyber Insecurity

What are the types of security threats?


Types of security threats

Hacking:

Hackers exploit weaknesses in a computer system or network

First, hackers obtain information about their intended target

Then, they identify weaknesses and potential attack approaches

Finally, they execute on the attack plan

For example:

• In recent years, several movies from Sony Pictures have been stolen in cyber attacks, including "Fury", "Annie" and "Still Alice". These movies appeared on file-sharing sites prior to their box office release dates.

• In June & July 2015, private information of 21.5 million people was stolen via two hacks at the Office of Personnel Management of the Obama administration, leading to the resignation of its Director on 10 July.

• In 2013 a British hacker accessed information on current and former employees of the US Department of Energy.


Types of security threats

Phishing:

Phishers try to acquire sensitive information such as usernames, passwords, credit card details and intellectual property; and to impair the operations of a website or service

They do this by masquerading as a trustworthy entity in an electronic communication

For example:

Scoular Co. has international business interests and uses wire transfers frequently. Scoular did not raise a red flag when its controller received three emails to wire a total of USD17.2 million to a Chinese bank, Shanghai Pudong Development Bank, in June 2014. The emails purportedly were sent by the CEO (they were actually not). During the investigation of the affair, the controller told the FBI that he ‘was not suspicious of the three wire transfer requests’ because there was an element of truth to all of it.


Types of security threats

MITM:

A ‘man-in-the-middle’ attack is one where a middleman impersonates each endpoint and is thus able to manipulate both victims.

For example:

Customers of a major financial services firm have been targeted with a man-in-the-middle attack (a variant of Zeus) that installs malware designed to intercept passcodes sent to BlackBerry and Symbian devices via SMS as part of a two-factor authentication scheme.


Types of security threats

Malware that destroys systems:

Cyber criminals operate remotely in what is called ‘automation at a distance’ using various means of attack. These include:

• Viruses

• Worms

• Spyware/Adware

• Trojans

For example:

The Stuxnet worm, reportedly a joint US-Israeli project, is said to have destroyed a fifth of Iran’s nuclear centrifuges. It was delivered into Iran’s Natanz nuclear plant via an employee’s thumb drive.

The United States government has warned iPhone and iPad users about the "Masque Attack" vulnerability, a security flaw that can allow malicious third-party iOS apps to masquerade as legitimate apps via iOS enterprise provision profiles.


Types of security threats

Botnets that slow systems down:

The term “bot” in the phrase “bot networks” is short for robot

When a computer is infected with bot malware, it performs automated tasks over the internet without the owner’s knowledge or consent

For example:

Many high-profile targets such as Citigroup, the US Senate, the International Monetary Fund, Sony, Northrop Grumman, Lockheed Martin and RSA have all been victims of botnet attacks

The source code for the builder and control panel of ZeusVM version 2.0.0.0 was leaked in June 2015, according to malware research agency MMD. This could cause a surge in botnets in the months ahead.


Types of security threats

Denial of service (DoS):

The purposeful overload of a device, with the aim of making the device or a service provided by that device unavailable to users. A DoS usually originates from large numbers of bots or zombie PCs which are under the control of a botnet

For example:

Stacheldraht is a typical Denial-of-Service agent

The attacker uses a client program to connect to compromised systems that issue commands to the zombie agents

Agents in turn facilitate the DoS attack


Types of security threats

Reputational risk attacks – website defacement, rerouting

For example:

In October and November 2013, several Singapore government websites were hacked and defaced by “The Messiah”, including websites of the Istana, the PCF and Ang Mo Kio Town Council.


Types of security threats

The new risk landscape with the Internet of Things (IoT):

Physical devices become connected through the Internet of Things (IoT)

Internet of Things (IoT) devices are riddled with basic security flaws, such as weak passwords, unencrypted network services, insecure interfaces and cross-site scripting risks

Many devices collect personal information such as name, address, date of birth, health information and even credit card numbers

Concerns about security and privacy are multiplied when you add in cloud services and mobile applications that work alongside the device

For example:

Cisco, a technology company, predicts that 50 billion connected devices will be in circulation by the end of the decade, up from 11 billion last year


Cyber Insecurity

Cybersecurity management practices


Managing cybersecurity threats

ROI measurement for investing:

Calculating ROI is critical to analyze IT security’s value to the company

Be clear about how and where money is being spent on security

Funding for a specific project can be identified but funding for on-going security is often scattered throughout programs

Many security tools have a short half-life; choose those less prone to countermeasures

Eliminating software vulnerabilities leads to major cost reductions


Managing cybersecurity threats

Do’s and don’ts

Senior management should provide ultimate leadership on cybersecurity, not the IT department

Sensible cost-benefit analysis is key – don’t just let the fox run the henhouse

Ensure silo-less co-operation and decision-making in an emergency

Engage external auditors to “stress-test” security infrastructure

Ensure emergency preparedness and contingency planning with real drills

Ensure timely notification to central authority of any data leaks or break-ins

Investing in the workforce leads to less cost over time