Cyber Attack Simulation in Budapest with DBH Group
TRANSCRIPT
www.CyberRescue.co.uk Page: 1
Cyber Crisis
Executive Simulation
Budapest, June 2017
For full list, see our Membership Manual
Who we are
What we do
We help executives lead business recovery when hackers break through
Practice your Response with Executive Simulations
Bespoke Commercial Response Plan
Commercial Coach for Cyber Attack Response
Where we do it
FBI data storage in 1942 = 10 million sets of fingerprints,
plus 23 million paper cards = 680 Gigabytes
Why we do it
Digital transformation of assets
A £600 storage device in 2016, a “memory stick” from HyperX, stores 1,000 Gigabytes
Digital opportunity
and cyber risk
Option 1: Show market risk
Cyber Threats Annual Growth
125% Zero Day
71% DDoS
55% Spear Phish
29% Malware
21% SQLi
38% growth in reported crime
Option 1: Show market risk
Typical Executive Response: “OK, the market must fix the problem”
Option 2: Show systems risk
Client
Typical Executive Response: “OK, the IT Director must fix the problem”
Option 2: Show systems risk (Staff, Systems, Suppliers)
Staff Risks:
• 78% of staff don't obey info policy
• 63% of breaches involve passwords
• 41% of staff install apps on work PC
• 30% of phishing messages are opened
• 12% of staff download malicious s/ware
Supply Chain Risks:
• 41% of breaches affecting healthcare are caused by Third Parties
• 17% of breaches investigated by Kroll caused by Third Parties
• AT&T, Home Depot, TalkTalk, and Target all suffered breaches via 3rd parties
Assess Risks beyond IT
Option 3: Simulate a Breach
Typical Executive Response: “OK, WE must work together on this”
Do you have a plan?
Amy Pascal, former CEO of Sony Pictures, February 2015
There was this horrible moment where I realized there was absolutely nothing at all that I could do.
Robert Pera, CEO of Ubiquiti, on a “whaling” loss of $46.7m that his staff didn't tell him about, January 2016
I’ve been through stages of denial, disbelief, frustration.
The only crime that has been proven is the hack.
That is the story.
Ramon Fonseca, founding partner of Mossack Fonseca ("Panama Papers"), April 2016
I am incredibly angry about this data breach.
John Legere, CEO, T-Mobile USA, on breach of T-Mobile customer data stored by Experian, October 2015
The awful truth is that I don’t know.
Dame Dido Harding, CEO of TalkTalk, when asked if affected customer data was encrypted, October 2015
It was like an Earthquake.
Atiur Rahman, Bangladesh Bank Governor, after cyber thieves compromised their systems, 15th March 2016
CEOs struggle to visualize cyber response
“Hands on your head” isn’t enough for adults
Material for Earthquake Response. Slogan “Shake Out. Don’t Freak Out.”
Companies should be thinking about decisions the CEO will need to make.
Michael Vatis, Director, FBI's National Infrastructure Protection Center, January 2016
You are “blindsided”
You weren’t told of other Security Incidents: CEO (55%), HR (68%), Legal (72%).
You are told of the Breach by an outsider: Law Enforcement (41%), 3rd Parties (35%), Fraud Detection (14%) or Internal (10%).
You are already weeks behind the attackers: average time to discovery of breach is 69 days (114 days in health, and 46 in all other sectors).
Cyber Attacks are different from other business continuity challenges in the “paralysing ambiguity” of the situation.
Authorities are “difficult”
Who to call? 31 organisations fight cyber threats to Financial Services in UK. 68% of IoD Members are unaware of Action Fraud.
What resources do they have? UK NCSP gives £30m pa to combat cyber crime, including £12m to NCEC. The ICO has 30 officers handling over 200,000 concerns & 1,000 cases per year.
What do Authorities do? “4% of cyber crime dealt with appropriately by police.”
There are a lot of opinions
Who is in charge? The UK Parliament expressed its view on 20th June 2016.
What has been breached? Only 45% of security professionals are confident they can determine the scope of a breach. External forensics typically lasts 43 days.
How soon to notify customers? 91% of consumers expect "24 hours or less." But 32% of consumers say their loyalty would diminish if they knew of a data breach.
(International) Laws are complicated
DLA Piper’s 425-page summary of Privacy and Breach Notification laws, and other “response” documents
Decisions imply a Budget
Insurance Pays? 52% of UK CEOs believe they have cover, but <10% actually do. Some 81% of companies with cyber cover in USA have never claimed on it. Claims covered: In USA, 78% went on Crisis Services, 8% on Defence, 9% on Settlement, & 4% for Fines.
Big Gesture? 53% of Breach Notifications offer Credit Monitoring, which is taken up by 10% of affected consumers.
How to triage complaints?
Irate consumers want to receive the global standard in call centre response, 80% of calls answered in 20 seconds.
But volumes can be 100 times normal, with call duration twice the standard 4 mins.
And in addition: Social Media, Regulators, Suppliers, Press, Staff, Police, Shareholders
You are overwhelmed
Which attack to simulate?
Risks vary by Sector
We will now run a simple simulation
Enjoy the Simulation
Much will be uncertain during the exercise. That is deliberate.
Paralysing ambiguity is a defining characteristic of cyber attacks.
Decisions have consequences, as does failure to take prompt action.
None of you will be evaluated.
The exercise is safe and enjoyable. It is OK to make mistakes.
Teamwork is key.
Who? How? Why?
Tomorrow…
Acme Ltd is a new subsidiary of Acme PLC.
You employ 1,000 staff, with 100,000 customers.
You have 5 key partners you work closely with.
You launch a new service “Acme Cares” in a week.
Your IT Director is away.
You operate in Hungary, Germany, Singapore, UK, USA.
Acme Ltd
You work in the senior executive team of a medium-sized luxury hospitality business.
Day 1 – Friday, 10:30am
FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Attack Collective of Korea. We own all your secret. We paste WWW if you not pay 100 Bitcoins protection end of Monday to g9jq65SKx1jj721kca7H2L
Price to stop will go up 100 BTC for every day of attack. This is not joke.
Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will know you cooperated.
Day 1 – Friday, 10:30
What do you do?
Day 1 – Friday, 10:30: What do you do?
Example responses:
1. Inform key colleagues
2. Pay the ransom
3. Inform regulators
4. Inform police
5. Inform customers
6. Ask IT how data was lost
7. Disconnect from internet
8. Back-up systems
9. Invoke business response plan
Colleagues: Who gets told about their worst cyber security incident? CEO = 45%, HR = 32%, Legal = 28%, PR = 24%. (Jan ‘16)
Police: 82% of companies don’t report breaches to police (May ‘16). 68% of Directors unaware how to report cyber crime (March ‘16)
Pay Ransom: 91% of Executives say they won't pay a cyber ransom. But 64% do “if they have to.” (June ‘16)
Day 4 – Monday, 10:30am
HERE PROOF YOU DONT CARE ABOUT CUSTOMERS!
Real data posted to WWW. Pay we post more every day.
Day 4 – Monday, 13:10
Acme’s Analysis
“Data looks real. It shows sensitive personal info held by Acme on 187 individuals who bought services from us last year.”
Day 4 – Monday, 14:00
Who to inform, today
Day 4 – Monday, 14:00: Who to inform, today
Example responses:
1. Key Customers
2. All Customers
3. Suppliers
4. Distributors
5. Shareholders
6. Insurers
7. IT Remediation
8. IT Forensics
9. PR Agency
10. Regulator(s)
11. Law enforcement
12. Lawyers
13. Key Colleagues
14. Cyber Rescue
Consumers’ stated reactions to a data breach
• 91% say "24 hours or less" is acceptable for notification (May ‘16)
• 62% “would lose trust” if company didn’t communicate (Jan ‘16)
• 32% “would have diminished loyalty after a breach” (May ‘16)
• 11% “would quit doing business with hacked company” (April ‘16)
46% of Irish companies say they would not disclose a data breach to impacted third parties (July ‘16)
Among causes of a breach, the least harmful to consumer loyalty is Human Error (May ‘16)
Day 4 – Monday, 16:00: Acme’s IT Analysis
The Koreans are probably still in our systems. We can stop them taking our crown jewels if we disconnect for 3 days.
One of our staff may have helped them. Too many staff have Admin accounts.
If only you’d approved our budget request for Silverbullet Cyber Security Software.
Our cloud provider says they are secure but won’t let us audit them.
Time: How long for IT specialists to respond to Breach (June ‘16)
• 201 days to identify a breach (range = 20 to 569 days)
• 70 days to contain a breach (range = 11 to 126 days)
Missing Info: Log Files “often” poorly configured or unavailable (Oct ‘16)
Capability: 45% of IT security staff say they “can determine scope of a breach” (Jan ‘16)
Day 4 – Monday, 17:00: What do you say, today
a) Press release: Our IT systems were hacked by Korean criminals who will publish all our confidential information unless we pay 100 Bitcoins. We’re victims of an APT and we have invoked our crisis plan.
b) Holding Statement: We are working with police to investigate a claim that data on 187 individuals may have been compromised. All 187 are being informed. Our priority is our customers. We never ask customers for passwords. This is a police matter.
Day 4 – Monday, 21:00
Social media comment: “Acme don’t care about my safety! Now Russians will steal my money”
Campaign message: “Because we care. On Friday, Acme launch a great new service to show customers how we care”
Comments about “a massive breach” spread quickly on social media, hijacking the long-planned “because we care” campaign
Day 5 – Tuesday, 07:50: “Door stepped” by Journalists
Do you care about your customers?
What are you doing to help them?
What data did the Russians steal?
What did celebrity Kara say?
How do you train your staff and help suppliers keep data safe?
Did you invest in SilverBullet?
Are you criminally negligent?
On average it takes 21 hours before companies are able to issue meaningful external communications to defend themselves – Edelman – April 2016
Day 5 – Tuesday, 09:10: Group Finance Director calls
How much will it cost to fix?
What does this do to next year’s forecast, will it hit sales or increase attrition?
What costs will your insurance cover?
What compensation will customers demand?
What do we say to our shareholders?
Why didn’t you invest in SilverBullet?
We will have to cancel bonuses this year.
Insurance: 52% of British CEOs think their company is insured for cyber risks. Just 2% of large businesses actually have stand-alone cyber insurance in UK (March ‘15)
“The market for cyber insurance isn’t sustainable” (Sept ‘15)
Why businesses say they do not have insurance (Nov ‘15) “Premiums too expensive” (52%) “Too many exclusions” (44%)
Companies with cyber insurance but not claimed = 81% (March ‘16)
£1m cyber policy costs £5 - 25k pa for “average” company (April ‘16)
Day 5 – Tuesday, 11:40
Call Centre staff demand help, guidance & protection
“Do we let customers cancel their contracts with us?”
“Do the Russians have my annual appraisal, salary & medical details?”
“Shouldn’t we get someone else to handle calls about stolen data?”
Call Centre: wait time 54 minutes, call duration 9 minutes
55% pa increase in spear-phishing attacks on employees (April ‘16)
52% of IT professionals re-use personal passwords for business apps
41% of Millennials install apps on work PC without consulting IT
30% of Millennials email company info to a personal email address
30% of phishing messages are opened (April ‘16)
29% of companies with mandatory data protection training give an exception to CEOs (May ‘16)
Cause of breach (March ‘16): 48% Current Employee, 31% Outside Perpetrator, 17% Related Third Party, 4% Former Employee.
Day 5 – Tuesday, 14:30
[Diagram: Acme’s network map. Public Network; Acme’s Cloud Providers (Cloud Applications, eg Salesforce, Procurement); Acme’s Network (Customer Edge, Service API, Service Applications, Servers, Comms, User Directory eg Admin Accounts, Enterprise Data, Enterprise Applications eg Email, Payroll, Operations, Log Files); Staff; Acme’s Distributors & Suppliers (Edge Service, Channel & Suppliers, Vendors, Development & Testing, Comms).]
Group IT Director calls: What are your crown jewels? Where are they held? Who has access? Why don’t you shut down for 3 days?
Day 5 – Tuesday, 16:10
Acme’s Analysis
Customers are in Hungary, Germany, Singapore and USA. Includes some celebrities.
Day 5 – Tuesday, 22:50
Tomorrow’s papers
Acme helping police investigation: Forensic police are analysing a file said to contain data on 187 Acme Customers. All have been contacted.
Kremlin in Acme breach? Russia stands accused by experts of taking secret data on 1 million people, including celebrity Kara, who said “Acme should have done a better job”
Day 6 – Wednesday, 09:40
20% fall in share price in 1 week
2 months’ volume in 2 days
Day 6 – Wednesday, 11:00: Messages & Requests building up
• 23 individual consumers
• 3 distribution partners
• 2 supply partners
• 1 police
• Chair of your Board
How do you handle these calls?
Day 6 – Wednesday, 11:30: Chairman of Board
“Get a Grip!”
• Set expectations for updates
• Find a way to close down the breach
• Offer credit monitoring to all customers
• Let customers break contract, but only if they can show harm caused by us
• Consider your position, unless there is someone else to blame
Day 6 – Wednesday, 12:00: Lucky Break - Authorities help
“The breach is at your partner!”
• We think your customer data was stolen from one of your distribution partners.
• We are investigating a breach of over 100 organisations.
• The breach happened five months ago.
• Data on your customers was posted on a dark web forum, two weeks ago.
Day 6 – Wednesday, 22:50
Tomorrow’s papers
Police arrest teenage hacker: Authorities believe a student bought data on dark web to threaten over 100 businesses across the country.
A “lucky” breach?
• Acme should have known its data was put at risk by distributor
• What lessons can be learned from each decision made?
• Many challenges weren’t faced in this short simulation, eg legal issues, procurement, compromised accounts, regulators.
Which attack to simulate?
The future?
Massive growth in digital opportunities and cyber threats.
Expectations on CEOs will rise: to have a detailed plan to reduce harm from cyber attack.
What we do
We help executives reduce harm caused by cyber attacks
Practice your Response with Executive Simulations
Bespoke Commercial Response Plan
Commercial Coach for Cyber Attack Response
Thank you
www.CyberRescue.co.uk
Kevin Duffey, Managing Director
+44 (0)7920 766530
Cyber Crisis Follow up
Greater challenge? Unresponsive Vendors, Angry Regulators, Communications compromised, Multiple frauds on consumers
Other attacks: In your next annual simulation, what to focus on? Data integrity attack; IoT attack; Ransomware
Prevention:
• “Trust but verify” partners – automatically tell them if compromised
• Create a “cyber resilient culture” - train your staff
Agree Goals with IT Director
https://www.youtube.com/watch?v=sq-0tjv4_BA