why do people have the ‘fear’? · 2018-11-07 · the value of data: attackers and companies...

Cyber Security Why do people have the ‘fear’? www.pwc.co.uk/cyber September 2018


Post on 11-Aug-2020



Cyber Security: Why do people have the ‘fear’?

www.pwc.co.uk/cyber

September 2018


Cyber Security Context

We operate in a world where we don’t own the systems we use or control the data we rely on

Digital Revolution

Growing Cyber Risk

More Regulation

Cloud, “IoTs”, Big Data, Digital Currency

Evolving Threats

More Connections

Talent Shortage

Arms Race


What do we mean by ‘Cyber’ and ‘Cyber Resilience’?

A more connected world brings greater speed and value, and enriches our lives. Yet more connections also bring more vulnerability.

So what does it mean for you?

Cyber Security is the resources we put into preventing successful cyberattacks.

Cyber Resilience is the preparations we make for handling a successful attack and its consequences.

Cybersecurity

The protection of devices, services and networks (and the information on them) from theft or damage.

Cyber resilience

The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources.

Cyber

Relating to or characteristic of the culture of computers, information technology, and virtual reality.

Sources: National Cyber Security Centre, MITRE, Oxford Dictionary


Threat Landscape – A lot has happened in the last 18 months…

NSA leaks have accelerated the democratisation of threats.

2017

May 2017: WannaCry ransomware disrupts 74 countries and major organisations

June 2017: NotPetya ransomware takes multiple systems offline

July 2016: Internal breach affecting over 500,000 people

Shadow brokers release stolen NSA tools to the world*

Sept 2017: 143m customer details (potentially) stolen, wiped 1/3 of the value of the org.

Sept 2017: SEC admits breach in 2016 probably led to insider trading

Aug 2017: Over 2.4 million customers potentially infected with malware via the popular tool cleaner

Aug 2016

The release of the NSA tools by shadow brokers has put “Nation State” tools in the hands of cyber criminals and organised crime. This has resulted in a major shift in the threat landscape for everyone.

Major impacts (+ direct costs) include…

• Maersk not being able to dock ships and unload cargo ($275m+)

• Millions of Fedex (TNT) packages were delayed ($300m+)

• A global shortage of critical drugs produced by Merck ($300m+)

• Saint-Gobain had to stop major construction projects (£250m+)

2018

June 2018: $70m lost in crypto attacks, resulting in service being taken offline for a period.

Sept 2017: BA report significant compromise and mobile App


Threat Landscape – Business Interruptions Costs

The potential impact of disruption to material infrastructures.

Targets and losses:

• Energy Infrastructures: Electricity blackout, losses $243 – 1,024bn

• Cloud Providers: Cloud Service Providers hack, losses $5 – 53bn

• Operating System: Mass vulnerability attack, losses $10 – 29bn

Sources: Lloyd's (2015, 2017)


The Value of Data: Attackers and Companies

Threat actors will act upon and exploit any data they choose

Value to Hackers

E-Mail Credentials $0.50 - $2.50

Personal Information $1 - $15

Financial Credentials $8 - $20

Health Records $50 - $60

Driving License Scans $20 - $25

Targeted Identity $250 +

Oracle MICROS Payment System

UBER Driver Names and License Plate Numbers

WADA Database and Health Records Hack

Impact on Company

Intellectual Property $ ???

Nortel Espionage Attack

RSA SecurID Authentication Technology

Business Impact of Breach (inclusive of forensic, investigative and remediation costs to address breach)

[Chart: Associated Costs against Number of records]

Average Impact: $190 average cost per record, based on detection, escalation and notification costs, lost business and reputational damage

Based on Ponemon Institute © Research Report – 2016 Cost of Data Breach Study: Global Analysis

What drives costs up?

• Third party involvement

• Extensive cloud migration

• Rush to notify

• Lost or stolen devices

What keeps costs down?

• Incident response team

• Employee training

• CISO appointed

• Board-level involvement

• Participation in threat sharing

• Data governance


Threat Trend – Are we getting any better?

99.9% of the exploited vulnerabilities (in 2014) had been identified for more than a year, some of them as far back as 1999.

(Source: Verizon DBIR 2015)


So why does automation worry us?


Roads – current research


Key concerns – what ifs?

• Vehicles can be stolen or removed due to proximity keys

• Vehicles can leak data – location, PII, habits, ancillary location data

• Vehicle performance can be impacted in some way – speed, braking, gearing, steering

• Vehicles integrate with roadside tech to the detriment of drivers/passengers

• Multiplication factor of ‘all’ cars affected or all types of a vehicle affected


Where is this all going?


Threat Trend – Reading the Crystal Ball…


The PwC Prediction Lottery


Clearer ‘clanship’ syndicates in organised crime

A breach of a major Western bank and subsequent customer-impacting payment frauds

Continued targeting of major crypto currency exchanges & associated volatility

Self-propagating techniques causing widespread ‘collateral damage’

Increasing number of ‘big hits’ as players work out how far they can push the new norms

Continued exploitation of inherent trust in the (software) supply chain

Rapid redeployment of leaked or documented exploits and TTPs

Targeted attacks against system inputs / data feeds


The PwC Prediction Lottery


Phishing

Malware

• Extensive use of PowerShell and WMI, enabling memory-only execution

• Many new families focused on wallet identification and exfiltration

• Malware focused on the ability to edit/disrupt data feeds underpinning operations

• Continued uptick in the targeted use of commercial and open-source frameworks

• Hijacks of automated and standalone software updates to deliver & sideload malware

• Evasion frameworks begin to be shared – (encoding tricks, multi-hop docs etc.)

• HTTPS everywhere (Let’s Encrypt)

• Imitation of personal bankers


The PwC Prediction Lottery


• Old favourites still abused – stickykeys, RDP bruteforcing etc.;

• Back to the 2000s – targeting of common perimeter stacks like LAMP or MEAN;

• Another ShadowBrokers leak with RDP and Server2012/Win8+ vulns; and,

• Increase in supply chain intrusions and island hopping.

• The emergence of new IoT botnets (reaper, etc.) made available for hire

• Targeting of domain registrars and DNS providers (fits in hacking too)

• Ransomware/wiper as DoS – another major event

• The KVM-3G combination, focused on call centres or payments centres

• The rise of the inadvertent insider – AWS/GitHub

• An insider leak of hostile FIS CNE tooling

Hacking

DDoS

Insider


The Bottom Line – A Round-Up


• Limit privileges, patch, and whitelist where possible

• Two-factor where possible, and strong credential storage/management practices

• Harden domain controllers, segment both your network and AD environment

• Move transaction teams onto highly locked down / OOB systems

• Gather command line, process execution and event telemetry for analysis – keep IT admins close to security to inform detection of malicious use of legitimate tooling

• Monitor for authenticated sessions to perimeter systems over TOR, unusual data transfer volumes and statistically anomalous traffic by endpoint. Inspect SSL.

• Make use of VPN authentication data to detect ‘impossible trips’

• Focus on the Essential Eight – https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm
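
An added example (not part of the PwC deck) of the ‘impossible trips’ check on VPN authentication data: consecutive logins by one user are compared, and a pair is flagged when the implied travel speed is not physically plausible. The record layout, the pre-resolved GeoIP coordinates and the 900 km/h and 100 km thresholds are assumptions; every record is constructed.

```python
"""Flag 'impossible trips' in VPN authentication data (added example)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0   # assumed ceiling: roughly airliner cruising speed
MIN_KM = 100.0    # assumed floor: ignore GeoIP jitter within one region

# Constructed sample records: (UTC time, user, source IP, lat, lon).
# IPs are documentation ranges; coordinates stand in for a GeoIP lookup.
SAMPLE = [
    ("2018-09-03T08:01:00", "asmith", "192.0.2.10", 51.51, -0.13),    # London
    ("2018-09-03T08:40:00", "bjones", "198.51.100.7", 53.48, -2.24),  # Manchester
    ("2018-09-03T09:15:00", "asmith", "203.0.113.55", 1.35, 103.82),  # Singapore
    ("2018-09-03T12:30:00", "bjones", "198.51.100.9", 51.51, -0.13),  # London
    ("2018-09-04T09:00:00", "asmith", "192.0.2.10", 51.51, -0.13),    # London
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_trips(records, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (user, previous IP, current IP, km, km/h) for each pair of
    consecutive logins by one user that implies travel faster than max_kmh."""
    last, alerts = {}, []
    for ts, user, ip, lat, lon in sorted(records):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_ip, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            # Simultaneous sessions are treated as one second apart, so two
            # distant logins at the same instant still alert.
            hours = max((when - p_when).total_seconds(), 1.0) / 3600
            kmh = km / hours
            if km >= min_km and kmh > max_kmh:
                alerts.append((user, p_ip, ip, round(km), round(kmh)))
        last[user] = (when, ip, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_trips(SAMPLE):
        print("impossible trip: %s %s -> %s (%d km at %d km/h)" % alert)
```

Corporate egress points, mobile carriers and commercial VPN exits geolocate poorly, so alerts from a check like this are usually triaged alongside device and session context rather than acted on alone.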


Recurring Themes found Post-Incident

Awareness

• Phishing continues to be a successful strategy for attackers who rely on poor staff awareness combined with gaps in an organisation’s patching or currency

• In particular, we continue to see increasing use of crypto-malware

• Users are often the last line of defence and it is important to put in place strong education and awareness programmes.

Data

• Tendency for data to be copied and shared increases the ‘threat surface’.

• Production data is being used in non-production environments where security controls are often less stringent.

• Organisations need to understand where they store sensitive customer, commercial and staff data and ensure that it is handled appropriately and protected.

Legacy

• While organisations often focus on deploying secure systems, we find a ‘blind spot’ when it comes to securing legacy estates.

• Often legacy systems are built on insecure platforms or have been re-purposed in a way that exposes business systems.

• Decommissioning of old systems is often not verified, leaving sensitive data exposed.

Governance

• A lack of accountability for cyber security risks – senior executives and board members suggesting that it is solely an IT problem.

• Lack of effective governance over security risks.

• Identification and management of risks / critical assets is often fragmented and inconsistent.

Culture

• ‘Defence in depth’ is often thought of as ‘expense in depth’.

• In reality, many of the commodity threats can be mitigated by getting the basics right.


Managing cyber risk is a multi-faceted challenge…

Authenticating People

• Password retirement

• Biometrics – done right

• Who are ‘my people’

• Strong federated authentication

• ‘Continuous authentication’

Validating Inputs

• Automated processes ‘Corrupt process by corrupting inputs’

• Authenticating systems

• Validating critical inputs

Protecting Data

• Securing data is no longer synonymous with securing system

• Data-centric approach to encryption

• Encryption everywhere

Fixing the Hard Basics

• IT Architecture (Active Directory, Network Segmentation, Virtualisation, Internet First)

• Automated controls (e.g. patching)

• Access Governance

• Data Architecture

• Legacy

Anomaly Detection

• Holistic monitoring of people, process, technology and physical

• ‘Risk scoring’ interactions

• Focus on ‘verifying good’

• Automated responses

Culture

• Embedding cyber security in every decision

• Empowering every individual to secure the organisation

Resilient Business

• Processes that can continue when critical IT fails

• Processes that can recover quickly from technology failure

• Minimising single points of failure

• ‘Worst case’ recovery capability

Untrusted Apps

• Proliferation of apps

• Lack of control over development environment

• Isolating impact of malignant apps

• Automated compliance

Third Party Oversight

• Third party attestations and audits no longer good enough

• Operational oversight

• Real time visibility of vulnerability and threats through supply chain

Focus on managing risk to business processes, not securing kit.

Moving away from the core.

Different approach to controls.

Quantifying Risk.

Impactful Board Governance.

Clear understanding of threat and exposure.


www.pwc.co.uk/cyber

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2018 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.