why do people have the ‘fear’? · 2018-11-07 · the value of data: attackers and companies...
Cyber Security: Why do people have the ‘fear’?
www.pwc.co.uk/cyber
September 2018
Cyber Security Context
We operate in a world where we don’t own the systems we use or control the data we rely on.
• Digital Revolution
• Growing Cyber Risk
• More Regulation
• Cloud, “IoTs”, Big Data, Digital Currency
• Evolving Threats
• More Connections
• Talent Shortage
• Arms Race
What do we mean by ‘Cyber’ and ‘Cyber Resilience’?
A more connected world brings greater speed and value, and enriches our lives. Yet more connections also bring more vulnerability.
So what does it mean for you?
Cyber Security is the resources we put into preventing successful cyberattacks.
Cyber Resilience is the preparations we make for handling a successful attack and its consequences.
Cybersecurity: The protection of devices, services and networks – and the information on them – from theft or damage. (National Cyber Security Centre)
Cyber resilience: The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources. (MITRE)
Cyber: Relating to or characteristic of the culture of computers, information technology, and virtual reality. (Oxford Dictionary)
Threat Landscape – A lot has happened in the last 18 months…
NSA leaks have accelerated the democratisation of threats.
2016
• July 2016: Internal breach affecting over 500,000 people
• Aug 2016: Shadow Brokers release stolen NSA tools to the world*
2017
• May 2017: WannaCry ransomware disrupts 74 countries and major organisations
• June 2017: NotPetya ransomware takes multiple systems offline
• Aug 2017: Over 2.4 million customers potentially infected with malware via the popular tool CCleaner
• Sept 2017: 143m customer details (potentially) stolen, wiping 1/3 of the value of the org
• Sept 2017: SEC admits a breach in 2016 probably led to insider trading
2018
• June 2018: $70m lost in crypto attacks, resulting in service being taken offline for a period
• Sept 2017 (as dated on the slide): BA report significant compromise and mobile app
* The release of the NSA tools by Shadow Brokers has put “Nation State” tools in the hands of cyber criminals and organised crime. This has resulted in a major shift in the threat landscape for everyone.
Major impacts (+ direct costs) include…
• Maersk not being able to dock ships and unload cargo ($275m+)
• Millions of FedEx (TNT) packages were delayed ($300m+)
• A global shortage of critical drugs produced by Merck ($300m+)
• Saint-Gobain had to stop major construction projects (£250m+)
Threat Landscape – Business Interruption Costs
The potential impact of disruption to material infrastructures (estimated losses by scenario):
• Electricity blackout (target: energy infrastructure): $243 – 1,024bn
• Cloud service providers hack (target: cloud providers): $5 – 53bn
• Mass vulnerability attack (target: operating system): $10 – 29bn
Sources: Lloyd's (2015, 2017)
The Value of Data: Attackers and Companies
Threat actors will act upon and exploit any data they choose.
Value to Hackers
• E-Mail Credentials: $0.50 – $2.50
• Personal Information: $1 – $15
• Financial Credentials: $8 – $20
• Driving License Scans: $20 – $25
• Health Records: $50 – $60
• Targeted Identity: $250+
• Intellectual Property: $ ???
Impact on Company (examples)
• Oracle MICROS Payment System
• UBER Driver Names and License Plate Numbers
• WADA Database and Health Records Hack
• Nortel Espionage Attack
• RSA SecurID Authentication Technology
Business Impact of Breach (inclusive of forensic, investigative and remediation costs to address breach)
[Chart: Associated Costs against Number of Records]
Average Impact: $190 average cost per record, based on detection, escalation and notification costs, lost business and reputational damage.
Based on Ponemon Institute © Research Report – 2016 Cost of Data Breach Study: Global Analysis
What drives costs up?
• Third party involvement
• Extensive cloud migration
• Rush to notify
• Lost or stolen devices
What keeps costs down?
• Incident response team
• Employee training
• CISO appointed
• Board-level involvement
• Participation in threat sharing
• Data governance
Threat Trend – Are we getting any better?
99.9% of the exploited vulnerabilities (in 2014) had been identified for more than a year, some of them as far back as 1999. (Source: Verizon DBIR 2015)
So why does automation worry us?
Roads – current research
Key concerns – what ifs?
• Vehicles can be stolen or removed due to proximity keys
• Vehicles can leak data – location, PII, habits, ancillary location data
• Vehicle performance can be impacted in some way – speed, braking, gearing, steering
• Vehicles integrate with roadside tech to the detriment of drivers/passengers
• Multiplication factor of ‘all’ cars affected or all types of a vehicle affected
Where is this all going?
Threat Trend – Reading the Crystal Ball…
The PwC Prediction Lottery
• Clearer ‘clanship’ syndicates in organised crime
• A breach of a major Western bank and subsequent customer-impacting payment frauds
• Continued targeting of major crypto currency exchanges & associated volatility
• Self-propagating techniques causing widespread ‘collateral damage’
• Increasing number of ‘big hits’ as players work out how far they can push the new norms
• Continued exploitation of inherent trust in the (software) supply chain
• Rapid redeployment of leaked or documented exploits and TTPs
• Targeted attacks against system inputs / data feeds
The PwC Prediction Lottery
Phishing
• HTTPS everywhere (Let's Encrypt)
• Imitation of personal bankers
Malware
• Extensive use of PowerShell and WMI, enabling memory-only execution
• Many new families focused on wallet identification and exfiltration
• Malware focused on the ability to edit/disrupt data feeds underpinning operations
• Continued uptick in the targeted use of commercial and open-source frameworks
• Hijacks of automated and standalone software updates to deliver & sideload malware
• Evasion frameworks begin to be shared (encoding tricks, multi-hop docs etc.)
The PwC Prediction Lottery
Hacking
• Old favourites still abused – stickykeys, RDP bruteforcing etc.
• Back to the 2000s – targeting of common perimeter stacks like LAMP or MEAN
• Another ShadowBrokers leak with RDP and Server2012/Win8+ vulns
• Increase in supply chain intrusions and island hopping
DDoS
• The emergence of new IoT botnets (Reaper, etc.) made available for hire
• Targeting of domain registrars and DNS providers (fits in hacking too)
• Ransomware/wiper as DoS – another major event
Insider
• The KVM-3G combination, focused on call centres or payments centres
• The rise of the inadvertent insider – AWS/GitHub
• An insider leak of hostile FIS CNE tooling
The Bottom Line – A Round-Up
• Limit privileges, patch, and whitelist where possible
• Two-factor where possible, and strong credential storage/management practices
• Harden domain controllers, segment both your network and AD environment
• Move transaction teams onto highly locked down / OOB systems
• Gather command line, process execution and event telemetry for analysis – keep IT admins close to security to inform detection of malicious use of legitimate tooling
• Monitor for authenticated sessions to perimeter systems over TOR, unusual data transfer volumes and statistically anomalous traffic by endpoint. Inspect SSL.
• Make use of VPN authentication data to detect ‘impossible trips’
• Focus on the Essential Eight – https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm
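The ‘impossible trips’ check from the round-up above, as an added example that is not PwC's code: it walks a constructed VPN authentication log (timestamp, user, source IP, result), geolocates each source IP through a constructed lookup table standing in for a GeoIP database, and flags consecutive successful logins by one user that would require travelling faster than an airliner. The log lines, IP addresses and coordinates are all constructed for the example.

```python
# Added example, not PwC's code: flag 'impossible trips' in VPN authentication
# records. Geolocation is a constructed IP -> coordinates table standing in for GeoIP.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed lookup: source IP -> (city, latitude, longitude)
GEO = {
    "203.0.113.7": ("London", 51.5074, -0.1278),
    "198.51.100.9": ("Manchester", 53.4808, -2.2426),
    "192.0.2.44": ("Singapore", 1.3521, 103.8198),
}

# Constructed VPN authentication log: "<ISO timestamp> <user> <src-ip> <result>"
VPN_LOG = """\
2018-09-03T08:02:11Z alice 203.0.113.7 success
2018-09-03T09:15:40Z bob 198.51.100.9 success
2018-09-03T10:30:05Z alice 192.0.2.44 success
2018-09-03T17:45:00Z bob 203.0.113.7 success
2018-09-03T18:00:00Z carol 192.0.2.44 failure
"""

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_trips(log_text, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, km/h) for each pair of consecutive successful
    logins by one user that would require travel faster than max_kmh."""
    last_seen = {}  # user -> (timestamp, city, lat, lon)
    alerts = []
    for line in log_text.splitlines():
        ts_str, user, ip, result = line.split()
        if result != "success" or ip not in GEO:
            continue  # a failed login does not place the user anywhere
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        city, lat, lon = GEO[ip]
        if user in last_seen:
            prev_ts, prev_city, plat, plon = last_seen[user]
            hours = (ts - prev_ts).total_seconds() / 3600.0
            dist = haversine_km(plat, plon, lat, lon)
            speed = dist / hours if hours > 0 else float("inf")  # same-second jump
            if dist > 0 and speed > max_kmh:
                alerts.append((user, prev_city, city, speed))
        last_seen[user] = (ts, city, lat, lon)
    return alerts
```

On the constructed log, alice's London-to-Singapore pair is flagged at roughly 4,400 km/h while bob's Manchester-to-London pair is not; a real deployment would also suppress known VPN egress and carrier NAT ranges before alerting.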
Recurring Themes found Post-Incident
Awareness
• Phishing continues to be a successful strategy for attackers who rely on poor staff awareness combined with gaps in an organisation’s patching or currency.
• In particular, we continue to see increasing use of crypto-malware.
• Users are often the last line of defence and it is important to put in place strong education and awareness programmes.
Data
• Tendency for data to be copied and shared increases the ‘threat surface’.
• Production data is being used in non-production environments where security controls are often less stringent.
• Organisations need to understand where they store sensitive customer, commercial and staff data and ensure that it is handled appropriately and protected.
Legacy
• While organisations often focus on deploying secure systems, we find a ‘blind spot’ when it comes to securing legacy estates.
• Often legacy systems are built on insecure platforms or have been re-purposed in a way that exposes business systems.
• Decommissioning of old systems is often not verified, leaving sensitive data exposed.
Governance
• A lack of accountability for cyber security risks – senior executives and board members suggesting that it is solely an IT problem.
• Lack of effective governance over security risks.
• Identification and management of risks / critical assets is often fragmented and inconsistent.
Culture
• ‘Defence in depth’ is often thought of as ‘expense in depth’.
• In reality, many of the commodity threats can be mitigated by getting the basics right.
Managing cyber risk is a multi-faceted challenge…
Authenticating People
• Password retirement
• Biometrics – done right
• Who are ‘my people’
• Strong federated authentication
• ‘Continuous authentication’
Validating Inputs
• Automated processes – ‘corrupt process by corrupting inputs’
• Authenticating systems
• Validating critical inputs
Protecting Data
• Securing data is no longer synonymous with securing systems
• Data-centric approach to encryption
• Encryption everywhere
Fixing the Hard Basics
• IT Architecture (Active Directory, Network Segmentation, Virtualisation, Internet First)
• Automated controls (e.g. patching)
• Access Governance
• Data Architecture
• Legacy
Anomaly Detection
• Holistic monitoring of people, process, technology and physical
• ‘Risk scoring’ interactions
• Focus on ‘verifying good’
• Automated responses
Culture
• Embedding cyber security in every decision
• Empowering every individual to secure the organisation
Resilient Business
• Processes that can continue when critical IT fails
• Processes that can recover quickly from technology failure
• Minimising single points of failure
• ‘Worst case’ recovery capability
Untrusted Apps
• Proliferation of apps
• Lack of control over development environment
• Isolating impact of malignant apps
• Automated compliance
Third Party Oversight
• Third party attestations and audits no longer good enough
• Operational oversight
• Real time visibility of vulnerability and threats through supply chain
Focus on managing risk to business processes, not securing kit.
Moving away from the core.
Different approach to controls.
Quantifying Risk.
Impactful Board Governance.
Clear understanding of threat and exposure.
© 2018 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.