Post on 25-Jan-2017
Cyber Security - Definition
Cyber security is about the technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
Cyber security is not new; what has changed is that the number and impact of cyber incidents have increased dramatically.
Because of this increase in impactful cyber incidents (and the heavy media attention they receive), customers, media and regulators are paying more and more attention to the subject.
Source: NCSS 2 (National Cyber Security Strategy 2)
Determining Cyber Risk Profile
An organisation's cyber risk profile is determined by five elements:
• Business environment
• Possible targets (crown jewels)
• Threat actors
• Vulnerability / resilience
• Legal & regulatory requirements
Business environment
1 Changing "business model": increased digitalisation, offline to online (the customer becomes an active actor in the online business process), doing business in high-risk countries, new services.
2 Fast technology developments: cloud computing, big data, social media, consumerisation, BYOD, mobile banking.
3 Customer expectations: customers expect their data to be protected when it is stored or processed by leading organisations.
Possible targets (crown jewels)
What is being stolen? Information that is valuable:
• Business critical information
• Critical business transactions
• Intellectual property
• Business processes
• Customer, supplier and personnel data
• Financials
• Business plans
• New products
• New markets
• Raising finance
• M&A
• JV
• Divestitures
What is trending?
• CEO & CFO fraud / whaling
• SWIFT fraud
• Ransomware
• DDoS
• IP theft
Threat Landscape - Threat Actors
Each threat actor has its own motivations, capabilities and targets. Typical assets they target:
Organised crime (global, difficult to trace and prosecute)
+ Financial assets
+ Personal data, including financial records
Nation states (cyber espionage and warfare)
+ Intellectual property
+ Strategic/operational plans
+ M&A activity
+ Critical infrastructure (for cyber warfare)
Hacktivists (hacking inspired by ideology)
+ Reputation: public and media perception
+ Publications: websites
+ Services: disruption
The insider (disgruntled by change and uncertainty)
+ Customer and client lists
+ Processes and plans
+ Services: disruption
Journalists (investigative reporting)
+ Confidential information through leaks and hacking
Vulnerability / Resilience
Assess the level of vulnerability / resilience for the relevant threat actors.
Assess vulnerability:
• Assess whether your organisation is vulnerable to the specific attack vectors used by specific attackers, following the kill chain approach (reconnaissance, weaponisation, delivery, exploitation, installation, command and control, actions on objectives).
• Assess whether your organisation would be able to detect such an attack vector, knowing that most organisations detect advanced attacks only some 200 days after the intrusion itself occurred.
Build / assess resilience:
• Build a crisis plan for these types of attacks and test this plan periodically!
Social Engineering
What is social engineering? Manipulating people into performing actions or divulging information that benefits the attacker.
You and your employees are the weakest link...
... but, when well trained, they can be the strongest weapon of the organisation against social engineering attacks.
Vulnerability spans all three dimensions: technology, process and people.
Social Engineering
Evolution of the attacks
Attacks are getting more complex and more difficult to recognise.
Social Engineering
Evolution of the attacks
Malware creation tools that can be used in social engineering attacks are today available "off the shelf".
Cybercrime-as-a-service marketplace: enables fraudsters to cash in without the need for technical knowledge.
Cybercrime "service providers" must improve the quality of their malware more than ever to keep and win customers.
Many attacks are easy to perform and low cost:
• Phishing attacks: 500,000 email addresses cost $30
• Hosting a phishing site can be done for free
• 1,000 credit card numbers cost $100
Social Engineering
Psychological concepts (that are used by social engineers)
Six basic principles from Robert Cialdini:
• Liking
• Authority
• Social proof
• Consistency
• Reciprocation
• Scarcity
Other concepts:
• Similarity
• Do the unexpected
• Perceptual contrast
Real life examples
KPMG attack simulation: using USB sticks
This is one of the USB sticks as handed out last Thursday by "Brasserie Mimicry".
Real life examples
KPMG attack simulation: using USB sticks
Within 40 minutes of initiating the attack we had full access to:
• The "crown jewels" of the bank: we could read and edit the financial details of all their clients.
• Multiple desktops, so that segregation of duties no longer existed.
• Network shares full of further sensitive internal information on clients and employees.
But we could also:
• Use the compromised systems to perform further attacks, e.g. use the victims' mailboxes as a trusted source to spread malware further across the network.
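The USB-stick simulation above only works if the stick a staff member plugs in is actually mounted and its payload allowed to run. As an added example (not part of the KPMG deck), the PowerShell below does the two things a defender wants after such a drop on Windows desktops: it inventories which USB mass-storage devices have ever been connected to a host, and it shows, checks and (optionally) applies the Group Policy setting that denies removable storage. It assumes Windows endpoints and an elevated session; the function names are this example's own.

```powershell
# Added example, not part of the KPMG deck. Assumes a Windows endpoint and an
# elevated PowerShell session (reading HKLM\SYSTEM\...\Enum and writing policy
# keys both need administrator rights). Function names are this example's own.

function Get-UsbStorageHistory {
    # Windows keeps one subkey per USB mass-storage device that has ever been
    # connected, under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. The first level
    # is the vendor/product string, the second level one key per device instance
    # (usually its serial number). Useful when reconstructing a USB-drop incident:
    # which hosts did the distributed stick touch?
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path -Path $root)) { return @() }

    Get-ChildItem -Path $root | ForEach-Object {
        $deviceClass = $_.PSChildName            # e.g. Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                DeviceClass  = $deviceClass
                InstanceId   = $_.PSChildName    # serial number, or a generated id ending in &0
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Test-RemovableStorageDenied {
    # True when the "All Removable Storage classes: Deny all access" policy is set.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $value = Get-ItemProperty -Path $key -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Deny_All -eq 1)
}

function Set-RemovableStorageDenyAll {
    # Local equivalent of the Group Policy setting
    #   Computer Configuration > Administrative Templates > System >
    #   Removable Storage Access > All Removable Storage classes: Deny all access
    # which the policy engine stores as the DWORD Deny_All = 1. In a domain this
    # belongs in a GPO, not in a per-host script; the function exists to show
    # which setting the control is and how to verify it.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    if ($PSCmdlet.ShouldProcess("$key\Deny_All", 'Set to 1 (deny all removable storage)')) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: inventory first, then report the current state of the control.
Get-UsbStorageHistory | Format-Table -AutoSize
if (Test-RemovableStorageDenied) {
    Write-Output 'Removable storage is denied by policy on this host.'
} else {
    Write-Output 'Removable storage is NOT denied by policy on this host.'
    Set-RemovableStorageDenyAll -WhatIf   # drop -WhatIf to actually apply the setting
}
```

Two caveats for anyone using this as a control. Deny_All blocks every removable storage class (USB disks, CD/DVD, phones and cameras exposed as WPD devices) and only takes effect after a policy refresh or reboot, so expect pushback from business processes that legitimately move data on removable media; a per-device allowlist is the usual compromise. And the USBSTOR inventory only sees mass-storage class devices: a malicious "USB stick" that enumerates as a keyboard and injects keystrokes shows up under the HID and USB enumeration keys instead and is not stopped by this policy at all. Where the audit policy "Audit PNP Activity" is enabled, Security event 6416 (a new external device was recognised) gives the SIEM a live feed of both kinds of insertion.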
Real life examples
KPMG attack simulation: hide in plain sight
A Dutch Sinterklaas on assignment...
Legal and Regulatory changes
DNB / DUTCH CENTRAL BANK
• Cybercrime: theme 2014/2015
• Mandatory periodical self-assessment; required maturity level 3 / 4
• ECB: similar scheme, using NIST as regulatory framework
EUROPEAN UNION
• Directive 2013/40/EU of 12 August 2013 on attacks against information systems (the Cyber Crime Directive).
• The Cyber Crime Directive requires Member States to bring into force laws, regulations and administrative provisions by 4 September 2015 in order to provide a pan-European approach to cyber crime.
• Focus on critical infrastructures.
DUTCH GOVERNMENT
• National Cyber Security Strategy 2: the government will act if required; if required, regulations and standards will be proposed as a consequence of the implementation of the EU Cyber Risk Directive.
• Primary focus: critical infrastructures.
• AP: maximum fine EUR 800,000; once the EU privacy regulation applies, a maximum fine of 2% to 5% of global turnover (as proposed at the time; the adopted GDPR sets the maximum at 4% of global annual turnover or EUR 20 million, whichever is higher).
UNITED STATES
• Obama's Executive Order of February 2013 (EO 13636) aimed at increasing the cyber resilience of US organisations:
  - Focus on critical infrastructures.
  - Development of the NIST Cybersecurity Framework.
• PCAOB issued guidelines for financial auditors related to cyber crime / cyber security.
  - NBA (the Dutch professional body of accountants) is working on a Public Management Letter.
Dutch data privacy changes
Current regulation?
Dutch changes: the bill "Meldplicht datalekken en uitbreiding boetebevoegdheid CBP" (mandatory data breach notification and extension of the CBP's power to fine) was passed by the Tweede Kamer (House of Representatives) on 10 February 2015 and by the Eerste Kamer (Senate) on 26 May 2015. The law entered into force on 1 January 2016.
Key changes:
• The Data Protection Authority (CBP) must be notified of data breaches without delay.
• Penalties up to EUR 810,000 for not reporting a data breach, careless processing of (sensitive) personal data, storing personal data too long, inadequate protection, or failure to comply with disclosure requirements.
• Penalties up to 10% of annual turnover (among other things if binding instructions are not followed), so that the size of the fine can be related to the size of the organisation, e.g. Google, Facebook.
• In case of a data breach the data controller must inform the persons involved and the public, providing information on:
  • the nature and scope of the data breach
  • the harmful effects of the infringement
  • the effort required for recovery actions
• The CBP is renamed Autoriteit Persoonsgegevens and becomes the authorised supervisor of the Telecommunications Act.
Timeline: Wet Persoonsregistratie (WPR), 1989 → Wet Bescherming Persoonsgegevens (Wbp), 2001 → Wbp + Meldplicht Datalekken & Uitbreiding Boetebevoegdheid, 2016 → EU General Data Protection Regulation, 2016 (expected).
Cyber risk is driven and managed by more than technology
The drivers of inherent cyber risk are the threats, your vulnerabilities, your assets, and the regulatory and business environment in which you operate.
This inherent risk can be mitigated by deploying controls and by having response capability and plans. In the worst case, resilience and contingency planning will reduce the impact of significant cyber incidents.
The readiness of technical systems to protect, detect and react to an attack is important, but in many organisations people are the weakest link; they can become the greatest asset for defence if properly informed and trained.
Drivers of inherent risk:
• Threats: threat actor, actor capability, attack immediacy
• Vulnerabilities: people, process, technology
• Assets: information assets, systems, applications
• Regulations
• Business drivers
Mitigation:
• Protect and defend: technical controls, behavioural controls
• Respond: immediate incident response, investigations
• Business resilience and contingency
Lessons learned: how to mitigate the risks?
• Protect & defend: technical controls, behavioural controls
• Respond: immediate incident response, investigations
• The human factor is the weakest link, unless...
• Cooperation is required: ISAC, sector, NCSC, (IT) partners
• Shift from prevent only to prevent, detect & respond
• How to react if you are hacked (and you will)...
• PROTECT YOUR "CROWN JEWELS"
Five Steps to Minimize your Exposure
1 ASSESS YOUR READINESS TO RESPOND / RESILIENCE
Perform a cyber maturity assessment to look at areas such as leadership and governance, human factors, information risk management, business continuity and crisis management.
2 HOME IN ON YOUR CRITICAL ASSETS
Identify your critical assets, but remember that what you consider to be of no value may be considered valuable to an attacker. Take a look at the lifecycle of your critical information assets from creation all the way to destruction.
3 SELECT YOUR DEFENSE
Based on your assessment and your critical assets, select your defences. Know what threats you are going to defend against; trying to prevent them all gets very expensive.
4 BOOST YOUR SECURITY AWARENESS AND EDUCATION
Everyone in the organisation, from the boardroom to the mailroom, must understand the value and sensitivity of the information they possess and, more importantly, how to protect it.
5 ENHANCE MONITORING & INCIDENT RESPONSE
Being able to adequately respond to a security incident through established, tested processes should not be taken lightly. Supported by a security monitoring platform and good threat intelligence, you can get a better grip on monitoring and responding to cyber crime.
John Hermans
Partner
KPMG Advisory N.V.
Laan van Langerhuize 1
1186 DS Amstelveen
hermans.john@kpmg.nl
Function and specialization
• Cyber Security Lead Partner, Advisory, KPMG The Netherlands
• EMA Cyber Security Lead Partner and member of KPMG's global Cyber Security leadership
Education, licenses and certifications
• Bachelor's degree in Information Management
• Postgraduate EDP Auditing; certified as chartered IT auditor (RE)
Background
John is a partner in the Amstelveen practice of KPMG IT Advisory and a member of KPMG's Global Leadership on Cyber Security. In his current position he heads the Cyber Security Services of KPMG in the Netherlands, covering the following services:
• Security Strategy Services / Cyber Security in the Board Room
• IT Governance, Risk and Compliance
• Technical Security Services
• Cyber Security Services
• Identity & Access Management
• Business Continuity Services
• Data Privacy Services
Furthermore, John leads KPMG's Strategic Growth Initiative on Cyber Security services in the Netherlands as well as in Europe, the Middle East and Africa.
Professional experience
John has worked for numerous international and national organisations in most industry sectors, such as Financial Services, Oil & Gas, Retail and Government, and is considered one of the leaders in his field of expertise. John has been involved in more than 100 national and international information security projects across the world. His major involvements were in advising and supporting clients in developing, defining and implementing their overall information security strategy, building the required business cases for Executive Boards as well as Supervisory Boards, and performing program management activities as well as executing quality assurance assignments.
Next to his involvement in many information security and cyber security programs and projects, John is involved in multiple cloud computing projects in both the private and public sector. There his major involvements relate to advising and supporting clients in developing, defining and implementing their cloud computing strategy, as well as advising on cloud security and assurance topics.
Industry experience
• Financial Services: Insurance, Mortgages and Banking
• Oil & Gas
• Telecommunications
• Government
• Health Technologies
© 2016 KPMG N.V., registered with the trade register in the Netherlands under number 34153857, is a member firm of the KPMG network of
independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks of KPMG International.
John Hermans, Partner, Risk Consulting
Laan van Langerhuize 1
1186 DS Amstelveen
Tel: +31 20 656 8394
Mob: +31 6 51 366 389
Email: hermans.john@kpmg.nl