PROFESSIONAL DEVELOPMENT PROGRAM
Personal and Enterprise Security in a Connected World
COPYRIGHT © PWC
All rights reserved. No part of this publication/course material may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (photocopying, electronic, mechanical, recording or otherwise) without the prior written permission of the copyright holder and publisher.
DISCLAIMER
This course material deals with complex matters and may not apply to particular facts and circumstances. As well, the course material and references contained therein reflect laws and practices which are subject to change. For these reasons, the course material should not be relied upon as a substitute for specialized professional advice in connection with any particular matter.
Although the course material has been carefully prepared, neither the Chartered Professional Accountants of British Columbia, the course author and/or firm, nor any persons involved in the preparation and/or instruction of the material accepts legal responsibility for its contents or for any consequence arising from its use.
FALL | WINTER 2016
Personal and Enterprise Security in a Connected World
© pwc 1
Protecting the enterprise and yourself: Cybersecurity
October 2016
www.pwc.com/cybersecurity
Your speaker today: Craig Coughlan, Manager, PwC
Our perspectives
• Developed based on our interactions with CISOs, CIOs, Corporate Suite Leadership, and Boards of Directors
• Shaped through knowledge and experience of developing strategies, implementing solutions and executing programs, and responding to security crises
• Supported and enhanced by years of federal law enforcement, national intelligence and industry experience
Agenda
• The new reality – understanding the threats
• Adapting to the new reality
• Protecting yourself
• Protecting your children
Cybersecurity: The new reality
What is cybersecurity?
• Cybersecurity represents many things to many different people
• Key characteristics and attributes of cybersecurity:
─ Broader than just information technology and extends beyond the enterprise
─ Increasingly vulnerable due to technology connectivity and dependency
─ An ‘outside-in view’ of the threats and business impact facing an organization
─ A shared responsibility that requires cross-functional disciplines in order to plan, protect, defend, react and respond
It is no longer just an IT challenge – it is a business imperative!
The cyber challenge now extends beyond the enterprise
Global Business Ecosystem
Pressures and changes which create opportunity and risk
Traditional boundaries have shifted; companies operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent.
• The ecosystem is built around a model of open collaboration and trust—the very attributes being exploited by an increasing number of global adversaries.
• Constant information flow is the lifeblood of the business ecosystem. Data is distributed and dispersed throughout the ecosystem, expanding the domain requiring protection.
• Adversaries are actively targeting critical assets throughout the ecosystem—significantly increasing the exposure and impact to businesses.
Years of underinvestment in security have impaired organizations’ ability to adapt and respond to evolving, dynamic cyber risks.
Scope of cybersecurity – Technology domain convergence
• Information Technology: computing resources and connectivity for processing and managing data to support organizational functions and transactions
• Operational Technology: systems and related automation assets for the purpose of monitoring and controlling physical processes and events, or supporting the creation and delivery of products and services
• Consumer (Products and Services) Technology: computing resources and connectivity integrated with or supporting external end-user focused products and services
Cybersecurity encompasses all three technology types
Evolving business risks... impacting brand, competitive advantage, and stakeholder value
Highlights of activities impacting risk:
• Advancements in and evolving use of technology – adoption of cloud-enabled services; Internet of Things (“IoT”) security implications; BYOD usage
• Value chain collaboration and information sharing – persistent ‘third party’ integration; tiered partner access requirements; usage and storage of critical assets throughout the ecosystem
• Operational fragility – real-time operations; product manufacturing; service delivery; customer experience
• Business objectives and initiatives – M&A transactions; emerging market expansion; sensitive activities of interest to adversaries
Historical headlines have primarily been driven by compliance and disclosure requirements. However, the real impact is often not recognized, appreciated, or reported: unmanaged risks with potential long-term, strategic implications.
Cybersecurity must be viewed as a strategic business imperative in order to protect brand, competitive advantage, and stakeholder value.
The actors and the information they target
Adversaries: Nation State; Organized Crime; Insiders; Hacktivists
What’s most at risk?
• Emerging technologies
• Energy data
• Advanced materials and manufacturing techniques
• Healthcare, pharmaceuticals, and related technologies
• Business deals information
• Health records and other personal data
• Industrial Control Systems (SCADA)
• R&D and / or product design data
• Payment card and related information / financial markets
• Information and communication technology and data
Motives and tactics evolve, and what adversaries target varies depending on the organization and the products and services it provides.
Input from Office of the National Counterintelligence Executive, Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.
Evolving perspectives – Considerations for businesses adapting to the new reality
Historical IT security perspectives → today’s leading cybersecurity insights:
• Scope of the challenge: limited to your “four walls” and the extended enterprise → spans your interconnected global business ecosystem
• Ownership and accountability: IT led and operated → business-aligned and owned; CEO and board accountable
• Adversaries’ characteristics: one-off and opportunistic; motivated by notoriety, technical challenge, and individual gain → organized, funded and targeted; motivated by economic, monetary and political gain
• Information asset protection: one-size-fits-all approach → prioritize and protect your “crown jewels”
• Defence posture: protect the perimeter; respond if attacked → plan, monitor, and rapidly respond when attacked
• Security intelligence and information sharing: keep to yourself → public/private partnerships; collaboration with industry working groups
Adapting to the new reality
2016 Canadian insights at a glance
• 160% increase in detected incidents in Canada (over 2014)
• Incidents attributed to foreign nation-states increased the most (up 67% over 2014), while employees continue to be the most cited source of incidents (66%)
• Average financial loss due to detected incidents is $1M (18% decrease from 2014)
• Attacks on IoT devices and systems are on the rise
• Customer records continue to be the most targeted data (36%)
• Security spending increased by 82% over 2014, currently at 5% of IT spend
Source: Canadian Insights – The Global State of Information Security® Survey 2016
Keeping pace with the new reality – Key considerations
[Diagram: Board, Audit Committee, and Executive Leadership; Business Alignment and Enablement; Security Strategy and Roadmap; Security Program, Resources and Capabilities (Functions and Services; Projects and Initiatives); Investment Activities; linked by Risk and Impact Evaluation and Resource Prioritization]
Engage and commit with the business
• Leadership, ownership, awareness and accountability for addressing the cyber risks that threaten the business
• Alignment and enablement of business objectives
Transform and execute the security program
• New and enhanced capabilities are needed to meet the ever changing cybersecurity challenges
• A comprehensive program must be built on a strong foundation and include proactive coordination and collaboration with the business
• The security implications related to the convergence of Information Technology, Operational Technology and Company Products and Services are addressed
Rationalize and prioritize investments
• Critical assets are constantly evaluated given they are fundamental to the brand, business growth and competitive advantage
• Threats and impact to the business are considered as investment activities are contemplated
Operating in the global business ecosystem requires you to think differently about your security program and investments.
Why organizations have not kept pace
Years of underinvestment in certain areas have left organizations unable to adequately adapt and respond to dynamic cyber risks.
[Diagram: areas of underinvestment, arranged around the security program (Board, Audit Committee, and Executive Leadership Engagement; Business Alignment and Enablement; Security Strategy and Roadmap; Security Program, Functions, Resources and Capabilities; Risk and Impact Evaluation; Resource Prioritization):]
• Product & Service Security
• Physical Security
• Operational Technology Security
• Public/Private Information Sharing
• Threat Modeling & Scenario Planning
• Technology Adoption and Enablement
• Ecosystem & Supply Chain Security
• Global Security Operations
• Breach Investigation and Response
• Notification and Disclosure
• Privileged Access Management
• Security Technology Rationalization
• Patch & Configuration Management
• Insider Threat
• User Administration
• Technology Debt Management
• Secure Mobile and Cloud Computing
• Compliance Remediation
• Security Culture and Mindset
• Process and Technology Fundamentals
• Threat Intelligence
• Incident and Crisis Management
• Monitoring and Detection
• Critical Asset Identification and Protection
Have you kept pace?
Questions to consider when evaluating your ability to respond to the new challenges, across six areas: Security Culture and Mindset; Process and Technology Fundamentals; Threat Intelligence; Monitoring and Detection; Critical Asset Identification and Protection; Incident and Crisis Management.
Incident and Crisis Management – Develop a cross-functional incident response plan for effective crisis management
• Have your business leaders undertaken cyberattack scenario planning?
• Do you have a defined cross-functional structure, process and capability to respond?
• Are you enhancing and aligning your plan to ongoing business changes?
Process and Technology Fundamentals – Evaluate and improve the effectiveness of existing processes and technologies
• Have you patched and upgraded your core platforms and technology?
• How are you securing new technology adoption and managing vulnerabilities in your legacy technology?
• Have you evolved your security architecture and associated processes?
Monitoring and Detection – Enhance situational awareness to detect and respond to security events
• How are you gaining visibility into internal and external security events and activities?
• Are you applying correlation and analytics to identify patterns or exceptions?
• How do you determine, in a timely and efficient way, when to take action?
Critical Asset Identification and Protection – Identify, prioritize, and protect the assets most essential to the business
• Have you identified your most critical assets, and do you know where they are stored and transmitted?
• How do you evaluate their value and the impact to the business if they are compromised?
• Do you prioritize the protection of your crown jewels differently from other information assets?
Security Culture and Mindset – Establish values and behaviours to create and promote security effectiveness
• How is leadership engaged and committed to addressing the cyber risks facing the business?
• What sustained activities are in place to improve awareness of and sensitivity to cyber risks?
• How have your business practices evolved to address the threats to your business?
Threat Intelligence – Understand the threats to your industry and your business
• Who are your adversaries and what are their motivations?
• What information are they targeting and what tactics are they using?
• How are you anticipating and adapting your strategy and controls?
Cybersecurity program enhancements
Once an organization has established stable and effective foundational security practices, incremental cybersecurity capabilities and solutions should be pursued.
[Diagram: Security Program and Capabilities, layered as foundation elements, functional domains and incremental enhancements]
Security Foundation Elements: Governance & Structure; Strategy & Roadmap; Resources & Capabilities; Solutions & Delivery; Culture & Awareness
Security Functional Domains: Information & Privacy Protection; Incident & Crisis Management; Identity & Access Management; Threat, Intelligence & Vulnerability Management; Security Architecture & Services; Strategy, Governance & Management; Risk & Compliance Management; Emerging Technologies & Market Trends
Incremental Program Enhancements: Enhanced Identity & Access Management; Insider Threat Management; Advanced Analytics & Detection; Active Defence & Response; Advanced Counter-measures; Critical Asset Identification; Strategic Threat Management; Threat Intelligence Fusion
Key lessons learned from recent breaches
• Attack method: organized and coordinated efforts to exploit a known technical vulnerability in the core infrastructure
• Awareness: adversaries tested and enhanced their approach over the course of months before executing their campaign; intelligence sources communicated threat elements
• Detection: technical indicators went undetected during the attack sequence; additionally, as is often the case, third parties (e.g. law enforcement or the banks) detected the compromise, not the company
• Security posture: the compromised companies were assumed to be compliant with industry standards (e.g. PCI DSS); compliance does not equal security
• Industry exposure: attacks are often not limited to a single company; many companies within an industry sector share the same or a similar profile, and it is highly likely there are other targets and victims
Recap of key points to consider
1. The global business ecosystem has changed the risk landscape
Business models have evolved, creating a dynamic environment that is increasingly interconnected, integrated, and interdependent, necessitating the transformation of your security practices to keep pace.
2. Focus on securing high-value information and protecting what matters most
Rather than treating everything equally, you should identify and enhance the protection of your “crown jewels” while maintaining a consistent security baseline within your environment.
3. Know your adversary – motives, means, and methods
Sophisticated adversaries are actively exploiting cyber weaknesses in the business ecosystem for economic, monetary or political gain, requiring threat intelligence, proactive monitoring and deep response capabilities.
4. Embed cybersecurity into board oversight and executive-level decision making
Creating an integrated, business-aligned security strategy and program requires awareness and commitment from the highest executive levels of the organization in order to apply the appropriate resources and investments.
Protecting yourself: tips
Experts’ vs Non-Experts’ Top 5 Security Practices (September 2015)
[Figure: comparison of experts’ and non-experts’ security practices, highlighting software updates vs anti-virus]
Anti-virus vs Windows Updates
Windows security updates harden your OS by patching vulnerabilities and potentially exploitable loopholes.
Anti-virus software protects your computer by scanning files that have been written to disk (e.g. your C: drive).
The effectiveness of anti-virus depends on how recent the virus definitions are that recognize virus signatures. In order for anti-virus to be effective, it MUST be up to date.
Source: Expert vs Non-Expert Security Practices, September 2015
Protecting yourself: Passwords & Privacy
Quick Quiz
Which of the following best describes the reason your password is easy to remember?
A. Based on common dictionary words
B. Based on common names
C. Based on user/account name
D. Is short (under 6 characters)
E. None of the above
Your Identity and Privacy are at risk
Unfortunately, the characteristic you have selected also makes your password vulnerable to attack, thus putting your identity and privacy at risk. You are not alone.
Let’s take a look at a few more characteristics and practices that make a password vulnerable to attack...
Characteristics of weak passwords
Weak passwords:
– are based on common dictionary words, including dictionary words that have been altered:
• reversed (e.g., “terces”)
• mixed case (e.g., “SeCreT”)
• character/symbol replacement (e.g., “$ecret”)
• vowels removed (e.g., “scrt”)
– are based on common names
– are based on the user/account identifier
– are short (under 6 characters)
– are based on keyboard patterns (e.g., “qwerty”)
– are composed of a single symbol type (e.g., all letters)
– resemble license plate values
– are difficult for you to remember
Weak password practices
– recycling passwords
– recording (writing down) passwords
– using previously recorded passwords (a combination of the above practices)
– using one password on two or more systems/contexts; this is especially risky when passwords are reused on low-trust systems (e.g., online gaming), since exposure is increased
Characteristics of strong passwords
Strong passwords:
– contain at least one of each of the following:
• digit (0..9)
• letter (a..Z)
• punctuation symbol (e.g., !)
• control character (e.g., ^s, Ctrl-s); note that many systems will not accept control characters in a password field
– are based on a verse (e.g., a passphrase) from an obscure work, where the password is formed from the characters in the verse
• e.g., “ypyiyp” derived from the title of this module
• sometimes referred to as a virtual password
– are easily remembered by you but very difficult (preferably impossible) for others to guess
Strong password practices
– never recycle passwords
– never record a password anywhere; exceptions include use of encrypted password “vaults”
– use a different password for each system/context
– be aware that Trojan horse programs can masquerade as login prompts, so always reset the system as appropriate to obtain a trusted login prompt
– check for keyboard buffer devices/software that intercept keystrokes (including password capture)
– change your password occasionally
– change your password immediately if you suspect it has been “stolen”
– “passwords should be protected in a manner that is consistent with the damage that could be caused by their compromise.” (From a USA Dept of Defense guideline)
– monitor for possible eavesdroppers during entry of your password
– do not use the “Remember Password” feature of applications (e.g., Microsoft® Internet Explorer®)
– inquire about proactive password checking measures with your system administration (see next item)
Strong Password Demo
https://howsecureismypassword.net/
http://www.passwordmeter.com/
Test only made-up passwords on third-party sites such as these, never a password you actually use.
Password Attacks
Most successful attacks are based on:
– Dictionary attacks: “The guessing [often automated] of a password by repeated trial and error.”
– Social engineering: “Social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.”
Dictionary Attacks
• Most hackers utilize widely available password cracking dictionaries to uncover passwords
• Ways to reduce your risk:
– Create and use passwords
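The dictionary attack described above, with the altered-dictionary-word forms listed under “Characteristics of weak passwords”, as working code. This is an added example, not code from the PwC deck: it applies cracking-tool style mangling rules (reversed, every case combination, symbol replacement, vowels removed, common suffixes) to a word list and tests the results against a constructed credential store of salted PBKDF2 hashes. The word list, user names, passwords and the tiny PBKDF2 iteration count are assumptions made for the example.

```python
"""Dictionary attack with mangling rules. Added example, not from the deck.
The word list, user names, passwords and the PBKDF2 work factor below are all
constructed for the example; a real attack uses word lists of millions."""
import hashlib
import itertools
import os

WORDLIST = ["secret", "password", "welcome", "dragon", "letmein", "qwerty"]
SUBS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}   # symbol replacements
SUFFIXES = ["", "1", "!", "123", "2016"]
# Deliberately tiny so the whole demo runs in about a second. Real systems
# need a far higher work factor (or bcrypt/scrypt/Argon2); that slows the
# attacker down but does not rescue a password the rules below can produce.
ITERATIONS = 10


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def base_forms(word):
    """The word, reversed ('terces'), vowels removed ('scrt'), each single
    symbol replacement ('$ecret') and all replacements at once ('$3cr3t')."""
    forms = {word, word[::-1], "".join(c for c in word if c not in "aeiou")}
    forms.update(word.replace(k, v) for k, v in SUBS.items() if k in word)
    forms.add(word.translate(str.maketrans(SUBS)))
    return forms


def case_variants(word):
    """Every upper/lower combination of the letters, e.g. 'SeCreT'."""
    choices = [(c, c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(wordlist):
    """All guesses the rules generate, each yielded once."""
    seen = set()
    for word in wordlist:
        for form in base_forms(word):
            for variant in case_variants(form):
                for suffix in SUFFIXES:
                    guess = variant + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def crack(store, wordlist=WORDLIST):
    """store: {user: (salt, digest)} as leaked from a breach.
    Returns {user: password} for every hash a mangled word reproduces."""
    guesses = list(candidates(wordlist))
    found = {}
    for user, (salt, digest) in store.items():
        for guess in guesses:          # the salt forces one hash per guess per user
            if hash_password(guess, salt) == digest:
                found[user] = guess
                break
    return found


def make_store(passwords):
    """Constructed victim database: per-user random salt + PBKDF2 hash."""
    store = {}
    for user, password in passwords.items():
        salt = os.urandom(8)
        store[user] = (salt, hash_password(password, salt))
    return store


# Made-up users. 'ypyiyp' is the deck's passphrase-derived example.
DEMO_PASSWORDS = {"alice": "$ecret", "bob": "terces1",
                  "carol": "Dr@gon", "dave": "ypyiyp"}

if __name__ == "__main__":
    print(crack(make_store(DEMO_PASSWORDS)))   # alice, bob, carol recovered; dave is not
```

Run as a script it reports alice ($ecret), bob (terces1) and carol (Dr@gon) and leaves dave alone, because “ypyiyp” is not derived from any listed word. Two caveats: a real word list and rule set catches far more than this one, and six lowercase letters is only 26^6 (about 309 million) combinations, which an exhaustive search against a fast hash covers quickly, so length and a slow password hash matter alongside avoiding dictionary words.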
Social Engineering
• Perhaps the most notorious social engineer, Kevin Mitnick, once stated, “one foot in the door is all it takes”
• Ways to reduce your risk:
– Be aware that your password keystrokes may be observed by others
– Confirm authorization and establish trust before releasing any important information
Passwords in the Context of Your Identity and Privacy
• What is a password?
– “A password is information associated with an entity that confirms the entity’s identity.”
• Why are passwords needed?
– Passwords are used for authentication
• Authentication can be thought of as the act of linking yourself to your electronic identity within the system you are connecting to
– Your password is used to verify to the system that you are the legitimate owner of the user/account identifier
• Commonly referred to as “logging in”
Passwords in the Context of Your Identity and Privacy
• Passwords/Identity/Privacy
– Attackers who obtain your password can authenticate themselves on various systems and in turn:
• access your personal information (invade your privacy)
• impersonate you by acting on your behalf (steal your identity)
Password Facts Worth Remembering
• Protection of your identity and privacy in the information age hinges on sound password knowledge and practice
• Those who do not use strong passwords and password practices are often their own worst enemy
• If you feel you have too many passwords to remember, then consider using a password vault
• The risks are real, they affect you either directly or indirectly, and they can be diminished by using strong passwords and password practices
Public Computers
Do you log into work (or banking online) from that computer in the hotel lobby or from a cyber cafe?
Re-use
Use different passwords for different types of accounts. Your work password should be different from your personal passwords, and your personal banking passwords should be different from your personal fun accounts.
Questions – for password resets
Password reset questions are really nothing more than another password. If people answer personal questions with information that can be found on Facebook, LinkedIn or Google, they do not have secure passwords.
Writing Passwords Down
How am I supposed to remember my 100+ passwords if I do not write them down? The key is explaining to people how to do it securely. Yes, sticky notes are bad, but give people secure alternatives: there are security programs that can securely store their passwords, or, if they are written down, keep them in a secured safe.
Review
– Agree that strong passwords and password practices contribute to protection of identity and privacy
– Discriminate passwords as weak or strong
– Recognize the role of passwords in authentication
– Recognize the relationship between authentication and both identity and privacy
– Identify a tool helpful to those who have many passwords to maintain
Protecting yourself: Social media & Cell phones
Geotagging and Cell Phones
Could you fall victim to crime by geotagging your pictures?
Global Positioning System satellite technology (better known as GPS) is embedded into so many of the devices we use today for location purposes that we sometimes take it for granted.
One use of GPS is geotagging, which is the process of attaching location information to content such as a photograph or video.
It is a great way to remember where you took a photo or posted a tweet.
However…
What if you posted a pic of your house or family?
Later you post a photo of yourself or family on vacation?
Could a motivated criminal using free software find your house and break in while you are on vacation? Could a cyberstalker build a more detailed profile of you, your family and your children?
Yes, they could, and it has been done before:
Geotagging settings
Geotagging can be controlled in two ways: your phone may ask whether an app may access your location, or you may have to alter your preferences/permissions yourself.
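What the “motivated criminal using free software” from the geotagging slides actually reads out of a photo, and how to remove it, as an added example that is not from the deck. The Exif APP1 segment of a JPEG carries a TIFF-style directory: tag 0x8825 in IFD0 points to the GPS sub-IFD, whose tags 1 to 4 hold the latitude/longitude references and the degree-minute-second rationals. The block parses that path down to decimal coordinates and then writes a copy of the file with the Exif segment removed. The JPEG is constructed inside the block (the segment layout and Exif structure are real, the image payload is a placeholder and the coordinates are made up), so it is not a viewable picture.

```python
"""Read and strip the GPS geotag in a JPEG's Exif segment. Added example, not
from the deck; standard library only. The sample JPEG is constructed below:
segment layout and Exif structure are real, the image payload is a placeholder
and the coordinates are made up, so it is not a viewable picture."""
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry whose value is the offset of the GPS sub-IFD


def dms(value):
    """Decimal degrees -> unsigned rationals [(deg,1), (min,1), (sec*100,100)]."""
    value = abs(value)
    deg = int(value)
    mins = int((value - deg) * 60)
    secs = round(((value - deg) * 60 - mins) * 60 * 100)
    return [(deg, 1), (mins, 1), (secs, 100)]


def build_geotagged_jpeg(lat, lon):
    """SOI + little-endian Exif APP1 (IFD0 -> GPS IFD) + COM + EOI. Offsets
    inside Exif are from the TIFF header: 0 header(8) | 8 IFD0(18) | 26 GPS
    IFD(54) | 80 latitude rationals(24) | 104 longitude rationals(24) | 128."""
    def entry(tag, typ, count, value4):       # types: 2=ASCII, 4=LONG, 5=RATIONAL
        return struct.pack("<HHI", tag, typ, count) + value4
    u32 = lambda n: struct.pack("<I", n)
    ifd0 = struct.pack("<H", 1) + entry(GPS_IFD_TAG, 4, 1, u32(26)) + u32(0)
    gps = (struct.pack("<H", 4)
           + entry(1, 2, 2, b"N\0\0\0" if lat >= 0 else b"S\0\0\0")  # inline value
           + entry(2, 5, 3, u32(80))
           + entry(3, 2, 2, b"E\0\0\0" if lon >= 0 else b"W\0\0\0")
           + entry(4, 5, 3, u32(104)) + u32(0))
    rationals = b"".join(struct.pack("<II", n, d) for n, d in dms(lat) + dms(lon))
    exif = b"Exif\0\0" + b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rationals
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    com = b"\xff\xfe" + struct.pack(">H", 13) + b"placeholder"   # stand-in image body
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield data[pos + 1], pos, pos + 2 + length
        pos += 2 + length


def is_exif(data, start):
    return data[start + 1] == 0xE1 and data[start + 4:start + 10] == b"Exif\0\0"


def read_ifd(tiff, order, offset):
    """Return {tag: (type, count, raw 4-byte value-or-offset field)}."""
    (n,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    entries = {}
    for e in range(offset + 2, offset + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack(order + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def extract_gps(data):
    """Return (lat, lon) in decimal degrees, or None if there is no geotag."""
    for _, start, end in iter_segments(data):
        if not is_exif(data, start):
            continue
        tiff = data[start + 10:end]
        order = {b"II": "<", b"MM": ">"}[tiff[:2]]
        ifd0 = read_ifd(tiff, order, struct.unpack(order + "I", tiff[4:8])[0])
        if GPS_IFD_TAG not in ifd0:
            continue
        gps = read_ifd(tiff, order, struct.unpack(order + "I", ifd0[GPS_IFD_TAG][2])[0])
        if any(t not in gps for t in (1, 2, 3, 4)):
            continue
        coords = []
        for ref_tag, val_tag in ((1, 2), (3, 4)):
            ref = gps[ref_tag][2][:1]                 # b"N"/b"S"/b"E"/b"W", stored inline
            (off,) = struct.unpack(order + "I", gps[val_tag][2])
            raw = struct.unpack(order + "6I", tiff[off:off + 24])
            d, m, s = (raw[i] / raw[i + 1] for i in (0, 2, 4))
            value = d + m / 60 + s / 3600
            coords.append(-value if ref in (b"S", b"W") else value)
        return tuple(coords)
    return None


def strip_exif(data):
    """Copy the JPEG without its Exif APP1 segment(s); image data is untouched."""
    out, pos = bytearray(data[:2]), 2
    for _, start, end in iter_segments(data):
        if not is_exif(data, start):
            out += data[start:end]
        pos = end
    return bytes(out + data[pos:])


if __name__ == "__main__":
    photo = build_geotagged_jpeg(49.2827, -123.1207)   # made-up coordinates
    print("geotag:", extract_gps(photo), "after strip:", extract_gps(strip_exif(photo)))
```

Stripping APP1 removes the whole Exif block, not just the GPS tags, which is what most “remove location” tools do; everything from the first non-Exif segment through the entropy-coded image data is copied byte for byte.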
Supplemental Slides
The Global State of Information Security® Survey 2016
10,040 respondents; 17 industries represented
Respondents
• 51% C-suite level
• 15% Director level
• 34% Other (e.g. Manager, Analyst, etc.)
• 39% Business and 61% IT (18% increase compared to 2014)
Top 5 industries
• 22% Technology
• 10% Financial Services
• 8% Consulting/Prof. Services
• 7% Engineering/Construction
• 7% Consumer Products & Retail
Reported annual revenues
• 34% at least US$1B
• 48% US$25 to $999M
• 26% less than US$100M
• 3% non-profit
Cybersecurity is linked to the Five Global Megatrends as each offers opportunity and risk to society, consumers, employees, organizations and governments as adversaries seek to gain access to a wide variety of critical assets.
The five global megatrends: accelerating urbanization; demographic shifts; shift in global economic power; climate change and resource scarcity; technological breakthroughs.
Technology Breakthroughs – Perhaps the most important business driver, organizations will continue to invest significantly in R&D as a means for gaining a strategic / competitive advantage over the competition.
Resource scarcity and climate change – As resources become constrained or limited in different geographic locations, significant R&D and increased innovation will be required to create new resources and assets needed to combat the change.
Accelerating urbanization – As cities and governments grow, connectivity, automation and reliance on technology will only increase.
Shift in global economic power – As economies grow and wealth is accumulated technology will be adopted and used as a means to connect at a pace never before seen.
Demographic shifts – As the population changes, consumers and the next generation workforce will interact with and rely on technology in new and unique ways that are hard to anticipate.