KPMG Screen template

New “Vectors” of Threats are Accelerating the Concern

YESTERDAY…
Bad “Actors”
• Isolated criminals
• “Script Kiddies”
Targets
• “Target of Opportunity”
• Identity Theft
• Self Promotion Opportunities
• Theft of Services

TODAY…
Bad “Actors”
• Organized criminals
• Foreign States
• Hacktivists
Targets
• “Target of Choice”
• Intellectual Property
• Financial Information
• Strategic Access

© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Costs
[Chart: average dollar loss per breach (US) and average dollar loss per record stolen (US), 2013 vs. 2014. Source: Ponemon Institute 2014.]
Cyber Threat Landscape
Impacts for Boards
Attack Vectors
Advanced Persistent Threats (APTs)
• Term coined by the US Air Force in 2006
• State sponsored
• Complicit or permissive states
• Tactical hacking groups
• Stealthy (packet crafting to avoid IDS/IPS)
• Advanced in nature
• Patient (supply chain infections)
• Custom made tools and exploits
• Introduced through social engineering as well as traditional attack surfaces
• Ongoing presence (14 months until discovery)
• Exfiltration plan
Underground Forums
What are hackers talking about?
• Exploit Tools
• DDoS Tools
• Keyloggers
• Traffic Generators
• RATs
• Brute Force
• Crypters
• Malware
• POS malware
• Mobile Malware
• ATM Skimmers
• System Vulnerability Disclosure
• SQL
• XSS and other vulnerabilities
• Black Market
• Remote access to POS systems
• Hijacked Network Traffic
• Hacking Services
• Bulletproof Hosting
• Stolen Credit Card credentials
• Compromised user accounts
• Email addresses and Passwords
Tactical Teams - Customer Service
Proliferation of Do It Yourself Kits
Malware offered for $249 with a service level agreement (SLA) and replacement warranty if the creation is detected by any antivirus within 9 months.
Scenario: A Cyber Breach is “Suspected”
Your organization is notified by an external partner that they believe your company may have been “hacked” and your customer data may be at risk. What do you do?
• Prepare to conduct an investigation.
  • Should it be done internal/external? Who should be notified? Who should lead the investigation?
• Contact Law Enforcement.
  • Which agency? Who has jurisdiction? Do you have relationships?
• Prepare Communication Strategy.
  • Who should we tell? When? What should be shared?
• Conduct Immediate Impact Assessment.
  • What data could be at risk? What’s the worst case scenario? Should transactions stop?
• Determine Preliminary Legal Approach.
  • Seek prosecution, civil action? Reduce disruption?
Scenario: A Cyber Breach is “Confirmed”
You have now confirmed that an unauthorized individual or team has gained access to your systems and data. You’re not sure exactly what was accessed or what may have been lost. What next?
• Continue the investigation.
  • Any shift in investigation structure? Should external experts be brought in? Is everything under attorney privilege?
• Contact Law Enforcement.
  • Should be a priority and working closely at this point.
• Approve Communication Strategy.
  • When should we start? What should be said? Any unintended messaging?
• Update Impact Assessment.
  • What data could be at risk? What’s the worst case scenario? Should transactions stop?
• Finalize Legal Approach Strategy.
  • Collect evidence in a forensically sound way. Prepare litigation/penalty strategy.
Scenario: Data Loss is Validated
You now know, with some degree of certainty, what data has been lost and who is likely impacted. The methods and approaches are understood and have been tactically remediated. How do you respond?
• Prepare notification approach.
  • Determine audience. Customers/employees/business partners? What protection is expected?
• Execute Communication Strategy.
  • How will this impact business? Customer support ramp up? Website updates? Marketing shifts?
• Enter Business Resumption Mode.
  • How to regain Business-As-Usual momentum? What strategies are impacted? What changes are expected?
• Establish Proactive Legal PMO.
  • Establish inquiry & subpoena list. Determine key exposures. Understand insurance coverage.
Scenario: How to Regain Stakeholder Trust
You have completed your obligations under various Data Breach notifications. Security vulnerabilities have been remediated. How do you regain the trust of customers and regain market momentum?
• Provide Transparency.
  • Continue to communicate with key stakeholders. Address questions as openly and transparently as possible.
• Establish Ongoing Security Improvement Plan.
  • Business and technology work together to ensure this does not repeat. Introduce new controls.
• Establish Executive & Board Priorities.
  • Influence on other business objectives? Prioritization? Funding?
• Conduct a Post Mortem.
  • What lessons were learned? What should be changed/modified? Cyber Insurance changes? SEC Disclosure?
Stages of Response after a Cyber Breach

REACT
Focus: Understand the issue
Timeline: 30-60 Days
Key Activities:
• Legal evaluation for impact
• Forensic investigation
• Discovery and evidence preservation
• Understand the control environment
• Validation of data
• Report on findings
• Communications to customers, internal stakeholders, and key business partners
• Written notice and disclosure as required
Key Participants: Incident Response Team, Exec Team, Key Customers & Vendors, IT Mgmt., Legal, Public/Investor Relations, Corp. Communications

RESPOND
Focus: Address key concerns and gaps
Timeline: 3 Months
Key Activities:
• Define governance for tactical remediation and future response
  • People
  • Process
  • Technology
• Build a tactical plan
• Ensure root cause is addressed
• Impacted by regulatory and legal expectations
• Plan to remediate all known gaps
Key Participants: Incident Response Team, IT Management, Vendors, Legal, Business Stakeholders, Information Security, Internal Audit

TRANSFORM
Focus: Change organizational perspectives
Timeline: 6-12 Months
Key Activities:
• Define the control framework
  • Regulatory
  • Business Expectations
• Update policies and procedures
• Implement awareness campaigns
• Classify data and map regulations to data elements
• Deploy technical control solutions
  • Encryption
  • Access Control
  • Security event mgmt
  • Data loss prevention
  • GRC
• Clearly align responsibilities and accountability to performance needs
Key Participants: Information Security, IT Team, Business Stakeholders, Internal Audit

SUSTAIN
Focus: Create sustainable approaches
Timeline: Ongoing
Key Activities:
• Implement metrics and key performance indicators
• Create a monitoring program to ensure adherence
• Review reports
• Review the program at specified intervals
Key Participants: Information Security, IT Team, Executive Management, Business Stakeholders, Vendors, Internal Audit
Legislation
On 7/28/2014, the US House of Representatives passed The National Cybersecurity and Critical Infrastructure Protection Act of 2014 (H.R. 3696), sending the measure to the Senate.
• Section 202 would amend the DHS SAFETY Act to extend liability protections from “acts of terrorism” to include “qualifying cybersecurity incidents”.
• Qualifying incidents are defined as something that “disrupts or imminently jeopardizes the integrity, operation, confidentiality, or availability of programmable electronic devices, communication networks, including hardware, software and data that are essential to their reliable operation, electronic storage devices, or any other information system, or the information that system controls, processes, stores, or transmits.”
• Private and commercial data that is stolen, misappropriated, corrupted, disrupted, or adversely affected will qualify for protection under this proposed law.
• Organizations can voluntarily submit their cybersecurity procedures to the DHS SAFETY Act office to gain additional liability protections in the event of an act of terrorism or a qualifying cyber incident.
Corporate liability protection and relief will be assessed based upon “Qualifying SAFETY Act technologies”.
PCI 3.0
“It’s a serious problem – more than 868 million records with sensitive information have been breached between January 2005 and June 2014, according to PrivacyRights.org. As you are a key participant in payment card transactions, it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.”
www.pcisecuritystandards.org