HOW SAFE IS YOUR DATA? Micho Schumann, KPMG, Cayman Islands

Size: px

Start display at page:

Download "HOW SAFE IS YOUR DATA? Micho Schumann, KPMG, Cayman Islands"

Homer Stone
6 years ago
Views:

1 HOW SAFE IS YOUR DATA? Micho Schumann, KPMG, Cayman Islands

2 HOW SAFE IS YOUR DATA? 16 November 2017 kpmg.ky

3 Agenda Introduction Cyber Security presentation Q&A 3

4 Why this presentation? 4

5 The CIA Triad - the balancing act Data Conf. Integrity Availability 5

Cyber Security has become a conversation in every boardroom May 2017 Over 400,000

Source: AviationWeek August 2015 Thousands of users email addresses and passwords

6 Terabytes of client data is leaked to the media.

6 Cyber Security has become a conversation in every boardroom May 2017 Over 400,000 systems compromised Source: Wired Jan 2017 Hackers steal 55M$ from Boeing supplier. Source: AviationWeek August 2015 Thousands of users addresses and passwords compromised. Source: Cayman Compass April Terabytes of client data is leaked to the media. Source: The Guardian October 2017 Suffered second card breach in two years Source: KrebsOnSecurity February 2016 Data affected by Ransomware. Paid 17,000$ to regain access. Source: PRI 6

7 Regulators will be asking 7

8 SEC findings Inspections Informal practices for verifying customers identities in order to proceed with requests to transfer funds ; Failure to remediate high risk observations from security tests; Many had policies requiring Employee IT Awareness training; many did not apply them. Source: SEC : Observations from Cybersecurity examinations. August

9 Regulators in the mix Source: ZDNet. Sept

10 Cyber Security Governance Are you asking the tough questions? Who is responsible for Information Security? Third party: Are they mandated to do so? Do we know where our Crown Jewels are located? Are we testing sufficiently and do we have the necessary skills? Why you should! 10

11 New vectors of threats are accelerating the concern YESTERDAY TODAY Bad Actors Isolated criminals Script Kiddies Target of Opportunity Bad Actors Organized criminals Foreign States Hactivists Target of Choice Targets Identity Theft Self Promotion Opportunities Theft of Services Targets Intellectual Property Financial Information Strategic Access 11

12 Missing the basics Did not install a simple security fix on an overlooked server 12

13 Missing the basics 13

14 Weak passwords Source: Cayman Compass Popular passwords Cayman Password Cayman Password1 Ecaytade 14

15 New vectors Our audit of threats approach are accelerating the concern HACKTIVISM PRIVATE & CONFIDENTIAL THE THREAT ACTORS WHO ARE THEY? ORGANISED CRIME THE INSIDER STATE-SPONSORED 15

16 Hacktivism Hacktivism Will attack companies, organizations and individuals who are seen as being unethical or not doing the right thing Hacking for fun seriously! Entire nations can be taken down (Estonia) 16

Ukraine) Common attacks: Theft of PII for

of denial of service attacks to companies

17 Organised Crime Traditionally based in former Soviet Republics (Russia, Belarus, Ukraine) Common attacks: Theft of PII for resale and misuse or resources for hosting of illicit material Occasionally employ blackmail in terms of availability (Threats of denial of service attacks to companies and threats of exposing individuals to embarrassment) 17

18 State Sponsored Nations where commercial and state interests are very aligned Military or Intelligence assets deployed in commercial environments Main aim to achieve competitive advantage for business Theft of commercial secrets (Bid information, M&A details) 18

19 The Insider as a fraudster PRIVATE & CONFIDENTIAL 19

20 The Insider Any user with access to valuable assets can act maliciously Source: Prism Magazine Who has access to what? Recent finds: Administrator passwords, payroll, passports & databases! Access to the CEO s desktop PC 20

21 Free WiFi PRIVATE & CONFIDENTIAL Source: CNBC Source: Gizmodo.com 21

22 Free WiFi who fell for it? 22

23 Social engineering The art of manipulating people into performing actions or divulging confidential information. PRIVATE & CONFIDENTIAL 23

24 Social engineering four elements PRIVATE & CONFIDENTIAL Four elements used in combination Impersonation & persuasion Internet & e- mail spoofing Unauthorized physical access Sanitation reconnaissance 24

25 Social Engineer The Cycle Research & Reconnaissance 25

26 Vulnerability databases help social engineers 26

27 Social engineering real world example Attack 27

28 TypoSquatting 28

29 Do you go Phishing with your staff? Sample scenarios: - Payroll issue (sent the day before pay!) - Contest - Speeding ticket / late payment 29

30 Physical security It s underrated! 30

31 Physical security Tailgating 31

32 Security while traveling Source: CNN.com Source: ABCNews

33 Security testing frequency Activity Internal Network scanning External Vulnerability Scanning External Penetration testing Source: NIST Frequency Semi-Annually Semi-Annually Annually For minor changes (e.g.: minor code/configuration changes, new desktop PC s etc.) security testing is generally not required. Think version to For medium changes (e.g.: new network devices, change in network structure, server upgrades, new system functionalities, etc.) testing may be required and should evaluated by management. Think version to version 2.1 For large changes (e.g.: Major changes to network structure, multiple server upgrades and/or migrations, new operating systems or key information systems, significant code changes, etc.) a new full test is recommended. Think version to version 3. 33

34 Final thoughts Cyber Security is an increasingly Top of House issue that is being discussed in the Boardroom and the C-Suite. It is *NOT* simply a technology issue. When it is a technology issue, it often comes down to the basics. Employee training and awareness is an essential part of organizational Cyber Security. 34

35 Wrap up Micho Schumann Principal, Cyber Security Services KPMG in the Cayman Islands

36 Thank you kpmg.ky The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation KPMG, a Cayman Islands partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. kpmg.com/socialmedia kpmg.com/app 36

Cyber Security. It s not just about technology. May 2017

Cyber Security. It s not just about technology. May 2017 Cyber Security It s not just about technology May 2017 Introduction The Internet has opened a new frontier in warfare: everything is networked and anything networked can be hacked. - World Economic Forum