Governance Ideas Exchange

Transcription

1 Anatomy of a Hack Governance Ideas Exchange Robert Di Pietro October 2018

2 Cyber Security Anatomy of a Hack Cyber Security Introduction Who are the bad guys? Profiling the victim Insights from s Global Survey The Cyber Kill Chain Demo Anatomy of a Hack 2

3 Putting Cyber Security into perspective Cybersecurity represents many things to many different people Key characteristics and attributes of cybersecurity: - Broader than just information technology and not limited to just the enterprise - Increasing attack surface due to technology connectivity and convergence - An outside-in view of the threats and potential impact facing an organization - Shared responsibility that requires cross functional disciplines in order to plan, protect, defend and respond February

4 The Cyber challenge now extends beyond the enterprise Global Business Ecosystem Traditional boundaries have shifted; companies operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent. The ecosystem is built around a model of open collaboration and trust the very attributes being exploited by an increasing number of global adversaries. Constant information flow is the lifeblood of the business ecosystem. Data is distributed and disbursed throughout the ecosystem, expanding the domain requiring protection. Adversaries are actively targeting critical assets throughout the ecosystem significantly increasing the exposure and impact to businesses. Years of underinvestment in security has impacted organizations ability to adapt and respond to evolving, dynamic cyber risks. 4

5 Cyber Security isn t just about technology People Technology Process Defending against cyber attacks requires getting all three right 5

6 Online Banking 6

7 Online Banking Malicious Version Can you spot the difference? 7

8 Who are the bad guys? Nation State Motivated by economic, political, and/or military advantage. Target trade secrets, sensitive business information, emerging technologies, and critical infrastructure. Organised Crime Motivated by financial gain. Target financial / payment systems, personally identifiable information, payment card information, and protected health information. Hactivists Motivated by pressuring businesses to change their practices through political influence and social change. Target corporate secrets, sensitive business information, information related to key executives, employees, customers, and business partners. Insider Threat Motivated by personal advantage, monetary gain, professional revenge, and/or patriotism. Target sales, deals, market strategies, corporate secrets, IP, R&D, business operations, and personnel information. 8

9 Social Networking Facebook hosts 4 times more phishing attacks and Personally Identifiable Information as the other social networks 1 Limit the amount of personal information you post. Be aware what your connections are posting about you. Once information is on the Internet it is there forever. Confirm website privacy settings. Information from multiple social network sites used together can be enough for an attacker to impersonate you. This includes educating family members to the risks of social networking. 1. Nexgate: 2013 State of Social Media Spam Research Report 9

10 Social Engineering Building a profile by connecting the dots Banking Conference AcmeCorp, Head of Finance Published paper on rising interest rates Attended Banking conference 10

11 Social Engineering Passwords once thought to be complex enough to make cracking improbable are now able to be reversed in hours or days 3 This password would be cracked instantly. Password1 is still the most common password used by global businesses 4. This password is weak can be cracked within a few hours using a desktop PC. Even though this password has increased complexity, it is still able to be cracked in a matter of days. This is a strong password as it maintains complexity and is difficult to guess or crack. 3. Trustwave: 2013 Global Security Report 4. Trustwave: 2013 Global Security Report 11

12 compromise continues to be the top business impact of incidents Recently, cyber extortion, where a cyber criminal threatens to publically embarrass or threaten a company to secure large sums of money, has become an increasingly common approach taken by threat actors as evidenced in the case of film/television production and distribution companies and a number of hospitals. Thus, financial losses as a business impact of an incident may begin to climb. Business impacts of security incidents 30% 20% 17% 17% 22% 23% 24% 28% 10% 0% Theft of "hard" intellectual property Brand / reputation compromised Financial losses Theft of "soft" intellectual property Business compromise Cite mobile device exploitation as the cause of security incidents, overtaking phishing attacks as the top threat vector Question 22: How was your organization impacted by the security incidents? Question 19: How did the security incident(s) occur? 12

13 Current employees are still the number one source of security incidents Incidents attributed to outsiders, such as hackers and competitors, declined while those attributed to insiders such as third parties and employees stayed about the same or inched up. Estimated likely source of incidents 35% % 25% 20% 20% 19% 23% 20% 26% 23% 28% 26% 29% 30% 19% 15% 10% 5% 0% Current third parties* Competitors Unknown hacker Former employees Current employees Of incidents are attributed to organized crime *Current third parties include suppliers, consultants and contractors Question 21: Estimated likely source of incidents (Not all factors shown.) 13

14 The Cyber Kill Chain 14

15 Demo 15

16 ASD Essential 8 Cyber Mitigation Strategies The Strategies to Mitigate Cyber Security Incidents is a prioritised list of mitigation strategies to assist organisations in protecting their systems against a range of cyber threats. The mitigation strategies can be customised based on each organisation s risk profile and the cyber threats they are most concerned about. 1. Application whitelisting 2. Patch applications 3. Configure Microsoft Office macro settings 4. User application hardening 5. Restrict administrative privileges 6. Patch operating systems 7. Multi-factor authentication 8. Daily backups 16

17 Questions Robert Di Pietro Partner, Cyber Security Robert.di.pietro@pwc.com 2018 PricewaterhouseCoopers Consulting (Australia) Pty Limited. All rights reserved. refers to PricewaterhouseCoopers Consulting (Australia) Pty Limited, and may sometimes refer to the network. Each member firm is a separate legal entity. Please see for further details. Liability limited by a scheme approved under Professional Standards Legislation