HOW SAFE IS YOUR DATA? Micho Schumann, KPMG, Cayman Islands


HOW SAFE IS YOUR DATA? 16 November 2017 kpmg.ky

Agenda: Introduction; Cyber Security presentation; Q&A 3

Why this presentation? 4

The CIA Triad - the balancing act: Confidentiality, Integrity and Availability of data 5

Cyber Security has become a conversation in every boardroom 6
- May 2017: Over 400,000 systems compromised. Source: Wired
- Jan 2017: Hackers steal 55M$ from Boeing supplier. Source: AviationWeek
- August 2015: Thousands of users' email addresses and passwords compromised. Source: Cayman Compass
- April 2016: 2.6 Terabytes of client data is leaked to the media. Source: The Guardian
- October 2017: Suffered second card breach in two years. Source: KrebsOnSecurity
- February 2016: Data affected by Ransomware. Paid 17,000$ to regain access. Source: PRI

Regulators will be asking 7

SEC findings, Inspections 2014-2017:
- Informal practices for verifying customers' identities in order to proceed with requests to transfer funds;
- Failure to remediate high risk observations from security tests;
- Many had policies requiring Employee IT Awareness training; many did not apply them.
Source: SEC: Observations from Cybersecurity Examinations, August 2017. 8

Regulators in the mix Source: ZDNet. Sept 2015 9

Cyber Security Governance: Are you asking the tough questions?
- Who is responsible for Information Security?
- Third party: Are they mandated to do so?
- Do we know where our Crown Jewels are located?
- Are we testing sufficiently and do we have the necessary skills?
Why you should! 10

New vectors of threats are accelerating the concern 11

YESTERDAY
- Bad Actors: Isolated criminals; Script Kiddies; Target of Opportunity
- Targets: Identity Theft; Self Promotion Opportunities; Theft of Services

TODAY
- Bad Actors: Organized criminals; Foreign States; Hacktivists; Target of Choice
- Targets: Intellectual Property; Financial Information; Strategic Access

Missing the basics Did not install a simple security fix on an overlooked server 12

Missing the basics 13

Weak passwords (Source: Cayman Compass). Popular passwords: 0, 111111, Cayman, 123456, Password, Cayman1, 1234567, Password1, Ecaytade 14

The threat actors: who are they? Hacktivism; Organised crime; The insider; State-sponsored. PRIVATE & CONFIDENTIAL 15

Hacktivism
- Will attack companies, organizations and individuals who are seen as being unethical or not doing the right thing
- Hacking for fun, seriously!
- Entire nations can be taken down (Estonia) 16

Organised Crime
- Traditionally based in former Soviet Republics (Russia, Belarus, Ukraine)
- Common attacks: Theft of PII for resale and misuse, or of resources for hosting of illicit material
- Occasionally employ blackmail in terms of availability (threats of denial of service attacks to companies and threats of exposing individuals to embarrassment) 17

State Sponsored
- Nations where commercial and state interests are very aligned
- Military or Intelligence assets deployed in commercial environments
- Main aim to achieve competitive advantage for business
- Theft of commercial secrets (bid information, M&A details) 18

The Insider as a fraudster 19

The Insider: Any user with access to valuable assets can act maliciously. Source: Prism Magazine
Who has access to what? Recent finds: Administrator passwords, payroll, passports & databases! Access to the CEO's desktop PC 20

Free WiFi. Sources: CNBC; Gizmodo.com 21

Free WiFi who fell for it? 22

Social engineering: The art of manipulating people into performing actions or divulging confidential information. 23

Social engineering: four elements used in combination
- Impersonation & persuasion
- Internet & e-mail spoofing
- Unauthorized physical access
- Sanitation reconnaissance 24

Social Engineering: The Cycle. Research & Reconnaissance 25

Vulnerability databases help social engineers 26

Social engineering real world example Attack 27

TypoSquatting 28

Do you go Phishing with your staff? Sample scenarios:
- Payroll issue (sent the day before pay!)
- Contest
- Speeding ticket / late payment 29

Physical security: It's underrated! 30

Physical security: Tailgating 31

Security while traveling Source: CNN.com Source: ABCNews. 2012 32

Security testing frequency (Source: NIST, http://www.itl.nist.gov/lab/bulletns/bltnnov03.htm) 33

Activity                          Frequency
Internal Network scanning         Semi-Annually
External Vulnerability Scanning   Semi-Annually
External Penetration testing      Annually

- For minor changes (e.g.: minor code/configuration changes, new desktop PCs, etc.) security testing is generally not required. Think version 2.0.5 to 2.0.6.
- For medium changes (e.g.: new network devices, change in network structure, server upgrades, new system functionalities, etc.) testing may be required and should be evaluated by management. Think version 2.0.6 to version 2.1.
- For large changes (e.g.: major changes to network structure, multiple server upgrades and/or migrations, new operating systems or key information systems, significant code changes, etc.) a new full test is recommended. Think version 2.0.6 to version 3.

Final thoughts
- Cyber Security is an increasingly Top of House issue that is being discussed in the Boardroom and the C-Suite.
- It is *NOT* simply a technology issue. When it is a technology issue, it often comes down to the basics.
- Employee training and awareness is an essential part of organizational Cyber Security. 34

Wrap up. Micho Schumann, Principal, Cyber Security Services, KPMG in the Cayman Islands. +1 345 815 2636, michoschumann@kpmg.ky, @MichoSchumann 35

Thank you kpmg.ky The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. 2016 KPMG, a Cayman Islands partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. kpmg.com/socialmedia kpmg.com/app 36