HOW SAFE IS YOUR DATA?
Micho Schumann, KPMG, Cayman Islands
16 November 2017, kpmg.ky
Agenda
- Introduction
- Cyber Security presentation
- Q&A
Why this presentation?
The CIA Triad - the balancing act
Data sits at the centre, balanced between Confidentiality, Integrity and Availability.
Cyber Security has become a conversation in every boardroom
- May 2017: Over 400,000 systems compromised. Source: Wired
- Jan 2017: Hackers steal $55M from Boeing supplier. Source: AviationWeek
- August 2015: Thousands of users' email addresses and passwords compromised. Source: Cayman Compass
- April 2016: 2.6 Terabytes of client data is leaked to the media. Source: The Guardian
- October 2017: Suffered second card breach in two years. Source: KrebsOnSecurity
- February 2016: Data affected by Ransomware. Paid $17,000 to regain access. Source: PRI
Regulators will be asking
SEC findings - Inspections 2014-2017
- Informal practices for verifying customers' identities in order to proceed with requests to transfer funds;
- Failure to remediate high risk observations from security tests;
- Many had policies requiring Employee IT Awareness training; many did not apply them.
Source: SEC: Observations from Cybersecurity examinations. August 2017.
Regulators in the mix. Source: ZDNet. Sept 2015
Cyber Security Governance - Are you asking the tough questions?
- Who is responsible for Information Security? Third party: are they mandated to do so?
- Do we know where our Crown Jewels are located?
- Are we testing sufficiently and do we have the necessary skills?
Why you should!
New vectors of threats are accelerating the concern
YESTERDAY
- Bad actors: isolated criminals, script kiddies. Target of opportunity.
- Targets: identity theft, self promotion opportunities, theft of services.
TODAY
- Bad actors: organized criminals, foreign states, hacktivists. Target of choice.
- Targets: intellectual property, financial information, strategic access.
Missing the basics: did not install a simple security fix on an overlooked server
Weak passwords (Source: Cayman Compass)
Popular passwords: 111111, Cayman, 123456, Password, Cayman1, 1234567, Password1, Ecaytade
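The list above shows why a plain "must contain a digit" rule does not help: Cayman1 and Password1 are just the base word with a digit appended. The following is an added example (not from the deck) of a deny-list check that normalises a candidate password before comparing it, so these variants are caught. The deny-list is constructed inline from the slide's own list; the local terms and the 12-character minimum are assumptions, and a real deployment would load a breached-password corpus instead.

```python
"""Deny-list password check with normalisation (added example, not from the slide deck)."""
import re

# Constructed deny-list: the "popular passwords" shown on the slide.
SLIDE_PASSWORDS = [
    "111111", "Cayman", "123456", "Password",
    "Cayman1", "1234567", "Password1", "Ecaytade",
]

# Assumption: terms an attacker would guess first for this audience.
LOCAL_TERMS = {"cayman", "kpmg"}

# Assumption: a minimum length policy of 12 characters.
MIN_LENGTH = 12


def normalise(password: str) -> str:
    """Lower-case and strip a trailing run of digits/punctuation so that
    'Password1' and 'Cayman1!' collapse to the base word they were built from."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


# Both the raw lower-cased entries and their normalised base words are denied,
# so '111111' (which normalises to the empty string) is still rejected.
DENY = {p.lower() for p in SLIDE_PASSWORDS} | {normalise(p) for p in SLIDE_PASSWORDS}
DENY.discard("")


def password_problems(password: str) -> list[str]:
    """Return the reasons a password should be rejected; an empty list means acceptable."""
    problems = []
    lowered = password.lower()
    base = normalise(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in DENY or (base and base in DENY):
        problems.append("matches a known popular password (ignoring case and trailing digits)")
    if any(term in lowered for term in LOCAL_TERMS):
        problems.append("contains a guessable local term")
    if password.isdigit():
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    for candidate in ("Cayman1", "Password2024!", "correct horse battery staple"):
        print(candidate, "->", password_problems(candidate) or "ok")
```

Normalising before the comparison is the point: the raw string "Password2024!" is not on the list, but its base word is, and that is what a password-guessing tool would try first.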
The threat actors - who are they?
- Hacktivism
- Organised crime
- The insider
- State-sponsored
PRIVATE & CONFIDENTIAL
Hacktivism
- Will attack companies, organizations and individuals who are seen as being unethical or not doing the right thing
- Hacking for fun, seriously!
- Entire nations can be taken down (Estonia)
Organised Crime
- Traditionally based in former Soviet Republics (Russia, Belarus, Ukraine)
- Common attacks: theft of PII for resale and misuse, or resources for hosting of illicit material
- Occasionally employ blackmail in terms of availability (threats of denial of service attacks to companies and threats of exposing individuals to embarrassment)
State Sponsored
- Nations where commercial and state interests are very aligned
- Military or intelligence assets deployed in commercial environments
- Main aim: to achieve competitive advantage for business
- Theft of commercial secrets (bid information, M&A details)
The Insider as a fraudster
The Insider
- Any user with access to valuable assets can act maliciously. Source: Prism Magazine
- Who has access to what? Recent finds: administrator passwords, payroll, passports & databases! Access to the CEO's desktop PC.
Free WiFi. Source: CNBC; Source: Gizmodo.com
Free WiFi - who fell for it?
Social engineering: the art of manipulating people into performing actions or divulging confidential information.
Social engineering - four elements, used in combination
- Impersonation & persuasion
- Internet & e-mail spoofing
- Unauthorized physical access
- Sanitation reconnaissance
Social Engineer - The Cycle: Research & Reconnaissance
Vulnerability databases help social engineers
Social engineering - real world example: Attack
TypoSquatting
Do you go Phishing with your staff? Sample scenarios:
- Payroll issue (sent the day before pay!)
- Contest
- Speeding ticket / late payment
Physical security - it's underrated!
Physical security - Tailgating
Security while traveling. Source: CNN.com; Source: ABCNews, 2012
Security testing frequency (Source: NIST, http://www.itl.nist.gov/lab/bulletns/bltnnov03.htm)
- Internal network scanning: semi-annually
- External vulnerability scanning: semi-annually
- External penetration testing: annually
Testing after changes:
- For minor changes (e.g. minor code/configuration changes, new desktop PCs, etc.) security testing is generally not required. Think version 2.0.5 to 2.0.6.
- For medium changes (e.g. new network devices, change in network structure, server upgrades, new system functionalities, etc.) testing may be required and should be evaluated by management. Think version 2.0.6 to version 2.1.
- For large changes (e.g. major changes to network structure, multiple server upgrades and/or migrations, new operating systems or key information systems, significant code changes, etc.) a new full test is recommended. Think version 2.0.6 to version 3.
Final thoughts
- Cyber Security is an increasingly Top of House issue that is being discussed in the Boardroom and the C-Suite.
- It is *NOT* simply a technology issue. When it is a technology issue, it often comes down to the basics.
- Employee training and awareness is an essential part of organizational Cyber Security.
Wrap up
Micho Schumann, Principal, Cyber Security Services, KPMG in the Cayman Islands
+1 345 815 2636, michoschumann@kpmg.ky, @MichoSchumann
Thank you. kpmg.ky
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. 2016 KPMG, a Cayman Islands partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. kpmg.com/socialmedia kpmg.com/app