8/22/2019 1_Tomas_Sanchez_PWC_eHealth_20130311 - Cyber Security Presentation LSEC 11-03-2013
Cyber Security Presentation
www.pwc.com/me
LSEC, 11 March 2013
Agenda
1 Cyber security global problem
2 Cyber security attacks and threats in the utilities/energy sector
3 The Saudi Aramco case
4 Questions & Answers
Confidential & Proprietary All Rights Reserved
PwC 2013
LSEC, March 2013
Cyber security is a global problem
Cyber security is a global problem nowadays. The purpose of today's advanced cyber attacks is two-fold: steal the target data and maintain access to the environment for as long as possible.
Cyber attack timeline:
2000: The I Love You worm infected millions of computers worldwide.
2001: The Code Red worm's widespread infection caused billions of dollars in damage.
2002: The shatter attack is a process by which Windows security can be bypassed.
2007: Announcement of at least 45.7 million consumer credit and debit card numbers stolen.
2010: Stuxnet malware, with the purpose of targeting Iran's nuclear programme, is discovered.
2012: Several cyber attacks targeted the Middle East.
Formation of organized cyber attacks and hacking groups (e.g. Anonymous).
Foreign governments heavily invested in malicious code development.
Different organizations and countries were affected.
Attackers and motivation
Different organizations often have their own specific way of categorizing cyber threats. In our view, there are five main types of cyber attacks, each with its own distinct though sometimes overlapping methods and objectives. Those are:
1 Financial Crime & Fraud: This involves criminals, often highly organized and well-funded, using technology as a tool to steal money and other assets.
2 Espionage: Theft of IP is a persistent threat carried out by commercial competitors or state intelligence services seeking to use the IP to advance their R&D or gain business intelligence.
3 Warfare: This can take place between states, or may involve states attacking private sector organizations, especially critical national infrastructure such as energy & telecoms.
4 Terrorism: This threat overlaps with warfare. Attacks are undertaken by (possibly state-backed) terrorist groups, again targeting either state or private assets.
5 Activism: Again this may overlap with some other categories, but the attacks are undertaken by supporters of an idealistic cause, most recently the supporters of WikiLeaks.
Attacks in Middle East
Recent attacks against the Middle East are believed to be originated from regional countries with an objective of causing damage and/or stealing sensitive information.
Some attacks were performed by supporters of regimes or revolutionaries.
Other attacks targeted the financial sector.
Financial impact of cyber security breaches
Cyber Security breaches can have many different types of impact
Direct costs, such as downtime and effort to remediate, are easy to estimate
Indirect costs are harder to determine
PwC analysed the results of the information security breaches survey carried out in Europe in 2012. Results have shown that:
of large organizations had a security breach during 2012.
attacks by an unauthorized outsider on each large organization in Europe in 2012.
67% of large organizations expect more security breaches next year.
80% of large organizations do not evaluate ROI on their security expenditure.
$9m - $21m is the average financial loss of large organizations (250 - 500 employees) in 2012, considering 54 attacks per year.
Many critical cyber security incidents were recently reported
Saudi Aramco, Saudi Arabia's national oil company and the largest in the world, has confirmed that it has been hit by a cyber attack that resulted in malware infecting around 30,000 user workstations. (Security Week)
In August 2012 the information technology systems of RasGas were seriously damaged by cyber attacks. The attacks damaged the website and communications networks; however, they failed to harm the organization's production systems and capabilities. (Reuters)
The Arabic website of news network Al-Jazeera has been defaced, apparently by pro-Syrian hackers. (BBC News)
In 2011, someone hacked into the Curran-Gardner Water District network in Illinois and manipulated the supervisory control and data acquisition (SCADA) network resulting in destroying one of the pumps. (Business Insider)
Online attackers successfully penetrated the Department of Energy (DOE) network in the middle of January 2013 and obtained copies of personally identifiable information (PII) pertaining to several hundred of the agency's employees and contractors in preparation for further attacks.
U.S. officials said that Iranian hackers renewed a campaign of cyber attacks against U.S. banks, targeting Capital One Financial Corp. and BB&T Corp.
Washington
informationweek
Many critical cyber security incidents were recently reported
Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts in what is one of the largest-ever Internet security break-ins. (Reuters)
Security experts have uncovered a new computer virus designed to steal information from banks in the Middle East. The virus has infected more than 2,500 computers, mainly in Lebanon, according to the Russian security firm Kaspersky Lab. (The Telegraph)
The computer security vendor RSA announced on March 17, 2011 that its network had been hacked by an Advanced Persistent Threat (APT) by a highly skilled, well-funded group with a specific agenda. (Business Insider)
Google became the target of a phishing campaign originating in Jinan, China, and aimed at gaining access to the accounts of senior officials in the U.S., Korea and other governments, as well as those of Chinese activists. (The Wall Street Journal)
A quarter of a million Twitter users have had their accounts hacked in the latest in a string of high-profile security breaches at internet firms. (The Guardian)
In January 2012 hackers from the Middle East began a cyber exchange that resulted in the release of personal data for tens of thousands of individuals and damage to the cyber infrastructures of several regional financial institutions. (Reuters)
Cyber incidents in SCADA & industrial control systems environments in 2012
The energy sector was targeted by 41% of the cyber attacks against the ICS environment in 2012.
Cyber incidents by sector (sector; incidents; share):
Energy; 82; 41%
Water; 29; 14%
Internet-Facing; 21; 10%
Commercial; 19; 10%
Critical Manuf; 8; 4%
Government; 7; 4%
Chemical; 7; 4%
Nuclear; 6; 3%
Transportation; 5; 2%
Health Care; 5; 3%
Communications; 4; 2%
Food; 2; 1%
Dams; 1; 0%
IT; 1; 0%
Banking & Finance; 1; 0%
Source: Industrial Control Systems Cyber Emergency Response Team, US Department of Homeland Security
Common cyber security vulnerabilities in SCADA & industrial control systems in 2011
Improper input validation (e.g. SQL Injection, Cross Site Scripting) and credentials management are the key cyber security threats in the ICS environments in 2011.
[Bar chart: share of vulnerabilities by category (Improper Input Validation; ICS Security Configuration & Maintenance; Credentials Management; Improper Authentication; Permissions, Privileges and Access Controls) for three data sets: ICS-CERT Published Vulnerabilities; 2009-2010 CSSP ICS Product Assessments; 2004-2008 CSSP ICS Assessments]
Source: Common Cybersecurity Vulnerabilities in Industrial Control Systems, May 2011, US Department of Homeland Security
Attackers use different entry points to attack utilities and energy companies
Preparing for the attacks may take months where hackers silently install Trojans and gain control over internal networks. Hackers use various entry points to gain control over internal networks and prepare for their attacks and data thefts.
[Diagram: entry points used by hackers]
Social Media: Personal information
Wireless & Mobile: Unauthorized access to internal network
Removable Media: Installation of malicious code on the private network
Trojans; Disgruntled Employee; Vendors
Installed on internal computers; Default configuration; Facilitate access to intruders
Having gained access to internal systems, hackers can attack SCADA systems and damage power generation, transmission, and distribution systems leading to damage to engines, transmission systems and causing massive power outages.
Potential cyber attacks scenarios against utilities and energy companies
Hacker may utilize the connectivity between the vendor and the isolated SCADA network to get access over it and control the generation, transport and distribution components which may lead to wide electricity outage and power failure.
Potential cyber attacks scenarios against utilities and energy companies
Hacker may send malicious code into one of the internal SEC users which uses his laptop or removable media inside SCADA network.
Such action may result in spreading the malicious code inside the SCADA network.
The Saudi Aramco Case
Saudi Aramco is the Saudi government-owned oil company. It has the world's largest daily production of oil and an annual output of about 8bn barrels. It is estimated to be worth about $781bn, more than twice as much as Apple or Exxon, the most valuable public companies.
Saudi Aramco provides various services to its employees, the community, government agencies and private companies:
Traffic safety and fire prevention
Private security force (Elite Security)
Air transport (private fleet and airports)
Education and development (graduate, Master, PhD)
Healthcare (SAMSO)
Saudi Aramco Medical Services Organization (SAMSO) is a network of private hospitals, supporting health-care excellence and helping to give communities access to world-class medical facilities. In 2011, 82 medical facilities received development support from SAMSO.
Saudi Aramco: The incident
Timeline: 15th Aug, 16th Aug, 17th Aug
Saudi Aramco computers were attacked on 15th August 2012.
As first response, Aramco isolated its computer network and issued a public announcement, creating lots of buzz in the media.
On Wednesday, Aug. 15, 2012, an official at Saudi Aramco confirmed that the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network.
The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network.
Saudi Aramco confirmed the integrity of all of its electronic network that manages its core business and that the interruption has had no impact whatsoever on any of the company's production operations.
The company employs a series of precautionary procedures and multiple redundant systems within its advanced and complex system that are used to protect its operational and database systems.
Saudi Aramco IT experts anticipate resuming normal operations of its network soon.
Production was not affected.
Saudi Aramco issued a statement on 26th August 2012, announcing that main internal network services had been re-established. 30,000 workstations had been affected. As a precaution, remote Internet access to online resources was restricted.
The company issued a follow-up report on the 10th September 2012, announcing that its electronic network was functioning normally following a complete and thorough scanning.
Saudi Aramco: Aftermath analysis
The attack was performed using the Shamoon malware.
Destructive malware
Collects files from specific locations on the system.
Erases the files and sends information to the attacker.
Spreads to other computers on the network.
Overwrites the master boot record.
Between 30k and 55k computers were affected.
Who did it? And why?
First claims indicated Islamic groups.
Controversy around the code: professional or amateur?
State-sponsored, lone wolf, disgruntled insider?
Attack categories: 1 Financial Crime & Fraud; 2 Espionage; 3 Warfare; 4 Terrorism; 5 Activism
Unsure about what information was stolen
Unsure about what information was lost
Complete isolation for +10 days
Staged approach towards normal situation
Massive loss of data records (HR, EPR)
End-User Experience in SAMSO
A nurse/doctor goes to work as usual. At the start of the shift, the IT systems are not available.
No patient status
No patient history
No medication register
Complete disruption leading to a life-threatening situation.
Emergency protocols activated
Patient prioritization
Patients need to be identified:
Who are they?
Where they are?
What do they have?
Information gathering
Manual checks required.
Manual book-keeping.
Once identified, they can be treated but:
No communication systems
No way to order medicines
No patient history check is possible
Alternative communication methods
Mobilization of technical and human resources.
This situation lasted for the +10 days of complete isolation.
A selection of Electronic Patient Records (EPR) were recovered 2-3 weeks after the start of the incident.
Questions & Answers
Thank you
We look forward to working with you
We add value
pwc.com/me
This document contains information that is proprietary and confidential to PwC. As such, the addressee should not disclose this document or any attachments in whole or in part to any third party without the prior written consent of PwC.
The addressee also acknowledges that information shared herein is the intellectual property of PwC and is subject to a non-disclosure agreement as recognised by the copyright and intellectual property regulations.
© 2013 PricewaterhouseCoopers. All rights reserved.
"PricewaterhouseCoopers" and "PwC" refer to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL). Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm's professional judgment or bind another member firm or PwCIL in any way.
Backup Slides
Global cyber threats require a global team
PwC has significant experience in helping organizations from different industries including utilities, financial sector, government and national security agencies to solve their cyber security issues.
Our firm has:
1 Performed cyber security assessments and/or implementations at 78% of the Fortune 500.
2 Provided cyber security services to regional government entities in the Middle East.
3 Performed over 100 cyber security assessments annually.
4 Received recognition by market influencers as a leader in Security solutions.
Strategic Alliances & Partnerships with Security Vendors
PwC was one of the establishers of the ISF (International Security Forum) and is managing ISF on behalf of its members. We have a long tradition of contributing to and making use of the ISF material.
PwC cyber security core services
1 Security Strategy: Setting direction
Security strategy development, organization design, management reporting.
2 Security Governance & Control: Creating sound framework of control
Risk, policy and privacy review, regulatory compliance assessment, data loss prevention, awareness programs.
3 Management: Managing Exposure
Penetration testing, vulnerability scanning and remediation, continuous and global threat monitoring.
4 Architecture, Network Security & Identity: Building secure systems and infrastructures
Security architecture, network security, cloud computing security, identity and access management solutions and ERP Security.
5 Incident Response & Forensic Investigation: Managing Incidents
Incident response review, corporate and regulatory investigations, forensic investigations and readiness and crisis response.
6 Business Continuity Management: Building in Resilience
Business continuity management, disaster recovery and crisis management.
PwC cyber security point of view
Cyber Security is an evolution of risk management
Most large organizations have well-established traditional risk strategies which support clear lines of responsibility up to the board-level. This can often lull senior executives into a false sense of security. As traditional risks converge with the new risks, organizations are often exposed to security and risk gaps that are not being managed. This is principally because business functions are operating in silos and focusing on ensuring their area of responsibility is secure or protected (the "not in my back-yard" mentality) or because they are unaware of such risks.
Convergence of Security Risks: Data Loss; Fraud; Industrial Espionage; Social Engineering; Threats to People; Physical Theft; Brand Infringement
Cyber Resilience: Brand & reputational resilience; protection; Intelligence based risk management; Security as a competitive advantage
Protecting information assets: Information Security; Information Risk Management
[Diagram axes: Strategic risk; Value]
Key expected recommendations
1 Clarify roles & responsibilities from the top down: Leadership realizing the strategic importance of managing cyber risks. This may require the creation of new roles at boardroom level.
2 Reassess security function's readiness for cyber world: Upgrading existing security capabilities to address cyber security threats.
3 Achieve 360-degree situational awareness: Understand the realities of the cyber world for well-informed and prioritized cyber security actions & processes.
4 Create a cyber incident response team: A well-functioning cyber incident response team means an incident in the business will be tracked, risk-assessed & escalated.
5 Nurture and share skills: Invest more in cyber skills.
6 Take a more active and transparent stance towards threats: Adopting a more active stance towards attackers & pursuing them more actively through legal means.
PwC cyber security point of view
[Diagram: path from Security Ready Organization to Cyber Security Ready Organization to Cyber Security Resilient Organization. Labels: Information Security; Cyber Resilience; Protect; Manage; Transform; Threat & Vulnerability Management; Enterprise Security Architecture and Governance; Identity and Access Management; Enterprise Crisis Management; Threat Intelligence; Cyber Security Resilience]
What does it take to protect you
Cyber Security Resiliency Readiness Assessment
Organisation, Strategy and Governance: Effective governance, clear accountability & connections in the territory and across the global network need to reflect that cyber security is a global issue.
Data Centric Security: Within the organization, it becomes important to identify and appropriately secure the data that matters most.
Threat Intelligence: The cyber threat landscape is changing at an alarming rate. Organizations need the capability to acquire and act on threat intelligence.
Cyber Incident Response & Crisis Management: The ability to respond to inevitable incidents quickly and effectively and in a way which protects the global brand becomes crucial.
Security Culture and Behaviours: A security conscious culture, accountability and associated behavior is one of the most important aspects of improving security.
Monitoring and Detection: As perimeters become more porous, attackers more sophisticated and compromises inevitable, monitoring & detection become arguably the most effective defence.