Cyber Risk
A Different Perspective
Stan Gallo and Heather Hicks
Document Classification: KPMG Confidential
© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. Liability limited by a scheme approved under Professional Standards Legislation.
The Threat Actors

Hacktivism: hacking inspired by ideology
Motivation: shifting allegiances – dynamic, unpredictable
Impact to business: public distribution, reputation loss

Organised crime: global, difficult to trace and prosecute
Motivation: financial advantage
Impact to business: theft of information

The insider: intentional or unintentional?
Motivation: grudge, financial gain
Impact to business: distribution or destruction, theft of information, reputation loss

State-sponsored: espionage and sabotage
Motivation: political advantage, economic advantage, military advantage
Impact to business: disruption or destruction, theft of information, reputational loss
Source: http://www.thelastamericanvagabond.com
Examples of Cyber Crime
Information Risk Management Regime
■ Hacking – a crime in which a person’s computer is broken into so that their personal or sensitive information can be accessed.
■ DDoS – a Distributed Denial-of-Service attack is an attempt to make a machine or network resource unavailable to its intended users.
■ Malware – malicious software (virus, Trojan, worm) used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
■ Identity theft – this has become a major problem as people use the Internet for cash transactions and banking services.
■ Phishing – the common name for a prolific scam in which a fraudster or scam artist sends an e-mail purporting to be from a financial institution or other organisation.
A Commercial Approach
What about Australia?
This is how the subverted communication occurred
[Diagram: “Normal Company A – Chinese Company email communications” compared with “Hijacked Company A – Chinese Company email communications”; parties shown: Company A employee, Chinese company employee, and the bad guy.]
This lasted for 2 Months
Managing cyber risk is not straightforward
• How much should I spend on security?
• Is this really worth the money?
• What is the link between risk and $ spent?
• How effective are my security controls?
• What risks am I running?
• Have I got the right balance of controls?
• What really makes their life difficult?
• What would make an attacker look elsewhere?
• How much will the attacker spend?
• Do other parts of the business understand their incident response role?
‘89% of CIOs globally believe that digital business models are creating new levels of risk for their organization and 69% believed that current risk management techniques are inadequate to address this increased risk in a digital world.’
- Gartner, "Flipping to Digital Leadership: The 2015 CIO Agenda"
SOURCE: https://home.kpmg.com/content/dam/kpmg/pdf/2016/01/cyber-security-2015-au-findings.pdf
Risk convergence – keeping CEOs awake at night
• Working in a hyper-connected world, operating in an outside-in architecture
• The business relies on technology like never before
• Business and digital strategies are intertwined
• Digital brings opportunities but opens up new risks and threats
• Technology and cyber risk is a board-level topic
Intent-centric security – or more of the same?
• Cyber security often focusses on the technical – malware, indicators of compromise, anomalous flows
• Cyber security is a people problem
• Cyber intelligence isn’t really intelligence about cyberspace… it should be about what people do
• Controls evolve but breaches continue – what are we doing wrong?
• Behaviour-based safety
• Bringing the disciplines together – very different views
• Tone from the top is critical
• It matters… because criminals are getting more creative…

"Cyber-security is about people, processes and technology, and organisations need to bolster the weakest link - which invariably is the human element.”
- Kevin Mitnick
The Evolutionary Journey
[Chart: security capability plotted against risk across the stages Unaware, Awareness, Crisis, Tactical response and Adaptive evolution; sectors placed along the journey: consumer goods, pharmaceuticals, mining, oil & gas, retail banking, investment banking, aerospace/defence, government.]
The six dimensions of cyber maturity

Leadership and governance: Is the board demonstrating due diligence, ownership, and effective management of risk?

Human factors: What is the level and integration of a security culture that empowers and helps ensure the right people, skills, culture, and knowledge?

Information risk management: How robust is the approach to achieving comprehensive and effective risk management of information throughout the organization and its delivery and supply partners?

Business continuity: Are we prepared for a security event, with the ability to prevent or lower the impact through successful crisis and stakeholder management?

Operations and technology: What is the level of control measures implemented to address identified risks and lower the impact of compromise?

Legal and compliance: Are we complying with relevant regulatory and international certification standards?

Six key dimensions together provide an in-depth view of an organization’s cyber maturity.
Questions for the Board of Directors to ask
1. Do current risk management processes adequately highlight cyber risk to the board?
2. Is the corporate value of information assets clearly understood?
3. Is the corporate impact clearly understood if information assets are stolen, corrupted or destroyed?
4. Does the organisation’s risk appetite take account of cyber risk?
5. What future steps are management planning to stay on top of cyber risk cost effectively?
6. Is there an appreciation of the business benefits of proactively managing cyber risk?
Thank you

Stan Gallo, KPMG Forensic
Tel: (07) 3233 3209 M: 0414 507 742
[email protected]

Heather Hicks, KPMG
Tel: (03) 6230 4077 M: 0423 779363

The information contained in this document is of a general nature and is not intended to address the objectives, financial situation or needs of any particular individual or entity. It is provided for information purposes only and does not constitute, nor should it be regarded in any manner whatsoever, as advice and is not intended to influence a person in making a decision, including, if applicable, in relation to any financial product or an interest in a financial product. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
To the extent permissible by law, KPMG and its associated entities shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss or damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise).
Liability limited by a scheme approved under Professional Standards Legislation.