Cybersecurity – How to protect...» Cyber awareness is very low for both management & employees » 85% of cyber incidents we have dealt with have been ransomware » 98% of victim

Sandy Boucher, Barry Kuang, Grant Thornton LLP

December 7, 2016

Cybersecurity –How to protectyourself and yourcompany?

Grant Thornton Canada

2© 2016 Grant Thornton Corporate Finance Inc. A Canadian Member of Grant Thornton International Ltd. All rights reserved.

$597millionin revenue

over

2,700professionals

378 partners/principalsand

CanadiansnapshotReported combined 2015 statisticsfor Grant Thornton LLP andRaymond Chabot Grant Thornton,who together form Grant Thorntonin Canada, the Canadian memberfirms of Grant ThorntonInternational Ltd.

9 consecutive years (2008-2016)

143over

Canadianoffices

Three areas of focus for today

INTRODUCTION


Update on current cybersecurity risks and trends

Overview of two recent data breach scenarios

Overview of what companies need to do to

Our latest research reveals that cyber attacksare taking a serious toll on business

CYBERSECURITY RISKS & TRENDS

4© 2016 Grant Thornton LLP. A Canadian Member of Grant Thornton International Ltd. All rights reserved.

The Grant Thornton International Business Report (IBR), a globalsurvey of 2,500 business leaders in 35 economies

Our latest research reveals that cyber attacksare taking a serious toll on business



Nearly half of firms areputting themselves in the

firing line with nocomprehensive strategyto prevent digital crime.

Who and what is out there?



The whyFinancialIdeologicalRevenge

The whoCriminal enterpriseCyber insiderScript kiddiesHacktivistTerroristNation state

Criminal hackersNation state – defence &

commercial IP, any relevantintelligenceLarge syndicates – custom built

malware, targeted at significantenterprises. Seeking PII, financialand banking infoLower level groups/individualsfinancial gain, ransomwarefun/challenge

Employee Enabled Threats



The howSocial engineering

Clickbait: link or attachment

Drive by downloads

Watering hole attacks

Social networking attacks

Phishing

Spear phishing

Ransomware

CFO Fraud/whaling/BEC

Mobile malware

What are they After?

Financial gain

Personal Identifying Information

Financial/banking information

Intellectual property

Competitive intelligence

Clickbait



SymantecOperationShady RAT



SymantecOperation

Shady RAT

2006 – 2011

intrusionslasted from

1 – 28months



Carbanak bank attack



Sample AlphaBay (a dark web marketplace)









DyreMalware



DyreMalware



Ransomware & other tools are cheap



Ransomware & Extortion



Employee Response Rate to Cyber Attack byEmail



https://www.nomoreransom.org/



Case Studies

DATA BREACH CASE STUDIES


Ransomware Attack – 2016 Canada



1. Client server is hit by a ransomware employee clicked on anemail attachment

2. No AV system present

3. "Backup system" was on an external USB drive – attached at thetime of the attack and encrypted

4. Did not pay ransom before due date had to rebuild files frompaper documents

RansomwareAttack –2016 Canada



Ransomware Attack – 2016 Canada



RansomwareAttack -Canada



Ransomware Attack - Canada












Server breach case - Canada

HOW TO PROTECT YOUR ORGANIZATION


1. Client server is hit by a ransomware. mention of earlier "bot net"problem that was fixed by their IT.

2. External IT support is a travel agent away on a 2 month trip

3. Available logs went back to 2015-10-8 (6 months before thediscovery)

4. The victim struggled to get rid of the problem by installingmultiple anti-virus solutions.

5. Breached by multiple IP addresses from around the world

6. Server was used to buy and sell online gaming equipment

Serverbreachcase-Canada












Server breach case - Canada



» System breached through remote desktop service, used by clientfor smaller office

» Router was not properly configured AND no proper firewall used

» Multiple hackers able to breach security with brute force attack

» Initial breach symptoms not properly understood by management

» Eventually lost all their data over their busiest time of the yearAND required a complete rebuild

» Unable to access any systems including payroll, email, clientmanagement software etc.

What we are seeing



» Cyber awareness is very low for both management & employees

» 85% of cyber incidents we have dealt with have been ransomware

» 98% of victim organizations did not have commercial AVsoftware

» 99% of victim organizations did not have sufficient data backup

» 100% of victims used outsourced IT contractors

» 99% of infected computers were Windows based

» In more sophisticated hacks, time to discovery is months or longer

» Low level of knowledge on cyber insurance

What we are seeing



Network Perimeter Security



Traditional responses to cyber threats havebeen IT based and focused on what we canbuild to protect our systems and the datathey contain. Network Perimeter Security

Recently the focus has changed to a morecomprehensive approach – cyber threats are abusiness issue, not an IT issue.

Forward thinking organizations tend to view theproblem differently.

What is out there that we should worry about?

What information and data assets do we have thatneed protecting?

Where are the weaknesses in our system?

Where should we focus our resources tomaximize the impact?

Network Perimeter Security



Perimeter defence is obsolete

Defence in depth or layered defence

Awareness

Staff training – the human firewall

Adequate backups (offline & physical)

Risk assessment

Resilience

Cyber insurance

Cybersecurity Functions and Elements



Governance Policies Risk assessmentand system

reviews

Data privacy Incident responseand

investigations

Digitaltechnology

security

Payment security Businessresilience

Third-partyassurance

Identity andaccess

management

Security trainingand professional

development

Number points


Managementawareness. what data &systems are vulnerable

Risk assessment – whatare your key digitalassets, vulnerabilities?

Train employees, cybersecurity awareness bestpractices

Ensure AV, firewalland backups areadequate

Assume a breach willhappen and planaccordingly

Have a cyber incidentresponse plan. Who, what,how, remediation,recovery, communication

Audit • Tax • Advisory© 2016 Grant Thornton Corporate Finance Inc. A Canadian Member of Grant Thornton International Ltd. All rights reserved.

www.grantthornton.ca

Sandy Boucher,Senior Investigator, GrantThornton LLPT +1 416 369 7027E [email protected]

Documents

Cybersecurity – How to protect...» Cyber awareness is very low for both management & employees » 85% of cyber incidents we have dealt with have been ransomware » 98% of victim