Cybersecurity: Mitigating Business Risk – IT.CAN 2014, 18th Annual Conference, October 20th 2014


Page 1

Cybersecurity: Mitigating Business Risk

IT.CAN 2014, 18th Annual Conference

October 20th 2014

Page 2

© 2014 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. KPMG CONFIDENTIAL.


Panelist – Benoit-Luc St-Pierre, KPMG

Benoit-Luc St-Pierre, CISA, CISSP
Directeur / Manager
Management et Gestion des risques / Management and Risk Consulting
KPMG
[email protected]

Page 3

2. What are the biggest challenges pertaining to security risks in IT contracting?

1. Data location risks
• Make sure that the party you are dealing with does not store and/or outsource the work – and implicitly your data – to a third party in a foreign country or to an external organization with poor cyber security practices.

2. Proper due diligence
• It is good security practice to ensure that proper background checks have been done on external contractors who will have privileged access to your data, prior to the beginning of the work. Federal Canadian Government clearance requirements such as the “Reliability Status” and “Secret” levels for individuals are very common.
• Depending on the risks involved, ensure that the 3rd party has cyber insurance with adequate coverage.

3. Addressing 3rd party cyber security risks
• New 3rd party vendor access to the network could introduce new risks and threat sources to data integrity and confidentiality.
• Depending on the nature of the service delivered by the 3rd party, it could be good practice to ensure that the 3rd party vendor has implemented sound security practices. It is very common for outsourcing IT companies to undergo independent IT controls and security audits.

Page 4

3. What is the most important cybersecurity technical development and why?

Cybersecurity Framework for Critical Infrastructure
• Issuer (Country): NIST (US)
• Issue date: February 12, 2014
• Industry: Power and water utilities, gas and oil transportation*
• Highlights: Controls are divided into 5 sections (functions):
1. Identify (governance, assets and risk management, etc.)
2. Protect (access control, data security, protective technology, etc.)
3. Detect (security monitoring, etc.)
4. Respond (communications, analysis, mitigations, etc.)
5. Recover (recovery planning, etc.)

Cyber Security Questionnaire
• Issuer (Country): OSFI (Canada)
• Issue date: October 28, 2013
• Industry: Federally Regulated Financial Institutions (banks, trusts, some credit unions, insurance companies)*
• Highlights: Self-assessment questionnaire on cyber security practices designed to assess the maturity level (5 levels) of the organization. Divided into 6 sections:
1. Organization and Resources
2. Cyber Risk and Control Assessment
3. Situational Awareness
4. Threat and Vulnerability Risk Management
5. Cyber Security Incident Management
6. Cyber Security Governance

*Can be adapted or used in any type of industry

Page 5

Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Action on Objectives

The “Cyber Kill Chain” methodology, developed by Lockheed Martin in 2011, is gaining traction in organizations that are constantly under pressure from Advanced Persistent Threats (APTs). Developed in response to the increasing threat of APTs across the globe, this methodology breaks an attack down into 7 chained steps. An attacker must have successfully executed all steps to “win”, while the defender only has to block the attacker in any one of the steps to stop the attack.

[Figure: seven-step attack diagram – 01 Recon, 02 Lure, 03 Redirect, 04 Exploit kit, 05 Dropper file, 06 Call home, 07 Data theft]

Page 6

4. What is one of the most useful practices when addressing cybersecurity risks?

1 - Test the effectiveness of your cyber security controls and your incident response process. Knowing that your security is good is better than just thinking / assuming it is good.

2 - Security monitoring / analytics is crucial for rapid breach detection and response actions. Failure to act upon security alerts could be disastrous. For example, malware detection alerts were sent to Target security team but they did not act in a timely manner to stop the attack.

3 - Perform an independent assessment of your cyber defenses (firewalls, IDS/IPS, WAF, anti-virus, anti-spam, DLP, etc.). This can materialize in many forms, such as:

• Network penetration testing (at least once a year);

• Web application security testing (common attack vector for data breaches);

• Social engineering testing (common attack vector for APTs);

• Physical testing (building & server room access, card security, piggybacking);

• System security configuration audits: servers, workstations, firewall rules, databases, etc.

Page 7

5. What is one of the most important best practices when dealing with data breaches?

1. Have a plan ready for external communications. Customers, shareholders and regulators are now very demanding on organizations to respond quickly.

2. Have a cybersecurity incident response team with experienced people.

3. Have data breach containment procedures well documented and tested.

4. The maturity of the forensic shop is an important factor: it must be competent and fast. For large incidents it is good practice to engage an independent party to secure the evidence and perform the investigation.

Page 8

6. What do you consider as being the biggest impact triggered by Edward Snowden’s revelations?

• NDAs and personnel security vetting do not suffice for organizations to protect against internal threats. Organizations should implement a very structured, global cybersecurity framework.

Page 9

7. CYBER INSURANCE: What are some of the key considerations for companies considering cyber insurance or seeking to improve coverage in a renewal?

1 - Have a good understanding of your cybersecurity risks and the mitigating controls in place before buying cyber security insurance.

2 - Know the cybersecurity maturity level of the organization. It is important that companies assess themselves, or are assessed by a third party, before buying cyber security insurance.

3 - Have well designed and effective security controls in place. The weaker the IT environment is in terms of cyber security risks, the more likely the premium fees are to be higher.

4 - Companies may have to disclose their cyber security risks to an insurer and demonstrate mitigating controls through a self-assessment questionnaire or a 3rd party audit on behalf of the insurer.

5 - Choose the cyber insurance product with the best added value for the organization. Chubb, for example, offers some customers a form of no-loss deductible on some cyber policies where – if no claims are made in a given year – part of the deductible is returned to the customer to be used on enhancing their level of security (e.g. performing external penetration tests).

Page 10

Extra slides

Page 11

Threat awareness | The cyber criminals

• Petty Criminals – Motives: Financial gain
• Hacktivists / Terrorists – Motives: Political support
• Organized Criminals – Motives: Financial gain
• State sponsored – Motives: State agenda

Page 12

Data Breaches in the News 2004-2014

Data source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 13

Lessons learned from the Target data breach – Highlights

1. Have sufficient cyber insurance coverage – The data breach cost Target at least $235 million so far, and they were only able to recoup $90 million from their cyber insurance policy coverage. Hackers stole the financial and personal information of 110 million customers.

2. Third parties can be a potential data breach source – The root cause of the breach was identified as a compromised remote access account belonging to a small Pennsylvania HVAC company. Hackers targeted the third party company first, then managed to obtain the vendor's remote access VPN credentials and access Target’s network. The third party vendor's remote access was used for electronic billing, contract submission and project management.

3. Act upon alerts received – Malware detection alerts were sent to Target security team but they did not act in a timely manner to stop the attack.

4. Network segregation is important – It appears that the hackers were successful at accessing POS systems from a less sensitive network area. PCI regulations are very strict about POS network access controls.

5. Data breaches impact shareholders as well – The stock price lost 11.3% of its value in the first 3 months after public disclosure. Also, CEO Gregg Steinhafel was removed by the Board of Directors on May 5, 2013. On May 28, Institutional Shareholder Services (ISS) recommended that Target shareholders vote out seven of its 10 board members, including members of the Audit and Corporate Responsibilities committees.

Page 14

Lessons learned from the Target data breach – Stock prices don’t like bad publicity

Stock price lost 11.3% of its value in the first 3 months

Page 15

Thank you

Presentation by Benoit-Luc St-Pierre

Page 16

KPMG CONFIDENTIAL

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2014 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.