ISACA Kenya Annual Conference - Secure Kenya II
Data Protection, Privacy and Cyber Security
SONY ANTHONY
RISK CONSULTING
July 2015
© 2015 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Setting the Context: Cyber Security and Technology
How many of you bank online?
How many of you receive banking statements by email?
Which file format do you trust most? (EXE, PDF, JPG, DOC)
Setting the Context: The Central Bank of India... sending me an email... wow.
Setting the Context: A little digging... banker, professor, therapist?
Setting the Context: Initiate a scan, and a pop-up asking for credentials appears, but no risk is reported.
Setting the Context: Maybe my antivirus is old. Let's update it. Still no risk... (Properties)
Setting the Context: Let's focus on the email properties.
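As an added example (not part of the original presentation), this is the kind of header check the "email properties" slide points at: parse the raw message and compare the domain in the visible From: line against the envelope sender (Return-Path), the Reply-To, and the host named in the earliest Received: line. The message below is constructed for the example; domains use the reserved .example TLD and addresses come from the 203.0.113.0/24 documentation range.

```python
"""Triage the headers of a suspicious e-mail: compare what the visible From:
line claims against the envelope sender, Reply-To and the Received: chain.
Added example; the message below is constructed, not a real lure."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample: a lure claiming to come from a bank, relayed through a
# bulk mailer. Continuation lines are indented so the parser unfolds them.
SAMPLE_EMAIL = """\
Received: from mx.victim.example (mx.victim.example [203.0.113.10])
    by mail.victim.example with ESMTP id abc123; Mon, 6 Jul 2015 09:12:01 +0300
Received: from bulk-mailer.cheaphost.example (bulk-mailer.cheaphost.example [203.0.113.77])
    by mx.victim.example with SMTP; Mon, 6 Jul 2015 09:11:58 +0300
Return-Path: <bounce@cheaphost.example>
From: "Central Bank" <statements@centralbank.example>
Reply-To: <support-desk@cheaphost.example>
To: victim@victim.example
Subject: Your account statement
Content-Type: text/plain

Please open the attached statement.
"""


def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    if header_value is None:
        return ""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def analyze_headers(raw):
    """Return the From domain plus a list of mismatches worth a second look."""
    msg = Parser(policy=policy.default).parsestr(raw)
    from_dom = _domain(msg["From"])
    findings = []

    # 1. The envelope sender (Return-Path) normally matches the From domain.
    rp_dom = _domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")

    # 2. A Reply-To elsewhere means replies go to the attacker, not the bank.
    rt_dom = _domain(msg["Reply-To"])
    if rt_dom and rt_dom != from_dom:
        findings.append(f"Reply-To domain {rt_dom} != From domain {from_dom}")

    # 3. Each hop prepends a Received: line, so the last one in the list is
    #    the first hop our side saw and names the host that submitted the mail.
    received = msg.get_all("Received") or []
    if received:
        m = re.search(r"from\s+(\S+)", str(received[-1]))
        origin = m.group(1).lower() if m else "?"
        if from_dom and not origin.endswith(from_dom):
            findings.append(f"first hop {origin} is not under {from_dom}")

    # 4. Authentication-Results, added by our own MTA, would settle SPF/DKIM;
    #    without it the From header is simply unverified text.
    if msg["Authentication-Results"] is None:
        findings.append("no Authentication-Results header: From is unverified")

    return {"from_domain": from_dom, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for finding in analyze_headers(SAMPLE_EMAIL)["findings"]:
        print("-", finding)
```

Only the Received: lines and Authentication-Results added by your own mail servers can be trusted; everything below them, including earlier Received: lines, was written by the sender and can be forged, which is why the check works from the top of the chain down.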
At this point:
My gut feel: I am hacked!
My latest updated antivirus says: I am safe!
What do you think?
Setting the Context: Digging further...
The front end: an innocent-looking Word document.
The back end: embedded malicious code that will steal all data from the victim.
Setting the Context: An EXE that copies, multiplies and renames itself... Aaaarrrggghhh
Where the code is stored on the victim's computer
Malicious code disguised and executed by a Word macro...
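Added example, not from the original deck: a static triage of a Word attachment that flags the two things the antivirus here missed, namely that the package carries a VBA project at all, and that the file extension does not match what is inside (a macro-enabled document renamed to .doc is still opened as macro-enabled, because Word sniffs the real format). The sample document is constructed in memory and its VBA part is a placeholder blob; the check is structural and does not parse macro code.

```python
"""Static triage of a Word attachment: does it carry a VBA project, and does
its extension match its contents? Added example with a constructed sample."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Content types from the OOXML package conventions Word itself uses.
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_PART = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container


def make_sample_docm():
    """Constructed macro-enabled document: a minimal OOXML zip whose content
    types declare a VBA project. The VBA blob itself is a placeholder."""
    content_types = f"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="bin" ContentType="{VBA_PART}"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>
</Types>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()


def inspect_office_file(data, filename):
    """Findings for an attachment's bytes and the name it was delivered under."""
    ext = filename.rsplit(".", 1)[-1].lower()
    result = {"filename": filename, "container": None, "has_vba": False,
              "findings": []}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams, which needs an
        # OLE parser (e.g. oletools' olevba) rather than a zip reader.
        result["container"] = "ole"
        result["findings"].append(
            "legacy OLE container: macros possible, inspect with an OLE parser")
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        result["container"] = "unknown"
        result["findings"].append("not an Office container despite the extension")
        return result
    result["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "[Content_Types].xml" not in names:
            result["findings"].append("zip archive without OOXML content types")
            return result
        declared = {e.get("ContentType")
                    for e in ET.fromstring(z.read("[Content_Types].xml"))}
    has_vba = ("word/vbaProject.bin" in names or VBA_PART in declared
               or MACRO_MAIN in declared)
    result["has_vba"] = has_vba
    if has_vba:
        result["findings"].append("VBA project present: document can run code on open")
        if ext == "docx":
            result["findings"].append(
                "extension .docx but macro parts inside: mislabelled macro document")
        elif ext == "doc":
            result["findings"].append(
                "OOXML content under a legacy .doc name: Word opens it as macro-enabled")
    return result


if __name__ == "__main__":
    for name in ("statement.docm", "statement.doc"):
        print(name, inspect_office_file(make_sample_docm(), name)["findings"])
```

An antivirus verdict of "safe" says nothing about whether a document contains macros; this check answers that question directly, and a positive result for an attachment that claims to be a bank statement is enough to quarantine it regardless of the AV result.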
Status:
The victim has been completely compromised just by opening a Word document,
and is under the complete control of the attacker.
Setting the Context: On the attacker's screen, multiple people like me across geographies.
Bots waiting for commands, and you are one of them.
The attacker sees what users are currently doing on their systems.
The attacker obtains access to all shares on the victim's computer.
The attacker is able to search for files on the victim's computer remotely.
Setting the Context: Smile please... and clear your voice... you're on stage.
The attacker is able to take control of the victim's camera and watch the victim without his or her knowledge.
The attacker is able to listen to and record voice calls (Skype) through the victim's microphone or sound card.
The attacker is able to extract all passwords stored in browser and cookie files.
The attacker is able to install keyloggers that capture transactions, chats, emails, and document or spreadsheet edits.
The attacker is able to take control of the victim's screen when the victim is not in front of the computer.
The attacker is able to attack other systems on the network.
The attacker is able to enumerate network shares and compromise other machines via the victim's computer.
The attacker is able to shut down the victim's computer and perform other maintenance activity on it.
The attacker is able to remotely update and upgrade the malicious code for continuous, undetected access.
Setting the Context: Malware detected (Day 1 and Day 30)
The crypter: crypters encrypt or obfuscate viruses, RATs, keyloggers, spyware and similar tools so that signature-based antivirus no longer recognizes them.
When these EXE files are wrapped with FUD ("fully undetectable") crypters they pass antivirus at the time of delivery; detection catches up only as samples are collected and signatures written, which is why the detection rate on Day 1 differs from that on Day 30.
Setting the Context: Services on the Internet are growing, and so are hack attacks
• It is a media library that processes several popular media formats (the Android Stagefright library, disclosed in July 2015).
• Attackers only need your mobile number: with it they can remotely execute code via a specially crafted media file delivered by MMS.
• A fully weaponized attack could even delete the message before you see it. You would only see the notification (and that can be masked too, if required).
Cyber Security - Leadership - Brewery Case Study
Cyber Security - Human Resourcing - Banking Case Study
Cyber Security - Third Party / Suppliers - Retail Case Study
Cyber Security - Business Continuity & Management - Product Case Study
Product release delayed!
Cyber Security - Operations and Technology - Telecom Customer Data Network
Rogue Website Detection
• Identify rogue websites such as phishing sites, scam sites, etc.
• Detect cybersquatting domains and websites; site takedown
App Store Monitoring
• Monitor the various app stores for counterfeit software and scam apps that damage the brand.
• Detect unauthorized use of the brand name or logos, company goodwill and reputation.
Social Media Listening / Monitoring
• Detect private, confidential or secret information shared over social media platforms.
• Detect threats against facilities or employees, or any information that could lead to a corporate security compromise.
Anti-counterfeit
• Monitor products and brand in various marketplaces, including but not limited to the gray market and unauthorized product distribution channels.
• Maintain compliance and trust with distribution partners.
IPR / Informational Asset Leakage Detection
• Detect IPR data and documents shared on public domains and sharing sites.
• Detect unauthorized sharing of confidential information by vendors or employees on public domains.
• Detect leakage of informational assets such as financial details, network diagrams, technological data, etc.
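An added example of the cybersquatting detection listed above (illustrative code, not KPMG's monitoring tooling): generate the one-edit look-alike labels an attacker would register for a brand, then classify newly observed domains against them, flagging exact variants, the brand label reused as a subdomain of someone else's domain, and near-misses within a small edit distance. The brand label `examplebank`, its legitimate TLDs and the candidate feed are constructed for the example.

```python
"""Cybersquatting triage for brand-protection monitoring: enumerate the
look-alike labels an attacker would register and classify observed domains
against them. Added example; the brand and candidates are constructed."""

# Single-character substitutions that look alike in an address bar or e-mail.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4",
              "s": "5", "g": "9", "b": "8", "m": "rn", "w": "vv"}


def generate_variants(label):
    """Return the set of one-edit look-alikes of a brand label."""
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                  # omission
        variants.add(label[:i] + ch + label[i:])                  # repetition
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
            variants.add(label[:i + 1] + "-" + label[i + 1:])     # hyphenation
        if ch in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])      # homoglyph
    variants.discard(label)
    return variants


def edit_distance(a, b):
    """Levenshtein distance, for near-misses the generator does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(candidate, brand_label, brand_tlds=("co.ke", "com")):
    """Return (verdict, reason) for a domain seen in new registrations,
    certificate transparency logs or proxy logs. brand_tlds are the TLDs
    under which the brand legitimately owns the label (assumed here)."""
    cand = candidate.lower().rstrip(".")
    if cand in {f"{brand_label}.{tld}" for tld in brand_tlds}:
        return ("legitimate", "registered brand domain")
    labels = cand.split(".")
    if brand_label in labels:
        return ("squat", "brand label used inside another domain")
    first = labels[0]
    if first in generate_variants(brand_label):
        return ("squat", "one-edit typo or homoglyph of the brand")
    if brand_label in first:
        return ("suspicious", "brand embedded in a longer label")
    if edit_distance(first, brand_label) <= 2:
        return ("suspicious", "within edit distance 2 of the brand")
    return ("unrelated", "")


# Constructed candidates, as they might arrive from a daily registration feed.
SAMPLE_FEED = ["examplebank.co.ke", "examplebank.com", "exarnplebank.co.ke",
               "examplbank.com", "secure-examplebank-login.com",
               "examplebank.co.ke.verify-now.example", "otherbank.example"]

if __name__ == "__main__":
    for domain in SAMPLE_FEED:
        print(domain, *classify_domain(domain, "examplebank"))
```

The variant set is small enough to pre-register defensively or to feed into a blocklist; the edit-distance fallback is what catches the two-character misspellings a fixed list misses, at the cost of needing an analyst to confirm before takedown.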
Cyber Security - Regulations / Compliance
Sony executives bowed in apology today for a security breach in the company's PlayStation Network that caused the loss of personal data of some 77 million accounts on the online service.
Cyber Security: How KPMG Can Assist
We believe cyber security should be about what you can do, not what you can't.
Principles of our approach:
1. Driven by business aspirations
2. Razor-sharp insight
3. Shoulder to shoulder
Boards today are required to take on enhanced roles and responsibilities that focus on (a) providing confidence to investors, (b) adhering to regulators, (c) working with insurers and (d) working towards minimizing potential litigants.
KPMG Global Cyber Maturity Framework: Cyber Security - Six Domains
Within this cyber maturity framework, a strong communication plan focuses on the details and complexity of ongoing communication and direction between the board and management. This helps achieve a reliable flow of information among a broad mix of stakeholders. It is not only the frequency of communication that needs to be reassessed, but also the quality and efficiency of communication when addressing risks. The framework keeps in mind that security is only as strong as its weakest link, and the weakest link is most often people, whether an insider, human error or another human factor.
Our transformative framework, with a proactive approach, helps shape proper dialogue and improves the overall information flow to become more transparent and sustainable, thus closing the loop.
Cyber Security Transformation: Overview of Our Cyber Transformation Approach
Prepare: help clients understand their vulnerabilities and improve their preparedness against cyber attack.
Protect: help clients design and implement their cyber defense infrastructure.
Detect & Respond: help clients respond to and investigate cyber attacks.
Integrate: embed cyber security in the culture and decision making of client organizations.
Threat Intelligence: help clients implement and use intelligence as a springboard for delivering effective cyber security.
Cyber Transformation: help clients design and deliver a wholesale program of change to improve cyber security capability.
Cyber Security Transformation: Our Core Service Offerings Within Each Phase

1. Prepare
Help clients understand their vulnerabilities and improve their preparedness against cyber attack: understanding the value of critical assets and cyber maturity, and setting the cyber security strategy.
Cyber Maturity Assessment - rapid assessment of your organization's readiness to prevent, detect, contain and respond to cyber threats
Cyber Security Strategy - assist in designing and implementing cyber security strategies and aid governance, risk and compliance

2. Protect
Help clients design and implement their cyber defense infrastructure.
Security and technology assessments - test and improve all elements of security and technology infrastructure, including penetration and vulnerability testing
Application security assurance - understand, assess and address the critical application risks
Information Management and Privacy - rapid assessment of your current privacy and records management practices to identify and address issues that may result in non-compliance
Certification services - certification against international information security standards (ISO 27x, NIST)
Identity and access management - enterprise system access aligned to roles and privileges

3. Detect and Respond
Help clients respond to and investigate cyber attacks.
Cyber attack detection - assist in deployment of monitoring and sophisticated data analytics on the client's networks
Rapid response teams - assist to contain, manage and recover from current cyber attacks
Forensic evidence recovery and investigation - provide advanced digital forensics capability to gather, preserve and interpret large data sets, and deleted or ephemeral data, in order to prove a chain of events
Advanced training and cyber response capability development

4. Integrate
Embed cyber security in the culture and decision making of client organizations: integrating cyber into the enterprise risk framework and wider business operations.
Board training - awareness and scenario-based training
Enterprise risk management policy - design and implementation
Business continuity planning - reduce exposure, build plans, build capability
Behavioral change management

5. Threat Intelligence and 6. Cyber Transformation
Help clients implement and use intelligence as a springboard for delivering effective cyber security: build the capability to make intelligence-based decisions and deploy organization-wide cyber security. Help clients design and deliver a wholesale program of change to improve cyber security capability.
Threat intelligence operating models - assist in development and implementation of threat models across the people, process and technology required to make intelligence-led decisions
Security Operations Centers - assist in design and implementation
Cyber security transformation programs - assist in design and delivery of organization-wide cyber security transformation programs
Setting the Context: Cyber Security Threats and Events in the Region
Cyber Security Realities in the Region
• Uganda: the 2012-2013 annual Police crime and traffic report attributes the loss of about USh 1.5 billion to mobile money and Automated Teller Machine (ATM) fraud.*
• Cybercrime is said to have cost the Kenyan economy nearly KES 2 billion (USD 23 million) in 2013.**
• The Kenya Cyber Security Report 2014 ranked Kenya among the top countries for incidents of cybercrime, alongside the United States (US), Brazil, China and South Korea.
• The African Union (AU) adopted the “African Union Convention on Cyberspace Security and Protection of Personal Data” in July 2014.
• The Northern Corridor Integration Project member states (the Republics of Kenya, Rwanda, South Sudan and Uganda) have developed a Memorandum of Understanding on a Cyber Security Framework for cooperation and collaboration in preventing and responding to evolving cyber security threats. (The memorandum is scheduled for signing in mid May 2015 during the next Northern Corridor Integration Summit in Kampala.)
• The Ministry of Information, Communication and Technology, Government of Kenya, developed a Cyber Security Strategy in February 2014.
• Kenya is drafting a Cyber-Crime and Computer Related Offences Bill to tackle cyber crime and data breaches.
• Bank of Tanzania (BoT) statistics: TZS 1.3 billion has been stolen across the country through cyber fraud.*
Sources:
* Kenya Cyber Security Report 2014
** http://www.article19.org/resources.php/resource/37652/en/kenya:-cybercrime-and-computer-related-crimes-bill#sthash.NjxkxbMI.dpuf
KPMG Global Cyber Maturity Framework: Board Oversight and Engagement

I. LEADERSHIP AND GOVERNANCE
Management demonstrating due diligence, ownership and effective management of risk
What should management do?
• Define ownership and governance structure
• Identify sensitive data assets and critical infrastructure
• Inventory third party supplier relationships
• Perform assessment of current capabilities
• Define a strategy and approach
• Educate the board and executive management
How should boards engage?
• Understand the governance structure and have open dialogue with the executive leadership team
• Review output of the capability assessment
• Review and approve strategy and funding requests
• Participate in general board education
• Request periodic updates on the program

II. HUMAN FACTORS
The level and integration of security culture that empowers and helps to ensure the right people, skills, culture and knowledge
What should management do?
• Define culture and expectations
• Implement general training and awareness programs
• Implement personnel security measures
• Define talent management and career architecture
• Develop specific learning paths for key personnel
How should boards engage?
• Set the tone for the culture
• Review patterns and trends of personnel issues
• Understand training and awareness protocols

III. INFORMATION RISK MANAGEMENT
The approach to achieve thorough and effective risk management of information throughout the organization and its delivery and supply partners
What should management do?
• Develop risk management approach and policies
• Identify risk tolerance and communicate it
• Link risks to sensitive data assets
• Perform risk assessments and measures
• Perform third-party supplier accreditation
• Report relevant metrics
How should boards engage?
• Understand the risk management approach and its linkage to enterprise risk
• Review and approve risk tolerance
• Understand the third party supplier program
• Review and question program metrics
KPMG Global Cyber Maturity Framework: Board Oversight and Engagement (continued)

IV. BUSINESS CONTINUITY AND CRISIS MANAGEMENT
Preparation for a security event and the ability to prevent or reduce its impact through successful crisis and stakeholder management
What should management do?
• Assess current ability to manage cyber events
• Perform analysis of risks and financial requirements
• Develop robust plans
• Assign resources and develop training
• Integrate with corporate communications
• Perform testing of plans
How should boards engage?
• Understand current response capability
• Review status of overall plan maturity
• Meet with communications personnel
• Participate in table-top exercises

V. OPERATIONS AND TECHNOLOGY
The level of control measures implemented to address identified risks and reduce the impact of compromise
How should boards engage?
• Understand current maturity of the control structure
• Review relevancy of the selected control framework
• Review relevant incident trend metrics
• Meet with the CIO or equivalent to understand the integration of cyber and information technology trends

VI. LEGAL AND COMPLIANCE
Regulatory and international certification standards as relevant
What should management do?
• Catalog all relevant compliance metrics
• Link compliance requirements to the control framework
• Formalize the role of the audit committee
• Identify risk tolerance and communicate it
• Develop litigation inventory and trending
• Analyze and recommend the need for cyber insurance
How should boards engage?
• Understand the regulatory landscape impacting the organization
• Clarify audit committee requirements for cyber
• Review litigation inventory trends
• Review and approve cyber insurance funding (if relevant)
KPMG Global Cyber Maturity Framework: KPMG Cyber Security Maturity Assessment - Maturity Levels
[Chart: the client's overall maturity rating plotted against the recommended maturity rating for the client, the financial services sector average and the insurance sector average, on the 0 to 4 scale below.]

Levels, descriptions and cyber security requirements:

Level 0 - INITIAL (ad hoc, unpredictable, poorly controlled, reactive)
• No clear understanding and ownership of the cyber risks within the leadership team.
• Cyber security approach is not risk based and very ad hoc in nature.
• Basic technical capability: perimeter security such as firewalls, and endpoint security such as antivirus.

Level 1 - REPEATABLE (basic process management, repeatable tasks)
• The leadership team has an understanding of how cyber risks can impact their business, and risk appetite is defined.
• Enterprise-wide, coordinated approach to security.
• Mid-tier technical capability: operating system hardening, application hardening and other relevant preventive controls.

Level 2 - DEFINED (defined and documented processes, proactive)
• The leadership team has directed and resourced the work needed to address cyber security risks.
• A well-defined security architecture that meets the business needs.
• Effective information risk management processes in place.
• Enhanced technical capability: defence-in-depth architecture with logging enabled.

Level 3 - MANAGED (processes integrated, measured and controlled)
• Governance framework to monitor the embedding of information security within the culture of the organisation.
• Security controls are implemented in a coordinated manner to ensure compliance with the defined security architecture.
• Extended technical capability: ability to correlate events to identify and pre-empt malicious activity.

Level 4 - OPTIMISED (continual improvement, organisational alignment)
• The need to protect information assets owned by both the internal and external stakeholders of the organisation as key business assets is embedded within its culture.
• The information and cyber security program is subject to a continuous improvement regime.
• Leading-edge security solutions: big data based security analytics.
KPMG will compile a report that provides a breakdown of maturity against the six key dimensions.
Thank You
The KPMG name, logo and "cutting throughcomplexity" are registered trademarks or trademarksof KPMG International Cooperative ("KPMGInternational").
Sony Anthony
Director
KPMG India
+91 9845565222