
Page 1: Data Protection, Privacy and Cyber Security · Cyber Security - Regulations/ Compliance. Sony executives bowed in apology today for a security breach in the company's PlayStation

ISACA Kenya Annual Conference - Secure Kenya II

Data Protection, Privacy and Cyber Security

SONY ANTHONY

RISK CONSULTING

July 2015

Page 2

© 2015 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Setting the Context: Cyber Security and Technology

How many of you bank online?

How many of you receive banking statements by email?

What file format do you trust most? (EXE, PDF, JPG, Doc, JPG)

Page 3

Setting the Context: Central Bank of India... sending me an email... wow.

Page 4

Setting the Context: A little digging... banker, professor, therapist?

Page 5

Setting the Context: Initiate a scan and a pop-up for credentials appears – but the antivirus reports no risk

Page 6

Setting the Context: Maybe my antivirus is old; let's update – still no risk... (Properties)

Page 7

Setting the Context: Let's focus on the email properties.

Page 8

Setting the Context: Cyber Security and Technology

At this point:

My gut feel: I am hacked!

My latest updated antivirus says: I am safe!

What do you think?

Page 9

Setting the Context: Digging further...

The front end: an unsuspecting Word document.

The back end: embedded malicious code that will steal all data from the victim.

Page 10

Setting the Context: An EXE that copies, multiplies and renames itself... Aaaarrrggghhh

Code stored location on the victim computer

Malicious code disguised and executed by a Word macro...
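The delivery vector this slide describes, a Word document whose macro launches the payload, is something a defender can screen for without relying on antivirus signatures. The following is an added example, not code from the deck or from KPMG: a small Python triage check that opens a modern Word file (a ZIP container) and reports whether it carries a VBA project part or declares the macro-enabled content type. The sample documents it builds are constructed in memory and contain no real macro code; the part name word/vbaProject.bin and the content type strings are the standard OOXML values.

```python
"""Added example (not from the KPMG deck): a signature-independent triage
check for a Word document carrying a VBA macro.

A modern Word file (.docx / .docm) is a ZIP container.  When it carries VBA
code the archive holds a part named word/vbaProject.bin, and its
[Content_Types].xml declares the macro-enabled content type.  Either
indicator is enough for a mail gateway or an analyst to route the file to a
sandbox, whatever the antivirus verdict says.

The sample documents built here are constructed in memory and contain no
real macro code.
"""
import io
import zipfile

# Standard OOXML part name and content types for Word documents.
VBA_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal Word-like ZIP container (a constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        content_type = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{content_type}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for the OLE2 VBA project; constructed, not real VBA.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


def triage_document(data: bytes) -> dict:
    """Report macro indicators for a Word document supplied as bytes."""
    result = {
        "is_ooxml": False,
        "has_vba_project": False,
        "macro_content_type": False,
        "verdict": "unknown",
    }
    if not data.startswith(b"PK"):
        # Legacy binary .doc files are OLE2 (D0 CF 11 E0) and need a different parser.
        result["verdict"] = "not-ooxml"
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Compare case-insensitively so a differently cased part name is not missed.
            lowered = {n.lower() for n in names}
            result["is_ooxml"] = True
            result["has_vba_project"] = VBA_PART.lower() in lowered
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["macro_content_type"] = MACRO_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        result["verdict"] = "corrupt-zip"
        return result
    if result["has_vba_project"] or result["macro_content_type"]:
        result["verdict"] = "macro-bearing: quarantine and detonate in a sandbox"
    else:
        result["verdict"] = "no macro found (other vectors are not ruled out)"
    return result


if __name__ == "__main__":
    for label, flag in (("macro document", True), ("plain document", False)):
        print(label, triage_document(build_sample_doc(flag)))
```

The check looks inside the archive rather than at the file extension, because a macro-bearing container renamed to .docx still holds the vbaProject.bin part. The legacy OLE2 .doc format is reported as not-ooxml instead of being parsed; that format needs an OLE parser such as the olevba tool from oletools. A clean result here only says that no VBA project was found, not that the document is safe.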

Page 11

Setting the Context: Cyber Security and Technology

Status:

Victim has been completely compromised just by opening a Word document.

And is under complete control of the attacker...

Page 12

Setting the Context: On the attacker's screen – multiple people like me across geographies.

Bots waiting for commands, and you are one of them.

Attacker sees what users are currently doing on their systems.

Page 13

Setting the Context: Cyber Security and Technology

Attacker obtains access to all shares of the victim's computer.

Page 14

Setting the Context: Cyber Security and Technology

Attacker is able to search for files on the victim's computer remotely.

Page 15

Setting the Context: Smile please... and clear your voice... you're on stage

Attacker is able to take control of the victim's camera and view the victim without his/her knowledge.

Attacker is able to listen to and record all voice calls (Skype) from the victim's mic or sound card.

Page 16

Setting the Context: Cyber Security and Technology

Attacker is able to extract all passwords stored in browser and cookie files.

Attacker is able to install key loggers for all transactions, chats, emails, document or spreadsheet edits.

Page 17

Setting the Context: Cyber Security and Technology

Attacker is able to take control of the victim's screen when the victim is not in front of the computer.

Page 18

Setting the Context: Cyber Security and Technology

Attacker is able to attack other systems on the network.

Attacker is able to extract network shares and compromise other machines via the victim computer.

Page 19

Setting the Context: Cyber Security and Technology

Attacker is able to shut down and conduct other maintenance activity on the victim computer.

Attacker is able to remotely update and upgrade the malicious code for continuous and undetected access.

Page 20

Setting the Context: Malware detected (Day 1 and Day 30)

The crypter: crypters can be used to encrypt viruses, RATs, key loggers, spyware etc. to make them undetectable by antiviruses.

When these EXE files are encrypted with FUD (fully undetectable) crypters they become undetectable by antiviruses.

Page 21

Setting the Context: Services on the Internet are growing, and so are hack attacks

Page 22

Setting the Context: Services on the Internet are growing, and so are hack attacks

Page 23

Setting the Context: Services on the Internet are growing, and so are hack attacks

• It is a media library that processes several popular media formats.

• Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS.

• A fully weaponized successful attack could even delete the message before you see it. You will only see the notification (and that can be masked too, if required).

Page 24

Setting the Context: Services on the Internet are growing, and so are hack attacks

Page 25

Setting the Context: Services on the Internet are growing, and so are hack attacks

Page 26

Setting the Context: Cyber Security and Technology

Page 27

Cyber Security - Leadership – Brewery Case Study

Page 28

Cyber Security - Human Resourcing – Banking Case Study

Page 29

Cyber Security - Third Party / Suppliers – Retail Case Study

Page 30

Cyber Security - Business Continuity & Management – Product Case

Product release delayed...!!!

Page 31

Cyber Security - Operations and Technology – Telecom Customer Data Network

Rogue Website Detection

• Identify rogue websites such as phishing sites, scam sites, etc.

• Cybersquatting domains and websites detection; site takedown

App Store Monitoring

• Monitoring of various app stores for detection of counterfeit software / scam apps hampering the brand.

• Use of unauthorized brand name and/or logos, company goodwill, reputation.

Social Media Listening / Monitoring

• Detection of private, confidential or any secret information shared over social media platforms

• Sharing of threats against facilities, employees or any information leading to corporate security compromise

Anti-counterfeit

• Monitoring of products and brand in various marketplaces including but not limited to gray market, unauthorized product distribution channels.

• Maintain compliance and trust with distribution partners

IPR / Informational Asset Leakage Detection

• Detect IPR data and documents shared over public domains and sharing sites.

• Detection of unauthorized sharing of confidential information by vendors and/or employees over public domains

• Detection of leakage of informational assets such as financial details, network diagrams, technological data, etc.

Page 32

Cyber Security - Regulations / Compliance

Sony executives bowed in apology today for a security breach in the company's PlayStation Network that caused the loss of personal data of some 77 million accounts on the online service.

Page 33

Cyber Security: How KPMG Can Assist?

We believe cyber security should be about what you can do – not what you can't.

Principles of our approach:

1. Driven by business aspirations

2. Razor-sharp insight

3. Shoulder to shoulder

Boards today are required to have enhanced roles and responsibilities that focus on (a) providing confidence to investors, (b) adhering to regulators, (c) working with insurers and (d) working towards minimizing potential litigants.

Page 34

KPMG Global Cyber Maturity Framework: Cyber Security – Six Domains

Within this Cyber Maturity Framework, a strong communication plan is focussed on the details and complexity of ongoing communication and direction between the board and management. This helps achieve a reliable flow of information among a broad mix of stakeholders. It is not only the frequency of communication that needs to be reassessed, but also the quality of communication when addressing risks. This framework keeps in mind that security is only as strong as your weakest link – and the weakest link most often is people, whether due to someone on the inside, human error, or another human factor.

Our transformative framework, with a proactive approach, helps shape proper dialogue and overall improves the information flow to become more transparent and sustainable – thus closing the loop.

Page 35

Cyber Security Transformation: Overview

Overview of Our Cyber Transformation Approach

Prepare – Help clients understand their vulnerabilities and improve their preparedness against cyber attack.

Protect – Help clients design and implement their cyber defense infrastructure.

Detect & Respond – Help clients respond to and investigate cyber attacks.

Integrate – Embed cyber security in the culture and decision making of client organizations.

Threat Intelligence – Help clients implement and use intelligence as a springboard for delivering effective cyber security.

Cyber Transformation – Help clients design and deliver a wholesale program of change to improve cyber security capability.

Page 36

Cyber Security Transformation: Our Core Service Offerings Within Each Phase

1. Prepare – Help clients understand their vulnerabilities and improve their preparedness against cyber attack.

Understanding the value of critical assets, cyber maturity and setting the cyber security strategy

Cyber Maturity Assessment – rapid assessment of your organization's readiness to prevent, detect, contain and respond to cyber threats

Cyber Security Strategy – assist in designing and implementing cyber security strategies and aid Governance, Risk and Compliance

Page 37

Cyber Security Transformation: Our Core Service Offerings Within Each Phase

2. Protect – Help clients understand their vulnerabilities and improve their preparedness against cyber attack.

Understanding the value of critical assets, cyber maturity and setting the cyber security strategy

Security and technology assessments – test and improve all elements of security and technology infrastructure, including penetration and vulnerability testing

Application security assurance – understand, assess and address the critical application risks

Information Management and Privacy – rapid assessment of your current privacy and records management practices to identify / address issues that may result in non-compliance

Certification services – certification against international information security standards (ISO27x, NIST)

Identity and access management – enterprise system access is aligned to roles / privileges

Page 38

Cyber Security Transformation: Our Core Service Offerings Within Each Phase

3. Detect and Respond – Help clients respond to and investigate cyber attacks.

Understanding the value of critical assets, cyber maturity and setting the cyber security strategy

Cyber attack detection – assist in deployment of monitoring and sophisticated data analytics on clients' networks

Rapid response teams – assist to contain, manage and recover from current cyber attacks

Forensic evidence recovery and investigation – provide advanced digital forensics capability to gather, preserve and interpret large data sets, deleted or ephemeral data in order to prove a chain of events

Advanced training and cyber response capability development

Page 39

Cyber Security Transformation: Our Core Service Offerings Within Each Phase

4. Integrate – Embed cyber security in the culture and decision making of client organizations.

Integrating cyber into the enterprise risk framework and wider business operations.

Board training – awareness and scenario-based training

Enterprise risk management policy – design and implementation

Business continuity planning – reduce exposure, build plans, build capability

Behavioral change management

Page 40

Cyber Security Transformation: Our Core Service Offerings Within Each Phase

Build capability to make intelligence-based decisions and deploy organization-wide cyber security

5. Threat Intelligence – Help clients implement and use intelligence as a springboard for delivering effective cyber security.

Threat intelligence operating models – assist in development and implementation of threat models across people, process and technology required to make intelligence-led decisions

Security Operations Centers – assist in design and implementation

6. Cyber Transformation – Help clients design and deliver a wholesale program of change to improve cyber security capability.

Cyber security transformation programs – assist in design and delivery of organization-wide cyber security transformation programs

Page 41

Setting the Context: Cyber Security Threats / Events in the Region

Cyber Security Realities in the Region

Uganda 2012–2013 Annual Police Crime and Traffic Report: mobile money and Automated Teller Machine (ATM) fraud was responsible for the loss of about USH 1.5 billion*

Cybercrime is said to have cost nearly KES 2 billion (USD 23 million) to the Kenyan economy in 2013**

Kenya Cyber Security Report 2014 ranked Kenya among the top countries for most incidents of cybercrime, alongside the United States (US), Brazil, China and South Korea

The African Union (AU) adopted the “African Union Convention on Cyberspace Security and Protection of Personal Data” in July 2014

The Northern Corridor Integration Project member states (the Republics of Kenya, Rwanda, South Sudan and Uganda) have developed a Memorandum of Understanding on a Cyber Security Framework for cooperation and collaboration in preventing and responding to evolving cyber security threats. (The memorandum is scheduled for signing in mid-May 2015 during the next Northern Corridor Integration Summit in Kampala.)

Ministry of Information Communication and Technology, Government of Kenya, developed a Cyber Security Strategy – Feb 2014

Kenya is drafting the Cyber-Crime and Computer Related Offences Bill to tackle cyber crime and data breaches

Bank of Tanzania (BoT) statistics: TZS 1.3bn has been stolen across the country through cyber fraud*

Sources:

* Kenya Cyber Security Report 2014

** http://www.article19.org/resources.php/resource/37652/en/kenya:-cybercrime-and-computer-related-crimes-bill#sthash.NjxkxbMI.dpuf

Page 42

KPMG Global Cyber Maturity Framework: Board Oversight and Engagement

I. LEADERSHIP AND GOVERNANCE

Management demonstrating due diligence, ownership and effective management of risk

What should management do?

• Define ownership and governance structure

• Identify sensitive data assets and critical infrastructure

• Inventory third party supplier relationships

• Perform assessment of current capabilities

• Define a strategy and approach

• Educate the board and executive management

How should boards engage?

• Understand governance structure and have open dialogue with executive leadership team

• Review output of capability assessment

• Review and approve strategy and funding requests

• Participate in general board education

• Request periodic updates of program

II. HUMAN FACTORS

The level and integration of security culture that empowers and helps to ensure the right people, skills, culture and knowledge

What should management do?

• Define culture and expectations

• Implement general training and awareness programs

• Implement personal security measures

• Define talent management and career architecture

• Develop specific learning paths for key personnel

How should boards engage?

• Set the tone for the culture

• Review patterns / trends of personal issues

• Understand training and awareness protocols

III. INFORMATION RISK MANAGEMENT

The approach to achieve thorough and effective risk management of information throughout the organization and its delivery and supply partners

What should management do?

• Develop risk management approach and policies

• Identify risk tolerance and communicate

• Link risks to sensitive data assets

• Perform risk assessments and measures

• Perform third-party supplier accreditation

• Report relevant metrics

How should boards engage?

• Understand risk management approach and linkage to enterprise risk

• Review and approve risk tolerance

• Understand third party supplier program

• Review and question program metrics


KPMG Global Cyber Maturity Framework – Board Oversight and Engagement

IV. BUSINESS CONTINUITY AND CRISIS MANAGEMENT
Preparation for a security event and the ability to prevent or reduce its impact through successful crisis and stakeholder management

What should management do?
• Assess current ability to manage cyber events
• Perform analysis of risks and financial requirements
• Develop robust plans
• Assign resources and develop training
• Integrate with corporate communications
• Perform testing of plans

How should boards engage?
• Understand current response capability
• Review status of overall plan maturity
• Meet with communications personnel
• Participate in table-top exercises

V. OPERATIONS AND TECHNOLOGY
The level of control measures implemented to address identified risks and reduce the impact of compromise

How should boards engage?
• Understand current maturity of the control structure
• Review relevancy of the selected control framework
• Review relevant incident trend metrics
• Meet with the CIO or equivalent to understand the integration of cyber and information technology trends

VI. LEGAL AND COMPLIANCE
Regulatory and international certification standards as relevant

What should management do?
• Catalog all relevant compliance metrics
• Link compliance requirements to the control framework
• Formalize the role of the audit committee
• Identify risk tolerance and communicate it
• Develop litigation inventory and trending
• Analyze and recommend the need for cyber insurance

How should boards engage?
• Understand the regulatory landscape impacting the organization
• Clarify audit committee requirements for cyber
• Review litigation inventory trends
• Review and approve cyber insurance funding (if relevant)


KPMG Global Cyber Maturity Framework – KPMG Cyber Security Maturity Assessment: Maturity Levels

[Chart: maturity scale 0 to 4 comparing The Client Overall Maturity Rating, Recommended Maturity Rating for The Client, Financial Services Sector Average Maturity Rating and Insurance Sector Average Maturity Rating]

Level – Description – Cyber Security Requirements

0 – INITIAL: Ad-hoc, unpredictable, poorly controlled, reactive
• No clear understanding and ownership of the cyber risks within the leadership team.
• Cyber security approach is not risk based and is very ad-hoc in nature.
• Basic technical capability: perimeter security such as firewalls, and endpoint security such as antivirus.

1 – REPEATABLE: Basic process management, repeatable tasks
• The leadership team understands how cyber risks can impact the business, and risk appetite is defined.
• Enterprise-wide, co-ordinated approach to security.
• Mid-tier technical capability: operating system hardening, application hardening and other relevant preventive controls.

2 – DEFINED: Defined and documented processes, proactive
• The leadership team has directed and resourced the work needed to address cyber security risks.
• A well-defined security architecture that meets the business needs.
• Effective information risk management processes in place.
• Enhanced technical capability: defence-in-depth architecture with logging enabled.

3 – MANAGED: Processes integrated, measured and controlled
• Governance framework to monitor the embedding of information security within the culture of the organisation.
• Security controls are implemented in a co-ordinated manner to ensure compliance with the defined security architecture.
• Extended technical capability: ability to correlate events to identify and pre-empt malicious activity.

4 – OPTIMISED: Continual improvement, organisational alignment
• The need to protect information assets owned by both internal and external stakeholders as key business assets is embedded within the culture of the organisation.
• The information and cyber security program is subject to a continuous improvement regime.
• Leading-edge security solutions: big-data-based security analytics.

KPMG will compile a report that provides a breakdown of maturity against the six key dimensions.


Thank You

© 2015 KPMG India, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.

The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative ("KPMG International").

Sony Anthony

Director

KPMG India

[email protected]

+91 9845565222