
PROFESSIONAL DEVELOPMENT PROGRAM

Personal and Enterprise Security in a Connected World

COPYRIGHT © PWC

All rights reserved. No part of this publication/course material may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (photocopying, electronic, mechanical, recording or otherwise) without the prior written permission of the copyright holder and publisher.

DISCLAIMER

This course material deals with complex matters and may not apply to particular facts and circumstances. As well, the course material and references contained therein reflect laws and practices which are subject to change. For these reasons, the course material should not be relied upon as a substitute for specialized professional advice in connection with any particular matter.

Although the course material has been carefully prepared, neither the Chartered Professional Accountants of British Columbia, the course author and/or firm, nor any persons involved in the preparation and/or instruction of the material accepts legal responsibility for its contents or for any consequence arising from its use.

FALL | WINTER 2016


Protecting the enterprise and yourself: Cybersecurity

October 2016

www.pwc.com/cybersecurity

Your speaker today: Craig Coughlan, Manager, PwC

Our perspectives

• Developed based on our interactions with CISOs, CIOs, Corporate Suite Leadership, and Boards of Directors

• Shaped through knowledge and experience of developing strategies, implementing solutions and executing programs, and responding to security crises

• Supported and enhanced by years of federal law enforcement, national intelligence and industry experience

Agenda

• The new reality – understanding the threats

• Adapting to the new reality

• Protecting yourselves

• Protecting your children

Cybersecurity: The new reality

What is cybersecurity?

• Cybersecurity represents many things to many different people

• Key characteristics and attributes of cybersecurity:
  ─ Broader than just information technology and extends beyond the enterprise
  ─ Increasingly vulnerable due to technology connectivity and dependency
  ─ An ‘outside-in view’ of the threats and business impact facing an organization
  ─ Shared responsibility that requires cross functional disciplines in order to plan, protect, defend, react and respond

It is no longer just an IT challenge – it is a business imperative!

The cyber challenge now extends beyond the enterprise

Global Business Ecosystem

Pressures and changes which create opportunity and risk

Traditional boundaries have shifted; companies operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent.

• The ecosystem is built around a model of open collaboration and trust—the very attributes being exploited by an increasing number of global adversaries.

• Constant information flow is the lifeblood of the business ecosystem. Data is distributed and dispersed throughout the ecosystem, expanding the domain requiring protection.

• Adversaries are actively targeting critical assets throughout the ecosystem—significantly increasing the exposure and impact to businesses.

Years of underinvestment in security have impacted organizations’ ability to adapt and respond to evolving, dynamic cyber risks.

Scope of cybersecurity – Technology domain convergence

Information Technology

Computing resources and connectivity for processing and managing data to support organizational functions and transactions

Operational Technology

Systems and related automation assets for the purpose of monitoring and controlling physical processes and events or supporting the creation and delivery of products and services

Consumer (Products and Services) Technology

Computing resources and connectivity integrated with or supporting external end-user focused products and services

Cybersecurity encompasses all three technology types

Evolving business risks… impacting brand, competitive advantage, and stakeholder value

Highlights of activities impacting risk:

Advancements in and evolving use of technology – adoption of cloud-enabled services; Internet of Things (“IoT”) security implications; BYOD usage

Value chain collaboration and information sharing – persistent ‘third party’ integration; tiered partner access requirements; usage and storage of critical assets throughout ecosystem

Operational fragility – Real-time operations; product manufacturing; service delivery; customer experience

Business objectives and initiatives – M&A transactions; emerging market expansion; sensitive activities of interest to adversaries

Historical headlines have primarily been driven by compliance and disclosure requirements

However, the real impact is often not recognized, appreciated, or reported

Unmanaged risks with potential long-term, strategic implications

Cybersecurity must be viewed as a strategic business imperative in order to protect brand, competitive advantage, and stakeholder value

The actors and the information they target

Adversary

• Nation State
• Organized Crime
• Insiders
• Hacktivists

What’s most at risk?

• Emerging technologies
• Energy data
• Advanced materials and manufacturing techniques
• Healthcare, pharmaceuticals, and related technologies
• Business deals information
• Health records and other personal data
• Industrial Control Systems (SCADA)
• R&D and / or product design data
• Payment card and related information / financial markets
• Information and communication technology and data

Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.

Motives and tactics evolve, and what adversaries target varies depending on the organization and the products and services it provides.

Evolving perspectives: Considerations for businesses adapting to the new reality

Scope of the challenge
• Historical IT security perspectives: Limited to your “four walls” and the extended enterprise
• Today’s leading cybersecurity insights: Spans your interconnected global business ecosystem

Ownership and accountability
• Historical IT security perspectives: IT led and operated
• Today’s leading cybersecurity insights: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics
• Historical IT security perspectives: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
• Today’s leading cybersecurity insights: Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection
• Historical IT security perspectives: One-size-fits-all approach
• Today’s leading cybersecurity insights: Prioritize and protect your “crown jewels”

Defence posture
• Historical IT security perspectives: Protect the perimeter; respond if attacked
• Today’s leading cybersecurity insights: Plan, monitor, and rapidly respond when attacked

Security intelligence and information sharing
• Historical IT security perspectives: Keep to yourself
• Today’s leading cybersecurity insights: Public/private partnerships; collaboration with industry working groups

Adapting to the new reality

2016 Canadian insights at a glance

160% increase in detected incidents in Canada (over 2014)

Incidents attributed to foreign nation-states increased the most (up 67% over 2014) while employees continue to be the most cited source of incidents (66%)

Average financial loss due to detected incidents is $1M (18% decrease from 2014)

Attacks on IoT devices and systems are on the rise

Customer records continue to be the most targeted data (36%)

Security spending increased by 82% over 2014, currently at 5% of IT spend

Canadian Insights – The Global State of Information Security® Survey 2016

Keeping pace with the new reality – Key considerations

[Figure: security program framework with the labels Board, Audit Committee, and Executive Leadership; Business Alignment and Enablement; Risk and Impact Evaluation; Resource Prioritization; Security Strategy and Roadmap; Security Program, Resources and Capabilities; Investment Activities; Projects and Initiatives; Functions and Services]

Engage and commit with the business

• Leadership, ownership, awareness and accountability for addressing the cyber risks that threaten the business

• Alignment and enablement of business objectives

Transform and execute the security program

• New and enhanced capabilities are needed to meet the ever changing cybersecurity challenges

• A comprehensive program must be built on a strong foundation and include proactive coordination and collaboration with the business

• The security implications related to the convergence of Information Technology, Operational Technology and Company Products and Services are addressed

Rationalize and prioritize investments

• Critical assets are constantly evaluated given they are fundamental to the brand, business growth and competitive advantage

• Threats and impact to the business are considered as investment activities are contemplated

Operating in the global business ecosystem requires you to think differently about your security program and investments.

Why organizations have not kept pace

Years of underinvestment in certain areas have left organizations unable to adequately adapt and respond to dynamic cyber risks.

[Figure: security program framework. Framing labels: Board, Audit Committee, and Executive Leadership Engagement; Business Alignment and Enablement; Risk and Impact Evaluation; Resource Prioritization; Security Strategy and Roadmap; Security Program, Functions, Resources and Capabilities.

Core areas: Security Culture and Mindset; Process and Technology Fundamentals; Threat Intelligence; Monitoring and Detection; Critical Asset Identification and Protection; Incident and Crisis Management.

Surrounding areas: Product & Service Security; Physical Security; Operational Technology Security; Public/Private Information Sharing; Threat Modeling & Scenario Planning; Technology Adoption and Enablement; Ecosystem & Supply Chain Security; Global Security Operations; Breach Investigation and Response; Notification and Disclosure; Privileged Access Management; Security Technology Rationalization; Patch & Configuration Management; Insider Threat; User Administration; Technology Debt Management; Secure Mobile and Cloud Computing; Compliance Remediation]

Have you kept pace?

Questions to consider when evaluating your ability to respond to the new challenges.

Develop a cross-functional incident response plan for effective crisis management

• Have your business leaders undertaken cyberattack scenario planning?

• Do you have a defined cross functional structure, process and capability to respond?

• Are you enhancing and aligning your plan to ongoing business changes?

Evaluate and improve effectiveness of existing processes and technologies

• Have you patched and upgraded your core platforms and technology?

• How are you securing new technology adoption and managing vulnerability with your legacy technology?

• Have you evolved your security architecture and associated processes?

Enhance situational awareness to detect and respond to security events

• How are you gaining visibility into internal and external security events and activities?

• Are you applying correlation and analytics to identify patterns or exceptions?

• How do you determine, in a timely and efficient way, when to take action?

Identify, prioritize, and protect the assets most essential to the business

• Have you identified your most critical assets, and do you know where they are stored and transmitted?

• How do you evaluate their value and impact to the business if compromised?

• Do you prioritize the protection of your crown jewels differently than other information assets?

Establish values and behaviors to create and promote security effectiveness

• How is leadership engaged and committed to addressing cyber risks facing the business?

• What sustained activities are in place to improve awareness and sensitivity to cyber risks?

• How have your business practices evolved to address the threats to your business?

Understand the threats to your industry and your business

• Who are your adversaries and what are their motivations?

• What information are they targeting and what tactics are they using?

• How are you anticipating and adapting your strategy and controls?

Cybersecurity program enhancements

Once an organization has established stable and effective foundational security practices, incremental cybersecurity capabilities and solutions should be pursued.

[Figure: Security Program and Capabilities]

Security Foundation Elements: Governance & Structure; Strategy & Roadmap; Resources & Capabilities; Solutions & Delivery; Culture & Awareness

Security Functional Domains: Information & Privacy Protection; Incident & Crisis Management; Identity & Access Management; Threat, Intelligence & Vulnerability Management; Security Architecture & Services; Strategy, Governance & Management; Risk & Compliance Management; Emerging Technologies & Market Trends

Incremental Program Enhancements: Enhanced Identity & Access Management; Insider Threat Management; Advanced Analytics & Detection; Active Defence & Response; Advanced Counter-measures; Critical Asset Identification; Strategic Threat Management; Threat Intelligence Fusion

Key lessons learned from recent breaches

• Attack Method - organized and coordinated efforts to exploit a known technical vulnerability in the core infrastructure

• Awareness - adversaries tested and enhanced their approach over the course of months before executing their campaign; intelligence sources communicated threat elements

• Detection - technical indicators were undetected during the attack sequence; additionally, as is often the case, third parties (e.g. law enforcement or the banks) detect the compromise, not the company

• Security Posture - known companies compromised were assumed to be compliant with industry standards (e.g. PCI DSS) -- compliance does not equal security

• Industry Exposure – attacks are often not limited to a single company; many companies within an industry sector share the same / similar profile and it is highly likely there are other targets and victims

Recap of key points to consider

1. The global business ecosystem has changed the risk landscape

Business models have evolved, creating a dynamic environment that is increasingly interconnected, integrated, and interdependent – necessitating the transformation of your security practices to keep pace.

2. Focus on securing high value information and protecting what matters most

Rather than treating everything equally, you should identify and enhance the protection of your “crown jewels” while maintaining a consistent security baseline within their environment.

3. Know your adversary – motives, means, and methods

Sophisticated adversaries are actively exploiting cyber weaknesses in the business ecosystem for economic, monetary or political gain – requiring threat intelligence, proactive monitoring and deep response capabilities.

4. Embed cybersecurity into board oversight and executive-level decision making

Creating an integrated, business aligned security strategy and program requires awareness and commitment from the highest executive levels of the organization – in order to apply the appropriate resources and investments.

Protecting yourself: tips

Expert VS Non-Expert Top 5 Security Practices

Software Updates vs Anti-Virus

September 2015, Experts’ VS Non-Experts’ Security Practices


Anti-virus vs Windows Updates

Windows Security updates harden your OS by patching vulnerabilities and potentially exploitable loopholes.

Antivirus software protects your computer by scanning files that have been written to your C drive.

The effectiveness of the Anti-virus depends on how recent the virus definitions that recognize virus signatures are. In order for Anti-virus to be effective, it MUST be up-to-date.

September 2015, Expert VS Non-Expert Security Practices

Protecting yourself: Passwords & Privacy

Quick Quiz

Which of the following best describes the reason your password is easy to remember:

A. Based on Common Dictionary Words

B. Based on Common Names

C. Based on User/Account Name

D. Is Short (under 6 characters)

E. None of the Above

Your Identity and Privacy are at risk

Unfortunately,

– the characteristic you have selected also makes your password vulnerable to attack, thus putting your Identity and Privacy at risk

– you are not alone

Let’s take a look at a few more characteristics and practices that make a password vulnerable to attack …

Characteristics of weak passwords

• Weak Passwords
– based on common dictionary words
  • Including dictionary words that have been altered:
    – Reversed (e.g., “terces”)
    – Mixed case (e.g., SeCreT)
    – Character/Symbol replacement (e.g., “$ecret”)
    – Words with vowels removed (e.g., “scrt”)
– based on common names
– based on user/account identifier
– short (under 6 characters)
– based on keyboard patterns (e.g., “qwerty”)
– composed of single symbol type (e.g., all characters)
– resemble license plate values
– are difficult for you to remember

Weak password practices

• Weak Password practices
– recycling passwords
– recording (writing down) passwords
– use of previously recorded passwords (combination of above practices)
– use of password on two or more systems/contexts
  • Especially risky when passwords are reused in low-trust systems (e.g., online gaming) since increased exposure

Characteristics of strong passwords

• Strong Passwords
– contain at least one of each of the following:
  • digit (0..9)
  • letter (a..Z)
  • punctuation symbol (e.g., !)
  • control character (e.g., ^s, Ctrl-s)
– are based on a verse (e.g., passphrase) from an obscure work where the password is formed from the characters in the verse
  • e.g., “ypyiyp” derived from the title of this module
  • sometimes referred to as a virtual password
– are easily remembered by you but very difficult (preferably impossible) for others to guess

Strong password practices

• Strong Password Practices
– never recycle passwords
– never record a password anywhere
  • exceptions include use of encrypted password “vaults”
– use a different password for each system/context
– be aware Trojan horse programs can masquerade as login prompts so always reset the system as appropriate to obtain a trusted login prompt
– check for keyboard buffer devices/software that intercept keystrokes (including password capture)
– change password occasionally
– change your password immediately if you suspect it has been “stolen”
– “passwords should be protected in a manner that is consistent with the damage that could be caused by their compromise.” (From a USA Dept of Defense Guideline)
– monitor for possible eavesdroppers during entry of password
– do not use the "Remember Password" feature of applications (e.g., Microsoft® Internet Explorer®).
– inquire about proactive password checking measures with your system administration (see next item)

Strong Password Demo

https://howsecureismypassword.net/

http://www.passwordmeter.com/
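The weak-password characteristics listed under "Characteristics of weak passwords", and the proactive password checking mentioned under "Strong password practices", can be illustrated as a check that runs when a password is chosen. This is an added example, not part of the original course material; the word lists, substitution map, license-plate pattern and function names are constructed assumptions.

```python
import re

# Constructed sample lists; a real checker would load full wordlists.
DICTIONARY = {"secret", "password", "dragon", "monkey", "sunshine"}
COMMON_NAMES = {"michael", "jennifer", "robert"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Assumed character/symbol replacements to undo before a wordlist lookup.
SUBSTITUTIONS = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a",
                               "3": "e", "0": "o", "1": "l", "!": "i", "7": "t"})

# Assumed license-plate shapes such as "ABC123" or "123-ABC"; formats vary by region.
PLATE = re.compile(r"^(?:[a-z]{2,3}[ -]?\d{3,4}|\d{3,4}[ -]?[a-z]{2,3})$")


def _strip_vowels(word):
    return re.sub(r"[aeiou]", "", word)


def _variants(password):
    """Return the forms of a password with the listed alterations undone."""
    lowered = password.lower()                        # undoes mixed case
    unsubstituted = lowered.translate(SUBSTITUTIONS)  # undoes symbol replacement
    forms = {lowered, unsubstituted}
    forms |= {form[::-1] for form in forms}           # undoes reversal
    return forms


def _matches_wordlist(password, words):
    forms = _variants(password)
    if forms & words:
        return True
    # Vowel removal loses information, so strip the wordlist and compare.
    return bool(forms & {_strip_vowels(word) for word in words})


def _single_symbol_type(password):
    classes = set()
    for ch in password:
        if ch.isalpha():
            classes.add("letter")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return len(classes) <= 1


def _keyboard_pattern(password):
    lowered = password.lower()
    if len(lowered) < 4:
        return False
    return any(lowered in row or lowered in row[::-1] for row in KEYBOARD_ROWS)


def weak_password_reasons(password, account_name=""):
    """Return the weak-password characteristics a candidate password shows."""
    reasons = []
    if len(password) < 6:
        reasons.append("short (under 6 characters)")
    if _single_symbol_type(password):
        reasons.append("single symbol type")
    if _matches_wordlist(password, DICTIONARY):
        reasons.append("dictionary word")
    if _matches_wordlist(password, COMMON_NAMES):
        reasons.append("common name")
    if account_name and _matches_wordlist(password, {account_name.lower()}):
        reasons.append("account identifier")
    if _keyboard_pattern(password):
        reasons.append("keyboard pattern")
    if PLATE.match(password.lower()):
        reasons.append("license plate shape")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, including the altered forms from the slide.
    for candidate in ("terces", "SeCreT", "$ecret", "scrt", "qwerty", "t9#Lq2!vK"):
        print(candidate, "->", weak_password_reasons(candidate) or "no listed weakness")
```

An empty result only means none of the listed characteristics matched the small sample lists; it says nothing about reuse or where the password is recorded.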

Password Attacks

• Most successful attacks are based on:
– Dictionary attacks
  • “The guessing [often automated] of a password by repeated trial and error.”
– Social engineering
  • “Social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.”

Dictionary Attacks

• Most hackers utilize widely available password cracking dictionaries to uncover passwords

• Ways to reduce Your risk:
– Create and use passwords

Social Engineering

• Perhaps the most notorious social engineer, Kevin Mitnick, once stated, “one foot in the door is all it takes”

• Ways to reduce Your risk:
– Be aware that your password keystrokes may be observed by others
– Confirm authorization and establish trust before releasing any important information

Passwords in the Context of Your Identity and Privacy

• What is a password?

– “A password is information associated with an entity that confirms the entity’s identity.”

• Why are passwords needed?

– Passwords are used for authentication

• Authentication can be thought of as the act of linking yourself to your electronic identity within the system you are connecting to

– Your password is used to verify to the system that you are the legitimate owner of the user/account identifier

• Commonly referred to as “logging in”


• Passwords/Identity/Privacy

– Attackers who obtain your password can authenticate themselves on various systems and in turn …

Access your personal information (invade Your Privacy)

Impersonate you by acting on your behalf (steal Your Identity)

Password Facts Worth Remembering

• Protection of Your Identity and Privacy in the information age hinges on sound password knowledge and practice

• Those who do not use strong passwords and password practices are often their own worst enemy

• If you feel you have too many passwords to remember then consider using a password vault (e.g.,

)

• The risks are real, they affect you either directly or indirectly and they can be diminished by using strong passwords and password practices


Public Computers

Do you log into work (or banking online) from that computer in the hotel lobby or from a cyber cafe?

Re-use

Use different passwords for different types of accounts. Your work password should be different than your personal passwords. Your personal banking passwords should be different than your personal fun accounts.


Questions – for password resets

Password resets are really nothing more than another password. If they are answering personal questions with information that can be found on Facebook, LinkedIn or Google, they do not have secure passwords.

Writing Passwords Down

How am I supposed to remember my 100+ passwords if I do not write them down? The key is explaining to people how to do it securely. Yes, sticky notes are bad, but give people secure alternatives. There are security programs that can securely store their passwords, or, if they are written down, have them kept in a secured safe.

Review

– Agree that strong passwords and password practices contribute to protection of identity and privacy
– Discriminate passwords as weak or strong
– Recognize the role of passwords in authentication
– Recognize the relationship between authentication and both identity and privacy
– Identify a tool helpful to those who have many passwords to maintain

Protecting yourself: Social media & Cell phones

Geotagging and Cell Phones

Could you fall victim to crime by geotagging your pictures?

Global Positioning System satellite technology (better known as GPS) is embedded into so many of the devices we use today for location purposes that we sometimes take it for granted.

One use of GPS is geotagging, which is the process of attaching location information to content such as a photograph or video.

It is a great way to remember where you took a photo or posted a tweet.

However…

What if you posted a pic of your house or family?

Later you post a photo of yourself or family on vacation?

Could a motivated criminal using free software find your house and break in while you are on vacation? Could a cyberstalker build a more detailed profile of you, your family and your children?

Yes, they could, and it has been done before:

Geotagging

This may occur two ways. Your phone may ask you for access to your location, or you may have to alter your preferences/permissions.

Supplemental Slides

The Global State of Information Security® Survey 2016

Respondents

• 51% C-suite level

• 15% Director level

• 34% Other (e.g. Manager, Analyst, etc.)

• 39% Business and 61% IT (18% increase compared to 2014)

10,040

17 Industries represented

Top 5

• 22% Technology

• 10% Financial Services

• 8% Consulting/Prof. Services

• 7% Engineering/ Construction

• 7% Consumer Products & Retail

Reported annual revenues

• 34% at least US$1B

• 48% US$25 to $999M

• 26% less than US$100M

• 3% non-profit


Cybersecurity is linked to the Five Global Megatrends as each offers opportunity and risk to society, consumers, employees, organizations and governments as adversaries seek to gain access to a wide variety of critical assets.

[Figure: the five megatrends. Accelerating urbanization; Demographic shifts; Shift in global economic power; Climate change and resource scarcity; Technological breakthroughs]

Technology Breakthroughs – Perhaps the most important business driver, organizations will continue to invest significantly in R&D as a means for gaining a strategic / competitive advantage over the competition.

Resource scarcity and climate change – As resources become constrained or limited in different geographic locations, significant R&D and increased innovation will be required to create new resources and assets needed to combat the change.

Accelerating urbanization – As cities and governments grow, connectivity, automation and reliance on technology will only increase.

Shift in global economic power – As economies grow and wealth is accumulated technology will be adopted and used as a means to connect at a pace never before seen.

Demographic shifts – As the population changes, consumers and the next generation workforce will interact with and rely on technology in new and unique ways that are hard to anticipate.
