Nathan Desfontaines
Removing Fear, Uncertainty and Doubt
2016

The Proactive Approach to Cyber Security


“CYBER-SPACE IS REAL… SO ARE THE RISKS THAT COME WITH IT.”
PRESIDENT BARACK OBAMA

© 2016 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584


THE THREAT CONTINUES TO RISE
WHAT OUR SURVEYS HAVE FOUND

• Concern over cyber attacks has grown by 7%, with 37% believing they are a target for cyber attacks.
• 76% have seen an increase in the rate of cyber attacks.
• 38% have had to deal with 1 or more major cyber security incidents in the last 12 months.


AN EVER-CHANGING THREAT LANDSCAPE
BE IN A DEFENSIBLE POSITION, BE CYBER RESILIENT

• Extortion-driven attacks and ransomware attempts will increase
• Pressure to disclose data breaches and threat responses will intensify
• Widespread use of mobile devices and IoT brings a parallel increase in risk
• Organisations will make greater use of real-time intelligence tools to monitor attacks
• Organisations will focus much more on risks posed by third party vendors and suppliers


CYBER REMAINS A CONCERN FOR IT
NEW THREATS PUT STRAIN ON EXISTING IT SECURITY CONTROLS

Three significant reasons as to why cyber security will remain a key concern for IT managers:

1. Widespread use of new platforms
2. Increasingly available and simple to use exploit kits
3. Attacks are becoming more sophisticated and have specific targets

NEW PLATFORMS, NEW THREATS
MORE USERS + MORE DEVICES = MORE RISK

Impersonation
• SMS Redirection
• Sending Email Messages
• Posting to Social Media

Financial
• Stealing Transaction Authentication Numbers (TANs)
• Extortion via Ransomware
• Fake Antivirus
• Premium Calls and SMSs

Data Theft
• Account Details
• Contacts
• Call Logs
• Application Data

Surveillance
• Audio
• Camera
• Call Logs
• Location
• SMS Messages


WHAT IS BEING STOLEN?

“Thousands of South Africans have fallen victim to phishing and other types of cyber fraud, and financial institutions have lost in excess of R80-million and continue to lose money every day as a result.”
Dries Morris, Securicom


MOTIVATIONS HAVE CHANGED
FROM “TARGET OF OPPORTUNITY” TO “TARGET OF CHOICE”

Yesterday…
Bad “actors”: Isolated criminals; “Script kiddies”
Targets: Identity theft; Self-promotion opportunities; Theft of services
“Target of opportunity”

Today…
Bad “actors”: Organized criminals; Nation states; Hacktivists; Insiders
Targets: Intellectual property; Financial information; Strategic access
“Target of choice”

WHAT’S THE WORST THAT CAN HAPPEN


RECENT ATTACKS - RANSOMWARE
WHEN ALL YOUR DATA IS ENCRYPTED, RESISTANCE IS FUTILE

Ransomware – Malware that infects the target host by encrypting all data, thereby holding the victim hostage.

• Looks legitimate to the unsuspecting user
• The user is extorted for money
• Tactic achieves – Fear, Uncertainty and Doubt
• The alternative – “in order to resolve the situation in an above-mentioned way you should pay a fine of $300”


RECENT ATTACKS - HACKING
CORPORATES UNDER SIEGE

Anonymous – Thousands of South African websites were hacked in February 2016. The hacking group found a vulnerability in shared hosting servers:

• The servers are old and vulnerable, with legacy websites that are out of date
• Opportunistic attacks are evolving into targeted attacks
• Advanced cyber controls are now a necessity, not a leading practice


RECENT ATTACKS – DATA BREACH
LIFE IS SHORT, HAVE AN AFFAIR, WHAT’S THE WORST THAT CAN HAPPEN

In July Ashley Madison, an online platform for would-be adulterers with the slogan “Life is short. Have an Affair”, was hacked.

• Data from about 31 million accounts was breached, with sensitive information about the users being published
• The data breach led to the resignation of the website’s CEO
• Ashley Madison is now facing multiple lawsuits for failing to take proper security measures to protect its users’ information


RECENT ATTACKS – INDUSTRIAL
NATIONS UNDER SIEGE

BlackEnergy – In December 2015 over 1.4 million people were left without electricity in the Ivano-Frankivsk region, Ukraine.

• The BlackEnergy backdoor plants a KillDisk component which renders computers unbootable
• Infection is through Microsoft Office files containing malicious macros
• The virus can overwrite its corresponding executable file on the hard drive with random data, which makes restoration of the system more difficult


A BIT MORE DETAIL ON BREACHES
EACH YEAR BREACHES CONTINUE TO RISE IN SCALE AND IMPACT

• Sony Pictures – Sony was attacked by Ransomware, which resulted in a complete shutdown as its computers in New York and around the world were infiltrated, encrypting workstations and data drives. The hacker group claimed to have obtained corporate secrets and threatened to reveal said secrets if Sony didn’t meet their demands. (LA Times, 2014)

• Heartland – Credit card payment processing company Heartland was hacked in 2008. This hack affected an estimated 130 million customers, with Heartland having to pay $110 million back to Visa, MasterCard and American Express. This hack is rated as the biggest credit card hack. (CNN Money, 2014)

• Target – Target holds the title for the biggest retail hack in history, losing 40 million credit card numbers to the hackers, who used malware to infiltrate the Target systems and capture credit card numbers at one of the stores’ busiest times of the year, Thanksgiving and Christmas. Target is facing more than 90 lawsuits from customers and banks for negligence and compensatory damages. (Bloomberg, 2014)

WHAT ARE WE MISSING?


CLOSING THE LOOP
3 KEY PRINCIPLES

1. What are we trying to protect and from whom? – Getting an up-to-date, detailed snapshot of the current cyber threat landscape that is understood by all.

2. Accept the fact that a breach is inevitable – Whether or not your organisation has been doing enough due diligence to mitigate risks, preparing for a breach is now mandatory.

3. Focus on early detection and response – Real-time intelligence solutions, heads-up situational awareness and proactive “hunting” of incidents are the new status quo.


THINKING BROADER THAN CIA
APPROACHES TO CYBER SECURITY HAVE CHANGED

RED TEAM EXERCISES
Test your processes and systems in a real-life simulation, providing assurance on your ability to respond rather than prevent.

INTRUSION TOLERANCE: ASSUME THAT INTRUSIONS HAVE HAPPENED AND WILL HAPPEN
We must maximize the probability that we can tolerate the direct effect of those intrusions, and that whatever damage is done by the intruder, the system can continue to do its job to the extent possible.

DEPLOYMENT OF SECURITY INTELLIGENCE SYSTEMS
Ponemon says this provides a substantially higher ROI (at 23 percent) than all other technology categories surveyed.


RED TEAMING + IS INTELLIGENCE LED
UTILISE “ALL SOURCES” TO SUPPORT AN EXHAUSTIVE TEST STRATEGY

Understand your adversaries and their tactics, model their attack vectors, and then test exhaustively to obtain the necessary intelligence to adapt your defenses.

The lion fish has adapted to ward off threats in the most challenging and irregular environments.


ADAPT AND SURVIVE
ANALYTICS AND DATA CAN SAVE US

New behavioural analytics solutions and threat data analytics platforms such as FireEye and DarkTrace emulate the human immune system to protect us – understanding what belongs and what does not.

A combination of protection, early warning signals and instant remediation against sophisticated attacks is a proactive stance.

WHO? WHAT? WHEN? HOW?


WHO, WHAT, WHEN?
UNDERSTANDING YOUR RISK

Threat actors in relation to your organisation: Your Organisation; Privileged insider; Trusted insider; Insider Organisation; Group; Nation-state.

Capability and motivation by threat level:

Level 0
Capability: X (none)
Motivation: No interest in attacking the system

Level 1
Capability: Opportunistic attacks
Motivation: May casually investigate or attack a system if exposed to it, but not by design

Level 2
Capability: Some IT knowledge and resources for basic attacks (including the use of free malware, non zero-day type attacks)
Motivation: Actor will attempt to attack the system, but as a one-person attack; part-time

Level 3
Capability: Considerable IT knowledge, however actors lack the capability and resources to implement sophisticated attacks
Motivation: Focused on the system; full-time attacker, with support from part-timers

Level 4
Capability: Very capable, with the resources to execute sophisticated attacks using zero-day exploits involving significant customisation
Motivation: Attack the system frequently or constantly; several people; bribe or coerce

Level 5
Capability: Sophisticated attacks, well-funded and resourced
Motivation: Absolute priority, employing detailed research in conjunction with social engineering, bribery and coercion


THE ANATOMY OF AN ATTACK
THE LOCKHEED INTRUSION KILL CHAIN

The realm of digital security is an open-ended arms race between system defenses on the one hand and creative, highly persistent attackers on the other.

WE CANNOT CONTINUE TO FOCUS ON PRODUCTION


PROTECTION ISN’T ENOUGH
CYBER SECURITY DEMANDS THE FULL MONTY

What is that holy grail of security?

• IPS/IDS
• ISO 27001
• IAM
• Encryption at rest
• Anti-Virus
• Server isolation
• Strong governance, policies and procedures
• Application whitelisting
• Memory blocking
• Privileged access management

THE FIVE MOST COMMON CYBER SECURITY MISTAKES


THE 5 COMMON MISTAKES
100% SECURITY IS NOT FEASIBLE NOR APPROPRIATE

Mistake #1: “We have to achieve 100 percent security.”
Reality: 100 percent security is neither feasible nor the appropriate goal.


THE 5 COMMON MISTAKES
TECHNOLOGY IS NOT THE BE ALL AND END ALL

Mistake #2: “When we invest in best-in-class technical tools, we are safe.”
Reality: Effective cybersecurity is less dependent on technology than you think.


THE 5 COMMON MISTAKES
YOU DON’T NEED TO ARM YOURSELF TO THE TEETH

Mistake #3: “Our weapons have to be better than those of our attackers.”
Reality: The security policy should primarily be determined by your goals, not those of your attacker.


THE 5 COMMON MISTAKES
BEHAVIOURAL ANALYTICS IS THE FUTURE OF MONITORING

Mistake #4: “Cybersecurity compliance is all about effective monitoring.”
Reality: The ability to learn is just as important as the ability to monitor.


THE 5 COMMON MISTAKES
EVERYONE IS RESPONSIBLE FOR CYBER SECURITY

Mistake #5: “We need to recruit the best professionals to defend ourselves against cybercrime.”
Reality: Cybersecurity is not a department, but an attitude.

WHAT’S THE WAY FORWARD?


KNOWING ATTACKS WILL OCCUR IS THE FIRST STEP TO RECOVERY

PREPARE FOR THE WORST SO YOU CAN RESPOND AT YOUR BEST
• Train or outsource the capability to respond to a potential threat
• Establish a data breach team
• Make sure everybody knows what their responsibilities are

WHAT EXACTLY AM I PROTECTING
• Understand what you are trying to protect – you can’t effectively protect everything (what are your crown jewels?).
• Make sure the threats and opportunities are understood

EARLY DETECTION AND RESPONSE IS EVERYTHING
• Traditional monitoring is no longer effective
• Monitoring is an art, don’t rush it
• Being sure how to respond is key

BUILD AN ECO-SYSTEM
• This should not be an island
• It should integrate into the business of IT
• It should integrate across people, processes and technology


TAKING AN HOLISTIC APPROACH
KPMG’S CYBER MATURITY MODEL

KEEP IN TOUCH

Nathan Desfontaines
Cyber Security Manager
• 082 719 2426
[email protected]

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.