
Grab ‘n Go: Session 10
To have or not to have
Cyber security competencies
30. August 2016 #deloittegng
Kim Schlyter, Partner, Deloitte

Chapter Zero

Who we are.

Deloitte Cyber Risk Services has an enormous global network of Security & Privacy Professionals. The Nordic practice already consists of more than 100 dedicated professionals.

Deloitte has approximately 10,000 cyber security, IT risk management, and privacy professionals globally. Many of them are certified ISO, CISA, CISSP, CISM, CEH or by SAP or Oracle.

“Deloitte continually develops, tests, and launches methodologies that reflect a deep understanding of clients’ cyber security and help the firm stay ahead of the curve and set the bar in terms of addressing cyber security consulting needs.”*

In order to stay ahead of the game, the practice puts great emphasis on developing talent and certifying its professionals.

Region: Cyber security professionals
• North America: > 4,500
• EMEA: > 1,600
• Asia Pacific: > 2,500
• Rest of the World: > 1,300
• The Nordics: > 100
> 225

Accreditation: Nordic cyber security practice
• ISC2: Over 85 CISSP’s
• EC-Council: Over 50 CEH’s
• ISACA: Over 80 CISA’s, over 70 CISM’s
• NOREA: Over 15 Registered IT Auditors
• IAPP: 10 CIPP’s
• ISO: 20 ISO-27001 Lead Auditors

* Source: Kennedy Consulting Research & Advisory; Cyber Security Consulting; Kennedy Consulting Research & Advisory estimates © 2013 Kennedy Information, LLC. Reproduced under license.

Deloitte Cyber Risk Services

Cyber Watch Services
• Brand Monitoring
• Fake Apps monitoring
• Detection of restricted corporate information outside the office
• Web fraud detection
• Cyber Threats intelligence
• Anti phishing
• Early Cyber Attack warning
• Advanced threat Intelligence
• Social Media Analytics Service

Cyber Governance Services
• Cyber strategy framework
• Cyber Threat and Risk Planning
• Cyber Business Continuity and Recovery Planning
• Cyber Training, Awareness and Employee Planning
• Privacy advisory service
• CISO aaS / DPO asS

Cyber Data Protect
• Managed Network/Email Data Leakage Detection and Containment
• Managed Endpoint Breach Protection
• Managed Advanced Threat, and Malcode Threat Management Services
• Information and Threat Resiliency

Cyber Check
• Penetration testing
• Vulnerability Management
• Threat Resiliency Analysis
• User Awareness Analysis
• Red team, Cyber Simulation and War Gaming
• Software Development Lifecycle

Cyber Incident Response
• Incident Support and Recovery
• Incident and Crisis Management
• Forensics and Advanced Threat Analysis
• Breach Respond and Recovery
• Litigation Support
• Response, Eradication, Hardening and Resiliency

Cyber Monitor
• Log & compliance management
• Malware and Emerging Threat monitoring
• Event correlation and incident notification
• Event hunting and Analytics
• Threat triage

Key services range from developing a cyber security strategy to security testing and managing security operations

Our service portfolio is diverse and ever adapting to our client’s needs. An impression of our different services: CovOps, SCADA and HaaS

Covert Operations

A Covert Operations team is a group of highly skilled ethical that assess the security of an organization, which is often unaware of the existence of the team or the exact assignment.

Such teams provide a more realistic picture of the security readiness than exercises, staged role playing, or pre-announced assessments.

Covert Operations teams are designed to both capture pre-agreed "flags" as well as trigger active controls and countermeasures within a given operational environment.

SCADA / Industrial Control Systems

Through hyper connectivity and technological developments, the exposure for industrial organizations to cyber threats is growing bigger.

Hacking as a Service

Cyber attacks are daily business in our continuously changing world. Companies can prepare and arm themselves through regular reporting and security scans for example. With Hacking as a Service it is possible for our clients to use all the possibilities that the Internet has to offer, while their online assets are periodically tested for vulnerabilities.

Our teams organize several big events every year

CyberDawn

Hackers that cripple our energy infrastructure or open our

To be better prepared for such possible cyber incidents, Deloitte facilitated the first large-scale cyber exercise for the telecommunications industry in the Netherlands, called ‘CyberDawn’, where representatives from the different vital industries collaborated.

Hacking SAP Event

SAP is the heart of your organization which makes it vulnerable. Arm yourself against vulnerabilities and secure your system against them, by getting insight into the vulnerabilities of a SAP application and the associated infrastructure.

Privacy with a View

Deloitte Cyber Risk Services organizes several events around Privacy, such as privacy round tables and the annual recurring event Privacy with a View.

At Deloitte, we care: about our planet, our people and our partners.

• Hacking for Charity
• Global Cyberlympics
• Partnerships

Security Operations Service Line – Master Deck – February 2015

Deloitte is a learning organization

Cyber Risk Services works in close cooperation with Deloitte Academy.

We believe it is important to share our knowledge with clients and business relations. We offer people the opportunity to participate in training courses together with our Deloitte Cyber Risk Services professionals.

We also strongly believe that children are the future and they have to be educated about the threats and developments in the cyber landscape. Therefore we organize HackLab Highschool, a one day course in which kids will learn everything about cyber as they play.

Chapter 1

So, what’s the problem.

The attack surface is larger and easier (look in your pocket)

Attacks are exponential in frequency, complexity and outcome

[Figure: attack types across the attack surface. Labels:]
• DoS
• DDoS
• HW and SW vulnerabilities
• Credential theft
• Hacking
• Platform-based attacks (web, app, mobile)
• Malware
• Device loss/theft
• Attacks on clients (out of perimeter)
• Phishing
• Information disclosure
• Executives’ reputation
• Sensitive information theft
• Attacks on intangible assets
• Information leakage
• Brand’s reputation
• Attacks on physical assets or critical infrastructures
• Social network abuse
• Fraud
• Supply chain or credit card fraud
• Third-party or employee fraud
• VoIP/Videoconference
• Employee / Branch manager
• Video surveillance system
• store / ATM

Computers everywhere!

A modern car typically involves 50 computers

© 2015 Deloitte

…and more to follow

[Chart: Expected # of ”Internet of Things” units, in billions, for 2013, 2014, 2015 and 2020. Series: Vehicles, Consumer, Generic products, Vertical products, Total. [Nov 2014]]

Threats

What everybody says:
• Organized Crime
• Hacktivism
• Nation States
• Terror

The real threats:
• Insiders
• Third party
• Competition
• Bad quality
• “Whoops”

Chapter II

Welcome to the dark side.

5 minutes of Googling

The media love the word “”

A bit about schools…

Health data

Data leaks are nothing new – just bigger than before…

Whoops

The SONY hack

Open Source Intelligence (OSINT)

Your companies' passwords are also on the internet. Examples:

Deloitte has absolutely NOTHING to do with the leak of data from LinkedIn! Deloitte uses exclusively open and freely available sources to obtain this information! Deloitte does not collect, store and/or process this data after this presentation. Everything is deleted in a proper manner, and working material is not saved to disk.

What else are they after?

• Money, credit cards
• Intellectual property
• Personal information
• Extortion
• Revenge (DDoS etc.)
• Creepware…

Which currency should we use?

Service: Price (USD)
• DDoS Service: 10 (hours) or 1200 (months)
• e-mail Spamming: 10 - 150 (1,000,000 mails)
• SMS Spamming: 50-200 (100,000 sms’)
• Call flooding: 3 (hours) or 100 (week)
• Botnet (full control): 200 (2000 bots/day - 40% online)
• Fake website + deployment: 5 - 20
• Traffic redirection: 10 (US) - 60 (EU) (50,000 user/day)
• Dedicated Server: 1 (basic) - 2000 (bulletproof 1Gbps)
• (winlocker): 10 (executable) - 100 (source code)
• Trojan (Banking): 1,000 (executable) – 10,000 (source code)
• Pay-per-Install: 100 (RU) - 250 (UK) (1000 infected)

What can it be used for?

”Send more money, thanks! /The CEO”

CEO fraud. Quite easy…

Self-defence, CEO fraud

• Awareness

• Awareness

• Awareness

• Policies and procedures.

• Signed e-mails (digital signature)

Targeted attacks are astonishingly easy

Online attacks
• Phishing / Spoofing
• Web server hacking
• Network hacking
• Fake phone calls
• Use of found passwords

Deloitte Phishing test

Phishing attack - example

Results of the simulation are summarized on the chart:

Offline attacks
• Attacks on/via Wi-Fi. (Dangerous package)
• USB sticks in the car park
• Fake tradesman
• Creepy guest
• Fake employee (card cloning)

Chapter III

What’s my real challenge?

”Give me something audited and I’ll hack it in 5 minutes”

Time is critical – resilience is key

The difference is being able to react in minutes - not in hours and days

• Day 0 / 0: Customized malware is overlooked by your company's anti-virus solution
• Day 1: Malware starts to send sensitive documents over the Internet

• +10min: Security monitoring reports on abnormal patterns
• +2 hours: Affected machines are isolated and replaced, and the data breach is limited
• +6 hours: Attack method is identified, the evidence collected and handed to the police for pursuing the hackers
• Day 2: PR is familiar with instances of media coverage and intelligence shared with peers
• Normal operation continues

• Day 7: Sensitive information continues to be broadcast over several days
• Day 8: PR can neither deny nor confirm the extent of a security breach when the media sees the story
• Day 9: CEO informed that sensitive information is being leaked to unknown recipients and that this information cannot be replaced
• Day 10: The rumor spreads through social media about a major security breach. The security team will be notified and are investigating the matter
• Reputation is damaged, and heads roll

Attack patterns are changing

• Attack vectors change from technology to people
• Attack vectors are similar to normal behaviour
• More intelligent impersonal attack
• Supply chain/partner "poisoning"
• More targeted attacks

The business is concerned

Easy questions – difficult answers

Board of Directors: “Are we resilient to these new cyber attacks?"

CIO: "How and how much should I invest in our cyber protection?"

CEO: “I’ve heard about ransomware – are we in danger?”

Business unit: "what are the threats most relevant to my business?"

Six essential truths about Cyber Risk

1 No industry is immune
2 Cyber damage is not only financial
3 Asymmetrical attacks
4 Traditional controls are necessary, but not sufficient
5 Authorities and governments are key stakeholders with ever-increasing focus
6 Everything cannot be protected equally

General Data Protection Regulation (of personal data) – has now been approved and will be in force early 2018

Foundation no. 1 – one continent, one with effective penalties: Fines of up to EUR 20m or 4% of the annual global turnover.

Foundation no. 2 – non-European companies must follow European data protection legislation, if they operate in the European market.

Foundation no. 3 – the right to erasure of data. Data authorities and the persons involved must be informed of breaches within 72 hours

Foundation no. 4 – "one-stop-shop" for businesses and citizens.

Challenges

• Connect the dots on a wide range of topics familiarly grouped under the heading of “cyber.”

• Business executives and security professionals seldom speak the same language

• Integrating multiple competencies to create better business context and insight in the cyber strategies

• Estimation of risks and financial impact associated with cyberattacks

• Traditional approaches to calculating impacts of cyber incidents have focused largely on the direct costs

• Theft of intellectual property, the disruption of core operations, or the destruction of critical infrastructure

• Emphasize the impacts that are visible and easiest to quantify.

The threat comes from outside

Source: Verizon/Deloitte Data Breach Investigations Report 2015

What we do not easily see - and is rarely published

Publicly disclosed information about data breaches only provides a partial view of how cyberattacks can impact an organization’s performance.

To take a deeper look, Deloitte analyzed the financial consequences of two hypothetical cyberattack scenarios

Major consequences

[Figure: consequences of a security breach. Labels:]
• Security breach
• Downtime / operational stop
• Fines
• Legal
• Non-compliance with compliance requirements
• Financial losses
• Loss of IP
• Reduced / lost sales
• Lost trust
• Reputational damage

The long trail of cyberattack impacts

Beyond the initial incident triage, there are impact management and business recovery stages.

These stages involve a wide range of business functions in efforts to rebuild operations, improve cybersecurity, and manage customer and third-party relationships, legal matters, investment decisions, and changes in strategic course

Chapter IV

Give me the solution then!

Why the traditional approach to IT security is outdated

Classic security

• Focus on hardware
• Large (expensive) firewalls
• Strong focus on antivirus
• Strong focus on spam filters
• Focus on changing passwords often
• Focus on uptime
• Alarms and monitoring
• Specialist area

IT security anno 2016 = Risk management

• Focus on risk rather than hardware.

• Clarified risk appetite (by top management)

• Identification of critical systems and actors.
• Integrity, Availability, Confidentiality
• Division into risk zones
• Identified financial consequences

• Measurable KPIs for security, understandable reporting to management.

• Focus on protecting critical components – instead of protecting everything.

• Recognition that the employee is almost always the greatest risk.

Overview is the key

Cyber threats require a transformation – capabilities are not enough

[Figure: cyber security maturity model. Horizontal axis: Cyber Security Maturity Levels, Level 1 to Level 5. Zone labels: Blissful Ignorance, Proactive Threat Management, Transformation, Operational Excellence. Sector labels: Media & SMEs, Consumer Business & Life Sciences, Telecom, Retail Banks & Energy Providers, Investment Banks, Military & Defence.]

Descriptions in the figure:
• Basic infosec work and, as a rule, limited budgets and awareness. Low understanding of the importance of sec
• Greater understanding of the importance of cyber, apparent in greater security transformation projects that build on existing capabilities.
• Absolute understanding of the importance, but have already very mature maturity. Looking for leading-edge, innovative approaches. "Small world"

Capability areas and the stages shown for each:
• Situational Awareness of Cyber Threats
• Brand Monitoring: Basic Online Brand Monitoring; Online Brand & Social Media Policing
• E-Discovery & Forensics: Ad Hoc System / Malware Forensics; Automated Malware Forensics & Manual Electronic Discovery; Automated Electronic Discovery & Forensics
• Intelligence Collaboration: Ad-hoc Threat Intelligence Sharing with Peers; Government / Sector Threat Intelligence Collaboration; Global Cross-Sector Threat Intelligence Sharing
• External Threat Intelligence: Commercial & Open Source Threat Intelligence Feeds; Criminal / Hacker Surveillance; Baiting & Counter-Threat Intelligence
• Behavioural Analytics: Network & System Centric Activity Profiling; Workforce / Customer Behaviour Profiling; Real-time Business Risk Analytics & Decision Support
• Training & Awareness: Acceptable Usage Policy; General Information Security Training & Awareness; Targeted Intelligence-Based Cyber Security Awareness; Business Partner Cyber Security Awareness
• Cyber Attack Preparation: IT BC & DR Exercises; IT Cyber Attack Simulations; Business-Wide Cyber Attack Exercises; Sector-Wide & Supply Chain Cyber Attack Exercises
• Asset Protection: Basic Network Protection; Ad Hoc Infrastructure & Application Protection; Enterprise-Wide Infrastructure & Application Protection; Identity-Aware Information Protection; Adaptive & Automated Security Control Updates
• Security Event Monitoring: IT Service Desk & Whistleblowing; Security Log Collection & Ad Hoc Reporting; 24x7 Technology Centric Security Event Reporting; External & Internal Threat Intelligence Correlation; Cross-Channel Malicious Activity Detection
• Internal Threat Intelligence: Traditional Signature-Based Security Controls; Periodic IT Asset Vulnerability Assessments; Automated IT Asset Vulnerability Monitoring; Targeted Cross-Platform User Activity Monitoring; Tailored & Integrated Business Process Monitoring

© 2016 Deloitte

Three lines of defense

• First line of defense; Business units and the information technology (IT) function integrate cyber risk management into day-to-day decision making and operations.

• Second line of defense; Information and technology risk management leaders who establish governance and oversight, monitor security operations, and take action as needed, often under the direction of the chief information security officer (CISO).

• Third line of cyber defense: Independent review of security measures and performance by the internal function. For internal audit to provide a comprehensive view of cyber security, and avoid providing a false sense of security by only performing targeted , a broad approach should be employed

Deloitte Cyber Security Capabilities Model Used for Audit

We have grouped 29 cyber security capabilities in 4 domains:
• Governance
• Prevent
• Detect
• Respond

Cyber Security Maturity Model

Comparison to other models

Cybersecurity Framework

Focuses on
• Critical infrastructure within United States

Disadvantages
• Maturity levels are only defined at a high level

Focuses on
• Preventive security
• Infosec risk assessment
• Management commitment

Disadvantages
• Controls are a checklist, what is the need for a control?
• Gives limited guidance on APT and detect capabilities (security analytics)

Missing from ISO compared to Deloitte
• Data loss prevention
• Brand protection
• Network & system analytics
• User behavior analytics
• Cyber Threat Intelligence
• …

Focuses on
• Technical controls

Missing from SANS compared to Deloitte
• Policy & Standards
• Sourcing
• Risk Management & Compliance
• Brand Protection

Focuses on
• FSI content pack
• Updated each Quarter with the latest industry experience at Deloitte
• Detailed maturity guidance
• Scope encompasses ISO 27001, NIST and SANS controls

Advantages
• Uses existing open standards like ISO 27001 and NIST and combines it with expertise worldwide
• Has been validated by security professionals worldwide
• Clients use the Deloitte model for their operational internal control system

Disadvantage
• Not an open model

Understand the business, know your business risk – and risk appetite

Deloitte’s Cyber Capability Framework

Allowing intelligent decision taking for managing cyber resilience

[Figure: Deloitte's Cyber Capability Framework. Layers: Stakeholders (Internal & External); Target Operating Model; Executive dashboard for managing Cyber Resilience across the organisation. Components: Cyber Threat Model, Business Services, Cyber Capabilities.]

Cyber Threat Model

Threats
• Gather Information
• External system attack
• Gain Physical Access
• Targeted malware against workforce
• …

Scenarios

Threat Actors
• Competition
• Criminals
• Customer
• Hackers
• Insiders
• …

Business Services

Organisational structure: BU1, BU2, BU3, BU4, each listing its business services (Business service 1, Business service 2, Business service 3, Business service 4)

Communication channels & characteristics

© 2015 Deloitte Belgium

… against various cyber threats ….

Not all cyber threats are equally threatening your business

Threat Actors
• Competition
• Criminals
• Customers
• Hackers
• Insiders
• Organized Crime
• Press
• Protest Groups
• State Agencies
• Terrorists

Motives
• Making a statement
• Gain competitive advantage
• Espionage
• Operational Disruption
• Financial Gain

Targeted Assets
• Financial Data
• Intellectual Property
• Sensitive Information
• Services
• Brand image

Possible Impacts
• Financial loss
• Reputation harm
• Lawsuit
• Regulatory sanctions
• Loss of trust
• Continuity of service


The Deloitte Cyber Threat Model includes 12 cyber threats, based on CAPEC’s Mechanisms of Attack.

In the threat view (right), these Deloitte cyber threats are mapped according to three dimensions:
• Does the organisation focus on preventing the risk or detecting and responding to it if it occurs?
• Is the risk known and understood (does it relate to a current threat), or unknown with little or no understanding (a future threat)?
• How resilient is our organisation to these threats and does this differ across the business?

[Figure: threat view plotting the 12 numbered cyber threats. Legend: Exposure: Low, Medium, High. Threats shown:]
• Gather Information (118)
• External system attack
• Internal system attack
• System attack from trusted third party network
• DDOS (119)
• Spoofing workforce (156)
• Spoofing customers (156)
• Gain Physical Access (436)
• Social engineering (527)
• Malware targeted to workforce (525)
• Malware targeted to customers (525)
• Supply chain attack (526)

Protecting the business …

Understand your business services, communication channels, etc.

In order to define your Cyber Threat Landscape, you need to understand the characteristics of your Business Services and related communication channels:

• Who is using the Business Service?

• Which information is accessible through the Business Service?

• Which connectivity is available (Internet, Managed IP, internal network)?

• Which technology is used?

Include your organisational structure, geographical locations, criticality of the business, etc. This organisational structure represents what you want to protect against cyber threats.

[Figure: Organisational structure: BU1, BU2, BU3, BU4, each listing its business services (Business service 1, Business service 2, Business service 3, Business service 4), above "Communication channels & characteristics".]

… focussing on the right cyber capabilities

Building what you need, not what other companies do …

• In the beginning there was the traditional information security headed by the CISO
• Then, there is new governance required involving executives to understand and manage cyber risks
• Today, cyber threats require new cyber capabilities in order to mitigate cyber risks


Dashboards

Business View

Level of cyber resilience can be compared across the organisation (e.g. business unit, entity or service)

Easily identify those areas which need improvement

Select a specific cyber threat and identify how resilient the different parts of the organization are

Dashboards

Threat View

Vertical axis (Detect / Prevent) shows whether a cyber threat requires focus on detective or preventive controls given the current state of technology

Overview of the different cyber threats and the current level of cyber resilience of a specific part of the organization

Horizontal axis (Known and understood / Known but not fully understood / Unknown and no understanding) shows how well a specific threat is currently understood

Dashboards

Quick overview

Overview of cyber capabilities which should be invested in to improve cyber resilience for specific parts of the organization

Cyber security

Example of how we create an overview for our clients.

Development from reactive to proactive Risk Management

Gaps in traditional Risk Management systems

Many companies today have a basic security infrastructure that incorporates traditional detection controls, threat reporting and Security Event Management. These elements are all necessary, but on their own they do not provide sufficient protection against today's threat level. Below is Deloitte's maturity model, which we work from to strengthen the individual client's proactive Risk Management.

Deloitte's Managed SIEM solution

Deloitte's synergy between technology, processes and professional cyber security competencies

In all aspects of Deloitte's Managed SIEM solution, as well as the infrastructure of Deloitte's CyberSOC, the highest security standards have been taken into account, combined with the experience of the support team's delivery of Managed Security Services.

© 2016 Deloitte Denmark

[Figure: Deloitte's Managed SIEM process. Stages: Identification of risk profile; Collection of raw logs; Data correlation; Data enrichment; Security intelligence analysis; Value-creating customer insight. Steps shown beneath the stages: Collection of raw logs; Normalisation of logs; Identification of offenses; Analysis of offenses; Security Intelligence review.]

Identification of external requirements for logging, e.g.
• Persondatalov (Danish Personal Data Act) / Persondataforordningen (General Data Protection Regulation)
• Sikkerhedsbekendtgørelsen (Danish Security Executive Order)
• Directive on network and information security, NIS
• Etc.

Risk profile
• Identification of the threat landscape
• Identification of critical data, sensitive personal data and critical systems
• Identification of the maturity level for IT security

SIEM governance structure
• Roles & responsibility descriptions, including escalation process
• Process for security incident handling, including categories and rating
• Preparation of Use Cases

Endpoint Detection & Monitoring
• Servers, AV
• Endpoint, AV
• Web
• Client

Network Detection & Monitoring (NDM)
• Firewall
• IDS & IPS
• Web Filters
• Netflow

Cloud Solutions

Identity & Data Monitoring (NDM)
• DNS and DHCP
• Database
• Active Directory
• Asset & Configuration Management Systems

Other labels in the figure
• Vulnerability Data, Patch level
• Asset Data
• Threat Data
• IBM X-Force
• Honeypots
• Deloitte's scanning results
• Configuration parameters based on the client's risk analysis
• Cognitive analysis
• Methodical analysis
• Cyber threat landscape
• IRT, Incident Response team
• Monthly Data Breach report
• Ongoing validation of the client's maturity level

Copyright © 2016 Deloitte Development LLC. All rights reserved. Deloitte Cyber Risk Services, Denmark

And finally ...

Stop talking about security

Board of Directors: "What is our risk by establishing us in UK?"

CISO: "Tell me the critical success factors, then I put them in relation to our threat and current protection – and then we can discuss how it matches your appetite."

CEO: “Can we be hit by ransomware?"

CISO: "Yes. But we detect it and react quickly, so it will have no impact.”

Closing

Thank you for today!