
“Cyber Threats: An Overview for Operational Risk Managers”
RBC Enterprise Operational Risk Management

Table of Contents

1. Introduction
2. Cyber Threats as Global Threats
3. Perpetrators of Cyber Attacks
4. Cyber Security Strategy & PICNICs
   Case Study #1: Social Engineering at the Pentagon
5. Gateways of Internet Vulnerability
   Case Study #2: Anonymous versus Booz Allen Hamilton
6. Current Top Cyber Threats
   • Distributed Denial of Service (DDoS) Attacks
   • BotNets
   • Viruses
   Case Study #3: Aramco
   • Worms
   • Trojan Horses
   • Logic Bombs
   • Phishing and Spear Phishing
   • Exploit Kits
   • Drive-by Exploits
   • Code Injection Attacks
   • Rogueware
   • Rogue Certificates
   • Identity Theft
   • Confidential Information Breaches
   Case Study #4: Hacking the Dalai Lama
   • Targeted Attacks
   Case Study #5: Stuxnet
7. Malware as a Service (MaaS)
8. Zero-day Vulnerabilities
   • Heartbleed
   • Shellshock / Bash
9. The Problem of Attribution
10. The Bleeding Edge: Supply Chain Hardware Hacking
    Case Study #6: Android Phone Hardware Hack
11. Hackbacks and the Legal Limits of Cyber Self-Defense
12. Insurance Against Cyber Threats
    Case Study #7: Target and the Cost of Cyber Attacks
13. Comments from the Head of U.S. Cyber Command
14. Conclusion
15. Contact Information
16. Disclaimer

1. Introduction

The purpose of this presentation is to provide an overview of the current state of Cyber Threats to Operational Risk Managers and other non-technologists.

• Cyber Security has always been and will always be primarily the responsibility of IT departments.
• As the frequency and severity of incidents have increased, regulators have stressed the need for greater awareness and communication across organizations.
• Because of Operational Risk Management’s high level of visibility with senior management, ORM is well positioned to be a positive force for change in an organization in both heightening the awareness of and improving the responses to Cyber Threats.

2. Cyber Threats as Global Threats

On February 26, 2015, James Clapper, the U.S. Director of National Intelligence, gave his annual “Worldwide Threat Assessment of the US Intelligence Community” to the Senate Select Committee on Intelligence. For the third year in a row, “Cyber Threats” topped the list of Global Threats.

Here is the list of “Global Threats,” in the order they were presented in the version of the document that has been made available to the public:

• Cyber Threats
• Counterintelligence
• Terrorism
• Weapons of Mass Destruction and Proliferation
• Space and Counterspace
• Transnational Organized Crime
• Economics and Natural Resources
• Human Security

The “Worldwide Threat Assessment” also discusses specific regional threats in the Middle East, Europe, Asia, Latin America, and sub-Saharan Africa. The unclassified version of the file is available online:
http://www.dni.gov/files/documents/Unclassified_2015_ATA_SFR_-_SASC_FINAL.pdf

3. Perpetrators of Cyber Attacks

According to the report, the major perpetrators of cyber attacks are as follows:

• Cybercriminals
  Cybercriminals are motivated by financial gain. They range from individuals to vast networks that are organized on an international level.
• Terrorists
  Their preferred targets are usually critical infrastructure, such as energy production and telecommunication, and military targets.
• Hacktivists
  Hacktivists are politically motivated. They usually target high profile websites, corporations, intelligence agencies, and military institutions.
• Nation States
  Many nation states have advanced offensive cyber capabilities, and can use them in hostile actions against adversaries, or for general espionage.
• Corporations
  Some corporations and organizations engage in activities like theft of intellectual property to gain competitive advantage over their competitors.
• Current or Former Employees
  Employees have insider knowledge of a firm’s systems, resources, and defenses.
• Random Individuals

4. Cyber Security Strategy & PICNICs

Many companies use some version of the following three-pronged approach as the basis of their cyber security strategies:

1. Hunkering down behind industrial strength firewalls.
2. Hardening user computers and workstations with anti-virus software.
3. Limiting computer and network access by restricting the use of Wi-Fi, USB inputs, Remote Access, external hard drives, etc.

So, has this three-pronged strategy been effective?

• The answer is a qualified “Yes.” While practically all financial services firms have been subject to cyber intrusions of one form or another, the number of firms that have been severely impacted appears to be limited. However, that list is growing. Also, attackers are well acquainted with these strategies, and plan their attacks accordingly.
• Almost all cyber security strategies have “PICNIC” vulnerabilities:
  PICNIC = “Problem In Chair, Not In Computer”
  PICNICs are usually associated with end users. However, PICNICs can also refer to IT departments.
• Social Engineering and a basic understanding of Psychology have been used numerous times by attackers to come up with PICNIC exploits that can offset or negate even sophisticated cyber security strategies. [see Case Study #1 on slide #8]

Case Study #1: “Social Engineering” at the Pentagon

The Pentagon in Arlington, Virginia houses the US Department of Defense. It is one of the largest office buildings in the world, and one of the most secure.

The Pentagon has strict rules about the use of USB thumb drives on their computers. One of their IT security areas decided to see how effective their protocols were. So, over the course of several days, they seeded several Pentagon parking lots with thumb drives, to see how many would get used on Pentagon computers. The only software on the thumb drives was a program that called back to a host to say it was plugged in, and the IP of that computer.

They found that 20% of the thumb drives got plugged in.

A few weeks later, they decided to repeat the experiment, but this time with a Social Engineering component – they branded the drives “CIA,” “FBI,” or “NSA” to make them more enticing.

Almost 80% of the falsely branded drives got plugged in.

"Cyber Threats" | Neil Roth | 11 December 2014

5. Gateways of Internet Vulnerability

From its earliest incarnations, the internet was designed to facilitate the rapid, accurate, and effective communication of information. Security was never the primary concern. As such, there are several things to keep in mind:

1. Instantaneous Action at a Distance
   The people attacking your company may be based in countries that don’t even have an extradition treaty with your country, so legal recourse may be difficult or impossible.
2. Anonymity in Cyberspace
   Cyber criminals who have the requisite skills in hiding or obscuring their activities have a big advantage over their targets.
3. Lack of Borders
   Nations have at least some degree of control over their physical borders. Controlling internet borders is much more difficult.
4. Asymmetries of Cyberspace
   A small group of actors can effectively attack large targets. [see Case Study #2 on slide #10]

Case Study #2: “Anonymous” versus Booz Allen Hamilton

In 2011, the hacktivist group “Anonymous” breached the cyber defenses of US contractor Booz Allen Hamilton, and posted the encrypted passwords of thousands of US military personnel online.

After the hack was reported in the media, and confirmed by the Pentagon, Booz Allen Hamilton tweeted that its security policy restricted it from commenting on attacks against its systems.

In response, Anonymous tweeted:

“You have a security policy? We never noticed. We infiltrated a server that basically had no security measures in place. We were able to run our own shell application, and begin plundering. We were also able to grab 4GB of your source code and wipe it from your system. We are Anonymous. We are AntiSec. Expect us.”

6. Top Cyber Threats: DoS and DDoS Attacks

“Denial of Service” (DoS) attacks are an attempt to make a resource unavailable to its users.

“Distributed Denial of Service” (DDoS) attacks occur when multiple sources launch simultaneous DoS attacks against a single target.

The “Low Orbit Ion Cannon” (LOIC) is the most popular application used for DDoS attacks. The LOIC features a user-friendly web-based interface. An attacker simply enters a URL or an IP address, then clicks to commence an attack.