Cyber Security – Advances to the more complex level
Audit Committee Forum
May 2018
© 2018 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand.
Agenda
• Audit Committee Roles towards Cyber Security
• Cyber Threats In Focus
• Future Technology Disruptors
• Building Cyber Resilience
Audit Committee Roles towards Cyber Security
Audit Committee Roles towards Cyber Security
Source: The KPMG 2017 Global Audit Committee Pulse Survey
“Audit Committees should be aware of the critical risks, cyber security and major threats that the Company is facing, while the expectations of Audit Committees towards cyber security are growing”
Audit Committee Roles towards Cyber Security
“The Audit Committee has a critical role to play in ensuring that its organization has a robust cyber security preparedness program, and in reviewing the Company’s internal control system and internal audit system, which have to focus on the Company’s key risks beyond financial reporting and compliance”
Quick questions to consider asking management regarding cyber security:
• Has management identified cyber security as a threat or risk to the Company? If not, why not?
• How do we ensure that the Company has enough safeguards over cyber security risks? Who is the responsible person?
• When was the last time the Company assessed its cyber security system? What was the result? Were there any subsequent developments?
Roles of the AC have evolved over time far beyond normal financial reporting, internal controls and compliance:
1. The AC can liaise with management to set the right level of risk appetite and tolerance, including appropriate control activities
2. The AC oversees internal audit to maximize its value by focusing on risk management and key risk factors
3. The AC can help foster a culture of risk and compliance – tone at the top
4. The AC can be involved in the risk management process to review and oversee the company’s risk assessments
Cyber Threats In Focus
The Global Risks Landscape 2018
Source: Global Risk Report 2018 by The World Economic Forum
Cyber Threats In Focus
Cloud technologies
While the potential benefits of cloud computing are compelling, the
use of cloud computing services is driving new risks, security and
privacy concerns, and opportunities that impact all elements of the
business ecosystem.
Internet of Things
The Internet of Things is not just some fancy futuristic world.
It’s here today: a complex world full of connected things ranging
from personal gadgets and household appliances to medical devices
and critical infrastructures that are all networked.
Low hanging fruit
The human factor was, is, and will always be, the weakest link.
Data breaches can often be traced to social engineering and human
error. That's not just a matter of careless users. It's also a
design problem.
Cyber Threats In Focus - Low hanging fruit: Fileless Malware/Ransomware – An undetectable threat
Source: Emsisoft
True Fileless malware is non-persistent - All traces of it
disappear when the system is rebooted, making forensic
investigation difficult.
1. The user visits a website that hosts a malicious file
2. The malicious content executes using a built-in Windows tool
3. The antivirus cannot detect it and the user's computer is compromised
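Because this chain leaves little or nothing on disk, detection has to work from telemetry captured while the process is running rather than from a post-reboot disk image. The following is an added example, not code from the KPMG deck or from Emsisoft, of a small triage pass over process-creation events: it flags a built-in script host that was launched directly by a browser, or launched with hidden-window, encoded-command or download arguments. The record format, the lists of browsers and script hosts, and the sample events are constructed assumptions for this example; a real deployment would feed it Sysmon or EDR process-creation events forwarded to a central log store.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed lists for this example: tune them to the environment being monitored.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Command-line features that are rare in routine administration but common
# when a script host is used to run code that never touches disk.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    ts: str
    parent: str   # image name of the parent process, lower-cased
    image: str    # image name of the new process, lower-cased
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'ts|parent|image|cmdline' record."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcessEvent(ts.strip(), parent.strip().lower(), image.strip().lower(), cmdline.strip())


def triage(ev: ProcessEvent) -> List[str]:
    """Return the reasons (possibly none) this event deserves analyst attention."""
    reasons: List[str] = []
    if ev.image not in SCRIPT_HOSTS:
        return reasons
    if ev.parent in BROWSERS:
        reasons.append("script host spawned directly by a browser")
    if SUSPICIOUS_ARGS.search(ev.cmdline):
        reasons.append("script host started with hidden/encoded/download arguments")
    return reasons


def find_suspicious(lines) -> List[Dict[str, str]]:
    """Run triage over raw records and collect every finding with its context."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for reason in triage(ev):
            findings.append({"ts": ev.ts, "parent": ev.parent, "image": ev.image, "reason": reason})
    return findings


# Constructed sample telemetry. The encoded argument is a placeholder string,
# not real content; the last two records show benign script-host use.
SAMPLE_EVENTS = [
    "2018-05-02T09:14:03|explorer.exe|chrome.exe|chrome.exe --profile-directory=Default",
    "2018-05-02T09:14:21|chrome.exe|powershell.exe|powershell.exe -w hidden -enc AAAAPLACEHOLDERAAAA",
    "2018-05-02T09:30:00|services.exe|powershell.exe|powershell.exe -File C:\\ops\\backup.ps1",
    "2018-05-02T09:31:10|cmd.exe|cscript.exe|cscript.exe //nologo C:\\scripts\\inventory.vbs",
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['parent']} -> {f['image']}: {f['reason']}")
```

Only the browser-launched, hidden, encoded PowerShell record is flagged; the scheduled backup script and the inventory VBScript pass, which is the point of keying on parent process and argument shape rather than on the script host alone.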
Cyber Threats In Focus - Low hanging fruit: Fileless Malware calling Cryptocurrencies Mining
Malicious hackers can target the websites you visit and implement
the Coinhive script. It has happened to more than 4,200 websites in
many countries spanning the globe, including governments,
organizations, and schools.
Cyber Threats In Focus - Low hanging fruit: Fileless Malware calling Cryptocurrencies Mining
More than half of the websites running in-browser cryptocurrency mining scripts are concentrated in 4 countries: US, India, Russia and Brazil.
Cyber Threats In Focus - Low hanging fruit: Phishing
A bypass of the Safe Links feature of Microsoft's Advanced Threat Protection (ATP) for Microsoft Office 365 allowed attackers to deliver links to malicious websites that appeared to the user as safe URLs.
Cyber Threats In Focus - Cloud technologies: Shadow Cloud
A large volume of data totaling over 68 million records was
subsequently traded online and included email addresses and salted
hashes of passwords.
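The traded records in this incident contained salted password hashes, which is the right design; the check a practitioner wants to make is that the salt is random per record and that the hash function is deliberately slow, because a fast unsalted digest lets an attacker work through every leaked record at once with a single precomputed table. The following is an added example, not code from the deck, that shows the weak form beside the hardened form using only Python's standard library. The iteration count, the storage format and the sample users are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Illustrative work factor (an assumption for this example). Raise it as far
# as login latency allows: the slowdown is what makes offline guessing
# against a leaked hash table expensive.
ITERATIONS = 100_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def unsalted_digest(password: str) -> str:
    """The weak form: identical passwords give identical digests, so one
    precomputed table attacks every record in a leaked database at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The hardened form: fresh random salt per record plus a slow KDF.
    Returns a self-describing record 'scheme$iterations$salt$digest'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        SCHEME,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count and compare
    in constant time, so a malformed or foreign record simply fails."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def build_user_table(users: Dict[str, str]) -> Dict[str, str]:
    """Constructed user store: username -> hashed record."""
    return {name: hash_password(pw) for name, pw in users.items()}


# Constructed sample accounts; two users deliberately share a password.
SAMPLE_USERS = {"alice": "correct horse battery", "bob": "correct horse battery", "carol": "hunter2"}

if __name__ == "__main__":
    table = build_user_table(SAMPLE_USERS)
    print("unsalted digests equal:", unsalted_digest("correct horse battery") == unsalted_digest("correct horse battery"))
    print("salted records equal:  ", table["alice"] == table["bob"])
    print("alice verifies:        ", verify_password("correct horse battery", table["alice"]))
```

With salting, alice and bob hold different records despite sharing a password, so a leaked table gives the attacker no way to group or precompute them; the iteration count embedded in each record also lets the work factor be raised later without invalidating existing users.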
Cyber Threats In Focus - Cloud technologies: Data breach and Privacy
A misconfigured cloud-based file repository exposed the names,
addresses, account details, and account personal identification
numbers (PINs) of as many as 14 million US customers of
telecommunications carrier Verizon.
Cyber Threats In Focus - Cloud technologies: Data breach and Privacy
Financial giant Dow Jones & Company has inadvertently leaked
the sensitive personal and financial details of millions of the
company’s customers.
Cyber Threats In Focus - Cloud technologies: Data breach and Privacy
Over 970 million records have been lost or stolen since 2013, and ONLY 4% of breaches were “secure breaches” where encryption was used and the stolen data was rendered useless. The new EU General Data Protection Regulation (GDPR), coming into effect from 25 May 2018, will require any business that experiences a data breach to report it to the ICO within 72 hours.
Administrative fines of up to 20 million Euro or 2-4% of worldwide annual revenue.
Source: Breachlevelindex
Cyber Threats In Focus - Internet of Things
Critical RCE vulnerability found in over a million GPON Home
Routers by South Korea-based DASAN Zhone Solutions.
Cyber Threats In Focus - Internet of Things
Mousejacking, caused by a raft of security problems the company says it has found in numerous wireless mouse and keyboard products.
Future Technology Disruptors
Main disruptors and the security risks they highlight
Technology is evolving at a rapid pace. While this presents opportunities for innovation, it also spawns potential cyber security risks that need to be understood, managed and mitigated.
• Blockchain
• Third Party Risk Assessment
• Intelligence
Building Cyber Resilience
Organizations must map their crown jewels: knowing which assets matter most is key to building a successful cyber strategy.
Where are you on your security journey? Measuring your maturity
Cyber Security Industry Frameworks
Cyber Security Industry Frameworks: Cyber Essentials
Basic guidance such as ‘Cyber Essentials’ is an important first
step on the cyber security journey – as its focus is on
establishing core operational security controls that will mitigate
many of the commoditized attacks (such as the WannaCry and NotPetya
ransomware attacks) that have impacted organizations.
The scheme provides organizations with clear guidance on
implementation, as well as offering independent certification for
those who want it.
Cyber Security Industry Frameworks: Center for Internet Security (CIS) Critical Security Controls
The CIS Controls are a prioritized set of actions that collectively
form a defense-in-depth set of best practices that mitigate the
most common attacks against systems and networks.
Cyber Security Industry Frameworks: NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework (CSF) provides a model for measuring the maturity of cybersecurity within organizations. It should be considered more of a “maturity framework” than a “standard” (e.g., the ISO 27000 series or NIST SP 800-53).
Key steps to improve cyber security
(Slide graphic labels: Key Steps; Cyber security risk; Third party management)
Everyone on the Board needs a level of understanding of the issues
so that they are able to engage in credible discussions. It helps
to either have someone on the Board with technology and security
experience or to have an advisory panel of external experts who can
support the Board.
It is also key to be clear about the organization's cyber security
risk appetite. What tolerance levels are there, for example, around
acceptable downtime for digital channels? Mature organizations make
conscious choices about their tolerance limits, which need
Board-level endorsement and oversight.
It starts with building a culture of security awareness, which has to come from the top. Basic good behaviors have to be instilled, such as not sharing passwords or not clicking on unknown links; together these build up cyber hygiene. For example, if you run phishing tests internally, you might have a “Hall of Fame” for members of staff that have helped identify and report phishing emails.
To do this, you need to know who all of your third parties are,
what access they have to your data, and where their connections are
into your network. You also need to understand who your fourth and
fifth parties are – the organizations that your supply chain relies
on.
Make sure that the right provisions are included in contracts with
suppliers, and that you have an effective on-boarding process for
new ones that includes consideration of cyber security.
No matter how much you invest in your defences, cyber-attacks will happen. It is therefore crucial that you are able to detect when you are being attacked, so that you can then respond and recover. Clearly, you need to be able to respond as quickly as possible to an incident in order to limit its impact.
Mature organizations have invested in developing a cyber response
framework which contains clear policies in the event of different
forms of cyber-attacks.
Source:
https://assets.kpmg.com/content/dam/kpmg/uk/pdf/2018/04/building-cyber-resilience-in-asset-management.pdf
Treat your passwords like your underpants
Action Plan
1. Allocate accountability for cyber security risk to a Board member.
2. Appoint a person into a senior role with responsibility for managing cyber security.
3. Develop a cyber security strategy and seek board approval.
4. Perform regular cyber security risk assessments of your business.
5. Educate all staff on their cyber security responsibilities and train those in high-risk roles.
Action Plan
6. Implement logging and monitoring on your network and critical systems.
7. Document your cyber incident response plans and perform regular simulation exercises.
8. Identify and assess the cyber security risks in your supply chain.
Document Classification: KPMG Confidential
This presentation was produced for the AC Forum at KPMG. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2018 KPMG Phoomchai Business Advisory Ltd., a Thai limited
liability company and a member firm of the KPMG network of
independent member firms affiliated with KPMG International
Cooperative (‘KPMG International’), a Swiss entity. All rights
reserved.
kpmg.com/socialmedia kpmg.com/app