Institute of Internal Auditors
© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 259923
Introduction
Cyber Security Defined
Definition by NIST
The ability to protect or defend the use of cyberspace from cyber attacks.
Information Protection Has Become an Executive-Driven Issue

Top 10 concerns for directors and general counsel (survey results shown on the slide):

General counsel:
■ Data security 55%
■ Operational risk 47%
■ Company reputation 40%
■ M&A transactions 37%
■ Investor relations 30%
■ FCPA 30%
■ Executive compensation 30%
■ SEC/regulatory compliance 28%
■ Disaster recovery 27%
■ Internal controls 26%
■ Global business expansion 26%

Directors:
■ Data security 48%
■ Operational risk 40%
■ Management of outside legal fees 38%
■ Company reputation 35%
■ Disaster recovery 35%
■ E-discovery 33%
■ Global business expansion 29%
■ Internal controls 26%
■ Executive compensation 26%

Directors who say their company has a crisis management plan in place to respond to a cyber attack: Yes 42%, No 27%, Unsure 31%.

Top concerns for audit committees:
■ Governance, processes, controls and risk
■ Management
■ IT risk and emerging technologies
■ Uncertainty
■ Information privacy/security/cyber security
Cyber Attacks – How are they being attacked?
[Chart: share of attacks by motivation. Cyber Crime 49%, Hacktivism 35%; Cyber Warfare and Cyber Espionage account for the remaining 10% and 6%.]
Source: Hackmageddon.com
Cyber Attacks – What are the Types of Attacks?
[Chart: new malware distributions, Q1 2013, by type (Trojans, Others); the percentages for the main categories are not recoverable from the extracted slide.]
Cyber Attacks – What are the Types of Attacks?
A denial of service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the internet.
[Diagram: distributed DoS structure – handlers controlling many zombies, all of which send traffic to the victim.]
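As an added, illustrative example (not part of the original deck), this is the detection side of the handler/zombie structure shown above: a small Python script that flags a minute in which request volume to a server jumps far above its baseline and, when that volume is spread across many source addresses, labels it a distributed flood rather than a single noisy client. The log format, the thresholds and the traffic sample are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def constructed_log():
    """Constructed sample traffic (not real data): three minutes of normal
    browsing from four clients, then one minute in which 120 zombie
    addresses each send five requests to the same victim path."""
    base = datetime(2014, 3, 1, 10, 0)
    lines = []
    for minute in range(3):
        for i in range(8):
            ts = base + timedelta(minutes=minute, seconds=i * 7)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} 10.0.0.{i % 4 + 1} GET /index.html")
    for z in range(120):
        for k in range(5):
            ts = base + timedelta(minutes=3, seconds=(z * 5 + k) % 60)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} 198.51.100.{z + 1} GET /login")
    return lines

def parse_line(line):
    """Assumed log format: '<ISO timestamp> <source IP> <method> <path>'.
    Returns (one-minute bucket, source IP)."""
    ts, ip, _method, _path = line.split()
    bucket = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(second=0)
    return bucket, ip

def detect_floods(lines, factor=5.0, min_sources=50):
    """Flag minutes whose request count exceeds `factor` times the median
    per-minute count (a cheap baseline that a single spike cannot drag up).
    A flagged minute is 'distributed' when its requests come from at least
    `min_sources` distinct addresses (the zombie pattern), otherwise
    'single-source'. Returns [(bucket, requests, distinct_sources, verdict)]."""
    per_minute = defaultdict(list)
    for line in lines:
        bucket, ip = parse_line(line)
        per_minute[bucket].append(ip)
    baseline = median(len(ips) for ips in per_minute.values())
    alerts = []
    for bucket in sorted(per_minute):
        ips = per_minute[bucket]
        if len(ips) > factor * baseline:
            distinct = len(set(ips))
            verdict = "distributed" if distinct >= min_sources else "single-source"
            alerts.append((bucket, len(ips), distinct, verdict))
    return alerts

if __name__ == "__main__":
    for bucket, count, distinct, verdict in detect_floods(constructed_log()):
        print(f"{bucket:%H:%M}: {count} requests from {distinct} sources -> {verdict}")
```

The median baseline is deliberately crude; in production the baseline would come from a longer history and the per-minute counts from the web server or load balancer logs the slide's "audit logs" questions refer to.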
Cyber Attacks – What are the Types of Attacks?
Cyber Attacks – What do attackers want?
Name – 191,447,792
Misc./Unknown – 184,244,196
Address – 180,491,088
Financial Information – 153,792,140
Passwords – 40,065,366
eMail Address – 29,500,807
Credit/Debit Card Information – 29,475,045
Government ID Number – 13,419,571
Date of Birth – 6,754,341
Account Information – 6,009,819
Medical Records – 2,298,115
Cyber Attacks – Which industry sectors are being attacked?
Over the past five years, more than one billion people globally have been affected by data loss incidents.
Over the last five years, 60% of all incidents reported were due to hacking, and more than half of hacking incidents are reported in the business sector.
[Chart: number of hacking incidents as a % of total, five-year trend by sector (Government, Medical, Education, Business), 2008–2012; y-axis 0%–60%. Data labels on the chart: 67.2%, 52.0%, 24.5%, 11.1%, 8.3%, 8.0%.]
Understanding Risk Exposure
Dynamic World of Change
Business delivery “stack” and the areas of dynamic change at each layer:

Business layer (geopolitical drivers, industry leading practices, corporate objectives, business process)
■ Slow economic recovery
■ Driving growth & profitability
■ New products/services
■ Mergers/acquisitions
■ Globalization
■ Strategic sourcing
■ Competitive differentiation
■ Increased regulatory scrutiny

Enablement layer

Infrastructure layer (servers/hosts, networks, traditional physical environment)
■ Virtualization & cloud platforms
■ Internetworking/VPNs
■ New operating systems
■ Low cost computing models
■ Changing data center models
Key Standard Control Processes
[Diagram: key standard control processes – policies, procedures, awareness.]
Source: RSA
Cyber Maturity Assessment Methodology
Cyber Maturity Assessment Methodology – Areas of Focus
Cyber Attack Countermeasure – How can we fight them?
Source: KPMG, “Cyber threat intelligence and the lessons from law enforcement”
NIST Cybersecurity Framework
Overview of NIST Draft Framework
Key Questions to Ask
In addition to the five core functions, there are general governance topics that cross all of them:
■ Who is responsible for cyber security, and is it positioned appropriately in the organization?
■ Do we have enough of the right resources and capabilities?
■ Do we have enough of the right training?
■ What is the internal audit program in this area?
■ Do results from internal audits indicate potential weaknesses related to cyber security risk?
Key Questions to Ask
Function: Identify
Question: What is our risk level today, and how is that measured qualitatively and quantitatively?
Supporting control questions:
■ Do we have an inventory of authorized and unauthorized devices?
■ Do we have an inventory of authorized and unauthorized software?
■ What is our risk appetite?
■ What is our current risk profile?
Key Questions to Ask
Function: Protect
Question: Do we have strong policies in place for secure configuration of applications, databases, and infrastructure, and are we complying with these standards?
Supporting control questions:
■ Do we have secure configurations for hardware and software on mobile devices, laptops, workstations, and servers?
■ What is the state of our malware defenses?
■ What is the state of our application software security?
■ What is the state of our wireless device control?
■ Do we have secure configurations for network devices, such as firewalls, routers, and switches?
■ Do we limit and control network ports, protocols, and services?
■ Do we control the use of administrative privileges, and how?
■ Do we control access based on need to know?
■ Do we have a robust, secure engineering process to protect security controls from being circumvented?
Key Questions to Ask
Function: Detect
Question: Do we have processes to inform us when we have had a cyber security attack?
Supporting control questions:
■ Do we conduct continuous vulnerability assessment and remediation?
■ Do we have processes to maintain, monitor, and analyze audit logs?
■ Do we have boundary defense controls that look for attacks and evidence of compromised machines?
■ Do we monitor and control accounts so that system or individual accounts that are not needed are removed in a timely manner?
■ Do we scrutinize movement of data across network boundaries, both electronically and physically?
Types of security controls:
■ Continuous vulnerability assessment and remediation
■ Account monitoring and control
■ Penetration tests and red team exercises
Key Questions to Ask
Function: Respond
Question: What is our incident response plan in the event of a cyber security attack?
Supporting control questions:
■ Do we have such a plan, and does it have clearly defined roles and responsibilities?
■ Do we conduct simulated attacks (such as penetration tests) to improve the organization’s readiness?
Types of security controls:
■ Security skills assessment and appropriate training to fill gaps
■ Incident response and management
Key Questions to Ask
Function: Recover
Question: What are our processes for recovering if we have experienced an incident?
Supporting control questions:
■ Do we have a plan for removing all traces of an attack from our environment?
■ Do we have appropriate back-up processes in place to support a recovery, and are they regularly tested?
Types of security controls:
■ Data recovery capability
■ Data loss prevention
Summary
“Cyber” risks are real – while such risks have existed previously:
■ Businesses rely more on their IT infrastructure than historically, with mobile devices, etc.
■ There is greater interdependency due to outsourcing, third party service providers, cloud computing, etc.
■ The internet provides additional avenues for cyber attacks
■ Regulatory expectations of board oversight are increasing, and more regulatory oversight and guidance is likely
■ Be wary of techno-babble in the board room; cyber security should not be the domain of the “techies”
■ It is not possible to eliminate the risk; monitoring and response capabilities are crucial
■ Well managed IT departments with a focus on information security are effective in managing the cyber risk
Questions/Discussion
Contacts:
Ann Armstrong
Advisory, Managing Director
KPMG LLP
annarmstrong@kpmg.com

Dhawal Thakker
Advisory, Director
KPMG LLP
dthakker@kpmg.com

Dana Mabes
Advisory, Manager
KPMG LLP
dmabes@kpmg.com

www.kpmg.com