ebook img

The five most common cyber security mistakes PDF

16 Pages·2013·1.42 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview The five most common cyber security mistakes

AVD Y ROSI The fve most common cyber security mistakes Ms’tn e m e g a n a rep sitc e p v e o n yc reb sruc e ity kpmg.nl © 2013 KPMG Advisory N.V. 2 | TChoen tfinveu omuso satu cdoitminmg oand c ycboenrt insueocursi tmy monisittoarkinegs: The current status and the road ahead © 2013 KPMG Advisory N.V. The fve most common cyber security mistakes | 3 Contents Preface 4 01 Introducton 6 02 The five most common cyber security mistakes 8 03 Customising your approach 11 04 As a manager, how do you assess the cyber capability of your organisation? 12 05 Conclusion 14 © 2013 KPMG Advisory N.V. 4 | The fve most common cyber security mistakes Preface We know that cyber security is an important concern for every organisation. Daily occurrences demonstrate the risk posed by cyber attackers – from individual hackers to professional cyber criminals. The management of any organisation face the task of ensuring that their organisations understand the threat and set the right priorities. This is no easy task in light of the technical jargon involved and the pace of change. Non-specialists can find it difficult to know where to start, to focus on what is important. At the same time, the media contributes to a culture of fear suggesting every organisation is an easy target. Reports often fail to distinguish between opportunistic fraudsters on eBay and organised criminal groups with strategies for systematically stealing intellectual property. Understanding the nature of the attacker is, however, very important in assessing the extent to which organisations are likely to become a target. As outlined above, cyber security is a challenge for the leadership of many organisations. This, however, cannot be an excuse to divest responsibility to the ‘experts’. It is essential that company management take leadership in the following areas: (1) allocation of resources to deal with cyber security, (2) governance and decision-making and (3) building an organisational culture in which everyone is aware of his or her responsibilities. Company management need to be able to navigate through the complexity of cyber security by gaining the confidence to ask the right questions. But how do you do that? This whitepaper provides some advice on getting the basics right. John Hermans Gerben Schreurs KPMG Cyber Security Lead Partner Partner KPMG Forensic © 2013 KPMG Advisory N.V. eh T v� e om s t oc om n yc reb sruce ity im sset ka | 5 What is cyber crime and who is carrying it out? yC reb rc i em is a r egna o f i lagel diig t la itca viit se tra deteg 3 rO inag sde rc i ,em of suc de soylel o n if icnan la iag n ta orinag sita osn i n ordre ot suac e rah .m eh T ret m ilpa se rht o hgu a vra itey o f inah cem ssm rf o m ihp sih gn ot ot a iw d e r egna o f tra steg dna k t ca ta ohtem ds. sile gn sot nel oc ynapm dta ;a dnU re stdna i gn eht otca‘ r , ’ i..e eht rep so n or orinag sita o n 4 Govre stnemn , of suc de o n irpm ovi gn ieht r oeg op il it lac taht is sop sn ori gn or oc dn itcu gn eht sk t ca ta , is se sitne la op siit o n dna / or oc rem ic la iretn se st . of r itce f fe v e d.ecne fe Askt ca t yb seht e dire f f tne otca rs vah e a rebmun o f Aotc rs nac eb dividde iotn of ru ogetac rise : dire f f tne rah c retca isit sc , s h cu sa eht ty ep o f tra ,teg eht k t ca ta ohtem ds dna s elac o f i.tcapm A ilbup itac o n yb 1 A n idn ivid lau re k c a h , rene g yla itca gn ola en dna eht h ctuD yC reb ruceS ity rtneC mu N( ;CSC Nita o lan yC reb om it vdeta yb ieb gn elb a ot soh w tah w s/eh eh nac do; ruceS ity rtneC )e sah rp ovidde ruf reht ylana sis o f eht yc reb sruce ity dnal s epac i n eht Nrehte dnal s , sa le w sa 2 eh T itca vis ,t of suc de o n ria si gn eht rp oif el o f na a dteia del dse rc iitp o n o f vra iosu yc reb otca rs. idoe ol yg or op il it lac viopw e i ,tn o net f yb rc itae gn rae f dna disritpu o;n © 2013 KPMG Advisory N.V. 6 | The fve most common cyber security mistakes 01 rtnI oditcu on yC reb sruce iyt : ehT iht sgn yo u rp oylbab rla dae y onk w The amount of data continues to Criminals and/or criminal organisations need to protect themselves against grow exponentially as does the rate at are, of course, also aware of these cyber attacks and ensure that an which organisations share data through vulnerabilities. Attacks on governments’ appropriate response can be provided. online networks. The Internet of Things and companies’ networks have The three areas of capability – – in which billions of machines, from increased in volume and severity. prevention, detection and response – tablets and smartphones to ATM The motives of cyber criminals are must be in effect to achieve this machines, security installations, oil various, from pure financial gain, to (see frame). fields, environmental control systems espionage or terrorism. Organisations and thermostats, are linked together – has left the realm of science fiction and is becoming reality. Mor e iofn ritam o n is rp ovidde oleb :w The consequence is that, in heavily networked societies, inter-dependencies Prevention increase. Organisations increasingly Prevention begins with governance and organisation. It is about technical open their IT systems to a wide measures, including placing responsibility for dealing with cyber crime range of (mobile) machines and – by within the organisation and awareness training for key staff. definition – lose direct control of data security. Furthermore, business Detection continuity, both in society and within Through monitoring of critical events and central safety incidents, an companies, becomes increasingly organisation can strengthen its technological detection measures. dependent on IT. Disruption to these Monitoring and data mining together form an excellent instrument to core processes can have a major detect strange patterns in data traffic, to find the location on which the impact on service availability. attacks focus and to observe system performance. Response Response refers to activating a plan as soon as an attack occurs. During an attack the organisation should be able to directly deactivate all technology affected. When developing a response and recovery plan, an organisation should perceive (information) security as a continuous process and not as a one-off solution. © 2013 KPMG Advisory N.V. eh T v� e om s t oc om n yc reb sruce ity im sset ka | 7 eh T iht sgn yo u yam on t onk w reneg yla sdetcejbu ot ynam o f eht semeht taht ra e d tlae iw ht rf o m a ris k iicn dstne itnem oden i n eht dem i.a tnemeganam rep sitcep v ,e rrehta naht oY u ra e rp oylbab rla dae y ima f il ra eh T rt htu is om r e decnaun naht eht ieb gn sab de o n na id ae o f iub dl i gn a iw ht tahw sah neb oiltu den so raf , ip ru tc e iap detn yb eht dem i.a eh T rissk sys met taht is 100 % reta w it .thg sa yc reb sruce ity sah riece vde nac eb oc rtn odel . yC reb rc iim slan siing if tnac itnet ta o n i n r tnece yrae s. ra e on t ivn iicn elb ineg su se , dna dae L i gn rf o m iht s , e w ileb ve e taht og vre stnemn dna oc inapm se ra e ynam orinag sita osn den ot egnah c seD ip et eht rep vsa iv e ru tan e o f yc reb elbapac o f if ithg gn yc reb rc i.em ieht r ooltu o k o n yc reb sruce ity. sruce ity , orinag sita osn soh dlu on t tuB e w do vah e ot rilae s e taht 100 % yeh T soh dlu do iht s yb yalp i gn ot ola w smeht vle se ot eb driv ne yb rae f . sruce ity is na isul io ,n dna taht sah c i gn ieht r srt shtgne rrehta naht ieht r rae f s eh T dem i a o net f s h cte k na rala im s t taht 100 % tra teg iw l dael on t oyln ot o f tahw im thg .nepah vnI se tnemt ip ru tc e o f yc reb sruce ity , o en i n ihw h c rf su rt ita o n tub sla o ot a sla f e ssne e o f soh dlu eb decnalab neteb w rissk la orinag sita osn ra e na sae y tra teg sruce ity. dna op itnet la istcapm . of r yc reb rc iim slan . ih T s dael s ot disrp oop rit o etan rae f . A s lam or im d- nI ,tca f e w vah e ot rt tae yc reb sruce ity sidez oc ynapm sah a vre y dire f f tne ris k sa sub‘ isen s sa su ’lau – na ra ae o f ris k rp oif el naht a itlum itan o ,lan of r elpmax e taht riuqe rse eht s ema vel le o f s lam ot im ds- idez oc inapm se ra e on t itnet ta o n sa if r e or rf dua . seh T e ra e Prevention Detection Response Management Aop iitn gn yc reb rc i em snE ru i gn a 2 7/4 stdna yb- sU i gn of rsne i c ylana sis sik sl and rse op sn iib il it se rc( isis ) orinag sita o n organisation Processes yC reb rc i em rse op sn e set st Prodec ru se of r of ol pu- w o f yC reb rc i em rse op sn e nalp s( iitalum osn ) iicn dstne Pre iodi c ssnac dna rtenep ita o n set st Technology snE ru i gn da etauqe dse otk p itnemelpmI gn ol ig gn o f itcaeD vita gn or disoc itn iun gn sruce ity rc iit lac rp osec sse T I sre visec dnu re k t ca ta snE ru i gn oten w r k itnemelpmI gn rtnec la stnemgeita on om in ot ri gn o f sruce ity iicn dstne © 2013 KPMG Advisory N.V. 8 | The fve most common cyber security mistakes 02 The five most common cyber security mistakes To many, cyber security is a bit of a mystery. This is probably one of the reasons why it is not always approached appropriately. From our years of experience, we have identified the five most common cyber security mistakes. These are discussed below. 1 Mistake: “We have to achieve In practice, the emphasis is often be integrated into the technology 100% security” skewed towards prevention (the architecture, but they are not the basis equivalent to building impenetrable of a holistic and robust cyber security Reality: 100% security is neither walls to keep the intruders out). policy and strategy. The investment in feasible nor the appropriate goal Once you understand that perfect technical tools should be the output, security is an illusion and that cyber not the driver, of cyber security Almost every airline company claims security is ‘business as usual’, strategy. that flight safety is their highest priority however, you also understand whilst recognising that there is an immediately that more emphasis must Good security starts with developing inherent risk in flying. The same applies be placed on an adequate detection a robust cyber defence capability. to cyber security. Every large, well- and response. After a cyber crime Although this is generally led by the IT known organisation will unfortunately incident, which may vary from theft department (who should be aware of experience information being either of information to a disruptive attack the importance of cyber security), the stolen privately or stolen and made on core systems, an organisation knowledge and awareness of the end public. must be able to minimise losses and user is critical. The human factor is and resolve vulnerabilities. remains, for both IT professionals and Developing the awareness that 100% the end user, the weakest link in protection against cyber crime is relation to security. Investment in the 2 neither a feasible nor an appropriate best tools will only deliver the return goal is already an important step Mistake: “When we invest in best- when people understand their towards a more effective policy, of-class technical tools, we are safe” responsibilities to keep their networks because it allows you to make safe. Social engineering, in which choices about your defensive posture. Reality: Effective cyber security is hackers manipulate employees to gain A good defence posture is based on less dependent on technology access to systems, is still one of the understanding the threat (i.e. the than you think main risks that organisations face. criminal) relative to organisational vulnerability (prevention), establishing The world of cyber security is Technology cannot help in this regard mechanisms to detect an imminent dominated by specialist suppliers and it is essential that managers take or actual breach (detection) and that sell technical products, for ownership of dealing with this establishing a capability that example products that enable rapid challenge. They have to show genuine immediately deals with incidents detection of intruders. These tools are interest and be willing to study how (response) to minimise loss. essential for basic security, and must best to engage with the workforce © 2013 KPMG Advisory N.V. The fve most common cyber security mistakes | 9 to educate staff and build awareness methods. It is also sensible to adopt a It is therefore important to look at the of the threat from cyber attack. flexible, proactive approach. Managers value of assets from the perspective of 1 As mentioned in the introduction, this need to understand the value of their both the organisation and the criminal . is often about changing the culture information assets and the implication In that respect, we should also realise such that employees are alert to the of any loss on the core business that business and technology have risks and are proactive in raising these (including business continuity), for developed as chains, and therefore with supervisors. example damage to the brand, reduced organisations are co-dependent on income, intellectual property going each other’s security. public. The cyber security policy needs 3 to prioritise investment into these 4 Mistake: “Our weapons have to be areas rather than try and cover all risks. better than those of the hackers” In short, managers should be aware of Mistake: “Cyber security compliance the latest techniques but should not let is all about effective monitoring” Reality: The security policy should this distract them from protecting their primarily be determined by your most important assets. A business Reality: The ability to learn is just as goals, not those of your attackers case for cyber security should form important as the ability to monitor the basis for investment and resource The fight against cyber crime is an allocation. Important questions for Only an organisation that is capable of example of an unwinnable race. managers in this respect include: understanding external developments The attackers keep developing new Do we know to whom we are and incident trends and able to use this methods and technology and the attractive and why? Do we know insight to inform policy and strategy defence is, by definition, always one what risks we are willing to take in will be successful in the long term. step behind. But is this true? And is it this respect (risk appetite)? Do we Practice shows that cyber security useful to keep pursuing attackers and have insight into which systems store is very much driven by compliance. investing in increasingly sophisticated our key assets (and our business’ This is understandable, because many tools to prevent attack? continuity)? organisations have to accommodate a range of laws and legislations. Of course it is important to keep up Regarding that last question, an However, it is counterproductive to to date and to obtain insights into organisation may perceive the value view compliance as the ultimate goal the intention of attackers and their of its assets differently from a criminal. of the cyber security policy. 1 See also “A nuanced vision on cyber crime”, KPMG 2012 © 2013 KPMG Advisory N.V. 10 | eh T v� e om s t oc om n yc reb sruce ity im sset ka itce f fE v e yc reb sruce ity op il yc dna ylana sis o f retx e lan dna iretn lan • rO inag sita osn den ot dve ole p a srt ygeta soh dlu eb sab de o n oc itn oun su ret tap sn i n ordre ot dnu re stdna oc rop r eta ohtem d of r sa sse si gn dna rael in gn dna irpm ov.tneme eht rilae ty o f eht rht tae dna eht rope rit gn yc reb sruce ity rissk . ih T s soh r ,t dem i mu dna ol gn ret m ris k riuqe rse rp oot oc sl ot drete im en ris k ih T s snaem : iilpm itac osn . ih T s isn i thg soh dlu vel sle dna se italac osn , dna ohtem ds elbane orinag sita osn ot ekam of r iuqe ip gn eht ob ra d iw ht isn i thg • rO inag sita osn den ot dnu re stdna ssne i elb sruce ity ivn se tnemt iotn srt igeta c yc reb rissk dna eht oh w rht stae ve ovl e dna oh w ot oh c isec , idulcn i gn ivn se it gn ot sva .e istcapm ot oc r e sub isen s. itna ic etap .meht ih T s rpa o h ca is ofnU ryletanu t , i n rp itca ,ec ynam itlu yletam om r e oc sitce f fe-t v e i n orinag sita osn do on t et ka a srt igeta c 5 eht ol gn ret m naht dve ole ip gn ve re rpa o h ca dna do on t oc tcel dna su e ih rehg sruce ity sla w‘ .’ ih T s og se eht iretn lan dta a va ia elbal ot .meht Mis:et ka “We need to recruit yeb odn eht om in ot ri gn o f the best professionals to defend irfn sa rt ru tcu :e i t is oba tu sram t • rO inag sita osn den ot sne ru e taht ourselves from cyber crime” iicn dstne ra e ve detaula i n s h cu a yaw taht sel sosn nac eb rael den . ilae R ty: Cyber security is not a nI rp itca ,ec oh vew re , itca osn ra e department, but an attitude driv ne yb r lae it em iicn dstne dna o net f ra e on t roce rdde or ve detaula . yC reb sruce ity is o net f s ne sa eht ih T s dse rt oys eht iba il ty o f eht rse op sn iib il ty o f a drape tnemt o f orinag sita o n ot rael n dna tup ret teb sicep ila s t rp ose f sioslan . ih T s im dn s te sruce ity ra rstnemegna i n ecalp i n yam rse tlu i n a sla f e ssne e o f sruce ity eht ru tuf .e dna dael ot eht iw dre orinag sita o n on t tika gn rse op sn iib il ty. • eh T s ema ilpa se ot om in ot ri gn sk t ca ta . nI ynam sac se , eh T r lae egnelah c is ot ekam yc reb orinag sita osn vah e tnelec x e sruce ity a iam sn rt mae rpa o.h ca om in ot ri gn ibapac il it se , tub eht ih T s snaem , of r ,elpmax e taht yc reb if dn isgn ra e on t srah de iw ht eht sruce ity soh dlu oceb em rap t o f RH iw dre orinag sita o.n No sel sosn , or op il yc , ve ne i n so em sac se il dekn ot isn if fu ic tne sel sosn , ra e rael den rrenume ita o.n tI sla o snaem taht yc reb rf o m eht iofn ritam o n riece vde . sruce ity soh dlu vah e a rtnec la ecalp ru F reht om r ,e om in ot ri gn den s ot nehw dve ole ip gn w en T I syssmet , eb dnu re ip den yb na iiletn ecneg dna on ,t sa is o net f eht sac ,e eb ig v ne riuqe r.tneme ylnO i f yo u ra e vre y itnet ta o n oyln ta eht dne o f s h cu rec tia n o f tahw yo u tna w ot om in ot r rp ostcej . dose om in ot ri gn oceb sem na itce f fe v e ot o l ot d tcete sk t ca ta . © 2013 KPMG Advisory N.V.

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.