EY wakes up C-Suit personnel to cyber-security threats

By Kiyoshi Berman

Ernst &Young last week held a cyber-security awareness forum themed ‘At the cross-roads of Cyber Security,’ presented by Gerry Chng, Partner- IT Risk and Assurance, Ernst &Young Singapore. 

The program consisted of two sessions; first one with high level awareness for Chief Executive Officers and other with detailed information focusing the Chief Information Officers. Gerry is EY’s ASEAN Cyber security leader based in Singapore. He is a partner running EY’s matured cyber security practice with an expert team of cyber security professionals located across the region.

Cyber security landscape is one of those areas where we are constantly playing catch-up. We come up with ways to defend against cyber criminals while they are rapidly innovating and finding new ways of breaking into the fortifications that we have. If we compare the security measures available with tactics of cyber criminals, you will see that they are a much organised group of people. They share information, tactics, knowhow and technology. The organisations on the other hand, don’t share information or knowhow as they ought to.

If you were under attack, would you ever know?

The first session addressed the question ‘If you were under attack, would you ever know?’

“During the last 18 months, there have been so many data breaches. Every piece of news regarding cyber security highlighted data breaches. Sometime back, Target Corp. a major retailer in the USand a big insurance provider in the US werebreached—these are only two of many examples. The breaches that steal financial information are the mega breaches that happen once in a while. The most common attacks focus on personal information,” Gerry said.

Cyber criminals glean whatever the personal data available from enterprises. Most of the data breaches just contain names, addresses, telephone numbers, email addresses and sometimespasswords to accounts. One might ponder how these personal information can be translated into financial value.

“If you start looking at the entire eco-system of hackers, you will see that this is a very well organised syndication. Personal information is used to launch targeted attacks on individuals. Think of it in context: If I was to send off a very well drafted email that you’re likely to believe, I would use information that resonate something you do— say you’re a certain professional within an organisation who travelsto particular placesand have certain professional affiliations.Skilled hackers wouldn’t be sending the same email to everybody, but to high-rank personnel who have privileged access to systems. If the hacker can trick you to click one link then the access they gain can be used to compromise many systems,” he added.

Third party breaches

Hackers steal information either to use by themselves or to sell it to other criminal groups through the Dark Web. Using sophisticated security mechanisms within an organisation alone does not guarantee security from hackers.

For example, the Target Corporation breach did not take place due to the lack of security mechanisms. They had invested in latest technology at the time and had a Security Operations Centre in Bangalore to do all the monitoring of networks. Despite the fact that Target took all—almost all— precautions they can to defend against cyber-attacks, they still got hit. The attackswere delivered through a heating and ventilation contractor. The hackers leveraged on the vulnerable third party systems and used it as a vehicle to bring malicious software into Target. 

Moreover, Target brought in new technology but didn’t understand its capabilities. Their IT staff were accustomed to the older systems which generated many false positives andconsequently took these alerts lightly, not realising that they had used state-of-the-art technology which was far more accurate. 

“Usually, IT department staff constantly go up to the senior management to convince them for a larger security budget. After the Target breach,the whole perspective of cyber security flipped around. It was the senior management who started going to the technology departments and asking them if such breach could occur in their organisations as well. The CEO and CIO of Target had to resign after the massive breach fallout. This also had to do with the way Target handled the situation. They had no idea about what was happening and they told the media that the breach had nothing to do with the company,” Gerry continued.

In the Sony Pictures breach, it wasn’t one of those cases where systems werestill functioning under the attack. Everything came to a halt. This is another class of attacks where the whole idea is just to disrupt your systems and therefore the entire organisation. 

Panama papers breach is another instance which highlighted that third parties can be a threat to an organisation. 

“Doesn’t it mean that despite all the things I have done [security-wise], as long as I engage with a third party [in the case of Panama papers it was a law firm] to work on the organisation’s behalf it will come back to bite me one day?” Gerry emphasised.

Risk analysis of third parties

Organisations are now starting to do a risk analysis of their third parties of facing a security breach. Stuxnet is another breach that shook up the cyber world. It’s an old case, but the concept of breaking into traditional engineering systems is emerging. 

“There is a lot of technical jargon you hear about hacker attacks. Advanced Persistent threats and zero-day attacks and whatnot. But it actually comes down to the use of insecure software. This could be software thatare not patched. In some cases however, even the vendors do not know if vulnerabilities exist in their software. Either way, it boils down to using software with some sort of vulnerability,” he said.

“It’s important to stay prepared. Hacking is a thriving business with a very well-organised business model. Cyber security is a business issue. Say a potential hacker group can ‘buy’ an exploit to a vulnerability that was never heard before (zero-day vulnerability) using thousand dollars butaiming to steal data worth a million dollars, then they are making profit. You can’t completely be safe from cyber-attacks but if your security is strong enough that a hacker wouldn’t want to invest too much money and time, thenyou could be spared— for some time.”

In today’s threat environment, organisations must focus on efforts to complicate attacks, detect malicious activities, respond to threats and educate organisations to keep operations in sync with business imperatives. 

The Singaporean Government has taken a decision to disconnect all work computers of government servants from the internet, starting from next May. Singaporean government is embarking on the journey towards a Smart Nation. It means there’ll be a lot of BigData from additional sources going through government systems. Therefore, work computers will be isolated. There will be computers to surf the internet but the isolated work computers will be cut off from any data transfers from outside. Some information might go out but nothing can come in. 

Let’s say there’s an unclassified email a user wants to forward, that will be forwarded but if a user clicks on a malicious link on an email, there’s no way a malicious software can come in because the computers are not connected to the internet. Also the need to copy data will be reduced by introducing an efficient BYOD policy.

This difficult decision is meant to address a question many governments ask, ‘how can we be a Smart Nation if we are not secure in the first place?’ This in turn emphasises the Singaporean government’s risk tolerance to cyber-attacks.

Importance of risk and controls

Further explaining the importance of risk and controls, Gerry said: “Risk assessments involving IT audits and penetration tests and so on will tell you the risk involved and then you decide if you can live with identified risks?If not, you put controls in place. But when you have controls in place that has worked in a certain point in time with no trouble, then you assume there’s no risk. This is dangerous. Even if your organisation and third parties comply with your security policies, you cannot assume that there is no risk. Compliance doesn’t necessarily make an organisation secure, it does not wipe out the risk element completely.”

To change the way you look at cyber security, there are things you can do differently. For starters, perform a holistic assessment of security management, elevate cyber security to the enterprise level, define your cyber risk tolerance and build a cyber-risk management framework. 

During the second session, Gerry detailed the same issues with a little more depth.“Everyone can and will be a target. There’s no such thing as small fish,” he underscored.

The concept of perimeter defence needs to go away. This only addresses a very small fraction of the cyber risks you’re facing. 

“Think about your business model today. Does it mean anything at all? For instance, you’re giving your customers access to your e-channels and your systems, how have you factored that in your perimeter defence? Say you’re a bank and your customers click on a phishing email link then their credentials are stolen and the hacker uses that login to access your system.Where is your perimeter? Is it at the firewalls you have set up or is it at the device your customer is using? So this whole of the traditional mindset of building a perimeter— keep the good things in and the bad things out— that model doesn’t work anymore. There’s no physical perimeter or geographical boundary that can be attacked,” Gerry explained. 

“The modus operandi of cyber-attacks is said to be highly sophisticated and advanced that there’s no way you would have known about it— this concept is not entirely true. We need to understand this industry is driven by fear, uncertainty and doubt. There are security vendors who try to sell you on solutions to a problem that has not been addressed in your organisation. These vendors point out what happened to other organisations who apparently did not have enough security controls. Then they use a lot of jargon like Advanced Persistent Threat and Zero-day, to try and create the uncertainty. Then you go through the process and implement the security systems. But if you’re not sure what you’re trying to protect in the first place that could be very tricky and ineffective.”

Therefore, it’s important to understand the modus operandi of cyber-attacks and the top five information assets that is crucialto your business and would hurt your business the most, if compromised. If you have these two questions answered and put together, then you will know where to put your defences. 

Ransomware

“Another threat that is gaining popularity is Ransomware. Instead of stealing your data, the hackers will encrypt your system and hold you for ransom. In some cases your backups may not work either because hackers will monitor your backing up procedure and encrypt the data that goes into the backups as well. Once your data is all encrypted and you realise you have no way out, criminals will demand for ransom to be paid in Bitcoins (anonymous payment system),” he explained. 

The attack landscape has transformed dramatically over the past few years and as a result, companies are under more scrutiny than ever for the security of their financial systems. 

To find solutions, you need to know how prepared you are. Some of the things you can do afterwards is to have aCyber Program Management, understand where your peers are. Perform a Cyber CompromiseAssessment and Risk Profile Reporting— where the cyber threats are interpreted in business terms for the senior management. 

Gerry concluded the session reminding the audience that cyber security is the responsibility of the whole board and it’shigh time that companies think differently.

 

-Pix by Lasantha Kumara