1_tomas_sanchez_pwc_ehealth_20130311 - cyber security presentation lsec 11-03-2013


Post on 08-Aug-2018


  • 8/22/2019 1_Tomas_Sanchez_PWC_eHealth_20130311 - Cyber Security Presentation LSEC 11-03-2013


    Cyber Security Presentation

    www.pwc.com/me

    LSEC 11 March 2013


    Agenda

    1 Cyber security global problem

    2 Cyber security attacks and threats in the utilities/energy sector

    3 The Saudi Aramco case

    4 Questions & Answers

    Confidential & Proprietary All Rights Reserved

    PwC 2013


    March 2013 LSEC


    Cyber security is a global problem

    Cyber security is a global problem nowadays. The purpose of today's advanced cyber attacks is two-fold: steal the target data and maintain access to the environment for as long as possible.

    Cyber Attack

    2000: The I Love You worm infected millions of computers worldwide.

    2001: The Code Red worm's widespread infection caused billions of dollars in damage.

    2002: Shatter attack is a process by which Windows security can be bypassed.

    2007: Announcement of at least 45.7 million consumer credit and debit card numbers stolen.

    2010: Stuxnet malware, with the purpose of targeting Iran's nuclear programme, is discovered.

    2012: Several cyber attacks targeted the Middle East.

    Formation of organized cyber attacks and hacking groups (e.g. Anonymous).

    Foreign governments heavily invested in malicious code development.

    Different organizations and countries were affected.


    Attackers and motivation

    Different organizations often have their own specific way of categorizing cyber threats. In our view, there are five main types of cyber attacks, each with its own distinct though sometimes overlapping methods and objectives. Those are:

    1 Financial Crime & Fraud: This involves criminals, often highly organized and well-funded, using technology as a tool to steal money and other assets.

    2 Espionage: Theft of IP is a persistent threat carried out by commercial competitors or state intelligence services seeking to use the IP to advance their R&D or gain business intelligence.

    3 Warfare: This can take place between states, or may involve states attacking private sector organizations, especially critical national infrastructure such as energy & telecoms.

    4 Terrorism: This threat overlaps with warfare. Attacks are undertaken by (possibly state-backed) terrorist groups, again targeting either state or private assets.

    5 Activism: Again this may overlap with some other categories, but the attacks are undertaken by supporters of an idealistic cause, most recently the supporters of WikiLeaks.

    Attacks in Middle East

    Recent attacks against the Middle East are believed to be originated from regional countries with an objective of causing damage and/or stealing sensitive information.

    Some attacks were performed by supporters of regimes or revolutionaries.

    Other attacks targeted the financial sector.


    Financial impact of cyber security breaches

    Cyber Security breaches can have many different types of impact

    Direct costs, such as downtime and effort to remediate, are easy to estimate

    Indirect costs are harder to determine

    PwC analysed the results of the information security breaches survey carried out in Europe in 2012. Results have shown that:

    of large organizations had a security breach during 2012.

    attacks by an unauthorized outsider on each large organization in Europe in 2012.

    67% of large organizations expect more security breaches next year.

    80% of large organizations do not evaluate ROI on their security expenditure.

    $9m - $21m is the average financial loss of large organizations (250 - 500 employees) in 2012, considering 54 attacks per year.


    Many critical cyber security incidents were recently reported

    Saudi Aramco, Saudi Arabia's national oil company and the largest in the world, has confirmed that it has been hit by a cyber attack that resulted in malware infecting around 30,000 user workstations.
    Security Week

    In August 2012 the information technology systems of RasGas were seriously damaged by cyber attacks. The attacks damaged the website and communications networks; however, they failed to harm the organization's production systems and capabilities.
    Reuters

    In 2011, someone hacked into the Curran-Gardner Water District network in Illinois and manipulated the supervisory control and data acquisition (SCADA) network resulting in destroying one of the pumps.
    Business Insider

    The Arabic website of news network Al-Jazeera has been defaced, apparently by pro-Syrian hackers.
    BBC News

    Online attackers successfully penetrated the Department of Energy (DOE) network in the middle of January 2013 and obtained copies of personally identifiable information (PII) pertaining to several hundred of the agency's employees and contractors in preparation for further attacks.
    informationweek

    U.S. officials said that Iranian hackers renewed a campaign of cyber attacks against U.S. banks, targeting Capital One Financial Corp. and BB&T Corp.
    Washington


    Many critical cyber security incidents were recently reported

    Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts in what is one of the largest-ever Internet security break-ins.
    Reuters

    Security experts have uncovered a new computer virus designed to steal information from banks in the Middle East. The virus has infected more than 2,500 computers, mainly in Lebanon, according to the Russian security firm Kaspersky Lab.
    The Telegraph

    Google became the target of a phishing campaign originating in Jinan, China, and aimed at gaining access to the accounts of senior officials in the U.S., Korea and other governments, as well as those of Chinese activists.
    The Wall Street Journal

    The computer security vendor RSA announced on March 17, 2011 that its network had been hacked by an Advanced Persistent Threat (APT) by a highly skilled, well-funded group with a specific agenda.
    Business Insider

    A quarter of a million Twitter users have had their accounts hacked in the latest in a string of high-profile security breaches at internet firms.
    The Guardian

    In January 2012 hackers from the Middle East began a cyber exchange that resulted in the release of personal data for tens of thousands of individuals and damage to the cyber infrastructures of several regional financial institutions.
    Reuters

    Middle East


    Cyber incidents in SCADA & industrial control systems environments in 2012

    The energy sector was targeted by 41% of the cyber attacks against the ICS environment in 2012.

    Cyber Incidents (sector; number of incidents; share)

    Energy; 82; 41%
    Water; 29; 14%
    Internet-Facing; 21; 10%
    Commercial; 19; 10%
    Critical Manuf; 8; 4%
    Chemical; 7; 4%
    Government; 7; 4%
    Nuclear; 6; 3%
    Health Care; 5; 3%
    Transportation; 5; 2%
    Communications; 4; 2%
    Food; 2; 1%
    Banking & Finance; 1; 0%
    Dams; 1; 0%
    IT; 1; 0%

    Source: Industrial Control Systems Cyber Emergency Response Team, US Department of Homeland Security


    Common cyber security vulnerabilities in SCADA & industrial control systems in 2011

    Improper input validation (e.g. SQL Injection, Cross Site Scripting) and credentials management are the key cyber security threats in the ICS environments in 2011.

    [Bar chart: percentage of vulnerabilities per category (Improper Input Validation; ICS Security Configuration & Maintenance; Credentials Management; Improper Authentication; Permissions, Privileges and Access Controls) for three data sets (ICS-CERT Published Vulnerabilities; 2009-2010 CSSP ICS Product Assessments; 2004-2008 CSSP ICS Assessments)]

    Source: Common Cybersecurity Vulnerabilities in Industrial Control Systems, May 2011, US Department of Homeland Security


    Attackers use different entry points to attack utilities and energy companies

    Preparing for the attacks may take months where hackers silently install Trojans and gain control over internal networks. Hackers use various entry points to gain control over internal networks and prepare for their attacks and data thefts.

    Hackers' entry points:

    Social Media: Personal information
    Wireless & Mobile: Unauthorized access to internal network
    Trojans: Installed on internal computers
    Disgruntled Employee: Facilitate access to intruders
    Vendors: Default configuration
    Removable Media: Installation of malicious code on the private network

    Having gained access to internal systems, hackers can attack SCADA systems and damage power generation, transmission, and distribution systems leading to damage to engines, transmission systems and causing massive power outages.


    Potential cyber attacks scenarios against utilities and energy companies

    Hacker may utilize the connectivity between the vendor and the isolated SCADA network to get access over it and control the generation, transport and distribution components which may lead to wide electricity outage and power failure.


    Potential cyber attacks scenarios against utilities and energy companies

    Hacker may send malicious code into one of the internal SEC users which uses his laptop or removable media inside SCADA network.

    Such action may result in spreading the malicious code inside the SCADA network.


    The Saudi Aramco Case

    Saudi Aramco is the Saudi government-owned oil company. It has the world's largest daily production of oil and an annual output of about 8bn barrels. It is estimated to be worth about $781bn, more than twice as much as Apple or Exxon, the most valuable public companies.

    Saudi Aramco provides various services to its employees, the community, government agencies and private companies:

    Traffic safety and fire prevention
    Private security force (Elite Security)
    Air transport (private fleet and airports)
    Education and development (graduate, Master, PhD)
    Healthcare (SAMSO)

    Saudi Aramco Medical Services Organization (SAMSO) is a network of private hospitals, supporting health-care excellence and helping to give communities access to world-class medical facilities. In 2011, 82 medical facilities received development support from SAMSO.


    Saudi Aramco: The incident

    Saudi Aramco computers were attacked on 15th August 2012.

    15th Aug: As first response, Aramco isolated its computer network and issued a public announcement, creating lots of buzz in the media. Production was not affected.

    On Wednesday, Aug. 15, 2012, an official at Saudi Aramco confirmed that the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network.

    The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network.

    Saudi Aramco confirmed the integrity of all of its electronic network that manages its core business and that the interruption has had no impact whatsoever on any of the company's production operations.

    The company employs a series of precautionary procedures and multiple redundant systems within its advanced and complex system that are used to protect its operational and database systems.

    Saudi Aramco IT experts anticipate resuming normal operations of its network soon.

    Saudi Aramco issued a statement on 26th August 2012, announcing that main internal network services had been re-established. 30.000 workstations had been affected. As a precaution, remote Internet access to online resources was restricted.

    The company issued a follow-up report on the 10th September 2012, announcing that its electronic network was functioning normally following a complete and thorough scanning.


    Saudi Aramco: Aftermath analysis

    The attack was performed using the Shamoon malware.

    Destructive malware.
    Collects files from specific locations on the system.
    Erases the files and sends information to the attacker.
    Spreads to other computers on the network.
    Overwrites the master boot record.

    Between 30k and 55k computers were affected.

    Who did it? And why?

    First claims indicated Islamic groups.
    Controversy around the code: professional or amateur?
    State-sponsored, lone wolf, disgruntled insider?

    1 Financial Crime & Fraud; 2 Espionage; 3 Warfare; 4 Terrorism; 5 Activism

    Unsure about what information was stolen
    Unsure about what information was lost
    Complete isolation for +10 days
    Staged approach towards normal situation
    Massive loss of data records (HR, EPR)


    End-User Experience in SAMSO

    A nurse/doctor goes to work as usual. At the start of the shift, the IT systems are not available.

    No patient status
    No patient history
    No medication register

    Complete disruption leading to a life-threatening situation.
    Emergency protocols activated
    Patient prioritization.

    Patients need to be identified:

    Who are they?
    Where are they?
    What do they have?

    Information gathering
    Manual checks required.
    Manual book-keeping.

    Once identified, they can be treated but

    No communication systems
    No way to order medicines
    No patient history check is possible

    Alternative communication methods
    Mobilization of technical and human resources.

    This situation lasted for the +10 days of complete isolation.
    A selection of Electronic Patient Records (EPR) were recovered 2-3 weeks after the start of the incident.


    Questions & Answers

    Thank you


    We look forward to working with you


    We add value

    pwc.com/me

    This document contains information that is proprietary and confidential to PwC. As such, the addressee should not disclose this document or any attachments in whole or in part to any third party without the prior written consent of PwC.

    The addressee also acknowledges that information shared here within is the intellectual property of PwC and is subject to a non disclosure agreement as recognised by the copyright and intellectual property regulations.

    2013 PricewaterhouseCoopers. All rights reserved.

    "PricewaterhouseCoopers" and PwC refer to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL). Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm's professional judgment or bind another member firm or PwCIL in any way.


    Backup Slides


    Global cyber threats require a global team

    PwC has significant experience in helping organizations from different industries including utilities, financial sector, government and national security agencies to solve their cyber security issues.

    Our firm has:

    1 Performed cyber security assessments and/or implementations at 78% of the Fortune 500.

    2 Provided cyber security services to regional government entities in the Middle East.

    3 Perform over 100 cyber security assessments annually.

    4 Received recognition by market influencers as a leader in Security solutions.

    Strategic Alliances & Partnerships with Security Vendors

    PwC was one of the establishers of the ISF (International Security Forum) and is managing ISF on behalf of its members; we have a long tradition of contributing to and making use of the ISF material.


    PwC cyber security core services

    1 Security Strategy: Setting direction
    Security strategy development, organization design, management reporting.

    2 Security Governance & Control: Creating sound framework of control
    Risk, policy and privacy review, regulatory compliance assessment, data loss prevention, awareness programs.

    3 Management: Managing Exposure
    Penetration testing, vulnerability scanning and remediation, continuous and global threat monitoring.

    4 Architecture, Network Security & Identity: Building secure systems and infrastructures
    Security architecture, network security, cloud computing security, identity and access management solutions and ERP Security.

    5 Incident Response & Forensic Investigation: Managing Incidents
    Incident response review, corporate and regulatory investigations, forensic investigations and readiness and crisis response.

    6 Business Continuity Management: Building in Resilience
    Business continuity management, disaster recovery and crisis management.


    PwC cyber security point of view

    Cyber Security is an evolution of risk management

    Most large organizations have well-established traditional risk strategies which support clear lines of responsibility up to the board-level. This can often lull senior executives into a false sense of security. As traditional risks converge with the new risks, organizations are often exposed to security and risk gaps that are not being managed. This is principally because business functions are operating in silos and focusing on ensuring their area of responsibility is secure or protected (the "not in my back-yard" mentality) or because they are unaware of such risks.

    Convergence of Security Risks: Data Loss; Fraud; Industrial Espionage; Social Engineering; Threats to People; Physical Theft; Brand Infringement

    Cyber Resilience: Brand & reputational resilience protection; Intelligence based risk management; Security as a competitive advantage

    Protecting information assets: Information Security; Information Risk Management

    Diagram labels: Strategic risk; Value


    Key expected recommendations

    1 Clarify roles & responsibilities from the top down
    Leadership realizing the strategic importance of managing cyber risks. This may require the creation of new roles at boardroom level.

    2 Reassess security function's readiness for cyber world
    Upgrading existing security capabilities to address cyber security threats.

    3 Achieve 360-degree situational awareness
    Understand the realities of the cyber world for well-informed and prioritized cyber security actions & processes.

    4 Create a cyber incident response team
    A well-functioning cyber incident response team means an incident in the business will be tracked, risk-assessed & escalated.

    5 Nurture and share skills
    Invest more in cyber skills.

    6 Take a more active and transparent stance towards threats
    Adopting a more active stance towards attackers & pursuing them more actively through legal means.


    PwC cyber security point of view

    [Diagram labels: Security Ready Organization; Cyber Security Ready Organization; Cyber Security Resilient Organization; Information Security; Cyber Security; Cyber Resilience; Protect; Manage; Transform; Threat & Vulnerability Management; Enterprise Security Architecture and Governance; Identity and Access Management; Threat Intelligence; Enterprise Crisis Management; Cyber Security Resilience]


    What does it take to protect you

    Cyber Security Resiliency Readiness Assessment

    Organisation, Strategy and Governance
    Effective governance, clear accountability & connections in the territory and across the global network need to reflect that cyber security is a global issue.

    Data Centric Security
    Within the organization, it becomes important to identify and appropriately secure the data that matters most.

    Cyber Incident Response & Crisis Management
    The ability to respond to inevitable incidents quickly and effectively and in a way which protects the global brand becomes crucial.

    Threat Intelligence
    The cyber threat landscape is changing at an alarming rate. Organizations need the capability to acquire and act on threat intelligence.

    Security Culture and Behaviours
    A security conscious culture, accountability and associated behavior is one of the most important aspects of improving security.

    Monitoring and Detection
    As perimeters become more porous, attackers more sophisticated and compromises inevitable, monitoring & detection become arguably the most effective defence.
