State of cyber security

The state of cyber resilience

Organizations have learned, over decades, to defend themselves and respond better to cybercrime, moving from basic measures and ad hoc responses to sophisticated, robust and formal processes. This need has been affirmed by recent events such as the demonetization drive, coupled with the corresponding push to adopt digital technology, heightened focus on e-governance and digital governance, breach of sensitive defense data and the outburst of cybercrime.

The results of our latest global survey of 1,735 CXOs, out of whom 124 were from India, suggest steps for organizations to enhance their cyber resilience .

Sense

Sense is the ability of organizations topredict and detect cyber threats.Organizations need to use cyber threatintelligence and active defense to predictwhat threats or attacks are heading intheir direction and detect them when theydo, before the attack is successful. Theyneed to know what will happen, and needsophisticated analytics to detect earlywarningsignals.

Resist

Resist mechanisms are basically thecorporate shield to cyber-attacks. Itbegins with assessing an organization’srisk appetite, followed by establishing thefollowing three lines of defense:

  1. First line of defense: Executing control measures in its day-to-day operations.
  2. Second line of defense: Deployingmonitoring functions such as internalcontrols, establishing legal, riskmanagement and cybersecurityprocesses.
  3. Third line of defense: Establishing astrong internal audit department.

React

If Sense fails (the organization did not seethe threat coming) and there is a breakdownin Resist (control measures were not strongenough), organizations need to be ready todeal with the disruption, ready with incidentresponse capabilities and mechanisms tomanage the crisis. They also need to beready to preserve evidence in a forensicallysound way and then investigate the breachin order to satisfy critical stakeholders— customers, regulators, investors, lawenforcement agencies and the public, anyof whom might bring claims for loss or noncompliance.They also need to be preparedto bring the organization back to businessas usual as quickly as possible, learn fromwhat happened, and adapt and reshape theorganization to improve cyber resiliencegoing forward.

EY - The state of cyber resilience

Let us not get blindsided and think that cyber agility automatically results in a positive answer to the main boardroom question of “Are we cyber resilient?”

Sense

A high level of confidence?

Organizations have improved their ‘Sense’ capabilities significantly in recent years. However, our survey indicates that many organizations lack basic cyber security systems and processes. This is evidenced by the below findings:

  • 33% of organizations in India do not have a SOC, compared to 44% globally
  • 55% do not have, or have only an informal, threat intelligence program
  • 44% do not have, or have only an informal, vulnerability identification capability

In addition, there are four specific areas that need special attention:

A breach has occurred, but there appears to be no harm

Of the organizations polled in our survey, 52% would not increase their cybersecurity spending after experiencing a breach which did not appear to do any harm. In most cases, there was harm being done, but there was no immediate evidence found to support that. Cyber criminals often conduct “test attacks,” lie dormant after a breach, or use a breach as a diversionary tactic to throw organizations off the trail of what they are really up to.

Securing your ecosystem

This is a major area of risk that is often overlooked, as evidenced by the following findings:

  • 68% will not increase their cybersecurity spending in the event that a supplier is attacked — even though a supplier is a direct route for an attacker into the organization.
  • 58% will not increase their cybersecurity spending in the event that a major competitor was attacked — although cyber criminals often attack other, similar organizations following a successful cyberattack.
EY - Sense

The impact of the Internet of Things (IoT)

The explosion in the number of connected devices is going to put more pressure on the sense capabilities of an organization:

  • A number of organizations are concerned about their ability to know all their assets (40%), how they are going to keep these devices bug free (37%), how they will be able to patch vulnerabilities fast enough (40%) and about their ability to manage the growth in the number of access points to their organization (29%).
  • Organizations doubt that they are going to be able to continue to identify suspicious traffic over their networks (44%), track who has access to their data (28%) or be able to find hidden and unknown “zero-day attacks” (50%).
  • Many organizations expect difficulties with regard to monitoring the perimeter of their ecosystems (23%).

Information sharing and collaboration are on the rise

Our survey revealed the following:

  • 26% of our responders’ SOCs collaborate and share data with others in the same industry.
  • 44% of our responders’ SOCs collaborate and share data with other public SOCs. While this is a positive development, in absolute terms, this is relatively low number due to the low SOC implementation in India.
EY - Sense

The atmosphere today will lead regulators, stakeholders, business partners and even customers to want to know more about your cybersecurity.

Resist

In our recent survey, more than half (61%) the responders said that their outdated information security controls or architecture were one of the biggest areas of vulnerability. 75% of responders said that their cybersecurity function did not fully meet their organization’s needs. We answer the critical question of where should organizations focus to better resist today’s attacks.

Activate your defenses

Our survey reveals that 35% of responders have had a recent significant cybersecurity incident, which shows that there is still more work to be done to strengthen the corporate shield. Maturity levels are still low in many critical areas.

Percentage of survey respondents who would rate the following information security management processes within their organizations as mature:

  • Software security: 22%
  • Security monitoring: 8%
  • Incident management: 8%
  • Identity and access management: 9%
  • Network security: 11%
EY - Resist

Budgets increase every year, but is it enough?

Cybersecurity budgets have seen year on year increases, with 69% of responders saying that their budgets increased over the last 12 months and 73% saying that their budgets will increase over the coming 12 months. 48% of the responders spent less than INR7 crore per annum in total (which includes people, process and technology) while only 28% claim to be spending between INR7 crore and INR14 crore per annum on cybersecurity.

However, organizations say that more funding is needed, with 40% citing budget constraints as a challenge and 37% of responders saying they need up to 50% increase in budget.

The role of leadership

Our survey has reported that 41% of responders say that there is a lack of executive awareness and support which is challenging the effectiveness of an organization’s cybersecurity mechanisms.

The importance of reporting

Among our survey respondents, 49% say that those responsible for information security do not have a seat on the board. In this scenario, the board has to rely on reporting instead.

  • Only 8% have a mature metrics and reporting management process.
  • Only 30% of reporting processes show where improvements were needed in the organization’s information security.
  • 76% of organizations do not evaluate the financial impact of every significant breach and of those that have had a cyber-incident in the past one year, more than half (57%) have no idea what the financial damage has been or could be.

Despite of the quality of reporting being so low, it is surprising that only 38% of respondents think their boards are not fully knowledgeable about the risks the organization is taking and the measures that are in place.

EY - Resist

Executive leadership and support is critical for effective cyber resilience.

React

Business Continuity Management (BCM) has been at the heart of an organization’s ability to react to a threat, attack or other disruption for many years. Again, this year, 63% of organizations rated it their joint top priority, alongside data leakage/data loss prevention. Security testing (e.g., attack and penetration) and privileged access management were ranked third and fourth, respectively. Security Information and Event Management (SIEM), together with SOCs, were ranked 5th, with 52% of the responders saying that they will spend more in these two areas over the coming 12 months, followed by security awareness and training.

There is also focus on other React capabilities.

Adapt: By looking at the threat horizon and threat actors, the resilient organization needs to be flexible and agile to adapt its business processes and protection mechanisms.

Reshape: This is the re-engineering required to improve both the resilient and operational mechanisms for an increasingly secure and sustainable organization.

When reacting to an attack, the board must show leadership

The key is to communicate and lead the communications before traditional news media and social media take over. Too many organizations are still unprepared in this respect.

  • 32% do not have an agreed upon communications strategy or plan in place in the event of a significant attack

In the first seven days after an attack:

  • 32% say they would make a statement to the media
  • 39% would notify regulators and compliance organizations
  • 46% would not notify customers, even when it is customer data that has been compromised
  • 56% would not notify suppliers, even when it is supplier data that has been compromised
EY - React

Leading the recovery of the organization

  • Only 3% of responders have made a significant change to their organization’s strategy and plans after a cyber-risk assessment
  • Only 22% say that they have fully considered the information security implications of their organization’s current strategy and plans

Asking tougher questions and closing the gaps

Our survey revealed how much organizations like to rely upon themselves to test or manage their own cybersecurity. In the recovery phase, it may be worthwhile to consider whether this should continue. Currently, the following is true:

  • 82% conduct self-phishing assessments
  • 42% do their own vulnerability assessment
  • 71% conduct their own incident investigation
  • 72% do their own threat intelligence analysis

Overall, considerable improvement is still needed from a React perspective

Our survey also found gaps that need to be addressed. Despite careless employees, phishing and malware being such major and known threats, only 26% have an incident response plan that would help them recover from malware and employee misbehavior.

EY - React

Read More
admin February 4, 2019 0 Comments

Cyber Security Predictions: 2019 and Beyond

As you think about how to deploy in advance of a new year of cyber threats, here are the trends and activities most likely to affect your organization

In anticipating the major cyber security and privacy trends for the coming year, you can find plenty of clues in the events of the past 12 months. Among the now familiar forms of attack, cyber hacks of major corporate systems and websites continued in 2018 and will inevitably be part of the 2019 cyber security scene. Many well-known organizations around the world suffered significant breaches this year. The single largest potential data leak, affecting marketing and data aggregation firm Exactis, involved the exposure of a database that contained nearly 340 million personal information records.

Beyond all-too-common corporate attacks, 2018 saw accelerated threat activity across a diverse range of targets and victims. In the social networking realm, Facebook estimated that hackers stole user information from nearly 30 million people. A growing assortment of nation-states used cyber probes and attacks to access everything from corporate secrets to sensitive government and infrastructure systems. At the personal level, a breach into Under Armour’s MyFitnessPal health tracker accounts resulted in the theft of private data from an estimated 150 million people.

So, what can we expect on the cyber security front in the coming year? Here are some of the trends and activities most likely to affect organizations, governments, and individuals in 2019 and beyond.

Attackers Will Exploit Artificial Intelligence (AI) Systems and Use AI to Aid Assaults

The long-awaited commercial promise of AI has begun to materialize in recent years, with AI-powered systems already in use in many areas of business operations. Even as these systems helpfully automate manual tasks and enhance decision making and other human activities, they also emerge as promising attack targets, as many AI systems are home to massive amounts of data.

In addition, researchers have grown increasingly concerned about the susceptibility of these systems to malicious input that can corrupt their logic and affect their operations. The fragility of some AI technologies will become a growing concern in 2019. In some ways, the emergence of critical AI systems as attack targets will start to mirror the sequence seen 20 years ago with the internet, which rapidly drew the attention of cyber criminals and hackers, especially following the explosion of internet-based eCommerce. 

Attackers won’t just target AI systems, they will enlist AI techniques themselves to supercharge their own criminal activities. Automated systems powered by AI could probe networks and systems searching for undiscovered vulnerabilities that could be exploited.AI could also be used to make phishing and other social engineering attacks even more sophisticated by creating extremely realistic video and audio or well-crafted emails designed to fool targeted individuals.  AI could also be used to launch realistic disinformation campaigns.  For example, imagine a fake AI-created, realistic video of a company CEO announcing a large financial loss, a major security breach, or other major news.  Widespread release of such a fake video could have a significant impact on the company before the true facts are understood.

And just as we see attack toolkits available for sale online, making it relatively easy for attackers to generate new threats, we’re certain to eventually see AI-powered attack tools that can give even petty criminals the ability to launch sophisticated targeted attacks. With such tools automating the creation of highly personalized attacks–attacks that have been labor-intensive and costly in the past–such AI-powered toolkits could make the marginal cost of crafting each additional targeted attack essentially be zero.

Attackers won’t just target AI systems, they will enlist AI techniques themselves to supercharge their own criminal activities.

Defenders Will Depend Increasingly on AI to Counter Attacks and Identify Vulnerabilities

The AI security story also has a bright side. Threat identification systems already use machine learning techniques to identify entirely new threats. And, it isn’t just attackers that can use AI systems to probe for open vulnerabilities; defenders can use AI to better harden their environments from attacks. For example, AI-powered systems could launch a series of simulated attacks on an enterprise network over time in the hope that an attack iteration will stumble across a vulnerability that can be closed before it’s discovered by attackers.

Closer to home, AI and other technologies are also likely to start helping individuals better protect their own digital security and privacy. AI could be embedded into mobile phones to help warn users if certain actions are risky. For example, when you set up a new email account your phone might automatically warn you to set up two-factor authentication. Over time, such security-based AI could also help people better understand the tradeoffs involved when they give up personal information in exchange for the use of an application or other ancillary benefit.

Growing 5G Deployment and Adoption Will Begin to Expand the Attack Surface Area

A number of 5G network infrastructure deployments kicked off this year, and 2019 is shaping up to be a year of accelerating 5G activity. While it will take time for 5G networks and 5G-capable phones and other devices to become broadly deployed, growth will occur rapidly. IDG, for example, calls 2019 “a seminal year” on the 5G front, and predicts that the market for 5G and 5G-related network infrastructure will grow from approximately $528 million in 2018 to $26 billion in 2022, exhibiting a compound annual growth rate of 118 percent.

Although smart phones are the focus of much 5G interest, the number of 5G-capable phones islikely to be limited in the coming year. As a stepping stone to broad deployment of 5G cellular networks, some carriers are offering fixed 5G mobile hotspots and 5G-equipped routers for homes. Given the peak data rate of 5G networks is 10 Gbps, compared to 4G’s 1 Gbps, the shift to 5G will catalyze new operational models, new architectures, and–consequently–new vulnerabilities. 

Over time, more 5G IoT devices will connect directly to the 5G network rather than via a Wi-Fi router. This trend will make those devices more vulnerable to direct attack. For home users, it will also make it more difficult to monitor all IoT devices since they bypass a central router. More broadly, the ability to back-up or transmit massive volumes of data easily to cloud-based storage will give attackers rich new targets to breach. 

IoT-Based Events Will Move Beyond Massive DDoS Assaults to New, More Dangerous Forms of Attack

In recent years, massive botnet-powered distributed denial of service (DDoS) attacks have exploited tens of thousands of infected IoT devices to send crippling volumes of traffic to victims’ websites. Such attacks haven’t received much media attention of late, but they continue to occur and will remain threats in coming years. At the same time, we can expect to see poorly secured IoT devices targeted for other harmful purposes. Among the most troubling will be attacks against IoT devices that bridge the digital and physical worlds. Some of these IoT enabled objects are kinetic, such as cars and other vehicles, while others control critical systems. We expect to see growing numbers of attacks against IoT devices that control critical infrastructure such as power distribution and communications networks. And as home-based IoT devices become more ubiquitous, there will likely be future attempts to weaponize them–say, by one nation shutting down home thermostats in an enemy state during a harsh winter.

Attackers Will Increasingly Capture Data in Transit

We’re likely to see attackers exploit home-based Wi-Fi routers and other poorly secured consumer IoT devices in new ways. One exploit already occurring is marshalling IoT devices to launch massive cryptojacking efforts to mine cryptocurrencies.

In 2019 and beyond, we can expect increasing attempts to gain access to home routers and other IoT hubs to capture some of the data passing through them. Malware inserted into such a router could, for example, steal banking credentials, capture credit card numbers, or display spoofed, malicious web pages to the user to compromise confidential information. Such sensitive data tends to be better secured when it is at rest today. For example, eCommerce merchants do not store credit card CVV numbers, making it more difficult for attackers to steal credit cards from eCommerce databases. Attackers will undoubtedly continue to evolve their techniques to steal consumer data when it is in transit.

On the enterprise side, there were numerous examples of data-in-transit compromises in 2018. The attack group Magecart stole credit card numbers and other sensitive consumer information on eCommerce sites by embedding malicious scripts either directly on targeted websites or by compromising third-party suppliers used by the site. Such “formjacking” attacks have recently impacted the websites of numerous global companies. In another attack targeting enterprise data in transit, the VPNFilter malware also infected a range of routers and network-attached storage devices, allowing it to steal credentials, alter network traffic, decrypt data, and serve a launch point for other malicious activities inside targeted organizations. 

We expect that attackers will continue to focus on network-based enterprise attacks in 2019, as they provide unique visibility into a victim’s operations and infrastructure.

Attacks that Exploit the Supply Chain Will Grow in Frequency and Impact

An increasingly common target of attackers is the software supply chain, with attackers implanting malware into otherwise legitimate software packages at its usual distribution location.  Such attacks could occur during production at the software vendor or at a third-party supplier. The typical attack scenario involves the attacker replacing a legitimate software update with a malicious version in order to distribute it quickly and surreptitiously to intended targets. Any user receiving the software update will automatically have their computer infected, giving the attacker a foothold in their environment.

These types of attacks are increasing in volume and sophistication and we could see attempts to infect the hardware supply chain in the future.  For example, an attacker could compromise or alter a chip or add source code to the firmware of the UEFI/BIOS before such components are shipped out to millions of computers. Such threats would be very difficult to remove, likely persisting even after an impacted computer is rebooted or the hard disk is reformatted. 

The bottom line is that attackers will continue to search for new and more sophisticated opportunities to infiltrate the supply chain of organizations they are targeting.

Growing Security and Privacy Concerns Will Drive Increased Legislative and Regulatory Activity

The European Union’s mid-2018 implementation of the General Data Protection Regulation (GDPR) will likely prove to be just a precursor to various security and privacy initiatives in countries outside the European Union. Canada has already enforced GDPR-like legislation, and Brazil recently passed new privacy legislation similar to GDPR, due to enter into force in 2020. Singapore and India are consulting to adopt breach notification regimes, while Australia has already adopted different notification timelines compared to GDPR. Multiple other countries across the globe have adequacy or are negotiating GDPR adequacy. In the U.S., soon after GDPR arrived, California passed a privacy law considered to be the toughest in the United States to date. We anticipate the full impact of GDPR to become more clear across the globe during the coming year.

At the U.S. federal level, Congress is already wading deeper into security and privacy waters. Such legislation is likely to gain more traction and may materialize in the coming year. Inevitably, there will be a continued and increased focus on election system security as the U.S. 2020 presidential campaign gets underway.  

While we’re almost certain to see upticks in legislative and regulatory actions to address security and privacy needs, there is a potential for some requirements to prove more counterproductive than helpful. For example, overly broad regulations might prohibit security companies from sharing even generic information in their efforts to identify and counter attacks. If poorly conceived, security and privacy regulations could create new vulnerabilities even as they close others.

Read More
admin January 13, 2019 0 Comments