Cyber Executive Briefing
Presenter: Paul C Dwyer
CEO – Cyber Risk International
Date: June 18th 2015
Retail Excellence Ireland
Paul C Dwyer
Paul C Dwyer is an internationally recognised information security expert with over
two decades' experience who serves as President of the ICTTF International Cyber
Threat Task Force and Co-Chairman of the UK NCA (National Crime Agency) Industry
Group. He is a certified industry professional of the International Information Systems
Security Certification Consortium (ISC2) and the Information Systems Audit and
Control Association (ISACA), and was selected for the IT Governance Expert Panel.
Paul is a world-leading Cyber Security GRC authority. He has been an advisor to
Fortune 500 companies as well as law enforcement agencies and the military (NATO), and
recently advised DEFCOM UK at the Westminster Parliament.
He has worked and trained with organisations such as the US Secret Service,
Scotland Yard, the FBI and the National Counter Terrorism Security Office (MI5), is approved by
the National Crime Faculty and is a member of the High Tech Crime Network
(HTCN).
Paul C Dwyer CEO
Cyber Risk International
THE CYBER WORLD AND
THE PHYSICAL ARE INTEGRATED
Cyber fronts in the Ukraine!
Is it War?
What Are Cyber Threats?
• Cybercrime
• Cyber Warfare
• Cyber Espionage
• Cyber X
• Adversary
Cyber Statistics
• Cybercrime costs £27 billion a year in the UK
• £1,000 a second
• 170,000 IDs are stolen each year – 1 every three seconds
• Theft of IP £9.2 billion (pharmaceuticals, biotechnology, electronics, IT and chemicals)
Source: UK Cabinet Office
Cybercrime Economy Drivers
It’s a business with an excellent economic model.
Other reasons, you name it:
• Technology
• Internet
• Recession
• “A safe crime”
• It’s easy to get involved
• Part of Something
Hacktivism? Part of …..
Crimeware Toolkits
Copyright - Paul C Dwyer Ltd - All Rights Reserved
Economic Model - the Actors
• User – (Account Credentials)
• Financial Institution
• Supplier
• Acquirer/Middlemen
• Agents
• Carding Forum
• Carders
• Fraudster (Consumer)
• Retailer
• Reshipping / drop zone
• Money Mule
Categories
• Wholesalers
• Retailers
• Independent Contractors
Cybercrime – a Business
“The Daddy” - History
TJ/K Max
Dark Market & Shadow Crew
2002 ->
Original Crew
A Decade on What Have We Learnt?
• Heating/AC Contractors Credentials
• Intrusion Months Before Data Theft
• Waited for US Thanksgiving Day
• Malware KAPTOXA/BlackPOS
7 Months – Average Breach Before Detection
2/3 Cases informed by third party
What do they Want?
Retailers' Data
Cyber Risks for You
• Tangible Costs
– Loss of funds
– Damage to Systems
– Regulatory Fines
– Legal Damages
– Financial Compensation
• Intangible Costs
– Loss of competitive advantage (Stolen IP)
– Loss of customer and/or partner trust
– Loss of integrity (compromised digital assets)
– Damage to reputation and brand
Quantitative vs. Qualitative
46% Reduction in Profits Following Breach
Bottom Line for Retailers
• Arms Race – Cat and Mouse
• Top 5 Target Groups – Continuously Attacked
• You Spend Less on Cyber Security
• Low Risk – High Reward for “Bad Guys” – Established Market for Data Assets
• Best Data Assets On the Planet
• Compliance is NOT Security
Retail Factors
• Data on networked and distributed systems that are accessible to a widening array of entry points
• Broad adoption of mobile applications by retailers adds many other new points of vulnerability
• Complex supply chains - more access and data is given to vendors and external partners
• Global expansion may require retailers to expand distribution of their own information around the world
Door left Open
Some Retailers Doors!
• Point-of-sale (POS) terminals in stores
• Mobile POS access points
• Customer-facing e-commerce websites
• Links with each third-party vendor, supply-chain vendor, ecosystem partner and contractor
• Employee-facing access points, including those that may utilise employee-owned mobile devices, and the social workplace
• Links to connected data centers via the cloud
• Links to financial institutions and payment processors
• Links to managed service providers
• Links to delivery services
• Links to all other contractors who are provided with network access
• B2B, intranet and extranet portals
• In-store wireless routers, kiosks and networks
• The expanding “Internet of Things”: IP-based printers, IP-linked surveillance cameras and similar devices
Give me some examples
I’m not joking!
Hack the Human!
The Bad Guy's attack chain, stage by stage:
• Reconnaissance – Gathers Intelligence About Employee and Assets
• Weaponisation – Chooses Weapon from underground forum
• Delivery – Targets Individual (Asset)
• Exploitation – Exploit Run
• C2 – Comms Established with Command & Control Server
• Lateral Movement – Move Laterally Across Network
• Exfiltration – Exfiltrate Data
• Maintenance – Protection (Maint Mode)
When Harry met Sally
It’s an IT Cyber Security Problem, Right?
Legally It’s a Challenge for the Board!
NO
Regulatory and Legal
• EU Data Privacy Directive
• EU Network Information Security Directive
• European Convention on Cybercrime
• PCI DSS plus 400+ Others – 10,000+ Controls – 175 Legal Jurisdictions
At the centre of all of these: Your Organisation
Responsibility – Convention Cybercrime
All organisations need to be aware of the Convention’s provisions in article 12,
paragraph 2:
‘ensure that a legal person can be held liable where the lack of supervision or
control by a natural person…has made possible the commission of a criminal
offence established in accordance with this Convention’.
In other words, directors can be responsible for offences committed by their
organisation simply because they failed to adequately exercise their duty of care.
Cyber is a Strategic Issue
• Strategic Level (Macro Security) – How do cyber attacks affect policies, industry, business decisions?
• Operational Level – What kind of policies, procedures and business models do we need?
• Technical Level (Micro Security) – How can we solve our security problems with technology?
• CEO – Loss of market share and reputation; Legal Exposure
• CFO/COO – Audit Failure; Fines and Criminal Charges; Financial Loss
• CIO – Loss of data confidentiality, integrity and/or availability
• CHRO – Violation of employee privacy
• CMO – Loss of customer trust; Loss of brand reputation
Board Room Discussion
Increasingly, companies are appointing CROs and CISOs with a direct line to the audit committee.
Corporate Governance
• Project Governance
• Risk Management
• Cyber Governance
Cyber Governance – Risk Management
Cyber Risk
• Legal & Compliance
• Operational
• Technical
• Resilience
Recognise: Interdependence – Leadership Role – Responsibility
Integrating Cyber Risk Management
Thank You – Stay Connected
www.paulcdwyer.com
youtube.com/paulcdwyer
mail@paulcdwyer.com
+353-(0)85 888 1364
@paulcdwyer
WE IDENTIFY, MITIGATE AND MANAGE CYBER RISKS
Cyber Risk International
Broadmeadow Hall– Applewood Village -Swords – Co Dublin – Ireland
+353-(0)1- 905 3260 xxxxxx
mail@cyberriskinternational.com
www.cyberriskinternational.com
EXTENDED MATERIAL – CRIMEWARE EXAMPLE
Example of Crimeware
Tools, Tutorials, Services (Rent & Buy)
• Spyeye $500
• Botnets (Rent or Own)
Botnet structure: Botnet Herder – Proxy – Command & Control Server – Infected PCs. The infected PCs send Spam and mount a DDoS Attack against a Website.
Spyeye – Toolkit
Structure: Botnet Herder – Proxy – Spyeye C & C Server – Infected PCs
• Install C2
• Get CC Info (or Upload List)
• Place Something For Sale – Uploads, Renames and Claims Ownership of a Software Utility For Sale on a popular download store
• Automate Transactions – Spyeye automates purchases by form filling at intervals to avoid detection, using the stolen credit card information
• Clean Money – Billing Hammer Module
• Avoid Detection – Billing hammer will send the transaction through an infected machine close to the cardholder's address to avoid detection
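A defender-side detection sketch for the cash-out pattern the slides describe, added here as an illustration and not part of the original deck or of any product: because the billing hammer routes each purchase through a machine near the cardholder, a control that only compares IP geolocation to the billing address passes every transaction, so this check scores a listing on purchase cadence and card diversity instead. All function names, thresholds and the transaction log are constructed for the example.

```python
"""Detection sketch for the automated cash-out pattern on the slides: a crimeware
kit buys the same listing repeatedly with stolen cards, spaces the purchases at
regular intervals, and routes each one through a machine near the cardholder so
that IP-to-billing distance checks pass.

Names, thresholds and sample transactions are constructed for this illustration
and are not taken from the presentation or from any real system."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    ts: int                 # seconds since epoch (constructed values)
    listing: str            # the item bought on the download store
    card_token: str         # tokenised card reference, never a real PAN
    ip_near_billing: bool   # did the IP geolocation match the billing address?


def score_listing(txns):
    """Summarise the purchase pattern for one listing.

    Returns the coefficient of variation of inter-arrival gaps (low = machine
    cadence), the share of purchases made with a card not seen before on the
    listing, and the geolocation pass rate. The geo figure is reported for
    context only: the billing-hammer technique makes it pass by design, so
    flag_listings deliberately does not score on it."""
    ordered = sorted(txns, key=lambda t: t.ts)
    gaps = [b.ts - a.ts for a, b in zip(ordered, ordered[1:])]
    if len(gaps) >= 2 and mean(gaps) > 0:
        cadence_cv = pstdev(gaps) / mean(gaps)
    else:
        cadence_cv = float("inf")  # too few purchases to judge regularity
    distinct_cards = len({t.card_token for t in ordered})
    return {
        "count": len(ordered),
        "cadence_cv": cadence_cv,
        "card_ratio": distinct_cards / len(ordered),
        "geo_pass_rate": sum(t.ip_near_billing for t in ordered) / len(ordered),
    }


def flag_listings(txns, min_count=6, max_cadence_cv=0.2, min_card_ratio=0.9):
    """Return listings whose purchase stream looks machine-driven: enough
    purchases, near-constant spacing, and (almost) every purchase on a fresh
    card. Genuine traffic to one popular item shows irregular timing and
    returning buyers, so it falls outside the thresholds."""
    by_listing = defaultdict(list)
    for t in txns:
        by_listing[t.listing].append(t)
    flagged = []
    for listing, items in by_listing.items():
        s = score_listing(items)
        if (s["count"] >= min_count
                and s["cadence_cv"] <= max_cadence_cv
                and s["card_ratio"] >= min_card_ratio):
            flagged.append(listing)
    return sorted(flagged)


def build_sample():
    """Constructed transaction log: one listing hammered on a ~15 minute
    cadence with a new card each time (every geolocation check passes), and
    one ordinary listing with irregular, repeat-customer traffic."""
    base = 1_700_000_000
    txns = []
    # Automated stream: 12 purchases, 15 minute gaps with a little jitter.
    ts = base
    txns.append(Txn(ts, "utility-123", "tok-000", True))
    for i, gap in enumerate([900, 905, 895, 910, 890, 900, 902, 898, 900, 900, 895], 1):
        ts += gap
        txns.append(Txn(ts, "utility-123", f"tok-{i:03d}", True))
    # Ordinary stream: 8 purchases, human spacing, some returning buyers, and
    # one traveller whose IP is far from the billing address (a legitimate miss).
    ts = base
    ordinary = [
        ("cust-a", True), ("cust-a", True), ("cust-b", False), ("cust-c", True),
        ("cust-a", True), ("cust-d", True), ("cust-b", False), ("cust-e", True),
    ]
    gaps = [0, 30, 4000, 120, 86400, 700, 15, 9000]
    for (card, near), gap in zip(ordinary, gaps):
        ts += gap
        txns.append(Txn(ts, "game-7", card, near))
    return txns


if __name__ == "__main__":
    sample = build_sample()
    for listing in ("utility-123", "game-7"):
        print(listing, score_listing([t for t in sample if t.listing == listing]))
    print("flagged:", flag_listings(sample))
```

The ordinary listing scores a perfect-looking geo pass rate only on some purchases yet is not flagged, while the hammered listing passes geolocation 100% of the time and is flagged on cadence and card churn alone.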
Cyber Executive Briefing on Risks and Governance

  • 1. Cyber Executive Briefing Presenter: Paul C Dwyer CEO – Cyber Risk International Date: June 18th 2015 Retail Excellence Ireland
  • 2. Paul C Dwyer Paul C Dwyer is an internationally recognised information security expert with over two decades experience and serves as President of ICTTF International Cyber Threat Task Force and Co Chairman of the UK NCA National Crime Agency Industry Group. A certified industry professional by the International Information Systems Security Certification Consortium (ISC2) and the Information System Audit & Control Association (ISACA) and selected for the IT Governance Expert Panel. Paul is a world leading Cyber Security GRC authority. He has been an advisor to Fortune 500 companies including law enforcement agencies, military (NATO) and recently advised DEFCOM UK at Westminster Parliament. He has worked and trained with organisations such as the US Secret Service, Scotland Yard, FBI, National Counter Terrorism Security Office (MI5), is approved by the National Crime Faculty and is a member of the High Tech Crime Network (HTCN). Paul C Dwyer CEO Cyber Risk International
  • 3. THE CYBER WORLD AND THE PHYSICAL ARE INTEGRATED
  • 4. Cyber fronts in the Ukraine! Is it War?
  • 5.
  • 6. What Are Cyber Threats? Cybercrime Cyber Warfare Cyber Espionage Cyber X Adversary
  • 7.
  • 8. Cyber Statistics • Cybercrime costs £27 billion a year in the UK • £1,000 a second • 170,000 ID’s are stolen each year – 1 every three seconds • Theft of IP £9.2 billion (pharmaceuticals, biotechnology, electronics, IT and chemicals) Source: UK Cabinet Office
  • 9. Cybercrime Economy Drivers It’s a business with an excellent economic model. Other reasons, you name it: • Technology • Internet • Recession • “A safe crime” • It’s easy to get involved • Part of Something
  • 11. Crimeware Toolkits Copyright - Paul C Dwyer Ltd - All Rights Reserved
  • 12. Economic Model - the Actors • User – (Account Credentials) • Financial Institution • Supplier • Acquirer/Middlemen • Agents • Carding Forum • Carders • Fraudster (Consumer) • Retailer • Reshipping / drop zone • Money Mule Categories •Wholesalers •Retailers •Independent Contractors
  • 13. Cybercrime – a Business
  • 14. “The Daddy” - History TJ/K Max Dark Market & Shadow Crew 2002 ->
  • 16. A Decade on What Have We Learnt? • Heating/AC Contractors Credentials • Intrusion Months Before Data Theft • Waited for US Thanksgiving Day • Malware KAPTOXA/BlackPOS 7 Months – Average Breach Before Detection 2/3 Cases informed by third party
  • 17. What do they Want? 17
  • 19. Cyber Risks for You • Tangible Costs – Loss of funds – Damage to Systems – Regulatory Fines – Legal Damages – Financial Compensation • Intangible Costs – Loss of competitive advantage (Stolen IP) – Loss of customer and/or partner trust – Loss of integrity (compromised digital assets) – Damage to reputation and brand Quantitative vs. Qualitative 46% Reduction in Profits Following Breach
  • 20. Bottom Line for Retailers
    • Arms Race – Cat and Mouse
    • Top 5 Target Groups – Continuously Attacked
    • You Spend Less on Cyber Security
    • Low Risk – High Reward for “Bad Guys” – Established Market for Data Assets
    • Best Data Assets On the Planet
    • Compliance is NOT Security
  • 21. Retail Factors
    • Data on networked and distributed systems that are accessible to a widening array of entry points
    • Broad adoption of mobile applications by retailers adds many other new points of vulnerability
    • Complex supply chains - more access and data is given to vendors and external partners
    • Global expansion may require retailers to expand distribution of their own information around the world
  • 23. Some Retailers’ Doors!
    • Point-of-sale (POS) terminals in stores
    • Mobile POS access points
    • Customer-facing e-commerce websites
    • Links with each third-party vendor, supply-chain vendor, ecosystem partner and contractor
    • Employee-facing access points — including those that may utilise employee-owned mobile devices — and the social workplace
    • Links to connected data centers via the cloud
    • Links to financial institutions and payment processors
    • Links to managed service providers
    • Links to delivery services
    • Links to all other contractors who are provided with network access
    • B2B, intranet and extranet portals
    • In-store wireless routers, kiosks and networks
    • The expanding “Internet of Things”: IP-based printers, IP-linked surveillance cameras and similar devices
  • 24. Give me some examples
  • 26. Reconnaissance → Weaponisation → Delivery → Exploitation → C2 → Lateral Movement → Exfiltration → Maintenance (diagram: Bad Guy targets an individual asset)
    • Reconnaissance – Gathers intelligence about employees and assets
    • Weaponisation – Chooses weapon from underground forum
    • Delivery – Targets individual (asset)
    • Exploitation – Exploit run
    • C2 – Comms established with command & control server
    • Lateral Movement – Move laterally across network
    • Exfiltration – Exfiltrate data
    • Maintenance – Protection, maintenance mode
  • 27. When Harry met Sally
  • 28. It’s an IT Cyber Security Problem, Right?
  • 29. NO – Legally It’s a Challenge for the Board!
  • 30. Regulatory and Legal
    • EU Data Privacy Directive
    • EU Network Information Security Directive
    • European Convention on Cybercrime
    • PCI DSS
    • plus 400+ Others – 10,000+ Controls – 175 Legal Jurisdictions
    (diagram: all of the above bear on Your Organisation)
  • 31. Responsibility – Convention Cybercrime All organisations need to be aware of the Convention’s provisions in article 12, paragraph 2: ‘ensure that a legal person can be held liable where the lack of supervision or control by a natural person…has made possible the commission of a criminal offence established in accordance with this Convention’. In other words, directors can be responsible for offences committed by their organisation simply because they failed to adequately exercise their duty of care.
  • 32. Cyber is a Strategic Issue
    • Strategic Level (Macro Security): How do cyber attacks affect policies, industry, business decisions?
    • Operational Level: What kind of policies, procedures and business models do we need?
    • Technical Level (Micro Security): How can we solve our security problems with technology?
  • 33. Board Room Discussion
    • CEO: Loss of market share and reputation; Legal exposure
    • CFO/COO: Audit failure; Fines and criminal charges; Financial loss
    • CIO: Loss of data confidentiality, integrity and/or availability
    • CHRO: Violation of employee privacy
    • CMO: Loss of customer trust; Loss of brand reputation
    Increasingly companies are appointing CROs and CISOs with a direct line to the audit committee.
  • 38. Thank You – Stay Connected www.paulcdwyer.com youtube.com/paulcdwyer mail@paulcdwyer.com +353-(0)85 888 1364 @paulcdwyer WE IDENTIFY, MITIGATE AND MANAGE CYBER RISKS Cyber Risk International Broadmeadow Hall– Applewood Village -Swords – Co Dublin – Ireland +353-(0)1- 905 3260 xxxxxx mail@cyberriskinternational.com www.cyberriskinternational.com
  • 39. EXTENDED MATERIAL – CRIMEWARE EXAMPLE
  • 40. Example of Crimeware Tools, Tutorials, Services (Rent & Buy) Spyeye $500
  • 41. Botnets (Rent or Own) – diagram: Botnet Herder → Proxy → Command & Control Server → Infected PCs; the infected PCs are used for Spam and for a Website DDoS Attack
  • 42. Spyeye – Toolkit – diagram: Botnet Herder → Proxy → Spyeye C & C Server
  • 44. Get CC Info – diagram: Botnet Herder → Proxy → Spyeye C & C Server → Infected PCs; card data comes from the infected PCs or from an uploaded list
  • 45. Place Something For Sale – the herder uploads, renames and claims ownership of a software utility for sale on a popular download store
  • 46. Automate Transactions – Spyeye automates purchases by form filling at intervals to avoid detection, using the stolen credit card information
  • 47. Clean Money – diagram: Botnet Herder → Proxy → Spyeye C & C Server
  • 49. Avoid Detection – the billing hammer sends the transaction through an infected machine close to the cardholder’s address to avoid detection
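The billing hammer in the last slides routes each order through an infected PC near the cardholder’s address, which weakens IP-to-billing geolocation checks, so a retailer’s fraud team has to look at other signals. As an added example, not from the deck, this Python sketch flags a seller item that is bought at a near-fixed cadence with a fresh card and a fresh IP on every order; the log format, field names and thresholds are assumptions.

```python
"""Cadence and cardinality heuristics for the Spyeye-style purchase automation
described on the slides. Added example; log format, field names and thresholds
are constructed assumptions, not from the deck."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one seller SKU bought on five different (stolen) cards,
# each order proxied through a different residential IP at a fixed 15-minute
# cadence, plus two ordinary human orders of another SKU.
ORDER_LOG = """ts,card,sku,src_ip
2015-06-18T10:00:00,card-a1,UTIL-001,203.0.113.10
2015-06-18T10:15:00,card-b2,UTIL-001,198.51.100.7
2015-06-18T10:30:00,card-c3,UTIL-001,192.0.2.44
2015-06-18T10:45:00,card-d4,UTIL-001,203.0.113.99
2015-06-18T11:00:00,card-e5,UTIL-001,198.51.100.200
2015-06-18T09:12:00,card-f6,BOOK-042,192.0.2.5
2015-06-18T16:40:00,card-g7,BOOK-042,203.0.113.8
"""

def parse_orders(text):
    """Parse the CSV log and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(rows, key=lambda r: r["ts"])

def cadence_cv(times):
    """Coefficient of variation of the gaps between orders; near 0 means a timer, not a human."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)

def flag_hammered_skus(orders, min_orders=4, max_cv=0.2):
    """Flag SKUs where every order uses a fresh card and a fresh IP at a regular cadence."""
    by_sku = defaultdict(list)
    for o in orders:
        by_sku[o["sku"]].append(o)
    flagged = {}
    for sku, rows in by_sku.items():
        n = len(rows)
        fresh_cards = len({r["card"] for r in rows}) == n
        fresh_ips = len({r["src_ip"] for r in rows}) == n
        cv = cadence_cv([r["ts"] for r in rows])
        if n >= min_orders and fresh_cards and fresh_ips and cv is not None and cv <= max_cv:
            flagged[sku] = {"orders": n, "cadence_cv": round(cv, 3)}
    return flagged
```

Running `flag_hammered_skus(parse_orders(ORDER_LOG))` flags only UTIL-001; the two human BOOK-042 orders have no regular cadence and fall below the order threshold.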