Spire was honored to be invited as a guest speaker at the LGA Cybersecurity event held in Singapore.

1. 1
Cybersecurity: What’s
at Stake?
22 July 2015
Prepared by: Spire Research and Consulting
Presented by: Leon Perera, CEO
Spire Research and Consulting Group

2. 2
Presentation Outline:
1. The evolution of cyber threats
2. Imminent risks to businesses
3. Why CEOs and senior management need to invest
seriously in a cyber strategy– and how to measure ROI
Cyber Insecurity

3. 3
Spire Research and Consulting
The leading research-based consultancy in emerging markets
We were founded in the year 2000.
We have 100 employees in eight full-service offices.
We serve Global Fortune 1000 firms, governments and other
leading organizations.
Our opinions frequently appear in print, television and radio
media.
We provide a broad spectrum of research and consulting
solutions for market growth and entry.

4. 4
Cyber threat evolution
Advanced threats exist today that were unknown in the 1990s and
2000s
In the past, antivirus was the main weapon of defense needed
Hacking was uncommon, and centralized data was not nearly as
abundant and critical
Mission-critical systems were not as developed, business was not as
dependent on IT as it is today
Business was not as networked and less vulnerable to cyber crimes

5. 5
What are the risks?
What are significant risks today?
Data theft, e.g. through more sophisticated phishing and hacking
Malware that destroys data and renders systems unworkable, e.g. Stuxnet
Denial of service attacks, e.g. through zombie agents
Reputational attacks, e.g. defacing or rerouting public websites
Risks can come from external or internal sources

6. 6
What are the risks?
What is at stake with these risks?
Confidentiality: could erode market share & brand equity as well as trigger
litigation and fines
Integrity: compromising the completeness of information needed to make
business decisions
Availability: continuity of core business processes
Reputation: which affects customer and employee loyalty

7. 7
Change in cyber crime tactics
Why has the landscape changed?
More networked organizations and larger, unregulated cross-border
cyberspaces make cyber-crime more lucrative
Cyber crime is increasingly easy and cheap to commit
An effective botnet can be established for as little as USD700, or can be rented for
just USD535 per week
TOR rooms and other platforms to help link buyers and sellers of threats
Organized syndicates have emerged, e.g. DefCon, Darknet.org.uk
State actors sponsor some activity in this area

8. 8
Statistics on Incidence of Risk:
42.8 Million cyber security attacks in 2014 were detected and reported.
That comes out to an average of 117,339 incoming attacks every day, or a
48 percent increase from 2013. (PWC 2015)
65% attacks come from the Inside: With 35% coming from current
employees and 30% from past employees, internal threats are by far the
leading cause for concern. (PWC 2015)
On average there are 5,768 daily malware attacks on Android Google’s
operating system alone, as measured over a six-month period, (CYREN’s
Security Report 2013.)
Cyber Insecurity

9. 9
Cyber Insecurity
How are businesses vulnerable?

10. 10
What is at stake?
Cyber-threats can be devastating for a company’s finances, reputation
and employee confidence
Case Study #1: As strong as your weakest link
In October 2014, JP Morgan’s account data for 76 million individuals and
7 million small businesses was stolen
The bank had been spending USD250 million a year on cybersecurity
However, the failure arose due to the bank’s negligence in upgrading one
server, which was part of a company that JP Morgan had acquired
This single-point-of-failure created the perfect weakness for the hackers to
exploit

11. 11
What is at stake?
Case Study #2: Denial of services cripples the bottom
line today just as work stoppages did in the 20th century
In the evening on 11 May 2015, NetEase, a Chinese Internet company was
attacked causing several of its internet products to be unable to connect
to the server.
By the next morning (12 May 2015) all affected products recovered
Lost revenues do its game products alone caused a loss of ~USD 2.5 million
to NetEase over that one night of outage.
NetEase claimed the reason was its backbone network had been attacked
by hacker(s)

12. 12
Cyber Insecurity
What are the types of security threats?

13. 13
Types of security threats
Hacking:
Hackers exploit weaknesses in a computer system or network
First, hackers obtain information about their intended target
Then, they identify weaknesses and potential attack approaches
Finally, they execute on the attack plan
For example:
• In recent years, several movies from Sony Pictures have been stolen in
cyber attacks, including "Fury“, "Annie" and “Still Alice.” These movies
appeared on file-sharing sites prior to their box office release dates.
• In June & July 2015, private information of 21.5 million people were stolen
via two hacks at the Office of Personnel Management of the Obama
administration, leading to the resignation of its Director on 10 July.
• In 2013 a British hacker accessed information on current and former
employees of the US Department of Energy

14. 14
Types of security threats
Phishing:
Phishers try to acquire sensitive information such as usernames,
passwords, credit card details and intellectual property; and to
impair the operations of a website or service
They do this by masquerading as a trustworthy entity in an electronic
communication
For example:
Scoular Co. has international business interests and uses wire transfers
frequently. Scoular did not raise a red flag when it’s controller received
three emails to wire a total of USD17.2 million to a Chinese bank- Shanghai
Pudong Development Bank in June 2014. The emails purportedly were sent
by the CEO (they were actually not). During the investigation of the affair,
the controller told the FBI that he ‘was not suspicious of the three wire
transfer requests’ because there was an element of truth to all of it.”

15. 15
Types of security threats
MITM:
‘Man in the middle attack’ where a middleman impersonates each
endpoint and is thus able to manipulate both victims.
For Example:
Customers of a major financial services firm have been targeted with a
man-in-the-middle attack (a variant of Zeus) that will install malware
designed to intercept passcodes sent to BlackBerry and Symbian devices
via SMS as part of a two-factor authentication scheme.

16. 16
Types of security threats
Malware that destroys systems:
Cyber criminals operate remotely in what is called ‘automation at a
distance’ using various means of attack. These include:
Viruses
Worms
Spyware/Adware
Trojans
For Example:
The Stuxnet worm, reportedly a joint US-Israeli project, is said to have destroyed a fifth
of Iran’s nuclear centrifuges. It was delivered into Iran’s Natanz nuclear plant via an
employee’s thumb drive.
The United States government has warned iPhone and iPad users about the "Masque
Attack" vulnerability, a security flaw that can allow malicious third-party iOS apps to
masquerade as legitimate apps via iOS enterprise provision profiles.

17. 17
Types of security threats
Botnets that slow systems down:
The term “bot” in the phrase BOT networks is the short form for robot
When a computer is infected with BOT malware, it performs automated
tasks over the internet without the owners’ knowledge or consent
For example:
Many high-profile targets such as Citigroup, the US Senate, the International
Monetary Fund, Sony, Northrup Grumman, Lockheed Martin and RSA have
all been victims of botnet attacks
The source code for the builder and control panel of ZeusVM version 2.0.0.0
was leaked in June 2015, according to malware research agency MMD.
This could cause a surge in botnets in the months ahead.

18. 18
Types of security threats
Denial of service (DoS):
The purposeful overload of a device, with the aim of making the device or
a service provided by that device unavailable to users.
A DoS usually originates from large numbers of bots or zombie PCs which
are under the control of a botnet
For example:
Stacheldraht is a typical Denial-of-Service agent
The attacker uses a client program to connect to compromised
systems that issue commands to the zombie agents
Agents in turn facilitate the DoS attack

19. 19
Types of security threats
Reputational risk attacks – website defacement, rerouting
For example:
In October and November 2013, several Singapore government
websites were hacked and defaced by “The Messiah”, including
websites of the Istana, the PCF and Ang Mo Kio Town Council.

20. 20
Types of security threats
The new risk landscape with the Internet of Things (IoT):
Physical devices become connected through the Internet of Things (IoT)
Internet of Things (IoT) devices are riddled with basic security flaws, such as
weak passwords, unencrypted network services, insecure interfaces and
cross-site scripting risks
Many devices collect personal information such as name, address, date of
birth, health information and even credit card numbers
Concerns about security and privacy are multiplied when you add in cloud
services and mobile applications that work alongside the device
For example:
Cisco, a technology company, predicts that 50 billion connected devices
will be in circulation by the end of the decade, up from 11 billion last year

21. 21
Cyber Insecurity
Cybersecurity management practices

22. 22
Managing cybersecurity threats
ROI measurement for investing:
Calculating ROI is critical to analyze IT security’s value to the company
Be clear about how and where money is being spent on security
Funding for a specific project can be identified but funding for on-going security
is often scattered throughout programs
Many Security Tools have a short Half-Life; choose those less prone to
countermeasures
Eliminating Software Vulnerabilities Leads to Major Cost Reductions

23. 23
Managing cybersecurity threats
Do’s and don’ts
Senior management should provide ultimate leadership on cybersecurity,
not the IT department
Sensible cost-benefit analysis is key – don’t just let the fox run the henhouse
Ensure silo-less co-operation and decision-making in an emergency
Engage external auditors to “stress-test” security infrastructure
Ensure emergency preparedness and contingency planning with real drills
Ensure timely notification to central authority of any data leaks or break-ins
Investing in the Workforce leads to less cost over time

24. 24
Tel: (65) 6838 5355
Fax: (65) 6838 5855
78 Shenton Way #20-01
Singapore 079120
sg.info@spireresearch.com
www.spireresearch.com