Switzerland targeted in sustained global cyber campaign

PwC and BAE Systems have recently concluded an intensive investigation into an espionage network dubbed APT10. Our Advanced Cyber Defense team in Switzerland has been involved in the detection, response and remediation of the attack in multiple sectors where Swiss-based clients have fallen victim to this campaign.

Over the last year we have seen sustained targeted attacks against major organisations in Switzerland. The attacks have specifically targeted managed IT service providers (MSPs) and used these networks to reach the MSPs' customers. This potentially gave unprecedented global access to the intellectual property and sensitive data of those MSPs and their clients.

As part of the investigations carried out by our Swiss, UK and global teams, we have linked these activities to similar attacks in more than 14 countries. PwC has gone public with this because, although we have already seen several companies compromised, there may be many other organisations affected. We recommend performing a cybersecurity breach assessment to detect whether your organisation has previously been compromised, and using tailored threat intelligence to manage risk effectively.

World-wide, the campaign has targeted many Japanese state entities, and in the US, defence-related as well as telecommunication companies. The construction, retail and consumer, energy and mining, technology, professional services, metals, industrial manufacturing, and public sector were also targeted.

What is APT10?

APT10 has targeted “managed IT service providers” and has used them as a springboard to crawl through networks. The group behind the campaign has been using a wide variety of malware which has evolved over time. This has included RedLeaves, PlugX, Poison Ivy, EvilGrab and mimikatz. The tools used in the campaign have been around for quite some time and have been passed around within criminal circles.

The campaign uses an impressive network of command-and-control servers. PwC assesses the energy and resources invested into the campaign as high and sustained.

Attribution

PwC was able to attribute the attack to the campaign by seeking analytical conclusions from a variety of disciplines and perspectives, all pointing to the same result. Reverse engineering of the malware revealed a command-and-control infrastructure as well as recognisable characteristics. Folder and file naming conventions and paths further shed light on the associated tactics, techniques and procedures (TTPs). Robust intelligence corroborated this with similar indicators and activities across related victims. Lastly, the modus operandi, the targeted information and a temporal analysis of the activities, when compared with similar activity at the time and in the industry, reinforced PwC’s conclusions.

Several indicators point to the instigators being located in East Asia. Most strikingly, the registration timestamps of the domains in the extensive network of command-and-control servers, as well as the malware compilation times, would appear to make sense for an actor based within this region. Many of these indicators could be faked to induce investigators to draw the wrong conclusions. However, to do so consistently across several types of evidence, and without hinting at another geographical location, would be rather exceptional.

Further investigations are still being carried out to try to determine more exactly who could be behind the attacks. Attribution is a lengthy investigative process, but we believe that the report needed to come out quickly to help organisations protect their networks as much as possible.

What to do

The report includes a long list of indicators of compromise (IOCs). It is advisable to load these into your security monitoring systems to protect against possible future attacks. Furthermore, for organisations in targeted sectors with high-value intellectual property, we recommend conducting a threat hunt in your network to identify whether you have been targeted by these attacks.

PwC also recommends, at a minimum, two-factor authentication for the jump hosts through which managed service providers (MSPs) enter client networks. The compromise and data exfiltration are carried out via system and MSP administrator accounts, so stronger controls around these entry points are key. Additionally, increasing visibility across the enterprise through a holistic logging policy would further assist.

Should you need any help to conduct such an assessment, PwC would gladly assist you in any way we can. Don’t hesitate to get in touch with us: PwC Swiss Breach Aid Team

The report and the technical indicators can be found here.

Reto Häni
Cyber Security Leader
+41 79 345 01 24
reto.haeni@ch.pwc.com

Lessons from a hack

What links spies, hackers, cookies and a grey Aston Martin DBS? The answer can be found in the indictment against four suspects that the U.S. Department of Justice published last week. The four individuals are accused of breaking into the networks of a large telecommunication company in 2014 and of stealing large amounts of client data. Despite the legal jargon (albeit with a few sparks of technical detail), reading the document reveals some interesting aspects regarding cyber security.

The blurring line between cyber crime and cyber espionage

Cyber security experts have repeatedly pointed out that intelligence services are keen to take advantage of the abilities of cyber criminals by hiring and tasking them to penetrate their targets’ networks and siphon out sensitive data. The indictment confirms this practice. Two of the defendants are allegedly officers of a foreign intelligence service and have been accused of “[directing] criminal hackers, […], to gain unauthorized access to computers of companies”.

The increasingly blurred line between cyber crime and cyber espionage makes the attribution of cyber incidents more complex. As cyber criminals offer their services and tools on the underground markets of the dark web, the same tool can be used in several campaigns and by different threat actors, including intelligence agencies. Hence, the approach for identifying the instigators of a cyber attack needs to go beyond the mere technical details (i.e., the so-called indicators of compromise [IOCs], such as the signature of the malware used or the IP addresses of command-and-control servers). The attribution process must take into account non-technical aspects such as the nature of the target and the type of information stolen. These elements are then to be interpreted within a geopolitical framework.

Tools, techniques and procedures

The indictment gives an interesting insight into the techniques used by criminals to gain unauthorized access to a system. The methods listed by the Department of Justice include advanced techniques such as spear phishing and cookie minting. In the first case, the hackers sent tailored e-mails designed to resemble messages from a trustworthy source, luring the recipients either to open an attachment carrying malware or to click on a malicious link. In the latter, the suspects forged session cookies to gain unauthorized access to the victims’ e-mail accounts without needing their passwords. Furthermore, in order to make the investigators’ task more difficult and to “reduce the likelihood of detection”, the criminals covered their tracks by leasing servers in different countries and using VPNs. Once inside the breached company’s systems, they also ran log cleaners to erase their traces.

The indictment reports neither the malware used nor any IOCs; it does, however, highlight the high skills and versatility of today’s cyber criminals. They are professionals able to use a large set of tools and to combine different techniques, ranging from social engineering to the use of malware. When defending your company’s network, you have to be aware of this and consequently implement a comprehensive security infrastructure without neglecting employees’ awareness training.

Collateral damage

The victim of the breach is a well-known e-mail provider with millions of users and even more e-mail accounts. By breaching the company’s network, the hackers gained access to thousands of e-mail accounts. According to the charges, the suspects had access to accounts of journalists, politicians, government officials and sales managers, and even to one belonging to a Chief Technology Officer. Among the victims there were also 14 employees of a Swiss Bitcoin wallet and banking firm.

The intelligence officers were more interested in personal information about specific political targets; the hackers, on the other hand, sought financial data for their personal enrichment. Apparently, the business was somewhat lucrative, as the list of forfeited goods mentions a grey Aston Martin DBS.

As widely reported in the media, the breached company was in the process of being acquired. In the aftermath of this very disclosure and of another previous one, the price of the deal was reduced by $300 million. Also, taking responsibility for the breach, the company’s CEO decided to renounce her annual bonus. Yes, a security breach can have heavy and real repercussions for the company and its employees.

Recommendations

This breach showcases the importance of not keeping your personal and business data in a single webmail account without protecting it. We strongly recommend using encrypted communication for any sensitive information. Moreover, the criminals reused the stolen passwords to log into other accounts belonging to the same users. As a good security reflex, you should never reuse your password across different services.

PwC strongly believes in a holistic approach to cyber security by offering a wide variety of services covering all the phases of the cyber lifecycle: from strategy and policy development to its implementation and to incident response. PwC cyber security services can help your company improve its security posture to face old and new threats.

Contact us if you would like to discuss this topic.

Reto Haeni
Cyber Security Leader
+41 79 345 01 24
reto.haeni@ch.pwc.com

Mark Barwinski
Director, Cyber Security
+41 58 792 20 89
mark.barwinski@ch.pwc.com

Cybersecurity: A peek into the nuts and bolts of a state cyber apparatus

WikiLeaks, the platform that has in the past released thousands of classified US diplomatic cables and, more recently, emails from the Democratic National Committee, has now published leaked documents which it claims came from the CIA. The documents detail tools the intelligence agency uses for surveillance. This includes notably kits to penetrate computers (from Windows to OS X), mobile phones (iOS, Android) and many other devices.

Why is this relevant?

It has been known for some years that intelligence services also launch cyber attacks. In so doing, they add new malware and create new “threats” in the security landscape. The secretive way these services operate has contributed to certain expectations, at times exaggerated, as to what their capabilities are. The leak offers us a peek into what a state intelligence service does and how it operates to breach systems. For cyber security specialists, this is in a way a boon for learning how to make their networks more resilient – provided that they are in a position to digest the information correctly.

Furthermore, because of their sometimes sizeable budget, a few intelligence services can set the tone as to what is the most sophisticated way to perform successful and stealthy attacks. The leaks provide, however, a slightly different perspective.

Should we be worried?

One of the stories to make the headlines concerned spying via Smart TV. It is, however, much less scary than it may sound. The TVs were not hacked remotely, but malware was introduced physically into them.

Many intelligence services go after specific targets. The way they operate means that they will seek to obtain further information about what a specific person is up to because the agency will already have received a hint from another source that the person is involved in terrorist activities, nuclear or chemical weapons proliferation, or organised crime for instance. The agency then works its way through to have surveillance in place – be it through remote cyber means or through human intelligence (HUMINT) and up-close support by a network of assets (recruits).

What the leaks show is that agencies, logically, can use their strongest assets to put such surveillance systems into place: humans. Either they physically go in themselves or they use recruits to inject malware through up-close support. Regardless of an organisation’s cyber security, it is very likely that the agency will be able to circumvent it this way. For an intelligence service to use a Smart TV as a bugging device is in the end not so different from installing its own in-house-developed listening device after breaking into a target’s home.

Therefore, if an organisation comes into the crosshairs of an intelligence service, it may have bigger problems to worry about than merely knowing whether it is under surveillance.

Similarly, up-close physical contact is commonly used by such intelligence agencies in a broad set of countries to gain persistence on mobile devices. Such activities often take place in hotel rooms, where unsuspecting users sometimes leave telephones, iPads and laptops unattended for a few hours at a time. It may only take a matter of seconds for a trained operative to equip a personal device with new software or hardware. If successful, these agencies may harvest a treasure trove of information, which could include all e-mail communications, as well as the ability to monitor live sound and video, banking transactions, geolocation coordinates and much more – essentially a complete pattern of life. (Patterns of life are akin to human fingerprints, making it possible for intelligence agencies to maintain detailed awareness of a target’s actions.) It is therefore wise to keep track of the location of all personal devices during business trips to foreign destinations in order to minimise access to those devices by unauthorised individuals.

If there is one point on which to rejoice, it is that in this latest apparent tool release, a few commonly known communication applications, which use encryption to keep people’s conversations private, seem to be genuinely safe to use. As the leaks appear to indicate, state intelligence services use Trojans to penetrate targets’ cell phones, which suggests that they have probably not been able to break the encryption algorithms themselves. Users may find comfort in the fact that their private sphere may very well remain protected in some circumstances and for some mobile device models.

What are the largest takeaways?

The toolkit exposed is less sophisticated and impressive than others that stem from a signals intelligence agency. This is probably because certain agencies can use other, “human”, means to gain an entry point into a network.

Not all intelligence agencies are alike, and many within the same country operate under different mandates, authorities and areas of specialisation. Such is the case for this most recent release of tools, which is associated with an agency focused on the collection of foreign intelligence through highly targeted activities and sometimes through up-close tactical operations. Mass surveillance, in other words, is generally not associated with the operating principles of an agency that does not focus on signals intelligence.

As a consequence, the released information does not contain zero-days, and it shows that intelligence services can reuse portions of code gathered on the internet or already deployed by criminals and other intelligence services. Apart from being practical, this also adds to the confusion for whoever tries to attribute the attacks, in keeping with the principles of deception and plausible deniability.

A second point which follows is that many of the leaks show the agency merely making good use of unpatched systems. Some of the released information may well be quite old – such as a document concerning the rapid copying of 3.5-inch disks – but it is in accordance with PwC’s view that many unpatched systems still leave the door open as much to criminals as to intelligence services.

Open questions

The US intelligence community has been very much in the spotlight for the past couple of months – and the timing for the release of the leaks could not be more awkward. It comes at a time when intelligence agencies have likely been tasked to take action against those responsible for influencing the democratic electoral process in the country. The timing hence raises the question whether there are motives behind the leaks other than the obvious ones. If we are to accept recent reports of such activities, then such a release of tools may signal a pre-emptive action designed to hinder retaliation. This should incite us to be cautious as to how we interpret them and not to take information at face value, especially as some of it may also not be genuine.

Once more, the leaks appear to seek to damage the organisation in at least two ways: it will have to rebuild tools to ensure that it can continue its surveillance of terrorists and others; and it will have to double its efforts to assure its international partners that the information they give to the agency will remain confidential.

Threat intelligence?

Now that this information about a state’s capabilities lies in the open, it makes sense to integrate it into an organisation’s security posture: professional criminals are likely to reuse whatever they perceive as top-notch hacking tips. Doing so requires understanding the context of the information (of the leaks, but also of the functioning of the agencies behind them) and having appropriate technical systems in place.

PwC is a global leader in security services and has multiple threat intelligence teams globally, including in Switzerland. Furthermore, PwC has built one of the world-leading threat detection and intelligence platforms, “Secure Terrain”. The platform is based on advanced analytics technology that pulls information out of volumes of data that traditional methods would not be able to digest. Combined with our threat intelligence, PwC can provide the tools, methods and (if needed) people to detect, and respond to, advanced attacks in an intelligence-driven way.

Contact us if you would like to discuss this topic.

Reto Haeni
Cyber Security Leader
+41 79 345 01 24
reto.haeni@ch.pwc.com

Mark Barwinski
Director, Cyber Security
+41 58 792 20 89
mark.barwinski@ch.pwc.com

Gozi’s Activity in Switzerland

Recent media reports have highlighted once again that a large number of organisations are vulnerable to cyber threats and at risk of significant losses, including in Switzerland.

Last week, it emerged that two medium-sized Swiss companies had fallen victim to theft perpetrated via cyber attacks totalling almost CHF 1.6 million; CHF 338,000 of this has still not been recovered. In both cases, the malicious transfers did not occur because of stolen e-banking credentials – the more common way – but rather through third-party payment processing software. The software works as a one-password manager and makes it easier for companies to send payments to and receive payments from contractors. Yet it also opens new ways for criminals to steal money. A well-known malware family also played a role in the heists: Gozi.

What is Gozi?

Gozi is an old acquaintance for cyber security experts. It first appeared in 2007, its main feature being the stealthy theft of online banking credentials through web injection attacks. In a nutshell, e-banking malware functions as follows: after infecting the user’s system, it modifies the content of the web pages shown during e-banking sessions. It records the user’s activity as well as all their inputs and communicates them to the crooks. With the stolen information, the criminals are able to connect to the user’s banking account and make illicit payments.

Over the years, the Gozi malware family has grown so much that many major financial institutions around the world have fallen victim to it. Even though its authors were arrested and sentenced in the US, the malware’s activity did not cease. Its source code was leaked on two occasions, allowing other cyber criminals to reuse it. The charges against the authors reveal that Gozi was sold online on underground forums with a professional cybercrime-as-a-service business model. The authors sold a customised version of the malware meeting the customer’s needs, and they provided the necessary infrastructure for running it.

Last year, cyber security researchers spotted a new variant of the malware targeting users of the “Edge” web browser in Windows 10. Furthermore, several worldwide campaigns against banks in Spain, Poland, Japan, Canada, Italy and Austria were brought to light. These findings were aligned with those of another security vendor. During the last year, this vendor observed a resurgence in attacks related to banking Trojans, and especially the spread of the Gozi malware, making it a worrisome threat for e-banking customers.

Recommendations

A few third-party payment processing software solutions already implement a four-to-six-eyes principle depending on the amounts to be transferred. However, issues arise when this principle can be circumvented with the help of malware such as Gozi or, more generally, when the whole Enterprise Resource Planning (ERP) system is bypassed. In other words, fraudulent payment instructions can then be entered directly into the banking software.

Hence, reasonable advice against this is to place such software on systems which malware cannot easily reach. The security perimeter around such third-party payment processing software should be strengthened in comparison with the rest of the network. This means:

  • enforcing high encryption standards with credible authentication;
  • if supported, minimum two-factor authentication within the bank application before payments are executed;
  • multifactor authentication for access to the bank application;
  • implementing role based controls based on individual staff roles and responsibilities;
  • if possible, implementing application white listing on those most sensitive systems hosting payment software;
  • reviewing the security of all systems that are involved in the banking process as one weak link could enable a successful compromise;
  • securing the endpoints, as they are one of the most easily reachable entry points for attackers: this implies protecting endpoints by restricting access rights and preventing executables and scripts from being invoked, as well as carrying out awareness training to foil phishing attacks;
  • assuming that the network is already compromised and not reusing passwords for the banking systems. Taking network hygiene seriously by segregating the network is also a must-do.

In addition, it would be prudent for businesses and their corresponding banks to discuss and establish procedural safeguards, such as restricting transactions or increasing scrutiny around transactions destined for individuals or organisations in high-risk countries. For example, if your business does not transact internationally, fund transfers to organisations in suspicious countries should be immediately flagged. Such controls can include:

  • restricting payments to certain countries (or “white listing” allowed countries if that is possible);
  • limiting payment amounts to specific groups of suppliers and payees (that is to say, specifically “white listing” the payees for which higher-value payments are allowed);
  • manually validating large amounts;
  • manually checking new payees, especially before the first payment;
  • limiting individuals’ payment authority;
  • segregating duties (creating the invoice separately from executing the actual payment);
  • and lastly, additionally validating SWIFT payment codes against an independently held master file copy of authorised payees.
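The two lists above describe controls in prose; the following added example (not PwC's or any payment vendor's software) shows how the procedural controls can be applied mechanically to a batch of outgoing payment instructions before release. All payees, IBANs, BICs, thresholds and the allowed-country list are constructed sample data; the IBANs are the publicly documented CH, DE and GB example numbers.

```python
"""Screening outgoing payment instructions against the procedural controls
listed above: country white list, payee-specific amount limits, manual
validation of large and first-time payments, segregation of duties, and a
BIC (SWIFT code) cross-check against an independently held master file.
Added illustration, not PwC's or any payment vendor's software; every payee,
IBAN, BIC, threshold and country below is constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Payee:
    name: str
    iban: str
    bic: str             # BIC/SWIFT code as held in the master file
    high_value_ok: bool  # white-listed for payments above HIGH_VALUE_LIMIT

@dataclass(frozen=True)
class Payment:
    payee_name: str
    iban: str
    bic: str
    amount: float
    created_by: str   # user who entered the invoice / instruction
    released_by: str  # user who released the transfer

# Constructed policy values; a real deployment takes them from the bank
# agreement and the company's own payment policy.
ALLOWED_COUNTRIES = {"CH", "DE", "AT"}
MANUAL_VALIDATION_THRESHOLD = 10_000.00
HIGH_VALUE_LIMIT = 50_000.00

# Independently held master file of authorised payees, keyed by IBAN.
# The IBANs are the publicly documented CH and DE example numbers.
MASTER_FILE = {
    "CH9300762011623852957": Payee("Alpha Bau AG", "CH9300762011623852957",
                                   "UBSWCHZH80A", high_value_ok=True),
    "DE89370400440532013000": Payee("Beta GmbH", "DE89370400440532013000",
                                    "COBADEFFXXX", high_value_ok=False),
}

def normalise_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters
    to 10..35 and require the resulting number to be 1 modulo 97."""
    s = normalise_iban(iban)
    if len(s) < 15 or len(s) > 34 or not s.isalnum():
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def screen_payment(p: Payment, master=MASTER_FILE,
                   allowed=ALLOWED_COUNTRIES) -> list:
    """Return the control flags raised by one instruction, in a fixed order.
    An empty list means the payment may go through the normal release."""
    flags = []
    iban = normalise_iban(p.iban)
    if not iban_is_valid(iban):
        flags.append("INVALID_IBAN")
    if iban[:2] not in allowed:               # country white list
        flags.append("COUNTRY_NOT_ALLOWED")
    payee = master.get(iban)
    if payee is None:                         # first payment to a new payee
        flags.append("NEW_PAYEE")
    else:
        if payee.bic != p.bic.upper():        # independent SWIFT code check
            flags.append("BIC_MISMATCH")
        if payee.name != p.payee_name:
            flags.append("NAME_MISMATCH")
    # large amounts only to payees explicitly white-listed for them
    if p.amount > HIGH_VALUE_LIMIT and not (payee and payee.high_value_ok):
        flags.append("EXCEEDS_PAYEE_LIMIT")
    if p.amount > MANUAL_VALIDATION_THRESHOLD:
        flags.append("MANUAL_VALIDATION")
    if p.created_by == p.released_by:         # segregation of duties
        flags.append("SEGREGATION_OF_DUTIES")
    return flags

# Constructed batch: one clean instruction and four that trip controls
# (the last one has its IBAN check digits altered from 93 to 94).
SAMPLE_BATCH = [
    Payment("Beta GmbH", "DE89370400440532013000", "COBADEFFXXX", 8_000.00, "anna", "bruno"),
    Payment("Alpha Bau AG", "CH93 0076 2011 6238 5295 7", "UBSWCHZH80A", 75_000.00, "anna", "bruno"),
    Payment("Beta GmbH", "DE89370400440532013000", "DEUTDEFFXXX", 60_000.00, "anna", "anna"),
    Payment("Gamma Ltd", "GB82WEST12345698765432", "ABCDGB2LXXX", 12_000.00, "anna", "bruno"),
    Payment("Alpha Bau AG", "CH9400762011623852957", "UBSWCHZH80A", 500.00, "anna", "bruno"),
]

def screen_batch(batch) -> dict:
    """Map each instruction's index to its flags; unflagged ones get []."""
    return {i: screen_payment(p) for i, p in enumerate(batch)}

if __name__ == "__main__":
    for i, flags in screen_batch(SAMPLE_BATCH).items():
        print(i, SAMPLE_BATCH[i].payee_name, flags or "OK")
```

Flagged instructions are held for the manual steps listed above rather than rejected outright, so the screen complements, and does not replace, the four-to-six-eyes release.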

A caveat still remains: many of the aforementioned recommendations can be overridden to some extent if the attackers have inside knowledge, or if they manage to obtain credentials to the system which allow them to read internal documents describing the processes. Therefore, mitigating actions should be handled with the sensitivity they deserve. Limited dissemination of this information and “need to know” practices would further safeguard the integrity of the payment systems.


Contact us if you would like to discuss this topic.

Reto Haeni
Cyber Security Leader
+41 79 345 01 24
reto.haeni@ch.pwc.com

Mark Barwinski
Director, Cyber Security
+41 58 792 20 89
mark.barwinski@ch.pwc.com

Switzerland’s CRYPTO VALLEY ASSOCIATION Founded To Build World’s Leading Blockchain and Cryptographic Ecosystem

Crypto Valley Association, the Swiss-based not-for-profit association supporting the development of Blockchain and cryptographic related technologies and businesses, today launched with a number of leading companies and startups as members, including ConsenSys, UBS, PwC, Thomson Reuters, Luxoft, Canton of Zug, and Lucerne University.

Switzerland has established itself as one of the world’s leading countries for digital innovation. Home to hundreds of multinational enterprises, technology companies, and financial institutions, the country boasts world-leading infrastructure, a sophisticated workforce, and one of the world’s most decentralized, stable and neutral political systems.

Headquartered in the Swiss canton of Zug, Crypto Valley Association is the independent, government-supported association established to take full advantage of Switzerland’s strengths to build the world’s leading blockchain and cryptographic ecosystem, working with government to foster the development of pioneering digital technologies in Switzerland and internationally. The association will support startups and established enterprises through policy recommendations, initiating and enabling research projects, and organizing conferences, hackathons, and other industry events.

“Emerging technology such as Blockchain and Crypto-technologies are at the heart of the digital transformation of Financial Services. PwC have explicitly made digital one of our key priorities and support a number of initiatives around the world to foster innovation. By supporting and being part of the Crypto Valley in Switzerland, we engage with a rapidly growing ecosystem and contribute our expertise and perspectives on how to leverage technology for positive change in society,” said Manoj Kashyap, Global FinTech Leader for PwC.

Read more about the Crypto Valley Association.

The Chinese Cybersecurity Law has been finalised – what is it about?

China’s Cybersecurity Law enforces the cybersecurity rights and obligations of the government, network operators and users.

Compliance with the new law is ushering in a range of new challenges for both government and business. In order to protect the rights of all stakeholders, it will be essential to ensure appropriate network operations, encourage network innovation, identify security risks and comply with regulatory requirements.

Highlights

  • China’s top legislature adopted its Cybersecurity Law on Nov 7, 2016. After a third reading at the National People’s Congress (NPC) Standing Committee, it is now set to take effect on June 1, 2017.
  • The law defines the scope of critical infrastructure, and sets the foundations for enforcing penalties on overseas organisations and individuals who attack or break the nation’s critical infrastructure.
  • The law puts more emphasis on personal information security, cybercrime, network product and service security, obligations of network operators, and sovereignty rights over cyberspace.

All organisations collecting “personal information” and “critical data” in China could be impacted, including:

  1. Network operators. The law enforces the security obligations of network operators, which are widely defined to include owners, administrators and network service providers. This includes, but is not limited to, telecommunication operators, network information service providers, and important information system operators.
  2. Network product and service providers. Organisations which provide information through networks or provide services for the purpose of obtaining information, including users, network service providers and non-profit organisations which provide network tools, devices, information, media, access, etc.
  3. Critical infrastructure. The law specifies requirements related to the operational security of critical infrastructure, and stresses the importance of protecting the critical infrastructure for public communication, media, energy, transportation, water conservation, financial services, public services and e-government industries.
  4. Overseas organisations and individuals. Includes, but is not limited to, foreign trade enterprises, organisations, groups and individuals.

What is the impact for other countries?

  • With the new cybersecurity law taking effect on 1st June 2017, transferring/storing of personal data outside China, and using network and password equipment not certified by the government will be prohibited.
  • More stringent regulations and requirements will be applied; for instance, the requirement of security assessment prior to the cross-border transfer of personal, sensitive data by enterprises.
  • Foreign organisations and individuals found guilty of attacking China’s critical infrastructure are subject to punishment specified by the law.

What penalties might be incurred?

Organisations found violating the law will be liable to fines, with the responsible managers subject to imprisonment and banned from taking network security and operation management positions in the future.

How PwC can help

As a multidisciplinary company, we are the ideal partner to help you adapt to the new regulatory environment. Our regulatory team includes cross-border initiatives and compliance specialists, IT auditors, lawyers and strategy consultants. They are globally oriented and have local expertise.

If you are interested in this topic or if you have any questions, please feel free to contact me.

Management of cyber risks for hospitals

Context

The European Union Agency for Network and Information Security (ENISA) is a network of security expertise. It provides assistance to member states of the European Union, in both the private and public sectors, to increase infrastructure security resilience and compliance with EU legislation.

ENISA has just released a study about the shift for hospitals from the “traditional hospital” model towards a “smart hospital” one. A hospital becomes “smart” when more and more Internet of Things (IoT) devices are used and connected to the hospital network.

While this new way of working offers undeniable benefits, it also brings new security challenges. As dependency on IT increases, the risks need to be managed appropriately, as do cybersecurity and resilience considerations.

Goal and methodology

The study aims at reviewing the threats and vulnerabilities associated with smart hospitals and upcoming digitalisation. It takes a separate look at the technical and organisational measures that must be set up to reduce these risks to an acceptable level.

To get a global understanding, the process involved the participation of more than 30 security professionals in senior positions from either the hospitals, the health industry, or policy-making agencies. The study summarizes nine main gaps that need to be addressed by hospitals in order to be ready to adapt to IoT devices and move forward in the digital transformation.

Highlights

The following conclusions were reached by ENISA:

  1. The top two threats perceived by respondents are caused by human errors (first) and malicious activities (second). These threats can also cause maximum damage to hospitals (77% for malicious actions and 70% for human errors).
  2. Respondents clearly identified infrastructure as the most critical asset for small hospitals (please refer to chart 1).
  3. Respondents considered that, among deployed measures, only a few are actually effective, and most of these are technical (please refer to chart 2).

[Chart 1 and chart 2 from the ENISA hospital study are not reproduced here.]

Conclusion of the ENISA study

Hospitals are not ready for the digital future and smart devices because

  • IT assets are not managed in a central inventory – the study offers a categorisation schema to do so
  • Threats and risks are not assessed and consequently not managed – the study offers a taxonomy of threats applicable to smart hospitals
  • Good practice, and the gaps in good practice within a hospital, are not identified and closed in a timely manner – the study identifies nine major gaps which are seen in most hospitals

How PwC can help

The question is no longer whether a hospital can be the target of a cyberattack but when.

Based on our experience, both as auditors and cybersecurity consultants, we have developed an approach which helps to enhance the security stance of hospitals. Our approach comprises the assessment of three aspects: people, processes and technology.

An appropriate level of cybersecurity, compliance and privacy requires a structured approach balancing governance, processes and technology. It includes:

  1. A strategy for how to address cyberthreats, manage risks and establish governance
  2. Identifying the IT assets, the risks and responsible roles in and for the organisation
  3. Protecting IT assets and data appropriately
  4. Detecting cyberattacks, data exfiltration and human errors early and efficiently
  5. Responding effectively to IT security incidents and
  6. Recovering according to defined time objectives to minimize business impact

By the end of the assessment, you will be aware of any gaps with respect to regulatory requirements and of how your security programme compares with industry good practice.


If you have any questions or remarks, please do not hesitate to contact me.

Details of Cyber Attacks: Sharing is Caring

On 29 December 2016, the US government entered a new round in its fight against malicious cyber attackers. It released a 13-page report, accompanied by a much more detailed listing of almost 1,000 technical indicators. The goal of the report was to help companies detect, block and eradicate cyber attacks on their networks.

The move followed a rough year where not only the Democratic National Committee suffered a consequential and highly mediatized breach, but also think tanks, universities, critical infrastructure and many more. Fears that further attacks are coming appear well-grounded.

The US government’s report is important and relevant for many businesses, also here in Switzerland, for at least three reasons:

Aligned with private companies
Firstly, it confirms what private companies – including PwC – have been saying for a couple of years. The released information is a mixture of yet-unseen declassified technical indicators with a few also coming from the private sector. Private cyber security companies have therefore been doing quite a good job at gaining visibility and tracking what attackers have been up to. The investigative methods of private companies appear to match the ones the US government is using.

Overview on known attacking methods
Secondly, the report strongly highlights current state-of-the-art ways of attacking networks. Attackers send e-mails with malicious content enticing users to click on them. Once in a network they try to gain access to even more protected valuable resources (so-called “lateral movement” aimed at “escalating privileges”). The e-mails need not be precisely targeted: despite the hype over “spear phishing” e-mails, many rather resemble spam being sent to thousands of recipients at a time.

How to tackle threats
And this leads to the third point. The bulk of the US government’s report focuses on how to tackle such threats. And it notes: “These strategies are common sense to many, but DHS continues to see intrusions because organisations fail to use these basic measures”. This aligns very well with PwC’s experience and conclusions. In other words, many organisations, also in Switzerland, have yet to implement strong cyber security measures to ensure that they cannot easily fall victim to such attacks.

The way forward: sharing more data
Technical reports of this kind are very welcome. They lead the way by stressing that the sharing of information is crucial to defending against cyber attacks, and they contribute to normalising such a practice. Until now, indicators of cyber attacks have been very often looked at as sensitive information, thus there has been a notorious reluctance to share them between oft-ashamed victims. PwC supports the idea of sharing: when companies exchange information about experiences they’ve had with cyber attacks, negative experiences included, companies not only bring benefits to other companies, but also to themselves in the long run. They can get feedback on other companies’ experiences and this way improve their own security mechanisms. Reports like the one from the US government may contribute to changing the current mindset.

We’d also suggest adding even more precision and more detail to such reports, rather than merely mentioning the many different malware names involved. For example: attackers launch their offensives in stages and use different tools and techniques at each of these stages. To protect different areas of their network, it is useful for companies to know exactly which technique is being used and at which stage. And lastly, many of the indicators provided, such as IP addresses (the address of a machine on a network), may at times have been used for legitimate purposes. To be able to differentiate between what is actually part of the attack and what is not, it is necessary to know the exact time at which the infrastructure was used, by means of what are commonly referred to as timestamps.

All in all, companies are well-advised to take a close look at the indicators of compromise that the US Government has provided and to use them as much to detect potential current breaches as to prevent future ones. Investigative work means that one must be ready for false-positives and shouldn’t necessarily take the initial result at face value. But, again, sharing with the rest of the community the difficulties and outcomes of these investigations can only help to strengthen the overall state of cyber security.
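To make the point about timestamps and false positives concrete, here is an added example (not from the US government report or from PwC) that matches proxy log lines against shared IP indicators, but only treats a match as a confirmed hit when the event falls inside the indicator's stated validity window; matches outside that window are kept but flagged as stale, since the address may have been reused legitimately. The indicators, their stage labels and the log lines are all constructed and use RFC 5737 documentation addresses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    """One shared IP indicator plus the context the post asks for."""
    ip: str
    stage: str          # attack stage the infrastructure served (constructed label)
    technique: str      # technique observed at that stage (constructed label)
    first_seen: datetime
    last_seen: datetime


def ts(s: str) -> datetime:
    """Parse a UTC timestamp such as 2016-11-03T10:15:22Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed indicators; not taken from any real report.
INDICATORS = [
    Indicator("203.0.113.10", "delivery", "phishing e-mail link",
              ts("2016-10-01T00:00:00Z"), ts("2016-10-31T23:59:59Z")),
    Indicator("198.51.100.23", "command-and-control", "HTTP beacon",
              ts("2016-11-01T00:00:00Z"), ts("2016-12-15T23:59:59Z")),
]

# Constructed proxy log lines: "<timestamp> src=<ip> dst=<ip> url=<path>".
SAMPLE_LOG = """\
2016-11-03T10:15:22Z src=10.0.0.5 dst=198.51.100.23 url=/update.php
2017-02-10T08:01:00Z src=10.0.0.9 dst=198.51.100.23 url=/index.html
2016-10-12T14:30:00Z src=10.0.0.7 dst=203.0.113.10 url=/invoice.doc
2016-11-03T10:16:00Z src=10.0.0.5 dst=192.0.2.44 url=/news
"""


def parse_line(line: str) -> dict:
    when, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["when"] = ts(when)
    return rec


def match_events(log_text: str, indicators=INDICATORS, slack=timedelta(days=7)) -> list:
    """Report every destination that matches an indicator, with a time-aware verdict.

    'in_window' means the event lies within [first_seen - slack, last_seen + slack];
    'stale' means the IP matched but outside the period the indicator was active.
    """
    by_ip = {i.ip: i for i in indicators}
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        ind = by_ip.get(rec["dst"])
        if ind is None:
            continue
        in_window = ind.first_seen - slack <= rec["when"] <= ind.last_seen + slack
        results.append({"when": rec["when"], "src": rec["src"], "ip": ind.ip,
                        "stage": ind.stage, "technique": ind.technique,
                        "verdict": "in_window" if in_window else "stale"})
    return results
```

Running `match_events(SAMPLE_LOG)` yields three matches, of which the 2017 connection to the command-and-control address is flagged stale rather than reported as a current breach.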

The aforementioned report and indicators are available here.


EU-GDPR: Are you ready?

Stricter EU data protection rules adopted

  • In May 2016, the General Data Protection Regulation (GDPR) entered into force. This new regulatory framework harmonises data protection laws across the 28 European Union (EU) member states and replaces the former EU Data Protection Directive.
  • The GDPR will apply directly from May 2018. There are many new and significantly enhanced requirements that need action before the deadline.
  • As a multi-disciplinary practice, we are uniquely placed to help our clients adjust to the new environment. Our Data Protection team comprises lawyers, consultants, auditors, risk specialists, forensics experts and strategists. Our team is truly global and has on-the-ground expertise in all the major EU economies.

Are Swiss companies impacted?

  • The GDPR is much wider in its scope than the previous EU Data Protection Directive, which means that the new law applies directly to more organisations. Any organisation that is active in Europe will need to comply with the GDPR. This includes organisations with no business facilities in the EU that target goods and services at people in the EU or monitor people there. For example, a Swiss retailer that has no business facilities in the EU but markets its products to customers based in the EU will need to comply with the GDPR.

Are you ready? Take our GDPR Readiness Assessment


SMEs – Digital Champions?

Most SMEs are focusing on the digitisation of their internal processes. The change is largely driven by individuals. Digital champions are making this transformation a priority of senior management. They are bold and they are adapting their entire business strategy to the digital age. These are the results of a study by PwC Switzerland, Google Switzerland GmbH and «digitalswitzerland».

The level of digitisation at Swiss SMEs varies. The bigger the company and the younger the senior management, the more a company has done to embrace the digital age. It also depends on the industry: companies in the telecommunications and media sectors are – not surprisingly – leaders in the area of digitisation. 80 percent of the study respondents expect that the market will undergo a fundamental change in the next five years due to digitisation. These are the results of the survey of 300 Swiss SMEs.

Digital, but not everywhere
The companies that took part in the study are focusing on the digitisation of internal processes as well as on websites and e-commerce solutions. Clients and their experience are seldom the point of focus. Only 42 percent of the SMEs surveyed include clients in their business processes. Companies that have embraced the digital transition believe that the financial commitment was worth it.

Prioritise digitisation in senior management
“The success stories coming out of Swiss companies show that digitisation fundamentally changes a company. It’s a topic that should be on the agenda of the managing director, CEO and members of the board,” said Patrick Warnking, Country Director of Google Switzerland. “Human resources are a major factor in the success of digitisation. You need people who can make your plan come alive every day,” added Holger Greif, Leader Digital Transformation at PwC Switzerland.

A plan for champions
Based on findings from the study, Norbert Kühnis, Leader Family Businesses and SMEs, PwC Switzerland, recommends that business leaders be bold and take a careful look at their market: “It often takes a courageous decision for a successful major step. I recommend that Swiss SMEs observe the market and look at digital possibilities as opportunities. A champion uses digitisation to expand their relationship with clients and to doggedly go after client needs.”
