Cybersecurity Strategy and Governance
Failure stories
CP3415 Cybersecurity Strategy and Governance
Modules & SLOs of CP3415

Subject Learning Outcomes
• SLO1: Define and implement Cybersecurity models and strategies to support different business needs and requirements
• SLO2: Analyse and design frameworks to handle risk-based information security and service-continuity
• SLO3: Compare different widely used international standards (e.g. ISO 27001, PCI-DSS, NIST CSF etc.) and understand strengths and weaknesses of each
• SLO4: Analyse and design different approaches to continuously monitor assets and performance in a typical business setting

Roadmap topics (from the module diagram): Introduction; Governance globally and nationally; Corporate governance; Strategic management; Risk; Success/fail stories; Definitions; Frameworks and standards; Risk-based approaches; NIST approaches; Success stories; Importance of strategy & governance; Survey across sectors; Service continuity; SEC, ICANN & ITU intervention; Relationship to risk management; CP2424 course; Certificate Authorities; Lessons learned
Each lecture will highlight the aspects of the roadmap, as well as the Subject Learning Outcomes (SLOs), that it covers.
Survey
Learning by (bad) example
In this lecture
• We analyse four examples of governance failures, looking at:
  • What happened?
  • What were the consequences?
  • What went wrong with strategy/governance?
  • What have we learned on CP3415 that could have been applied to each example?
• The four examples: Yahoo data leak; SolarWinds hack; Equifax breach; OCBC phishing
Remember Lecture 1?
Bloomberg Quicktake, “The SEC is Reportedly Investigating Yahoo Hacks”, 2017. Via YouTube.
The video is from a news broadcast about the SEC investigating Yahoo.
• What was Yahoo accused of doing wrong?
• Why does the SEC care?
What happened?
Yahoo! suffered multiple data breaches
• Over 1bn user accounts affected in multiple breaches in 2013 and 2014
Company seeking acquisition by Verizon
• A deal worth over $4bn
• Negotiations announced in July 2016, closing in March 2017
Breaches went unnoticed, or undeclared, for a long time
• September 2016: The 2014 breach was declared by Yahoo!
• December 2016: The 2013 breach was acknowledged
• October 2017: Yahoo! revealed that all 3 billion user accounts had been impacted
Discount?
• The deal with Verizon went ahead, but for $350m less than originally planned. Some assets (never planned to be acquired by Verizon) were acquired by Alibaba into Altaba.
Consequences
Political backlash
• US senators found Yahoo!’s delayed announcements unacceptable
• Opined that the company’s cybersecurity defences were very weak
SEC investigation
• To determine if Yahoo! tried to withhold the information to protect the value of the Verizon deal
Ruling
• SEC ruled that Yahoo!, now named Altaba, failed to disclose the breaches in a timely manner.
• Fined $35 million

Yahoo neither admitted nor denied the findings in the SEC's order, which requires the company to cease and desist from further violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15.

SEC, “Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million”, April 2018. Press release, online: https://www.sec.gov/news/press-release/2018-71
Reminder: Company obligations
• 10-Q: Quarterly financial reporting
• 10-K: Annual financials; more detailed
• 8-K: Substantial developments; filed at any time. Most likely to contain cybersecurity related matters (but any of the three could).

• From lecture 4: Three financial reports that public companies are required to file.
• Yahoo missed several scheduled 10-{Q,K} opportunities to report as well as an 8-K at any time…
What went wrong
• The SEC findings summarise this for us: https://www.sec.gov/news/press-release/2018-71
  • Although information relating to the breach was reported to senior management […] Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors
  • […] within days of the December 2014 intrusion, Yahoo’s information security team learned that Russian hackers had stolen what the security team referred to internally as the company’s “crown jewels”
  • Yahoo’s failure […] ended up leaving its investors totally in the dark about a massive data breach.
  • Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations
  • Yahoo filed several quarterly and annual reports […] failed to disclose the breach
  • Yahoo failed to maintain disclosure controls […] to ensure that reports from Yahoo’s information security team […] were properly and timely assessed for potential disclosure.
Yahoo! vs SEC
Two perspectives
From an investor & regulator perspective:
• What did Yahoo! do wrong?
• How did this put investors at risk?
From a Yahoo! user perspective:
• What did Yahoo! do wrong?
• How did this put users at risk?
SolarWinds
Massive attack
What’s SolarWinds?
Article:
• Willett, M. (2021). Lessons of the SolarWinds Hack. Survival (London), 63(2), 7–26. https://doi.org/10.1080/00396338.2021.1906001
• Used throughout this section, plus other references as indicated within
SolarWinds software
• “monitor and manage IT networks, including by aggregating, analysing and visualising large amounts of data”
Customers
• Tech companies (Microsoft, NVIDIA, Intel, Cisco)
• Cybersecurity companies (FireEye)
• US Government agencies (Treasury, Justice)
The attack
Source: Microsoft 365 Defender Research Team. (2020). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
“The attackers inserted malicious code into SolarWinds.Orion.Core.BusinessLayer.dll, a code library belonging to the SolarWinds Orion Platform.”
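The defensive counterpart to a tampered library is an integrity check on what a customer actually received. The script below is an added example written for these notes; it is not code from the slides, from Microsoft or from SolarWinds. It records a SHA-256 hash for every artifact in a release, seals that list with an HMAC so the list itself cannot be quietly rewritten, and flags any file whose hash no longer matches. The file names and contents are constructed stand-ins (only the DLL name comes from the slide), and the HMAC key is a hypothetical placeholder for the asymmetric code-signing key a vendor would really use.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts standing in for a release's files. Only the
# first name is taken from the lecture; the bytes are made up for this example.
RELEASE_FILES = {
    "SolarWinds.Orion.Core.BusinessLayer.dll": b"MZ" + b"legit build output " * 8,
    "OrionPlatform.exe": b"MZ" + b"other legit component " * 8,
}

# Hypothetical manifest-signing key (assumption: a real release pipeline would
# use an asymmetric code-signing key held in an HSM, not a shared secret).
MANIFEST_KEY = b"example-release-manifest-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Record the hash of every artifact and seal the list with an HMAC, so an
    attacker who alters a file cannot simply rewrite its expected hash too."""
    entries = {name: sha256_hex(data) for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_release(files: dict, manifest: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means every artifact matches."""
    findings = []
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        # Stop here: nothing in an altered manifest can be trusted.
        findings.append("manifest MAC mismatch: manifest itself has been altered")
        return findings
    for name, expected_hash in manifest["entries"].items():
        if name not in files:
            findings.append(f"missing artifact: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), expected_hash):
            findings.append(f"hash mismatch: {name}")
    for name in files:
        if name not in manifest["entries"]:
            findings.append(f"unexpected artifact not in manifest: {name}")
    return findings


def tampered_release() -> dict:
    """Constructed scenario: one library has extra bytes appended after the
    manifest was sealed, modelling a modified build artifact."""
    files = dict(RELEASE_FILES)
    files["SolarWinds.Orion.Core.BusinessLayer.dll"] += b"<modified after signing>"
    return files


if __name__ == "__main__":
    manifest = build_manifest(RELEASE_FILES, MANIFEST_KEY)
    print("clean release:   ", verify_release(RELEASE_FILES, manifest, MANIFEST_KEY))
    print("tampered release:", verify_release(tampered_release(), manifest, MANIFEST_KEY))
```

The caveat that matters for the supply-chain lesson: a manifest can only be as trustworthy as the pipeline that produced it. If the modification happens before the manifest is built and sealed, the tampered file is recorded as the expected one and this check passes, which is why build-environment integrity and reproducible builds sit upstream of artifact verification.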
Discovery
FireEye got hacked
• They discovered their own hacking tools had been accessed
• Traced the intrusion back to SolarWinds
They analysed it
• Identified that many other companies were also affected
Months of revelations
• Initial discovery in Dec 2020
• US government released interim statement in Feb 2021, continuing investigations

“FireEye, a top US cyber-security company involved in many major investigations and responsible for publicly identifying the perpetrators of numerous attacks […] had been hacked […]. Its own ‘red-team’ tools – developed by FireEye to test client defences based on previously detected capabilities – had been accessed. FireEye further discovered that the vector used by the hackers was the IT company SolarWinds and that there were many other victims.”
Willett, M. (2021).
Consequences
The SEC, again
• “The SEC began investigating the SolarWinds breach in 2021, including whether some companies failed to disclose that they were affected by the breach and allegations of possible insider trading, according to The Washington Post.”
Tough first week on the job…
“The company’s retention rate was around 90% before the hack. It took a hit in the immediate aftermath but is now back to that level. All nine of the US government agencies hit by the attack are still clients as well.”
Supply chain
Have you heard of software supply chain security?
It might be thanks to the SolarWinds hack that more people are aware of this issue
SolarWinds quiz
Remember the IoT device supply chain… [IoTSF SAF 21, p. 52].
Could a similar supply chain attack be performed against IoT devices?
Equifax
The checkers got checked
Sources
Public perspective
• Novak, A. N., & Vilceanu, M. O. (2019). “The internet is not pleased”: Twitter and the 2017 Equifax data breach. The Communication Review (Yverdon, Switzerland), 22(3), 196–221. https://doi.org/10.1080/10714421.2019.1651595
Regulatory & governance perspective
• Peregrine, M. W. et al. (2019). “The Governance Implications of the Equifax and Facebook Settlements”. Harvard Law School Forum on Corporate Governance. https://corpgov.law.harvard.edu/2019/08/14/the-governance-implications-of-the-equifax-and-facebook-settlements/
What’s Equifax?
• A credit checking / reporting company
• Top three credit agency
• Want a loan or a card? They help the lender decide
• Especially in the US
• They maintain detailed financial information on hundreds of millions of people
• That information can be used for or against them
What happened
“up to 144.5 million US consumers, representing virtually every US resident over the age of 18, were exposed to the risk of identity theft, a risk they will face for the rest of their lives”
(┛◉Д◉)┛彡┻━┻
More detail
Timeline, based on Novak (2019):
• May / June 2017: Data stolen
• 29th July 2017: Breach discovered
• 7th Sept 2017: Breach disclosed; public apology video
• 18th Sept 2017: Refunds for some services; free 1yr credit monitoring
• 26th Sept 2017: CEO “retires” (gets retired?)
• 29th Sept 2017: Resume press conferences / statements
Equifax had roughly zero public / press engagement in this period aside from these three events
The settlement
Website
• Dedicated to the breach and settlement: https://www.equifaxsecurity2017.com/
Cost
• At least $575mil and up to $700mil relief for affected companies
Governance changes imposed on company and board:
• Designating an employee to oversee the Program;
• Conducting annual assessments of internal and external security risks and implementing safeguards to address potential risks;
• Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
• Testing and monitoring the effectiveness of the security safeguards; and
• Ensuring service providers with access to personal information stored by Equifax also implement adequate safeguards to protect such
Others should take note
• Per the opinion of Peregrine (2019), such enforcement action shouldn’t be seen as exceptional. Other companies that fail to govern cybersecurity properly could face similar repercussions in the event of a privacy breach.
Equifax quiz
Thoughts? Was the crisis handled well?
Phishing
Insufficient defenses
What happened?
• The news tells all:
The event(s)
Phishy SMS
• In December 2021, some OCBC customers received SMS messages, seemingly from OCBC, claiming problems with their accounts.
• The messages contained links to follow in order to help fix the problem.
Customers gave up passwords and OTPs
• Scammers were given access to victims’ accounts in what appears to have been a real-time phishing attack
• The victims may not have realised they were phished
Money goes missing
• Account transfer limits were raised by the attackers and sums of money transferred out of accounts
• Some victims lost hundreds of thousands of dollars from their accounts
Consequences
Bad press
• Customers slamming OCBC online and in the media
• A lot of articles discussing the issues
• This happened around Christmas, increasing public sympathy for victims
Refunding customers
• Bank gave “goodwill” payouts to victims, eventually
• Created a potential precedent, impacting itself, other banks, and the regulator.
Regulatory scrutiny
• The bank was potentially subject to supervisory action
• Triggered new recommendations for account security measures, with more to follow
Failures: Old tech
SMS is ancient and insecure
• Authenticity of a message is almost impossible to prove
• Sender number or ID can easily be spoofed
Cautious customers could still be duped
• Prevailing messaging regarding scams was not to trust “+65” numbers
  • SG local numbers wouldn’t normally need to include the IDD prefix, so may be overseas scammers
• But the spoofed ID meant the messages appeared in the victim’s message thread for OCBC
• If the victim trusts the apparent sender, and doesn’t check the validity of the link, they’ll open the phishing site.
Failures: Token registration
Token confusion
• Bank supported physical and mobile (app) tokens for OTP
Phish then register
• Victims’ accounts had a new mobile token registered, authorised by their physical token, which was phished
Account control lost
• With attackers in possession of a mobile token generator, they could then perform privileged operations like account limit changes for high value transfers
Failures: Controls
Too easy to change
• Transfer limit changes took effect immediately
• Attackers could start siphoning money very quickly
• OTP allowed too many things to happen
Unusual behaviour?
• Limit changes and transfers were not identified as suspicious
• No hold was placed on the transactions and no attempt to seek additional verification of account integrity
Response time
• If victims became aware of the attack and tried to stop it, they struggled to get through to OCBC
• There was no “kill switch” or other emergency process at their disposal, that they were aware of

Another bank has special “transaction OTPs” that are only valid when paired with specific transaction details. Could / should this type of OTP be used more? Is it too complicated or obstructive?
Source: https://www.hsbc.com.sg/ways-to-bank/online/faq/ (not an endorsement)
Reflecting: Governance and strategy
• Phishing is not a problem unique to OCBC
• So, was OCBC an easy target, or just an unlucky one?
• It’s difficult to give a definitive answer to this (at the time of writing)
• Some experts believe other banks could also be attacked with similar ease
Monitoring risks and ensuring defence in depth
Defence in depth
• If any one defensive measure had worked better, the attacks may have failed
SMS OTP
• Security experts have highlighted vulnerabilities in SMS OTPs for years
• Some regions are already moving away from them
Cooling off
• MAS has required banks to delay the activation of mobile tokens to give time to notice an attack
Customer support
• Potential scam victims may benefit from dedicated response teams and processes
• Better behavioural monitoring may detect attacks
Kill switches
• Banks now have a “kill switch” that customers can use to lock their accounts if they are worried an attack is in progress.
• Could this become a Denial-of-Service vector?
• Customer awareness of scams remains important.
• Keeping up to date with new scam techniques is critical
• Should not assume that young/tech-savvy people are safe
• Cannot expect people to be perfect 100% of the time
• Must have adequate safety nets in place
• Even if the victims are arguably at fault, with enough victims, the banks will suffer negative press anyway…
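The controls raised on the “Failures: Controls” slide (transaction-bound OTPs, holds on limit changes, flagging unusual behaviour) and on this slide (cooling-off for new tokens, a customer kill switch) can be shown working together in a small model. The code below is an added example for these notes, not OCBC’s, MAS’s or any bank’s implementation. The HMAC-over-transaction-details OTP construction, the 12-hour cooling-off, the 24-hour hold on limit raises, the token secret and the account values are all assumptions chosen for illustration; the scenario replays the sequence the slides describe (new token registered, limit raised, large transfer attempted) and shows where each control stops it.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

# Constructed per-customer secret shared by the bank and the customer's token
# (hypothetical; a real bank provisions this during token enrolment).
TOKEN_SECRET = b"example-customer-token-secret"
# Assumed policy values, not figures from the lecture or from any bank.
COOLING_OFF_SECONDS = 12 * 3600        # a new token cannot authorise privileged actions yet
LIMIT_CHANGE_HOLD_SECONDS = 24 * 3600  # a raised transfer limit only applies after a hold


def transaction_otp(secret: bytes, payee: str, amount_cents: int, counter: int) -> str:
    """OTP bound to the transaction details (payee, amount, counter): a code
    captured for one transfer cannot authorise a different one."""
    msg = payee.encode() + struct.pack(">QQ", amount_cents, counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


@dataclass
class Account:
    balance_cents: int
    transfer_limit_cents: int
    tokens: dict = field(default_factory=dict)   # token_id -> registration time
    pending_limit: Optional[tuple] = None         # (new_limit_cents, effective_at)
    counter: int = 0                              # per-transaction OTP counter
    locked: bool = False                          # customer-operated "kill switch"
    audit: list = field(default_factory=list)     # events a fraud team would review

    def register_token(self, token_id: str, now: float) -> None:
        self.tokens[token_id] = now
        self.audit.append(f"token {token_id} registered at {now:.0f}; cooling off")

    def token_usable(self, token_id: str, now: float) -> bool:
        registered = self.tokens.get(token_id)
        return registered is not None and now - registered >= COOLING_OFF_SECONDS

    def effective_limit(self, now: float) -> int:
        # A held limit raise becomes effective only once its review window has passed.
        if self.pending_limit and now >= self.pending_limit[1]:
            self.transfer_limit_cents, self.pending_limit = self.pending_limit[0], None
        return self.transfer_limit_cents

    def request_limit_change(self, new_limit_cents: int, token_id: str, now: float) -> str:
        if self.locked:
            return "rejected: account locked"
        if not self.token_usable(token_id, now):
            return "rejected: token still in cooling-off period"
        if new_limit_cents <= self.transfer_limit_cents:
            self.transfer_limit_cents = new_limit_cents  # lowering takes effect at once
            return "applied: limit lowered"
        self.pending_limit = (new_limit_cents, now + LIMIT_CHANGE_HOLD_SECONDS)
        self.audit.append(f"limit raise to {new_limit_cents} held for review")
        return "held: limit raise pending review window"

    def transfer(self, payee: str, amount_cents: int, token_id: str, otp: str, now: float) -> str:
        if self.locked:
            return "rejected: account locked"
        if not self.token_usable(token_id, now):
            return "rejected: token still in cooling-off period"
        expected = transaction_otp(TOKEN_SECRET, payee, amount_cents, self.counter)
        if not hmac.compare_digest(expected, otp):
            return "rejected: OTP does not match this transaction"
        if amount_cents > self.effective_limit(now):
            return "rejected: exceeds transfer limit"
        self.counter += 1
        self.balance_cents -= amount_cents
        return "ok"

    def kill_switch(self) -> None:
        self.locked = True
        self.audit.append("kill switch: account locked by customer")


def scenario() -> dict:
    """Replay the sequence the slides describe against these controls: a freshly
    registered token tries to raise the limit and move money out immediately."""
    now = 1_700_000_000.0
    acct = Account(balance_cents=50_000_00, transfer_limit_cents=1_000_00)
    acct.register_token("physical-1", now - 365 * 86400)  # long-established token
    acct.register_token("mobile-new", now)                 # registered moments ago
    out = {}
    out["raise_with_new_token"] = acct.request_limit_change(20_000_00, "mobile-new", now)
    out["raise_with_old_token"] = acct.request_limit_change(20_000_00, "physical-1", now)
    # An OTP generated for a small transfer, replayed against a large one to another payee.
    small_otp = transaction_otp(TOKEN_SECRET, "payee-A", 500_00, acct.counter)
    out["replayed_otp"] = acct.transfer("payee-B", 15_000_00, "physical-1", small_otp, now)
    out["small_transfer"] = acct.transfer("payee-A", 500_00, "physical-1", small_otp, now)
    # The raise is still on hold an hour later, so a large transfer stays over the limit.
    big_otp = transaction_otp(TOKEN_SECRET, "payee-B", 15_000_00, acct.counter)
    out["large_during_hold"] = acct.transfer("payee-B", 15_000_00, "physical-1", big_otp, now + 3600)
    acct.kill_switch()
    out["after_kill_switch"] = acct.transfer("payee-B", 15_000_00, "physical-1", big_otp, now + 3600)
    out["balance_cents"] = acct.balance_cents
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

Each rejection in the scenario corresponds to one slide point: the new token is blocked by the cooling-off period, the replayed code fails because the OTP is bound to payee and amount, the raised limit sits in a hold instead of applying immediately, and the kill switch stops everything afterwards. The audit list is where a behavioural-monitoring process would pick up the “new token, then limit raise, then large transfer” pattern even if one of the individual controls were absent.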
WWYD?
What governance and strategy changes would you recommend for a bank affected by this kind of crisis?
OCBC quiz
In 2023…
CNA stories:
- https://www.channelnewsasia.com/singapore/ocbc-app-new-security-feature-malware-anti-scam-permission-settings-3687336
- https://www.channelnewsasia.com/commentary/ocbc-malware-scam-block-banking-app-monitor-3703971
Reddit threads:
- https://www.reddit.com/r/singapore/comments/15klkhe/ocbc_app_attempting_to_police_your_phone_for_you/
- https://www.reddit.com/r/singapore/comments/15ovq98/ocbc_app_permission_sus/
AsiaOne story:
- https://www.asiaone.com/singapore/woman-looking-order-tingkat-meals-loses-over-20k-after-downloading-third-party-app
ST story:
- https://www.straitstimes.com/tech/at-least-2m-in-savings-prevented-from-being-stolen-in-malware-attacks-after-ocbc-app-security-update
Summary
• Risk is an ever-present part of business
• Cybersecurity risk is present in any IT system
• Managing risk is necessary
• Several approaches exist (three shown in this lecture)
• Always ensure business needs and IT risk are aligned
In the tutorial
Scatter{e}g{ulat}ories
Find high impact incidents
Claim the most impactful without somebody else claiming it
Next lecture…
Successes
Ending on a high