2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
-
Upload
raleigh-issa -
Category
Technology
-
view
183 -
download
2
description
Transcript of 2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
Copyright 2010. All Rights Reserved. 1May 18, 2010
Seven THINGS YOUR ITDEPARTMENT IS DOING TO ENABLECYBERCRIME
Daniel J. Molina, CISSPField Marketing, AmericasTuesday, May 18, 2010
Copyright 2010. All Rights Reserved. 2May 18, 2010
Information Security… The Tale of SisyphusPatch
Upgrade
NewVersion
FirewallRulebase
IDSSignatures
Virus
Regulation
Worm
Copyright 2010. All Rights Reserved. 3May 18, 2010
Copyright 2010. All Rights Reserved. 4May 18, 2010
The Past…
Copyright 2010. All Rights Reserved. 5May 18, 2010
The Future…
Subversive Multi-Vector Threats GovernmentSponsorship
Copyright 2010. All Rights Reserved. 6May 18, 2010
Kaspersky’s Global Perception
5/18/20106Copyright 2010. All Rights Reserved.
3,200,000
2,800,000
2,400,000
2,000,000
1,600,000
1,200,000
800,000
400,000
01998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
30,00030,000
3,500+3,500+
1,1151,115
3,312,6823,312,682
New threats per day
New signatures per day
Mobile Malware Signaturesas of December 2009
Total as of December 2009
The Growing Malware Threat
Copyright 2010. All Rights Reserved. 7May 18, 2010
Breaching the Most Secure
Copyright 2010. All Rights Reserved. 8May 18, 2010
Your Business is a Target
Cyber criminals have stolen at leastfrom small to mid-
sized companies across America in asophisticated but increasingly common formof online banking fraud…
— Brian Krebs, Washington Post, 26 October 2009
$100 million
Copyright 2010. All Rights Reserved. 9May 18, 2010
Your Business is a Target
The City of Norfolk, Virginia is reeling from amassive computer meltdown…an unidentified family of malicious codedestroyed data on nearlycitywide.
— krebsonsecurity.com, February, 2010
800 computers
Copyright 2010. All Rights Reserved. 10May 18, 2010
Your Business is a Target
Hillary Machinery lostin fraudulent transfers to cyber-thievesfrom their account at Plains Capital Bank.The bank is now suing Hillary Machinery!
$801,495
— forbes.com, February, 2010
Copyright 2010. All Rights Reserved. 11May 18, 2010
The Sad RealityIT Spend Is Not What It Should Be
Minimal Increase In ITSecurity Software
Spending with LittleThought to Likelihood
Exponential Growth inMalware and Attacks
at the Endpoint
Malware growth IT spend
Copyright 2010. All Rights Reserved. 12May 18, 2010
Seven Things IT Is Doing toEnable Cyber-crime
Copyright 2010. All Rights Reserved. 13May 18, 2010
Seven Things IT is Doing to Enable Cybercrime
1. Allow the Assumption That Data is in the Data Center2.3.4.5.6.7.
Copyright 2010. All Rights Reserved. 14May 18, 2010
Allow the Assumption that Data is in the Data Center
The fleet of smart phones you have deployed to your sales staff enablesthem to be more productive, and to work around the clock, but italso jeopardizes your data.
With the proliferation of laptops, mobile devices, and USB memory sticks,it is now likely that the majority of your data is no longer under the custody of your ITdepartment.
Consider how many copies of emails, PowerPoint presentations, business plans, andother intellectual property are now on devices that are not in your data center.
Copyright 2010. All Rights Reserved. 15May 18, 2010
The Cost of…
The Ponemon Institute states that each customer record lost is worth $179. If youlook at total cost of loss, you can easily get to the point where you lose yourbusiness 3-4 times a day, based on risk analytics!
Any risk model which ignores the lifeblood of your business, grosslyunderestimates your exposure.
Any risk model that ignores reality, is worthless.
Copyright 2010. All Rights Reserved. 16May 18, 2010
1. Allow the Assumption That Data is in the Data Center2. Treating Mobile Devices Based on the Value of the Physical Asset, not
the Data on the Physical Device3.4.5.6.7.
Seven Things IT is Doing to Enable Cybercrime
Copyright 2010. All Rights Reserved. 17May 18, 2010
Treating Mobile Devices Based on the Value of thePhysical Asset, not the Data on the Physical Device
Many IT departments make the sad mistake of considering replacement value forIT assets when developing risk models (if they have them)
•What about all the late nights working on those business plans, boardpresentations, and patents?•The intellectual property on your laptop is worth much morethan the physical device.
Copyright 2010. All Rights Reserved. 18May 18, 2010
The Cost of…
Example –
What if a Coke bottle is only worth the CRV (recycling value)?
What about the contents?
Copyright 2010. All Rights Reserved. 19May 18, 2010
1. Allow the Assumption That Data is in the Data Center2. Treating Mobile Devices Based on the Value of the Physical Asset, not
the Data on the Physical Device3. Treating Mobile Devices as Desktops4.5.6.7.
Seven Things IT is Doing to Enable Cybercrime
Copyright 2010. All Rights Reserved. 20May 18, 2010
Treating Mobile Devices as Desktops
About those Smartphones,
Have you considered that they are as powerfulas your desktops of 5 years ago?
Now let’s consider laptops, USB devices, etc…
Can you really afford to have a myopic IT departmentcreate a single policy for internal assets as well as for mobile assets?
Whether it is laptops or smart phones, sometimes different rules should applywhen you change locations.
Copyright 2010. All Rights Reserved. 21May 18, 2010
The Cost of…
The days of the M&M Model of Perimeter Defense are behind us.
Your approach to security needs to keep up.
Copyright 2010. All Rights Reserved. 22May 18, 2010
"Endpoint . . . solutions arenow a PRIMARY line ofdefense . . .”
Charles KolodgyResearch Director
IDC Security Products Program
The Endpoint Is The Target• Malware On The Desktop Is The Goal
Internet Video
Personal Websites
Business Websites
Social Media
Copyright 2010. All Rights Reserved. 23May 18, 2010
1. Allow the Assumption That Data is in the Data Center2. Treating Mobile Devices based on the Value of the Physical Asset, not
the Data on the Physical Device3. Treating Mobile Devices as Desktops4. Adoption of Social Media Without Proper Protection5.6.7.
Seven Things IT is Doing to Enable Cybercrime
Copyright 2010. All Rights Reserved. 24May 18, 2010
Adoption of Social Media without proper protection.
Web 2.0 has brought user interaction to a whole different level.
Facebook, Twitter, and other social network platforms allow for collaboration,interaction and exchanges of ideas on a many-to-many.
However, aside from being a potential drain on corporate resources, they alsojeopardize the integrity of your data, encourage employees to post potentiallysensitive data without thinking, and empower a new wave of identity theft basedon abuse of trust.
Copyright 2010. All Rights Reserved. 25May 18, 2010
Web 2.0: Bright, Shiny… & Vulnerable
Copyright 2010. All Rights Reserved. 26May 18, 2010
The Cost of…
Outside of your marketing department, and PR…
WHY are employees on social networks during the day?
Facebook is•Email without the controls…•450 million strong…•and zero culture.
They are viruses with legs!
Copyright 2010. All Rights Reserved. 27May 18, 2010
1. Allow the Assumption That Data is in the Data Center2. Treating Mobile Devices based on the Value of the Physical Asset, not
the Data on the Physical Device3. Treating Mobile Devices as Desktops4. Adoption of Social Media Without Proper Protection5. Allowing Apple & Google to Become Your IT / QA Department6.7.
Seven Things IT is Doing to Enable Cybercrime
Copyright 2010. All Rights Reserved. 28May 18, 2010
Allowing Apples and Google to become your IT / QADepartment.
With the evolution of our work platforms, we rely more andmore every day on web based applications, PDFs, andother cloud-based applications
What that means, in reality, is that the QA of your workingplatforms is in the hands of Google, Adobe, Apple, andMicrosoft.
A breach in the foundation of these platforms means abreach in your business processes.
Copyright 2010. All Rights Reserved. 29May 18, 2010
Adobe takes the lead…
Copyright 2010. All Rights Reserved. 30May 18, 2010
The Cost of…
Intel recently had to mention on their SEC filings that theywere part of the 34 companies impacted by OperationAurora.
How is THAT for security as a board level issue?
And if you are considering cloud based services, orSaaS solutions, ensure that the infrastructure is secureand robust.
Copyright 2010. All Rights Reserved. 31May 18, 2010
1. Allow the Assumption That Data is in the Data Center2. Treating Mobile Devices based on the Value of the Physical Asset, not
the Data on the Physical Device3. Treating Mobile Devices as Desktops4. Adoption of Social Media Without Proper Protection5. Allowing Apple & Google to Become Your IT / QA Department6. Focusing on Protection rather than Detection7.
Seven Things IT is Doing to Enable Cybercrime
Copyright 2010. All Rights Reserved. 32May 18, 2010
Focusing on Protection rather than Detection
Who would you rather fight?Stevie Wonder vs. Mohammed Ali
Can’t fight what you can’t see…
Or Is Protection just slightly more important than Detection?
Copyright 2010. All Rights Reserved. 33May 18, 2010
ResponseDetectionPrevention
Lessons From Home Security
• 95% of respondents listed the 12items below
• 95% thought that Prevention waskey
• IT Security spending follows thesame mindset
Where Do You Focus Your Security Investment?
Alarm Motion detectorMonitoring Crime watch
Doors LocksWindows Fence
Dog GunPolice Insurance
How They Break In:
34%
Source: “Data @ Risk” by David H. Stelzl
9%
23%4%
22%2%
Copyright 2010. All Rights Reserved. 34May 18, 2010
“We’ve got itcovered.”
Measuring The RiskWhat Is The Likelihood Of An Attack?
Likelihooddecreases withDetection and
Response
“We had no idea thismalware wasgetting through.”
Impact of Risk HighLow
Low
High
Pro
babi
lity
ofO
ccur
renc
e
Copyright 2010. All Rights Reserved. 35May 18, 2010
The Cost…
Only a comprehensive system allows you to take appropriate action,not merely monitor or inform.
However, we need to put the decisions in the hands of thebusiness process owner, instead of leaving it with IT.
Copyright 2010. All Rights Reserved. 36May 18, 2010
1. Allow the Assumption that Data is in the Data Center2. Treating mobile devices based on the value of the physical asset, not
the data on the physical device3. Treating mobile devices as Desktops4. Adoption of Social Media without proper protection5. Allowing Apple and Google to become your IT / QA Department6. Focusing on Protection rather than Detection7. Assuming everything is OK
Seven Things IT is Doing to Enable Cybercrime
Copyright 2010. All Rights Reserved. 37May 18, 2010
Assuming everything is OK
How many times have you heard your IT team say “We’re covered… We arecompliant”, only to have your expensive external audit firm come in and deliver ascathing report that enumerates thousands of missed items, erroneousconfigurations, and process violations?
Copyright 2010. All Rights Reserved. 38May 18, 2010
The Cost of…
Frankly, what your IT department is losing is credibility…
With you, the business owners.
But keep in mind…
You still must fund the lighthouse!
Copyright 2010. All Rights Reserved. 39May 18, 2010
Michael TysonPhilosopher and Pugilist
In Summary…
“Everyone Has a Plan… Until They Get Hit”
Copyright 2010. All Rights Reserved. 40May 18, 2010
Copyright 2010. All Rights Reserved. 41May 18, 2010
Kaspersky® Technology Inside
• Powers over 130 of the biggest names in security
Copyright 2010. All Rights Reserved. 42May 18, 2010
Layered End-to-End Protection
Copyright 2010. All Rights Reserved. 43May 18, 2010
Rated the Best in Detection
Copyright 2010. All Rights Reserved. 44May 18, 2010
The Kaspersky Advantage
Copyright 2010. All Rights Reserved. 45May 18, 2010
Copyright 2010. All Rights Reserved. 46May 18, 2010
Copyright 2010. All Rights Reserved. 47May 18, 2010
Copyright 2010. All Rights Reserved. 48May 18, 2010
Daniel J. Molina, CISSPField Marketing, [email protected]