2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target


Description: 2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target, by Daniel J. Molina, Kaspersky

Transcript of 2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target

Page 1: 2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target

Copyright 2010. All Rights Reserved. May 18, 2010

Seven Things Your IT Department Is Doing to Enable Cybercrime

Daniel J. Molina, CISSP, Field Marketing, Americas. Tuesday, May 18, 2010

Page 2:

Information Security… The Tale of Sisyphus

(Slide graphic: the boulder is labeled Patch, Upgrade, New Version, Firewall Rulebase, IDS Signatures, Virus, Regulation, Worm)

Page 3:

Page 4:

The Past…

Page 5:

The Future…

Subversive Multi-Vector Threats, Government Sponsorship

Page 6:

Kaspersky's Global Perception: The Growing Malware Threat

(Chart: signature database growth by year, 1998 to 2009, scale 0 to 3,200,000)
• 30,000 new threats per day
• 3,500+ new signatures per day
• 1,115 mobile malware signatures as of December 2009
• 3,312,682 total as of December 2009

Page 7:

Breaching the Most Secure

Page 8:

Your Business is a Target

"Cyber criminals have stolen at least $100 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud…"

— Brian Krebs, Washington Post, 26 October 2009

Page 9:

Your Business is a Target

"The City of Norfolk, Virginia is reeling from a massive computer meltdown… an unidentified family of malicious code destroyed data on nearly 800 computers citywide."

— krebsonsecurity.com, February, 2010

Page 10:

Your Business is a Target

Hillary Machinery lost $801,495 in fraudulent transfers to cyber-thieves from their account at Plains Capital Bank. The bank is now suing Hillary Machinery!

— forbes.com, February, 2010

Page 11:

The Sad Reality: IT Spend Is Not What It Should Be

(Chart: malware growth plotted against IT spend)
• Minimal Increase in IT Security Software Spending, with Little Thought to Likelihood
• Exponential Growth in Malware and Attacks at the Endpoint

Page 12:

Seven Things IT Is Doing to Enable Cyber-crime

Page 13:

Seven Things IT is Doing to Enable Cybercrime

1. Allow the Assumption That Data is in the Data Center

Page 14:

Allow the Assumption that Data is in the Data Center

The fleet of smart phones you have deployed to your sales staff enables them to be more productive, and to work around the clock, but it also jeopardizes your data.

With the proliferation of laptops, mobile devices, and USB memory sticks, it is now likely that the majority of your data is no longer under the custody of your IT department.

Consider how many copies of emails, PowerPoint presentations, business plans, and other intellectual property are now on devices that are not in your data center.

Page 15:

The Cost of…

The Ponemon Institute states that each customer record lost is worth $179. If you look at total cost of loss, you can easily get to the point where you lose your business 3-4 times a day, based on risk analytics!

Any risk model which ignores the lifeblood of your business grossly underestimates your exposure.

Any risk model that ignores reality is worthless.

Page 16:

Seven Things IT is Doing to Enable Cybercrime

1. Allow the Assumption That Data is in the Data Center
2. Treating Mobile Devices Based on the Value of the Physical Asset, not the Data on the Physical Device

Page 17:

Treating Mobile Devices Based on the Value of the Physical Asset, not the Data on the Physical Device

Many IT departments make the sad mistake of considering replacement value for IT assets when developing risk models (if they have them).

• What about all the late nights working on those business plans, board presentations, and patents?
• The intellectual property on your laptop is worth much more than the physical device.

Page 18:

The Cost of…

Example –

What if a Coke bottle is only worth the CRV (recycling value)?

What about the contents?

Page 19:

Seven Things IT is Doing to Enable Cybercrime

1. Allow the Assumption That Data is in the Data Center
2. Treating Mobile Devices Based on the Value of the Physical Asset, not the Data on the Physical Device
3. Treating Mobile Devices as Desktops

Page 20:

Treating Mobile Devices as Desktops

About those Smartphones,

Have you considered that they are as powerful as your desktops of 5 years ago?

Now let's consider laptops, USB devices, etc…

Can you really afford to have a myopic IT department create a single policy for internal assets as well as for mobile assets?

Whether it is laptops or smart phones, sometimes different rules should apply when you change locations.

Page 21:

The Cost of…

The days of the M&M Model of Perimeter Defense are behind us.

Your approach to security needs to keep up.

Page 22:

"Endpoint . . . solutions are now a PRIMARY line of defense . . ."

— Charles Kolodgy, Research Director, IDC Security Products Program

The Endpoint Is The Target
• Malware On The Desktop Is The Goal

(Slide graphic: attack vectors into the endpoint are Email, Internet Video, Personal Websites, Business Websites, Social Media)

Page 23:

Seven Things IT is Doing to Enable Cybercrime

1. Allow the Assumption That Data is in the Data Center
2. Treating Mobile Devices Based on the Value of the Physical Asset, not the Data on the Physical Device
3. Treating Mobile Devices as Desktops
4. Adoption of Social Media Without Proper Protection

Page 24:

Adoption of Social Media without Proper Protection

Web 2.0 has brought user interaction to a whole different level.

Facebook, Twitter, and other social network platforms allow for collaboration, interaction and exchanges of ideas on a many-to-many basis.

However, aside from being a potential drain on corporate resources, they also jeopardize the integrity of your data, encourage employees to post potentially sensitive data without thinking, and empower a new wave of identity theft based on abuse of trust.

Page 25:

Web 2.0: Bright, Shiny… & Vulnerable

Page 26:

The Cost of…

Outside of your marketing department, and PR…

WHY are employees on social networks during the day?

Facebook is
• Email without the controls…
• 450 million strong…
• and zero culture.

They are viruses with legs!

Page 27:

Seven Things IT is Doing to Enable Cybercrime

1. Allow the Assumption That Data is in the Data Center
2. Treating Mobile Devices Based on the Value of the Physical Asset, not the Data on the Physical Device
3. Treating Mobile Devices as Desktops
4. Adoption of Social Media Without Proper Protection
5. Allowing Apple & Google to Become Your IT / QA Department

Page 28:

Allowing Apple and Google to Become Your IT / QA Department

With the evolution of our work platforms, we rely more and more every day on web based applications, PDFs, and other cloud-based applications.

What that means, in reality, is that the QA of your working platforms is in the hands of Google, Adobe, Apple, and Microsoft.

A breach in the foundation of these platforms means a breach in your business processes.

Page 29:

Adobe takes the lead…

Page 30:

The Cost of…

Intel recently had to mention on their SEC filings that they were part of the 34 companies impacted by Operation Aurora.

How is THAT for security as a board level issue?

And if you are considering cloud based services, or SaaS solutions, ensure that the infrastructure is secure and robust.

Page 31:

Seven Things IT is Doing to Enable Cybercrime

1. Allow the Assumption That Data is in the Data Center
2. Treating Mobile Devices Based on the Value of the Physical Asset, not the Data on the Physical Device
3. Treating Mobile Devices as Desktops
4. Adoption of Social Media Without Proper Protection
5. Allowing Apple & Google to Become Your IT / QA Department
6. Focusing on Protection rather than Detection

Page 32:

Focusing on Protection rather than Detection

Who would you rather fight? Stevie Wonder vs. Muhammad Ali

Can't fight what you can't see…

Or is Protection just slightly more important than Detection?

Page 33:

Lessons From Home Security

(Slide graphic: the three layers Prevention, Detection, Response)

• 95% of respondents listed the 12 items below
• 95% thought that Prevention was key
• IT Security spending follows the same mindset

Where Do You Focus Your Security Investment?
Alarm, Motion detector, Monitoring, Crime watch, Doors, Locks, Windows, Fence, Dog, Gun, Police, Insurance

How They Break In: (chart of entry points by percentage)

Source: "Data @ Risk" by David H. Stelzl

Page 34:

Measuring The Risk: What Is The Likelihood Of An Attack?

(Risk matrix: Probability of Occurrence, Low to High, against Impact of Risk, Low to High)
• Likelihood decreases with Detection and Response
• "We've got it covered."
• "We had no idea this malware was getting through."

Page 35:

The Cost…

Only a comprehensive system allows you to take appropriate action, not merely monitor or inform.

However, we need to put the decisions in the hands of the business process owner, instead of leaving it with IT.

Page 36:

Seven Things IT is Doing to Enable Cybercrime

1. Allow the Assumption That Data is in the Data Center
2. Treating Mobile Devices Based on the Value of the Physical Asset, not the Data on the Physical Device
3. Treating Mobile Devices as Desktops
4. Adoption of Social Media Without Proper Protection
5. Allowing Apple and Google to Become Your IT / QA Department
6. Focusing on Protection rather than Detection
7. Assuming Everything is OK

Page 37:

Assuming Everything is OK

How many times have you heard your IT team say "We're covered… We are compliant", only to have your expensive external audit firm come in and deliver a scathing report that enumerates thousands of missed items, erroneous configurations, and process violations?

Page 38:

The Cost of…

Frankly, what your IT department is losing is credibility…

With you, the business owners.

But keep in mind…

You still must fund the lighthouse!

Page 39:

In Summary…

"Everyone Has a Plan… Until They Get Hit"

— Michael Tyson, Philosopher and Pugilist

Page 40:

Page 41:

Kaspersky® Technology Inside

• Powers over 130 of the biggest names in security

Page 42:

Layered End-to-End Protection

Page 43:

Rated the Best in Detection

Page 44:

The Kaspersky Advantage

Page 45:

Page 46:

Page 47:

Page 48:

Daniel J. Molina, CISSP, Field Marketing, [email protected]