Industry Trends in Information Security
INDUSTRY TRENDS IN INFORMATION SECURITY
Gary Bahadur, CEO, KRAA Security
www.kraasecurity.com
What Are The Key Trends?
• Identity Theft
• Mobile security threats
• Web application weaknesses
• Insider threats
• Social networks
• Regulatory Compliance
• Data Loss Prevention
• Malware
Objectives of Security Threats
1. Information Capture
2. Destruction
3. Monetary
4. Competitive Advantage
5. Political Gain
6. Activism
Attacks aim to compromise:
7. Confidentiality
8. Integrity
9. Availability
Identity Theft
Weaknesses caused by:
• Lack of proper data handling procedures
• Weak data protection
• Inadvertent data loss
• Unencrypted data
Source: FTC
Identity Theft - Data Breaches That Could Lead To Identity Theft, By Sector
• Education, 24%
• Government, 20%
• Health care, 16%
• Financial, 14%
• Retail/wholesale, 6%
• Telecommunications, 3%
• Military, 3%
• Computer software, 2%
• Biotech/pharmaceutical, 2%
• Transportation, 2%
• Insurance, 1%
• Computer hardware, 1%
• Other, 4%
Source: Attrition.org
Mobile Security
Weaknesses caused by:
• Theft of device
• Unencrypted data on devices
• No management of devices
• Unsecure mobile applications
• No socialization of security on mobiles
• Spyware and attachments compromise mobiles
Chart: Most Risky Mobile Devices – Ponemon Institute
Web Applications
Weaknesses caused by:
• Poor coding
• Not testing enough
• No protection mechanism on the website
• No Security Development Lifecycle model
• Un-patched servers
Chart: Vulnerability by Industry – Source: WhiteHat
Insider Threats
Weaknesses caused by:
• Weak internal controls
• Unvetted employees
• Disgruntled employees with excessive access
• Inadvertent weaknesses introduced
Chart: Losses due to insiders – Source: CSI
Social Networking
Weaknesses caused by:
• Very un-educated users
• Insecure social networking applications
• Ease of development of social applications
Regulatory
Weaknesses caused by:
• Inability to manage against requirements
• No consistent assessment process
• Unable to keep up with new changes
• No accountability for measurements
Source: E&Y
Data Loss Prevention
Weaknesses caused by:
• Insecure internal data storage
• Lost data through backup process
• Application vulnerabilities
• Excessive user permissions
• No tracking, monitoring, or blocking of data movement
Chart: Organizations Attacked Most Often – Source: Breach Security
Malware
Weaknesses caused by:
• Weakly protected systems
• Email and web surfing
• External device connections
• Uneducated users
Source: McAfee
Malware
2008 CSI Computer Crime and Security Survey
• Average reported cost of a breach was close to $500,000 (for those who experienced financial fraud).
• The second-most expensive category was dealing with “bot” computers within the organization’s network, at $350,000 per respondent.
• Virus incidents were the most frequently occurring, reported by almost half (49 percent) of respondents.
• Insider abuse of networks was the second-most frequent, at 44 percent.
• Third was theft of laptops and other mobile devices (42 percent).
What does data cost in the Underground?

| Current Rank | Previous Rank | Goods and Services | Current Percentage | Previous Percentage | Range of Prices |
|---|---|---|---|---|---|
| 1 | 2 | Bank accounts | 22% | 21% | $10–$1000 |
| 2 | 1 | Credit cards | 13% | 22% | $0.40–$20 |
| 3 | 7 | Full identities | 9% | 6% | $1–$15 |
| 4 | N/A | Online auction site accounts | 7% | N/A | $1–$8 |
| 5 | 8 | Scams | 7% | 6% | $2.50/week–$50/week for hosting, $25 for design |
| 6 | 4 | Mailers | 6% | 8% | $1–$10 |
| 7 | 5 | Email addresses | 5% | 6% | $0.83/MB–$10/MB |
| 8 | 3 | Email passwords | 5% | 8% | $4–$30 |
| 9 | N/A | Drop (request or offer) | 5% | N/A | 10%–50% of total drop amount |
| 10 | 6 | Proxies | 5% | 6% | $1.50–$30 |

Source: Symantec Global Internet Security Threat Report XIII
Frequency and Costs of Data Breaches
10 (+1) Largest Data Breaches Since 2000 (chart by FlowingData). As more information goes digital, it becomes more important to protect against hackers.
• Data Processors International – 5 million affected – March 6, 2003
• America Online – 30 million – June 24, 2004
• Citigroup – 30 million – June 6, 2005
• Visa, MasterCard, and American Express – 40 million – June 19, 2005
• U.S. Department of Veteran Affairs – 26.5 million – May 22, 2006
• TJX Companies, Inc. – 94 million – January 17, 2007
• Dai Nippon Printing Company – 8.6 million – March 12, 2007
• Fidelity National Information Services – 8.5 million – July 3, 2007
• TD Ameritrade – 6.3 million – September 14, 2007
• HM Revenue and Customs – 25 million – November 20, 2007
• GS Caltex – 11 million – September 06, 2008
Source: Attrition Data Loss Archive and Database
According to Ponemon Institute, an independent information practices research group, data breaches cost businesses an average of $197 per customer record in 2007, up from $182 in 2006. Ponemon also reports the average cost of a data breach in 2007 was $6.3 million, up from $4.8 million in 2006.
Chart: Percentages of Incidents – Source: CSI
State Breach Notification Laws
State Security Breach Notification Laws as of July 27, 2009. Forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
Source: http://www.ncsl.org/
• Alaska – 2008 H.B. 65
• Arizona – Ariz. Rev. Stat. § 44-7501
• Arkansas – Ark. Code § 4-110-101 et seq.
• California – Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
• Colorado – Colo. Rev. Stat. § 6-1-716
• Connecticut – Conn. Gen. Stat. 36a-701(b)
• Delaware – Del. Code tit. 6, § 12B-101 et seq.
• Florida – Fla. Stat. § 817.5681
• Georgia – Ga. Code §§ 10-1-910, -911
How to Address These Trends?
1. Risk Assessment
2. Security Policies, Procedures and Processes
3. Security Layered Approach
4. Data Loss Protection Mechanisms
5. User Security Education
6. Secure Development
7. Monitoring
Contact
Gary Bahadur
info@kraasecurity.com
www.kraasecurity.com
blog.kraasecurity.com
Twitter.com/kraasecurity
888-KRAA-911