The Security Cauldron - MTUG…

The Security Cauldron Always Brewing, Ever Changing, Never Tamed Peter Brown, COO ALIADO IT SECURITY Management Consulting Victor Chakravarty State of Maine CIO Infrastructure


Page 1

The Security Cauldron

Always Brewing, Ever Changing, Never Tamed

Peter Brown, COO ALIADO IT SECURITY Management Consulting

Victor Chakravarty State of Maine CIO Infrastructure

Page 2

What’s Brewing Today

• Language of Security
• 2015 in Review
• A Look into 2016
• What’s Stoking the Fire
• Value of Lost Information
• Big Guys Aren’t the Only Targets
• Immediate Actions to Take Home

Page 3

Definition of Information Systems Security

Per the U.S. National Information Systems Security Glossary

…the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.

Three widely accepted elements of information security (mnemonic - "CIA") are:

• Confidentiality
• Integrity
• Availability

Page 4

IT Security Language

Incident

Breach

Vulnerability

A Threat

A Risk

Phishing

Spear-Phishing

IOT

Malware

Ransomware

DoS

Bot

Botnet

Zombie Army

Fultz

Kitz

Pre-texting email

Data Exfiltration

CVE

C&C

SCADA

Page 5

The Simmering Pot

2015 Incidents and Breaches

Page 6

Number of Confirmed Incidents by Victim Industry

| Industry | Total | Small | Large | Unknown |
|---|---|---|---|---|
| Accommodation (72) | 362 | 140 | 79 | 143 |
| Administrative (56) | 44 | 6 | 3 | 35 |
| Agriculture (11) | 4 | 1 | 0 | 3 |
| Construction (23) | 9 | 0 | 4 | 5 |
| Educational (61) | 254 | 16 | 29 | 209 |
| Entertainment (71) | 2,707 | 18 | 1 | 2,688 |
| Finance (52) | 1,368 | 29 | 131 | 1,208 |
| Healthcare (62) | 166 | 21 | 25 | 120 |
| Information (51) | 1,028 | 18 | 38 | 972 |
| Management (55) | 1 | 0 | 1 | 0 |
| Manufacturing (31-33) | 171 | 7 | 61 | 103 |
| Mining (21) | 11 | 1 | 7 | 3 |
| Other Services (81) | 17 | 5 | 3 | 9 |
| Professional (54) | 916 | 24 | 9 | 883 |
| Public (92) | 47,237 | 6 | 46,973 | 258 |
| Real Estate (53) | 11 | 3 | 4 | 4 |
| Retail (44-45) | 159 | 102 | 20 | 37 |
| Trade (42) | 15 | 3 | 7 | 5 |
| Transportation (48-49) | 31 | 1 | 6 | 24 |
| Utilities (22) | 24 | 0 | 3 | 21 |
| Unknown | 9,453 | 113 | 1 | 9,339 |
| Total | 64,199 | 521 | 47,408 | 16,270 |

Source: Verizon, 2016 Data Breach Investigation Reports, Table 1, Pg. 4. www.VerizonEnterprise.com

Page 7

Number of Incidents with Confirmed Data Loss by Industry

| Industry | Total | Small | Large | Unknown |
|---|---|---|---|---|
| Accommodation (72) | 282 | 136 | 10 | 136 |
| Administrative (56) | 18 | 6 | 2 | 10 |
| Agriculture (11) | 1 | 0 | 0 | 1 |
| Construction (23) | 4 | 0 | 1 | 3 |
| Educational (61) | 29 | 3 | 8 | 18 |
| Entertainment (71) | 38 | 18 | 1 | 19 |
| Finance (52) | 795 | 14 | 94 | 687 |
| Healthcare (62) | 115 | 18 | 20 | 77 |
| Information (51) | 194 | 12 | 12 | 170 |
| Management (55) | 0 | 0 | 0 | 0 |
| Manufacturing (31-33) | 37 | 5 | 11 | 21 |
| Mining (21) | 7 | 0 | 6 | 1 |
| Other Services (81) | 11 | 5 | 2 | 4 |
| Professional (54) | 53 | 10 | 4 | 39 |
| Public (92) | 193 | 4 | 122 | 67 |
| Real Estate (53) | 5 | 3 | 0 | 2 |
| Retail (44-45) | 137 | 96 | 12 | 29 |
| Trade (42) | 4 | 2 | 2 | 0 |
| Transportation (48-49) | 15 | 1 | 3 | 11 |
| Utilities (22) | 7 | 0 | 0 | 7 |
| Unknown | 270 | 109 | 0 | 161 |
| Total | 2,260 | 447 | 312 | 1,501 |

Source: Verizon, 2016 Data Breach Investigation Reports, Table 2, Pg. 5. www.VerizonEnterprise.com

Page 8

Time to Compromise and Exfiltration

[Figure: bar chart of Compromises (n=1177) and Exfiltration (n=326) by time span (Seconds, Minutes, Hours, Days, Weeks, Months); vertical axis 0 to 1200.]

Verizon, 2016 Data Breach Investigation Reports, Table 7, Pg. 10. www.VerizonEnterprise.com

Page 10

How many of you have had a breach?

If not, the real question to ask yourself is,

When will I?

Page 11

What’s Stoking the Fire

• Data theft is a Business
  • Real markets
  • Tools to enable sales complete with upgrades
  • Infrastructure
• Attackers aware of relations
• Small organizations fall prey more often
• 80% of infections occur from well planned email campaigns - Phishing

Page 12

What is Phishing?

• The attempt to acquire sensitive personal data (sometimes money) by masquerading as a trustworthy source in an electronic communication

Email sent → User clicks → Malware dropped → Foothold gained

Page 13

Don’t Take the Bait- It takes seconds

• Who is holding the Phishing pole
  • 89% Organized Crime
  • 9% State Affiliates
• In a 2015 study of 9576 phishing occurrences, 916 confirmed data disclosures
• We are becoming more aware
  • 2015: 30% msgs opened, 12% clicked & opened attachment
  • 2016: 23% msgs opened, 11% clicked & opened attachment

Page 14

Incident Classification Patterns

Percentage and Number of Incidents n=64,199

| Pattern | # Incidents |
|---|---|
| PAYMENT CARD SKIMMERS | 102 |
| CYBER ESPIONAGE | 247 |
| POS INTRUSIONS | 534 |
| WEB APP ATTACKS | 5334 |
| CRIMEWARE | 7951 |
| EVERYTHING ELSE | 8886 |
| DENIAL OF SERVICE | 9630 |
| PHYSICAL THEFT/LOSS | 9701 |
| PRIVILEGE MISUSE | 10490 |
| MISCELLANEOUS ERRORS | 11347 |

[Figure: horizontal bar chart of the patterns above; axis "% of Incidents", 0% to 20%.]

Verizon, 2016 Data Breach Investigation Reports, Table 17, Pg. 22. www.VerizonEnterprise.com

Page 15

Incident Patterns by Industry- Denial of Service Greatest Impact

[Figure: grid of incident percentages by pattern and industry. Columns: Crimeware, Cyberespionage, Denial of Service, Everything Else, Stolen Assets, Misc. Errors, Card Skimmers, Point of Sale, Privilege Misuse, Web Apps. Rows: Accommodation (72), Educational (61), Entertainment (71), Finance (52), Healthcare (62), Information (51), Manufacturing (31-33), Professional (54), Public (92), Retail (44-45), Transportation (48-49), Administration (56).]

Page 16

Incident Patterns with Data Breaches by Industry- Web Apps

[Figure: grid of breach percentages by pattern and industry. Columns: Crimeware, Cyberespionage, Denial of Service, Everything Else, Stolen Assets, Misc. Errors, Card Skimmers, Point of Sale, Privilege Misuse, Web Apps. Rows: Accommodation (72), Educational (61), Entertainment (71), Finance (52), Healthcare (62), Information (51), Manufacturing (31-33), Professional (54), Public (92), Retail (44-45).]

Page 17

Common Breach Types

Web Application Attacks
Web application is the vector of attack
5334 Incidents, 908 Breaches

Point of Sale Intrusions
Remote attacks where card-present transactions occur
534 Incidents, 525 Breaches

Insider and Privilege Misuse
Any unapproved or malicious use of organizational resources
10,429 Incidents, 172 Breaches

More on next slide

Page 18

Top Varieties within Insider and Privileged Misuse

[Figure: bar chart of # Incidents (axis 0 to 160) by variety: Privilege Abuse, Data Mishandling, Unapproved Hardware, Unapproved Software, Profession Abuse, Email Misuse, Knowledge Abuse, Net Misuse, Illicit Content, Unapproved Workaround.]

Our employees, vendors and partners are sometimes unknowingly our greatest security threats

Page 19

Closer to Home in 2016

| Location | # Breaches | # Records Exposed |
|---|---|---|
| Across US | 378 | 11.5M |
| New England | 31 | ? |
| Maine | 3 | 2100 |

Source: Identity Theft Resource Center

Page 20

The Insider Threat in 2016

• 3 types of Insider threats
  • Malicious
  • Accidental
  • Negligence
• 54% of incidents direct result of insider behavior
• Mobility has increased Insider threats
  • Multiple interconnected devices
  • Changing social norms

Page 21

How or Why Insider Threats Exist

• Malicious
  • An organization’s use of trust as a control is no longer satisfactory; privileges must be accompanied by technical and managerial controls
• Accidental
  • Miscellaneous errors occur through mis-delivery, publishing and improper disposal
• Negligence
  • Employees often work around policy for ease and time

Page 22

Ransomware- One of 2016’s Largest Threats

• Malware covertly installed through Spear Phishing or Downloads to a website
• Restricts user access to the infected computer
• Demands ransom by malware operators to remove restriction
• New Ransomware families:
  • Locky
  • Petya
  • PowerWare
  • KeRanger
  • Samas

Page 23

Ransomware’s Impact

• 2015 - CryptoWall Ransomware
  • 4000 Malware samples
  • 839 C&C URLs
  • 400k Infection attempts
  • 49 campaigns
• 2016 - Locky is fastest growing

Page 24

Other Industry Trends Impacting IT Security

• More connectivity (IoT - Internet of Things)
• Patching no longer works
• Denial of Service (DoS) growing
• Shadow IT environments
  • Unmanaged databases
  • Shared data repositories
  • More employees and partners
  • Increased collaboration
• Engaged employees

Page 25

Engaged Employees Are a Two Way Sword

• Personal attack surface has grown
  • Social networks, mobility
  • Extremely exposed
• Mixing of personal & work life
• Sensitive data is everywhere
  • 1000s of traditional databases
  • Shared data repositories
  • More employees and partners
  • Increased collaboration

Page 26

Why is Cyber Crime on the Increase?

• Money, money and more money ($150M in just ransomware)
• Connectivity of things is growing faster than the fixes
• Cyber crime is seen as victimless
• Organized crime has built in infrastructure

Page 27

How Far and How Fast Can Data Move

• Experiment
  • When: April, 2015
  • What: 1568 fictitious names, social security numbers, credit card numbers, addresses, and phone numbers loaded in an Excel spreadsheet
  • Where: Loaded anonymously in the cyber crime marketplace on the dark web
  • Findings: In two weeks, how far had the data traveled?

Page 28

So Where Do You Think the Data Went?

• # countries

• # continents

• # of times accessed

Page 29

Cost vs. Value of Your Data

Value of Data

Types and Sizes of Breaches

Cost to Remediate

Page 30

How Do Thieves Make Money?

• Selling “quality” and “in bulk”
• Attributes that increase value
  • Reputation of the seller
  • Type of credit card (Amex vs. others)
  • Completeness of data set
  • Social Security number
  • Credit line on the card
  • Geography of where information is sold

Page 31

What Are You Worth on the Black Market

| Hacker Service | Price |
|---|---|
| Social Security number | $30 |
| Date of Birth | $11 |
| Health Insurance credentials | $20 |
| Visa or MasterCard credentials | $4 |
| American Express credentials | $7 |
| Discover credentials | $8 |
| Bank account number (bal of $70k-$150k) | $300 or less |
| Full identity ‘Kitz’ | $1200-1300 |

- http://www.bankrate.com/finance/credit/what-your-identity-is-worth-on-black-market.aspx#ixzz492S8hqPD

Page 32

Why the Medical Industry Is a Target

The payoff is high (10 to 20x the value of a card)

The data has a “long shelf life”

Missing medical data not quickly identified

Medical records usually more complete

Historically medical records have been easier to get

Page 33

Average Selling Price for a Stolen Card

• Delete this intended slide
• Overkill
• Number variations not large enough to be compelling

Page 34

Price per payment card record over time

• Delete this slide
• I felt this had little value as a slide as well-
• Speak to it from the shopping list slide if you want to…

Page 35

The Value of One’s Identity

• This is a different source and it conflicts with your shopping list presented earlier – see slide 31
• That research shows the whole “kilz” at 1200
• This shows the whole “fulz” at 21.35 to 454.05
• Pick one or determine how/why you want to compare…

Page 36

Your Pot Has Just Boiled Over…

You’ve Been Breached!

1. What do you do?

2. What will it cost?

Page 37

Immediate Steps After a Breach is Reported

1. Investigate and remediate

2. Assemble the Internal Response Team

3. Contact law enforcement

4. Call in external vendors (Legal, PR, Data Breach Resolution, ALIADO…)

5. Begin the notification process

6. Announce and respond (as required)… Resume

Page 46

Cost Elements of a Breach

• Single largest factor determines cost of a breach
• Cost to repair damaged systems
• Rolling systems back to pre-breach state
• Disruption of daily work
• Media attention
• Notification
• Potential fines
• Customer churn
• Loss of reputation, loss of customer confidence

Page 47

The Numbers- Average Cost per Record

[Figure: bar chart of average cost per record by year, 2011 to 2015; vertical axis 0 to 1,000; data labels as extracted: $1.36, $3.94, $307, $956, $964.]

NetDiligence® 2015 Cyber Claims Study

Page 48

The Numbers- Average Claim Payout

[Figure: bar chart of average claim payout by year, 2011 to 2015; vertical axis 0 to 4M; data labels as extracted: $3.6M, $0.94M, $0.7M, $0.6M, $2.4M.]

NetDiligence® 2015 Cyber Claims Study

Page 49

The Numbers- Average Records Exposed

[Figure: bar chart of average records exposed by year, 2011 to 2015; vertical axis 0 to 3.5; data labels as extracted: 1.7M, 1.4M, 2.4M, 2.4M, 3.2M.]

NetDiligence® 2015 Cyber Claims Study

Page 50

Steps for Your Organization’s Security Preparedness Plan

• Review/Upgrade/reinforce Security Awareness Training
• Patching – keep it current
• Minimize the data you collect and the number of places you keep it
• Encrypt it
• Implement Data Activity Monitoring (who is accessing what)
• Monitor Privileged users
• Develop/Review your IT Security Plan
• Create a Breach Response Plan and Team
• Implement Defense in Depth (perimeter, endpoint, databases, anti-virus)
• Create a Vulnerability Management Plan