The Security Cauldron: Always Brewing, Ever Changing, Never Tamed
Peter Brown, COO, ALIADO IT Security Management Consulting
Victor Chakravarty, CIO Infrastructure, State of Maine
What’s Brewing Today
• Language of Security
• 2015 in Review
• A Look into 2016
• What’s Stoking the Fire
• Value of Lost Information
• Big Guys Aren’t the Only Targets
• Immediate Actions to Take Home
Definition of Information Systems Security
Per the U.S. National Information Systems Security Glossary
…the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
Three widely accepted elements of information security (mnemonic: "CIA") are:
Confidentiality, Integrity, Availability
IT Security Language
Incident
Breach
Vulnerability
Threat
Risk
Phishing
Spear-phishing
IoT
Malware
Ransomware
DoS
Bot
Botnet
Zombie army
Fullz
Kitz
Pretexting email
Data exfiltration
CVE
C&C
SCADA
The Simmering Pot: 2015 Incidents and Breaches
Number of Confirmed Incidents by Victim Industry (2015 dataset)
Source: Verizon, 2016 Data Breach Investigations Report, Table 1, p. 4 (www.verizonenterprise.com)
Columns: organization size (Small = fewer than 1,000 employees, Large = 1,000 or more, Unknown = size not reported); NAICS code in parentheses.
Industry                   Total    Small    Large   Unknown
Accommodation (72)           362      140       79       143
Administrative (56)           44        6        3        35
Agriculture (11)               4        1        0         3
Construction (23)              9        0        4         5
Educational (61)             254       16       29       209
Entertainment (71)         2,707       18        1     2,688
Finance (52)               1,368       29      131     1,208
Healthcare (62)              166       21       25       120
Information (51)           1,028       18       38       972
Management (55)                1        0        1         0
Manufacturing (31-33)        171        7       61       103
Mining (21)                   11        1        7         3
Other Services (81)           17        5        3         9
Professional (54)            916       24        9       883
Public (92)               47,237        6   46,973       258
Real Estate (53)              11        3        4         4
Retail (44-45)               159      102       20        37
Trade (42)                    15        3        7         5
Transportation (48-49)        31        1        6        24
Utilities (22)                24        0        3        21
Unknown                    9,453      113        1     9,339
Total                     64,199      521   47,408    16,270
Rows highlighted on the slide: Healthcare (62) and Information (51).
Number of Incidents with Confirmed Data Loss by Industry (2015 dataset)
Source: Verizon, 2016 Data Breach Investigations Report, Table 2, p. 5 (www.verizonenterprise.com)
Columns as in the table above.
Industry                   Total    Small    Large   Unknown
Accommodation (72)           282      136       10       136
Administrative (56)           18        6        2        10
Agriculture (11)               1        0        0         1
Construction (23)              4        0        1         3
Educational (61)              29        3        8        18
Entertainment (71)            38       18        1        19
Finance (52)                 795       14       94       687
Healthcare (62)              115       18       20        77
Information (51)             194       12       12       170
Management (55)                0        0        0         0
Manufacturing (31-33)         37        5       11        21
Mining (21)                    7        0        6         1
Other Services (81)           11        5        2         4
Professional (54)             53       10        4        39
Public (92)                  193        4      122        67
Real Estate (53)               5        3        0         2
Retail (44-45)               137       96       12        29
Trade (42)                     4        2        2         0
Transportation (48-49)        15        1        3        11
Utilities (22)                 7        0        0         7
Unknown                      270      109        0       161
Total                      2,260      447      312     1,501
Rows highlighted on the slide: Healthcare (62) and Information (51).
Time to Compromise and Exfiltration
[Chart: share of breaches by time to compromise (n=1,177) and time to exfiltration (n=326), bucketed as seconds, minutes, hours, days, weeks, months. Compromise: 81.9% in seconds, 11% in minutes, 6% in hours, under 1% in each longer bucket, so roughly 93% of compromises took minutes or less. Exfiltration: 7.1% in seconds, 21.2% in minutes, 2.5% in hours, 67.8% in days, under 1% in weeks and in months, so roughly 28% of exfiltration happened within minutes.]
Verizon, 2016 Data Breach Investigations Report, Figure 7, p. 10 (www.verizonenterprise.com)
How many of you have had a breach?
If not, the real question to ask yourself is,
When will I?
What’s Stoking the Fire
• Data theft is a business: real markets, tools to enable sales complete with upgrades, and supporting infrastructure
• Attackers are aware of business relationships (who your vendors and partners are)
• Small organizations fall prey more often
• 80% of infections originate from well-planned email campaigns (phishing)
What Is Phishing?
• The attempt to acquire sensitive personal data (sometimes money) by masquerading as a trustworthy source in an electronic communication
Email sent → User clicks → Malware dropped → Foothold gained
Don’t Take the Bait: It Takes Seconds
• Who is holding the phishing pole: 89% organized crime, 9% state-affiliated actors
• In the 2015 dataset, 9,576 phishing incidents produced 916 confirmed data disclosures
• Awareness is not improving: the 2015 DBIR found 23% of phishing messages opened and 11% of recipients clicking the attachment; the 2016 DBIR found 30% opened and 12% clicking the attachment
Incident Classification Patterns
Percentage and number of incidents per pattern, n=64,199 (percentages computed from n):
Miscellaneous Errors       11,347   17.7%
Privilege Misuse           10,490   16.3%
Physical Theft/Loss         9,701   15.1%
Denial of Service           9,630   15.0%
Everything Else             8,886   13.8%
Crimeware                   7,951   12.4%
Web App Attacks             5,334    8.3%
POS Intrusions                534    0.8%
Cyber-Espionage               247    0.4%
Payment Card Skimmers         102    0.2%
Verizon, 2016 Data Breach Investigations Report, Figure 17, p. 22 (www.verizonenterprise.com)
Incident Patterns by Industry: Denial of Service Has the Greatest Impact
[Chart: share of each industry’s incidents falling in each classification pattern (Crimeware, Cyber-espionage, Denial of Service, Everything Else, Stolen Assets, Misc. Errors, Card Skimmers, Point of Sale, Privilege Misuse, Web Apps) for Accommodation (72), Administrative (56), Educational (61), Entertainment (71), Finance (52), Healthcare (62), Information (51), Manufacturing (31-33), Professional (54), Public (92), Retail (44-45) and Transportation (48-49). Denial of Service is the dominant pattern across most industries; the notable exceptions are Accommodation, where Point of Sale accounts for 74% of incidents, and Finance, where Web Apps (48%) edge out Denial of Service (34%).]
Incident Patterns with Data Breaches by Industry: Web Apps
[Chart: the same patterns (Crimeware, Cyber-espionage, Denial of Service, Everything Else, Stolen Assets, Misc. Errors, Card Skimmers, Point of Sale, Privilege Misuse, Web Apps) for Accommodation (72), Educational (61), Entertainment (71), Finance (52), Healthcare (62), Information (51), Manufacturing (31-33), Professional (54), Public (92) and Retail (44-45), restricted to incidents with confirmed data disclosure. Web Apps is the pattern the slide highlights as carrying the largest share of confirmed breaches.]
Common Breach Types
• Web Application Attacks: the web application is the attack vector. 5,334 incidents, 908 breaches
• Point of Sale Intrusions: remote attacks on systems where card-present transactions occur. 534 incidents, 525 breaches
• Insider and Privilege Misuse: any unapproved or malicious use of organizational resources. 10,490 incidents, 172 breaches
Top Varieties within Insider and Privilege Misuse (number of incidents, highest first; chart axis 0 to 160)
1. Privilege abuse
2. Data mishandling
3. Unapproved hardware
4. Unapproved software
5. Possession abuse
6. Email misuse
7. Knowledge abuse
8. Net misuse
9. Illicit content
10. Unapproved workaround
Our employees, vendors and partners are sometimes unknowingly our greatest security threats
Closer to Home in 2016
Location       Breaches   Records exposed
Across US      378        11.5M
New England    31         not reported
Maine          3          2,100
Source: Identity Theft Resource Center
The Insider Threat in 2016
• Three types of insider threat: malicious, accidental, negligent
• 54% of incidents are a direct result of insider behavior
• Mobility has increased insider threats: multiple interconnected devices, changing social norms
How or Why Insider Threats Exist
• Malicious: an organization’s use of trust as a control is no longer satisfactory; privileges must be accompanied by technical and managerial controls
• Accidental: miscellaneous errors occur through mis-delivery, publishing errors and improper disposal
• Negligent: employees often work around policy to save time and effort
Ransomware: One of 2016’s Largest Threats
• Malware covertly installed through spear phishing or downloads from a compromised website
• Restricts user access to the infected computer, typically by encrypting its files
• The operators demand a ransom to remove the restriction
• New ransomware families in 2016: Locky, Petya, PowerWare, KeRanger, Samas
Ransomware’s Impact
• 2015, CryptoWall: 4,000 malware samples, 839 C&C URLs, 400k infection attempts, 49 campaigns
• 2016: Locky is the fastest-growing family
Other Industry Trends Impacting IT Security
• More connectivity (IoT, the Internet of Things)
• Patching alone no longer keeps pace with the flow of vulnerabilities
• Denial of service (DoS) attacks are growing
• Shadow IT environments: unmanaged databases, shared data repositories, more employees and partners, increased collaboration
• Engaged employees
Engaged Employees Are a Two-Edged Sword
• The personal attack surface has grown: social networks and mobility leave employees extremely exposed
• Mixing of personal and work life
• Sensitive data is everywhere: thousands of traditional databases, shared data repositories, more employees and partners, increased collaboration
Why Is Cyber Crime on the Increase?
• Money, money and more money ($150M in ransomware alone)
• Connectivity of things is growing faster than the fixes
• Cyber crime is seen as victimless
• Organized crime has built-in infrastructure
How Far and How Fast Can Data Move
• Experiment
• When: April 2015
• What: 1,568 fictitious names, Social Security numbers, credit card numbers, addresses and phone numbers loaded into an Excel spreadsheet
• Where: posted anonymously in a cyber-crime marketplace on the dark web
• Findings: in two weeks, how far had the data traveled?
So Where Do You Think the Data Went?
• Number of countries
• Number of continents
• Number of times accessed
Cost vs. Value of Your Data
• Value of data
• Types and sizes of breaches
• Cost to remediate
How Do Thieves Make Money?
• Selling “quality” and “in bulk”
• Attributes that increase value: reputation of the seller; type of credit card (Amex vs. others); completeness of the data set; Social Security number; credit line on the card; geography of where the information is sold
What Are You Worth on the Black Market?
Item                                              Price
Social Security number                            $30
Date of birth                                     $11
Health insurance credentials                      $20
Visa or MasterCard credentials                    $4
American Express credentials                      $7
Discover credentials                              $8
Bank account number (balance of $70k to $150k)    $300 or less
Full identity (“Kitz”)                            $1,200 to $1,300
Source: http://www.bankrate.com/finance/credit/what-your-identity-is-worth-on-black-market.aspx#ixzz492S8hqPD
Why the Medical Industry Is a Target
The payoff is high (10 to 20x the value of a card)
The data has a “long shelf life”
Missing medical data not quickly identified
Medical records usually more complete
Historically medical records have been easier to get
Average Selling Price for a Stolen Card
•Delete this intended slide
•Overkill
•Number variations not large enough to be compelling
Price per payment card record over time
•Delete this slide
• I felt this had little value as a slide as well-
• Speak to it from the shopping list slide if you want to…
The Value of One’s Identity
• This is a different source and it conflicts with your shopping list presented earlier – see slide 31
• That research shows the whole “Kitz” at 1200
• This shows the whole “Fullz” at 21.35 to 454.05
•Pick one or determine how/why you want to compare…
Your Pot Has Just Boiled Over…
You’ve Been Breached!
1. What do you do?
2. What will it cost?
Immediate Steps After a Breach is Reported
1. Investigate and remediate
2. Assemble the Internal Response Team
3. Contact law enforcement
4. Call in external vendors (Legal, PR, Data Breach Resolution, ALIADO…)
5. Begin the notification process
6. Announce and respond (as required), then resume normal operations
Cost Elements of a Breach
• Single largest factor determining the cost of a breach: cost to repair damaged systems
• Rolling systems back to their pre-breach state
• Disruption of daily work
• Media attention
• Notification
• Potential fines
• Customer churn
• Loss of reputation, loss of customer confidence
The Numbers: Average Cost per Record
[Chart: average cost per exposed record by study year, 2011 through 2015, as shown on the slide: $1.36, $3.94, $307, $956, $964.]
NetDiligence® 2015 Cyber Claims Study
The Numbers: Average Claim Payout
[Chart: average cyber-insurance claim payout by study year, 2011 through 2015, as shown on the slide: $2.4M, $3.6M, $0.94M, $0.7M, $0.6M.]
NetDiligence® 2015 Cyber Claims Study
The Numbers: Average Records Exposed
[Chart: average number of records exposed per claim by study year, 2011 through 2015, as shown on the slide: 1.7M, 1.4M, 2.4M, 2.4M, 3.2M.]
NetDiligence® 2015 Cyber Claims Study
Steps for Your Organization’s Security Preparedness Plan
• Review, upgrade and reinforce security awareness training
• Patching: keep it current
• Minimize the data you collect and the number of places you keep it
• Encrypt it
• Implement data activity monitoring (who is accessing what)
• Monitor privileged users
• Develop or review your IT security plan
• Create a breach response plan and team
• Implement defense in depth (perimeter, endpoint, databases, anti-virus)
• Create a vulnerability management plan
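The two monitoring items in that list (data activity monitoring and watching privileged users) are easiest to see in code. The block below is an added example, not material from the slides or from ALIADO or the State of Maine: it parses constructed database audit-log lines and flags the three things a data activity monitoring control most often watches for, a privileged account touching a sensitive object after hours, a bulk read of a sensitive object, and an account that is not on the allow-list for that object. The log format, the object names (patients, cardholders, hr.salaries), the allow-lists, the business-hours window and the 10,000-row bulk threshold are all assumptions chosen for the demonstration.

```python
"""Data activity monitoring: who is accessing what.

Added example (not from the original slides). Parses constructed
database audit-log lines and raises alerts for three patterns:
  1. a privileged account reading a sensitive object outside business hours
  2. a bulk read of a sensitive object (possible exfiltration staging)
  3. an account that is not on the allow-list for a sensitive object
Log format, object names, thresholds and hours are assumptions for the demo.
"""
import re
from datetime import datetime, timezone

# Assumed layout of one audit line (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) object=(?P<object>\S+) rows=(?P<rows>\d+) "
    r"src=(?P<src>\S+)$"
)

# Assumed policy: which objects are sensitive and which accounts may touch them.
SENSITIVE_OBJECTS = {"patients", "cardholders", "hr.salaries"}
ALLOWED_READERS = {
    "patients": {"ehr_app", "dba_admin"},
    "cardholders": {"pos_app"},
    "hr.salaries": {"hr_app"},
}
BUSINESS_HOURS = range(8, 18)   # 08:00 to 17:59 UTC (assumed)
BULK_ROW_THRESHOLD = 10_000     # reads above this count are treated as bulk (assumed)


def parse_line(line):
    """Return a dict for one audit line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["rows"] = int(ev["rows"])
    return ev


def evaluate(ev):
    """Apply the three DAM rules to one parsed event; return the list of alert names raised."""
    alerts = []
    if ev["object"] not in SENSITIVE_OBJECTS:
        return alerts                       # only sensitive objects are in scope
    is_read = ev["action"].upper() in {"SELECT", "EXPORT"}
    if ev["role"] == "privileged" and ev["ts"].hour not in BUSINESS_HOURS:
        alerts.append("privileged_access_after_hours")
    if is_read and ev["rows"] > BULK_ROW_THRESHOLD:
        alerts.append("bulk_read")
    if ev["user"] not in ALLOWED_READERS.get(ev["object"], set()):
        alerts.append("unapproved_account")
    return alerts


def review(log_text):
    """Parse a block of audit lines; return (user, object, alerts) for every flagged event."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                        # skip malformed or unrelated lines
        alerts = evaluate(ev)
        if alerts:
            findings.append((ev["user"], ev["object"], tuple(alerts)))
    return findings


# Constructed sample audit lines (not real data).
SAMPLE_LOG = """\
2016-05-09T09:15:02Z user=ehr_app role=service action=SELECT object=patients rows=12 src=10.0.1.20
2016-05-09T02:14:07Z user=dba_admin role=privileged action=SELECT object=patients rows=48000 src=10.0.0.12
2016-05-09T10:40:33Z user=jsmith role=analyst action=SELECT object=hr.salaries rows=350 src=10.0.2.77
2016-05-09T11:02:10Z user=pos_app role=service action=INSERT object=cardholders rows=1 src=10.0.3.5
2016-05-09T11:05:00Z user=dba_admin role=privileged action=UPDATE object=inventory rows=2 src=10.0.0.12
"""

if __name__ == "__main__":
    for user, obj, alerts in review(SAMPLE_LOG):
        print(f"{user:10s} {obj:12s} {', '.join(alerts)}")
```

Running the block reports two events: the privileged dba_admin account pulling 48,000 patient rows at 02:14 UTC (after hours and a bulk read), and the analyst jsmith reading hr.salaries without being on that object’s allow-list. The normal application traffic and the write to a non-sensitive table pass silently. In practice the allow-lists come from the data inventory the slide asks for (knowing what you collect and where you keep it), and the alerts go to the breach response team rather than to stdout.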