WHITE PAPER SPON. Why It s So Easy to Steal Company Data: 10 Things Businesses Need to Know About and Web Security. Published May 2013

Transcription

1 WHITE PAPER N Company Data: 10 Things Businesses Need to Know About An Osterman Research White Paper Published May 2013 SPONSORED BY sponsored by SPON sponsored by Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington USA Tel: Fax: info@ostermanresearch.com twitter.com/mosterman

2 EXECUTIVE SUMMARY Robust and Web security, coupled with appropriate user training and security procedures, are absolutely essential to the protection of corporate data, financial and other electronic assets. Without adequate solutions and controls, cybercriminals can exploit gaps in security defenses and cause serious damage to an organization. For example: On Christmas Eve and again on December 26 th, 2012, cybercriminals used malware installed on a local PC at Ascent Builders to transfer US$900,000 from the company s Bank of the West account, following this shortly thereafter by a major distributed denial-of-service (DDoS) attack on the bank, presumably to conceal the theft of funds i. In December 2012, cybercriminals added 11 bogus employees to the payroll of Niles Nursing, Inc. by using the company controller s login credentials. Using ACH payments from Niles bank account, the criminals initially transferred US$58,000 in funds to these individuals who were to wire the funds to contacts in Russia and Ukraine. In total, approximately US$170,000 was stolen from the firm ii. A study conducted for the UK Cabinet Office found that the loss of intellectual property much of it the result of malware and other forms of cybercrime costs British organizations upwards of 9.2 billion annually iii. KEY TAKEAWAYS Organizations must protect themselves from a wide and growing variety of threats perpetrated by cybercriminals. At the same time, they must protect their corporate data and financial assets from an increasing number of venues through which malware and other exploits can operate, including traditional tools like and desktop computers, but also social media tools, cloud-based storage and file-sharing applications, smartphones, tablets, employees home computers, USB drives and the like. At the same time, corporate decision makers must both permit the use of, and protect against threats introduced by, employee-owned endpoints. In short, the threat landscape is becoming more serious and decision makers must focus increasingly on protecting their critical assets through improved training of employees, better security procedures, and improvements in their security technology. The threat landscape is becoming more serious and decision makers must focus increasingly on protecting their critical assets. ABOUT THIS WHITE PAPER This white paper provides an overview of the security threats facing organizations today and offers a number of practical steps that organizations can take to improve their security posture. The paper also provides a brief overview of WebTitan, the sponsor of this document, and their relevant solutions. THREATS ARE INCREASING ON SEVERAL LEVELS APPLICATIONS In addition to the several corporate applications that IT has deployed in the typical organization, Osterman Research has also found widespread use of applications that are deployed by individuals, such as cloud-based storage and file synchronization applications. These are sometimes used with IT s blessing, but more often not. Dropbox, for example, is used in 14% of 1,000+ employee organizations with IT s blessing and in 44% of them without approval, as shown in the following table Osterman Research, Inc. 1

3 Leading Cloud-Based Applications Deployed by Users Based on % of Organizations Up to 99 Employees Employees 1,000+ Employees Application Dropbox Deployed by IT 17.3% 12.2% 5.7% Used with IT s blessing 39.5% 26.3% 13.2% Used w/o IT s blessing 21.0% 31.4% 43.1% Not used 22.2% 30.1% 37.9% Apple icloud Deployed by IT 10.1% 13.5% 7.0% Used with IT s blessing 34.2% 22.4% 21.1% Used w/o IT s blessing 20.3% 23.7% 33.3% Not used 35.4% 40.4% 38.6% Google Drive Deployed by IT 7.7% 6.6% 6.7% Used with IT s blessing 28.2% 20.5% 11.0% Used w/o IT s blessing 20.5% 27.8% 37.8% Not used 43.6% 45.0% 44.5% Google Docs Deployed by IT 7.7% 12.7% 10.6% Used with IT s blessing 25.6% 26.0% 12.9% Used w/o IT s blessing 19.2% 27.3% 38.8% Not used 47.4% 34.0% 37.6% Microsoft SkyDrive Deployed by IT 21.0% 10.7% 10.8% Used with IT s blessing 33.3% 24.8% 10.8% Used w/o IT s blessing 7.4% 17.4% 28.3% Not used 38.3% 47.0% 50.0% Source: Managing BYOD in Corporate Environments, Osterman Research, Inc. Even tools like those that provide geolocation information can be harmful. While the most direct threat can come from criminals who might target individuals, senior executives and the like, seemingly harmless geolocation information can relay to competitors and others the whereabouts of key executives, resulting in the disclosure of sensitive information, such as plans for adding a new retailer or other business partner. DIRECT ATTACKS Direct hacker attacks are an increasingly serious issue for which organizations must be prepared. For example, Prolexic Technologies found that distributed denial-ofservice (DDoS) attacks during the third quarter of 2012 were 88% more common than during the quarter one year earlier. Moreover, while the duration of a typical DDoS attack decreased during this period, the average bandwidth consumed by them increased by 230%, often exceeding 20 Gbps iv. MALWARE Malware is an extremely serious issue and impacts that vast majority of organizations even organizations that are being diligent to protect against it. Phishing attempts, spearphishing attempts, keystroke loggers, password-stealing Trojans and other types of malware put corporate data and finances increasingly at risk. Malware is an extremely serious issue and impacts that vast majority of organizations even organizations that are being diligent to protect against it. The target of malware is typically sensitive content like usernames and passwords, but it can also include login data for banking systems, customer data, trade secrets and other types of confidential information. The increasing end goals of stealing information (both personal and corporate), hijacking systems for a wide range of purposes and launching additional malicious attacks all have serious business implications, in addition to the more traditional impacts to storage, bandwidth, infrastructure and other costs Osterman Research, Inc. 2

4 There have been a number of serious malware incursions during the recent past: In mid-february 2013, Apple Computer was the victim of a malware attack that was able to infect an undisclosed number of Macs within the company. The malware entered the company through a legitimate Web site focused on software development and exploited an unpatched bug in Java v. In early February 2013, Twitter was hacked and information from 250,000 user accounts was exposed, most likely because of the Java exploit noted above vi. In July 2012, Neurocare, a medical equipment manufacturer, was attacked by malware that compromised the company s credentials used to access a third party payroll processor. All Neurocare employees were negatively impacted by the attack. vii In June 2011, the International Monetary Fund (IMF) underwent a spearphishing attack that might have been perpetrated by a rogue state. Although employees were instructed not to open unknown attachments, not to open from unknown senders or not to click on video links, malware in an successfully bypassed IMF defenses and information was stolen from compromised computers viii. In April 2011, phishing attempts to many lower level employees at security firm RSA proved to be successful. These s contained the subject line 2011 Recruitment Plan and had attached an Excel spreadsheet that contained a zeroday flaw aimed at vulnerability in Adobe Flash. Although the s were sent to these users spam quarantines, the s were opened from within the quarantine and a Trojan was installed that was able to harvest credentials from many employee accounts, compromising RSA s SecurID tags ix. Hundreds of organizations have been attacked using the same command and control mechanism, including IBM, Google, Microsoft and about 20% of the Fortune 500 x. In April 2011, a spearphishing attempt directed against the Oak Ridge National Laboratory was able to steal several megabytes of data before IT administrators stopped Internet access. The sent to employees was supposedly from the lab s HR department and included a malicious link. It was opened by 57 of the 530 employees who received it xi. Malware can enter an organization through simple Web surfing if legitimate Web sites have been compromised. LEGITIMATE USE OF THE WEB Malware can enter an organization through simple Web surfing if legitimate Web sites have been compromised. For example, a popular Bulgarian Web site that sells watches had been compromised as of early 2013 and visitors were redirected to a Web site that infects visitors with SMS-based Trojans xii. Common threat vectors include: Cross Site Request Forgery (CSRF) attacks will permit seemingly safe Web sites to generate requests to different sites. CSRF attacks have exploited vulnerabilities in Twitter, enabling site owners to acquire the Twitter profiles of their visitors. Web 2.0 applications that leverage XML, XPath, JavaScript and JSON, Adobe Flash and other rich Internet applications are frequently vulnerable to injection attacks using these environments. These technologies are often used to evade anti-virus defenses, motivating attackers to leverage them. Cross-component attacks can occur when two harmless pieces of malware code appear on the same Web page. Individually, they are harmless and difficult to detect. However, when they appear simultaneously on a single page, they can infect a user s machine with malware Osterman Research, Inc. 3

5 SQL injection attacks occur when SQL commands and meta-characters are inserted into input fields on a Web site, the goal of which is to execute back-end SQL code. Cross-site scripting attacks embed tags in URLs when users click on these links, malicious Javascript code will be executed on their machines. used to be the primary method for distributing malware from the early 2000s to roughly 2009 before it was overtaken by the Web as the primary attack vector. However, continues to be a key method for distributing spam through a variety of venues desktop , mobile phones using SMS/text messaging, etc. More recently however, has been used for blended threats spam messages that contain links to malware-laden sites. Blended threats are a more sophisticated form of attack because they require more security integration by combining traditional and Web security capabilities. While many are now discounting spam as a serious threat vector because volumes are much lower today than they were in late 2010, spam continues to be a serious problem. This is because the typical spam message often used to distribute malware is potentially much more damaging. Moreover, while spam itself is not inherently or directly dangerous from a security perspective, it wastes bandwidth, storage, and employee time, not to mention the cost of deploying systems to deal with identifying and eradicating spam from corporate networks. Spam wastes IT s time, users time and drives up the overall cost of and other IT-managed systems. GROWING USE OF MOBILE PLATFORMS As companies provide users with more mobile platforms and as employees increasingly employ their own mobile devices to access corporate and other data resources as shown in the next two figures the number of ingress points for malware will continue to increase. Penetration of Company-Supplied Mobile Devices, Spam continues to be a serious problem because the typical spam message often used to distribute malware is potentially much more damaging. Source: Osterman Research surveys 2013 Osterman Research, Inc. 4

6 Percentage of Organizations With Mobile Devices in Use Source: Managing BYOD in Corporate Environments, Osterman Research, Inc. SOCIAL MEDIA The use of the Big Three social networks Facebook, Twitter and LinkedIn as well as the 1,000+ social networks in use worldwide, creates serious security problems. Among these problems is the fact that social media tools can be used for ingress of malware. As shown in the following figure, Osterman Research has found that malware has infiltrated 24% of organizations through Facebook and 7% of organizations through Twitter and LinkedIn. More troubling, however, is the fact that a large proportion of organizations simply are not sure whether or not malware has entered through these tools. Infiltration of Malware Through Various Social Media Tools Has malware ever infiltrated your corporate network through the following tools? Malware has infiltrated 24% of organizations through Facebook and 7% of organizations through Twitter and LinkedIn. Source: Why All Organizations Need to Manage and Archive Social Media, Osterman Research, Inc Osterman Research, Inc. 5

7 While traditional anti-virus and anti-malware tools can be somewhat effective at blocking threats introduced by social media tools, a zero-hour threat detection and remediation capability is absolutely essential in order to block malware that can enter through social media. This included threats that can enter through mobile device where a substantial proportion of social media use occurs. THREAT VECTORS ARE BECOMING MORE NUMEROUS AND MORE SERIOUS The bottom line is that threat vectors are becoming more serious as criminals increasingly focus on sophisticated methods of social engineering to trick users into clicking on links and introducing malware into organizations, as they develop improved and stealthier malware, and as the benefits from cybercrime pay larger dividends. SECURITY MUST BE A TOP PRIORITY There are several serious consequences associated with threat infiltration, ranging from the merely annoying to those that can destroy an organization financially, as discussed in the following sections. DRAINING OF CORPORATE FINANCIAL ACCOUNTS A large number of organizations of all sizes and across all industries have been targeted with keystroke loggers and other forms of malware that permit criminals to transfer funds out of corporate financial accounts. There have been many document cases of this type of theft, as well as cases that have not been reported. Although any size of organization can be impacted by malware or direct hacker attacks, smaller organizations tend to be more fruitful targets because they often do not have fulltime IT staff that are well versed in current cybercriminal tactics, and they often lack the sophisticated types of defenses necessary to thwart these attacks. Among the organizations that have suffered financial losses from malware or attacks are the following: Hillary Machinery: US$800,000 (its bank was able to recover only US$600,000 xiii ) The Catholic Diocese of Des Moines: US$600,000 xiv Patco: US $588,000 xv Western Beaver County School District: US$700,000 xvi Experi-Metal, Inc.: US$560,000 xvii Village View Escrow: US$465,000 xviii An unidentified construction company in California: US$447,000 xix Choice Escrow: US$440,000 xx The Government of Bullitt County, Kentucky: US$415,000 xxi The Town of Poughkeepsie, New York: US$378,000 xxii An unidentified solid waste management company in New York: US$150,000 xxiii An unidentified law firm in South Carolina: US$78,421 xxiv Slack Auto Parts: US$75,000 xxv There are several serious consequences associated with threat infiltration, ranging from the merely annoying to those that can destroy an organization financially. LOSS OF INTELLECTUAL PROPERTY Proprietary information like trade secrets, confidential or sensitive information and corporate intellectual property can be lost as a result of poor lax security, hacker attacks, malware and other incursions. These losses can results from something as simple as including sensitive content mistakenly in an or an unencrypted file transfer, data that is lost on an unencrypted mobile device or flash drive, or data that is taken home by employees and stored IT-mandated security controls. COMPLIANCE PROBLEMS If robust security defenses and common sense practices are not maintained, organizations can run afoul of a wide variety of statutes that require sensitive information to be protected. Despite the importance of maintaining compliance with all applicable requirements, one study found that decision makers in one out of five 2013 Osterman Research, Inc. 6

8 organizations do not know which compliance laws apply to their organization xxvi. A small sampling of these statutes but by no means an exhaustive list includes the following: The UK Data Protection Act requires businesses operating in the United Kingdom to protect the security of the personal information they holds. The Personal Information Protection and Electronic Documents Act (PIPEDA), a Canadian privacy law, applies to all companies operating in Canada. Like many other such laws, it mandates that personal information be stored and transmitted securely. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for protecting the security of consumers and others payment account information. It requires building and maintaining a secure network, encrypting cardholder data when sent over public networks, and assigning unique IDs to each individual that has access to cardholder information. The Gramm-Leach-Bliley Act (GLBA) mandates that financial institutions that hold personal information transmit and store this information in such a way that its integrity is not compromised. GLBA requires financial institutions to comply with a variety of Securities and Exchange Commission and NASD rules. Japan s Personal Data Protection Law is focused on protecting consumers and employees personal information. Among other requirements, it includes rules for ensuring the security and disclosure of databases that contain this information. The first US state law mandating the protection of consumer information was California s SB1386 (the Database Security Breach Notification Act). This is a far reaching law that requires any organization that possesses personal information about a California resident regardless of where they are located to notify each individual whose information may have been compromised in any way unless the data lost or stolen was encrypted. Since California passed this groundbreaking data breach notification law, most other US states have passed similar laws. LESS TANGIBLE CONSEQUENCES While security breaches that result in financial, intellectual property, sensitive data or other losses often have measurable impacts on an organization, there are other consequences that may be more difficult to quantify, but are no less serious. For example, an organization that experiences a significant infiltration of malware or a data breach will almost certainly face a loss of reputation and an erosion of trust as the incident becomes publicized. Some customers will be less likely to do business with a firm that experiences a major security problem for example, the Ponemon Institute s research consistently finds that the largest single cost of a data breach is the loss of customer relationships. Finally, security breaches that cause IT and business decision makers to address the problem as rapidly as possible will be drawn from other work that could result in the delays of other projects, slower time to market for new products, or other problems that could have long-term ramifications. Many decision makers, particularly those in smaller organizations, may not appreciate just how serious the threat landscape has become. THE TOP FIVE ISSUES ON WHICH DECISION MAKERS NEED TO FOCUS 1. UNDERSTAND THE SERIOUSNESS OF THE THREAT LANDSCAPE Many decision makers, particularly those in smaller organizations, may not appreciate just how serious the threat landscape has become. For example, the Verizon 2012 Data Breach Investigations Report (DBIR) xxvii found that in 2011, 2013 Osterman Research, Inc. 7

9 58% of data theft was tied to activist groups, and that 81% of all breaches used some form of hacking to generate the breach findings about which many decision makers may not be aware. Moreover, Verizon s researchers believe that 2013 will see what the organization calls low-and-slow attacks focused on authentication attacks and failures, social engineering and various Web exploits xxviii. It is important to note that the threat landscape is changing rapidly, with hacking and malware offering a much greater likelihood of generating a data breach than was the case when many security systems were deployed. 2. UNDERSTAND THAT CORPORATE DATA AND FINANCIAL ASSETS ARE EXTREMELY VALUABLE Decision makers must also understand just how valuable their data is to a hacker or other cybercriminal. For example, US credit cards sell for US$2 to US$6 on the black market, while credit cards in the UK sell for US$4 to US$6 each xxix. Access to consumer bank accounts will sell for 5% to 10% of the current cash balance xxx. Trade secrets can be worth millions of dollars. The bottom line is that customer data, intellectual property, and access to corporate financial accounts is extremely valuable to cybercriminals the value of these data assets must be taken into consideration when making decisions about how much to spend securing these assets. 3. USERS NEED TO BE TREATED AS THE FIRST LINE OF DEFENSE While much of the discussion around security focuses on the technology and systems that must be deployed to prevent malware infiltration, data breaches, DDoS attacks and the like, decision makers must realize that users are truly the initial line of defense in any security system. Users must be appropriately trained to be suspicious of suspect s or social media posts and not to click on links contained in them unless they are certain of their validity. Users need to be trained not to bring an message out of a spam quarantine unless they are sure that the message was placed there improperly. Users may be trained about the proper use of social media and other tools that could compromise corporate security in some. In short, users are a vital element in any security system. They cannot be the final link in the security chain, since security systems are essential to maintaining an adequate defensive posture, but users are certainly an important part of a sound defense. 4. POLICIES FOR MANAGING USE OF APPLICATIONS AND PLATFORMS ARE OFTEN DEFICIENT All organizations that seek to protect their users, data and networks from malware and other threats must establish detailed and thorough policies about acceptable use of all of their online tools: , social media, other Web 2.0 applications, collaboration tools, instant messaging, smartphones and tablets, flash drives and simple Web surfing. Successfully addressing these issues must begin with an acknowledgement of the threat landscape and the corresponding policies about how tools will be used before technologies are deployed to address the problems. All organizations that seek to protect their users, data and networks from malware and other threats must establish detailed and thorough policies about acceptable use of all of their online tools. That said, most organizations have not created detailed and thorough policies for the various types of messaging and collaboration tools they either have deployed or allow to be used. For example, as shown in the following figure, only onethird or fewer of organizations have established this level of detail in their corporate messaging and collaboration policies Osterman Research, Inc. 8

10 Status of Policies for Various Corporate Capabilities Source: Messaging Policy Market Trends, ; Osterman Research, Inc. 5. DRACONIAN CONTROLS WILL NOT WORK Decision makers must realize that simply imposing prohibitions on the use of any tool not implemented by IT is unlikely to be effective, since many users will employ them anyway this is particularly true for employees who work from home periodically and/or use their own smartphones, tablets or applications to do their work. Even if these controls are effective, they may be counterproductive. For example, a policy prohibiting the use of social media tools like Twitter or Facebook may seriously impact a marketing department s effectiveness at building the corporate brand; similarly, not allowing the use of unauthorized file transfer tools or personal Webmail may prevent users from sending large files to prospects or customers in a timely manner. Decision makers must realize that simply imposing prohibitions on the use of any tool not implemented by IT is unlikely to be effective. THE TOP FIVE RECOMMENDATIONS FOR PROTECTING DATA AND FINANCIAL ASSETS 6. EMBARK ON A CONTINUING PROGRAM OF UNDERSTANDING THE THREAT LANDSCAPE AND MAINTINING SECURITY AWARENESS Closely related to understanding the threat landscape is to stay continually updated on new and emerging threats. For example, despite Java being a wellknown conduit for cyberattacks in 20112, a major new Java vulnerability was discovered on January 10, Windows 8 was released on October 26, 2012 and just five days later a fake anti-virus malware was discovered that is specifically targeted toward the new operating system xxxi. Moreover, some malware and other exploits are targeted toward specific industries, such as Shamoon that is focused on Windows-based computers used in the energy industry xxxii. In short, decision makers must rely on trusted vendors, consultants, analysts and other sources to remain continually up-to-date on new threats that can appear very rapidly Osterman Research, Inc. 9

11 7. IMPLEMENT DETAILED AND GRANULAR POLICIES FOCUSED ON ALL APPLICATIONS AND PLATFORMS Osterman Research recommends that all organizations should develop detailed policies focused on all of the messaging, collaboration and other tools that are or will be used internally, by business partners and by individual users on any device that connects to the corporate network. Moreover, there must be buy-in across the organization in order for policies to be effective as noted above, draconian policies will simply not be followed and/or will be counterproductive in achieving the aims of corporate decision makers and improving security. 8. EVALUATE THE ROI OF AND WEB SECURITY The total cost of ownership (TCO) for an or Web security solution can vary based on a number of factors, including the initial acquisition cost of the solution; the cost of the internal IT labor required to manage the system on an ongoing basis; software licensing and related maintenance costs; the cost of any hardware that is required to run the software; the ability to re-use existing hardware and other factors; and the cost of cloud solutions if that delivery model is selected. Further, the differences in the cost between various solutions will vary based on the features and functions offered in the solution. It is important to evaluate both the Total Cost of Ownership (TCO) and the Total Cost of Acquisition (TCA) for Web security systems, since these can have significant impacts on ROI. In short, solutions with very low TCA may not actually provide as much ROI as more expensive solutions. 9. IMPLEMENT APPROPRIATE TECHNOLOGIES THAT WILL MAINTAIN ACCEPTABLE LEVELS OF SECURITY A robust security capability must protect an organization s data, financial and other assets at an acceptable level, balancing the level of security with the security of the assets being protected. Osterman Research, as well as most other firms, recommends a security solution that provides multiple layers of protection at all levels of an organization s infrastructure at the gateway, server and client level and, increasingly, in the cloud. 10. FOCUS ON NEW APPROACHES TO MANAGING SECURITY The key advantages of the cloud model are that a) no investments in infrastructure are required, b) up-front costs are minimal, c) ongoing costs are predictable, and d) all management and upgrades of the system are managed by the cloud provider. A hybrid approach that combines on-premise with cloud services is an increasingly popular approach. For example, a vendor may provide a spamfiltering appliance on-site, but couple this with a cloud spam-filtering service that acts as a sort of pre-filter ; or they may rely on a cloud-based anti-malware service and desktop anti-virus tools. Many organizations are deploying their own hybrid solutions, mixing and matching various vendors cloud and on-premise offerings into a customized hybrid solution. A robust security capability must protect an organization s data, financial and other assets at an acceptable level, balancing the level of security with the security of the assets being protected. The advantage of this layered, hybrid approach is that the on-premise infrastructure is protected from unanticipated events like spikes in spam traffic or overall increases in the volume of malicious traffic over time. This helps to preserve the on-premise investment and maintain stable performance of the IT infrastructure as measured by metrics like message delivery time or latency in delivering Web pages Osterman Research, Inc. 10

12 ABOUT WEBTITAN SpamTitan, a provider of sophisticated enterprise level and Internet security solutions, is a global company with customers utilizing their software in five continents. Customers range from small businesses with as few as 10 users to organizations with 40,000-plus users. SpamTitan offers small and medium size businesses comprehensive protection from threats, including spam, viruses, Trojans, Phishing, Malware and other unwanted content. SpamTitan s unique approach in utilizing next-generation virtualization software eliminates the need for unwieldy hardware, giving customers unparalleled flexibility, versatility and scalability but at an affordable price. Integrating best-of-breed technologies, SpamTitan provides an easy to install, easy to manage and highly secure gateway. SpamTitan is also used by many Internet Service Providers to offer managed services to their clients. SpamTitan is one of a select few security vendors to have achieved VMware s Certified Virtual Appliance status and was one of the first products to be awarded the certification. WebTitan is a comprehensive gateway Internet monitoring, filtering and reporting solution allowing an organisation to manage internet usage, improve network security and reduce bandwidth demands with flexible reporting and tight firewall integration. Its protects an organization s data and users from malware and other internet threats such as viruses, spyware, and phishing as well as providing user policy browsing tools to ensure corporate internet policy is adhered to in the new world of Web 2.0. WebTitan allows you to block or limit access to designated sites and easily manage the organisations Internet usage Osterman Research, Inc. 11

13 2013 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader s compliance with any laws (including but not limited to any act, statue, regulation, rule, directive, administrative order, executive order, etc. (collectively, Laws )) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL. i ii iii iv v vi vii viii ix x xi xii xiii xiv xv xvi xvii xviii xix xx xxi xxii xxiii xxiv xxv xxvi xxvii xxviii xxix xxx xxxi xxxii intellectual-property-theft-cyber-security Size-Increased-Q Study-Finds shtml Source: PrivacyRights.org Phishing-Attack / theft_of_560_000_ _000_online_theft helped_web_thieves_steal_millions/ Source: Webroot Software, Inc. ct_return=1 verizon-dbir-researchers-debunk-2013-security-predictions-inbox-9-x.html tabid/117/default.aspx Osterman Research, Inc. 12