Cyber Security on the Offense: A Study of IT Security Experts

Transcription

1 Cyber Security on the Offense: A Study of IT Security Experts Co-authored with Radware Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report

2 Cyber Security on the Offense: A Study of IT Security Experts Ponemon Institute, November 2012 Part 1. Introduction We are pleased to present the findings of Cyber Security on the Offense: A Study of IT Security Experts authored by Radware and Ponemon Institute. The purpose of the study is to understand organizations recognition of the need to operate on the offense to prevent and detect cyber attacks. Further, the study looks at their ability to deploy offensive tactics such as prevention and counter measures to protect their organizations As cyber attacks grow in sophistication and stealth, organizations are urged to be proactive in addressing the threats. As revealed in this research, a major consequence of not preventing attacks such as DDoS (denial of service) can be costly. On average DDoS attacks are costing companies approximately $3.5 million annually, according to the findings of this research. 1 Other negative consequences include lost intellectual property, declines in productivity, damage to brand and reputation and lost revenue. These findings are corroborated in other Ponemon Institute studies. In this study, we surveyed 705 IT and IT security practitioners. Most report directly to the Chief Information Officer (61 percent) and 21 percent report to the Chief Information Security Officer. Sixty-two percent of respondents are at the supervisor level or higher with an average of more than 11 years experience. All respondents have, to some degree, responsibility for managing their organization s cyber security activities. Some of the most noteworthy findings include the following: Critical Counter Techniques The IT security experts surveyed agree that cyber attacks are more difficult to prevent than detect. That is why in this study they rate technologies that neutralize DDoS attacks, halt the attackers computers and pinpoint the attacker s weak spots as critical to achieving a strong cyber security posture. The majority of organizations (64 percent) say the severity of cyber attacks is on the rise yet less than half say they are vigilant in monitoring attacks. The most negative consequence experienced by organizations in this research as a result of a cyber intrusion is the loss of intellectual property. The average amount of downtime following a DDoS attack is 54 minutes and the average cost for each minute of downtime was about $22,000. However, the cost can range from as little as $1 to more than $100,000 per minute of downtime. Critical to achieving a strong cyber security posture is the ability to have visibility into the motives of the cyber criminal, network infrastructure and applications. Insufficient visibility of people and business processes is most often cited as a barrier to achieving a strong cyber security posture. The majority of respondents give their organizations an average or below rating for the ability to launch or implement a counter technique against hackers and other cyber criminals. Only 29 percent say their organizations are above average. Availability of information and systems to those who need it is the most important cyber security business priority. 1 To determine the average annual cost we used the following calculation: $21,699 (average cost per minute of downtime) x 53.5 minutes (average amount of downtime as a consequence of one DDoS attack) x average number of DDoS attacks in the past 12 months = $3,482, Ponemon Institute Research Report Page 1

3 Part 2. Key Findings Following is an analysis of the key findings in this research. The complete audited findings of this research are presented in the appendix of this report. We have organized the report according to the following themes: Cyber attacks are outpacing many organizations ability to respond. Respondents perceptions about the threats and barriers to achieving an effective offensive approach to cyber risk. Organizations need to build a stronger offense. Cyber attacks are outpacing many organizations ability to respond. Severity of cyber attacks is believed to be on the rise. According to Figure 1, the majority of respondents (64 percent) say the severity of cyber attacks experienced by their organization is on the rise yet only 29 percent agree that they have the in-house expertise to launch counter measures against hackers and other cyber criminals. Figure 1. Current perceptions and response to cyber attacks Strongly agree and agree response combined The severity of cyber attacks is on the rise 64% My organization is vigilant in monitoring cyber attacks Launching a strong offensive against cyber criminals is very important Security budget is sufficient for mitigating most cyber attacks 44% 44% 48% My organization has in-house expertise to launch counter measures against cyber criminals 29% 0% 10% 20% 30% 40% 50% 60% 70% Less than half of organizations say they are vigilant in monitoring attacks (48 percent). Possible reasons holding organizations back in addressing the attacks include lack of sufficient budget and not embracing the importance of launching a strong offensive against hackers and other cyber criminals, (both 44 percent). Ponemon Institute Research Report Page 2

4 Many organizations are lagging behind in their effectiveness to combat attacks and intrusions. Despite the recognition that cyber attacks are on the rise, 36 percent say their effectiveness is not improving but staying the same (Figure 2). Thirty-five percent of respondents say their organizations are less effective in dealing with attacks. Only 29 percent say their organization s cyber security posture is more effective in combating attacks and intrusions. The increase in frequency and severity of cyber attacks could be the reason. When asked what they thought about the current state of cyber risk, 64 percent of respondents say both frequency and severity are increasing and only 10 percent say they are decreasing. Figure 2. Effectiveness in combating cyber attacks The same in terms of its effectiveness in combating attacks and intrusions 36% Less effective in combating attacks and intrusions 35% More effective in combating attacks and intrusions 29% The most negative consequence of a cyber intrusion is the loss of intellectual property. When asked to rank the severity of consequences Figure 3 shows that by far organizations are losing intellectual property (including trade secrets). Other negative consequences are productivity declines and reputation damage. The security layers most vulnerable are the data and application layers. Figure 3. Negative consequences of a cyber attack 8 = most severe to 1 = least severe 0% 5% 10% 15% 20% 25% 30% 35% 40% Lost intellectual property/trade secrets 7.5 Productivity decline 6.8 Reputation damage Lost revenue Customer turnover Stolen or damaged equipment Cost of outside consultants and experts Regulatory actions or lawsuits Ponemon Institute Research Report Page 3

5 Lack of visibility and inability to protect against mobile and negligent insiders is putting organizations at risk. Visibility can be defined as an organization s ability to observe or record what employees are doing when logged onto their business computers, including mobileconnected devices such as laptops, smart phones, notebooks, tablets and other devices. As shown in Figure 4, respondents believe this lack of visibility is the greatest area of potential cyber security risk. Other risks that worry respondents are: mobile/remote employees, negligent insiders and third-party applications. Figure 4. Greatest areas of potential cyber security risk Three responses permitted Lack of system connectivity/visibility Mobile/remote employees Negligent insiders Across 3rd party applications Cloud computing infrastructure and providers Organizational misalignment and complexity Mobile devices such as smart phones Malicious insiders Desktop or laptop computers Network infrastructure environment Removable media and/or media (CDs, DVDs) Virtual computing environments Within operating systems The server environment Data centers 8% 7% 6% 6% 15% 13% 34% 32% 31% 29% 28% 25% 24% 22% 20% 0% 5% 10% 15% 20% 25% 30% 35% 40% Ponemon Institute Research Report Page 4

6 DDoS attacks are costly. Sixty-five percent of organizations represented in this study had an average of three DDoS attacks in the past 12 months. The average amount of downtime that their organization s network or enterprise systems experienced as a result of one DDoS attack was about 54 minutes, as shown in Figure 5. Figure 5. Average downtime after one DDoS attack 25% 22% 20% 16% 15% 10% 5% 10% 13% 11% 9% 5% 4% 10% 0% Less than 1 minute 1 to 10 minutes 11 to 20 minutes 21 to 30 minutes 31 to 60 minutes 1 to 2 hours 3 to 5 hours More than 5 hours Cannot determine Figure 6 shows that the average cost for each minute of downtime, which includes lost traffic, diminished end user productivity and lost revenues, was about $22,000. The cost can range from as little as $1 to more than $100,000 per minute of downtime. We calculated that these attacks average companies more than $3,482, annually. Figure 6. Cost per minute of downtime 25% 21% 20% 15% 12% 15% 15% 11% 10% 5% 1% 8% 7% 5% 5% 0% $1 to $10 $10 to $100 $101 to $1,000 $1,001 to $5,000 $5,001 to $10,000 $10,001 to $25,000 $25,001 to $50,000 $50,001 to More than $100,000 $100,000 Cannot determine Ponemon Institute Research Report Page 5

7 The majority of organizations are using anti-virus/anti-malware and anti-ddos to deal with cyber attacks. Figure 7 reveals the cyber defenses most frequently considered important to protect their organizations from attacks or intrusions are anti-virus/anti-malware, anti-dos/ddos (denial of services) and identity and authentication systems. Figure 7. Cyber defenses most important Very important and important response combined Anti-virus/anti-malware Anti-DoS/DDoS Identity and authentication systems Intrusion prevention systems Intrusion detection systems Secure network gateways Endpoint security systems Security intelligence systems including SIEM Web application firewalls Content aware firewalls 75% 71% 64% 59% 56% 52% 51% 51% 50% 50% 0% 10% 20% 30% 40% 50% 60% 70% 80% The least important cyber defenses are shown in Figure 8. Although respondents are concerned about employees mobile devices, only 26 percent of respondents say mobile device management is important. Also not considered as important are enterprise encryption for data at rest and ID credentialing, including biometrics. Figure 8. Cyber defenses not as important Very important and important response combined Secure coding in the development of new applications Data loss prevention systems 47% 45% Enterprise encryption for data in motion Other crypto technologies including tokenization ID credentialing including biometrics Enterprise encryption for data at rest 39% 38% 36% 32% Mobile device management 26% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Companies are using outside security services providers (MSSP) to help deal with attacks and intrusions. On average, 24 percent of their organizations security defenses are managed outside Ponemon Institute Research Report Page 6

8 and the most typical services are remote perimeter management and penetration and vulnerability testing. Respondents perceptions about the threats and barriers to achieving an effective offensive approach to cyber risks. Respondents are clear about the major threats and barriers they face. We asked respondents to rank specific cyber security threats according to their risk mitigation priority within their organizations. According to Figure 9, organizations are most concerned about addressing denial of service (DoS), server-side injections (SSI) and distributed denial of service (DDoS). The following threats are ranked as a lower priority for risk mitigation: phishing and social engineering, web scrapping and cross-site scripting. Figure 9. Cyber security threats according to risk mitigation priority 10 = highest priority to 1 = lowest priority Denial of service (DoS) Server side injection (SSI) Distributed denial of service (DDoS) Viruses, worms and trojans Malware Botnets Malicious insiders Cross-site scripting Web scrapping Phishing and social engineering Ponemon Institute Research Report Page 7

9 The biggest barrier to achieving a strong cyber security posture is the lack of visibility into the enterprise and user behavior. Critical to achieving a strong cyber security posture is the ability to have visibility into the motives of the cyber criminal, network infrastructure and applications. Figure 10 reveals that respondents believe the biggest barrier to creating a strong security posture is insufficient visibility of people and business processes. Insufficient resources or budget and lack of effective security technology solutions are also major barriers. Only 22 percent say it is the lack of assessment of cyber security risks. Figure 10. Barriers to achieving a strong cyber security posture Two responses permitted Insufficient visibility of people and business processes 44% Insufficient resources or budget Lack of effective security technology solutions 35% 34% Lack of oversight or governance 27% Insufficient assessment of cyber security risks Lack of skilled or expert personnel 19% 22% Complexity of compliance and regulatory requirements Lack of leadership 8% 10% Other 1% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Ponemon Institute Research Report Page 8

10 To reduce cyber risks organizations need to build a strong offense. Availability is the cyber security priority for many organizations. We asked respondents to select the top security objectives in terms of being a business priority within their organization. As shown in Figure 11, availability of information and systems to those who need it is considered most important. Compliance with regulations and laws is a close second. Maintaining the integrity or original state of information is about an average priority. Less important are confidentiality of sensitive and confidential information and interoperability. Figure 11. Ranking of cyber security objectives in terms of a business priority objective 5 = highest priority to 1 = lowest priority Availability Compliance Integrity Confidentiality Interoperability Ponemon Institute Research Report Page 9

11 Cyber attacks are more difficult to prevent than detect. Seventy-five percent say the attacks are difficult to stop and 60 percent say they are difficult to detect. Accordingly, as shown in Figure 12, 67 percent say technology that neutralizes denial of service attacks before they happen is important and 60 percent say it is technology that slows down or even halts the attacker s computers. Figure 12. Counter technique capabilities most important Very important and important response combined 68% 66% 64% 67% 62% 60% 58% 56% 54% 52% Technology that neutralizes denial of service attacks before they happen 60% Technology that slows down or even halts the attacker s computers 58% Technology that pinpoints the attacker s weak spots Network intelligence technologies are considered most promising to deal with cyber threats. Fifty-seven percent of respondents place importance on technologies that provide intelligence about networks and traffic, as shown in Figure 13. This is followed by 33 percent who say it is technologies that provide intelligence about attackers motivation and weak spots and technologies that secure information assets. Least valuable are technologies that secure the perimeter. Figure 13. Technologies most favored Two responses permitted Intelligence about networks and traffic technologies 57% Security of information assets technologies Intelligence about attackers motivation and weak spots technologies Insider threat minimizing technologies 33% 33% 31% Simplifying threat reporting technologies Endpoint security technologies including mobile devices Perimeter security technologies 10% 15% 21% 0% 10% 20% 30% 40% 50% 60% 70% Ponemon Institute Research Report Page 10

12 Counter techniques enable companies to thwart an attacker s offensive maneuvers while maintaining its defensive position. Seventy-one percent of respondents give their organizations an average or below rating for the ability to launch or implement a counter technique against hackers and other cyber criminals (Figure 14). Only 29 percent of respondents say their organizations are above average. Figure 14. Ability to launch a counter technique against a cyber criminal 1 = unable to perform counter technique to 10 = fully capable 20% 18% 16% 14% 12% 10% 8% 6% 4% 2% 0% 16% 19% 17% 11% Figure 15 shows that the main reasons for not being effective in launching a counter measure or technique is the lack of enabling technologies and resources or budget. Also significant is the dearth of expert personnel and the fact that very often counter measures are not a security priority. Figure 15. Reasons for not being fully capable of launching a counter technique More than one response permitted 80% 70% 8% 1 (weak) (strong) 71% 69% 5% 7% 5% 9% 3% 60% 50% 53% 53% 40% 30% 20% 10% 0% Lack of enabling technologies Lack of resources or budget Do not have ample expert personnel Not considered a security-related priority 2% Other Ponemon Institute Research Report Page 11

13 According to Figure 16, if respondents rated their organizations above average, the counter techniques deployed against hackers and other cyber criminals are manual surveillance methods and close examination of logs and configuration settings. Figure 16. Methods for performing counter techniques More than one response permitted 80% 70% 60% 67% 61% 50% 40% 43% 30% 20% 10% 0% Manual surveillance methods Close examination of logs and configuration settings Use of security intelligence tools 2% Other Ponemon Institute Research Report Page 12

14 Comparison of three industries In this section we compare three industry sectors namely, financial service, public sector (government) and health and pharmaceutical organizations. Please note that only these three industries had large enough sub-samples to be culled out of the total sample and analyzed separately. 2 The following bar chart compares three industry sectors according to their average ranking of eight negative consequences that they experienced as a result of a cyber attack or intrusion (wherein 8 is the most severe consequence). As can be seen in Figure 17, productivity declines are considered a very severe consequence among respondents in all three industry sectors. However, reputation damage and lost revenue appears to be less severe for the public sector. In contrast, respondents in financial services rate reputation damage, customer turnover and regulatory action as a more severe consequence of a cyber attack than the other sectors. Finally, organizations in healthcare and pharmaceuticals rate productivity decline, lost revenue, lost intellectual property and regulatory actions as a more severe consequence of a cyber attack than financial services and public sector organizations. Figure 17. Most severe consequences of a cyber attack for three industry sectors 8 = most severe to 1 = least severe Productivity decline Reputation damage Lost revenue Lost intellectual property Customer turnover Regulatory actions or lawsuits Stolen or damaged equipment Cost of consultants and experts Health & pharmaceuticals Public sector Financial services 2 The sample sizes are as follows: financial services (n = 134), public sector (n = 93) and health & pharmaceuticals (n = 78). Ponemon Institute Research Report Page 13

15 Figure 18 reports the average frequency of denial of service attacks experienced by financial service, public sector and health and pharmaceutical companies over the past 12 months. As can be seen, public sector organizations experienced a higher rate of DDoS attacks. Figure 18. Frequency of DDoS attacks experienced for organizations in three industries Financial services Public sector Health & pharmaceuticals Figure 19 summarizes the average amount of downtime that organizations in three industries experienced as a consequence of one DDoS attack. Here again, public sector organizations experience a longer period of downtime than financial service and health and pharmaceutical companies. Figure 19. Average downtime organizations in three industries Minutes of downtime Financial services Public sector Health & pharmaceuticals Ponemon Institute Research Report Page 14

16 Figure 20 reports the extrapolated cost incurred by organizations in three industries each minute of downtime. The estimated cost includes lost traffic, end-user productivity and lost revenues that occur because of denial of service attacks. As can be seen, financial service organizations experienced the highest cost per minute of downtime. In contrast, public sector organizations had a substantially lower cost of downtime estimate as shown below. Figure 20. Estimated cost per minute of downtime for organizations in three industries $35,000 $32,560 $30,000 $25,000 $23,519 $20,000 $15,000 $15,447 $10,000 $5,000 $- Financial services Public sector Health & pharmaceuticals Ponemon Institute Research Report Page 15

17 Part 3. Conclusion and recommendations As is revealed in this research, organizations are lagging behind in their ability to deal with the aggressive and sophisticated tactics of cyber criminals. The IT security experts surveyed give their organizations a below average score in their effectiveness to launch counter measures. To achieve a proactive cyber security posture, organizations should consider the following practices: Create a strategy and plan that puts emphasis on having a strong offense against hackers and other cyber criminals. Ensure internal IT staff as well as such external support as IT vendors and MSSPs are knowledgeable and available to respond to attacks before they take place. Support the strategy with the right technologies to prevent and detect cyber attacks. In this and other Ponemon Institute studies on cyber crimes, the financial and reputational consequences are well documented. Organizations that suffer attacks face real-world consequences. The findings of this research can help organizations make the business case for adopting a more proactive approach to the advanced persistent threats facing them. Ponemon Institute Research Report Page 16

18 Part 4. Methods A random sampling frame of 22,501 IT and IT security practitioners located in all regions of the United States were selected as participants to this survey. As shown in Table 1, 895 respondents completed the survey. Screening removed 139 surveys and an additional 51 surveys that failed reliability checks were removed. The final sample was 705 surveys (or a 3.1 percent response rate). Table 1. Sample response Freq. Pct% Total sampling frame 22, % Total returns % Rejected surveys % Screened surveys % Final sample % As noted in Table 2, the respondents average (mean) experience in IT, IT security or related fields is 11.4 years. Table 2. Other characteristics of respondents Mean Total years of overall experience 11.4 Total years in your current position 6.2 Pie Chart 1 reports the respondents primary industry segments. Nineteen percent of respondents are in financial services and 13 percent are in the public sector. Another eleven percent is in health and pharmaceuticals. Pie Chart 1. Distribution of respondents according to primary industry classification 4% 2% 2% 2% 1% 4% 5% 5% 5% 6% 6% 7% 8% 19% 11% 13% Financial services Public sector Health & pharmaceuticals Retail (conventional) E-commerce Industrial Services Energy & utilities Hospitality Technology & software Consumer products Transportation Communications Education & research Entertainment & media Agriculture & food services Ponemon Institute Research Report Page 17

19 Pie Chart 2 reports the respondent s organizational level within participating organizations. More than half (62 percent) of respondents are at or above the supervisory levels. Pie Chart 2. What organizational level best describes your current position? 4% 1% 2% 1% 17% Senior executive Vice president 33% Director Manager Supervisor 23% Technician Staff Consultant 19% According to Pie Chart 3, 61 percent of respondents report directly to the Chief Information Officer and 21 percent report to the CISO. Pie Chart 3. The primary person you or the IT security leader reports to within the organization 5% 3% 2% 2% 2% 4% Chief Information Officer Chief Information Security Officer 21% 61% Chief Risk Officer General Counsel Chief Financial Officer Compliance Officer Chief Security Officer Other Ponemon Institute Research Report Page 18

20 Forty-one percent of respondents say the CIO is most responsible for managing the cyber security posture and 21 percent say it is the CISO, as shown in Pie Chart 4. Pie Chart 4. The person most responsible for managing the cyber security posture 11% 12% 4% 3% 3% 2% 2% 1% 21% As shown in Pie Chart 5, 65 percent of respondents are from organizations with a global headcount of more than one thousand. Pie Chart 5. Global headcount 41% Chief information officer Chief information security officer No one person has overall responsibility Business unit management Outside managed service provider Chief risk officer Corporate compliance or legal department Chief technology officer Data center management Chief security officer 6% 4% 7% 9% < % 19% 100 to to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to 75,000 > 75,000 34% Ponemon Institute Research Report Page 19

21 Part 5. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response. Ponemon Institute Research Report Page 20

22 Appendix: Detailed Survey Results The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in September Survey response Freq Pct% Total sampling frame 22, % Total returns % Rejections % Screening reductions % Final sample % Part 1. Screening questions S1. How familiar are you with your organization s defense against cyber security attacks? Freq Pct% Very familiar % Familiar % Somewhat familiar % No knowledge (Stop) 90 11% Total % S2. Do you have any responsibility in managing cyber security activities within your organization? Freq Pct% Yes, full responsibility % Yes, some responsibility % Yes, minimum responsibility % No responsibility (Stop) 49 6% Total % Adjusted final sample 705 Part 2. Perceptions about the organization Strongly agree Agree Q1a. My organization is vigilant in monitoring cyber attacks. 22% 26% Q1b. My organization s security budget is sufficient for mitigating most cyber attacks (intrusions). 19% 25% Q1c. The severity of cyber attacks experienced by my organization is on the rise. 33% 31% Q1d. Launching a strong offensive against hackers and other cyber criminals is very important to my organization s security strategy. 17% 27% Q1e. My organization has the in-house expertise to launch counter measures against hackers and other cyber criminals. 11% 18% Part 3. Security environment Q2. Please rank each one of the following five (5) cyber security objectives in terms of a business priority within your organization from 5 = highest priority to 1 = lowest priority. Average rank Rank order Availability Integrity Confidentiality Interoperability Compliance Average 3.5 Ponemon Institute Research Report Page 21

23 Q3. Please rank each one of the following ten (10) cyber security threats in terms of a risk mitigation priority within your organization from 10 = highest priority to 1 = lowest priority. Average rank Rank order Malware Server side injection (SSI) Cross-site scripting Denial of service (DoS) Distributed denial of service (DDoS) Web scrapping Viruses, worms and trojans Botnets Malicious insiders Phishing and social engineering Average 6.2 Q4. Please rank each one of the following eight (8) negative consequences that your organization experienced as a result of a cyber attack or intrusion, from 8 = most severe to 1 = least severe. Average rank Rank order Lost revenue Lost intellectual property (including trade secrets) Stolen or damaged equipment Productivity decline Regulatory actions or lawsuits Reputation damage Customer turnover Cost of outside consultants and experts Total 5.2 Q5. Has the frequency and/or severity of cyber attacks experienced by your organization changed over the past 12 months? Pct% No change 20% Small increase (less than 10%) 25% Moderate increase (between 10% and 25%) 30% Increase Substantial increase (more than 25%) 9% 64% Small decrease (less than 10%) 5% Moderate decrease (between 10% and 25%) 3% Substantial decrease (more than 25%) 2% Decrease Cannot determine 6% 10% Total 100% Q6. What statement best describes changes to your organization s cyber security posture over the past 12 months? Pct% Our organization s cyber security posture is more effective in combating attacks and intrusions. 29% Our organization s cyber security posture is less effective in combating attacks and intrusions. 35% Our organization s cyber security posture remains the same in terms of its effectiveness in combating attacks and intrusions. 36% Total 100% Ponemon Institute Research Report Page 22