Cybercrime: the New Reality of Information Security

Transcription

1 Cybercrime: the New Reality of Information Security Christina Peters, Senior Counsel, Security and Privacy IBM Jack Danahy, Director for Advanced Security, IBM Security Systems Thomas X. Grasso, Jr. Supervisory Special Agent Federal Bureau of Investigation National Cyber-Forensics and Training Alliance

2 Cybersecurity Incidents: This is Not a Drill 540,000,000+: All Records Breached Since 2005 (est.) (privacyrights.org) $6,750,000: Average Cost Per Incident as of 2009 (ponemon.org) Average Cost Per Lost Record as of 2009: $204 (ponemon.org) 2

3 What are privacy professionals asking? What s behind cybercrime? What do cybercriminals do? How can you tell you re a target? What can you do? What are the implications for organizations and for society? What s the future outlook? What are governments doing? 3

4 The Underground Economy and Identity Trafficking Thomas X. Grasso, Jr. Supervisory Special Agent Federal Bureau of Investigation National Cyber-Forensics and Training Alliance 4

5 Cyber Underground A highly organized criminal network based primarily in Eastern Europe Consist of Specialized Cells for Specific Functions Utilize Web Forums to meet, cut deals, and exchange stolen data. Market for things bought/sold and advice 5

6 Cyber Criminal Activities Conduct network intrusion on merchant processors Write Viruses, Trojans and other Malware Use of Spam/Phishing to exploit banks, credit card users, online account holders Escrow and Auction Fraud Use of compromised credit cards and compromised online accounts to conduct reshipping operations 6

7 How They Work Computer Hackers Data Brokers Distribution Activities Counterfeit Document Producers Money Launderers 7

8 The world is becoming more digitized and interconnected DATA EXPLOSION The age of Big Data the explosion of digital information has arrived and is facilitated by the pervasiveness of applications accessed from everywhere CONSUMERIZATION OF IT With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared EVERYTHING IS EVERYWHERE Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more ATTACK SOPHISTICATION The speed and dexterity of attacks has increased coupled with new actors with new motivations from cyber crime to terrorism to state-sponsored intrusions 8

9 Targeted Attacks Shake Businesses and Governments Attack Type SQL Injection Bethesda Software URL Tampering Spear Phishing Fox News X-Factor Northrop Grumman IMF Italy PM Site 3 rd Party SW DDoS Citigroup Spanish Nat. Police Sega Secure ID Unknown Epsilon Sony Gmail Accounts PBS PBS SOCA Booz Allen Hamilton Vanguard Defense Size of circle estimates relative impact of breach HB Gary RSA L3 Communications Sony BMG Greece Lockheed Martin Malaysian Gov. Site Peru Special Police Nintendo Turkish Government Brazil Gov. AZ Police Monsanto SK Communications Korea US Senate NATO Feb Mar April May June July Aug 9 IBM Security X-Force 2011 Midyear Trend and Risk Report September 2011

10 There is Escalation in Potential for Damaging Impact National Security Espionage, Political Activism Monetary Gain Motive The national cybersecurity agenda is rising in importance Damage / Impact to Life and Property Nation-state actors; targeted attacks (advanced persistent threat) Competitors, hacktivists Organized crime, hackers and crackers with sophisticated tools, expertise and substantial resources Revenge Insiders, using inside information Curiosity Script-kiddies or hackers using tools, web-based how-to s Adversary 10

11 Cyber Security has Become a Board Room Discussion Business results Brand image Supply chain Legal exposure Impact of hacktivism Audit risk Sony estimates potential $1B long term impact $171M / 100 customers* HSBC data breach discloses 24K private banking customers Epsilon breach impacts 100 national brands TJX estimates $150M class action settlement in release of credit / debit card info Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony Zurich Insurance PLc fined 2.275M ($3.8M) for the loss and exposure of 46K customer records 11 *Sources for all breaches shown in speaker notes

12 Security Has Become a Complex Permutation People Employees Consultants Hackers Terrorists Outsourcers Customers Suppliers Data Structured Unstructured At rest In motion Applications Systems applications Web applications Web 2.0 Mobile apps Infrastructure Of Sources, Technologies, and Systems 12

13 Manual Automated Security Must Evolve to an Intelligence View Basic Organizations employ perimeter protection, which regulates access and feeds manual reporting Reactive Proactive Optimized Organizations use predictive and automated security analytics to drive toward security intelligence Proficient Security is layered into the IT fabric and business operations 13

14 Future Outlook Cybercrime trends Legislative and related activity White House Proposal and GOP response now available Various draft legislation in both houses IBM helping to launch ABA task force on legal issues related to cybersecurity Regulatory activity: SEC staff disclosure guidance 14

15 White House Cyber Security Agenda DHS Consolidation and FISMA Reform Data Privacy (PII) 15 Emerging Technologies and Cloud Computing End Game: Reduce Data Breaches

16 Congressional Attention Current bills: Cybersecurity Act of 2012 introduced 2/14/2012 by Sens. Lieberman (I-CT), Collins (R-ME), Rockefeller (D-WV) and Feinstein (D-CA) Lungren Information Sharing: Feinstein bill, also section 7 of Cybersecurity Act Rogers Cyber security often trumped by other pressing priorities Ongoing debate about which agency has priority jurisdiction over cyber security We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control But just as we failed in the past to invest in our physical infrastructure our roads, our bridges and rails we've failed to invest in the security of our digital infrastructure This status quo is no longer acceptable not when there's so much at stake. We can and we must do better. President Obama, May 29, 2009* *Source: FACT SHEET: Cybersecurity Legislative Proposal

17 References 2010/2011 CSI Computer Crime and Security Survey, IBM X-Force Threat Insight Quarterly Report, White House Cybersecurity Legislative Proposal, Recommendations of the House Republican Cybersecurity Task Force, Cybersecurity Act of 2012 (proposed) Cyber Intelligence Sharing and Protection Act of 2011 (Rogers & Ruppersberger) SEC CF Disclosure Guidance: Topic No. 2, 17

18 Contacts Christina Peters (720) Jack Danahy (603) Tom Grasso FBI Cyber Division (412) ext. 258 PGP Fingerprint: EB83 DBB B143 E1A2 A608 DC10 22F9 5ADD 12C5 18