AKAMAI WHITE PAPER. Weighing Risk Against the Total Cost of a Data Breach: Can You Afford a Web Application Layer Attack?

Transcription

1 AKAMAI WHITE PAPER Weighing Risk Against the Total Cost of a Data Breach: Can You Afford a Web Application Layer Attack?

2 Weighing Risk against the Total Cost of a Data Breach: Can You Afford a Web Application Layer Attack? 2 TABLE OF CONTENTS INTRODUCTION 3 WEB APPLICATIONS ARE EASY PREY 3 THE ATTACKER S REAL GOAL: PERSONALLY IDENTIFIABLE INFORMATION (PII) 3 WHO IS RESPONSIBLE 4 THE COST OF A BREACH 4 ADAPTING THE CORPORATE RISK MODEL 5 HOW TO CALCULATE THE POTENTIAL IMPACT OF A DATA BREACH 5 MITIGATION STRATEGIES 6 HOW AKAMAI CAN HELP 6 CONCLUSION 7

3 Weighing Risk against the Total Cost of a Data Breach: Can You Afford a Web Application Layer Attack? 3 Introduction The advent of the Internet has resulted in an ever-expanding data ecosystem. Unfortunately, this has also led to an increase in data breaches and identity theft. While attackers are still motivated by crime (to gain money), politics (to gain power and influence), and espionage (to gain market advantage), they also want to steal your information and resources, change your messaging, and stop or disrupt your online activity. A successful data breach through an attack on web applications is one of the strongest weapons in a cyber-criminal s arsenal. Whether your data is at risk is not the only question. You should also consider how much risk a data breach would pose to your business. How much would it cost to compensate losses, mitigate a web application attack, deploy new mitigation equipment and earn compliance recertification? Most of all, how long would it take to recover from the damage to your reputation and potential loss of customers? This white paper presents a proven, industry-standard approach to determining a company s risk of web application cyber-attacks. Determining that level of risk can help you estimate the total potential financial impact of a data breach. This equation can help you justify the cost of proactively deploying cybersecurity products and services to protect against web application attacks, including those that could lead to data breaches. Web Applications are Easy Prey Data breaches are one of the most complex security issues to mitigate. Even when an organization s departments are aligned and working together efficiently, safeguarding web applications can be complex; considerations have to be made for application type, scalability, operating platforms, user functions and more. In addition, security requirements and implementations can vary widely within an organization. For instance, one web application might require a username and password which enables full access, while another may require detailed role-based access controls and strict authentication mechanisms. The complexities of resulting application stacks, combined with changing or poorly-defined requirements, have resulted in countless vulnerabilities; thousands of vulnerabilities 1 are disclosed each year. The Attacker s Real Goal: Personally Identifiable Information (PII) Applications are used to gather, process, share, and transform data, but when the application is not running, the data often has to be stored for future retrieval and use. How do you do this while implementing reasonable, cost-effective security controls? To provide a base level of security, the data may be stored in an encrypted format. However, the application or even end-users still need to access unencrypted information. Attackers will often try to trick the system into disclosing this data any way they can. Cyber adversaries will target every input, every parameter, every cookie and every request header in search of a viable compromise that allows them to inject malicious payloads. The attacker s hope is that the system will process these inputs and disclose useful tidbits that eventually lead to data exfiltration. What kind of data do attackers seek? User table data is a popular target because people often reuse the same usernames and passwords across multiple websites and applications. In addition to user table data, financial data, such as bank account numbers and credit card numbers, are targeted, but surprisingly these are not the top data targets. Ideally, attackers want personally identifiable information (PII). With the right combination of PII, cyber criminals can create new credit accounts; make purchases on those credit accounts, and even craft new identities. For example, imagine that you are a prominent doctor in Ohio. Your identity and business information are leaked due to a web application data breach at a medical supplier that serves your practice. This information could then be used to create valid, new identification cards in other states. In addition, applications for credit can be processed in your name and criminal charges could be filed against this new identity (in your name). This is just the tip of an identity theft nightmare that can take many years to resolve.

4 Weighing Risk against the Total Cost of a Data Breach: Can You Afford a Web Application Layer Attack? 4 Who is Responsible? Unfortunately the bad guys don t always pay for their crimes. In this case, the victims typically shoulder the responsibility for all losses. Organizations storing PII data can often be held liable for data breaches, especially if they cannot prove that they practiced due diligence when it comes to protecting the unauthorized access to that data. Even in the best case where the affected organization is not legally liable, they can suffer significant loss to brand loyalty, a decline in customer satisfaction and/or damage to the corporate reputation. In almost all cases, the holder of the data is ultimately responsible for its protection. If that data is lost or stolen, the trust established by the data providers is violated. It is costly sometimes impossible to fully recover. Yet even if responsibility is transferred to a third-party data holder, the organization that was targeted with the data breach still suffers damage to its brand and corporate reputation, which can lead to additional financial losses. The Cost of a Breach Data breaches are often fodder for the headlines. Recently, attackers breached a critical system in a well-known organization and stole nearly $10 million using relatively unsophisticated methods and tactics. During the investigation it was determined that the attackers could have gained access via several paths, including an insecure web gateway system, a poorly updated web management system, or the public-facing corporate website. The initial theft of $10 million was a tangible loss to the company, but it had the smallest financial impact. Additional costs and fees for post-attack analysis by third-party response teams, credit protection services, secondary audits and compliance recertification, litigation and ancillary solutions tacked on millions more to the initial $10 million loss. The total cost of the breach was $100 million. The following breakdown explains how it happens: Compensate Losses Due to Fraud: Usually applicable to credit card data theft, these financial losses reimburse customers for fraudulent charges. Be aware that these initial costs are only the beginning of the financial outlay required to fully resolve the data breach and protect against future attacks. External Credit Monitoring Services: Organizations may pay anywhere from $30 to $100 per record for monitoring services. When multiplied by millions of records with PII data, the cost to the organization is staggering. External Incidence Response Team: Due diligence after a data theft usually requires a third-party team to determine what data was lost and to close any security holes that allowed the intruders access. The cost: $3.5 million on average 2, but it can be much higher. External Audit Team Cost: Organizations may lose compliance and other industry certifications due to a data breach. Bringing in an external audit team can raise the total cost of the breach by hundreds of thousands of dollars, or even as much as $1 million. Compliance Recertification: In addition to an audit, compliance recertification costs add hundreds of thousands of dollars more in addition to the recovery costs. New Mitigation Equipment Cost: To protect against future data breaches, organizations must take proactive measures to enhance web security with new mitigation equipment and services. New Specialized Employee Cost: The trend is for IT departments to trim their budgets, but managers may find they need to find additional funds (quickly) to hire engineers who specialize in web security. Potential Litigation Expenses: In many cases, customers who had their PII data stolen or compromised may file suit against the victim organization for sizable monetary damages. Both public and private organizations lose business and customer loyalty when their brand is damaged due to data theft. The public perceives that they are unable to protect customer data. In addition, stock prices may decline after a cyber-attack, due to reduced investor confidence, and companies that have been attacked often experience a sizable dip in expected revenue.

5 Weighing Risk against the Total Cost of a Data Breach: Can You Afford a Web Application Layer Attack? 5 Adapting the Corporate Risk Model Assessing the potential financial impact of web application attacks and the data breaches that can result is an important first step toward building a strong defense against data breaches. However, the vast majority of companies have never calculated the total potential financial loss that could result from a data breach. On the other hand, most companies do have a risk model to support corporate decision-making, and this model can be easily adapted to data breach risk planning. When it comes to corporate risk, there are three main avenues management may choose to take: 1. Accept risk as part of the cost of doing business, if the risk is low enough from a financial perspective. 2. Transfer risk to a third-party who will be financially liable for a portion of the risk. However, transferring to a third-party cannot protect an organization from damage to corporate and brand reputation after a data breach. 3. Purchase insurance against the risk of cyber-attack or data breach. However, the financial risk associated with online business activities is extremely large and consequently, insurance coverage has become nearly impossible to acquire or too expensive to afford. Competitive organizations will take responsibility for proactively determining the financial risk of cyber-attacks and resulting data breaches. The simple risk model below reflects typical categories among global companies today: Low Risk Medium Risk High Risk Potential loss < $25 million Potential loss $25 to $100 million Potential loss > $100 million Although this is an abbreviated risk model and acceptable risk varies from company to company, it illustrates that most companies map risk into buckets. Each bucket typically has a tangible financial risk associated along with some sort of acceptance of risk policy. This allows companies to prioritize budgets according to the largest business risk. Because the risk is associated with the enterprise IT infrastructure, data breaches are almost always in the high-risk bucket and have a high-priority spot in the annual budget. How to Calculate the Potential Impact of a Data Breach There are many factors that can be considered when estimating financial impact of a data breach. In most cases, however, the simplest method will suffice. An easy way to calculate the impact of data breach is to use this formula: Cost per Record X Number of Records = Potential Cost of Breach According to a recent study by the Ponemon Institute 3, the global average cost per record is estimated at $130 to $136. In the US and Germany, the average cost per record for data breaches ranges from $188 to $199. This makes sense due to the high sensitivity of U.S. and German consumers with regard to their personal privacy and financial safety. The estimates from the Ponemon Institute correlate fairly well in the example cited above. If 35,000 records were breached, at a real cost of $10 to $13 each, the full cost of a breach would equate to roughly 10 times the original cost of the information asset. As a rule of thumb, U.S. companies should use the $188 average cost-per-record when calculating the potential cost of a data breach.

6 Weighing Risk against the Total Cost of a Data Breach: Can You Afford a Web Application Layer Attack? 6 Mitigation Strategies IT s goal is to stop attackers before they access PII data. There will never be a solution that completely eliminates all threats to a business. However, by implementing several key mitigation techniques and strategies, companies can significantly reduce the potential impact of an attack leading to a data breach, thus reducing the overall risk to the business. Reduce Attack Surface: Only advertise and allow necessary services and restrict all others. Validate Responders: Validate source and destination responders through methods beyond source and destination IP to prevent route hijacking and man-in-the-middle attacks. Absorb and Deflect Attacks Close to the Attacker: Utilize cloud services that can push the mitigation of application attacks closer to the attack and away from your application. Cloud services will typically have more up-to-date protections than origin-managed devices and services, which will further reduce potentially vulnerable attack surfaces. Defense in Depth: Perform request inspection at multiple points in the inbound request path, ideally in a tiered fashion so that the majority of clearly malicious requests could be denied close to the originating source. Visibility: Inspect request characteristics and feed that data into event management systems. This enables businesses to react quickly to attacks. By enabling this end-to-end request and response view, business have the information to quickly and effectively correlate data and mitigate attacks as soon as they occur. How Akamai Can Help Regardless of the level of risk, the best mitigation strategy against data breaches starts with cyber security protection of the web application layer. Akamai helps customers protect against web application attacks with a scalable and cloud-based web application firewall (WAF) strategy that maintains the performance and integrity of web applications. Akamai s Kona Site Defender is a highly scalable edge defense service architected to detect and mitigate potential attacks against web applications, including distributed denial of service (DDoS) attacks as well as data exfiltration attempts such as SQL injections, as they pass through Akamai s Intelligent Platform to reach origin data centers. Kona Site Defender is designed to scale instantly to preserve performance and filter attack traffic close to the source, protecting an organization s infrastructure and keeping its web applications up and running.

7 Weighing Risk against the Total Cost of a Data Breach: Can You Afford a Web Application Layer Attack? 7 Conclusion The unfortunate truth is that cybercrime is not going away; your customers personal data will always be at risk for theft and misuse. The need for cyber security to protect PII data has never been more critical as organizations collect an ever-increasing volume of personal data about customers and business partners. Organizations must be tenacious about the protection of publicly accessible information access points. Also, depending on the type of data breach, executives must protect themselves from criminal as well as civil penalties. With all the new privacy laws and regulations, executives must understand the personal as well as the financial risk of good enough security strategies. Akamai recommends the following key actions as the foundation of a strong defense against data theft: Protect publicly accessible infrastructure with a scalable web application firewall strategy Layer attack mitigation technologies and continuously update them Keep management apprised of risks and tradeoffs Adjust corporate risk models to account for the number of PII records potentially at risk Most importantly, organizations must be keenly aware of the total potential financial impact of web application layer cyber-attacks and the PII data theft that can result. By using a simple, but industry-accepted cost-of-breach equation, management can easily determine the organization s total financial risk and budget accordingly for the mitigation solution that can protect them against millions or even billions of dollars in losses. Do the math and gain peace of mind that your customers personal data will not fall into the wrong hands.

8 Weighing Risk against the Total Cost of a Data Breach: Can You Afford a Web Application Layer Attack? 8 Sources: 1 National Institute of Standards. NVD - Statistics Search. NVD - Statistics Search. National Institute of Standards, 21 July Web. 21 July < 2 Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis. Retrieved July 30, 2014, from 3 Ponemon Institute: As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company s advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit or blogs.akamai.com, and on Twitter. Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 40 offices around the world. Our services and renowned customer care enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 05/15.