Cyber Security Threats: What s Next and How Do We Reduce the Risks?

Transcription

1 Cyber Security Threats: What s Next and How Do We Reduce the Risks?

2 Agenda Cyber Security: A necessity! What threats exist today? What does the future hold? How do we reduce the risks? Key for Risk Reduction now and going forward Predictions

3 Why? - Motivation, Capability and Intent- C.H.E.W. Cybercrime - the notion that someone is going to attack you with the primary motive being financial Hactivism - attacks motivated by ideological differences. The primary focus of these attacks is not financial gain but rather persuading or dissuading certain actions or voices Espionage - straightforward motive of gaining information on another organization in pursuit of political, financial, capitalistic, market share or some other form of leverage War (Cyber) - the notion of a nation-state or transnational threat to an adversary s centers of power via a cyber-attack. Attacks could focus on non-military critical infrastructure or financial services or more traditional targets, such as the militaryindustrial complex First seen in 2008 with Russian invasion of Georgia

4 Indicative Statements of the Issue! 84% of firms indicate Security is critical and core to business offerings and ability to compete (Forrester Survey March 2015) In 2013, IBM reported that 90% of the world s data was created over the last two years (Big Data: Are you ready for blast-off? BBC News March 2014) Total Global Impact of CyberCrime [has risen to] US $3 Trillion, making it more profitable than the global trade in marijuana, cocaine and heroin combined. (2013 Europol Serious & Organized Threat Assessment) And The impact is still growing!!!

5 Current Status of Information Security Threat Overview % of firms suffered a data breach in the last year (Mimecast) 2014 Attacks last longer and are more continuous average duration one month Bad Guys 45% Outsiders, 55% Insiders (Malicious or Inadvertent) (IBM) The majority of attacks originate (50%) and take place in (59%) the U.S. (IBM) Average economic cost to a company that suffered a security breach in 2014 was $3.5 million a 15% jump over 2013 (Mimecast) Only 4% of the 17,000 weekly alerts get investigated Online criminals rely on users to install malware or help exploit security gaps Many (if not most) users use the same password across their accounts (Symantec)

6 The Human Factor

7 Current Status of Information Security Organizational Overview Less than 50% of organizations use standard tools such as patching and configuration to help prevent security breaches (avg. time-to-patch = 55 days (Symantec)) The average employee sends and receives 110 s per day and spends approximately 2.5 hours using every day (Osterman Research) Mobile devices (smartphones and tablets) are perceived as IT security s weakest link, followed by laptops and social media applications (CyberEdge Group) Malware and phishing give IT security professionals the most headaches (CyberEdge Group) 50 Billion devices will be connected to Internet by 2020 (New Horizons) No one is immune to threats The only positive byproduct from Security Breaches is to raise awareness of both the threats and the potential solutions

8 Threats Criminal Activity Hackers, Malware and Social Engineering (Phishing) Hactivists Nation States Dark Web Technology Cloud Shadow IT IoT (Internet of Things)

9 Cases 1 st Half of 2015 Anthem Nation s Second Largest Health Insurer 80 Million Records Targeted Attack Used external Storage provider for data exfiltration (i.e., Dropbox, Google Cloud or Microsoft One Drive) Premera Blue Cross Health Insurer 11 Million Records Targeted Attack strongly believed to be part of a Chinese APT campaign Five class action lawsuits filed thus far CEO facing questions from U.S. Senator Uber Service to hire cars via a mobile app - Database Breach 50,000 Drivers Occurred May 2014, Noticed Sept 2014, Notified Drivers Feb 2015

10 Cases 1 st Half of 2015 Forbes.com Thought for the Day Website Chinese team (Codoso) used zero day attack to take advantage of a vulnerability in the Web page and plant malicious software (malware) Biggby Coffee Database breach - only profile information stolen (names, addresses etc.) Morgan Stanley Insider Attack 10% of their client base was exposed and hundreds had information posted publicly Damage limited (caught early) Question, How a mid-level employee accessed hundreds of thousands of client records? "Data is the new currency, and employees have easy access to steal sensitive data for profit or to inflict damage. (Eric Chiu Pres. Hytrust)

11 What s on the Horizon? People/Users Targets and Complicit Enablers and sometimes the bad guys = the real issue Living off the land Third Parties Trust but Verify! Have any of your suppliers been breached? Internet of Things Greatly expands the attack vectors and surfaces Cloud Services Where is your data and how is it protected?

12 Reducing Your Risks There is no such thing as 100% security and it is impossible to eliminate all risk and still conduct business! Focus on Monitoring and on Internal Controls Third Party Connections Segmentation/Compartmentalization of Networks Is Essential Awareness is Key more than just one-and-done - Create a Security Culture While prevention is important, detection and response need greater emphasis If you can reduce the time between the initial infection and its discovery and remediation, you reduce your risk of damage Keep yourself educated about the latest threats, and make it part of your company s culture to have the right security procedures and processes in place and followed. What Cyber events are occurring in your industry?

13 Key for Risk Reduction Core Component Greater Engagement by Sr. Management and the Board Do you have sufficient Security Policies, Processes, Procedures and Strategy in place and is your spending appropriate based on the risk to your organization?

14 Predictions Increasing use of Cloud services will be accompanied by increased attempts by hackers to gain access to online systems Nation states will aggressively target western companies for financial gain or financial destruction Banks almost entirely interconnected and online As the Internet of Things (IoT) evolves, and there are more people-less devices on the Internet than people with devices there will be inevitable accidents of potentially great magnitude The industrial Internet will be increasingly targeted Corporations and vendors that are found failing to meet regulatory standards in regards to security and privacy can expect to receive significant fines

15 Important Notes to Remember A strong security posture moderates the cost of cyber attacks (Ponemon) There is no Silver Bullet or One-size-fits-all Solution Need to Integrate Security Solutions (Forrester) Human layer is definitely the most vulnerable Human beings are the most sophisticated detection devices you ve got (Jason Straight Chief Privacy Officer, UnitedLex) If you just cover the basics you eliminate 90% of the threats! (J. Carter)

16 There is No Going Back!

17 How can we help you? Questions?

18 Questions the C-Suite Should be Asking??? What controls do we have in place? How well have they been tested? Do we have a reporting process? How quickly can we detect and remediate the inevitable compromise? Is our response plan complete, up-to-date and tested/practiced? What else should we know? (How will an Information Security Breach affect my organization?)