Cyber Confrontation: Hackers Convincing Victory Over the Security Industry

Transcription

1 Your texte here. Cyber Confrontation: Hackers Convincing Victory Over the Security Industry Ilia Kolochenko, High-Tech Bridge, CEO Regional Cyber Security Summit 20 th of April 2014

2 From where does the claim come? Cost of the global cybercrime is about $300 billion per year - Center Your texte for here Strategic. and International Studies (CSIS) and McAfee (2013). The global price tag of consumer cybercrime is $113 billion annually. Cost per cybercrime victim increased by 50% Symantec (2013). Companies experience in average 2 successful attacks per week - Ponemon Institute and Hewlett-Packard (2013). 86% of all websites have at least one serious vulnerability WhiteHat Security (2013). On average 30,000 new websites are hacked every day to distribute malware to any users passing by - Sophos Labs (2013).

3 What experts are saying (2013)? Your We texte are here not winning. the war on online criminal activity. The threat of a cyber attack to the UK is so serious it is marked as a higher threat than a nuclear attack - Keith Vaz, Chairman of the United Kingdom Home Affairs Select Committee. "Possibly the most alarming is that [ ] organizations are misjudging the severity of risks they face from cyber attacks from a financial, reputational, and regulatory perspective" - Bob Bragdon, Vice President and Publisher, CSO. "There were no significant changes in C-Suite threat awareness, no spikes in spending on cyber-defense, no breakthroughs in the use of technology to combat cybercrime. When organizations fall victim to cyberattacks, only then do they realize the time to take action was yesterday State of Cybercrime Survey by PwC and CSO Magazine.

4 Who are the victims of cybercrime? Your Financial texte here Organizations. and Banks Governments and Governmental Organizations (Stuxnet, Duqu, Flame, Shamoon are just the tip of the iceberg) Large and Multi-National Companies NGOs and Educational Organizations SMBs & Private Persons ORIGINAL Above SWISS datagram: ETHICAL Verizon HACKING 2013 Data Breach Investigations Report

5 But we spend more and more on IT security? Your Yes, texte companies here. and organizations increasingly spend more and more budget on IT security. However, spending more money does not necessarily mean spending more efficiently. Few obligatory security standards (e.g. PCI DSS) force companies to pass paper certification rather than really improving their security. Information security market is flooded with inefficient solutions and products that only cost you money but not make you secure. Many security companies and especially resellers promote their products as 360 security protection claiming to secure everything everywhere. Result is redundant security solutions that serve the same purpose and are actually useless. At the end, companies spend their entire security budget on solutions that they don t really need or that simply do perform their work. Very few companies spend on independent external security testing.

6 Before we continue It is important to highlight that: Your texte here. - Above 90% of high-profile cyber attacks remain unnoticed by the victims or are being detected after successful attack when it is already too late. - Almost all high-profile attacks cannot be investigated due to lack of technical resources, extremely high level of attack sophistication, weak legal base and absence of inter-government collaboration in cybercrime investigation. - Almost all attacks that didn t get to the medias are being silenced by the victims not to harm their business reputation. - Hackers groups have no limits when executing commercial cyber attacks, weather you are a large company, NGO, government or a private person total compromise of your IT infrastructure has a clear price on Black Market. - All your data may be already stolen, sold and purchased (even several times) by your competitors/enemies without your knowledge.

7 Brief classification of cyber attacks: Governments and large companies are becoming victims of: Your texte here. - Economically-motivated attacks: high-profile industrial espionage paid by competition, organized crime or foreign governments to steal your trade secrets, customer data, intellectual property, new technologies, political secrets and personal data of government members. - Political cyberwar: attacks on governmental E-Systems (e-voting, e-government), SCADA systems (telecommunications, electricity, oil and gas plants/factories, water and nuclear stations, air traffic control, satellites), financial markets (forex, stock markets) to paralyze, harm, alter or falsify their work. - Hacktivism: massive and/or high-profile attacks by politically motivated hackers aimed to publicly expose your political secrets, damage your reputation and cause maximum damage to your technical infrastructure/assets.

8 Point of failure: IT security teams Your Security texte teams here. are quite often overloaded with non-security projects, such as passing [quite useless] paper-based security certifications required by law. Many security specialists simply don t have enough skills and experience to fight sophisticated cybercrime that have almost unlimited budget. Large variety of inefficient and poor security products, solutions and services on the market that are being aggressively sold by vendors and resellers. Resellers usually don t even care if you really need the product, making security managers skeptical about the entire security industry. Reactive rather than proactive approach to security (many organizations start thinking about security only after being hacked [several times]. Some don t start even after).

9 Point of failure: managers Your Serious texte underestimation here. of potential consequences of cyber attack by the senior and top management resulting in lack of budget, time and human resources devoted to manage corporate information security. Focus on company performance, competitiveness, profitability with total ignorance of information security aspects. Bureaucracy, complex hierarchy and subordination in companies and organizations. Nobody actually is, and nobody wants to be really responsible for information security. Almost total absence of obligatory, clear and easily-applicable information security regulations in majority of countries.

10 Suggested solutions? Your Security texte awareness, here. trainings, education for management. Not efficient anymore! Each country must adopt clear, comprehensive, reasonable and obligatory cyber security regulations for each type of industry and business, classified by organization type, size, turnover and other applicable parameters. Violation of these security regulations should be penalized, the amount of fine should be much higher than a cost of adherence to the regulation. Compliance should be profitable. Governmental CERTs should have the authority to introduce new obligatory security regulations and to control if they are properly respected in their country. Governments should collaborate more with each other and with private sector to share data and experience, mitigate the risks, develop new industry standards and regulations. A good example is ITU-IMPACT Region s First Cyber Security Drill hosted by Oman CERT.

11 Thank you for your attention Your texte here. Thank you! Any questions are welcome.