Cyber-Security Risk in the Global Organization: Trends, Challenges and Strategies for Effective Management
David Childers, CCEP, CIPP, CEO, Compli
Todd Carroll, Assistant Special Agent in Charge, FBI

Three Things We Know About Cyber Security
1. It helps to be a little paranoid.
2. There is no data security.
3. There is no patch for stupid.

Fast Cyber Security Facts
- 234,000 computers worldwide infected by CryptoLocker.
- 500% growth in ransomware threats.
- Malware: 15 million new samples created during Q1 2014, about 160,000 new samples per day.
- August 2014: possibly 1.2 billion user names and passwords stolen by Russian criminals, the biggest breach on record.
Fast Cyber Security Facts
- Hackers were responsible for 35% of the incidents and 76% of the identities exposed.
- The average number of identities exposed per data breach for hacking incidents was approximately 4.7 million.
- Theft or loss of a device accounted for 27% of data breach incidents.
- Cyber-terrorist websites: 12 in 1998, 9,800 today.

Data Breach Costs
- The average time it took to detect breaches declined slightly from 2012 to 2013, from 243 to 229 days. However, the share of firms that detected their own breaches dropped, from 37% to 33%; the rest were told by an outside party.
- The total number of breaches in 2013 was 62% greater than in 2012.
- Eight of the breaches in 2013 exposed more than 10 million identities each; in 2012 only one breach exposed over 10 million identities.
- Cost: $201 per record lost (US average, a 28% increase from 2013).*

*2014 Cost of Data Breach Study: United States. Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, May 2014.
Prevention Pays
Prevention plan type                  Savings per record
Pre-prepared data breach response     $42
Strong security posture               $34
CISO/CPO appointed                    $13

Windows XP
- Released in 2001; for years the most widely deployed business operating system.
- PROBLEM: on April 8, 2014 Microsoft stopped supporting XP. Every vulnerability found from that day on stays unpatched, and McAfee and other antivirus products cannot make up for an operating system that no longer receives security fixes.
- And if you think the workaround circulating online fixes this, think again: Microsoft warns not to install the Windows XP security "hack". It tricks Windows Update into treating the machine as an embedded point-of-sale edition of XP that Redmond supports through 2019, so the updates it pulls were never tested against desktop XP and may not fully protect it.
Top Inhibitors to Cyber-Threat Defense
- Inadequate cyber-security awareness among employees, and lack of management support or awareness.
- Lack of budget and inability to justify investment.
- Lack of skilled personnel, with too much data to analyze.
- Inadequate or poorly integrated security solutions, and a limited number of effective solutions on the market.

Emerging Cyber-Threats
Emerging Cyber-Threat Trends: The Internet of Things (IoT)
IoT devices become the access points for targeted attackers and become bots for cybercriminals.
TARGETS: baby monitors, security cameras and routers.
- April 2014: a man hacked an Ohio family's baby monitor and began screaming "WAKE UP BABY" into the monitor at midnight.
- March 2014: hackers took control of 300,000 home routers in Europe.
UP NEXT: smart televisions, automobiles and medical equipment.
- "Red Button" attack on smart TVs: researchers expect they can be hijacked using a $250 transmitter.
PREDOMINANT RISK: ROUTERS. The burden falls on YOU. Worms, like Linux.Darlloz, are making a comeback.

Emerging Cyber-Threat Trends: Cloud and Mobile Risks
MOBILE THREATS are more sophisticated and pervasive.
- In 2013 there were 58 variants per mobile malware family.
- Android is still the most widespread, and most targeted, mobile platform; 1.4 million malicious and high-risk Android apps are in existence.
- Apple is improving: iOS vulnerabilities are down 68% with iOS 7.
WI-FI INTENSIFIES SECURITY RISKS: When your employees are working in a public place, who is listening? What information are they potentially exposing? What policies do you have in place to mitigate your risk?
Emerging Cyber-Threat Trends: Ransomware
- Attacks grew by 500 percent in 2013.
- CryptoLocker was the predominant threat; NOW it is CTB-Locker, a second-generation threat that is much more powerful.
- Cybercriminals are adopting criminal business models developed for the PC, applying them to new areas and fine-tuning their methods.
- Historically, 3% of infected users paid the ransom.
Do you have a policy in place for opening emails?

Actual comments from www.knowbe4.com:
"Just Paid Cryptolocker - We got infected, found our backups did not work and we had to pay."
"Cryptolocker SUCKS - This really is the nastiest thing on the web at the moment."
"Ouch. This stinks - Our Controller opened the attachment, and her PC got infected. The phishing email passed through hosted email filtering."

Where Help is Available: U.S. Secret Service Electronic Crimes Task Forces
Atlanta, Baltimore, Birmingham, Boston, Buffalo, Charlotte, Chicago, Cleveland, Dallas, Houston, Las Vegas, Los Angeles, Louisville, Miami, Minneapolis, New York/New Jersey, Oklahoma, Orlando, Philadelphia, Phoenix, Pittsburgh, San Francisco, Seattle, South Carolina, Washington DC
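The "found our backups did not work" comment above is the failure mode behind the best-practice item "Ensure regular backups are available": a backup job that reports success proves nothing until something has been restored from it. The script below is an added example, not material from the presentation or from KnowBe4; it builds a constructed sample data set, records a checksum manifest at backup time, restores the archive into a scratch directory and verifies every file against the manifest. It assumes POSIX sh with GNU tar and sha256sum; all paths are temporary and constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the presentation): a restore test that proves a backup
# can be restored, rather than trusting the backup job's exit status.
# Assumes POSIX sh, tar and GNU sha256sum. All paths are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
SRC="$WORK/data"
BACKUP="$WORK/backup.tar"
MANIFEST="$WORK/manifest.sha256"

# Constructed sample data standing in for a small file share.
make_sample_data() {
    mkdir -p "$SRC/finance" "$SRC/hr"
    printf 'Q1 invoices\n' > "$SRC/finance/invoices.csv"
    printf 'payroll\n' > "$SRC/hr/payroll.txt"
}

# Record what the source looked like at backup time, then take the backup.
# The manifest is what a restore must reproduce: checksums of every file,
# not a file count and not tar's exit code.
take_backup() {
    ( cd "$SRC" && find . -type f -exec sha256sum {} + ) > "$MANIFEST"
    tar -cf "$BACKUP" -C "$SRC" .
}

# Restore into a scratch directory (never over the live data) and check every
# file against the manifest. Returns non-zero if anything is missing, altered
# or unreadable, which is exactly what a "job completed" log line hides.
verify_restore() {
    restore_dir="$WORK/restore"
    rm -rf "$restore_dir"
    mkdir -p "$restore_dir"
    tar -xf "$BACKUP" -C "$restore_dir" 2>/dev/null || return 1
    ( cd "$restore_dir" && sha256sum --quiet -c "$MANIFEST" )
}

# Demonstration: a good backup verifies; the same backup truncated (or
# overwritten by ransomware) fails loudly instead of being trusted.
make_sample_data
take_backup
if verify_restore; then
    echo "restore verified against manifest"
fi
: > "$BACKUP"
if verify_restore; then
    echo "UNEXPECTED: truncated backup passed verification"
else
    echo "truncated backup correctly failed verification"
fi
```

Run the verification on a schedule against the real backup set, not just once; a manifest signed or stored off the backup host also catches the case where ransomware has encrypted the backups themselves.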
Best Practices: IT Guidelines for Businesses
1. Employ defense-in-depth strategies.
2. Monitor for network incursion attempts, vulnerabilities, and brand use.
3. Antivirus on endpoints is not enough.
4. Secure your websites against MITM attacks and malware infection.
5. Protect your private keys.
6. Use encryption to protect sensitive data.
7. Ensure all devices allowed on networks have adequate protections.
8. Implement a removable media policy.
9. Be aggressive in your updating and patching.
10. Enforce an effective password policy.
11. Ensure regular backups are available.
12. Restrict email attachments.
13. Ensure you have infection and incident response procedures in place.
14. Educate users on basic security protocols.
Source: Best Practice Guidelines for Businesses, Recommendations + Best Practice Guidelines, Internet Security Threat Report 2014: Volume 19, Symantec Corporation, p. 87, 2014.

TOP SIX
1. Educate users on basic security protocols.
2. Employ defense-in-depth strategies.
3. Use encryption to protect sensitive data.
4. Be aggressive in your updating and patching.
5. Enforce an effective password policy.
6. Ensure you have infection and incident response procedures in place.

Hottest Cyber-Risk Solutions
NGFW (Next Generation Firewall): an application-aware firewall that uses deep packet inspection to examine traffic for anomalies and known malware.
NAC (Network Access Control): a networking solution that uses a set of protocols to define and enforce a policy describing what protections a device must have before it is granted access to network nodes when it first attempts to connect.
WORKFORCE AWARENESS TRAINING: creating the human firewall.
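The ransomware slide asks whether you have a policy for opening emails, and item 12 above says to restrict email attachments; the KnowBe4 comment about a phishing email that "passed through hosted email filtering" shows why a second, policy-driven check on the attachment itself is worth having. The following is an added example, not code from the presentation, Symantec or KnowBe4: it parses an inbound message, walks its attachments, looks one level into ZIP archives, and flags the patterns CryptoLocker-era lures relied on (an executable hiding behind a document-looking double extension such as invoice.pdf.exe, a Windows PE header regardless of file name, and password-protected archive members that filters cannot inspect). The message it screens is constructed inline for the demo, and the extension lists are assumptions a real deployment would tune.

```python
"""Added example (not from the presentation): screen an inbound e-mail for the
attachment patterns CryptoLocker-era phishing relied on, before a user opens it.
The sample message is constructed for the demo; the extension lists are
assumed policy, not a vendor standard."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Extensions Windows executes directly on double-click (assumed policy list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl"}
# Document extensions used as the decoy half of a double extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
MAX_ARCHIVE_DEPTH = 2  # stop descending into nested archives (zip bombs)


def classify_name(name: str) -> Optional[str]:
    """Return a reason if the file name alone is suspicious, else None."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return f"double extension disguises executable: {name}"
    return f"executable attachment: {name}"


def screen_attachment(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Screen one attachment by name and content; descend into ZIP archives."""
    findings = []
    reason = classify_name(name)
    if reason:
        findings.append(reason)
    # Windows executables start with the "MZ" DOS header whatever they are called.
    if data[:2] == b"MZ":
        findings.append(f"PE header in attachment: {name}")
    if name.lower().endswith(".zip") and depth < MAX_ARCHIVE_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:  # encrypted member: cannot be inspected
                        findings.append(
                            f"inside {name}: password-protected member {info.filename}")
                        continue
                    for f in screen_attachment(info.filename, zf.read(info), depth + 1):
                        findings.append(f"inside {name}: {f}")
        except zipfile.BadZipFile:
            findings.append(f"unreadable ZIP archive: {name}")
    return findings


def screen_message(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and screen every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        findings.extend(screen_attachment(name, data))
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing lure: a ZIP 'invoice' holding a double-extension PE stub."""
    stub = b"MZ" + b"\x90" * 62 + b"constructed stand-in for a PE body"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2014-08.pdf.exe", stub)
    msg = EmailMessage()
    msg["From"] = "billing@example.com"      # constructed sender
    msg["To"] = "controller@example.com"     # constructed recipient
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed report", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in screen_message(build_sample_message()):
        print("QUARANTINE:", finding)
```

The check is deliberately content-based as well as name-based: renaming the payload to invoice.pdf.zip or stripping the extension defeats a name-only rule, but the MZ header and the archive inspection still catch it. Messages that produce any finding should be quarantined for review rather than silently dropped, so the user still learns that the lure existed.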
Data Breach is Not Just an IT Issue
- Train employees about the data risks in your organization, physical and psychological.
- Monitor risks and keep training and awareness up to date.
- Think like the bad guys.
- Build from teachable moments.

Creating the Human Firewall
- Recognize this is a cultural shift. Think harassment or workplace safety.
- Expect and promote secondary benefits for employees.
- Start the change process with people who have disproportionate influence in the organization.
- Look for ways to get people to experience the harsh realities that make change necessary.
- Look for ways to redistribute resources toward hot spots: activities that require few resources but result in large change.
Questions?
todd.carroll@ic.fbi.gov
david.childers@compli.com