1
Cyber-Security Risk in the Global Organization:
Trends, Challenges and Strategies for Effective Management
Todd Carroll
Assistant Special Agent in Charge, FBI
David Childers, CCEP, CIPP
CEO, Compli
Three Things We Know About Cyber Security
1 2 3
2
Helps to be a little paranoid
There is no Data Security
3
There is no “patch” for stupid
Fast Cyber Security Facts:
234,000 computers worldwide infected CryptoLocker.
500 % growth in Ransomware threats.
August 2014 – Possibly 1.2 Billion user names & passwords stolen by Russian crooks. BIGGEST BREACH ON RECORD
Malware • 15 million new samples created during Q1 2014 • 160,000 new samples daily
4
Fast Cyber Security Facts
• 35% of the incidents • 76% of the identities exposed
CYBER-TERRORIST WEBSITES
HACKERS
4.7 millionthe average number of identities exposed per data breach for hacking incidents was approximately Theft or loss of a device….accounted for 27% of data breach incidents
1998 Today
12 9,800
Data Breach Costs
The average time it took to detect breaches declined slightly from 2012 to 2013, from 243 to 229 days.
However, the number of firms that detected their own breaches actually dropped, from 37% to 33%.
The total number of breaches in 2013 was 62% greater than in 2012.
Eight of the breaches in 2013 exposed more than 10 million identities each. In 2012 only one breach exposed over 10 million identities.
*US Average2014 Cost of Data Breach Study: United States Benchmark research sponsored by IBM,
Independently conducted by Ponemon Institute LLC. May 2014
= $201 per record lost*
(28% increase from 2013)
5
“Prevention Pays”
Prevention Plan Type
Savings Per Record
Pre-Prepared Data Breach Response $42
Strong Security Posture $34
CISO/CPO $13
XP Vulnerabilities
PROBLEM:April 8, 2014 - Microsoft stopped supporting XP
McAfee and other virus protection programs don’t work any longer
And if you think the patch fixes this problem, think again -
• MS warns not to install the Windows XP security workaround
• “It tricks Windows update into thinking that the XP version is an embedded point-of-sale OS that Redmond supports through 2019.”
• Released in 2001
• Most used business software
6
Top Inhibitors to Cyber-Threat Defense
Inadequate cyber-security awareness among employees & lack of management support or awareness
Lack of budget & inability to justify investment
Lack of skilled personnel with too much data to analyze
Inadequate or poorly integrated security solutions & limited number of effective solutions on the market
Emerging Cyber-Threats
7
Emerging Cyber-Threat Trends
The Internet of Things (IoT)IoT devices become the access points for targeted attackers and become bots for cybercriminals.
TARGETS: Baby Monitors, Security Cameras & Routers
• April of 2014: a man hacked an Ohio family’s baby monitor and began screaming, “WAKE UP BABY” into the monitor at midnight.
• March of 2014: hackers took control of 300,000 home routers in Europe.
UP NEXT: Smart Televisions, Automobiles & Medical Equipment
• “Red-button” attack on smart TVs – anticipate they can be hacked using a $250 transmitter.
PREDOMINANT RISK ROUTERS
• Worms like Linux.Darlloz are making a comeback.
The burden falls on
YOU
Emerging Cyber-Threat Trends
Cloud & Mobile Risks MOBILE THREATS: more sophisticated and pervasive.
• In 2013, there were 58 variants per mobile malware family
• Android is still the most widespread, and most targeted.
“1.4 million malicious and high-risk Android apps are in existence”
• Apple is improving vulnerabilities - Down 68% (Apple’s iOS7)
WI-FI INTENSIFIES SECURITY RISKS:
When your employees are working in a public place, who is listening? And what information are they potentially exposing?
What policies do you have in place to mitigate your risk?
8
Emerging Cyber-Threat Trends
Ransomware Attacks grew by 500 percent in 2013.
• CryptoLocker was predominant threat; NOW it is CTB-Locker.
• CTB-Locker is a second-generation threat and much more powerful.
“Cybercriminals are adopting criminal business models developed for the PC, applying them to new areas and fine-tuning their methods.”
• 3 % of infected users historically paid the ransom
Do you have a policy in place for opening emails?
“Just Paid Cryptolocker - We got infected, found our backups did not work and we had to pay.”
“Cryptolocker SUCKS - This really is the nastiest thing on the web at the moment.”
“Ouch. This stinks - Our Controller opened the attachment, and her PC got infected. The phishing email passed through hosted email filtering.”
Actual comments from www.knowbe4.com
Where Help is Available
Atlanta
Baltimore
Birmingham
Boston
Oklahoma
Buffalo
Charlotte
Chicago
Cleveland
Dallas
Houston
Las Vegas
Los Angeles
Louisville
Miami
Minneapolis
New York/New Jersey
Orlando
Philadelphia
Phoenix
Pittsburgh
San Francisco
Seattle
South Carolina
Washington DC
U.S. Secret Service Electronic Crimes Task Forces
9
Best Practices IT Guidelines for Businesses1.Employ defense-in-depth strategies.
2.Monitor for network incursion attempts, vulnerabilities, and brand use.
3.Antivirus on endpoints is not enough.
4.Secure your websites against MITM attacks and malware infection.
5.Protect your private keys.
6.Use encryption to protect sensitive data.
7.Ensure all devices allowed on networks have adequate protections.
8.Implement a removable media policy.
9.Be aggressive in your updating and patching.
10.Enforce an effective password policy.
11.Ensure regular backups are available.
12.Restrict email attachments.
13.Ensure you have infection and incident response procedures in place.
14.Educate users on basic security protocols.
Best Practice Guidelines for Businesses, Recommendations + Best Practice Guidelines, Internet Security Threat Report 2014: Volume 19, Symantec Corporation, pg 87, 2014
TOP SIX1. Educate users on basic security protocols.
2. Employ defense-in-depth strategies.
3. Use encryption to protect sensitive data.
4. Be aggressive in your updating and patching.
5. Enforce an effective password policy.6. Ensure you have infection and incident
response procedures in place.
Hottest Cyber-Risk Solutions
NGFW (NEXT GENERATION FIREWALL)• Application aware, uses deep packet inspection techniques to
examine traffic for anomalies and known malware.
NAC (NETWORK ACCESS CONTROL)• A computer networking solution that uses a set of protocols to
define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network.
WORKFORCE AWARENESS TRAINING
• Creating the Human Firewall
10
Data Breach is Not Just an IT Issue
Train employees about the data risks in your organization.• Physical
• Psychological
Monitor risks and keep training and awareness up to date.
“Think like the bad guys.”
Build from “Teachable Moments”.
Creating the Human Firewall Recognize this is a cultural shift.
• Think harassment or workplace safety.
• Expect and promote secondary benefits for employees.
Start the change process with people who have disproportionate influence in the organization.
Look for ways to get people to experience the harsh realities that make change necessary.
Look for ways to redistribute resources toward “hot spots” –activities that require few resources but result in large change.
