CYBERTHREATSCAPE
William Francis "Willie" Sutton, Jr.
Prolific American bank robber
During his forty-year criminal career he stole an estimated $2 million
“Because that's where the money is”
1960
The Internet of Things (IoT)
Who would target you and why?
• Hacktivists use computer network exploitation to advance their political or social causes.
• Individuals and sophisticated criminal enterprises steal personal information and extort victims for financial gain.
• Trusted insiders steal proprietary information for personal, financial, and ideological reasons.
• Nation-state actors conduct computer intrusions to steal sensitive state secrets and proprietary information from private companies.
• Terrorist groups sabotage the computer systems that operate our critical infrastructure, such as the electric grid.
• Nation-state actors sabotage military and critical infrastructure systems to gain an advantage in the event of conflict.
THREATS
MOTIVATIONS
Cyber Threat Actors and Motives
Why Should We Care About Cybercrime?
• Consumer cost of cybercrime in 2015: $158 billion
• 429 million Personal Records were stolen
• Over 1 million victims per day
• 12 victims per second
• 41% of online adults have fallen victim to attacks (malware, viruses, hacking, fraud, etc.)
• 2012: Cyber attack wiped 75% of Saudi Aramco’s workstations
• 2013: “DarkSeoul” attack wiped over 30,000 systems crippling the financial sector of South Korea
• 2014: Hackers wiped thousands of servers and computers across the network of Las Vegas Sands Corp.
• 2014: Sony Pictures Entertainment Breach
• 2015: OPM Data Breach: 21.5 million records stolen from the United States Office of Personnel Management.
• 2016: Bangladesh Bank Heist. 81 million dollars stolen. Target amount One billion dollars.
• 2017: WannaCry. A strain of ransomware spread around the world, attacking thousands of targets, including public utilities and large corporations.
• 2017: Equifax data breach. 143 Million records stolen.
Threat Landscape
Sources: 1. 2015 Internet Security Threat Report, Vol 20, published in Apr 2015 by Symantec
2. Morrison & Foerster Insights: Consumer Outlooks on Privacy, January 2016
MOBILE DEVICES
• Symantec found that 17% of all Android apps (nearly one million total) were actually malware in disguise
SCAMS & SOCIAL MEDIA
• 70% of social media scams were manually shared
PRIVACY BREACHES
• Privacy concerns influence 35% of purchasing decisions
• 22% of college educated, higher income consumers stop buying
E-CRIME & MALWARE
• 317 Million new pieces of Malware were created to bring the overall total number of known Malware to 1.7 Billion
• Ransomware attacks grew 113%
• Average time to resolve a ransomware attack: 23 Days
TARGETED ATTACKS
• 60% of all targeted attacks struck small- and medium-sized organizations
Far-reaching vulnerabilities, faster attacks, files held for ransom and more malicious code than ever
Top 5 Risk Ratio of Spear-Phishing Attacks by Department
Sales/Marketing 35%
Finance 30%
Operations 27%
R & D 23%
IT 19%
Spear-Phishing Email Types Used in Targeted Attacks
.doc 35%
.exe 30%
.scr 27%
.au3 23%
.jpg 19%
Threat Landscape
The Cost of Cyber Crime
Sources: 1. 2017 Cost of Cyber Crime Report (Ponemon Institute and Accenture)
Malware
• Average total cost of a successful malware breach: 2.4 million dollars
Average Annual Cost of Cyber Crime
• 2017: 11.7 million dollars (per company) (up from 7.2 million dollars in 2013)
Business E-mail Compromise
• Average monthly global loss to Business E-mail Compromise: 200 million dollars
Average Bank Robbery Loss: $3,816
Threat Landscape – Internet Crime Complaint Center
Information Protection
A risk management discipline that serves the objectives of Confidentiality, Integrity, Availability, and Privacy of information by applying a risk management framework and yielding confidence that risks are adequately managed.
Data lost due to disasters is devastating, but losing it to hackers, malicious insiders, or malware infections can raise far greater concerns
Associated Costs of a Privacy Breach
Sources: 1. “2015 Cost of Data Breach Study: United States” by Ponemon Institute
2. “2015 Cyber Liability Market Analysis” Lockton Insurance Brokers, LLC
3. Cost evaluation of 4 leading credit monitoring services
Direct Costs
$1m – $13m
Legal liability and sanctions
Charges of deceptive business practices
Liability from identity theft
Cyber Insurance deductible
$7m – $33m
Outside counsel
Credit monitoring services
Indirect Costs
Variable
OEM marketing to acquire new customers
Damage to the reputation, brand, or business relationships
Customer and / or employee distrust
Lost revenues
Risk Vectors
Financial
• Direct + Indirect costs
• Cyber insurance costs
Reputational
• Brand damage
• Lost business opportunities
Regulatory
• Monitoring
• Fines
Operational
• Decreased productivity
Data Lost … Reportable Breach
Why Should We Care About Cybercrime?
• Global cost of cybercrime in 2015: $158 billion
• Global cost of cybercrime in 2016: $450 Billion
• Estimated global cost in 2020: $2 - $6 Trillion