TRANSCRIPT
The Onslaught of Cyber Security Threats
and
What that Means to You
No End in Sight for Cyber Crime Growth
– 432M – Number of accounts hacked (CNN Money)
– 200M – Number of malware samples collected (Intel Security)
– 11.6M – Number of mobile devices affected (IBM)
Cyber Crime is Hurting Us All
Figures shown on the slide: 43%, 54%, 68%
– Americans who have experienced a malicious attack (Norton by Symantec)
– Employees who steal proprietary corporate data when they quit or are fired (Heimdal Security)
– Enterprises in the U.S. that suffered a security breach (USA Today)
Agenda
– Breach landscape
– Evolution
– Regulators' Response
– Summary
– Q&A
Staying Ahead of The Trends
Threats are more sophisticated and evolving
Threat categories shown on the timeline graphic: viruses and worms; adware and spyware; DDoS; APTs; ransomware; hacktivism; state-sponsored cyberweapons; industrial espionage; next-gen APTs; mobile malware; cloud and web services attacks
Timeline years: 1997, 2004, 2007, 2010, 2014
Figures shown: 1,300 known viruses; 50,000 known viruses; 100,000+ malware variants daily
An Ever-Changing Threat Landscape
Managed Endpoints
Malware
Business Partners
External Threats
Social Engineering
Mobile Device Loss/theft
Evolution of Vulnerabilities
Insider Threats
Explosion of Connected Devices
Results
Sony
• Data Compromised – Seemingly everything stored in the network.
• Entrance Method – Stolen system administrator credentials
• Time Undetected – Unknown
• Discovery Method – On Nov. 22 employee computers received messages threatening public distribution
• Estimated Damages – Could exceed $100 million.
Anthem Inc.
• Data Compromised – 80 million
• Entrance Method – Attackers used credentials of at least five different employees.
• Time Undetected – A month and a half.
• Discovery Method – The admin himself noticed his credentials being used to query their data warehouse.
• Estimated Damages – $100 million
Target
• Data Compromised – 40 million credit and debit cards, 70 million phone numbers
• Entrance Method – HVAC company
• Time Undetected – About two weeks
• Discovery Method – The Department of Justice
• Estimated Damages – $148 million
JP Morgan
• Data Compromised – Estimated 7 million
• Entrance Method – Compromised computer with special privileges.
• Time Undetected – Three months
• Discovery Method – Internal investigation
• Estimated Damages – $200 million
Home Depot
• Data Compromised – 56 million credit
• Entrance Method – Third-party vendor's credentials
• Time Undetected – Six months
• Discovery Method – 3rd party notification
• Estimated Damages – $62 million
Number of People Affected
• Sony – 6,000
• Anthem Inc. – 80,000,000
• Target – 70,000,000
• JP Morgan – 76,000,000
• Home Depot – 56,000,000
Regulators Response
PCI-DSS: Security Penalties
The Payment Card Industry has established fines of up to $500,000 per incident for security breaches when merchants are not PCI compliant.
Potential cost of a security breach
• Fines of $500,000 per incident for being PCI non-compliant
• Increased audit requirements
• Potential for campus-wide shutdown of credit card activity by their merchant bank
• Cost of printing and postage for customer notification mailing
• Cost of staff time (payroll) during security recovery
• Cost of lost business during register or store closures and processing time
• Decreased sales due to marred public image and loss of customer confidence
HIPAA Penalties
1) Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
$100 - $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
2) The HIPAA violation had a reasonable cause and was not due to willful neglect.
$1,000 - $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
3) The HIPAA violation was due to willful neglect but the violation is corrected within the required time period.
$10,000 - $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
4) The HIPAA violation is due to willful neglect and is not corrected.
$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
GLBA Penalties
Violation of GLBA: Gramm-Leach-Bliley Act and Financial Privacy
• The financial institution shall be subject to a civil penalty of not more than $100,000 for each violation; and
• The officers and directors of the financial institution shall be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation
• Also, fines in accordance with Title 18 of the US Code, imprisonment for not more than five years, or both
Average Cost of a Data Breach
– US – $5,403,644
– DE – $4,823,583
– AU – $4,104,932
– FR – $3,763,299
– UK – $3,143,048
– JP – $2,282,095
– IT – $2,275,404
– BZ – $1,321,903
– IN – $1,115,804
Security Approaches
Siloed Security Approach
Single Vendor Approach
Interconnected Approach
Our Approach
Detect & Protect
Secure Access
Advanced Threat Protection
Data Protection
Compliance
Threat Landscape
– 236 – New threats every minute, or almost 4 every second
– 46% – Increase in malicious signed binaries in Q1 2014
– 49% – Increase in new threats attacking the master boot record in Q1 2014
– 167% – Increase in the amount of mobile malware samples in the past year
– 1,000,000 – Number of new ransomware samples in 2013
– 18,000,000 – New malicious URLs in Q1 2014 – a 19% increase over the previous quarter
– 200,000,000+ – Known malware samples as of Q1 2014