State of IT Security

Kelley School of Business
Indiana University
Information Systems Graduate Programs

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.

John Chambers, Executive Chairman and former CEO of Cisco

Kelley MBA '76, Academy of Alumni Fellows 1996

Agenda

  • Cyber crime statistics
  • Information security trends for 2018
  • Digital business and information security
  • Common threats and vulnerabilities
  • Anatomy of attacks and data breaches
  • Conclusion

Global cyber crime statistics and costs of cyber crime paint an alarming picture

Global cyber crime statistics

Source: http://www2.deloitte.com/content/dam/Deloitte/xe/Documents/AboutDeloitte/mepovdocuments/mepov17/are-you-safe-mepov17.pdf

Source: https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf?aid=elq_&om_sem_kw=elq_16202357&om_ext_cid=biz_email_elq_&elqTrackId=283a3acdb3ff42f4a70ab5a9f236eb71&elqaid=2902&elqat=2

Cost of cyber crime

Interesting statistics revealed by Norton’s security survey

  • 70% of U.S. consumers would rather cancel dinner plans with a best friend than have to cancel their debit/credit card.
  • More than 1/3 (36%) of those sharing passwords in the U.S. have shared the password to their banking account.
  • 431 million new ransomware variants, up 36% in 2015.

Two in three believe it is riskier to share their email password with their friend than lend them their car.

63% would rather go on a bad date than have to deal with customer service after a security breach.

Source: Norton Cybersecurity Insights Report - https://us.norton.com/norton-cybersecurity-insights-report-global

Gartner's Top Security Trends for 2018

Senior business executives are finally aware that cybersecurity has a significant impact on the ability to achieve business goals and protect corporate reputation.

GDPR and data protection regulations impact digital business strategies.

Geopolitical security impacts where businesses buy their products from.

Security products are rapidly exploiting cloud delivery to provide more agile solutions.

Machine learning is providing value in simple security tasks and elevating suspicious events for human analysis.

Source: “Top Security and Risk Management Trends,” Gartner

Information security and the CIA triad

Information Security – NIST defines information security as ‘The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability’.

The objective of information system security is to:

  • optimize the performance of an organization with respect to the risks to which it is exposed
  • preserve the goals of information security

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Integrity: The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.

Availability: Ensuring timely and reliable access to and use of information.

Source: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf

Gartner’s proposed information security tetrad for digital business


“Protecting information alone isn't enough, and ensuring the confidentiality, integrity and availability of that information isn't enough. Leaders in risk and cybersecurity must now assume the responsibility of providing safety for both people and their environments or, at minimum, participate in providing that safety with other security practices”

Source: “Managing Risk and Security at the Speed of Digital Business,” Gartner

Two key characteristics of digital business are challenging conventional IT control:

  1. As the business claims increasing autonomy in deploying new digital technologies, it degrades the authority of the central IT organization.
  2. The dramatic increase in the number of elements (e.g., systems, devices, things, data and dynamic relationships) exposes scalability issues with many traditional security control solutions.

Digital business requires more robust security

  • Programs must also allow for new value to be created through disruptive technologies while sensibly managing risks. Security must adapt to a digital business strategy or, ironically, expose the enterprise to even greater risk.
  • Security must be designed to align with a digital business strategy. Conventional principles must be challenged to support business agility.
  • Define, communicate and enforce security policies with all stakeholders.
  • Continually assess and improve maturity and performance.

Source: “Managing Risk and Security at the Speed of Digital Business,” Gartner

Common security threats and vulnerabilities

Common security threats

  1. Social engineering
  2. Crimeware like ransomware
  3. Insider vulnerabilities
  4. Information warfare
  5. Malicious code
  6. Mobile code
  7. Denial of service attacks
  8. Spam, phishing and Trojans
  9. Web based vulnerabilities like SQL injection, cross site scripting
  10. Physical threats to information infrastructure

Source: Computer Security Handbook, Sixth edition

Social engineering remains amongst the top 3 causes for data breaches

Top five data varieties breached by phishing attacks

Top 10 threat action varieties within Web App Attack breaches

Source: Verizon 2016 Data Breach Investigations Report

Social Engineering Example: Gmail password reset scam


CIO magazine states that 93% of phishing emails now carry ransomware

Top five malware varieties within Crimeware

  • Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid.
  • More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.

Source: Verizon 2016 Data Breach Investigations Report

Source: http://www.trendmicro.com/vinfo/us/security/definition/ransomware

Russian-based hacking organization offering Ransomware-as-a-Service

Source: https://www.flashpoint-intel.com/home/assets/Media/Flashpoint_Ransomware_April2016.pdf

Source: http://www.extremetech.com/extreme/229162-hospital-pays-ransomware-but-doesnt-get-files-decrypted

Anatomy of attacks that cause data breaches

Zero day vulnerabilities and ICS vulnerabilities

Source: https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf?aid=elq_&om_sem_kw=elq_16202357&om_ext_cid=biz_email_elq_&elqTrackId=283a3acdb3ff42f4a70ab5a9f236eb71&elqaid=2902&elqat=2

Data breaches in 2017


Source: https://frankonfraud.com/fraud-trends/data-breach-index-is-going-off-a-cliff-in-2017/

The cost of data breaches in 2017

  • Verizon received a $350 million discount on its purchase of Yahoo! as a result of Yahoo!'s data breach, which was found to fall short of the standard of due care.
  • Maersk took a $300 million expense as a result of a massive ransomware attack.
  • Equifax's breach cost the CEO, CIO, and CSO their jobs, and will have a continuing significant financial impact.
  • Global economic losses from the WannaCry attack were estimated to be between $1.5 and $4 billion.

Source: Verizon 2016 Data Breach Investigations Report

As cybercrime increases at an alarming rate, more collaboration between senior business managers and information security professionals is required.

We need a holistic approach to security to reduce organizational risk.

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

How does this impact you?

  • The demand for security skills — both classic technical skills as well as business-oriented skills — continues to be greater than the available supply.
  • Mature security organizations are investing in security and risk managers that have the background and experience to work closely with business stakeholders to understand their risk appetite and risk tolerance.

Sources: “Top Security and Risk Management Trends,” Gartner; “Managing Risk and Security at the Speed of Digital Business,” Gartner


Appendix

Insider threat incident statistics for 2015

Source: https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf?aid=elq_&om_sem_kw=elq_16202357&om_ext_cid=biz_email_elq_&elqTrackId=283a3acdb3ff42f4a70ab5a9f236eb71&elqaid=2902&elqat=2

Distribution of the benchmark sample by root cause of the data breach

Source: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=SEW03053WWEN&attachment=SEW03053WWEN.PDF

Percentage direct and indirect per capita data breach costs

Source: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=SEW03053WWEN&attachment=SEW03053WWEN.PDF

Vulnerabilities identified for 2015

Source: https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf?aid=elq_&om_sem_kw=elq_16202357&om_ext_cid=biz_email_elq_&elqTrackId=283a3acdb3ff42f4a7300ab5a9f236eb71&elqaid=2902&elqat=2

Law enforcement is the rising breach discovery method over time


Source: Verizon 2016 Data Breach Investigations Report