INDUSTRY TRENDS IN INFORMATION SECURITY
Gary Bahadur, CEO, KRAA Security
www.kraasecurity.com


As technology changes, new threats arise. There are new trends emerging in information security that organizations need to know. Trends such as employee usage of Social Media and Mobile applications can put the company at risk.


Page 1: Industry Trends in Information Security

INDUSTRY TRENDS IN INFORMATION SECURITY

Gary Bahadur, CEO, KRAA Security

www.kraasecurity.com

Page 2: Industry Trends in Information Security

What Are The Key Trends?

• Identity Theft

• Mobile security threats

• Web application weaknesses

• Insider threats

• Social networks

• Regulatory Compliance

• Data Loss Prevention

• Malware

Page 3: Industry Trends in Information Security

Objectives of Security Threats

1. Information Capture
2. Destruction
3. Monetary
4. Competitive Advantage
5. Political Gain
6. Activism

Attacks aim to compromise:

• Confidentiality
• Integrity
• Availability

Page 4: Industry Trends in Information Security

Identity Theft

Weaknesses caused by:

• Lack of proper data handling procedures
• Weak data protection
• Inadvertent data loss
• Unencrypted data

Source: FTC

Page 5: Industry Trends in Information Security

Identity Theft - Data Breaches That Could Lead To Identity Theft By Sector

Education, 24%

Retail/wholesale, 6%

Telecommunications, 3%

Military, 3%

Government, 20%

Computer software, 2%

Financial, 14%

Biotech/pharmaceutical, 2%

Transportation, 2%

Health care, 16%

Insurance, 1%

Computer hardware, 1%

Other, 4%

Source: Attrition.org

Page 6: Industry Trends in Information Security

Mobile Security

Weaknesses caused by:

• Theft of device
• Unencrypted data on devices
• No management of devices
• Unsecure mobile applications
• No socialization of security on mobiles
• Spyware and attachments compromise mobiles

Most Risky Mobile Devices – Ponemon Institute

Page 7: Industry Trends in Information Security

Web Applications

Weaknesses caused by:

• Poor coding
• Not testing enough
• No protection mechanism on the website
• No Security Development Lifecycle model
• Un-patched servers

Vulnerability by Industry – Source Whitehat

Page 8: Industry Trends in Information Security

Insider Threats

Weaknesses caused by:

• Weak internal controls
• Unvetted employees
• Disgruntled employees with excessive access
• Inadvertent weaknesses introduced

Losses due to insiders - CSI

Page 9: Industry Trends in Information Security

Social Networking

Weaknesses caused by:

• Very un-educated users
• Insecure social networking applications
• Ease of development of social applications

Page 10: Industry Trends in Information Security

Regulatory

Weaknesses caused by:

• Inability to manage against requirements
• No consistent assessment process
• Unable to keep up with new changes
• No accountability for measurements

Source: E&Y

Page 11: Industry Trends in Information Security

Data Loss Prevention

Weaknesses caused by:

• Insecure internal data storage
• Lost data through backup process
• Application vulnerabilities
• Excessive user permissions
• No tracking, monitoring, or blocking of data movement

Page 12: Industry Trends in Information Security

Organizations Attacked Most Often

Source – Breach Security

Page 13: Industry Trends in Information Security

Malware

Weaknesses caused by:

• Weakly protected systems
• Email and Web surfing
• External device connections
• Uneducated users

Source: McAfee

Page 14: Industry Trends in Information Security

Malware

Page 15: Industry Trends in Information Security

2008 CSI Computer Crime and Security Survey

Average reported cost of breach close to $500,000 (for those who experienced financial fraud)

The second-most expensive was dealing with “bot” computers within the organization’s network, at $350,000 per respondent.

Virus incidents were the most frequent, occurring at almost half (49 percent) of the respondents.

Insider abuse of networks was the second-most frequent, at 44 percent.

Third was theft of laptops and other mobile devices (42 percent).

Page 16: Industry Trends in Information Security

What does data cost in the Underground?

| Current Rank | Previous Rank | Goods and Services | Current Percentage | Previous Percentage | Range of Prices |
|---|---|---|---|---|---|
| 1 | 2 | Bank accounts | 22% | 21% | $10–$1000 |
| 2 | 1 | Credit cards | 13% | 22% | $0.40–$20 |
| 3 | 7 | Full identities | 9% | 6% | $1–$15 |
| 4 | N/A | Online auction site accounts | 7% | N/A | $1–$8 |
| 5 | 8 | Scams | 7% | 6% | $2.50/week–$50/week for hosting, $25 for design |
| 6 | 4 | Mailers | 6% | 8% | $1–$10 |
| 7 | 5 | Email addresses | 5% | 6% | $0.83/MB–$10/MB |
| 8 | 3 | Email passwords | 5% | 8% | $4–$30 |
| 9 | N/A | Drop (request or offer) | 5% | N/A | 10%–50% of total drop amount |
| 10 | 6 | Proxies | 5% | 6% | $1.50–$30 |

Source: Symantec Global Internet Security Threat Report XIII

Page 17: Industry Trends in Information Security

Frequency and Costs of Data Breaches

10 (+1) Largest Data Breaches Since 2000 (timeline chart, 2003–2008; source: FlowingData). As more information goes digital, it becomes more important to protect against hackers.

• Data Processors International: 5 million affected, March 6, 2003
• America Online: 30 million, June 24, 2004
• Citigroup: 30 million, June 6, 2005
• Visa, MasterCard, and American Express: 40 million, June 19, 2005
• U.S. Department of Veterans Affairs: 26.5 million, May 22, 2006
• TJX Companies, Inc.: 94 million, January 17, 2007
• Dai Nippon Printing Company: 8.6 million, March 12, 2007
• Fidelity National Information Services: 8.5 million, July 3, 2007
• TD Ameritrade: 6.3 million, September 14, 2007
• HM Revenue and Customs: 25 million, November 20, 2007
• GS Caltex: 11 million, September 06, 2008

Source: Attrition Data Loss Archive and Database

According to Ponemon Institute, an independent information practices research group, data breaches cost businesses an average of $197 per customer record in 2007, up from $182 in 2006. Ponemon also reports the average cost of a data breach in 2007 was $6.3 million, up from $4.8 million in 2006.

Page 18: Industry Trends in Information Security

Percentages of Incidents

Source: CSI

Page 19: Industry Trends in Information Security

State Breach Notification Laws

State Security Breach Notification Laws, as of July 27, 2009. Forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

Source: http://www.ncsl.org/

• Alaska: 2008 H.B. 65
• Arizona: Ariz. Rev. Stat. § 44-7501
• Arkansas: Ark. Code § 4-110-101 et seq.
• California: Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
• Colorado: Colo. Rev. Stat. § 6-1-716
• Connecticut: Conn. Gen. Stat. 36a-701(b)
• Delaware: Del. Code tit. 6, § 12B-101 et seq.
• Florida: Fla. Stat. § 817.5681
• Georgia: Ga. Code §§ 10-1-910, -911

Page 20: Industry Trends in Information Security

How to Address These Trends?

1. Risk Assessment
2. Security Policies, Procedures and Processes
3. Security Layered Approach
4. Data Loss Protection Mechanisms
5. User Security Education
6. Secure Development
7. Monitoring

Page 21: Industry Trends in Information Security

Contact

Gary Bahadur
info@kraasecurity.com
www.kraasecurity.com
blog.kraasecurity.com
Twitter.com/kraasecurity
888-KRAA-911