CyberSecurity Threat Intelligence Report June 2014
 


    • The CCSO CyberSecurity Threat Intelligence report identifies one primary threat: “Humans”. This threat can come from any geographic or physical direction. Depending on the motivation, this threat could register on the risk assessment scale anywhere from >90 Extreme to 29< Low. Several risk-based criteria must be assessed to help managers distinguish the Extreme risks and Critical Threats from less serious threats, so they can concentrate limited resources or capital on immediate risks.

      This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program then please contact Mark @ 604-349-6557 or mesbernard@gmail.com

      It was estimated that only 74% of existing vulnerabilities are known; in reality it's much worse. Many organizations do not report defects found in their products. Combine that fact with the multitude of hacking techniques not reliant upon known vulnerabilities, like social engineering, misconfiguration, etc. The problem is that most threats need a vulnerability to exist before they can become a serious threat, and many companies unintentionally or intentionally provide that attack vector. Below are a few sources that quantify this threat.

      Malicious files (Credits: RedSocks March 2014 Report)
        • New malicious files: 8,206,419
        • Detection by anti-virus software: 6,153,370
        • Undetected: 2,053,049

      Cybercrime cost Canadians $3B in past year. (Credits: Norton 2013 Report)

      Global Study at a Glance (Credits: Ponemon Institute 2013)
        • 234 total companies in six countries
        • 1,935 interviews with company personnel
        • 1,372 attacks used to measure total cost
        • $7.22 million is the average annualized cost
        • 30% net increase in cost over the past year
        • 15% average ROI for seven security technologies
    • The CCSO CyberSecurity Threat Intelligence Insight report identified threats that are beyond our control; these threats are categorized as “Acts of Nature”. Our only recourse is to design resilient/redundant infrastructures and business practices that mitigate these risks. A critical part of capability and maturity is documenting our business continuity plans so that knowledge can be shared and verified/validated through testing. These threats are so extreme that it is impossible to mitigate the risk of them 100%. Examples including costs have been provided below.

      Cost of natural disasters has quadrupled over past 30 years: EU official (Credits: The Associated Press)

      The European Commissioner for humanitarian aid and crisis response told a conference on disaster risk reduction and management of the Asia-Europe Meeting that costs related to natural disasters have increased from $50 billion a year in the 1980s to $200 billion in the last decade. In three of the last four years, costs exceeded $200 billion.

      Top 10 2013 Natural Disasters
        1. Flooding in Central Europe: cost $22B
        2. An earthquake in Lushan, China: cost $14B
        3. Super Typhoon Haiyan: cost $13B
        4. Typhoon Fitow in China and Japan: cost $10B
        5. Droughts in China: cost $10B
        6. A series of droughts in Brazil: cost $8B
        7. Flooding in Alberta, Canada: cost $5.2B
        8. Aug-Sept floods in North China: cost $5B
        9. 2nd flood in Southwest China: cost $4.5B
        10. Hurricane Manuel in Mexico: cost $4.2B
    • Making the connection between a vulnerability and a threat is paramount to root-cause analysis and to taking corrective and/or preventive action designed to effectively and efficiently remediate a risk. In today's business environments, enterprises span multiple countries and continents where a multitude of potential attack vectors exist. Humans are crucial to the success of mitigating CyberSecurity Threats because they can avoid or mitigate most vulnerabilities. Below is a summary of the top three vulnerabilities that can be avoided with human intervention. Humans can also lead to a breach of security or be the victim of a breach. The average cost is $200.00 USD per record for three years following the security breach, and this does not include damages. The largest breach cost $177 million. Several companies that were breached have also been forced to close. Each threat in the following was created by Humans.

      Most Threats can be remediated, but all threats would not exist in the absence of a vulnerability. Root-Cause Analysis suggests that if you fix the vulnerabilities the Threats will go away!

      Summary of Threat Report Findings for 2013 (74 threats / 7 sources)

      CSI 2013
        • Malware infection
        • Insider Abuse of Net Access / eMail
        • Laptop / Mobile Theft

      Verizon Data Breach 2013
        • Network Intrusion / stolen credentials
        • Used some form of hacking
        • Incorporated Malware

      Websense 2014 Threat Report
        • Web Threats
        • Social Media Threats
        • Mobile Threats

      OWASP Top 10 Risks
        • A1 Injection
        • A2 Broken Authentication and Session Management
        • A3 Cross-Site Scripting (XSS)

      CSI 2011 Survey
        • Malware infection
        • Bots / zombies within the organization
        • Fraudulently represented as sender of phishing messages

      ISC2 - 2013 Global Report
        • Application Vulnerabilities
        • Malware
        • Mobile Devices

      CSA Top Risks 2013
        • Data Breaches
        • Data Loss
        • Account Hijacking
    • What I can only conclude from the current state of affairs is that we are experiencing a lack of quality management during the development of technology hardware, software and telecommunications, which has led to the creation of a database of defects equaling 61,000 reports. It's very likely that there are many more unreported if you consider that 2,053,049 have already been identified as undetected; that’s 25%. This situation is pushing the risk down from the manufacturer to the customer, yet we are expected to pay full price for defective products. There exists today a culture of driving products to the marketplace before they have been tested and hardened with security standards. The majority of products on the market today are vulnerable to fraud and hacktivism. There is also a culture within Information Technology to promote software, hardware and telecommunications based on tacit knowledge, leaving many systems improperly deployed or misconfigured and not hardened. The adoption and integration of best practices ISO 9001, ISO 27001, ISO 38500, ISO 31000, ISO 14001 and ISO 18001 would help to stabilize the technology environment. I’ve provided an excerpt from ISO 9001, so that you can see the activities.

      Emerging vulnerabilities awaiting threat exploitation include robots, our food chain and Nanotechnology. The latter is already in use today, maintaining both a military and medical application. At this point in time Nanotechnology is completely undetectable and the perfect attack vector.

      A lack of “Quality” and a demonstrable “Standard of Care” by Executive management in the development of software, hardware and telecommunications is our greatest threat today!

      ISO 9001 Product Realization Strategy

      7 Product realization
        7.1 Planning of product realization
        7.2 Customer-related processes
        7.3 Design and development
        7.4 Purchasing
        7.5 Production and service provision
        7.6 Control of monitoring and measuring equipment

      8 Measurement, analysis and improvement
        8.1 General
        8.2 Monitoring and measurement
        8.3 Control of nonconforming product
        8.4 Analysis of data
        8.5 Improvement
    • The solution depends on establishing a solid, proven information security management system based on an internationally accepted standard framework, ISO/IEC 27001:2013. This framework will mitigate 261 of the most common compliance risks and operational risks to information and knowledge. This framework can be independently audited. This framework can help to make compliance with statutes, regulations and contractual obligations more self-sustainable.