Numaan Huq
Forward-Looking Threat Research Team
Dissecting Data Breaches –
The Everyday Cybercrime
Who Am I?
A Primer on Data Breaches
Scope of Research
• Focused on the US – other countries don’t have data breach information readily available
• Only publicly disclosed data breach incidents were used
• Data was collected for the period Jan 2005 – Apr 2015
• The data used is really the “tip of the iceberg” – the majority of incidents remain unreported and undisclosed
What is a data breach?
Many definitions out there, but the ISO/IEC 27040 definition best summarizes data breaches (IMHO):
“Compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored, or otherwise processed.”
Recent “Sensational” Data Breaches
• Hacking Team – the creators of surveillance software – was hacked and 400GB+ of stolen data was leaked online
• 21.5M SSNs and other sensitive data were stolen in the “second” breach of the Office of Personnel Management’s (OPM) background check database
• Ashley Madison – an online dating service that caters to extramarital affairs – was hacked and 37M members’ records were leaked online
A Decade of Data Breaches
Breach Methods Observed
Breach Methods Observed by Year
Record Types Compromised
• PII: Name, address, SSN, DoB, phone number, etc.
• Financial data: Banking, insurance, and billing information, etc.
• Health data: Medical records, medical insurance, etc.
• Education data: School, college, university, or related records
• Payment cards: Credit, debit, store-branded credit, and prepaid gift cards
• Credentials: Log-in credentials for eBay, PayPal, Web-based email, online banking, social networks, etc.
• Others: Intellectual property and intelligence about an organization
• Unknown: Investigators failed to determine what was stolen
Industries Affected by Data Breaches
Top 5 Industries – Healthcare
Top 5 Industries – Government Sector
Top 5 Industries – Retail
Top 5 Industries – Financial Sector
Top 5 Industries – Education
Top 20 Publicly Disclosed Data Breaches
Diagnosing Data Breaches
Probability of Different Breach Methods
Other Probabilities Calculated
Co-occurrence Network
Bayesian Network
Findings: Hype and Heavy Tails
• Paper uses the same PRC data that we used – they developed Bayesian Generalized Linear Models to investigate trends in data breaches
• Their statistical analysis suggests neither size nor frequency of data breaches has increased over the past decade
• They predict that the likelihood of very large data breaches (i.e. headline-grabbing events) occurring within the next year is small AND they predict that smaller breaches will occur more frequently
• They predict data breaches will cost businesses/organizations up to $55B over the next three years
Follow the Data
Who is stealing your data?
• Insiders
• Individual criminals
• Organized criminal groups
• State sponsored groups
• Hacktivists
Crimes Committed
• PII data – identity fraud, file fraudulent tax returns, apply for bank loans, apply for credit cards, register fake accounts, spam & phishing attacks, etc.
• Financial data – create counterfeit credit cards, pay bills, fraudulent online transactions, fraudulent money transfers, etc.
• Credentials – steal intellectual property, espionage, spam & phishing attacks, etc.
• Others – vengeance attacks, hacktivism, blackmail, ransom, etc.
Are people becoming desensitized?
YES!… and here’s why
• There is an overload of daily news articles on data breaches
• Stolen sensitive data is not tangible like a stolen mobile phone
• The bad consequences of having sensitive data stolen are not instantly felt
• There is a lack of understanding of the repercussions of sensitive data theft
For Sale – Accounts
For Sale – Bank Logins
For Sale – Credit Cards
For Sale – PII
What about “Other” data?
• The vast majority of breaches remain unreported and undisclosed – we don’t know what data was stolen, when it was stolen, and by whom
• Theft of “other” data strongly implies espionage, intelligence collection, intellectual property theft, gaining a competitive advantage, etc.
• These breaches are orchestrated by groups who have a vested interest in procuring data for their advantage
• Victimized businesses rarely disclose the actual damage inflicted – this could easily be in the millions or billions of dollars depending on the industry
Defending Against Data Breaches
Red Queen Hypothesis
• Sophistication of attacks increasing over time
• This follows what is called the Red Queen Hypothesis
– Based on Leigh Van Valen’s observations of a biological evolutionary arms race
– Antagonistic co-evolution of predators/prey or parasites/hosts; no evolution = extinction
• “Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!” – Lewis Carroll, Alice Through the Looking Glass
Key Principles of Defense
No defense is impregnable against determined adversaries!
Always assume you have been compromised. Now what do you do?
– Have a response plan ready
– Quickly identify and respond to ongoing security breaches
– Contain the breach and stop the loss of sensitive data
– Preemptively prevent breaches by securing all exploitable avenues
– Apply lessons learned to further strengthen defenses and prevent repeats
Critical Security Controls
• Implementing all 20 security controls can be very expensive and requires dedicated teams for daily operations, monitoring, response, and maintenance
• A large business/organization should have the resources to implement all 20 security controls, but most small businesses/organizations can only afford to implement a subset of the controls
• The Critical Security Controls provide a comprehensive set of guidelines, and implementing even a subset of them will go a long way in preventing data breaches
Insider Threats
• Insiders are trusted individuals or persons of authority with access privileges who steal data
• They are typically motivated by Money, Ideologies, Coercion, and Ego (MICE)
• Insider attacks should be accorded the same level of prioritization as external attacks
• Broadly speaking, insider threat mitigation techniques can be grouped into two categories – technical and non-technical
Insider Threats
• Technical steps to prevent insider attacks use security best practices:
– Information access control
– Monitoring and logging of activities
– Promptly disable credentials of ex-employees
– Identify employees whose credentials have been compromised, etc.
• Non-technical means of security are equally effective:
– Good management practices in handling delicate situations
– Recognizing and rewarding employees
– Looking after employee well-being, etc.
• In a nutshell, happy employees are less likely to turn against their employers
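As an added example (not from the deck), a small Python audit that applies two of the technical bullets above to an authentication log: it checks that offboarded accounts have actually stopped authenticating, and flags an account that succeeds from two different sources within a short window as a possible compromised credential. The usernames, IPs, dates and log line format are constructed for the example.

```python
"""Offboarding and credential-misuse audit over an authentication log.

Added example, not code from the original deck. The HR list, log lines
and their key=value format are constructed; adapt parse_log() to the
real log source.
"""
import re
from datetime import datetime, timedelta

# Constructed HR offboarding list: username -> last day of employment.
OFFBOARDED = {
    "jdoe": datetime(2015, 9, 30),
    "asmith": datetime(2015, 10, 2),
}

# Constructed authentication log (timestamps are ISO 8601, local time).
AUTH_LOG = """\
2015-10-01T08:02:11 user=mlee src=10.1.4.22 result=success
2015-10-01T08:15:40 user=jdoe src=10.1.4.57 result=success
2015-10-01T09:00:05 user=asmith src=10.1.4.58 result=success
2015-10-03T22:41:09 user=asmith src=203.0.113.9 result=success
2015-10-03T22:43:30 user=mlee src=10.1.4.22 result=success
2015-10-03T22:50:12 user=mlee src=198.51.100.77 result=success
2015-10-04T03:12:55 user=jdoe src=203.0.113.9 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def stale_credential_logins(events, offboarded):
    """Successful logins by an account after its owner's last day.

    A success after the last day means the credential was not disabled
    promptly; failures are expected for a disabled account and are not
    reported here. Returns (user, timestamp, source) tuples in log order.
    """
    hits = []
    for e in events:
        last_day = offboarded.get(e["user"])
        if last_day is None or e["result"] != "success":
            continue
        # The whole of the last day is still legitimate; anything later is not.
        if e["ts"] >= last_day + timedelta(days=1):
            hits.append((e["user"], e["ts"].isoformat(), e["src"]))
    return hits


def multi_source_logins(events, window=timedelta(minutes=15)):
    """Same account succeeding from two different sources within `window`.

    A crude 'impossible travel' heuristic for a shared or stolen credential.
    Returns (user, earlier_src, later_src, later_timestamp) tuples.
    """
    by_user = {}
    for e in events:
        if e["result"] == "success":
            by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= window:
                alerts.append((user, a["src"], b["src"], b["ts"].isoformat()))
    return alerts


def run_audit(log_text=AUTH_LOG, offboarded=OFFBOARDED):
    """Run both checks and return their findings together."""
    events = parse_log(log_text)
    return {
        "stale_credentials": stale_credential_logins(events, offboarded),
        "multi_source": multi_source_logins(events),
    }


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name)
        for f in findings:
            print("  ", f)
```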
Concluding Thoughts
Data Breach Legislation in the US
• The US has no federal standard in place that provides a uniform set of rules governing notification procedures following a data breach – only specialized federal laws, e.g. HIPAA
• 47 US states, the District of Columbia, Guam, Puerto Rico, and the US Virgin Islands have each enacted their own legislation
• The data breach notification laws that exist vary from state to state and at times can be conflicting, e.g. disclosure timelines
• Compliance with multiple data breach notification laws introduces additional complexity on top of responding to a breach incident
Data Breaches are here to stay…
• The number of data breach disclosures involving big businesses/organizations is increasing, which can only mean smaller businesses/organizations are being relentlessly targeted
• The damage done to everyday individuals, irrespective of where their data was stolen from, is still the same – they face serious risks of identity, financial, and other types of fraud
• In reality, any business or organization that processes and/or stores sensitive data is a potential data breach target
• As long as sensitive data can be monetized, data breaches will happen
Interrogate!
numaan_huq@trendmicro.com

NumaanHuq_Hackfest2015

  • 1. 1 Numaan Huq Forward-Looking Threat Research Team Dissecting Data Breaches – The Everyday Cybercrime
  • 3. A Primer on Data Breaches
  • 4. 4
  • 5.
  • 6.
  • 7. Scope of Research • Focused on the US – other countries don’t have data breach information readily available • Only publicly disclosed data breach incidents were used • Data was collected for period: Jan 2005 – Apr 2015 • The data used is really the “tip of the iceberg” – the majority of incidents remain unreported and undisclosed 7
  • 8. What is a data breach? Many definitions out there, but the ISO/IEC 27040 definition best summarizes data breaches (IMHO): “Compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored, or otherwise processed.” 8
  • 9. Recent “Sensational” Data Breaches • Hacking Team – the creators of surveillance software – was hacked and 400GB+ of stolen data was leaked online • 21.5M SSNs and other sensitive data was stolen in the “second” breach of Office of Personnel Management’s (OPM) background check database • Ashley Madison – an online dating service that caters to extramarital affairs was hacked and 37M members’ records were leaked online 9
  • 10. A Decade of Data Breaches 10
  • 13. Record Types Compromised • PII: Name, address, SSN, DoB, phone number, etc. • Financial data: Banking, insurance, and billing information, etc. • Health data: Medical records, medical insurance, etc. • Education data: School, college, university, or related records • Payment cards: Credit, debit, store-branded credit, and prepaid gift cards • Credentials: Log-in credentials for eBay, PayPal, Web-based email, online banking, social networks, etc. • Others: Intellectual property and intelligence about an organization • Unknown: Investigators failed to determine what was stolen 13
  • 15. Industries Affected by Data Breaches 15
  • 16. Top 5 Industries – Healthcare 16
  • 17. Top 5 Industries – Government Sector 17
  • 18. Top 5 Industries – Retail 18
  • 19. Top 5 Industries – Financial Sector 19
  • 20. Top 5 Industries – Education 20
  • 21. Top 20 Publicly Disclosed Data Breaches 21
  • 23. Probability of Different Breach Methods 23
  • 27. Findings: Hype and Heavy Tails • Paper uses the same PRC data that we used – they developed Bayesian Generalized Linear Models to investigate trends in data breaches • Their statistical analysis suggests neither size nor frequency of data breaches has increased over the past decade • They predict that the likelihood of very large data breaches (i.e. headline- grabbing events) occurring within the next year is small AND they predict that smaller breaches will occur more frequently • They predict data breaches will cost businesses/organizations up to $55B over the next three years 27
  • 29. Who is stealing your data? • Insiders • Individual criminals • Organized criminal groups • State sponsored groups • Hacktivists 29
  • 30. Crimes Committed • PII data – identity fraud, file fraudulent tax returns, apply for bank loans, apply for credit cards, register fake accounts, spam & phishing attacks, etc. • Financial data – create counterfeit credit cards, pay bills, fraudulent online transactions, fraudulent money transfers, etc. • Credentials – steal intellectual property, espionage, spam & phishing attacks, etc. • Others – vengeance attacks, hacktivism, blackmail, ransom, etc. 30
  • 31. Are people becoming desensitized? YES!… and here’s why • There is an overload of daily news articles on data breaches • Stolen sensitive data is not tangible like a stolen mobile phone • The bad consequences of having sensitive data stolen are not instantly felt • There is a lack of understanding of the repercussions of sensitive data theft 31
  • 32. For Sale – Accounts 32
  • 33. For Sale – Accounts 33
  • 34. For Sale – Bank Logins 34
  • 35. For Sale – Credit Cards 35
  • 36. For Sale – PII 36
  • 37. What about “Other” data? • The vast majority of breaches remain unreported and undisclosed – we don’t know what data was stolen, when it was stolen, and by whom • Theft of “other” data strongly implies espionage, intelligence collection, intellectual property theft, gain competitive advantage, etc. • These breaches are orchestrated by groups who have a vested interest in procuring data for their advantage • Victimized businesses rarely disclose the actual damage inflicted – this could easily be in the millions or billions of dollars depending on the industry 37
  • 39. Red Queen Hypothesis • Sophistication of attacks increasing over time • This follows what is called the Red Queen Hypothesis – Based on Leigh Van Valen’s observations of a biological evolutionary arms race – Antagonistic co-evolution of predators/prey or parasites/hosts; no evolution = extinction • “Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!” – Lewis Carroll, Alice Through the Looking Glass 39
  • 40. Key Principles of Defense No defense is impregnable against determined adversaries! Always assume you have been compromised. Now what do you do? – Have a response plan ready – Quickly identify and respond to ongoing security breaches – Contain the breach and stop the loss of sensitive data – Preemptively prevent breaches by securing all exploitable avenues – Apply lessons learned to further strengthen defenses and prevent repeats 40
  • 42. Critical Security Controls
    • Implementing all 20 security controls can be very expensive and requires dedicated teams for daily operations, monitoring, response, and maintenance
    • A large business/organization should have the resources to implement all 20 security controls, but most small businesses/organizations can only afford to implement a subset of the controls
    • The Critical Security Controls provide a comprehensive set of guidelines, and implementing even a subset of them will go a long way in preventing data breaches
  • 43. Insider Threats
    • Insiders are trusted individuals or persons of authority with access privileges who steal data
    • They are typically motivated by Money, Ideology, Coercion, and Ego (MICE)
    • Insider attacks should be accorded the same level of prioritization as external attacks
    • Broadly speaking, insider threat mitigation techniques can be grouped into two categories – technical and non-technical
  • 44. Insider Threats
    • Technical steps to prevent insider attacks use security best practices:
      – Information access control
      – Monitoring and logging of activities
      – Promptly disable credentials of ex-employees
      – Identify employees whose credentials have been compromised, etc.
    • Non-technical means of security are equally effective:
      – Good management practices in handling delicate situations
      – Recognizing and rewarding employees
      – Looking after employee well-being, etc.
    • In a nutshell, happy employees are less likely to turn against their employers
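Two of the technical steps on slide 44, disabling ex-employees’ credentials promptly and spotting credentials that are being used when they should not be, are easy to state and routinely missed in practice. The block below is an added example, not code from the talk: it reconciles an HR leaver list against a directory export to find accounts that should already be disabled, then scans an authentication log for any use of a leaver’s credentials after their last day. The leaver list, directory export, log format, usernames, addresses and the `REVIEW_DATE` constant are all constructed for the example.

```python
"""Added example, not from the talk: two insider-threat controls made concrete.
1. Reconcile an HR leaver list against an identity-directory export to find
   ex-employee accounts that are still enabled.
2. Scan authentication logs for any login attempt, successful or not, by a
   leaver after their last day.
All data and the log format below are constructed for this example."""
import re
from datetime import date, datetime

# Constructed HR feed: username -> last working day.
LEAVERS = {"jdoe": date(2015, 6, 30), "asmith": date(2015, 7, 15)}

# Constructed directory export: username -> account state.
DIRECTORY = {
    "jdoe": {"enabled": True},     # should have been disabled on 2015-06-30
    "asmith": {"enabled": False},  # offboarded correctly
    "bwong": {"enabled": True},    # current employee
}

# Constructed auth log in a made-up key=value format; one line is deliberately broken.
AUTH_LOG = """\
2015-07-01T08:12:33Z vpn01 login user=jdoe src=198.51.100.23 result=success
2015-07-01T09:40:10Z fs01 login user=bwong src=10.0.3.14 result=success
2015-07-16T02:05:41Z vpn01 login user=asmith src=203.0.113.7 result=failure
2015-07-18T23:57:02Z vpn01 login user=jdoe src=203.0.113.7 result=success
garbage line that must not crash the parser
"""

# Date the review is run (assumption for the example).
REVIEW_DATE = date(2015, 7, 20)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def stale_accounts(leavers, directory, as_of):
    """Usernames whose last day is on or before `as_of` but whose account is still enabled."""
    return sorted(
        user for user, last_day in leavers.items()
        if last_day <= as_of and directory.get(user, {}).get("enabled", False)
    )


def parse_auth_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def post_termination_logins(log_text, leavers):
    """Every login attempt by a leaver after their last day, as
    (user, timestamp, host, source, result). Successes mean the account is
    still live or its credentials were reused; failures mean someone is still
    trying them, which is worth knowing too. Assumes the HR last day and the
    log timestamps share a calendar; normalise time zones before comparing in practice."""
    hits = []
    for ev in parse_auth_log(log_text):
        last_day = leavers.get(ev["user"])
        if last_day is not None and ev["ts"].date() > last_day:
            hits.append((ev["user"], ev["ts"].isoformat(), ev["host"], ev["src"], ev["result"]))
    return hits


if __name__ == "__main__":
    print("leaver accounts still enabled:", stale_accounts(LEAVERS, DIRECTORY, REVIEW_DATE))
    for hit in post_termination_logins(AUTH_LOG, LEAVERS):
        print("post-termination login attempt:", *hit)
```

The reconciliation catches the process failure (jdoe was never disabled); the log scan catches its consequence (that account logging in from an outside address weeks later) and also the attempted reuse of asmith’s credentials, which the directory check alone would never surface because that account was disabled correctly.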
  • 46. Data Breach Legislation in the US
    • The US has no federal standard in place that provides a uniform set of rules governing notification procedures following a data breach – only specialized federal laws, e.g. HIPAA
    • 47 US states, the District of Columbia, Guam, Puerto Rico, and the US Virgin Islands have each enacted their own legislation
    • The data breach notification laws that exist vary from state to state and at times can be conflicting, e.g. on disclosure timelines
    • Compliance with multiple data breach notification laws introduces additional complexity on top of responding to a breach incident
  • 47. Data Breaches are here to stay…
    • The number of data breach disclosures involving big businesses/organizations is increasing, which strongly suggests that smaller businesses/organizations are being targeted just as relentlessly
    • The damage done to everyday individuals is the same irrespective of where their data was stolen from – they face serious risks of identity, financial, and other types of fraud
    • In reality, any business or organization that processes and/or stores sensitive data is a potential data breach target
    • As long as sensitive data can be monetized, data breaches will happen

Editor's Notes

  1. Privacy Rights Clearinghouse (PRC) is a non-profit corporation based in California. They publish a database which contains all publicly disclosed data breach incidents in the United States. Their data is vetted before being published on their website, and is free to use.
  2. 2015 numbers currently stand at 159 – so it looks like the downward trend in disclosed data breach numbers continues. Are you frigging kidding me? What are the reasons behind reported numbers declining? Not reported… does not need reporting. Not discovered... on average it takes several weeks to months to discover a breach, and more often than not the victim is informed about the breach by a third party, e.g. customers, LEA, banks, etc.
  3. A bit out of date as it doesn’t contain OPM or Ashley Madison
  4. They mention that they expect their predictions to lose accuracy over time
  5. Something worth noting is we found the prices of stolen data have fallen compared to last year. We attribute this to oversupply from all the data breaches.
  6. From the “Hype and Heavy Tails” paper. We are in a never-ending arms race with our competitors, the malware authors. Interestingly enough, these malware authors are also some of the most prolific customers of our research. We have to deliver information and tools so the populace can run at least twice as fast as the malicious actors looking to steal from them.
  7. Defensive strategies for some of the breach methods discussed in this talk are outside the scope of this research and have thus been omitted.
  8. Maintained by the Center for Internet Security (CIS) – an independent global non-profit entity
  9. Limitations – where it directly affects the everyday consumer. If a company is breached and important IP or “Other” data is lost which is not directly tied to a consumer, the company doesn’t have to report that. We lose visibility into data breaches and understanding of the overall impact data breaches have on society.