InfoSec’s Credibility Crisis is also our Biggest Opportunity
Jeremiah Grossman, @jeremiahg
Anyone who has been in Information Security for any length of time knows the difficulty of getting people to listen, the frustrating challenge of convincing people to take security seriously. In the enterprise, every single InfoSec budget dollar is painfully scrutinized. Every security decision is resisted. Many feel that no matter what InfoSec pros say or do, those they’re responsible for protecting prefer to wait for something bad to happen first. In the meantime InfoSec laments how no one listens, and when an incident eventually does happen, it ambulance-chases and cries “told you so!”

Maybe the resistance is warranted though. Maybe after the world spends $75 billion annually on InfoSec, only to see the hacks large and small continue on, become more damaging, and threat actors more brazen, people are justifiably skeptical of our value. In the eyes of many, InfoSec at best is seen as a necessary evil. InfoSec’s performance (or lack thereof) and this skepticism are why we now see billions of dollars flowing toward cyber-insurance premiums to cover breach costs, dollars NOT going directly toward preventing break-ins. This is a wake-up call and a clear signal that InfoSec is in the midst of a credibility crisis, a crisis that puts everyone at risk.

It also doesn’t help when the websites of security certification providers are laced with malware, when popular security software packages such as anti-virus are riddled with vulnerabilities that make customers less safe, or when major incident response vendors themselves suffer their own data breaches. Our work is too important to continue with the status quo. We need to turn things around, and as such, InfoSec has an important choice to make. InfoSec can either choose to continue pointing fingers, complaining about the same things over and over year after year, or as an industry we can take responsibility and do something about it.

First and foremost, we must find ways to improve InfoSec’s credibility and measurably prove its worth. One way to do that, a way that stands above all others, is for security vendors to contractually guarantee that their products and services will perform as advertised. Guarantees like we see and expect from every other major industry in the world. InfoSec is an incredibly confusing space, littered with snake-oil and charlatans, so when security vendors are willing to provide guarantees and SLAs, it builds trust that differentiates them like nothing else can. Security guarantees are the biggest opportunity for every security practitioner and vendor to make a real difference and everyone needs to get involved.

  1. INFOSEC’S CREDIBILITY CRISIS IS ALSO OUR BIGGEST OPPORTUNITY. JEREMIAH GROSSMAN @jeremiahg https://www.jeremiahgrossman.com/ http://blog.jeremiahgrossman.com/
  2. JEREMIAH GROSSMAN. WHO I AM… ▸ Professional Hacker ▸ OWASP Person of the Year (2015) ▸ International Speaker ▸ Black Belt in Brazilian Jiu-Jitsu ▸ Founder of WhiteHat Security
  3. AREAS OF INTEREST ▸ Intersection of security guarantees and cyber-insurance ▸ Malware / Ransomware ▸ Easing the burden of vulnerability remediation ▸ Security crowd-sourcing ▸ Industry skill shortage
  4. “I OFTEN SAY THAT WHEN YOU CAN MEASURE WHAT YOU ARE SPEAKING ABOUT, AND EXPRESS IT IN NUMBERS, YOU KNOW SOMETHING ABOUT IT; BUT WHEN YOU CANNOT MEASURE IT, WHEN YOU CANNOT EXPRESS IT IN NUMBERS, YOUR KNOWLEDGE IS OF A MEAGRE AND UNSATISFACTORY KIND.” Lord Kelvin
  5. GROWTH INDUSTRY. “2015 GLOBAL SPENDING ON INFORMATION SECURITY IS SET TO GROW BY CLOSE TO 5% THIS YEAR TO TOP $75BN, ACCORDING TO THE LATEST FIGURES FROM GARTNER” The Wall Street Journal
  6. ORGANIZED CRIME. NATION-STATE. TERRORISM? HACKTIVISTS
  7. 1,083,252,900 SITES (NETCRAFT: APRIL 2016 WEB SERVER SURVEY)
  8. VERIZON DATA BREACH INVESTIGATIONS REPORT (2016): FREQUENCY OF INCIDENT CLASSIFICATION PATTERNS OVER TIME ACROSS CONFIRMED DATA BREACHES.
  9. VERIZON DATA BREACH INVESTIGATIONS REPORT (2016): INCIDENT PATTERNS BY INDUSTRY (ONLY CONFIRMED DATA BREACHES)
  10. TRUSTWAVE GLOBAL SECURITY REPORT (2016): METHODS OF INTRUSION
  11. VERIZON DATA BREACH INVESTIGATIONS REPORT (2016): TOP 10 THREAT ACTION VARIETIES WITHIN WEB APP ATTACK BREACHES
  12. VULNERABILITY LIKELIHOOD (1 OR MORE). WHITEHAT’S WEBSITE SECURITY STATISTICS REPORT 2015. Share of sites with at least one vulnerability of each class:
     Insufficient Transport Layer 70%; Information Leakage 56%; Cross Site Scripting 47%; Brute Force 29%; Content Spoofing 26%; Cross Site Request Forgery 24%; URL Redirector Abuse 16%; Predictable Resource Location 15%; Session Fixation 11%; Insufficient Authorization 11%; Directory Indexing 8%; Abuse of Functionality 6%; SQL Injection 6%; Insufficient Password Recovery 6%; Fingerprinting 5%.
  13. VERACODE: STATE OF SOFTWARE SECURITY REPORT VOL 6, FALL 2015: TOP 10 VULNERABILITY CATEGORIES BY PROGRAMMING LANGUAGE
  14. AVERAGE TIME-TO-FIX (DAYS). WHITEHAT’S WEBSITE SECURITY STATISTICS REPORT 2015. By industry:
     Transportation 73; Arts & Entertainment 97; Accommodation 99; Professional & Scientific 108; Public Administration 111; Other Services 130; Information 132; Educational Services 136; Health Care & Social 158; Finance & Insurance 160; Manufacturing 191; Utilities 192; Retail Trade 227.
  15. WINDOWS OF EXPOSURE. WHITEHAT’S WEBSITE SECURITY STATISTICS REPORT 2015. Share of sites per industry in each exposure band (days per year with at least one open vulnerability):
     Industry                          Always   Frequently (271-364)   Regularly (151-270)   Occasionally (31-150)   Rarely (30 or less)
     Retail Trade                      60%      9%                     10%                   11%                     11%
     Information                       38%      11%                    14%                   16%                     22%
     Health Care & Social Assistance   52%      11%                    12%                   11%                     14%
     Finance & Insurance               39%      14%                    11%                   18%                     17%
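The window-of-exposure bands on slide 15 and the average time-to-fix on slide 14 are both metrics a team can compute from its own scanner findings rather than read off a vendor report. The following is an added example in Python; it is not code from the slides or from WhiteHat. The findings list is constructed sample data, and the band boundaries are the ones the slide shows (Always = every day of the year; Frequently 271-364; Regularly 151-270; Occasionally 31-150; Rarely 30 or fewer). The one thing a naive count gets wrong is double-counting days when several findings overlap, so the days-exposed routine unions the open intervals first.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample findings (not real scan data):
# (site, vulnerability class, date opened, date closed or None if still open)
FINDINGS = [
    ("shop.example", "Cross Site Scripting", date(2015, 1, 1), date(2015, 3, 1)),
    ("shop.example", "SQL Injection", date(2015, 2, 15), date(2015, 2, 20)),   # inside the XSS window
    ("shop.example", "Cross Site Request Forgery", date(2015, 6, 1), None),     # never fixed
    ("intranet.example", "Information Leakage", date(2014, 11, 1), date(2015, 1, 10)),
    ("legacy.example", "Insufficient Transport Layer", date(2014, 3, 1), None),
]
YEAR = 2015


def days_exposed(intervals, year):
    """Days in `year` on which at least one finding was open.

    Each interval is (opened, closed); closed=None means still open.
    Intervals are clipped to the year and unioned so that overlapping
    findings are not double-counted."""
    start, end = date(year, 1, 1), date(year, 12, 31)
    clipped = []
    for opened, closed in intervals:
        a, b = max(opened, start), min(closed or end, end)
        if a <= b:
            clipped.append((a, b))
    clipped.sort()
    total, cur = 0, None
    for a, b in clipped:
        if cur is not None and a <= cur[1] + timedelta(days=1):
            cur = (cur[0], max(cur[1], b))          # extend the running window
        else:
            if cur is not None:
                total += (cur[1] - cur[0]).days + 1
            cur = (a, b)
    if cur is not None:
        total += (cur[1] - cur[0]).days + 1
    return total


def exposure_bucket(days, year):
    """Map days-exposed to the window-of-exposure bands on slide 15.
    'Always' means every day of the year, so the leap-year length is used."""
    days_in_year = (date(year, 12, 31) - date(year, 1, 1)).days + 1
    if days >= days_in_year:
        return "Always Vulnerable"
    if days >= 271:
        return "Frequently Vulnerable"
    if days >= 151:
        return "Regularly Vulnerable"
    if days >= 31:
        return "Occasionally Vulnerable"
    return "Rarely Vulnerable"


def exposure_report(findings, year):
    """Per-site (days exposed, band) for the given year."""
    by_site = defaultdict(list)
    for site, _cls, opened, closed in findings:
        by_site[site].append((opened, closed))
    report = {}
    for site, intervals in by_site.items():
        days = days_exposed(intervals, year)
        report[site] = (days, exposure_bucket(days, year))
    return report


def average_time_to_fix(findings):
    """Mean days from open to close over findings that were actually closed
    (the slide 14 metric); None if nothing was closed. Open findings are
    excluded, which is why time-to-fix alone understates exposure."""
    durations = [(closed - opened).days for _, _, opened, closed in findings if closed]
    return sum(durations) / len(durations) if durations else None


if __name__ == "__main__":
    for site, (days, band) in sorted(exposure_report(FINDINGS, YEAR).items()):
        print(f"{site:20} {days:3d} days  {band}")
    print(f"average time-to-fix: {average_time_to_fix(FINDINGS):.1f} days")
```

On the sample data shop.example lands in the Frequently Vulnerable band (274 days: the XSS and SQL injection windows overlap, so they count once, and the unfixed CSRF finding runs to year end), while its average time-to-fix looks modest because the never-closed finding is not part of that average. That gap between the two metrics is the reason the slide reports windows of exposure alongside time-to-fix.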
  16. VERACODE: STATE OF SOFTWARE SECURITY REPORT VOL 6, FALL 2015: PERCENT VULNERABILITIES FOUND VS. FIXED
  17. TRUSTWAVE GLOBAL SECURITY REPORT (2016): APPLICATION SECURITY
  18. HAVE YOU BEEN HACKED? DO YOU THINK YOU’LL BE HACKED AGAIN? “IN 2014, 71% OF SECURITY PROFESSIONALS SAID THEIR NETWORKS WERE BREACHED. 22% OF THEM VICTIMIZED 6 OR MORE TIMES. THIS INCREASED FROM 62% AND 16% RESPECTIVELY FROM 2013.” “52% SAID THEIR ORGANIZATIONS WILL LIKELY BE SUCCESSFULLY HACKED IN THE NEXT 12 MONTHS.” “THIS IS UP FROM 39% IN 2013.” Survey of Security Professionals by CyberEdge
  19. CYBER EDGE GROUP: 2015 CYBERTHREAT DEFENSE REPORT, NORTH AMERICA & EUROPE: HOW MANY TIMES DO YOU ESTIMATE THAT YOUR ORGANIZATION’S GLOBAL NETWORK HAS BEEN COMPROMISED BY A SUCCESSFUL CYBERATTACK WITHIN THE LAST 12 MONTHS?
  20. CYBER EDGE GROUP: 2015 CYBERTHREAT DEFENSE REPORT, NORTH AMERICA & EUROPE: WHAT IS THE LIKELIHOOD THAT YOUR ORGANIZATION’S NETWORK WILL BECOME COMPROMISED BY A SUCCESSFUL CYBERATTACK IN 2015?
  21. DO YOU THINK YOU’LL BE HACKED AGAIN? DO YOU EXPECT A CYBERATTACK TO STRIKE YOUR ORGANIZATION IN 2015? (N = 3,435) A. YES 46% B. NO 24% C. UNSURE 30%. Respondents are global business and IT professionals who are members of ISACA.
  22. APATHY OR PRAGMATISM? “71% WERE AFFECTED BY A SUCCESSFUL CYBERATTACK IN 2014, BUT ONLY 52% EXPECT TO FALL VICTIM AGAIN IN 2015.” 2015 CYBERTHREAT DEFENSE REPORT, NORTH AMERICA & EUROPE
  23. RANGE OF EXPECTED LOSSES. VERIZON DATA BREACH INVESTIGATIONS REPORT (2015). Loss by number of records breached:
     Records        Prediction (lower)   Average (lower)   Expected      Average (upper)   Prediction (upper)
     100            $1,170               $18,120           $25,450       $35,730           $555,660
     1,000          $3,110               $52,260           $67,480       $87,140           $1,461,730
     10,000         $8,280               $143,360          $178,960      $223,400          $3,866,400
     100,000        $21,900              $366,500          $474,600      $614,600          $10,283,200
     1,000,000      $57,600              $892,400          $1,258,670    $1,775,350        $27,500,090
     10,000,000     $150,700             $2,125,900        $3,338,020    $5,241,300        $73,943,950
     100,000,000    $392,000             $5,016,200        $8,852,540    $15,622,700       $199,895,100
  24. DOWNSIDE PROTECTION. CYBER-INSURANCE ▸ As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013. ▸ Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth.
  25. BOOMING INDUSTRY. “ACCORDING TO PWC, THE CYBER INSURANCE MARKET IS SET TO TRIPLE IN THE NEXT FEW YEARS AND WILL REACH $7.5 BILLION BY 2020.” Dark Reading
  26. DATA IS LACKING. “THE LARGEST BARRIER TO GROWTH IS LACK OF ACTUARIAL DATA ABOUT CYBERATTACKS, BUT THIS IS QUICKLY CHANGING WITH CONTINUED CYBER ASSAULTS.” “ABI RESEARCH FORECASTS THE MARKET TO HIT US $10 BILLION BY 2020.” ABI Research
  27. BUY WHATEVER THERE IS. “ABOUT A THIRD OF U.S. COMPANIES ALREADY HAVE SOME FORM OF CYBER-INSURANCE COVERAGE, ACCORDING TO A REPORT PRICEWATERHOUSECOOPERS RELEASED LAST YEAR.” The Parallax
  28. SMALL PAYOUTS. LARGE PAYOUTS. BREACH CLAIMS ▸ Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million. ▸ Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.
  29. LOTS OF INSURERS GETTING INTO THE BUSINESS. BREACH CLAIMS ▸ “Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.” ▸ “Insurers providing excess layers of cyber coverage include: Lloyd’s of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.”
  30. INCIDENTS DRIVING UP COST OF PREMIUMS. “AVERAGE RATES FOR RETAILERS SURGED 32% IN THE FIRST HALF OF THIS YEAR, AFTER STAYING FLAT IN 2014, ACCORDING TO PREVIOUSLY UNREPORTED FIGURES FROM MARSH.” “AND EVEN THE BIGGEST INSURERS WILL NOT WRITE POLICIES FOR MORE THAN $100 MILLION FOR RISKY CUSTOMERS.” The Security Ledger
  31. GOVERNMENT ACTION. “DHS IS LOOKING AT ALTERNATIVES TO INCENTIVIZE BETTER SECURITY IN VARIOUS INDUSTRIES AND IS LOOKING AT CYBER INSURANCE AS ONE OF THOSE MEANS.” Federal Times
  32. 2014 – 2015 NEW SECURITY INVESTMENT VS. CYBER-INSURANCE. Information Security Spending (Global): ~$3.8 billion in new spending (+4.7%). Cyber-Security Insurance: ~$3.2 billion in spending (+67%).
  33. EVER NOTICE HOW EVERYTHING IN THE INFORMATION SECURITY INDUSTRY IS SOLD “AS IS”? NO GUARANTEES. NO WARRANTIES. NO RETURN POLICIES.
  34. INFORMATION SECURITY: THE $75 BILLION GARAGE SALE
  35. INFOSEC’S BIGGEST OPPORTUNITY: SECURITY GUARANTEES
  36. HOW ONE COMPANY IS DOING IT. “WHITEHAT RECENTLY STRUCK A PARTNERSHIP WITH FRANCHISE PERILS, AN INSURER OF ONLINE RETAIL WEBSITES, BY WHICH FRANCHISE PERILS WILL CONTRIBUTE TOWARD THE PURCHASE OF WHITEHAT’S FLAGSHIP SERVICE, SENTINEL, FOR ANY ONLINE RETAILER PURCHASING A CYBER POLICY.” “WHITEHAT WILL GIVE IT A HIGHER SCORE IN ITS WHITEHAT SECURITY INDEX, RANGING FROM 0 TO 800, SIMILAR TO A CREDIT RATING FOR CONSUMERS.” Third Certainty
  37. “THE ONLY TWO PRODUCTS NOT COVERED BY PRODUCT LIABILITY ARE RELIGION AND SOFTWARE, AND SOFTWARE SHALL NOT ESCAPE MUCH LONGER.” Dan Geer, CISO, In-Q-Tel
  38. HACK YOURSELF FIRST. Jeremiah Grossman @jeremiahg https://www.facebook.com/jeremiahgrossman https://www.linkedin.com/in/grossmanjeremiah https://www.jeremiahgrossman.com/ http://blog.jeremiahgrossman.com/ I'M OK WITH IT BEING AWKWARD BETWEEN US