Join Kaseya and guest cybersecurity expert from Kaspersky, Cynthia James, to hear how companies like Target, eBay, and Home Depot are losing data, and how you can protect your company from suffering the same fate.
• The latest cybersecurity threats and vectors putting organizations at risk
• How your organization can avoid falling victim to a data breach
• Additional strategies to secure your organization and its data
4. Where we are, where we’ve come from
• 200K unique pieces of malware in 2006; 315K per DAY by Q4 2013
• Cybercrime will NEVER stop
[Chart: malware growth over time; annotations “Over 315K/day” and “Where many end users think we are”]
5. Security threats in 2014
Cybercriminals earn over $100 billion annually!
1. No need to be technical: malware can be rented – it’s easier than ever
2. Cybercrime markets are extremely organized and sophisticated – anything can be sold
3. Constant innovation and debugging – by us!
6. Ransomware
• Cryptolocker – an encryption Trojan (Sept 2013)
• Estimated $27M earned in first 2 months (41% vs 3% paid)
• Huge issue in Russia
• 52% of infections are in the US
• Spread primarily thru spam & phishing
• Goes after backup files if they are on the network
• Can spread from home network thru VPN to corporate network
• 2.0 “version” in December + CryptoDefense, etc.
7. Let’s talk about data breaches!
• Definition: “an unauthorized person viewed, copied, transmitted, used or took possession of sensitive, protected or confidential data”
1. Did they only have access, or did they actually view it or take possession of it?
2. Is there reason to believe they misused it?
3. How many records?
• Why report if no one* will find out?
• *victims, employees, customers, law enforcement, the press, banks, compliance agencies
8. The data breach reporting problem
• Typical breach-reporting language: “when there is a reasonable likelihood of harm”; “tell victims in a timely manner”
• Who to report to? Feds, state, agency?*
• Three states have NO laws
1. Breach notification is costly
– Process, fines, loss of customers, lawsuits
2. No one ever wants to report a breach
3. We don’t hear about the majority of breaches!
4. When we do hear…it’s about PII
9. Legislation & Compliance – it’s only about PII (although IP matters too)
• Compliance (HIPAA, etc.)
• Federal: US is working to unify breach laws – adding prison terms for knowingly concealing a breach
• EU will complete that this year (2014) across 28 European countries – to apply to any company with data from EU citizens
• How soon post-breach to report
• What to report
• How to notify customers
• Compliance rules (security minimums, fines, etc.)
• Up to 2% of gross revenues, breaks for SMBs
• Canada – stronger than US law, not as strong as Europe
• Whose PII are you holding?
10. Looking at breaches: the research
• Who is most likely to report?
• Healthcare – due to HIPAA
• Education – due to HIPAA (on-campus healthcare) or “code of ethics” or transparency or liability
• What are they reporting?
• PII
• How likely is it that we get full reporting?
• Except for Healthcare: far less than 100%
11. University of Maryland breach
• 287,000 records stolen
• 78% were purged after the fact!
• $5M allocated
• Biggest take-away:
• The Three Ps –
• Purge (free)
• Push off-line (cheap)
• Protect (expensive: cost of layers + liability)
12. Biggest Breaches in Education 2014
• College of the Desert, CA – inadvertent email, PII on all employees
• Douglas County School District, Colorado – via stolen laptop
• Univ of Illinois, Chicago – haven’t said yet how many
• Orangeburg Calhoun Tech College, Orangeburg, SC – 20K via stolen laptop
• Penn State College of Medicine - 1176 student records
• University of California Irvine – 1.5 months of key logging student health center
• Uxbridge School District and Milford Schools – 3K students, laptop stolen from a 3rd-party billing provider (Multistate Billing Services)
• Butler University, Indianapolis – 160K records hacked (informed by law enforcement)
• Orange Public School District – teen hacked grades, is being charged
• The University of California, Washington Center – didn’t say how many
• Riverside Community College – 35K students – emailed file to the wrong address
• Stanford Federal Credit Union: 18K emailed to the wrong employee (destroyed?)
• Arkansas State University College – “unauthorized access”
• Iowa State – 30K hack
• University of Pittsburgh Medical Center – 27K (originally reported 800)
• UMASS Memorial (May) malicious insider hack
13. Biggest Breaches in Healthcare 2014
• Community Health Systems – 4.5 million records…+IP?
• Access Health Connecticut – employee backpack stolen w/500 patient documents
• Rady’s Children’s Hospital, San Diego, CA – 14K patient data emailed out by mistake
• Redwood Regional Medical Group, Santa Rosa, CA – 33K patients’ information on a stolen thumb drive “back up” left in a “zipped container in an unlocked locker”
• Boulder Community Health, Boulder, CO – “friendly” hack (warning)
• Blue Shield of California, San Francisco – “inadvertent disclosure”
• St Vincent Breast Center, Indianapolis – “inadvertent disclosure via letters”
• Apple Valley Christian Care Center, Apple Valley, CA – breach via “technical glitch”
• 3K patients at Bay Area Pain Medical Associates in Sausalito, CA - stolen laptop
• Penn Medicine – receipts stolen from unlocked office at Pennsylvania Hospital
• Baylor Regional Medical Center, Dallas TX – phishing scam to physicians, at least partially successful, may have compromised database
• Vermont Health Exchange – easily hacked because default password not changed nor was the list of authorized people restricted. “No customers compromised”
14. Characterizing breaches in 2014
• Healthcare – records are constantly on the move (Fin Serv too)
• 85% employee error
• 15% deliberate
• Education Breaches 2014
• 55% based on employee error or stolen, unencrypted laptops
• 45% deliberate hacks
• Almost 100% of these are outside hackers:
• Federal agencies
→ The #1 cause is employee error!!!*
* Doesn’t include the times employees open the door to cybercriminal attacks
15. Top 3 protection strategies
1. Encrypt PII and other valuable data
• At rest or in motion
• Outsource if possible
2. Practice the three Ps for all valued data
• Purge
• Push off-line OR
• Protect
3. Restrict access to only educated employees
16. Employee education
• Make the case based on failure rates of employees in your business sector
• Education should be mandated for access to PII
• Will liability or fines be the outcome of future forensics investigations? (RSA’s $72M man)
• What’s the cost of a breach compared to a harassment lawsuit?
• A good goal: BEGIN fostering a sense of mutual accountability for security
18. About Kaspersky Lab
• Founded in 1997; largest private anti-malware company – 100% focused on anti-malware
• Over $700M annual revenues
• Presence in 27 countries: CEO is Russian; incorporated in the UK; new to US market in 2005
• #1 vendor in Germany, France, Spain, Eastern Europe
• Protecting over 300 million end points
• Top supplier to OEMs/ISVs of anti-malware worldwide