This document discusses cyber security risks and incidents over time. It notes that 52% of all incidents are from businesses, with government, medical, and education each accounting for around 15-20% of incidents. The majority (57%) of incidents are caused by outside actors, while 20% are from insider threats and 10% are accidental insider incidents. The number of reported data loss incidents has increased significantly over time from just over 100 in 2004 to over 1600 in 2013. The document advocates returning to basic risk management practices, including prioritizing remediation based on risk, impact, costs, and addressing the most critical gaps in assets, processes, technologies and threats based on priority. It warns against overspending on products and focusing

1. "Cyber" security - all
good, no need to worry?
Ian Amit
Director of Services, IOActive

2. ¡Hola

4. Source: datalossdb.org

5. Incidents by Business Type - All Time
Biz
Gov
Med
Source: datalossdb.org
Edu

6. Incidents by Business Type - All Time
52%
Biz
Gov
Med
Source: datalossdb.org
Edu

7. Incidents by Business Type - All Time
52%
18%
Biz
Gov
Med
Source: datalossdb.org
Edu

8. Incidents by Business Type - All Time
16%
52%
18%
Biz
Gov
Med
Source: datalossdb.org
Edu

9. Incidents by Business Type - All Time
14%
16%
52%
18%
Biz
Gov
Med
Source: datalossdb.org
Edu

10. Source: datalossdb.org

11. Incidents by Vector - All Time
Outside
Inside
Inside - Accidental
Inside - Malicious
Source: datalossdb.org
Unknown

12. Incidents by Vector - All Time
57%
Outside
Inside
Inside - Accidental
Inside - Malicious
Source: datalossdb.org
Unknown

13. Incidents by Vector - All Time
57%
20%
Outside
Inside
Inside - Accidental
Inside - Malicious
Source: datalossdb.org
Unknown

14. Incidents by Vector - All Time
10%
57%
20%
Outside
Inside
Inside - Accidental
Inside - Malicious
Source: datalossdb.org
Unknown

15. Incidents by Vector - All Time
7%
10%
57%
20%
Outside
Inside
Inside - Accidental
Inside - Malicious
Source: datalossdb.org
Unknown

16. Incidents by Vector - All Time
7%
6%
10%
57%
20%
Outside
Inside
Inside - Accidental
Inside - Malicious
Source: datalossdb.org
Unknown

18. DataLossDB.org Incidents Over Time
1800
1621
1350
1091
1048
900
829
775
728
695
644
450
157
43
0
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013

26. Problem ✓

27. Problem ✓
Solution?

43. What would CISO do?

44. What would CISO do?

47. WTF?

49. RISK
MANAGEMENT

57. We need to get back to BASICS

59. insert crowd pic here

61. Prioritize
!
Based on risk,
impact,
potential cost,
and cost of
remediation

66. Summary
1. Stop throwing money on products
2. Identify assets, processes, technology, threats.
3. Assess your current posture. Identify gaps.
4. Address gaps based on priority and
relevance. Consider cost (of impact, of fixing).
5. Test effectiveness.
6. Back to 2.

67. REMEMBER!
• You are not fighting off pentesters.
You are fighting off actual adversaries.
• You are not fighting off auditors.
You keep your organization working.
• You are not fighting off regulators.
You are trying to keep yourself out of jail.

68. Thank You!
¡gracias
Ian Amit
Director of Services, IOActive
ian.amit@ioactive.com
Twitter: @iiamit