Presentation at the 2016 Big Sky Developers' Conference.
Overview of the dismal state of security on the Web, some suggestions for better app development processes to mitigate problems.
This document provides a summary of cybersecurity threats and trends from Symantec's January 2014 Intelligence Report. Some key highlights include:
- Two large data breaches were reported in January exposing over 105 million identities total. The number exposed in a November breach was adjusted upwards to 110 million identities.
- Targeted attacks increased in January to their highest level since August 2013, with manufacturing and non-traditional services being the most targeted industries.
- 555 new vulnerabilities were reported in January, bringing the 12-month total to 6443. Google Chrome and Oracle Java had the most browser and plugin vulnerabilities respectively.
- The global spam rate decreased slightly while phishing and email virus rates also reduced. Sex
A Joint Study by National University of Singapore and IDC, by Microsoft Asia
This document summarizes the key findings of a study on the link between pirated software and cybersecurity breaches:
1) The study found that consumers and enterprises have a 33% chance of encountering malware when obtaining pirated software or buying a PC with pirated software pre-installed. A forensic analysis of 203 PCs found 61% were infected with malware.
2) Consumers will spend $25 billion dealing with security issues caused by malware on pirated software in 2014. Enterprises will spend $491 billion, with $315 billion resulting from criminal organizations' activities.
3) Asia Pacific will incur over 40% of worldwide consumer losses and over 45% of enterprise losses from malware on pir
Symantec Internet Security Threat Report 2014 - Volume 19, by Symantec
The 2014 Internet Security Threat Report gives an overview of global threat activity for the past year based on data from Symantec’s Global Intelligence Network.
This document discusses the growing problem of SMS phishing and how current security approaches are ineffective. It proposes a new "Zero Trust" approach called Zero Trust SMS that would authenticate URLs in SMS messages before delivery to help subscribers avoid phishing links. This is presented as being more effective than just blocking URLs after the fact. The benefits of this approach for multiple stakeholders are outlined. The document also provides details on the company MetaCert and their technology and services that aim to implement this Zero Trust SMS approach for mobile operators and their subscribers.
Welcome to the May edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.
Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 57.6 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Intelligence, Symantec Managed Security Services, Norton consumer products, and other third-party data sources.
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n..., by Symantec
Internet Security Threat Report 2014 :: Volume 19 :: Appendices
Hardcore data from Symantec’s Internet Security Threat Report.
Real number crunching on Threat, Malicious Code, Fraud & Vulnerability trends, including:
Threat Activity Trends
• Malicious Activity by Source
• Malicious Web-Based Attack Prevalence
• Analysis of Malicious Web Activity by Attack Toolkits
• Analysis of Web-Based Spyware, Adware, and Potentially Unwanted Programs
• Analysis of Web Policy Risks from Inappropriate Use
• Analysis of Website Categories Exploited to Deliver Malicious Code
• Bot-Infected Computers
• Analysis of Mobile Threats
• Quantified Self – A Path to Self-Enlightenment or Just Another Security Nightmare?
• Data Breaches that could lead to Identity Theft
• Threat of the Insider
• Gaming Attacks
• The New Black Market
Malicious Code Trends
• Top Malicious Code Families
• Analysis of Malicious Code Activity by Geography, Industry Sector, and Company Size
• Propagation Mechanisms
• Email-Targeted Spear-Phishing Attacks Intelligence
Spam and Fraud Activity Trends
• Analysis of Spam Activity Trends
• Analysis of Spam Activity by Geography, Industry Sector, and Company Size
• Analysis of Spam Delivered by Botnets
• Significant Spam Tactics
• Analysis of Spam by Categorization
• Phishing Activity Trends
• Analysis of Phishing Activity by Geography, Industry Sector, and Company Size
• New Spam Trend: BGP Hijacking
Vulnerability Trends
• Total Number of Vulnerabilities
• Zero-Day Vulnerabilities
• Web Browser Vulnerabilities
• Web Browser Plug-in Vulnerabilities
• Web Attack Toolkits
• SCADA Vulnerabilities
Better Security Through Big Data Analytics, by Symantec
Think Big Data Analytics can't help you with your security? Do these stats make you nervous?
Attackers Moving Faster, defenses are not; 5 out of 6 large companies attacked; a 40% increase over 2013
More than 317 million new pieces of malware created last year; 1 million new threats created daily
60% of all targeted attacks struck small- and medium-sized organizations
Retail Remains Hot Spot for Identities: 1 billion stolen in the last 2 years; 59% of all identities exposed in 2014 came from the retail sector
Top 5 zero-days left companies without a patch for 295 days
Digital extortion on the rise: 113% increase in ransomware; 45 times more people had their devices held hostage by vicious crypto-ransomware
Malware gets smarter -- 28% of all malware was “virtual machine aware”
2014 had an all-time high of 24 discovered zero-day vulnerabilities
The document outlines 11 statistics that demonstrate the severity of security risks posed by mobile devices and the importance of mobile security for businesses. Some key points include: 92% of popular Android apps carry security or privacy risks; mobile malware increased 33% in 2013; 35% of online adults have lost or had their mobile device stolen; only 20% of emails sent were legitimate as spam increased to 76% of email traffic; and the average cost of a data breach is $5.5 million. The document emphasizes that mobile devices now pose one of the largest threats to enterprise data security and strict security policies and employee training are needed.
In 2013, targeted attacks increased, with spear-phishing attacks rising 91% over 2012. Watering hole attacks utilizing unpatched website vulnerabilities and zero-day exploits also grew. Eight data breaches exposed over 10 million identities each, termed "mega breaches". A total of 552 million identities were breached in 2013, over 5 times more than the 93 million in 2012. Web attacks blocked per day rose 23% from 2012. 78% of websites had vulnerabilities, and 16% had critical vulnerabilities that could be easily exploited by attackers.
Symantec's Internet Security Threat Report for the Government Sector, by Symantec
Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services, Norton consumer products, and other third-party data sources.
In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 60,000 recorded vulnerabilities (spanning more than two decades) from over 19,000 vendors representing over 54,000 products.
Spam, phishing, and malware data is captured through a variety of sources including the Symantec Probe Network, a system of more than 5 million decoy accounts, Symantec.cloud, and a number of other Symantec security technologies. Skeptic, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers’ networks. Over 8.4 billion email messages are processed each month and more than 1.7 billion web requests filtered each day across 14 data centers. Symantec also gathers phishing information through an extensive anti-fraud community of enterprises, security vendors, and more than 50 million consumers.
Symantec Trust Services provides 100 percent availability and processes over 6 billion Online Certificate Status Protocol (OCSP) look-ups per day, which are used for obtaining the revocation status of X.509 digital certificates around the world. These resources give Symantec analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises, small businesses, and consumers essential information to secure their system effectively now and into the future.
INFOGRAPHIC: The Evolution of Data Privacy, by Symantec
The document discusses the growing issue of data privacy and protection as data volumes continue to rapidly increase. It notes that by 2020 there will be 40 zettabytes of digital data, and many businesses are unprepared to properly handle and protect this data. The EU's new General Data Protection Regulation will require businesses to be more accountable with data and comply with regulations like mandatory breach notification, data subject rights, and restrictions on consumer profiling. Proper compliance will require businesses to know exactly what data they have, where it is stored, who has access, and how it is being used.
The document discusses improvements organizations have made to address cyber threats, but also areas that still need work. It finds that many organizations now recognize the extent of cyber threats, with 76% owning information security policies at the highest level. 70% conduct security assessments of third parties accessing their data. However, the document notes that while improvements have been made, organizations need to do more quickly to address increasing cyber risks. Leading practices and innovation are needed to better protect against known and unknown future threats.
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report, by HackerOne
Another year, another Hacker-Powered Security Report! We pulled out 100 of the report’s top facts—and then added 18 more, since it’s 2018. See below for a better understanding of how hacker-powered security is disrupting (in a good way) how organizations approach security. More security teams are adding VDPs, more are supplementing their skills and bandwidth with hackers, and more are augmenting their standard pen tests with hacker challenges.
In 2018, the HackerOne community and those using our platform have combined to crush every metric that we track. Organizations awarded more than $11 million in bounties. Hackers submitted more than 78,000 reports. Bounties were awarded to hackers in over 100 countries.
Unfortunately, the only metric that hasn’t changed much is the percentage of Forbes Global 2000 companies without vulnerability disclosure policies.
Read on for all of the facts!
1. The number of malicious web links grew by almost 600% worldwide according to data from Websense Security Labs.
2. 85% of malicious web links were found on legitimate web hosts that had been compromised, indicating websites can no longer be trusted based on their reputation.
3. Traditional anti-virus and firewall defenses are no longer sufficient to prevent web-borne threats, as the web serves both as an attack vector and in supporting other attack vectors like social media, mobile, and email. Advanced defenses that can identify compromised legitimate sites in real-time are needed.
Symantec's Internet Security Threat Report, Volume 18 revealed a 42 percent surge during 2012 in targeted attacks compared to the prior year. Designed to steal intellectual property, these targeted cyberespionage attacks are increasingly hitting the manufacturing sector as well as small businesses, which are the target of 31 percent of these attacks. Small businesses are attractive targets themselves and a way in to ultimately reach larger companies via “watering hole” techniques. In addition, consumers remain vulnerable to ransomware and mobile threats, particularly on the Android platform.
Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012, by Symantec
Symantec's 2011 Internet Security Threat Report, Volume 17 shows that while the number of vulnerabilities decreased by 20 percent, the number of malicious attacks continued to skyrocket by 81 percent. In addition, the report highlights that advanced targeted attacks are spreading to organizations of all sizes and variety of personnel, data breaches are increasing, and that attackers are focusing on mobile threats.
It’s our second all-Equifax “Open Source Insight,” as the Equifax breach unfortunately still leads the cybersecurity and open source security news cycle this week. As the Equifax breach has shown, open source security risks are a daunting reality. But that breach should never have happened — a known, fixable open source vulnerability not being remediated.
Open source software — such as Apache Struts — comprises 80 to 90 percent of the code in modern applications, yet most organizations lack any visibility into the open source they are using. In response, Black Duck, the global leader in automated solutions for securing and managing open source software, announced this week the availability of a free-use tool that enables organizations to determine if they are at risk from the Apache Struts vulnerability that was exploited in the recent, high-profile Equifax breach.
Deepfake Anyone? The AI Synthetic Media Industry Enters a Dangerous Phase, by Aditi Agarwal
Deepfake technology has advanced to the point where average users with smartphones can easily generate highly realistic synthetic media without expertise. This raises concerns about non-consensual deepfakes, especially pornographic ones. While some apps aim to prevent abuse through controls, deepfakes remain very difficult to detect as real or fake. There are proposals to expand liability for deepfakes beyond just the perpetrator, but regulating this emerging technology poses technical and ethical challenges.
Cyberthreats broke new ground with mobile devices, while reaching deeper into social media. Online criminals also stepped up attacks via email, web and other traditional vectors.
This document summarizes a presentation about securing software supply chains and the importance of DevSecOps. It notes that 52% of Fortune 500 companies from 2000 are no longer around and that business leaders are under attack. It discusses how software supply chain management is like managing physical parts and components. It highlights statistics about software usage, open source components, and vulnerabilities. It discusses how the speed of exploits has increased and the need to automate security faster than adversaries. The document emphasizes having complete software bills of materials, identifying vulnerabilities, and immediately remediating them. It discusses rising software liability and new PCI standards around software security.
The document is a report from G DATA on mobile malware trends in Q2 2015. Some key points:
- G DATA analyzed over 560,000 new Android malware samples in Q2 2015, a 27% increase from Q1. On average, over 6,100 new samples were found daily.
- For the first time, over 1 million new Android malware samples were found in the first half of 2015 alone. G DATA predicts over 2 million new samples for all of 2015.
- Monitoring apps that secretly track users are a growing threat. One app disguised itself as Google Drive but was actually a monitoring app.
- Pre-installed malware has been found on over 26 mobile device models from various brands. Middle
Welcome to the July edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks. Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services, Norton consumer products, and other third-party data sources.
The average number of spear-phishing attacks per day has dropped back to a level similar to that seen in May. The .doc file type continues to be the most common attachment type used in spear-phishing attacks, followed by .exe files. Organizations with 2500+ employees were the most likely to be targeted, while non-traditional services, such as Business, Amusement, and Repair-related services, led the Top-Ten Industries targeted, followed by Manufacturing.
The largest data breach reported in July resulted in the exposure of 900,000 identities. Hackers continue to be responsible for 49% of data breaches over the last 12 months, most often exposing real names, government ID numbers, such as Social Security numbers, and home addresses. W32.Sality and W32.Ramnit variants continue to dominate the top-ten malware list. The most common OS X threat seen was OSX.RSPlug.A, making up 38% of all OS X malware found on OS X endpoints.
There were 575 vulnerabilities disclosed during the month of July, though no zero-day vulnerabilities discovered. Internet Explorer has reported the most browser vulnerabilities in the last 12 months, while Oracle’s Java reported the most plug-in vulnerabilities over the same time period.
There were four Android malware families discovered in July. Of the mobile threats discovered in the last 12 months, 24% steal information from the device and 22% track the device’s user. In terms of social networking scams, 63% were fake offerings and 27% were manually shared scams.
Finally, the phishing rate was down in July, at one in 1,299 emails, down from one in 496 emails in June. The global spam rate was 63.7% for the month of July, one out of every 351 emails contained a virus, and of the email traffic in the month of July, 7.9% contained a malicious URL. We hope that you enjoy this month’s report and feel free to contact us with any comments or feedback.
The Internet of Security Things (A Story about Change), by Lori MacVittie
Lots of change is impacting security. This presentation looks at four key security concerns that are most impacted by application and technology trends and what we can look for in solutions to address those concerns.
The document provides an overview of CynergisTek's monthly cybersecurity briefing. It discusses the cybersecurity threats facing the healthcare industry, including an increasing reliance on automated and digital systems, staffing shortages, and outdated software. It notes that healthcare spends less on cybersecurity than other regulated industries and that less than half of healthcare entities actively monitor for threats or conduct security exercises. The briefing examines characteristics of cyber adversaries targeting healthcare and provides threat intelligence reports. It emphasizes the need for organizations to adopt proactive cybersecurity postures and engage law enforcement if targeted by criminals.
Deepfake technology has advanced to the point where average users with smartphones can easily generate highly realistic synthetic media without expertise. This raises concerns about non-consensual deepfakes, especially pornographic ones. While some apps aim to prevent abuse through controls, deepfakes remain very difficult to detect as real or fake. There are proposals to expand liability for deepfakes beyond just the perpetrator, but regulating this emerging technology poses technical and ethical challenges.
Cyberthreats broke new ground with mobile devices, while reaching deeper into social media. Online criminals also stepped up attacks via email, web and other traditional vectors.
This document summarizes a presentation about securing software supply chains and the importance of DevSecOps. It notes that 52% of Fortune 500 companies from 2000 are no longer around and that business leaders are under attack. It discusses how software supply chain management is like managing physical parts and components. It highlights statistics about software usage, open source components, and vulnerabilities. It discusses how the speed of exploits has increased and the need to automate security faster than adversaries. The document emphasizes having complete software bills of materials, identifying vulnerabilities, and immediately remediating them. It discusses rising software liability and new PCI standards around software security.
The document is a report from G DATA on mobile malware trends in Q2 2015. Some key points:
- G DATA analyzed over 560,000 new Android malware samples in Q2 2015, a 27% increase from Q1. On average, over 6,100 new samples were found daily.
- For the first time, over 1 million new Android malware samples were found in the first half of 2015 alone. G DATA predicts over 2 million new samples for all of 2015.
- Monitoring apps that secretly track users are a growing threat. One app disguised itself as Google Drive but was actually a monitoring app.
- Pre-installed malware has been found on over 26 mobile device models from various brands. Middle
Welcome to the July edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks. Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services, Norton consumer products, and other third-party data sources.
The average number of spear-phishing attacks per day has dropped back to a similar level seen in May. The .doc file type continues to be the most common attachment type used in spear-phishing attacks, followed by .exe files. Organizations with 2500+ employees were the most likely to be targeted, while non-traditional services, such as Business, Amusement, and Repair-related services, lead the Top-Ten Industries targeted, followed by Manufacturing.
The largest data breach reported in July resulted in the exposure of 900,000 identities. Hackers continue to be responsible for 49 % of data breaches over the last 12 months, most often exposing real names, government ID numbers, such as Social Security numbers, and home addresses in the data breaches. W32.Sality and W32.Ramnit variants continue to dominate the top-ten malware list. The most common OSX threat seen was OSX.RSPlug.A, making up 38 % of all OSX malware found on OSX Endpoints.
There were 575 vulnerabilities disclosed during the month of July, though no zero-day vulnerabilities discovered. Internet Explorer has reported the most browser vulnerabilities in the last 12 months, while Oracle’s Java reported the most plug-in vulnerabilities over the same time period.
There were four Android malware families discovered in July. Of the mobile threats discovered in the last 12 months, 24 % steal information from the device and 22 % track the device’s user. In terms of social networking scams, 63 % were fake offerings and 27 % were manually shared scams.
Finally, the phishing rate was down in July, at one in 1,299 emails, down from one in 496 emails in June. The global spam rate was 63.7 % for the month of July, one out of every 351 emails contained a virus, and of the email traffic in the month of July, 7.9 % contained a malicious URL. We hope that you enjoy this month’s report and feel free to contact us with any comments or feedback.
The Internet of Security Things (A Story about Change) Lori MacVittie
Lots of change is impacting security. This presentation looks at four key security concerns that are most impacted by application and technology trends and what we can look for in solutions to address those concerns.
The document provides an overview of CynergisTek's monthly cybersecurity briefing. It discusses the cybersecurity threats facing the healthcare industry, including an increasing reliance on automated and digital systems, staffing shortages, and outdated software. It notes that healthcare spends less on cybersecurity than other regulated industries and that less than half of healthcare entities actively monitor for threats or conduct security exercises. The briefing examines characteristics of cyber adversaries targeting healthcare and provides threat intelligence reports. It emphasizes the need for organizations to adopt proactive cybersecurity postures and engage law enforcement if targeted by criminals.
The document provides an overview of CynergisTek's monthly cybersecurity briefing. It discusses the current threat landscape facing the healthcare industry, including that nearly all healthcare processes and information are now digital and healthcare has a large attack surface. It notes the increasing costs and impacts of ransomware on healthcare organizations. The briefing then examines characteristics of adversaries targeting healthcare and provides threat intelligence reports. It emphasizes the need for vigilance given geopolitical tensions and outlines actions organizations can take to strengthen their security posture and resilience.
Adjusting Your Security Controls: It’s the New NormalPriyanka Aash
Most of us learned cybersecurity practices based on the application of controls that were part of a framework. Once the framework was implemented then the controls didn’t change often. It’s time to adjust our thinking and recognize that on-going adjustment of controls may be a better indicator of cyber-maturity than adherence to any framework.
(Source: RSA USA 2016-San Francisco)
1) Around half of organizations surveyed were hit by ransomware in the last year, with attacks encrypting data in around 3 out of 4 cases.
2) Most victims were able to recover their data through backups, but one in four paid the ransom. This doubled the overall costs of remediation.
3) Coverage for ransomware varies - around 20% of organizations have cybersecurity insurance that does not cover ransomware attacks.
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...Rishi Singh
Presentation on the 2015-2016 State of Cybersecurity and Third Party Vendor Risk Management, presented by Matt Pascussi and Rishi Singh.
This presentation was sponsored by TekSystems.
- Cybersecurity risks are a growing concern for organizations as high-profile data breaches continue to occur globally, exposing millions of customer records. Common causes of breaches include targeted emails, virus/malware infections, and human error.
- Traditional perimeter-based security defenses are no longer sufficient as attackers become more sophisticated. Organizations need to rely on tools that monitor behavior and enable rapid response, but many have not implemented these.
- Internal audit can play a key role by integrating cybersecurity into audit plans, increasing board engagement, and helping organizations assess and strengthen their ability to identify, assess, and mitigate cybersecurity risks. Regular breach detection audits and reviews of third-party access are also recommended.
Mobile malware and enterprise security v 1.2_0Javier Gonzalez
This document discusses mobile malware threats facing enterprises. It begins by providing background on the rise of BYOD policies and the security challenges they pose. It then discusses the growing risk of mobile malware, citing statistics on its rapid growth rate and prevalence in apps. The document outlines common types of mobile malware like adware, spyware, and phishing. It explains how these threats can compromise enterprise data and infect networks through BYOD devices. It emphasizes the need for enterprises to adopt comprehensive security solutions to protect corporate data on personal mobile devices.
IT security threats for next year will be introducing new players while bringing back some old ones (with a few new twists). The 2015 threat landscape — It's complicated.
The top 5 IT security threats for 2015 include more insider breaches, more crime as a service, and more reputation sabotage.
Most tech and healthcare executives surveyed viewed cyber attacks as a serious threat to their business and data. While over half were moderately confident in their own security, far fewer were confident in their partners' security. In response, 98% of companies are maintaining or increasing cybersecurity resources, focusing more on response than prevention. Over half of companies now offer cybersecurity as part of their products and services. Increased media coverage has heightened awareness of cyber threats for many executives.
The survey found that:
- 82% of organizations experienced at least one online attack or threat in the last year, with the average company experiencing three types.
- While ransomware was less common, it had the highest severity of impact. Browser vulnerabilities were identified as the biggest challenge to endpoint security.
- The most common impacts of attacks were increased help desk workload and reduced employee productivity. Most organizations now use multiple endpoint security solutions due to the ineffectiveness of traditional antivirus against advanced malware.
Michael Daly, Chief Technology Officer for Cybersecurity & Special Missions at Raytheon, described global cybersecurity trends during his presentation at the 2015 Chief Information Officer Leadership Forum in Boston on March 26. In his presentation, “Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs,” Daly pointed out that cybersecurity is becoming a major concern for C-level executives.
The survey found that organizations are facing increasing endpoint security risks. 64% of respondents said their networks were not more secure than the previous year. Common incidents over the past year included virus/malware infections (98%), device theft (95%), and data loss from negligent/malicious insiders (89% and 61% respectively). The top security risks for the next year were expected to be advanced persistent threats, insider threats, and web-based malware. Many organizations are not effectively managing applications and vulnerabilities on endpoints. Costs are increasing mainly due to lost productivity and IT staff time spent addressing malware incidents.
The survey found that organizations are facing increasing endpoint security risks. 64% of respondents said their networks were not more secure than the previous year. Common incidents over the past year included virus/malware infections (98%), device theft (95%), and data loss from negligent/malicious insiders (89% and 61% respectively). Respondents reported that malware attacks were among the most frequent network incidents and had increased over the past year for many organizations. The top security risks for the coming year were identified as advanced persistent threats, insider threats, and web-based threats. However, many organizations are not effectively addressing these risks through technology solutions or application and policy management.
The survey found that organizations are facing increasing endpoint security risks. 64% of respondents said their networks were not more secure than the previous year. Common incidents over the past year included virus/malware infections (98%), device theft (95%), and data loss from negligent/malicious insiders (89% and 61% respectively). The top security risks for the next year were expected to be advanced persistent threats, insider threats, and web-based malware. Current endpoint security approaches were found to be ineffective and costly. IT operating costs were rising mainly due to lost productivity and increased malware incidents.
Most notable apt_ attacks_of_2015_and_2016 predictionsCyphort
This season is the time to consider the year in review and the year to come. Nick will review the biggest malware attacks and breaches of the year, including OPM breach, Apple App store malware, Ashley Madison and Hacking Team. Then it’s on to the future as Nick unveils his security predictions for 2016.
Cybersecurity Risks of 3rd Party Cloud-Apps in 2022 Whitepaper by Protected H...Protected Harbor
Cybersecurity Risks in Third-Party Cloud Apps (2022) is a comprehensive whitepaper that examines the evolving threat landscape surrounding third-party cloud applications. Delve into the intricate web of security concerns and mitigation strategies to safeguard your organization's sensitive data from potential breaches and unauthorized access. Explore the dynamic challenges posed by third-party cloud apps in 2022 and equip your business with actionable insights to fortify its digital ecosystem against emerging cybersecurity threats.
Vulnerability stats, full stack cyber issues.
Vulnerability management, threat analysis and attack surface management. Exposures, MTTR and cyber risk management.
Based on the assessment of thousands of systems globally on a continuous basis.
This document provides statistics on vulnerabilities from assessments performed in 2021 using the Edgescan platform. It finds that 20.4% of full stack vulnerabilities were high or critical risk. Web applications had more critical vulnerabilities but also more low risk issues than the network layer. The average time to remediate vulnerabilities across the full stack was 57.5 days; critical issues were fixed faster on the web application/API layer (47.6 days) than on the device/host layer (61.4 days). Industries like healthcare had shorter remediation times than public administration and manufacturing. The report aims to demonstrate the state of security based on Edgescan's vulnerability assessments and identify trends.
The Internet Is a Dog-Eat-Dog World, and Your App Is Clad in Milk-Bone Underwear
1. The Internet is a dog-eat-dog world, and your app is clad in Milk Bone underwear. - Bob Wall
2. 'Cause hackers aren't going to rush your foxhole. They're going to sneak in under cover of night.
3. "And I've got the scars to prove it."
Bob Wall: @bithead_bob, BobWall23, /in/bobwall23
Former Chief Architect at Oracle. Current CTO at IronCore Labs.
Four degrees, crypto nerd, music junkie.
4. 47% of U.S. adults hacked in one year (May 2014). 43% of U.S. corporations hacked in one year (Sep 2014).
Sources: CNN and USA Today
5. 1,023,108,267 records stolen in 2014. Billion!!
Source: Breach Level Index Annual Report 2014
6. Share of high-severity vulnerabilities that were low complexity (easy to exploit), by year
Source: National Vulnerability Database and IronCore Labs
2010: 60%
2011: 66%
2012: 70%
2013: 68%
2014: 71%
2015: 75%
75% of high severity vulnerabilities were low complexity (easy to exploit) in 2015, up 25% from 2010 levels (60%).
Conclusion: Applications are getting worse at basic security measures.
10. Privacy Is Dead (but hooray convenience!)
Your smartphone can know everything about you. Under the control of a hacker, it can relay your conversations, your location, your communications and much more, which is why mobile malware is such a scary up-and-coming threat.
Sources: Consumer Reports, IDC and Symantec Internet Security Threat Report
1.4 billion smartphones sold in 2015 (up 10%)
430 million new pieces of malware in 2015 (up 36%)
5.2 million smartphones lost or stolen in the U.S. in 2014 (up 15% total, but thefts down 32%)
11. 86% of web applications tested had serious issues with authentication, access control, and confidentiality. Increased from 72% in 2014.
Source: HPE 2016 Cyber Risk Report
13. News Coverage of Breaches
[Figure: Google Trends search-interest timeline, 2010 through 2015, with spikes labelled Playstation Breach, Zappos Hack, Evernote Hack, Target Hack, Home Depot Hack and Ashley Madison Hack.]
Source: Google Trends
15. 47 states with breach disclosure laws, plus HIPAA.
Breach disclosure is only required when unencrypted PII (Personally Identifiable Information) is accessed.
16. Data is Distributed
• Cloud services
• Mobile devices
• Internet of Things
• Partners
• Employee laptops
Uncontrolled and with minimal security.
20. Web App Vulnerability Likelihood
Source: WhiteHat Security Stats Report 2015
Likelihood that a tested site has at least one vulnerability of the class:
Insufficient Transport Layer Protection: 70%
Information Leakage: 56%
Cross-Site Scripting: 47%
Brute Force: 29%
Content Spoofing: 26%
Cross-Site Request Forgery: 24%
URL Redirector Abuse: 16%
Predictable Resource Location: 15%
Session Fixation: 11%
Insufficient Authorization: 11%
Directory Indexing: 8%
Abuse of Functionality: 6%
SQL Injection: 6%
Insufficient Password Recovery: 6%
Fingerprinting: 5%
#1. Insufficient Transport Layer Protection = poor SSL/TLS configuration
#2. Info Leak = developer errors, stack traces and debug detail shown to the user
#3. XSS = untrusted input reaching the page without context-aware output encoding
#4. Brute Force = no rate limiting or account lockout
#5. Content Spoofing = untrusted input rendered into the page without encoding
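The #3 and #5 classes above share one root cause and one fix: encode each untrusted value for the exact context it lands in (HTML text, HTML attribute, URL, JavaScript string), at the point of output. The block below is an added example written for this page, not code from the talk or from IronCore Labs; the `user` object, the render functions and the attacker payloads are constructed for illustration.

```javascript
// Added example (not from the talk): context-aware output encoding, the
// control that actually stops the "#3 XSS" and "#5 content spoofing" classes.
// "Sanitising input" is not enough: the same string is safe in one output
// context and dangerous in another, so encode at the point of output.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// For HTML text nodes and quoted attribute values.
function encodeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// For values embedded in a JavaScript string literal inside a <script> block:
// everything outside a conservative allow-list becomes \xHH or \uHHHH, so
// neither quotes nor "</script>" can terminate the literal or the block.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9,._ ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// For untrusted values placed in href/src: allow only http(s), site-relative
// paths and fragments. javascript:, data:, vbscript: and protocol-relative
// "//evil" are all replaced with a harmless anchor.
function safeUrl(s) {
  const v = String(s).trim();
  if (/^(https?:\/\/|\/(?!\/)|#)/i.test(v)) return v;
  return '#';
}

// Vulnerable: raw interpolation, the default in many string templates.
function renderProfileVulnerable(user) {
  return `<div class="name">${user.name}</div><a href="${user.site}">site</a>`;
}

// Hardened: every interpolation encoded for the context it lands in.
function renderProfileHardened(user) {
  return `<div class="name">${encodeHtml(user.name)}</div>` +
         `<a href="${encodeHtml(safeUrl(user.site))}">site</a>` +
         `<script>var who = "${encodeJsString(user.name)}";</script>`;
}

// Constructed sample payloads (hypothetical, not from any real incident).
const attacker = {
  name: '<img src=x onerror="alert(1)">',
  site: 'javascript:alert(document.cookie)',
};
```

Two things worth noticing: `safeUrl` is an allow-list, because a deny-list of schemes always misses one, and the JavaScript-context encoder is separate from the HTML one, because HTML entities mean nothing inside a `<script>` block. In a real application the template engine should apply these encoders automatically; the point of writing them out is to see what "output encoding" has to do in each context.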
21. OpenSSL
66% of the web uses OpenSSL (not counting IMAP and the many other apps that use OpenSSL).
[Figure: OpenSSL vulnerabilities per year, 2006 through 2016 (2016 through March only), stacked by severity (Low, Moderate, High), x-axis 0 to 40. Annotated with FREAK and Logjam; Heartbleed, POODLE and "goto fail"; DROWN; OCSP Stapling; ASN.1 BIO; Plaintext Recovery.]
Note on the annotations: "goto fail" was a bug in Apple's Secure Transport library, not in OpenSSL, and POODLE is a design flaw in the SSL 3.0 protocol that affected every implementation still offering it.
22. OpenSSL Unit Test Coverage
Covered: 48%. Not covered: 52%.
Code is poorly tested. Code is old, crusty, riddled with goto statements.
#1 crypto library ➫ #1 app problem ➫ Coincidence?
23. Encryption Pitfalls
Typical implementations suffer these issues:
Single Key: One key is shared between all apps and users. Anyone who gains access to the system can access all of the data in the system, unchecked by encryption.
Unlocked in Memory: In typical transparent disk and database encryption, as long as the system is running the data is effectively not encrypted: the key is loaded and every read is decrypted on demand. These systems protect against stolen hard drives, but not against hackers inside the system.
Key on Server: If you lock a desk drawer and put the key on top of the desk or in the unlocked drawer beside it, your physical security would be as bad as most electronic security. A key stored beside the data it protects adds nothing against an attacker who has already reached the server.
Reliance on HTTPS: A surprising number of apps and infrastructures think they are encrypted and secure because they use HTTPS. HTTPS only protects data in transit between browser and server; it does nothing for data at rest, and the false confidence it creates can be actively harmful.
"Plenty of companies brag that their communications app is encrypted. But that marketing claim demands a follow-up question: Who has the key?"
25. % of Organizations with Serious Vulnerabilities
Source: WhiteHat Security Stats Report 2015
[Figure: stacked bar chart by industry (Finance/Insurance, Healthcare, Info Tech, Retail, Public Admin), x-axis 0% to 100%, showing the share of organizations with a serious vulnerability present every day, for more than 271 days, and for more than 151 days, out of the 2015 calendar year.]
26. Average Days To Fix by Industry
Source: WhiteHat Security Stats Report 2015
Transportation: 227
Arts & Entertainment: 192
Accommodation: 191
Professional & Scientific: 160
Public Admin: 158
Other Services: 136
Information: 132
Education: 130
Healthcare: 111
Finance/Insurance: 108
Manufacturing: 99
Utilities: 97
Retail: 73
27. Hard Breach Costs
Source: Ponemon Institute
$400b: Lloyd's of London estimate of the cost to the global economy
9%: 2014 increase in per-record cost
$201 per breached record: average cost per record (US)
$3.8m per breach: average cost of a breach, including notifications, investigations, legal issues and credit monitoring
28. Cyber-Insurance
Source: NetDiligence 2015 Cyber Claims Study
Premiums up 32% in first half of 2015
83% of claims paid out
Payout breakdown: 78% crisis services, 8% legal defense, 9% legal settlements, 5% regulatory
Biggest payout: $15m. Average payout: $674k. Median payout: $77k.
32% of claims due to third-party breaches
99% of exposed records due to hackers and malware
29. Soft Breach Costs
General stats aren't known, but smaller companies get badly hurt.
Case study (2013): database hacked (SQL injection?); 50 million customers affected; 15-20% revenue drop in subsequent months; 82% employee reduction now vs. pre-breach.
Sources: All Things D and NYTimes
30. Security Spending
Source: Lumension 2015 State of the Endpoint
Network security vs. app security: almost triple the spending goes to network security.
32. Top Threats by Industry
Source: Verizon 2015 Data Breach Report
Accommodation: Point of Sale 91%
Education: Crimeware 32%
Entertainment: Point of Sale 73%
Financial Services: Crimeware 36%, Web App Attack 31%
Healthcare: Misc. Errors 32%, Insider Misuse 26%
Information/Tech: Cyber-Espionage 36%, Web App Attack 35%
Manufacturing: Cyber-Espionage 60%
Public: Crimeware 51%
Retail: Point of Sale 70%
33. Cyber-Espionage: Spy vs. Computer
Source: Verizon 2015 Data Breach Report
66%: Two-thirds of cyber-espionage attacks relied on targeted phishing emails with malicious links or attachments.
27%: 27% of victims were manufacturing corporations. Public sector targets accounted for 20%.
0.8%: Of all breaches resulting in data loss, only 0.8% were due to cyber-espionage.
34. Phishing
Source: Verizon 2015 Data Breach Report
23% of recipients open phishing emails; 11% open the attachments.
36. Internet of Crap
70% of devices vulnerable to attack. (1)
90% collect personal information. (1)
25 average vulnerabilities found per device. (1)
20% of cars networked by 2020. (3)
2008: more connected devices than people globally. (2)
50b connected devices by 2020. (2)
Sources: 1. HP Internet of Things research study 2015; 2. Cisco; 3. Gartner
37. Wall of Shame Highlights
Source: Identity Theft Resource Center
277 healthcare breaches in 2015
112,832,082 records stolen: 67% of stolen records across industries
$10 per record on the black market
• Aetna
• Alliance Health
• Anthem
• Blue Cross
• Cigna
• CVS
• Harvard Pilgrim
• Humana
• Johns Hopkins
• Kaiser
• Mayo Clinic
• Rite Aid
• University of Colorado Health
• Walgreens
38. Wall of Shame Highlights (continued)
Montana, Jan-Mar 2016:
• Bozeman Health Deaconess Hospital: 1,124 records
• New West Health Services of Montana: 28,209 records
39. Breach Detection
Source: Mandiant M-Trends 2015
229 days before detection (median)
32 days to respond to breach (average)
67% learned of their breach from an external entity (33% found it themselves)
40. Summing Up So Far: Software Devs Need to Step Up
Breaches: through the roof.
Firewalls: insufficient to secure data.
Apps: are the problem.
Trivial: most vulnerabilities are easy to exploit.
IoT: more insecure devices every day.
Bad security: very costly and kills companies.
42. Computer Science Degrees in the U.S.
Source: National Science Foundation WebCASPAR Database
[Chart: Associate's, Bachelor's and Advanced degrees per year, 1966 to 2014, y-axis 0 to 60,000; annotated years 1986 and 2004]
2014: 120,391 grads (56,130 Bachelors, 37,643 Associates, 26,618 Advanced)
43. Computer Science Degrees
0% of the top 20 comp. sci. undergrad programs require secure coding
Source: IronCore Labs using US News Rankings
University Shame List
1. Carnegie Mellon
1. MIT
1. Stanford
1. UC Berkeley
5. University of Illinois, Urbana-Champaign
6. Cornell
6. University of Washington
8. Princeton
9. Georgia Institute of Technology
9. University of Texas, Austin
11. California Institute of Technology
11. University of Wisconsin, Madison
13. UCLA
13. University of Michigan, Ann Arbor
15. Columbia
15. UC San Diego
15. University of Maryland, College Park
18. Harvard University
19. University of Pennsylvania
20. Brown University
20. Purdue University, West Lafayette
20. Rice University
20. University of Southern California
20. Yale University
20. Duke University
45. Internet Security First Aid
PHASE ONE: TRAINING
✓ Teach all developers secure coding
✓ Teach all QA basic security testing
✓ Recurring: each new employee, and a refresh cycle (2 years)
Look at Coursera, SANS, ISC, CERT, securecoding.org, secureset.com and others for help.
46. Internet Security First Aid
PHASE TWO-A: REQUIREMENTS
✓ Product Managers should include malicious users in their personas list.
✓ Require security features up front. Ex:
• Account lockouts
• Form submission rate limits
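As an added example (not from the talk), here are the two listed requirements written as code a developer can unit-test, so that "account lockout" and "rate limit" mean something precise before implementation starts. The `LoginGuard` class, its thresholds and the in-memory counters are assumptions; a real deployment would keep the counters in a shared store.

```python
"""Account lockout and form-submission rate limits, expressed as testable logic.
Added example, not from the talk; thresholds, names and the in-memory store
are assumptions."""
import time
from collections import defaultdict, deque


class LoginGuard:
    """Sliding-window counters for two requirements:
    - rate limit: at most max_requests submissions per rate_window seconds per client;
    - lockout: max_failures failed logins within failure_window seconds locks the
      account for lockout_seconds."""

    def __init__(self, max_failures=5, failure_window=900, lockout_seconds=900,
                 max_requests=20, rate_window=60, clock=time.monotonic):
        self.max_failures, self.failure_window = max_failures, failure_window
        self.lockout_seconds = lockout_seconds
        self.max_requests, self.rate_window = max_requests, rate_window
        self.clock = clock                     # injectable for deterministic tests
        self._failures = defaultdict(deque)    # account -> failure timestamps
        self._locked_until = {}                # account -> unlock time
        self._requests = defaultdict(deque)    # client key -> submission timestamps

    @staticmethod
    def _prune(dq, window, now):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and now - dq[0] > window:
            dq.popleft()

    def allow_submission(self, client):
        """Return False when the client has exhausted its submission budget."""
        now = self.clock()
        dq = self._requests[client]
        self._prune(dq, self.rate_window, now)
        if len(dq) >= self.max_requests:
            return False
        dq.append(now)
        return True

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:              # lock expired: reset the counters
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        """Count one failed login; return True when this failure triggers a lockout."""
        now = self.clock()
        dq = self._failures[account]
        self._prune(dq, self.failure_window, now)
        dq.append(now)
        if len(dq) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        self._failures[account].clear()


class FakeClock:
    """Constructed clock so the demo below is deterministic."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    g = LoginGuard(max_failures=3, lockout_seconds=60,
                   max_requests=2, rate_window=10, clock=clock)
    out = {}
    out["allowed"] = [g.allow_submission("203.0.113.7") for _ in range(3)]  # third refused
    clock.advance(11)                                                      # window slides
    out["after_window"] = g.allow_submission("203.0.113.7")
    out["locked"] = [g.record_failure("alice") for _ in range(3)]          # third locks
    out["is_locked"] = g.is_locked("alice")
    clock.advance(61)                                                      # lock expires
    out["unlocked"] = g.is_locked("alice")
    return out


if __name__ == "__main__":
    print(demo())
```

Lockout on its own gives anyone a way to lock a legitimate user out by guessing wrong on purpose, which is why the two requirements are paired here; the requirement should also state what gets logged when either fires, since that log line is what monitoring will later key on.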
47. Did you know?
25: number of accounts for the average web user.
6.5: number of passwords for the average web user.
8.2b: number of password guesses per second for a single desktop computer.*
Source: Microsoft Research, Ars Technica
* Stat from 2012. Actual speed depends on hardware and hashing algorithm used.
48. Internet Security First Aid
PHASE TWO-B: DESIGN
✓ Find and leverage applicable security checklists such as the OWASP App Security Cheat Sheet and other cheat sheets.
✓ Specify input sanitization and user content handling strategy.
✓ Specify operational expectations and configurations.
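As an added example of what a written "user content handling strategy" can look like (not from the talk), the Python below follows one common design: validate input against an allowlist at the boundary, store it unchanged, and encode on output for the context the value lands in (HTML body, URL path, JSON inside a script). The field rules and helper names are assumptions.

```python
"""Input validation at the boundary, output encoding per context.  Added example,
not from the talk; field rules and helper names are assumptions."""
import html
import json
import re
import urllib.parse

# Allowlist for a username: a bounded character set and length, nothing else.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def validate_username(value: str) -> bool:
    """Reject anything outside the allowlist instead of trying to 'clean' it."""
    return bool(USERNAME_RE.match(value))


def render_comment_html(author: str, body: str) -> str:
    """HTML body context: html.escape encodes < > & " and '."""
    return "<p><b>%s</b>: %s</p>" % (html.escape(author), html.escape(body))


def profile_url(username: str) -> str:
    """URL path-segment context: percent-encode everything but unreserved characters."""
    return "/users/" + urllib.parse.quote(username, safe="")


def inline_json_for_script(data) -> str:
    """Data embedded in a <script> block: JSON, with the characters that could
    end the script element or start markup escaped as unicode."""
    return (json.dumps(data)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def handle_comment(author: str, body: str):
    """Boundary handling: validated author, body stored as typed, one encoded
    view per output context.  Returns None when validation fails."""
    if not validate_username(author):
        return None
    return {
        "html": render_comment_html(author, body),
        "profile": profile_url(author),
        "script_data": inline_json_for_script({"author": author, "body": body}),
    }


if __name__ == "__main__":
    print(handle_comment("bob.smith", '<script>alert("x")</script>'))
    print(handle_comment("../etc/passwd", "hi"))
```

The body is deliberately not "sanitized" on the way in: the same comment needs different encodings for HTML, URLs and script data, and only the output code knows which one applies.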
54. Work Item (Feature/Defect) → CODE → UNIT TESTS → CI → MANUAL QA
Normal: verify the work item is correctly working.
Secure: also try to break it using hacking techniques and tools like manual cookie and parameter changes.
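The "Secure" row of that table is worth automating once QA has done it by hand. As an added example (not from the talk), the Python below implements an HMAC-signed session cookie and an ownership check on a request parameter, then runs the same tampering a tester would try (edit the cookie payload, strip the signature, request another user's record) as assertions that can sit in CI. The cookie format, the secret and the order table are assumptions.

```python
"""Cookie and parameter tampering as automated checks.  Added example, not from
the talk; cookie format, secret and order store are assumptions."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-secret-load-from-config-in-real-code"   # assumption


def sign_session(data: dict, key: bytes = SECRET) -> str:
    """Cookie value = base64(JSON payload) + '.' + HMAC-SHA256 over the payload."""
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()).decode()
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def load_session(cookie: str, key: bytes = SECRET):
    """Return the payload only if the MAC verifies; None for anything edited."""
    if "." not in cookie:
        return None
    payload, mac = cookie.rsplit(".", 1)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed order table: order id -> owning user id.
ORDERS = {1001: 42, 1002: 7}


def fetch_order(session: dict, order_id: int):
    """Parameter check: an order is returned only to the user who owns it,
    regardless of what id the client put in the request."""
    owner = ORDERS.get(order_id)
    if owner is None or owner != session.get("user_id"):
        return None
    return {"order_id": order_id, "owner": owner}


def tamper_tests() -> dict:
    """Each key is one manual-QA trick; each value is True when the app resisted it."""
    cookie = sign_session({"user_id": 42, "role": "user"})
    payload, mac = cookie.rsplit(".", 1)
    # Same user, role edited to admin, original MAC kept.
    escalated = base64.urlsafe_b64encode(
        json.dumps({"role": "admin", "user_id": 42}, sort_keys=True).encode()).decode()
    session = load_session(cookie)
    return {
        "valid_cookie_accepted": session == {"user_id": 42, "role": "user"},
        "edited_payload_rejected": load_session(escalated + "." + mac) is None,
        "stripped_mac_rejected": load_session(payload) is None,
        "other_key_rejected": load_session(cookie, key=b"other") is None,
        "own_order_served": fetch_order(session, 1001) is not None,
        "other_users_order_refused": fetch_order(session, 1002) is None,
        "unknown_order_refused": fetch_order(session, 9999) is None,
    }


if __name__ == "__main__":
    for name, passed in tamper_tests().items():
        print(("PASS " if passed else "FAIL ") + name)
```

Signing the cookie keeps it from being edited, but it does not hide its contents; anything secret belongs server-side with only an opaque id in the cookie.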
56. Add Security at Every Step
Work Item (Feature/Defect) → CODE → UNIT TESTS → CI → MANUAL QA → 3RD PARTY AUDIT → Release (Deliver to Ops)
Fix problems before release
58. App Security First Aid
PHASE FOUR: PRODUCTION AND MAINTENANCE
Respond
Harden
Scan / audit
Encrypt
Update libs
Update servers
Threat intelligence
Monitor
59. Harden
Least permissions, separation of concerns, segmentation, uninstall anything you don’t need, …
60. Encrypt
Encrypt all the things. Use HTTPS, DB encryption, disk encryption, and add extra crypto to your most sensitive data.
Use password-less SSH (key-based identity) and two-factor authentication everywhere.
61. Update libs
Watch 3rd party libraries and APIs closely for security updates (and deprecations) and adopt those immediately.
This is going to require some good regression test suites to maintain confidence in system functionality after library upgrades.
62. Update servers
Religiously update operating systems, server software (Apache/whatever), etc. across all systems.
And automate your update process! Make sure all your systems are running the same software, and that they can be kept that way with minimal effort.
63. Monitor
Log everything, have intrusion detection systems, monitor logs and alerts and act on them.
Again, you are going to need some automation. Relying on humans to monitor logs and notice problems is a recipe for failure.
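As an added example of the automation this slide calls for (not from the talk), the Python below parses web-server access-log lines and raises alerts for two patterns a person reading logs would miss until far too late: repeated failed logins from one address, and a burst of 404s from one address probing for paths that do not exist. The log lines are constructed for the example and the thresholds are assumptions.

```python
"""Automated log monitoring over constructed access-log lines.  Added example,
not from the talk; log lines are constructed and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import timedelta, datetime

# Combined-log-format style lines, constructed for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:13:55:01 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.47"
198.51.100.4 - - [10/Mar/2016:13:55:02 -0700] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:13:55:03 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.47"
203.0.113.7 - - [10/Mar/2016:13:55:05 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.47"
198.51.100.4 - - [10/Mar/2016:13:55:06 -0700] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:13:55:09 -0700] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:13:55:10 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.47"
203.0.113.7 - - [10/Mar/2016:13:55:12 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.47"
192.0.2.9 - - [10/Mar/2016:13:56:00 -0700] "GET /old-admin HTTP/1.1" 404 0 "-" "scanner"
192.0.2.9 - - [10/Mar/2016:13:56:01 -0700] "GET /backup HTTP/1.1" 404 0 "-" "scanner"
192.0.2.9 - - [10/Mar/2016:13:56:02 -0700] "GET /test HTTP/1.1" 404 0 "-" "scanner"
192.0.2.9 - - [10/Mar/2016:13:56:03 -0700] "GET /config HTTP/1.1" 404 0 "-" "scanner"
192.0.2.9 - - [10/Mar/2016:13:56:04 -0700] "GET /dev HTTP/1.1" 404 0 "-" "scanner"
198.51.100.4 - - [10/Mar/2016:13:57:00 -0700] "GET /missing HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) ')


def parse(text):
    """Return (events, unparsed_count).  Unparsed lines are counted, not dropped
    silently: a sudden rise in that count is itself worth an alert."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"]),
        })
    return events, unparsed


def _slide(dq, ts, window):
    # Append the new timestamp and drop those outside the window.
    dq.append(ts)
    while ts - dq[0] > window:
        dq.popleft()


def detect(events, window=timedelta(minutes=2), login_failures=5, not_found=4):
    """Per-source sliding-window rules; each rule fires once per IP."""
    alerts, fired = [], set()
    fails, misses = defaultdict(deque), defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, ts = ev["ip"], ev["ts"]
        if ev["path"] == "/login" and ev["status"] == 401:
            _slide(fails[ip], ts, window)
            if len(fails[ip]) >= login_failures and (ip, "login") not in fired:
                fired.add((ip, "login"))
                alerts.append({"rule": "login-bruteforce", "ip": ip,
                               "count": len(fails[ip]), "at": ts})
        if ev["status"] == 404:
            _slide(misses[ip], ts, window)
            if len(misses[ip]) >= not_found and (ip, "404") not in fired:
                fired.add((ip, "404"))
                alerts.append({"rule": "404-scan", "ip": ip,
                               "count": len(misses[ip]), "at": ts})
    return alerts


if __name__ == "__main__":
    evs, bad = parse(SAMPLE_LOG)
    for a in detect(evs):
        print(a)
```

The rules are deliberately simple; the value is that they run on every line, every minute, which is exactly what the slide says humans cannot be relied on to do.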
64. Threat intelligence
Keep up on current threats, major vulnerabilities, hacking techniques, worms, etc. in order to better counter them.
65. Scan / audit
Audit the production environment in addition to the app; use port scanners to find out what’s running that you didn’t know about.
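A scan is only useful if someone compares it to what is supposed to be there. As an added example (not from the talk), the Python below parses scanner output and diffs it against a per-host allowlist of expected ports, reporting unexpected listeners, hosts nobody put in the inventory, and inventoried hosts the scan did not see. The scan text is constructed in the shape of nmap's grepable (`-oG`) output and the allowlist is an assumption.

```python
"""Diff scanner output against the inventory.  Added example, not from the talk;
the scan text is constructed in the shape of `nmap -oG` output and the
allowlist is an assumption."""
import re

# Constructed scan result, in the shape of `nmap -oG` output (tab-separated fields).
SCAN_OUTPUT = """\
# Nmap scan of the production subnet (constructed)
Host: 10.0.0.10 (web1)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.11 (web2)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.20 (db1)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 6379/open/tcp//redis///\tIgnored State: closed (997)
Host: 10.0.0.30 (old-box)\tPorts: 22/open/tcp//ssh///, 21/open/tcp//ftp///
"""

# What the inventory says each host should expose (assumption).
ALLOWLIST = {
    "10.0.0.10": {22, 443},
    "10.0.0.11": {22, 443},
    "10.0.0.20": {22, 5432},
    "10.0.0.40": {22},          # in the inventory, but absent from this scan
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: {port: service}} for open TCP ports."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports = m.group(1), {}
        for entry in m.group(3).split(", "):
            fields = entry.split("/")
            # fields: port, state, protocol, owner, service, rpc, version
            if len(fields) >= 5 and fields[1] == "open" and fields[2] == "tcp":
                ports[int(fields[0])] = fields[4]
        hosts[ip] = ports
    return hosts


def audit(hosts, allowlist):
    """Compare observed listeners with the allowlist; every difference is a finding."""
    findings = []
    for ip, ports in hosts.items():
        expected = allowlist.get(ip)
        if expected is None:
            findings.append({"host": ip, "issue": "unknown host", "ports": sorted(ports)})
            continue
        for port in sorted(set(ports) - expected):
            findings.append({"host": ip, "issue": "unexpected open port",
                             "port": port, "service": ports[port]})
        for port in sorted(expected - set(ports)):
            findings.append({"host": ip, "issue": "expected port not open", "port": port})
    for ip in sorted(set(allowlist) - set(hosts)):
        findings.append({"host": ip, "issue": "inventory host not seen in scan"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_grepable(SCAN_OUTPUT), ALLOWLIST):
        print(f)
```

Run this from the same scheduled job that performs the scan, and treat a non-empty findings list the way you would treat a failing test: something changed that nobody wrote down.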
66. Respond
A process for managing, escalating, and responding to events is critical. Agree on risk thresholds for emergency releases, update software, don’t lose track of work items.
68. Summary
Lifecycle: Employee Education → Requirements → Design → Develop → Verify → Release → Monitor, Respond
Training: All developers must be trained in the writing of secure code. All QA must be trained in basic security testing and fuzzing.
Architecture: Use secure coding checklists, verify the security of 3rd party libraries, model threats and design with adversaries and best practices in mind.
Implementation: Develop and test, adding QA fuzzing and security checks, automated static code analysis, and before release, an audit or pen-test (even automated).
Production and Maintenance: Release is not the end. Software has bugs and security issues inevitably. Ongoing security testing, monitoring of logs, and most importantly, responding to any issues and pushing back to development.