[301] Cyber Security Risk in the Global Organization: Trends, Challenges & Strategies for Effective Management SCCE Compliance & Ethics Institute 2013

Published in: Education

  1. Cyber Security Risk in the Global Organization: Trends, Challenges and Strategies for Effective Management. David Childers, CIPP, OCEG Fellow, CEO, Compli; Scott Johnson, CEO, Trailblazer International, Former Deputy Assistant Director, Office of Investigations, US Secret Service
  2. Three Things We Know
  3. Three Things We Know… There is no data security
  4. There is no data security. Every enterprise, regardless of size, is a target for cybercriminal activity. Today’s cybercriminals are smarter, better organized and are developing sophisticated tools and malware that make it difficult, if not impossible, to defend your data.
  5. Glossary of Terms
     • Adware – Although generally harmless, adware is considered malware because it offends our ideas of informed consent. For example, you are invited to download a handy toolbar for your browser: it is also a mechanism for serving advertising to your browser or desktop, but this is not explained to you.
     • Blind Drop – A drop that is well hidden and is designed to run while unattended, until an attacker comes to collect the data. In the case of remote access Trojans, can also refer to a file hidden locally.
     • Bot – A computer infected with software that allows it to be controlled by a remote attacker. Also used to refer to the malware itself which allows that control.
     • Downloader – A small piece of code, usually a single instruction, used in the payload of an exploit to silently fetch a malicious EXE file from the attacker's server.
     • Drop – A clandestine computer or service (such as an e-mail account) that collects data stolen by a Trojan.
     • Exploit – Code used to take advantage of vulnerabilities in software code and configuration, usually to install malware.
     • Form-grabber – A program that steals information submitted by a user to a web site. (Originally forms were the only way to submit user input to a web server, but now the meaning has changed to encompass any HTTP communication using a POST request.)
     • iFrame – A special tag used to load one web page into a part of another web page. Used by iFramers to load malicious code, often JavaScript, onto an otherwise trusted page.
     • Keylogger – A keylogger is a kind of spyware. It is a computer program or piece of code that collects a record of all the keys you type on your keyboard.
     • Malware – Any executable code that uses a computer in a way not authorized by its owner. Includes Trojans that install backdoors, spyware, bot clients, keyloggers, worms, viruses, or other malicious code.
     • Packer – A tool used to compress and scramble an EXE file. Used to hide the malicious nature of malware and thwart analysis by researchers.
     • Phishing – Attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
  6. Glossary of Terms
     • RAT – Remote Access Trojan, malware that allows an attacker to remotely control an infected PC or "bot".
     • Redirect – A feature of HTTP used to automatically forward someone from one web site to another. In the case of malware, redirects are done invisibly, sometimes inside iFrames.
     • Rootkit – Code that plugs into and changes the low-level functions of an operating system. Used by malware to hide itself from users and even from the operating system itself.
     • Spyware – Refers to programs that run without asking and invade your privacy. The intent is identity theft, including attempts to discover personal information such as your credit card details and passwords.
     • Torpig – A relatively new family of Trojans representing the latest in malware capabilities, including the ability to hide itself and provide backdoor access for installing other configurations, components, or even other Trojans.
     • Trojan – A program that attempts to hide its malicious code by masquerading as an innocuous program, most commonly through the use of a "packer."
     • Variant – Malware that is produced from the same code base (or "family") as a previous version but is different enough to require new signatures for detection by anti-virus and anti-malware products.
     • Virus – A virus is a computer program or piece of code that can copy itself and spread to more computers by making copies of itself. A virus is very likely to be malware, i.e. part of an attempt at vandalism, theft, spying or extortion.
     • VXer – Originally, a virus writer. Now refers to anyone involved in the production or use of malware.
     • Worm – A worm is a program or piece of code that copies and spreads itself to many computers. Unlike a virus, a worm does not rely on infecting a host file. The term 'worm' is used to identify programs that aim to spread through a network, by whatever means possible (including email and SMS), without users knowing about it.
     • Zombie – Following the infection of your computer with a virus or a worm, the malware code can employ your machine to do things such as spread spam or attack other computers or networks.
  7. There is no data security: Malware-as-a-Service
     • Carberp Trojan or Syscron goes for $40K for full version
     • SpyEye Trojan sold for $10K in 2011 is now $600
     • Zeus Trojan sold for $10K is now $380
     • Malware injection scripts are as little as $5 each and can be done as a MaaS subscription for $50 per month
     Source: The Industrialization of Fraud Demands a Dynamic Intelligence-Driven Response, EMA and RSA, March 2012
  8. There is no data security
  9. No Secret in the Underground
  10. Also Trafficked. “Western university databases for sale USA, CA - also hack for hire”. “Verified vendor” provides list of hacked databases for sale: universities, a bank, payment systems, job sites, e-shops, etc.
  11. Breaches of Service (ID Theft): Accounts for researching SSN/DOB
  12. Three Things I know… We are living in a world with unprecedented data risk
  13. Unprecedented Data Risk
     • Social Media
     • Global Threats
       – Espionage
       – Cyber Crime
       – Activists
     • Third-Parties
     • BYOD
  14. Unprecedented Data Risk
     • Two-thirds (67%) of the working professionals surveyed had worked outside their offices within the past year with some type of sensitive data
       – customer credit card numbers (26%)
       – customer Social Security numbers (24%)
       – patient medical information (15%)
       – internal corporate financial information (42%)
     • Convenience is more important than privacy and security for employees working outside the office.
       – One in four (26%) users said they accessed corporate e-mail on an unprotected network in a high-traffic public area
     • 70% of those surveyed said their companies had no explicit policies on working in public places
     Source: The Visual Data Breach Risk Assessment Study, conducted by People Security and commissioned by 3M
  15. Volumes in the Headlines
  16. Not Just Financial Data
  17. Three Things I know… In terms of a data breach or data loss, it is not a matter of if but when
  18. Global Data Breach Statistics
     • Cyber crime is the fastest growing economic crime – up more than 2300% since 2009
       – More lucrative than selling drugs!
       – Stolen data has a long “shelf life”
     • 68% of those surveyed globally had experienced a breach event
       – 22% had 10 or more!
       – Malicious breaches are the most expensive and damaging
       – 63% of breaches nationally are human error, negligence or system error
     Source: Ponemon Institute global survey for CIO, CSO and PwC, Global State of Information Security 2013
     • 60% of HCCA/SCCE responding organizations had suffered an incident in the last year, and 20% had suffered four or more
       – Human error and electronic exploitation split 50-50
     Source: Data Breach Incidents & Responses - A 2012 Survey by SCCE and HCCA
  19. Who are the Victims?
  20. How do Data Breaches Occur?
  21. What Commonalities Exist?
  22. Where help is available: U.S. Secret Service Electronic Crimes Task Forces
     • Atlanta • Baltimore • Birmingham • Boston • Oklahoma • Buffalo • Charlotte • Chicago • Cleveland • Dallas • Houston • Las Vegas • Los Angeles • Louisville • Miami • Minneapolis • New York/New Jersey • Orlando • Philadelphia • Phoenix • Pittsburgh • San Francisco • Seattle • South Carolina • Washington DC
  23. Data Breach Costs: $188 per record lost*
     Prevention Pays:
     • Pre-Prepared Data Breach Response Plan saves $42 per record
     • Strong Security Posture saves $34 per record
     • Having a CISO or CPO saves $13 per record
     *US Average. Source: 2013 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by Symantec, independently conducted by Ponemon Institute LLC, May 2013
  24. Data Breach Costs: Collateral Damage
     – Brand Reputation
     – Share Price
     – Employee Morale
     – Business Relations
     Brand value diminished 21% post a breach event.
     *US Average. Source: 2013 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by Symantec, independently conducted by Ponemon Institute LLC, May 2013
  25. Compliance Time-Bomb: Data Privacy and Data Protection
     • Alphabet Soup… HIPAA, GLBA, COPPA, FISMA, FCRA, CAN-SPAM, FACTA, FTCA, FERPA, PPA, PIC, ECPA
     • 3rd Party Contractual Agreements
     • NGO and CSR “requirements”
  26. Data Security is a PICNIC: Problem In Chair, Not In Computer
  27. Creating the Human Firewall
     • Train employees about the data risks in your organization
       – Physical
       – Psychological
     • Monitor risks and keep training and awareness up to date
     • “Think like the bad guys”
     • Build from “Teachable Moments”
  28. Creating the Human Firewall
     • Recognize that this is a cultural shift
       – Think Harassment or Workplace Safety
       – Expect and promote secondary benefits for employees
     • Start the change process with people who have disproportionate influence in the organization
     • Look for ways to get people to experience the harsh realities that make change necessary
     • Look for ways to redistribute resources toward “hot spots” – activities that require few resources but result in large change
  29. IT Integration Checklist
     • Use strong passwords and change them regularly
     • Keep your desktop anti-virus software up to date
     • Control access to sensitive data
       – Physical
       – Limit network access
     • Know which BYOD devices are being used and understand their unique vulnerabilities
  30. Questions? david.childers@compli.com, sjohnson@trailblazerintnational.com
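The glossary entries for "iFrame" and "Redirect" describe the pattern of a hidden frame injected into an otherwise trusted page to pull in content from an attacker's domain. The script below is an added example, not code from the slides or from the presenters' companies: it audits a site's own HTML for iframes that are hidden (display:none, visibility:hidden, or a 1×1 size) or that load from a domain other than the page's own, which is the kind of check a web team can run over its published pages after a deployment. The domain names and the sample page are constructed for the example.

```python
# Added example (not from the slides): a defender-side audit of a page's own
# HTML for iframes that look injected, the pattern the glossary's "iFrame" and
# "Redirect" entries describe. Hostnames and the sample page are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


def is_same_site(host, page_host):
    """True when host is the page's own domain or a subdomain of it."""
    host, page_host = host.lower(), page_host.lower()
    return host == page_host or host.endswith("." + page_host)


def is_hidden(attrs):
    """Heuristics for a frame the visitor is not meant to see:
    display:none / visibility:hidden, or a width or height of 0-1 px."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


class IframeAuditor(HTMLParser):
    """Collects every <iframe> that is hidden or loads from another domain."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src (no scheme or host) stays on the page's own site.
        host = urlparse(src).hostname or self.page_host
        reasons = []
        if not is_same_site(host, self.page_host):
            reasons.append("off-domain src")
        if is_hidden(a):
            reasons.append("hidden frame")
        if reasons:
            self.findings.append(
                {"line": self.getpos()[0], "src": src, "reasons": reasons}
            )


def audit_html(html, page_host):
    """Return a list of suspicious iframes found in html, in document order."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page for trusted.example: two legitimate frames, one
# hidden 1x1 frame pulling from an unrelated domain, one hidden same-site frame.
SAMPLE_PAGE = """<html><body>
<h1>Quarterly report</h1>
<iframe src="/local/frame.html" width="600" height="400"></iframe>
<iframe src="https://cdn.trusted.example/player" width="400" height="300"></iframe>
<iframe src="//ads.example.invalid/x.php" width="1" height="1" style="display: none"></iframe>
<iframe src="https://trusted.example/embed" style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE, "trusted.example"):
        print(f"line {f['line']}: {f['src']} -> {', '.join(f['reasons'])}")
```

Run against the constructed page it reports two frames: the 1×1 off-domain one on line 5 and the hidden same-site one on line 6, while the visible local and CDN frames pass. The same-site test deliberately accepts subdomains so a legitimate CDN under the organization's domain is not flagged; tighten that rule if your site never embeds from its own subdomains.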
