DSS @SFK International Conference - March 2014 - Quantifying Business Value of Information Security

Post on 19-Jan-2015


DSS delivered overall presentation about cyber security threats in today's fast developing world of digital technology.

Transcript of DSS @SFK International Conference - March 2014 - Quantifying Business Value of Information Security

Quantifying Business Value of Information Security

Andris Soroka, 21st of March, 2014

Riga, Latvia

We have something to share…


About speaker

“Data Security Solutions” business card

Specialization – IT Security

IT Security services (consulting, audit, pen-testing, market analysis, system testing and integration, training and technical support)

Solutions and experience portfolio with more than 20 different technologies – cyber-security global market leaders from more than 10 countries

Trusted services provider for banks, insurance companies, government and private companies (critical infrastructure etc.)

Role of DSS in Cyber-security Development in the Baltics

Cyber-Security Awareness Raising

Technology and knowledge transfer

Most Innovative Portfolio

Trusted Advisor to its Customers

Cybersecurity Awareness Raising

Own organized conference “DSS ITSEC”

5th annual event this year

More than 400 visitors and more than 250 online live streaming watchers from LV, EE, LT

4 parallel sessions with more than 40 international speakers, including Microsoft, Oracle, Symantec, IBM, Samsung and many more – everything free of charge

Participation in other events & sponsorship

CERT & ISACA conferences

RIGA COMM exhibition & conferences

Roadshows and events in Latvia / Lithuania / Estonia (e.g. Vilnius Innovation Forum, Devcon, ITSEC HeadLight, SFK, business associations)

Participation in cyber security discussions, strategy preparations, seminars, publications etc.

Innovations – technology & knowledge transfer

Innovative Technology Transfer: a number of unique projects done with different global technology-leader vendors

Knowledge transfer (own employees, customers – both private & public, other IT companies)

Areas include:

Endpoint Security

Network Security

Security Management

Application Security

Mobile Security

Data Security

Cyber-security

Security Intelligence

Our portfolio is most innovative in Baltics!

Some just basic ideas

AGENDA – IT Security basics in 20 min

Introduction of DSS and speaker

Prologue: Digital World 2014

The Saga begins – Cyber Criminals

Introduction & business card

Business behind

Examples

The Story Continues – Targets of Cyber Criminals

Individuals

Business Owners

Government

Value of Information Security for business

Risk management

Technology

Conclusion

Q&A (if time allows)

Prologue: The Digital World 2014 - future

Prologue: Some new technologies

3D Printers

Google Glass (“glassh**es”)

Cloud Computing

Big Data & Supercomputers

Mobile Payment & Virtual Money

Robotics and Intraday Deliveries

Internet of things

Augmented Reality

Extreme development of Apps

Digital prototyping

Gadgets (devices) & Mobility

Technology replaces jobs

Geo-location power

Biometrics

Health bands and mHealth

Electric cars

Avegant Glyph and much, much more

Prologue: Mobility & Gadgets

Digital Agenda for European Union

New EU Data Protection reform (March’14)


The same rules for all companies – regardless of their establishment: Today European companies have to adhere to stricter standards than their competitors established outside the EU but also doing business on our Single Market. With the reform, companies based outside of Europe will have to apply the same rules. European regulators will be equipped with strong powers to enforce this: data protection authorities will be able to fine companies who do not comply with EU rules with up to 2% of their global annual turnover. European companies with strong procedures for protecting personal data will have a competitive advantage on a global scale at a time when the issue is becoming increasingly sensitive.

Source: http://europa.eu/rapid/press-release_MEMO-14-186_en.htm

The Saga Continues: Cybercriminals

True or fake? In fact this isn’t funny...

Best «success story» describing hackers..

No changes in that perspective

Disaster in software world - NSA

Disaster in technology world - NSA

Governments write malware and exploits (USA started, others follow..)

Cyber espionage

Sabotage

Infecting own citizens

Surveillance

Known NSA “partners”

Microsoft (incl. Skype)

Apple

Adobe

Facebook

Google

Many, many others

Internet is changing!!!

Questions, questions, questions!

USA thinks that the internet is their creation and foreign users should think of USA as their masters…

Disaster in software world - NSA

Bright future of the internet way ahead..

1995 – 2005: 1st Decade of the Commercial Internet

2005 – 2015: 2nd Decade of the Commercial Internet

Threat actors: Script-kiddies or hackers; Insiders; Organized crime; Competitors, hacktivists; National security (infrastructure attack)

Motives: Espionage, Political activism; Monetary gain; Revenge; Curiosity

Global statistics

Mobility & Security...

Mobility and Security (cont.)

McAfee 2013 Q1 Threats Report

Federal Reserve Survey March 2013

Mobile Malware Explodes

Mobile banking adoption rising

End users fall victim to mobile attacks

Mobile Malware increases all the time..

Some examples of incidents (DDoS)

Cyberwars going on!

Examples: Whistleblowers should be careful

Source: Juris Pūce, Analytica IT Security

Examples: Hacker is watching / listening

Examples (continued)

Examples (continued)

Google Maps helped hackers intercept calls..

Examples: Advanced Persistent Threat

The Saga: Simplicity

Some examples of incidents

Hacking business services...

Current prices on the Russian underground market:

Hacking corporate mailbox: $500

Winlocker ransomware: $10-$20

Unintelligent exploit bundle: $25

Intelligent exploit bundle: $10-$3,000

Basic crypter (for inserting rogue code into benign file): $10-$30

SOCKS bot (to get around firewalls): $100

Hiring a DDoS attack: $30-$70 / day, $1,200 / month

Botnet: $200 for 2,000 bots

DDoS Botnet: $700

ZeuS source code: $200-$250

Windows rootkit (for installing malicious drivers): $292

Hacking Facebook or Twitter account: $130

Hacking Gmail account: $162

Email spam: $10 per one million emails

Email scam (using customer database): $50-$500 per one million emails

Weakest link is always the most important

Source: IBM X-Force annual report 2013

Let's summarize The Saga told

The Saga Continues: Targets

Motive              | Actor                        | Example
National Security   | Nation-state actors          | Stuxnet
Espionage, Activism | Competitors and Hacktivists  | Aurora
Monetary Gain       | Organized crime              | Zeus
Revenge, Curiosity  | Insiders and Script-kiddies  | Code Red

Think security first

Source: Brian Krebs IT security blog

Why might hackers want to “contact” You?

Business:

Commercial espionage (financial, business and personal data)

An attack can stop the business or its services (competition)

You are a spam target

Your home page could be damaged

They can control and monitor you

They can change data in systems

Home page cross-site scripting

Private person:

You have the infrastructure for tests of new viruses and bots

You have a server where illegal stuff can be stored (programs, files etc.)

They can do criminal activities using your computer

WiFi – they can just borrow your internet connection

You have information which could be sold on the black market

The results of damage:

Financial (costs, data, market, value)

Reputation (customer, partner, HR)

Development and competitiveness

Conclusion: The Saga will continue anyway

For many companies security is like salt: people just sprinkle it on top.

Smart ones act the smart way – risk management.

Think security first & Where are You here?

Organizations Need an Intelligent View of Their Security Posture

[Chart: security maturity plotted on two axes, Proactive vs. Reactive and Automated vs. Manual]

Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence

Proficient: Security is layered into the IT fabric and business operations

Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting

New game, new rules..

Productivity vs. Security

Challenge for business ahead..

SECURITY MEASURES

[Chart: Costs (y-axis) against Security actions (x-axis); one curve shows Security costs rising, the other the Remaining part of risk falling; the point where their sum is lowest is marked Optimum?, and as Risks change the curves shift to a New optimum?]

Source: Māris Gabaliņš, The Art Of The Systems
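As an added illustration of the cost-optimum chart above (example code written for this transcript, not from the presentation or its cited source), the snippet models total cost as security spend plus the expected loss from remaining risk and finds the spend that minimises it; the exponential risk-reduction model and all monetary figures are constructed assumptions, not figures from the talk.

```python
import math

# Constructed model: the expected annual loss that remains after spending
# `spend` on security actions decays exponentially. `effectiveness` (k) is
# the risk reduction obtained per unit of spend; `baseline_loss` (L) is the
# expected annual loss with no security actions at all.

def residual_risk(spend, baseline_loss, effectiveness):
    """Remaining part of risk (expected loss) after `spend` on security."""
    return baseline_loss * math.exp(-effectiveness * spend)


def total_cost(spend, baseline_loss, effectiveness):
    """Security costs plus remaining risk: the curve whose minimum is the optimum."""
    return spend + residual_risk(spend, baseline_loss, effectiveness)


def optimum_spend(baseline_loss, effectiveness):
    """Closed-form minimum of total_cost.

    d/ds [s + L*exp(-k*s)] = 1 - k*L*exp(-k*s) = 0  =>  s* = ln(k*L) / k.
    If k*L <= 1, a unit of spend never removes a full unit of loss, so the
    optimum is to spend nothing (the curve is increasing from s = 0).
    """
    if effectiveness * baseline_loss <= 1:
        return 0.0
    return math.log(effectiveness * baseline_loss) / effectiveness


def grid_optimum(baseline_loss, effectiveness, max_spend, step):
    """Brute-force check: lowest total cost over a grid of spend values."""
    best_cost, best_spend = min(
        (total_cost(s, baseline_loss, effectiveness), s)
        for s in range(0, max_spend + step, step)
    )
    return best_spend


if __name__ == "__main__":
    # Constructed figures: EUR 1,000,000 expected annual loss with no controls;
    # each EUR 50,000 of spend cuts the remaining risk by a factor of e.
    L0, k = 1_000_000.0, 1 / 50_000
    s_star = optimum_spend(L0, k)
    print(f"optimum spend: {s_star:,.0f}  total cost: {total_cost(s_star, L0, k):,.0f}")
    print(f"grid check: {grid_optimum(L0, k, 500_000, 1_000):,}")
    # "New optimum?": when the baseline risk doubles, the optimum moves right
    print(f"after risk doubles: {optimum_spend(2 * L0, k):,.0f}")
```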

Take-Away as conclusion

Security Maturity

Develop a Risk-aware Security Strategy

49% of C-level executives have no measure of the effectiveness of their security efforts

31% of IT professionals have no risk strategy

2012 Forrester Research Study, 2013 Global Reputational Risk & IT Study, IBM

Costs for business from cybercrime

Return of Investment

“DSS” is here for You! Just ask for…

Si vis pacem, para bellum. (Lat.)

Think security first

www.dss.lv

andris@dss.lv

+371 29162784

Think security first