2014: The Year of the Data Breach


Transcript of 2014: The Year of the Data Breach

Page 1: 2014: The Year of the Data Breach

Cybercrime is not just a hobby, it’s big business


Now there’s a thriving black market in software vulnerabilities driven by:

NATION STATES

TERROR GROUPS

ORGANIZED CRIME


SECURITY VULNERABILITIES HIT AN ALL-TIME HIGH IN 2014

[Chart: Security Vulnerabilities By Year, 2010 to 2014 (includes code execution, gain information, XSS, SQL injection, etc.); y-axis from 4,000 to 8,000 vulnerabilities per year, with 2014 the highest on record]

Source: NIST National Vulnerability Database (NVD)


24% of vulnerabilities discovered in 2014 were defined as HIGH SEVERITY

Source: NIST National Vulnerability Database (NVD)


2014 VULNERABILITY REWIND: Remember these bad boys?


Heartbleed (CVE-2014-0160)

VITAL STATS

DISCOVERED: April 2014

SEVERITY LEVEL: Medium (NVD's CVSS v2 base score is 5.0 because only confidentiality is affected; the material it exposed made it critical in practice)

ATTACK VECTOR: OpenSSL

Heartbleed is a missing bounds check in the TLS heartbeat extension of OpenSSL 1.0.1 through 1.0.1f: a peer that claims a heartbeat payload larger than the one it actually sent gets up to 64 KB of the server's process memory echoed back per request, which can include private keys, session cookies and passwords. It left the SSL/TLS layer used by millions of websites and thousands of cloud providers open to anyone who could connect.


Heartbleed (CVE-2014-0160)

DEFENSE CHECKLIST

Check which services are vulnerable (OpenSSL 1.0.1 through 1.0.1f with heartbeats enabled)

Update OpenSSL to 1.0.1g or later, or to a distribution build carrying the fix, then revoke and reissue certificates, since the private key may already have been read

Change your passwords, but only after the service is patched, or the new password can leak the same way

Use an encryption gateway

Number of cloud providers still vulnerable 24 hours after Heartbleed was reported: 368
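The mechanics behind "check which services are vulnerable", as an added example that is not part of the infographic and not OpenSSL's code: a heartbeat request is type (1 byte), payload_length (2 bytes), payload, then at least 16 bytes of padding. The pre-1.0.1g handler trusted payload_length and copied that many bytes from the payload start; the fix rejects a request whose claimed length does not fit in the record. The "heap" below is a constructed byte string standing in for the server's process memory, and the secrets in it are made up.

```python
import re
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding after the payload


def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat request. An honest client leaves claimed_length=None;
    a Heartbleed probe claims up to 65535 while sending a tiny payload."""
    claimed = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed) + payload + b"\x00" * MIN_PADDING


def vulnerable_heartbeat(memory, offset, record_len):
    """OpenSSL 1.0.1 to 1.0.1f behaviour (simulated): trust the payload_length
    field and copy that many bytes from the payload start, so the reply carries
    whatever sits after the record in process memory."""
    hbtype, length = struct.unpack_from("!BH", memory, offset)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    start = offset + 3
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + bytes(memory[start:start + length])


def patched_heartbeat(memory, offset, record_len):
    """1.0.1g fix: silently discard the request when 1 (type) + 2 (length) +
    payload_length + 16 (padding) exceeds the record length."""
    hbtype, length = struct.unpack_from("!BH", memory, offset)
    if hbtype != HEARTBEAT_REQUEST or 1 + 2 + length + MIN_PADDING > record_len:
        return None
    start = offset + 3
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + bytes(memory[start:start + length])


def response_is_overlong(sent_payload, response):
    """Client-side test used by Heartbleed scanners: a reply longer than the
    payload we actually sent means the server copied beyond our data."""
    if not response or response[0] != HEARTBEAT_RESPONSE:
        return False
    return len(response) - 3 > len(sent_payload)


# Patterns worth looking for in a leaked reply (constructed, not exhaustive).
SECRET_PATTERNS = [rb"-----BEGIN [A-Z ]*PRIVATE KEY-----", rb"Cookie: [^\r\n]+", rb"password=[^&\s]+"]


def scan_leak(response):
    """Return the secret-looking fragments found in a heartbeat reply body."""
    return [m.group(0) for pat in SECRET_PATTERNS for m in re.finditer(pat, response[3:])]


def demo():
    """Run both handlers over a constructed heap: probe record followed by data
    from other connections that happens to be adjacent in memory."""
    probe = build_heartbeat(b"hi", claimed_length=4096)
    neighbours = (b"GET /account HTTP/1.1\r\nCookie: session=9f1c0e2a\r\n\r\n"
                  b"user=alice&password=hunter2\r\n"
                  b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA")
    heap = bytearray(b"\x00" * 32) + probe + neighbours
    leaked = vulnerable_heartbeat(heap, 32, len(probe))
    safe = patched_heartbeat(heap, 32, len(probe))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable server leaked:", scan_leak(leaked))
    print("patched server replied:", safe)
```

The overlong-reply check is the whole basis of the scanners that circulated in April 2014: they never needed to see the secrets, only a response longer than what they sent. Scanning a host you do not own is still unauthorized access.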


Shellshock (CVE-2014-6271)

VITAL STATS

DISCOVERED: September 2014

SEVERITY LEVEL: High

ATTACK VECTOR: Bourne Again Shell (Bash)

Shellshock is a flaw in how Bash imports function definitions from environment variables: before the fix, Bash kept parsing after the function body and executed whatever command followed it. Bash is the default shell on most Linux distributions and on OS X, and any service that copies untrusted input into environment variables (CGI scripts receive HTTP headers that way; some DHCP clients and SSH ForceCommand setups were exposed too) turned the bug into unauthenticated remote code execution.


Shellshock (CVE-2014-6271)

Percentage of top IaaS providers vulnerable to Shellshock: 90%

DEFENSE CHECKLIST

Check for vulnerable Bash builds on every host, not just web servers

Update to the latest version of Bash; the first patch for CVE-2014-6271 was incomplete and was followed by CVE-2014-7169 and further fixes, so verify that the build you install carries all of them

Deploy a web application firewall and block the "() {" function-definition pattern in request headers while you patch
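The first and third checklist items, as an added example that is not part of the infographic: how a CGI gateway turns a request header into an environment variable, a detector that runs over web-server access-log lines looking for the function-definition marker, and the standard local probe that classifies the installed Bash. The log lines are constructed for the example, not real traffic, and the probe payload only echoes a word.

```python
import os
import re
import shutil
import subprocess

# A bash function definition smuggled into a variable value: "() {" and a body;
# pre-fix bash went on to execute whatever followed the closing "};".
SHELLSHOCK_MARKER = re.compile(rb"\(\)\s*\{.*?\}\s*;")

# Constructed Apache combined-log lines: two probes and one ordinary request.
SAMPLE_LOG = [
    b'203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c id"',
    b'198.51.100.4 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    b'203.0.113.9 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 200 0 "() { :;}; echo vulnerable" "curl/7.37"',
]


def cgi_environ(headers):
    """RFC 3875 mapping of request headers into the CGI child's environment.
    This is how a User-Agent string reaches bash as HTTP_USER_AGENT."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers.items()}


def find_shellshock_probes(log_lines):
    """Detection over access-log lines: (client_ip, matched_snippet) for every
    line that carries a function-definition marker in any field."""
    hits = []
    for line in log_lines:
        m = SHELLSHOCK_MARKER.search(line)
        if m:
            ip = line.split(b" ", 1)[0].decode()
            hits.append((ip, line[m.start():m.start() + 40].decode(errors="replace")))
    return hits


def local_bash_status():
    """Run the standard probe against the local bash and classify it as
    'vulnerable', 'patched' or 'no-bash' (bash missing or cannot be spawned)."""
    if shutil.which("bash") is None:
        return "no-bash"
    env = dict(os.environ)
    env.update(cgi_environ({"User-Agent": "() { :;}; echo SHELLSHOCK-VULNERABLE"}))
    try:
        out = subprocess.run(["bash", "-c", "echo probe-done"], env=env,
                             capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return "no-bash"
    # A patched bash refuses the definition (warning on stderr) and never runs the trailer.
    return "vulnerable" if "SHELLSHOCK-VULNERABLE" in out else "patched"


if __name__ == "__main__":
    for ip, snippet in find_shellshock_probes(SAMPLE_LOG):
        print(f"probe from {ip}: {snippet}")
    print("local bash:", local_bash_status())
```

The detector is deliberately loose on whitespace because scanners varied the spacing; a WAF rule should be equally loose, and should inspect every header, not just User-Agent, since Referer and Cookie reach CGI the same way.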


Sandworm (CVE-2014-4114)

VITAL STATS

DISCOVERED: October 2014

SEVERITY LEVEL: High

ATTACK VECTOR: Microsoft Windows

Sandworm, named for the espionage group that used it, is a flaw in the Windows OLE package manager that affected all supported versions of Windows at the time (Vista through 8.1 and Server 2008 through 2012 R2). A crafted Office document, PowerPoint files in the observed attacks, embeds an OLE object that points at a file on an attacker-controlled share; when the document is opened, Windows fetches and runs that file, installing malware on the target computer.


Sandworm (CVE-2014-4114)

Percentage of computers running a vulnerable version of Windows: 70%

Source: Net Applications “Desktop Operating System Market Share”

DEFENSE CHECKLIST

Apply the official patch from Microsoft (security bulletin MS14-060)

Update antivirus definitions

Don’t open suspicious email attachments, Office documents included


POODLE (CVE-2014-3566)

VITAL STATS

DISCOVERED: September 2014 (published October 2014)

SEVERITY LEVEL: Medium

ATTACK VECTOR: SSLv3

POODLE (Padding Oracle On Downgraded Legacy Encryption) exploits SSLv3’s CBC padding, which the receiver checks only by its length byte. An attacker on the network path first forces the browser to fall back from TLS to SSLv3, then, by making the victim’s browser send many crafted requests (for example through injected JavaScript), learns one byte of plaintext per roughly 256 requests. Aimed at the session cookie that identifies you to a service, that decrypts the cookie and lets the attacker control your account without needing your password.


POODLE (CVE-2014-3566)

Percentage of cloud services still vulnerable 24 hours after POODLE was reported: 61%

DEFENSE CHECKLIST

Disable SSLv3 on all services

Rely on TLS version 1.0 or greater, and support TLS_FALLBACK_SCSV so a client that offers TLS cannot be silently downgraded

Do the same for browsers and forward proxies
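Why disabling SSLv3 is the only real fix, as an added example that is not part of the infographic: a simulation of the padding oracle. The cipher is a toy four-round Feistel network over 8-byte blocks so the code runs with the standard library alone, and the 8-byte truncated HMAC tag is likewise an assumption; what the attack depends on is the SSLv3 record layout (message, MAC, arbitrary padding, length byte) and the fact that the receiver validates nothing but that length byte. The attacker sees ciphertext and the server's accept/reject only, never the keys.

```python
import hashlib
import hmac
import os

BLOCK = 8    # toy block size (assumption; SSLv3 with 3DES also uses 8-byte blocks)
MAC_LEN = 8  # truncated tag length (assumption; real SSLv3 MACs are 16 or 20 bytes)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key, block):
    # Four-round Feistel network: a stand-in for the real block cipher only.
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)


def mac_tag(mac_key, msg):
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:MAC_LEN]


def sslv3_seal(enc_key, mac_key, iv, msg):
    """SSLv3 record: msg || MAC || padding || pad_len, then CBC. The padding
    bytes are arbitrary and the receiver never checks them."""
    body = msg + mac_tag(mac_key, msg)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return cbc_encrypt(enc_key, iv, body + os.urandom(pad_len) + bytes([pad_len]))


def sslv3_open(enc_key, mac_key, iv, record):
    """Receiver as SSLv3 specifies it: only the length byte is validated.
    Accept/reject is the single bit the attacker observes per connection."""
    pt = cbc_decrypt(enc_key, iv, record)
    pad_len = pt[-1]
    if pad_len > BLOCK - 1:
        return False
    body = pt[:len(pt) - pad_len - 1]
    return hmac.compare_digest(body[-MAC_LEN:], mac_tag(mac_key, body[:-MAC_LEN]))


HEAD, MID = b"GET /", b" Cookie="


def client_request(secret, k):
    """Plaintext the victim's browser sends once attacker JavaScript has padded
    the URL and body so that secret byte k is the last byte of a block and the
    record ends with a full block of padding. Returns (plaintext, byte offset)."""
    prefix = (-(len(HEAD) + len(MID) + k + 1)) % BLOCK
    head = HEAD + b"A" * prefix + MID
    suffix = (-(len(head) + len(secret) + MAC_LEN)) % BLOCK
    return head + secret + b"B" * suffix, len(head) + k


def poodle_recover(secret, enc_key, mac_key, max_tries=8192):
    """Network attacker: copies the block holding the target byte over the
    padding block. An accept means the decrypted last byte was BLOCK-1, and
    D(C_target) = P_target ^ C_{target-1}, which reveals the plaintext byte."""
    recovered = bytearray()
    for k in range(len(secret)):
        plaintext, pos = client_request(secret, k)
        target = pos // BLOCK
        for _ in range(max_tries):
            iv = os.urandom(BLOCK)  # fresh chaining state on every new connection
            rec = sslv3_seal(enc_key, mac_key, iv, plaintext)
            blocks = [iv] + [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            forged = b"".join(blocks[1:-1]) + blocks[target + 1]
            if sslv3_open(enc_key, mac_key, iv, forged):
                recovered.append((BLOCK - 1) ^ blocks[target][-1] ^ blocks[-2][-1])
                break
        else:
            raise RuntimeError("no accept within max_tries; raise the limit")
    return bytes(recovered)


if __name__ == "__main__":
    print(poodle_recover(b"session=42", os.urandom(16), os.urandom(16)))
```

Each byte costs about 256 connections on average, which is why the attack needs a script in the victim's browser to generate traffic; TLS 1.0 and later avoid it because their receivers check every padding byte, and TLS_FALLBACK_SCSV stops the attacker from forcing the SSLv3 session in the first place.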


The sheer number of vulnerabilities can make it difficult for companies to protect against breaches


More than 2 in 5 companies experienced a breach of confidential data in 2014

2013: 33%

2014: 43%

Source: Ponemon Institute “Is Your Company Ready for A Big Data Breach?”


TOP 5 DATA BREACHES OF 2014

Michael’s: 3 million

eBay: 145 million

Home Depot: 56 million

Sony: 47,000

Apple iCloud: 100+


MICHAEL’S, January 2014

WHAT WAS STOLEN:

3 Million Customer Credit & Debit Card Numbers

ROOT CAUSE:

Malware


EBAY, May 2014

WHAT WAS STOLEN:

145 Million Users’ Login Credentials & Personal Information (Name, Address, Date of Birth)

ROOT CAUSE:

Cyber Attack


APPLE ICLOUD, August 2014

WHAT WAS STOLEN:

100+ Nude Photos Of Celebrities

ROOT CAUSE:

Social Engineering


HOME DEPOT, September 2014

WHAT WAS STOLEN:

56 Million Payment Cards & 53 Million Email Addresses

ROOT CAUSE:

BlackPOS Malware


SONY PICTURES ENTERTAINMENT, November 2014

WHAT WAS STOLEN:

47,000 Social Security Numbers of Employees and Celebrities, Scripts, Unreleased Movies

ROOT CAUSE:

Malware


Tip: To learn what cloud apps are in use at your company, get a complimentary cloud audit: http://bit.ly/ComplimentaryCloudAudit

“With Skyhigh we discovered a wide range of services, allowing us to understand their associated risks and put in place policies to protect corporate data.”

Steve Martino, VP Information Security