Industry Trends in Information Security
INDUSTRY TRENDS IN INFORMATION SECURITY
Gary Bahadur, CEO, KRAA Security
www.kraasecurity.com
What Are The Key Trends?
• Identity theft
• Mobile security threats
• Web application weaknesses
• Insider threats
• Social networks
• Regulatory compliance
• Data loss prevention
• Malware
Objectives of Security Threats
1. Information capture
2. Destruction
3. Monetary
4. Competitive advantage
5. Political gain
6. Activism
Attacks aim to compromise:
7. Confidentiality
8. Integrity
9. Availability
Identity Theft
Weaknesses caused by:
• Lack of proper data handling procedures
• Weak data protection
• Inadvertent data loss
• Unencrypted data
Source: FTC
Identity Theft - Data Breaches That Could Lead To Identity Theft, By Sector
• Education, 24%
• Government, 20%
• Health care, 16%
• Financial, 14%
• Retail/wholesale, 6%
• Other, 4%
• Telecommunications, 3%
• Military, 3%
• Computer software, 2%
• Biotech/pharmaceutical, 2%
• Transportation, 2%
• Insurance, 1%
• Computer hardware, 1%
Source: Attrition.org
Mobile Security
Weaknesses caused by:
• Theft of the device
• Unencrypted data on devices
• No management of devices
• Insecure mobile applications
• No security awareness among mobile users
• Spyware and malicious attachments compromising mobiles
[Chart: Most Risky Mobile Devices. Source: Ponemon Institute]
Web Applications
Weaknesses caused by:
• Poor coding
• Insufficient testing
• No protective mechanisms on the website
• No security development lifecycle model
• Unpatched servers
[Chart: Vulnerability by Industry. Source: WhiteHat]
Insider Threats
Weaknesses caused by:
• Weak internal controls
• Unvetted employees
• Disgruntled employees with excessive access
• Weaknesses introduced inadvertently
[Chart: Losses due to insiders. Source: CSI]
Social Networking
Weaknesses caused by:
• Poorly educated users
• Insecure social networking applications
• Ease of developing social applications
Regulatory
Weaknesses caused by:
• Inability to manage against requirements
• No consistent assessment process
• Inability to keep up with new changes
• No accountability for measurements
Source: E&Y
Data Loss Prevention
Weaknesses caused by:
• Insecure internal data storage
• Data lost through the backup process
• Application vulnerabilities
• Excessive user permissions
• No tracking, monitoring or blocking of data movement
[Chart: Organizations Attacked Most Often. Source: Breach Security]
Malware
Weaknesses caused by:
• Weakly protected systems
• Email and web surfing
• External device connections
• Uneducated users
Source: McAfee
Malware - 2008 CSI Computer Crime and Security Survey
• The average reported cost of a breach was close to $500,000 (for respondents who experienced financial fraud).
• The second most expensive incident type was dealing with "bot" computers inside the organization's network, at $350,000 per respondent.
• Virus incidents were the most frequently reported, occurring at almost half (49 percent) of respondents.
• Insider abuse of networks was the second most frequent, at 44 percent.
• Third was theft of laptops and other mobile devices (42 percent).
What does data cost in the Underground?

| Current Rank | Previous Rank | Goods and Services | Current Percentage | Previous Percentage | Range of Prices |
|---|---|---|---|---|---|
| 1 | 2 | Bank accounts | 22% | 21% | $10–$1000 |
| 2 | 1 | Credit cards | 13% | 22% | $0.40–$20 |
| 3 | 7 | Full identities | 9% | 6% | $1–$15 |
| 4 | N/A | Online auction site accounts | 7% | N/A | $1–$8 |
| 5 | 8 | Scams | 7% | 6% | $2.50/week–$50/week for hosting, $25 for design |
| 6 | 4 | Mailers | 6% | 8% | $1–$10 |
| 7 | 5 | Email addresses | 5% | 6% | $0.83/MB–$10/MB |
| 8 | 3 | Email passwords | 5% | 8% | $4–$30 |
| 9 | N/A | Drop (request or offer) | 5% | N/A | 10%–50% of total drop amount |
| 10 | 6 | Proxies | 5% | 6% | $1.50–$30 |

Source: Symantec Global Internet Security Threat Report XIII
Frequency and Costs of Data Breaches
10 (+1) Largest Data Breaches Since 2000 (2003–2008)
• Data Processors International, 5 million affected, March 6, 2003
• America Online, 30 million, June 24, 2004
• Citigroup, 30 million, June 6, 2005
• Visa, MasterCard, and American Express, 40 million, June 19, 2005
• U.S. Department of Veterans Affairs, 26.5 million, May 22, 2006
• TJX Companies, Inc., 94 million, January 17, 2007
• Dai Nippon Printing Company, 8.6 million, March 12, 2007
• Fidelity National Information Services, 8.5 million, July 3, 2007
• TD Ameritrade, 6.3 million, September 14, 2007
• HM Revenue and Customs, 25 million, November 20, 2007
• GS Caltex, 11 million, September 6, 2008
As more information goes digital, it becomes more important to protect against hackers.
According to Ponemon Institute, an independent information practices research group, data breaches cost businesses an average of $197 per customer record in 2007, up from $182 in 2006. Ponemon also reports the average cost of a data breach in 2007 was $6.3 million, up from $4.8 million in 2006.
Source: FlowingData, using the Attrition Data Loss Archive and Database
[Chart: Percentages of Incidents. Source: CSI]
State Breach Notification Laws
As of July 27, 2009, forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
Source: http://www.ncsl.org/
Alaska 2008 H.B. 65
Arizona Ariz. Rev. Stat. § 44-7501
Arkansas Ark. Code § 4-110-101 et seq.
California Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
Colorado Colo. Rev. Stat. § 6-1-716
Connecticut Conn. Gen. Stat. § 36a-701(b)
Delaware Del. Code tit. 6, § 12B-101 et seq.
Florida Fla. Stat. § 817.5681
Georgia Ga. Code §§ 10-1-910, -911
How to Address These Trends?
1. Risk assessment
2. Security policies, procedures and processes
3. Layered security approach
4. Data loss protection mechanisms
5. User security education
6. Secure development
7. Monitoring
Contact
Gary Bahadur
info@kraasecurity.com
www.kraasecurity.com
blog.kraasecurity.com
Twitter.com/kraasecurity
888-KRAA-911