CYBERCRIME - PowerPoint PPT Presentation

Description: CYBERCRIME, The Actors, Their Actions, and What They're After. Wade H. Baker, wade.baker_at_verizonbusiness.com

Slides: 37

Transcript and Presenter's Notes

1
CYBERCRIME
  • The Actors, Their Actions, and What They're After

Wade H. Baker wade.baker_at_verizonbusiness.com
2
PROPRIETARY STATEMENT This document and any
attached materials are the sole property of
Verizon and are not to be used by you other than
to evaluate Verizon's service. This document and
any attached materials are not to be
disseminated, distributed, or otherwise conveyed
throughout your organization to employees without
a need for this information or to any third
parties without the express written permission of
Verizon. The Verizon and Verizon Business names
and logos and all other names, logos, and slogans
identifying Verizon's products and services are
trademarks and service marks or registered
trademarks and service marks of Verizon Trademark
Services LLC or its affiliates in the United
States and/or other countries. All other
trademarks and service marks are the property of
their respective owners.
3
Assumptions
  • GOALS
  • You want to BE secure (enough)
  • You want to KNOW you are secure
  • You need to PROVE you are secure
  • CONSTRAINTS
  • You have limited RESOURCES
  • You have limited DATA

4
RISK Intel: What We Do
[Diagram: Collection, Analysis, Distribution; External Data; Internal Data (Products & Services); Risk Intel Team; outputs to Products, Personnel, Public]
5
RISK Intel: Internal Data
[Diagram: Knowledge, Practice, Products & Services, Framework, Models, Data]
Goal: Every product and service creates revenue
but also contributes and consumes intelligence.
6
If you can't measure...
InfoSec Data
7
...you can't manage
  • You want to BE secure (enough)
  • You want to KNOW you are secure
  • You need to PROVE you are secure

8
  • Results are based upon practices
  • Practices are based upon beliefs
  • Beliefs are based upon data
  • Therefore
  • Data drives results by changing beliefs

9
The Basis of Belief
Are squares A and B the same color?
Evidence Claim Logic Experience Measurement
10
The Basis of Belief
11
The Basis of Belief
12
The Basis of Belief
What forms the basis of your information security
program?
Evidence Claim Logic Experience Measurement
13
Sound Familiar?
IMPRACTICAL
UNKNOWABLE
UNRELIABLE
  • Not enough data
  • Poor quality data
  • Garbage in, Garbage out
  • Too many unknowns
  • Risk factors change
  • Can't predict rare events
  • Inadequate models
  • Time consuming
  • Overly difficult
  • Not aligned with business
  • Too much techno babble
  • Too much biz speak

IMPOSSIBLE
UNCERTAINTY
14
Lessons from Organizational Theory
UNCERTAINTY

Data
15
"... we will create a National Digital Security
Board modeled on the National Transportation
Safety Board. The NDSB will have the authority to
investigate information security breaches
reported by victim organizations. The NDSB will
publish reports on its findings for the benefit
of the public and other organizations, thereby
increasing transparency in two respects. First,
intrusions will have real costs beyond those
directly associated with the incident, by
bringing potentially poor security practices and
software to the attention of the public. Second,
other organizations will learn how to avoid the
mistakes made by those who fall victim to
intruders."
-- Remarks by the president on securing our nation's cyber infrastructure, May 29, 2009
http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/
16
A Wise Proverb
  • Without knowledge there is no understanding
    without understanding there is no knowledge

17
Lessons from Organizational Theory
EQUIVOCALITY

Framework
18
Greatest Threat?
  • Hackers
  • Insiders
  • Network intrusion
  • Human errors
  • Targeted attacks
  • Software vulnerabilities
  • Securing web apps
  • Internet infrastructure
  • Large databases
  • Data compromise
  • Downtime
  • Brand damage

(All of these aren't threats)
19
Define the Problem Threat
  • An incident can be described by the following
    components:
  • Agent: Source of the threat
  • Action: Threat type or method
  • Asset: Target of attack
  • Attribute: Security property affected (CIA)

Example:
  Agent: Internal privileged administrator
  Action: Abuse of access privileges
  Asset: Structured data repository
  Attribute: Confidentiality
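The four components above can be turned into a record that is validated before it is aggregated, which is how the later slides (breach sources, breach methods) report results as shares of breaches and shares of records. The following is an added example, not code from the presentation or Verizon's own framework; the enumeration values, the sample cases and the record counts are constructed assumptions. It goes beyond the single case on the slide in one deliberate way: agents and actions are sets, because one case can involve several, so the shares it computes can sum to more than 100%, exactly as in the report's own breakdowns.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Agent(Enum):
    EXTERNAL = "external"
    INTERNAL = "internal"
    PARTNER = "partner"


class Action(Enum):
    HACKING = "hacking"
    MALWARE = "malware"
    MISUSE = "misuse"
    PHYSICAL = "physical"
    SOCIAL = "social"
    ERROR = "error"


class Attribute(Enum):
    CONFIDENTIALITY = "C"
    INTEGRITY = "I"
    AVAILABILITY = "A"


@dataclass(frozen=True)
class Incident:
    """One breach case recorded with the four components from the slide.

    agents/actions/attributes are sets because a real case often involves
    several (an outsider and a hijacked partner account, hacking plus
    malware); that is why the shares computed below need not sum to 100%.
    """
    case_id: str
    agents: frozenset
    actions: frozenset
    asset: str            # free text describing the target
    attributes: frozenset
    records: int          # records confirmed compromised, not data-at-risk


def validate(inc):
    """Return the reasons a record is not usable for aggregation (empty if fine)."""
    problems = []
    if not inc.agents:
        problems.append("no agent")
    if not inc.actions:
        problems.append("no action")
    if not inc.asset:
        problems.append("no asset")
    if not inc.attributes:
        problems.append("no attribute")
    if inc.records < 0:
        problems.append("negative record count")
    return problems


def breakdown(incidents, dimension):
    """Share of breaches and share of records in which each value of
    `dimension` ("agents" or "actions") appears, keyed by the enum's value."""
    total_breaches = len(incidents)
    total_records = sum(i.records for i in incidents)
    breaches, records = Counter(), Counter()
    for inc in incidents:
        for value in getattr(inc, dimension):
            breaches[value] += 1
            records[value] += inc.records
    return {
        v.value: (breaches[v] / total_breaches,
                  records[v] / total_records if total_records else 0.0)
        for v in breaches
    }


# Constructed sample cases (an assumption, not DBIR data). Case c4 is an
# outsider coming in through a partner connection; c5 is an error with no
# confirmed records lost.
SAMPLE_CASES = [
    Incident("c1", frozenset({Agent.EXTERNAL}), frozenset({Action.HACKING, Action.MALWARE}),
             "payment application server", frozenset({Attribute.CONFIDENTIALITY}), 800_000),
    Incident("c2", frozenset({Agent.INTERNAL}), frozenset({Action.MISUSE}),
             "structured data repository", frozenset({Attribute.CONFIDENTIALITY}), 100_000),
    Incident("c3", frozenset({Agent.PARTNER}), frozenset({Action.HACKING}),
             "point-of-sale system", frozenset({Attribute.CONFIDENTIALITY}), 20_000),
    Incident("c4", frozenset({Agent.EXTERNAL, Agent.PARTNER}), frozenset({Action.HACKING}),
             "remote access gateway", frozenset({Attribute.CONFIDENTIALITY}), 80_000),
    Incident("c5", frozenset({Agent.INTERNAL}), frozenset({Action.ERROR}),
             "web server", frozenset({Attribute.CONFIDENTIALITY, Attribute.AVAILABILITY}), 0),
]

if __name__ == "__main__":
    for dim in ("agents", "actions"):
        for name, (share_b, share_r) in sorted(breakdown(SAMPLE_CASES, dim).items()):
            print(f"{dim:8s} {name:10s} {share_b:5.0%} of breaches {share_r:5.0%} of records")
```

With these five cases every agent type appears in 40% of breaches, yet external agents account for 88% of records; the three breach shares add to 120% because c4 has two agents. Reading a breakdown like this without knowing that categories overlap is one of the ways "the data" gets misread.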
20
Lessons from Organizational Theory
DAFT, R. AND LENGEL, R. 1986. Organizational
Information Requirements, Media Richness and
Structural Design. Management Science, 32, 4,
554-569.
21
RISK Intel: What We Do
[Diagram repeated from slide 4: Collection, Analysis, Distribution; External Data; Internal Data (Products & Services); Risk Intel Team; outputs to Products, Personnel, Public]
22
Data Breach Investigations Report
http://verizonbusiness.com/databreach
http://securityblog.verizonbusiness.com
23
Methodology
  • Data Source
  • Verizon Business Investigative Response Team
  • Collection and Analysis
  • Case metrics collected during and after
    investigation
  • Anonymized then aggregated for analysis
  • Risk Intelligence team provides analytics
  • Data Sample
  • 5 years of paid forensic investigations
  • Not internal Verizon incidents
  • 600 breaches in sample
  • Actual compromise rather than data-at-risk
  • Both disclosed and non-disclosed
  • Most of the largest breaches ever reported

24
Data Sample
All Breaches
What can we learn?
25
Breach Sources
  • External sources
  • 90% of stolen records linked to organized crime
  • Internal sources
  • Roughly equal between end-users and IT admins
  • Partner sources
  • Mostly hijacked third-party accounts/connections

26
Breach Sources
Insider breaches typically larger
but overall, outsiders more damaging
27
Breach Methods
  • Most breaches and records linked to Hacking and
    Malware
  • Misuse is fairly common
  • Mostly abuse of authorized access
  • Physical attacks
  • Theft and tampering most common
  • Deceit and social attacks
  • Varied methods, vectors, and targets
  • Error is extremely common
  • Usually contributory (62%) rather than direct
    cause (3%)
  • Mostly omissions followed by misconfigurations

28
Breakdown of Hacking (60% of breaches)
  • Default credentials, SQL injection, weak ACLs
    most common methods
  • Minority of attacks exploit patchable vulns; most
    of them are old
  • Web applications and remote access connections are
    main vectors

2008 data: vulnerabilities exploited in 16% of breaches

Patch availability prior to breach (2008 data):
  < 1 month       0%
  1-3 months      4%
  3-6 months      6%
  6-12 months    16%
  > 1 year       74%
29
Breakdown of Malware (32% of breaches)
  • Most malware installed by remote attacker
  • Malware captures data or provides access/control
  • Increasingly customized

30
Attack Difficulty and Targeting
  • Highly difficult, sophisticated attacks not the
    norm
  • Difficulty is usually in the malware rather than
    the intrusion
  • Fully targeted attacks in minority but growing
  • Doubled in 2008
  • Difficult and targeted attacks increasingly
    damaging
  • Shows ROI is good for skilled attackers

Percentage of Records Breached:
                     04-07    2008
  Highly Difficult     68%     95%
  Fully Targeted       14%     90%
31
Breach Timeline
  • Data compromised within hours/days after
    breaching perimeter
  • Actually good news for detection and prevention
  • Breaches go undiscovered for months
  • Ability to detect breaches woefully inadequate
    (or at least inefficient)
  • It typically takes days to weeks to contain a
    breach
  • Poor planning and response procedures

32
Breach Discovery Methods
  • Most breaches discovered by a third party
  • Majority of internal discoveries are accidental
  • Effectiveness of event monitoring far below
    potential
  • Evidence found in existing log files for 80% of
    breaches

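Slide 28 names SQL injection and default credentials against web applications as the most common hacking methods, and this slide says the evidence was already sitting in logs for 80% of breaches. The following is an added example, not the presentation's or Verizon's code, of the kind of review that would have surfaced both in an ordinary web server access log: it parses combined-format lines, percent-decodes each query string, and flags injection syntax and logins with well-known default accounts. The five log lines are constructed, and the parameter names, default account list and patterns are assumptions to be adjusted to the application.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus

# Constructed sample in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2009:10:15:32 +0000] "GET /admin/login.php?user=admin&pass=admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2009:10:15:40 +0000] "GET /search.php?q=%27+OR+%271%27%3D%271 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2009:10:16:01 +0000] "GET /products.php?id=5+UNION+SELECT+card_number%2Cexpiry+FROM+cards-- HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2009:10:17:15 +0000] "GET /search.php?q=laptops HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2009:10:17:20 +0000] "POST /login.php HTTP/1.1" 302 0 "http://shop.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Matched against the percent-decoded query string.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),  # ' OR '1'='1
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),         # UNION SELECT
    re.compile(r"(--|#|/\*)\s*$"),                           # trailing SQL comment
    re.compile(r";\s*(drop|alter|insert|update|delete|shutdown)\b", re.I),
    re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I),    # time-based probes
]

# Assumed parameter names and vendor defaults; adjust to the application.
USER_KEYS = {"user", "username", "login"}
PASS_KEYS = {"pass", "password", "pwd"}
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "sa", "guest"}
DEFAULT_PASSWORDS = {"", "admin", "password", "root", "changeme", "123456"}


def parse_line(line):
    """Split one combined-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    entry["path"] = path
    entry["query"] = unquote_plus(query)          # decode before matching
    entry["params"] = parse_qs(query, keep_blank_values=True)
    return entry


def classify(entry):
    """Tags for one parsed request: 'sqli' and/or 'default-credentials'."""
    tags = []
    if any(p.search(entry["query"]) for p in SQLI_PATTERNS):
        tags.append("sqli")
    users = [v for k in USER_KEYS for v in entry["params"].get(k, [])]
    pwds = [v for k in PASS_KEYS for v in entry["params"].get(k, [])]
    if (any(u.lower() in DEFAULT_ACCOUNTS for u in users)
            and any(p.lower() in DEFAULT_PASSWORDS for p in pwds)):
        tags.append("default-credentials")
    return tags


def review(lines):
    """Flagged requests, in log order, with source, path, status and tags."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append({"ip": entry["ip"], "path": entry["path"],
                             "status": entry["status"], "tags": tags})
    return findings


def by_source(findings):
    """How many flagged requests each client address produced."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = review(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f["ip"], f["status"], f["path"], ",".join(f["tags"]))
    print(by_source(hits))
```

Two details matter more than the pattern list. Decoding the query string first is what makes `%27+OR+%271%27%3D%271` visible as `' OR '1'='1`, and the response status carried along with each finding is the difference between a probe and a probable compromise: a `200` with 20 KB returned for the `UNION SELECT` request is the line an investigator would have wanted someone to read at the time.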
33
Compromised Assets and Data
  • Most data breached from online systems
  • Conflicts with public disclosures
  • Cybercrime is financially motivated
  • Cashable data is targeted
  • Other types common as well
  • Auth credentials allow deeper access
  • Intellectual property at 5-year high

34
Unknown Unknowns
  • A SYSTEM unknown to the organization
  • DATA unknowingly stored on an asset
  • Unknown or forgotten ICT CONNECTIONS
  • Accounts and PRIVILEGES not known to exist

"Yes, we're positive all sensitive data of that
type is confined to these systems."
35
Attack Commonalities
  • The last year shows much of the same, but new
    twists and trends as well
  • Sources: Similar distribution; organized crime
    behind most large breaches
  • Organized criminal groups driving evolution of
    cybercrime
  • Attacks: Criminals exploit errors, hack into
    systems, install malware
  • 2008 saw more targeted attacks, especially
    against orgs processing or storing large volumes
    of desirable data
  • Highly difficult attacks not common but very
    damaging
  • Large increase in customized, intelligent malware
  • Assets and Data: Focus is online, cashable data
  • Nearly all breached from servers and apps
  • New data types (PIN data) sought, which requires
    new techniques and targets
  • Discovery: Takes months and is accomplished by
    3rd parties
  • Prevention: The basics, if done consistently, are
    effective in most cases
  • Increasing divergence between Targets of
    Opportunity and Targets of Choice
  • ToO: Remove blatant opportunities through basic
    controls
  • ToC: Same as above, but prepare for very
    determined, very skilled attacks
  • Initial hack appears the easiest point of control

36
Victim Commonalities
  • False assumptions regarding information assets
  • Low awareness of network and system activity
  • Do not necessarily have a terrible security
    program
  • Fail to consistently and comprehensively follow
    the basics
  • Lack of assurance and validation procedures
  • Cost of prevention orders of magnitude less than
    impact
  • An inefficient approach to security
  • Focus too much on things that don't happen
  • Focus too little on the things that do happen
  • If you like mnemonics
  • Visibility
  • Variability
  • Viability

37
Recommendations
  • Align process with policy
  • Achieve Essential then worry about Excellent
  • Secure Business Partner Connections
  • Create a Data Retention Plan
  • Control data with transaction zones
  • Monitor event logs
  • Create an Incident Response Plan
  • Increase awareness
  • Engage in mock incident testing
  • Changing default credentials is key
  • Avoid shared credentials
  • User Account Review
  • Application Testing and Code Review
  • Smarter Patch Management Strategies
  • Human Resources Termination Procedures
  • Enable Application Logs and Monitor

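Several of these recommendations (changing default credentials, user account review, HR termination procedures) and the "accounts and privileges not known to exist" item on slide 34 come down to one recurring check: reconcile what the systems say exists against what the organization believes exists. The following is an added example, not the presentation's or Verizon's code, of that reconciliation: an account export is checked against the HR roster for enabled default accounts, accounts with no owner or an owner HR does not know, accounts whose owner has been terminated, and accounts nobody has used. The employees, accounts and the default-account list are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed vendor/default account names; extend with the products in use.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "sa", "guest"}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    active: bool          # False once HR has processed a termination


@dataclass(frozen=True)
class Account:
    name: str
    owner: str            # employee ID the account is registered to; "" if nobody
    enabled: bool
    privileged: bool
    last_login_days: int  # days since last use; -1 if it has never been used


def review_accounts(accounts, employees, stale_days=90):
    """Reconcile an account export against the HR roster.

    Returns (account name, reason) pairs for every enabled account that is a
    default account, has no identifiable owner, belongs to someone HR does
    not know or has terminated, or has not been used within `stale_days`.
    """
    roster = {e.emp_id: e for e in employees}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are a separate review
        if acct.name.lower() in DEFAULT_ACCOUNTS:
            findings.append((acct.name, "default account enabled"))
        if not acct.owner:
            findings.append((acct.name, "no known owner"))
        elif acct.owner not in roster:
            findings.append((acct.name, "owner unknown to HR"))
        elif not roster[acct.owner].active:
            findings.append((acct.name, "owner terminated"))
        if acct.last_login_days == -1 or acct.last_login_days > stale_days:
            findings.append((acct.name, "stale"))
    return findings


def privileged_first(findings, accounts):
    """Order findings so privileged accounts are dealt with first."""
    priv = {a.name for a in accounts if a.privileged}
    return sorted(findings, key=lambda f: (f[0] not in priv, f[0], f[1]))


# Constructed sample data (an assumption, not from any real directory).
SAMPLE_EMPLOYEES = [
    Employee("E1", active=True),
    Employee("E2", active=False),                  # terminated last month
    Employee("E3", active=True),
]
SAMPLE_ACCOUNTS = [
    Account("admin", "", True, True, 2),           # vendor default, still in use
    Account("jdoe", "E1", True, False, 5),
    Account("rroe", "E2", True, True, 30),         # termination not propagated
    Account("svc_backup", "E9", True, True, 400),  # owner ID not in HR at all
    Account("guest", "", False, False, -1),        # disabled: skipped
    Account("mmoe", "E3", True, True, -1),         # privileged, never used
]

if __name__ == "__main__":
    hits = review_accounts(SAMPLE_ACCOUNTS, SAMPLE_EMPLOYEES)
    for name, reason in privileged_first(hits, SAMPLE_ACCOUNTS):
        print(f"{name:12s} {reason}")
```

The point of joining against HR rather than reviewing the account list on its own is that an account looks perfectly normal until you know its owner left, and an "owner unknown to HR" result usually means a service or partner account that nobody will claim, which is exactly the unknown unknown slide 34 warns about.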