The Shocking Reality Behind the Network Breaches Happening All Over the World
Corporate America’s dirty little secret:
Sshhh. Our network has been compromised.
According to security experts, 60-70% of the Fortune 1000 have been hacked in the last 16 months or don’t even know they are currently compromised. Their intellectual property (IP) and customer data are being systematically siphoned out of the country to China, Russia, Africa or Al Qaeda.
If you feel safe, you shouldn’t. Unless you do cyber security full time, you will lose this battle. You are one SQL injection away from a security breach disaster. Assuming you have been compromised, how do you clean up the mess (quietly) and keep the bad guys out in the future while maintaining compliance?
A Dirty Little Secret
The Chief Security Officer (CSO) reports directly to General Counsel (GC) for an important reason: to buffer the Board of Directors (BOD), who may have personal liability, and give them time to meet reporting obligations and maintain compliance should there be a security breach. And of course to patch the hole(s) in the network and put together a plan to keep it from happening again.
Oftentimes, the GC will discover that the enterprise Incident Response Team (IRC) is ill-equipped to combat the cyber attacks and will directly engage a third-party security specialist to do mitigation, forensics, and remediation. C-levels and senior management certainly know there are security problems but have no idea of the scope of the compromise or what is being done about it.
Cyber Crime Up 20% in 2013
Cyber crime pays and is on the rise. Gartner has reported that most of its Enterprise customers’ #1 priority for 2014 is security. And rightly so with so much at risk with hacktivists and organized crime and cyber espionage attacks all increasing in 2013. Security experts predict the growth trend will continue into 2014.
Cost of Cyber Crime Up 78%
Conducted by the Ponemon Institute and sponsored by HP Enterprise Security Products, “2013 Cost of Cyber Crime Study” reveals that the average cost incurred by organizations victimized by cyber crime over a 10-month period is $11.56 million. That marks a 78% increase since the study was first completed four years ago.
Of the 60 U.S. organizations interviewed for this year’s report, total cyber crime costs ranged between $1.3 million and $58 million, with the average cost to resolve a single incident falling in at just over $1 million – as opposed to just under $600,000 in 2012.
Meanwhile, increasingly sophisticated attacks – including denial-of-service, malicious insider, and web-based incursions, such as zero-day vulnerabilities – have caused the average time it takes to resolve a cyber crime to shoot up 130% in four years, which translates this year to about 32 days before a full recovery, eight days more than in 2012.
One type of attack that throws a wrench in the spokes from a research perspective is the advanced persistent threat (APT), said Ponemon. He explained that organizations sometimes believe they have resolved a threat, when in actuality, it has gone into a dormant phase and shows up again unexpectedly sometime down the line.
When it comes to what is hiking up the cost of cyber crime, Ponemon pointed out that companies view information leakage as the most significant and costly, followed by business disruption and loss of productivity.
“In the study, where there was a $58 million loss, it was a data loss,” Ponemon said. “It was information on a new product for the company.” The companies believe that once data is extricated, the value of its product is lost, he added.
One of the most interesting studies of cyber crime offerings was presented by Fortinet in December 2012. The report produced by the security firm describes the model of “Crime-as-a-Service” in particular, providing a detailed price list for the principal hacking services offered as “Attacks-as-a-Service,” with some interesting data:
- Consulting services such as botnet setup, $350-$400
- Infection/spreading services, under $100 per a thousand installs
- Botnet rental, Distributed Denial of Service (DDoS), $535 for five hours a day for one week; email spam, $40 per 20,000 emails; and Web spam, $2 per thirty posts.
- Blackhat Search Engine Optimization (SEO), $80 for 20,000 spammed backlinks.
- Inter-Carrier money exchange and mule services, 25% commission.
- CAPTCHA breaking, $1 per a thousand CAPTCHAs, done by recruited humans.
- Crimeware upgrade modules: Using Zeus modules as an example, they range anywhere from $500 to $10,000.
508,000 US Jobs Lost
In its latest report, titled Threat Landscape Mid Year 2013, ENISA confirmed the results of the Ponemon Institute.
A security-firm-sponsored report titled “Estimating the Cost of Cybercrime and Cyber Espionage”, produced in collaboration with the Center for Strategic and International Studies (CSIS), states:
“Using figures from the Commerce Department on the ratio of exports to US jobs, we arrived at a high-end estimate of 508,000 US jobs potentially lost from cyber-espionage. As with other estimates in the report, however, the raw numbers might tell just part of the story. If a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effects could be more wide ranging.”
Cyber Crime Study Takeaways
- The average annualized cost of cyber crime incurred per organization was $11.56 million, with a range of $1.3 million to $58 million. This is an increase of 26%, or $2.6 million, over the average cost reported in 2012.
- Organizations in defense, financial services and energy and utilities suffered the highest cyber crime costs.
- Data theft caused the largest share of costs, 43% of total external costs; business disruption or lost productivity accounts for 36% of external costs. While data theft decreased by 2% over the last year, business disruption increased by 18%.
- Organizations experienced an average of 122 successful attacks per week, up from 102 attacks per week in 2012.
- The average time to resolve a cyber attack was 32 days, with an average cost incurred during this period of $1,035,769, or $32,469 per day—a 55% increase over last year’s estimated average cost of $591,780 for a 24-day period.
- Denial-of-service, web-based attacks and insiders account for more than 55% of overall annual cyber crime costs per organization.
Top 2014 Security Threats
Threats will explode over the next five years as the world’s population is enabled with mobile devices and enterprises struggle to enable their workers with the agility of mobile devices while securing the corporate network. China currently has 700 million mobile users and growing.
- Drive-by-exploits: Browser-based attacks still remain the most reported threats, and Java remains the most exploited software for this kind of threat.
- Worms/Trojans: Sophisticated malware is used by cyber criminals and governments for various purposes, such as offensive attacks, cyber espionage, and sophisticated cyber scams. Cyber crime makes extensive use of malware, especially for banking fraud. The mobile platform and social network situation is very concerning. Those platforms are exploited to spread large-scale malicious agents.
- Code Injection: Attacks are notably popular against web Content Management Systems (CMSs). Due to their wide use, popular CMSs constitute a considerable attack surface that has drawn the attention of cyber criminals. Cloud service providers’ networks are increasingly used to host tools for automated attacks.
Botnets, Denial of Services, rogueware/scareware, targeted attacks, identity theft and search engine poisoning will continue to represent a serious menace to the IT community.
You will do well to proactively amp up your security spend in 2014 whether it be on-premises equipment and personnel upgrades or managed security services. If you have any of the following alphabet soup of compliance requirements, a sustainable secure network will keep your auditors and customers content.
HIPAA/HITECH, PCI DSS 2.0, HITRUST compliance, SSAE 16/SAS 70, data sovereignty, ISO 27001, etc. Don’t be the next TJ Maxx or Target! Remember, Target’s first release of the number of customers affected was 30 million. The second tally a week later was 70 million. Two weeks later it rose to 110 million as the forensics data rolled in. PCI compliance will be a major challenge for them going forward.
Common Cyber Crime Penetrations
In order of most common attacks, here is the hit list:
- SQL injection
- Cross site scripting (XSS)
- Malicious attacks
- Directory traversal
- Illegal requests
- Cross site request forgery
- Email hoarding
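The two entries at the top of that list, SQL injection and directory traversal, come down to the same root cause: untrusted input reaching an interpreter (the SQL engine, the filesystem path resolver) without a boundary. The following is an added example, not code from the article, showing a vulnerable lookup beside its hardened form against a constructed in-memory SQLite table, plus a lexical path check; the table layout, the sample rows and the `/srv/app/static` base directory are assumptions made for the illustration.

```python
"""Added example: SQL injection and directory traversal, vulnerable vs. hardened.

Uses Python's built-in sqlite3 and os.path only; the customers table and the
base directory are constructed for this illustration.
"""
import os
import sqlite3


def make_db():
    """Create an in-memory SQLite database with a small, constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable lookup: the caller's input is spliced into the SQL text, so a
    quote character in the input changes the meaning of the WHERE clause."""
    sql = f"SELECT email FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, email):
    """Hardened lookup: the input is bound as a parameter, so the database
    treats it as a value and never as part of the SQL grammar."""
    rows = conn.execute("SELECT email FROM customers WHERE email = ?", (email,))
    return [row[0] for row in rows]


def safe_join(base_dir, user_path):
    """Resolve a client-supplied path under base_dir.

    Returns the normalized absolute path, or None when the result would escape
    base_dir (the directory-traversal case). The check is purely lexical; a
    production version would additionally resolve symlinks with os.path.realpath
    once the file is known to exist.
    """
    base = os.path.normpath(os.path.abspath(base_dir))
    target = os.path.normpath(os.path.join(base, user_path))
    # commonpath of the two must be base itself, otherwise target left the tree
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # the textbook tautology that parameter binding defeats
    print("vulnerable:", lookup_vulnerable(db, probe))  # leaks every email
    print("hardened:  ", lookup_hardened(db, probe))    # []
    print(safe_join("/srv/app/static", "css/site.css"))
    print(safe_join("/srv/app/static", "../../etc/passwd"))  # None
```

The vulnerable function is kept deliberately minimal so the difference is visible: the hardened version changes one thing, how the input reaches the query, and that is the whole fix. The same discipline applies to the path case: decide the allowed root first, then verify the resolved path is still under it, rather than trying to blacklist `..` sequences in the raw input.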
Post Security Breach
Once you know there is a problem and you have stopped the bad guys from getting in and your data from flowing out (mitigation), the real fun begins.
You or your service provider may be compelled to notify all your customers of the breach and the possibility that their personal information is in the wild. Forensics will reveal how the bad guys got in and what they took. These are smart thieves, so it will take some time and cost some serious money. But don’t rush the process. You need the forensics information to build a proper secure network (remediation) so this doesn’t happen again. “Once bitten, twice shy.” So after mitigation, the steps look like:
- Notify customers
Keeping your Data Safe and Secure
There is a high probability that your CSO and IRC are overwhelmed and have a low level of confidence in their network security, whether it be pre- or post-breach (charming, I know).
As you look for alternatives, your analysis will lead to the typical build vs. buy decision. Do you try to do it yourself by adding resources (expensive and hard to retain), bringing in consultants (who have no skin in the game) and buy new security hardware (again, expensive) or do you outsource it?
There are two flavors of outsourcing: fully managed in your data center, or fully managed at the security provider (cloud). Under any of the above scenarios, there are three basic building blocks for you to consider operationally:
- Secure cloud – private network on-premises or hosted for you and only you
- Secure servers – hardened, secure access and living inside your private network (cloud)
- Secure storage – encrypted data at rest and secure connection calls only to secure servers inside your private secure network.
Secure Cloud Architecture
What does a typical secure network (cloud) architecture look like? Here are the basic building blocks that sit in front of your secure cloud, home to your secure servers and secure storage.
- Edge firewalls
- Intrusion protection/detection
- Denial of service protection
- Web application firewall
- Advanced malware (zero day, APT attacks)
Fully Managed Secure Network
You need fully managed security services protecting your enterprise from real threats 24/7/365.
A secure infrastructure includes:
- Host security – hypervisor firewall, secure SAN storage, hardened OS
- Managed infrastructure – patching, malware, log management, vulnerability monitoring
- Perimeter security – intrusion detection, IP reputation filtering, penetration testing
- DDoS mitigation, web application firewall
Security Information and Event Management (SIEM)
The 2013 Cost of Cyber Crime Study also revealed that corporations are deploying advanced security intelligence tools in their IT systems such as “security information and event management (SIEM), network intelligence systems and big data analytics” to mitigate the cyber threats. But this may not be enough to thwart your next attack.
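What a SIEM adds over a plain log search is correlation: a single odd request is noise, several from one source inside a short window is a signal. The following is an added example, not code from the study or the article, that runs a minimal SIEM-style pipeline over constructed Apache-format access log lines: it matches request paths against signatures for the attack classes listed earlier on this page (SQL injection, directory traversal, cross-site scripting) and raises one alert per source address that exceeds a threshold within a time window. The log lines, the signature patterns, the threshold of three hits and the five-minute window are all assumptions chosen for the illustration.

```python
"""Added example: signature matching plus per-source correlation over web logs.

The sample log lines below are constructed (the 203.0.113.0/24 and
198.51.100.0/24 ranges are reserved documentation addresses, not real hosts).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2014:13:55:01 +0000] "GET /products?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2014:13:55:03 +0000] "GET /products?id=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2014:13:55:04 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2014:13:55:06 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Jan/2014:13:56:10 +0000] "GET /products?id=12 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Jan/2014:14:30:00 +0000] "GET /download?file=../secret HTTP/1.1" 403 0 "-" "curl/7.30"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request-path signatures for the attack classes named on this page. These are
# a first-pass filter only (assumed patterns); correlation below does the rest.
SIGNATURES = {
    "sql_injection": re.compile(r"""['"]\s*(or|and)\s+.+=|union\s+select|--\s*$""", re.I),
    "directory_traversal": re.compile(r"\.\.[/\\]"),
    "cross_site_scripting": re.compile(
        r"<\s*script|javascript:|on(load|error|click|mouseover)\s*=", re.I
    ),
}


def parse_line(line):
    """Parse one access-log line into a dict with a timezone-aware timestamp, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(path):
    """Return the sorted signature names matched by a request path after URL-decoding."""
    decoded = unquote(path)  # match on decoded text so %27 and ' are treated alike
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan(log_text):
    """Return one hit record per log line whose request path matches any signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kinds = classify(rec["path"])
        if kinds:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "kinds": kinds})
    return hits


def correlate(hits, threshold=3, window=timedelta(minutes=5)):
    """Raise one alert per source IP with >= threshold hits inside a sliding window."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h)
    alerts = []
    for ip, ip_hits in by_ip.items():
        ip_hits.sort(key=lambda h: h["ts"])
        start = 0
        for end in range(len(ip_hits)):
            # slide the window start forward until it fits within `window`
            while ip_hits[end]["ts"] - ip_hits[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                kinds = sorted({k for h in ip_hits[start:end + 1] for k in h["kinds"]})
                alerts.append({"ip": ip, "count": count, "kinds": kinds,
                               "first": ip_hits[start]["ts"], "last": ip_hits[end]["ts"]})
                break  # one alert per source is enough for the analyst queue
    return alerts


if __name__ == "__main__":
    for a in correlate(scan(SAMPLE_LOG)):
        print(f"ALERT {a['ip']}: {a['count']} suspicious requests ({', '.join(a['kinds'])}) "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the sample data, 203.0.113.7 produces three signature hits in three seconds and raises an alert, while 198.51.100.22 trips a single traversal signature and stays below the threshold; that is exactly the distinction a SIEM rule is for. The same structure (parse, enrich, correlate) is what commercial products do at scale, with the signatures replaced by vendor rule sets and the window logic replaced by a stream processor.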
Vault Your Data
TJ Maxx and Target cannot afford to compromise. They must do it right the second time around.
Similarly, you must ask yourself the same questions. Can you afford not to properly protect your customers’ data? True, you may not need to put all your data in a hyper-secure environment, but at least some of it needs a properly secure home. Build or rent a data vault and get it managed by security experts. Your livelihood depends on it.