© 2012 IBM Corporation
Cybercrime: the New Reality of Information Security
Christina Peters,
Senior Counsel,
Security and Privacy
IBM
Jack Danahy,
Director for Advanced Security,
IBM Security Systems
Thomas X. Grasso, Jr.
Supervisory Special Agent
Federal Bureau of Investigation
National Cyber-Forensics and Training Alliance
Cybersecurity Incidents: This is Not a Drill
540,000,000+: All Records Breached Since 2005 (est.) (privacyrights.org)
$6,750,000: Average Cost Per Incident as of 2009 (ponemon.org)
$204: Average Cost Per Lost Record as of 2009 (ponemon.org)
What are privacy professionals asking?
What’s behind cybercrime?
What do cybercriminals do?
How can you tell you’re a target? What can you do?
What are the implications for organizations and for society?
What’s the future outlook? What are governments doing?
The Underground Economy and Identity Trafficking
Thomas X. Grasso, Jr.
Supervisory Special Agent
Federal Bureau of Investigation
National Cyber-Forensics and Training Alliance
Cyber Underground
A highly organized criminal network based primarily in Eastern Europe
Consists of specialized cells for specific functions
Utilizes web forums to meet, cut deals, and exchange stolen data
A marketplace where goods and services are bought and sold and advice is exchanged
Cyber Criminal Activities
Conduct network intrusions on merchant processors
Write viruses, Trojans and other malware
Use spam/phishing to exploit banks, credit card users and online account holders
Escrow and auction fraud
Use compromised credit cards and compromised online accounts to conduct reshipping operations
How They Work
Computer Hackers
Data Brokers
Distribution Activities
Counterfeit Document Producers
Money Launderers
The world is becoming more digitized and interconnected
EVERYTHING IS EVERYWHERE: Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more
CONSUMERIZATION OF IT: With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared
DATA EXPLOSION: The age of Big Data – the explosion of digital information – has arrived and is facilitated by the pervasiveness of applications accessed from everywhere
ATTACK SOPHISTICATION: The speed and dexterity of attacks have increased, coupled with new actors with new motivations, from cyber crime to terrorism to state-sponsored intrusions
Targeted Attacks Shake Businesses and Governments
IBM Security X-Force® 2011 Midyear Trend and Risk Report September 2011
[Chart: timeline of 2011 security incidents, Feb–Aug 2011, plotted by attack type; size of circle estimates relative impact of breach]
Attack types (legend): SQL Injection, URL Tampering, Spear Phishing, 3rd Party SW, DDoS, Secure ID, Unknown
Organizations shown: Sony, Epsilon, L3 Communications, Sony BMG, Greece, US Senate, NATO, AZ Police, Turkish Government, SK Communications Korea, Monsanto, RSA, HB Gary, Nintendo, Brazil Gov., Lockheed Martin, Vanguard Defense, Booz Allen Hamilton, PBS, SOCA, Malaysian Gov. Site, Peru Special Police, Gmail Accounts, Spanish Nat. Police, Citigroup, Sega, Fox News X-Factor, Italy PM Site, IMF, Northrop Grumman, Bethesda Software
There is Escalation in Potential for Damaging Impact
[Chart: adversary and motive plotted against damage / impact to life and property]
Motive (in the order shown, lowest to highest impact): Curiosity, Revenge, Espionage / Political Activism, Monetary Gain, National Security
Adversary (in the order shown, lowest to highest impact): Script-kiddies or hackers using tools and web-based “how-to’s”; Insiders, using inside information; Organized crime, hackers and crackers with sophisticated tools, expertise and substantial resources; Competitors, hacktivists; Nation-state actors, targeted attacks (advanced persistent threat)
The national cybersecurity agenda is rising in importance
Cyber Security has Become a Board Room Discussion
Business results: Sony estimates potential $1B long-term impact – $171M / 100 customers*
Supply chain: Epsilon breach impacts 100 national brands
Legal exposure: TJX estimates $150M class action settlement in release of credit / debit card info
Impact of hacktivism: Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
Audit risk: Zurich Insurance plc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
Brand image: HSBC data breach discloses 24K private banking customers
*Sources for all breaches shown in speaker notes
Security Has Become a Complex Permutation of Sources, Technologies, and Systems
People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Customers, Suppliers
Data: Structured, Unstructured, At rest, In motion
Applications: Systems applications, Web applications, Web 2.0, Mobile apps
Infrastructure
Security Must Evolve to an Intelligence View
[Chart: security maturity plotted on two axes, Reactive to Proactive and Manual to Automated]
Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence
Proficient: Security is layered into the IT fabric and business operations
Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting
Future Outlook
Cybercrime trends
Legislative and related activity
– White House Proposal and GOP response now available
– Various draft legislation in both houses
– IBM helping to launch ABA task force on legal issues related to cybersecurity
Regulatory activity: SEC staff disclosure guidance
White House Cyber Security Agenda
Emerging Technologies and Cloud Computing
DHS Consolidation and FISMA Reform
Data Privacy (PII)
End Game: Reduce Data Breaches
Congressional Attention
“We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control… But just as we failed in the past to invest in our physical infrastructure – our roads, our bridges and rails – we've failed to invest in the security of our digital infrastructure… This status quo is no longer acceptable – not when there's so much at stake. We can and we must do better.” – President Obama, May 29, 2009*
*Source: FACT SHEET: Cybersecurity Legislative Proposal
• Current bills:
– Cybersecurity Act of 2012, introduced 2/14/2012 by Sens. Lieberman (I-CT), Collins (R-ME), Rockefeller (D-WV) and Feinstein (D-CA)
– Lungren
• Information Sharing:
– Feinstein bill, also section 7 of Cybersecurity Act
– Rogers
• Cyber security often “trumped” by other pressing priorities
• Ongoing debate about which agency has priority jurisdiction over cyber security
References
2010/2011 CSI Computer Crime and Security Survey, http://gocsi.com/survey
IBM X-Force Threat Insight Quarterly Report, http://www-935.ibm.com/services/us/iss/html/xforce-threat-insight.html
White House Cybersecurity Legislative Proposal, http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal
Recommendations of the House Republican Cybersecurity Task Force, http://thornberry.house.gov/UploadedFiles/CSTF_Final_Recommendations.pdf
Cybersecurity Act of 2012 (proposed), http://www.hsgac.senate.gov/media/majority-media/lieberman-collins-rockefeller-feinstein_offer-bipartisan-comprehensive-bill-to-secure-fed-and-critical-private-sector-cyber-systems
Cyber Intelligence Sharing and Protection Act of 2011 (Rogers & Ruppersberger), http://mikerogers.house.gov/News/DocumentSingle.aspx?DocumentID=270598
SEC CF Disclosure Guidance: Topic No. 2, http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
Contacts
Christina Peters
(720) 396-5384
Jack Danahy
(603) 774-8200
Tom Grasso
FBI Cyber Division
(412) 802-8000 ext. 258
PGP Fingerprint:
EB83 DBB2 1742 B143 E1A2 A608 DC10 22F9 5ADD 12C5