© 2012 IBM Corporation Cybercrime: the New Reality of Information Security Christina Peters, Senior Counsel, Security and Privacy IBM Jack Danahy, Director for Advanced Security, IBM Security Systems Thomas X. Grasso, Jr. Supervisory Special Agent Federal Bureau of Investigation National Cyber-Forensics and Training Alliance


Page 1

© 2012 IBM Corporation

Cybercrime: the New Reality of Information Security

Christina Peters, Senior Counsel, Security and Privacy, IBM

Jack Danahy, Director for Advanced Security, IBM Security Systems

Thomas X. Grasso, Jr., Supervisory Special Agent, Federal Bureau of Investigation, National Cyber-Forensics and Training Alliance

Page 2

Cybersecurity Incidents: This is Not a Drill

540,000,000+: All Records Breached Since 2005 (est.) (privacyrights.org)

$6,750,000: Average Cost Per Incident as of 2009 (ponemon.org)

$204: Average Cost Per Lost Record as of 2009 (ponemon.org)

Page 3

What are privacy professionals asking?

What’s behind cybercrime?

What do cybercriminals do?

How can you tell you’re a target? What can you do?

What are the implications for organizations and for society?

What’s the future outlook? What are governments doing?

Page 4

The Underground Economy and Identity Trafficking

Thomas X. Grasso, Jr., Supervisory Special Agent, Federal Bureau of Investigation, National Cyber-Forensics and Training Alliance

Page 5

Cyber Underground

A highly organized criminal network based primarily in Eastern Europe

Consists of specialized cells for specific functions

Utilizes web forums to meet, cut deals, and exchange stolen data

Market for things bought/sold and for advice

Page 6

Cyber Criminal Activities

Conduct network intrusions on merchant processors

Write viruses, Trojans and other malware

Use spam/phishing to exploit banks, credit card users and online account holders

Escrow and auction fraud

Use compromised credit cards and compromised online accounts to conduct reshipping operations

Page 7

How They Work

Computer Hackers

Data Brokers

Distribution Activities

Counterfeit Document Producers

Money Launderers

Page 8

The world is becoming more digitized and interconnected

EVERYTHING IS EVERYWHERE: Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more

CONSUMERIZATION OF IT: With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared

DATA EXPLOSION: The age of Big Data – the explosion of digital information – has arrived and is facilitated by the pervasiveness of applications accessed from everywhere

ATTACK SOPHISTICATION: The speed and dexterity of attacks have increased, coupled with new actors with new motivations, from cyber crime to terrorism to state-sponsored intrusions

Page 9

Targeted Attacks Shake Businesses and Governments

IBM Security X-Force® 2011 Midyear Trend and Risk Report, September 2011

[Bubble chart, February to August 2011: breaches plotted by month and attack type (SQL Injection, URL Tampering, Spear Phishing, 3rd Party SW, DDoS, Secure ID, Unknown). Organizations shown: Sony, Epsilon, L3 Communications, Sony BMG, Greece, US Senate, NATO, AZ Police, Turkish Government, SK Communications Korea, Monsanto, RSA, HB Gary, Nintendo, Brazil Gov., Lockheed Martin, Vanguard Defense, Booz Allen Hamilton, PBS, SOCA, Malaysian Gov. Site, Peru Special Police, Gmail Accounts, Spanish Nat. Police, Citigroup, Sega, Fox News X-Factor, Italy PM Site, IMF, Northrop Grumman, Bethesda Software. Size of circle estimates relative impact of breach.]

Page 10

There is Escalation in Potential for Damaging Impact

The national cybersecurity agenda is rising in importance

[Chart: Damage / Impact to Life and Property plotted against Adversary and Motive.
Motives: National Security; Monetary Gain; Espionage, Political Activism; Revenge; Curiosity.
Adversaries: Script-kiddies or hackers using tools, web-based “how-to’s”; Insiders, using inside information; Organized crime, hackers and crackers with sophisticated tools, expertise and substantial resources; Competitors, hacktivists; Nation-state actors, targeted attacks (advanced persistent threat).]

Page 11

Cyber Security has Become a Board Room Discussion

Business results: Sony estimates potential $1B long term impact – $171M / 100 customers*

Supply chain: Epsilon breach impacts 100 national brands

Legal exposure: TJX estimates $150M class action settlement in release of credit / debit card info

Impact of hacktivism: Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …

Audit risk: Zurich Insurance Plc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records

Brand image: HSBC data breach discloses 24K private banking customers

*Sources for all breaches shown in speaker notes

Page 12

Security Has Become a Complex Permutation of Sources, Technologies, and Systems

People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Customers, Suppliers

Data: Structured, Unstructured, At rest, In motion

Applications: Systems applications, Web applications, Web 2.0, Mobile apps

Infrastructure

Page 13

Security Must Evolve to an Intelligence View

[Chart axes: Reactive to Proactive; Manual to Automated]

Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence

Proficient: Security is layered into the IT fabric and business operations

Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting

Page 14

Future Outlook

Cybercrime trends

Legislative and related activity

– White House Proposal and GOP response now available

– Various draft legislation in both houses

– IBM helping to launch ABA task force on legal issues related to cybersecurity

Regulatory activity: SEC staff disclosure guidance

Page 15

White House Cyber Security Agenda

Emerging Technologies and Cloud Computing

DHS Consolidation and FISMA Reform

Data Privacy (PII)

End Game: Reduce Data Breaches

Page 16

Congressional Attention

“We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control… But just as we failed in the past to invest in our physical infrastructure – our roads, our bridges and rails – we've failed to invest in the security of our digital infrastructure… This status quo is no longer acceptable – not when there's so much at stake. We can and we must do better.” – President Obama, May 29, 2009*

*Source: FACT SHEET: Cybersecurity Legislative Proposal

• Current bills:

  • Cybersecurity Act of 2012 introduced 2/14/2012 by Sens. Lieberman (I-CT), Collins (R-ME), Rockefeller (D-WV) and Feinstein (D-CA)

  • Lungren

• Information Sharing:

  • Feinstein bill, also section 7 of Cybersecurity Act

  • Rogers

• Cyber security often “trumped” by other pressing priorities

• Ongoing debate about which agency has priority jurisdiction over cyber security

Page 17

References

2010/2011 CSI Computer Crime and Security Survey, http://gocsi.com/survey

IBM X-Force Threat Insight Quarterly Report, http://www-935.ibm.com/services/us/iss/html/xforce-threat-insight.html

White House Cybersecurity Legislative Proposal, http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal

Recommendations of the House Republican Cybersecurity Task Force, http://thornberry.house.gov/UploadedFiles/CSTF_Final_Recommendations.pdf

Cybersecurity Act of 2012 (proposed), http://www.hsgac.senate.gov/media/majority-media/lieberman-collins-rockefeller-feinstein_offer-bipartisan-comprehensive-bill-to-secure-fed-and-critical-private-sector-cyber-systems

Cyber Intelligence Sharing and Protection Act of 2011 (Rogers & Ruppersberger), http://mikerogers.house.gov/News/DocumentSingle.aspx?DocumentID=270598

SEC CF Disclosure Guidance: Topic No. 2, http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

Page 18

Contacts

Christina Peters, [email protected], (720) 396-5384

Jack Danahy, [email protected], (603) 774-8200

Tom Grasso, FBI Cyber Division, [email protected], (412) 802-8000 ext. 258

PGP Fingerprint: EB83 DBB2 1742 B143 E1A2 A608 DC10 22F9 5ADD 12C5