Breach Report Analysis, May 23, 2017
Today’s Moderator: Michael Angelo, Chief Security Architect at Micro Focus; Chair of the ISSA International Web Conference Committee
To ask a question: type in your question in the Questions area of your screen.
#ISSAWebConf
Speaker Introduction
Today’s Speakers
Larry Ponemon Chairman and Founder of the Ponemon Institute
Bhavesh Chauhan Principal Client Partner and Security Evangelist at the Verizon CTO Organization
Yolonda Smith Director of Product Management at Pwnie Express
Speaker Introduction: Larry Ponemon
• Founder and Chairman at Ponemon Institute
• Served on the Advisory Committee for Online Access & Security for the United States Federal Trade Commission and the Data Privacy and Integrity Advisory Committee for the DHS
• Served as a founding member of the Certified Information Privacy Professional (CIPP) Advisory Board
Sponsored by Carbonite
May 23, 2017
The Rise of Ransomware
Purpose of the study
The purpose of this research is to understand how organizations are preparing for and dealing with ransomware infections. As of September 2016, the Justice Department reported an average of 4,000 ransomware attacks per day since January 1, 2016. This is a 300 percent increase over the approximately 1,000 attacks per day seen in 2015.
April 20, 2017 Ponemon Institute RIM Council Presentation, Private and Confidential
Sample response                 Freq     Pct
Sampling frame                15,580   100.0%
Total returns                    685     4.4%
Rejected or screened surveys      67     0.4%
Final sample                     618     4.0%
The ransomware prevention gap (1 = low to 10 = high; 7+ responses reported)
  Ransomware is very serious            66%
  Our company can prevent ransomware    13%
Impact of a ransomware attack
Companies experienced an average of 4 ransomware attacks and paid an average of $2,500 per attack.
Companies that did not pay the ransom most often did so because they had a full and accurate backup. Respondents also believe a full and accurate backup is the best defense.
Companies suffered such financial consequences as the need to invest in new technologies, the loss of customers and lost money due to downtime.
Cyber criminals were most likely to use phishing/social engineering and insecure websites to unleash ransomware. Respondents believe the cyber criminal specifically targeted their company.
Compromised devices infected other devices in the network. Very often data was exfiltrated from the device.
Companies were reluctant to report the incident to law enforcement because of concerns about negative publicity.
Ransomware threat response readiness
Perceptions about ransomware (Strongly agree and Agree responses combined)
  Prevention of ransomware attacks is a high priority for our company             46%
  My company would never pay ransom even if we lost the data                       47%
  My company believes it is too small to be the target of ransomware              57%
  A ransomware attack would have serious financial consequences for our company   59%
The difficulty in dealing with the risk of ransomware (Strongly agree and Agree responses combined)
  Our company’s use of IoT connected devices will increase our risk of ransomware           58%
  We are confident our current antivirus software will protect our company from ransomware  27%
In the typical month, how many ransomware infections go undetected?
  Less than 1        27%
  1 to 5             28%
  6 to 10            10%
  Greater than 10     6%
  Cannot determine   29%
How vulnerable do you feel your company is to a ransomware attack over the next 12 months?
  Very vulnerable     30%
  Vulnerable          38%
  Not vulnerable      20%
  Will never happen    6%
  Do not know          6%
How has the volume and severity of ransomware infections changed over the past 12 months?
                         Volume/frequency   Severity
  Significant increase        22%             18%
  Increase                    38%             39%
  Stayed the same             26%             28%
  Decrease                    10%             13%
  Significant decrease         3%              3%
Employees are the weakest link in the defense against ransomware
How confident are you that your employees can detect risky links or sites that could result in a ransomware attack?
  Very confident        9%
  Confident            20%
  Somewhat confident   17%
  Not confident        36%
  No confidence        18%
How employees put companies at risk for a ransomware infection (Very likely and Likely responses combined)
  Use business computers to access personal accounts on social media or email during working hours   57%
  Fall prey to a phishing/social engineering scam that looks like an everyday business request      58%
  Click on a website or advertisement for personal reasons knowing the link may not be secure        59%
  Use third-party applications like Dropbox, Slack or Spotify on business computers                  60%
The consequences of a ransomware infection: the experiences of targeted companies
Have you or your company experienced ransomware?
  No                                49%
  Yes, more than 12 months ago       6%
  Yes, within the past 12 months    10%
  Yes, within the past 6 months     17%
  Yes, within the past 3 months     18%
What were the consequences of the ransomware attack? (Two choices permitted)
  Other                                           3%
  We had to postpone plans to expand our business  15%
  No consequences                                 16%
  We had to replace equipment                     22%
  Lost customer data                              23%
  Our reputation was diminished                   24%
  We lost customers                               32%
  Lost money from downtime                        32%
  We had to invest in new security technologies   33%
How was the ransomware unleashed?
  Phishing/social engineering    43%
  Insecure or spoofed website    30%
  Malvertisements                15%
  Social media                    8%
  Other                           4%
Did the compromised device infect other devices in the network and data stored in the cloud?
                                                                              Yes    No
  Did the compromised device infect other devices in the network
  (e.g., lateral infection)?                                                  42%   58%
  Did the compromised device infect data stored in the cloud?                 21%   79%
How did your company pay the ransom?
  Bitcoin                   33%
  Cash                      25%
  Other virtual currency    20%
  Wired funds               14%
  Other                      9%
Did the ransomware place a time limit for payment?
  Yes, less than 2 days    46%
  Yes, 2 to 5 days         28%
  Yes, more than 5 days    11%
  No                       16%
Did the ransomware exfiltrate data from the compromised device(s)?
  Yes, with certainty     6%
  Yes, very likely       17%
  Yes, likely            32%
  Not likely             30%
  No                      6%
  Unsure                  9%
Why was ransom not paid?
  Other                                                              3%
  Law enforcement told us not to pay it                             10%
  Compromised data was not critical for our business                14%
  We did not believe the bad guys would provide the decryption cypher  15%
  Company policy is not to pay ransom                               16%
  We had a full backup                                              42%
Why did your company not report the incident to law enforcement?
  Other                                      21%
  Did not want the attackers to retaliate    10%
  Did not feel the extortion was exorbitant  17%
  Did not want to publicize incident         51%
Key takeaways
Many companies think they are too small to be a target.
Current technologies are not considered sufficient to prevent ransomware infections.
Inability to detect all ransomware infections puts companies at risk.
One or more ransomware attacks are believed to be possible in the next 12 months.
The severity and volume of ransomware infections have increased over the past 12 months.
Negligent and uninformed employees put companies at risk.
To prevent ransomware infections, employees need to become educated on the ransomware threat.
Most companies experience encrypting ransomware.
The consequences of ransomware are costly.
By far, most ransomware incidents are unleashed as a result of phishing and insecure websites.
Methods
Position level within the organization
  Business owner   12%
  Executive/VP      9%
  Director         19%
  Manager          17%
  Supervisor       18%
  Technician        8%
  Staff            11%
  Consultant        2%
  Contractor        2%
  Other             1%
The primary person reported to within the organization
  Chief Information Officer            37%
  CEO/Business Owner                   22%
  Chief Information Security Officer   18%
  Chief Financial Officer               8%
  Chief Security Officer                4%
  Data Center Management                4%
  General Counsel                       3%
  Compliance Officer                    2%
  Other                                 3%
Primary industry focus
  Financial services           14%
  Health & pharmaceuticals     10%
  Services                     10%
  Retail                        8%
  Technology & software         8%
  Industrial                    8%
  Consumer products             7%
  Public sector                 6%
  Energy & utilities            5%
  Education & research          5%
  Entertainment & media         5%
  Transportation                4%
  Hospitality                   4%
  Communications                2%
  Agriculture & food services   2%
  Other                         2%
Worldwide headcount of the organization
  Less than 100    11%
  100 to 200       19%
  201 to 300       21%
  301 to 400       19%
  401 to 500       21%
  More than 500    10%
Caveats
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who have responsibility for containing ransomware infections within their organization. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.
Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.
Questions?
Ponemon Institute
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N.
Traverse City, MI 49686 USA
Speaker Introduction: Bhavesh Chauhan
• Principal Client Partner – Security Evangelist within the Verizon CTO organization
• Previously led Security Engineering and Professional Services for the North East Region
• Serves as a board member of the local ISACA chapter
• Holds a Master of Science degree in Physics and certifications such as CISSP, CISA and CISM
Speaker Introduction: Yolonda Smith
• Director of Product Management at Pwnie Express
• Spent 8 years in the United States Air Force as a Cyberspace Operations Officer
• Developed and orchestrated the first Department of Defense Cyber Hunting missions
Open Discussion & Q&A
• Michael Angelo - Moderator
• Larry Ponemon
• Bhavesh Chauhan
• Yolonda Smith
To ask a question: type in your question in the Questions area of your screen. You may need to click on the double arrows to open this function.
#ISSAWebConf
Next International Web Conference: Building Security in a Business Culture
2-Hour Live Event: Tuesday, June 27th, 2017. Start Time: 9:00 a.m. US-Pacific / 12:00 noon US-Eastern / 5:00 p.m. London
Overview: Everyone knows security is critical to our organization’s survival, yet we all seem to bolt on our security culture after the fact. This session will provide insight into why and how you can build your security culture and leverage the role of change management and behavioral change in making security programs more effective. Culture is an outcome of values, behaviors and communications. Many of us are faced with cultures and management structures that seem hostile to a successful security program. We're going to talk about how to identify those cultures that make it difficult to be successful and how to decide what you should do: fish or cut bait. Can you make a difference, or is it time to move on?
A recording of the conference and a link to the survey to get CPE credit for attending the May ISSA International Web Conference will soon be available at https://www.issa.org/page/May2017. Previous web conferences are available at https://www.issa.org/?OnDemandWebConf. If you or your company are interested in becoming a sponsor for the monthly ISSA International Web Conferences, please visit https://www.issa.org/?page=BecomeASponsor.
Web Conference Survey
Join ISSA
Webinar attendees can join ISSA at a 20% discount by using the code WEBCON42 during the checkout process. The discount is available for all memberships except Students, and can also be used to renew your membership.