Breach Report Analysis · 2018. 4. 2. · Breach Report Analysis Today’s Moderator: Michael Angelo Chief Security Architect at Micro Focus Chair of ISSA International Web Conference

Breach Report Analysis May 23, 2017

Breach Report Analysis

Today’s Moderator:

Michael Angelo Chief Security Architect at Micro

Focus

Chair of ISSA International Web

Conference Committee

To ask a question:

Type in your question in the

Questions area of your screen.

#ISSAWebConf

Speaker Introduction

Today’s Speakers

Larry Ponemon Chairman and Founder of the Ponemon Institute

Bhavesh Chauhan Principal Client Partner and Security Evangelist at the Verizon CTO Organization

Yolonda Smith Director of Product Management at Pwnie Express


Larry Ponemon

• Founder and Chairman at Ponemon

Institute • Served on the Advisory Committee for

Online Access & Security for the United States Federal Trade Commission and the Data Privacy and Integrity Advisory Committee for the DHS.

• Served as founding member of the Certified Information Privacy Professional (CIPP) Advisory Board

Sponsored by Carbonite

May 23, 2017

The Rise of Ransomware

Purpose of the study

The purpose of this research is to understand how organizations are preparing for and dealing with ransomware infections. As of September 2016, the Justice Department reported there have been 4,000 ransomware attacks since January 1, 2016. This is a 300 percent increase over the approximately 1,000 attacks per day seen in 2015.

April 20, 2017 Ponemon Institute RIM Council Presentation Private and

Confidential 6

Sample response Freq Pct%

Sampling frame 15,580 100.0%

Total returns 685 4.4%

Rejected or screened surveys 67 0.4%

Final sample 618 4.0%


Confidential 7

The ransomware prevention gap 1 = low to 10 = high, 7+ responses reported


Confidential 8

66%

13%

0%

10%

20%

30%

40%

50%

60%

70%

Ransomware is very serious Our company can prevent ransomware

Impact of a ransomware attack

Companies experienced an average of 4 ransomware attacks and paid an average of $2,500 per attack.

If companies didn’t pay ransom it was because they had full and accurate backup. Respondents also believe full and accurate backup is the best defense.

Companies suffered such financial consequences as the need to invest in new technologies, the loss of customers and lost money due to downtime.

Cyber criminals were most likely to use phishing/social engineering and insecure websites to unleash ransomware. Respondents believe the cyber criminal specifically targeted their company.

Compromised devices infected other devices in the network. Very often data was exfiltrated from the device.

Companies were reluctant to report the incident to law enforcement because of concerns about negative publicity.


Confidential 9

Ponemon Institute RIM Council Presentation Private and

Confidential Page 10

Ransomware threat response readiness

Perceptions about ransomware Strongly agree and Agree responses combined


Confidential 11

46%

47%

57%

59%

0% 10% 20% 30% 40% 50% 60% 70%

Prevention of ransomware attacks isa high priority for our company

My company would never pay ransomeven if we lost the data

My company believes it is too small tobe the target of ransomware

A ransomware attack would haveserious financial consequences for

our company

The difficulty in dealing with the risk of ransomware Strongly agree and Agree responses combined


Confidential 12

58%

27%

0%

10%

20%

30%

40%

50%

60%

70%

Our company’s use of IoT connected devices will increase our risk of ransomware

We are confident our current antivirus software willprotect our company from ransomware

In the typical month, how many ransomware infections go undetected?


Confidential 13

27% 28%

10%

6%

29%

0%

5%

10%

15%

20%

25%

30%

35%

Less than 1 1 to 5 6 to 10 Greater than 10 Cannot determine

How vulnerable do you feel your company is to a ransomware attack over the next 12 months?


Confidential 14

30%

38%

20%

6% 6%

0%

5%

10%

15%

20%

25%

30%

35%

40%

Very vulnerable Vulnerable Not vulnerable Will never happen Do not know

How has the volume and severity of ransomware infections changed over the past 12 months?


Confidential 15

22%

38%

26%

10%

3%

18%

39%

28%

13%

3%

0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

Significant increase Increase Stayed the same Decrease Significant decrease

The volume or frequency of ransomware infection over the past 12 months

The severity of ransomware infection over the past 12 months



Employees are the weakest link in the

defense against ransomware

How confident are you that your employees can detect risky links or sites that could result in a ransomware attack?


Confidential 17

9%

20%

17%

36%

18%

0%

5%

10%

15%

20%

25%

30%

35%

40%

Very confident Confident Somewhat confident Not confident No confidence

How employees put companies at risk for a ransomware infection Very likely and Likely responses combined


Confidential 18

57%

58%

59%

60%

0% 10% 20% 30% 40% 50% 60% 70%

Use business computers to access personalaccounts on social media or email during

working hours

Fall prey to a phishing/social engineeringscam that looks like an everyday business

request

Click on a website or advertisement forpersonal reasons knowing the link may not

be secure

Use third-party applications like Dropbox,Slack or Spotify on business computers



The consequences of a ransomware infection:

the experiences of targeted companies

Have you or your company experienced ransomware?


Confidential 20

49%

6%

10%

17%

18%

0% 10% 20% 30% 40% 50% 60%

No

Yes, more than 12 months ago

Yes, within the past 12 months



What were the consequences of the ransomware attack? Two choices permitted


Confidential 21

3%

15%

16%

22%

23%

24%

32%

32%

33%

0% 5% 10% 15% 20% 25% 30% 35%

Other

We had to postpone plans to expand ourbusiness

No consequences

We had to replace equipment

Lost customer data

Our reputation was diminished

We lost customers

Lost money from downtime

We had to invest in new securitytechnologies

How was the ransomware unleashed?


Confidential 22

43%

30%

15%

8%

4%

0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

Phishing/socialengineering

Insecure or spoofedwebsite

Malvertisements Social media Other

Did the compromised device infect other devices in the network and data stored in the cloud?


Confidential 23

42%

58%

21%

79%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Yes No

Did the compromised device infect other devices in the network (e.g., lateral infection)?

Did the compromised device infect data stored in the cloud?

How did your company pay the ransom?


Confidential 24

33%

25%

20%

14%

9%

0%

5%

10%

15%

20%

25%

30%

35%

Bitcoin Cash Other virtual currency Wired funds Other

Did the ransomware place a time limit for payment?


Confidential 25

46%

28%

11%

16%

0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

Yes, less than 2 days Yes, 2 to 5 days Yes, more than 5 days No

Did the ransomware exfiltrate data from the compromised device(s)?


Confidential 26

6%

17%

32%

30%

6%

9%

0%

5%

10%

15%

20%

25%

30%

35%

Yes, with certainty Yes, very likely Yes, likely Not likely No Unsure

Why was ransom not paid?


Confidential 27

3%

10%

14%

15%

16%

42%

0% 5% 10% 15% 20% 25% 30% 35% 40% 45%

Other

Law enforcement told us not to pay it

Compromised data was not critical for ourbusiness

We did not believe the bad guys wouldprovide the decryption cypher

Company policy is not to pay ransom

We had a full backup

Why did your company not report the incident to law enforcement?


Confidential 28

21%

10%

17%

51%

0% 10% 20% 30% 40% 50% 60%

Other

Did not want the attackers toretaliate

Did not feel the extortion wasexorbitant

Did not want to publicize incident

Key takeaways

Many companies think they are too small to be a target.

Current technologies are not considered sufficient to prevent ransomware infections.

Inability to detect all ransomware infections puts companies at risk.

One or more ransomware attacks are believed to be possible in the next 12 months.

The severity and volume of ransomware infections have increased over the past 12 months.

Negligent and uninformed employees put companies at risk.

To prevent ransomware infections, employees need to become educated on the ransomware threat.

Most companies experience encrypting ransomware.

The consequences of ransomware are costly.

By far, most ransomware incidents are unleashed as a result of phishing and insecure websites.


Confidential 29



Methods

Position level within the organization


Confidential 31

12%

9%

19%

17%

18%

8%

11%

2% 2% 1%

Business owner Executive/VP

Director Manager

Supervisor Technician

Staff Consultant

Contractor Other

The primary person reported to within the organization


Confidential 32

37%

22%

18%

8%

4%

4% 3% 2% 3%

Chief Information Officer

CEO/Business Owner

Chief Information Security Officer

Chief Financial Officer

Chief Security Officer

Data Center Management

General Counsel

Compliance Officer

Other

Primary industry focus


Confidential 33

14%

10%

10%

8%

8% 8%

7%

6%

5%

5%

5%

4%

4% 2% 2% 2%

Financial services

Health & pharmaceuticals

Services

Retail

Technology & software

Industrial

Consumer products

Public sector

Energy & utilities

Education & research

Entertainment & media

Transportation

Hospitality

Communications

Agriculture & food services

Other

Worldwide headcount of the organization


Confidential 34

11%

19%

21% 19%

21%

10%

Less than 100

100 to 200

201 to 300

301 to 400

401 to 500

More than 500

Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who have responsibility for containing ransomware infections within their organization. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.


Confidential 35



Questions?

Ponemon Institute

Toll Free: 800.887.3118

Michigan HQ: 2308 US 31 N.

Traverse City, MI 49686 USA

[email protected]

mailto:[email protected]


Bhavesh Chauhan

• Principal Client Partner – Security Evangelist

within Verizon CTO organization • Previously led the Security Engineering and

Professional services for the North East Region

• Serves as a board member of the local ISACA chapter

• Holds a Masters of Science Degree in Physics and certifications such as CISSP, CISA and CISM


Yolonda Smith

• Director of Product Management at Pwnie

Express • Spent 8 years in the United States Air Force

as a Cyberspace Operations Officer

• Developed and orchestrated the first Department of Defense Cyber Hunting missions

79

Open Discussion & Q&A

• Michael Angelo - Moderator

• Larry Ponemon

• Bhavesh Chauhan

• Yolonda Smith

To ask a question:

Type in your question in the Questions

area of your screen.

You may need to click on the double

arrows to open this function.

#ISSAWebConf

80

Building Security in a Business Culture

2-Hour Live Event: Tuesday, June 27th, 2017 Start Time: 9:00 a.m. US-Pacific/ 12:00 noon US-Eastern/ 5:00 p.m. London

Overview: Everyone knows security is critical to our organizations survival, but yet we all seem to bolt on our security culture after the fact. This session will provide insight into why and how you can build your security culture and leverage the role of change management & behavioral change in making security programs more effective. Culture is an outcome of values, behaviors and communications. Many of us are faced with cultures and management structures that seem hostile to a successful security program. We're going to talk about how to identify those cultures that make it difficult to be successful and how to make a decision about what you should do: fish or cut bait. Can you make a difference or is it time to move on?

Next International Web Conference:

81

A recording of the conference and a link to the survey to get CPE credit for attending the May ISSA International Web Conference will soon be available at: https://www.issa.org/page/May2017 and check out previous web conferences at https://www.issa.org/?OnDemandWebConf If you or your company are interested in becoming a sponsor for the monthly ISSA International Web Conferences, please visit: https://www.issa.org/?page=BecomeASponsor

Web Conference Survey

https://www.issa.org/page/May2017

https://www.issa.org/?OnDemandWebConf

https://www.issa.org/?page=BecomeASponsor

Join ISSA

Webinar attendees can join ISSA at a 20% discount by using the code WEBCON42 during the checkout process The discount is available for all memberships except Students, and can also be used to renew your membership

Documents

Breach Report Analysis · 2018. 4. 2. · Breach Report Analysis Today’s Moderator: Michael Angelo Chief Security Architect at Micro Focus Chair of ISSA International Web Conference