SECURITY SERVICES AND CYBERCRIME TRENDS - …schd.ws/hosted_files/creditunioninfosecurityconf2017/b0/CyberCrime... · SECURITY SERVICES AND CYBERCRIME TRENDS ... Cerber (early March)

SECURITY SERVICES AND CYBERCRIME TRENDS

Scott B. Suhy, [email protected]

®

Trend #1 – SME’s Pressured to Have More Protection

Copyright © 2017 NetWatcher All Rights Reserved. 6/7/2017

HPIBM

FireEyePalo AltoEtc…

(Fortune 5000)

MSSPs

(4200 customers)

Managed Services Providers

Small Medium Large

Size of Business

Threat Intelligence

SIEM

End Point Technology

Intrusion Detection

Intrusion Protection

…big gap…

FirewallAnti‐virus

Security

Soph

istication

GAP in Market!Customer demandsand compliance mandates

Solutions expensivedifficult to usesecurity analysts don’t existManaged Detection & Response

(5M+ customers)

Security is the #1 Growth area for Managed Services Providers (MSPs)‐‐CompTIA

Targeted Enterprises in the US

Copyright © 2017 NetWatcher All Rights Reserved.

MSSPsHP/FireEye PA/IBM

Description <20 20‐49 50‐99 100‐299 300‐499 500‐9991,0004,999

5,000‐9,999 10,000+

Professional, scientific, and technical services 721,841 30,828 9,106 5,811 1,158 942 1,290 291 458

Retail trade 628,726 40,552 12,969 7,465 1,159 849 870 204 343

Health care and social assistance 539,491 45,348 15,593 13,841 2,701 1,887 1,676 235 193

Accommodation and food services 379,301 68,002 18,258 7,878 1,413 1,018 747 115 122

Finance and insurance 232,604 10,612 4,382 3,410 719 536 693 169 263

Information 61,292 6,048 2,257 1,645 408 326 451 105 217

Management of companies and enterprises 5,295 2,828 3,270 6,148 2,620 2,614 3,350 670 814

Utilities 4,377 529 339 267 47 48 80 27 42

Educational services 60,734 9,326 4,090 2,698 540 552 525 56 99

Construction 697,644 43,101 12,462 6,264 877 527 438 66 95

Administrative 290,893 20,766 8,311 6,867 1,709 1,426 1,503 302 413

Wholesale trade 280,185 27,368 9,736 6,861 1,451 1,179 1,378 279 347

Real estate and rental and leasing 269,090 8,087 2,699 2,034 486 419 505 110 212

Manufacturing 208,675 38,891 16,115 11,593 2,298 1,769 1,726 260 317

Transportation and warehousing 148,967 11,060 3,871 3,012 755 695 923 250 404

Arts, entertainment, and recreation 99,357 9,008 3,568 2,259 436 320 309 45 74

Agriculture, forestry, fishing and hunting 20,491 861 242 189 32 22 50 7 17

Mining, quarrying, and oil and gas extraction 17,765 1,849 680 532 114 103 164 31 50

Description <20 20‐49 50‐99 100‐299 300‐499 500‐9991,0004,999

5,000‐9,999 10,000+

Professional, scientific, and technical services 721,841 30,828 9,106 5,811 1,158 942 1,290 291 458

Retail trade 628,726 40,552 12,969 7,465 1,159 849 870 204 343

Health care and social assistance 539,491 45,348 15,593 13,841 2,701 1,887 1,676 235 193

Accommodation and food services 379,301 68,002 18,258 7,878 1,413 1,018 747 115 122

Finance and insurance 232,604 10,612 4,382 3,410 719 536 693 169 263

Information 61,292 6,048 2,257 1,645 408 326 451 105 217

Management of companies and enterprises 5,295 2,828 3,270 6,148 2,620 2,614 3,350 670 814

Utilities 4,377 529 339 267 47 48 80 27 42

Educational services 60,734 9,326 4,090 2,698 540 552 525 56 99

Construction 697,644 43,101 12,462 6,264 877 527 438 66 95

Administrative 290,893 20,766 8,311 6,867 1,709 1,426 1,503 302 413

Wholesale trade 280,185 27,368 9,736 6,861 1,451 1,179 1,378 279 347

Real estate and rental and leasing 269,090 8,087 2,699 2,034 486 419 505 110 212

Manufacturing 208,675 38,891 16,115 11,593 2,298 1,769 1,726 260 317

Transportation and warehousing 148,967 11,060 3,871 3,012 755 695 923 250 404

Arts, entertainment, and recreation 99,357 9,008 3,568 2,259 436 320 309 45 74

Agriculture, forestry, fishing and hunting 20,491 861 242 189 32 22 50 7 17

Mining, quarrying, and oil and gas extraction 17,765 1,849 680 532 114 103 164 31 50

Trend #2 – Giant Skills Gap in Cyber Security


shortfall of 1.5 million security professionals by 2020 –Frost & Sullivan

Trend #3 – Managed Security Market Growing


Global Managed Security Services market is projected to reach $30 billion by 2020 (was $8 billion in 2014) ‐‐Allied Market Research

Trend #4 ‐ Known Vulnerabilities


44% of breaches came from vulnerabilities that are two to four years old… -- HP’s Cyber Risk Report

http://www.cvedetails.com/vulnerability‐list

Think about it… Organized crime and foreign government employees are….

Trend #5 – Ransomware – as ‐ service.


TrueCrypter (late April)CryptXXX (mid April)7ev3n‐HONE$T (mid April)AutoLocky (mid April)Jigsaw (early April)CryptoHost (early April)Rokku (late March)KimcilWare (late March)Coverton (late March)Petya (late March)Maktub Locker (mid March)Nemucod .CRYPTED (mid March)Samas/Kazi (mid March)The Surprise (mid March)Pompous (early March)KeRanger (early March)Cerber (early March)CTB‐Locker for web sites (mid February)Padcrypt (mid February)Locky (mid February)Umbrecrypt (early February)DMA Locker (early February)NanoLocker (late January)7ev3n (late January)LeChiffre (mid January)Magic (mid January)CryptoJoker (early January)Ransom32 (early January)

Trend #5 – Ransomware – it’s just the beginning…


According to the Cisco 2017 Annual Cybersecurity Report, ransomware is growing at a yearly rate of 350%.

Cybersecurity Ventures predicts that Ransomware damage costs will exceed $5 billion in 2017, up more than 15X from 2015.

Trend #6 ‐ Unintentional Insider Threat


Clicking on a Phishing MessageBrowsing Explicit Web SitesDownloading Risky Software (TOR, Hola, BitTorrent etc..)Using Vulnerable Software (outdated Java and Flash)Sending Personally Identifiable Information in Clear Text

Trend #7 ‐ Supply Chain Risk


Do you have customer data?Do you provide your customers data to third party vendors?Do you provide your data to third party vendors?

“It is abundantly clear that, in many respects,” Mr. Lawsky (New York State’s top financial regulator) said in the letter, “a firm’s level of cybersecurity is only as good as the security of its vendors.” -- NYTimes.com: After JPMorgan Cyberattack, a Push to Fortify Wall Street Banks

Think “Business Associate Agreement/HIPAA” – Your customers are going to be expecting you to have great Cyber Security Controls. You should expect the same of your suppliers…

Trend #8 ‐ Open Source


• Doh! Shellshock… Heartbleed… POODLE…

• Duh! They have the source code…

• What is managing the BOM in the solutions built on Open Source?

Trend #9 (FACT) – SME’s are Weak on Cyber Security


Generally no security controls (users have admin access to machines, weak employee policy documents, no cyber training, no cyber liability insurance, sr. execs not schooled on the risks etc…)

Most are not aware that they have already been compromised!

Don’t keep firmware up to date on WIFI, Routers, Switches, FirewallsMany do not change Default Passwords on equipment (see Shodan.io)Most don’t know who their employees are talking to and what bad actor scans are making it through the firewall

• 43% of cyber attacks target small business.• Only 14% of small businesses rate their ability to

mitigate cyber risks, vulnerabilities and attacks as highly effective.

• 60% of small companies go out of business within six months of a cyber attack.• 48% of data security breaches are caused by acts of malicious intent. Human error or system failure account for the

rest.• The numbers show that small businesses are not only at risk of attack, but have already been attacked:

– 55% of respondents say their companies have experienced a cyber attack in the past 12 months(May 2015 ‐May 2016), and

– 50% report they had data breaches involving customer and employee information in the past 12 months (May 2015 ‐May 2016).

• In the aftermath of these incidents, these companies spent an average of $879,582 because of damage or theft of IT assets.

• In addition, disruption to normal operations cost an average of $955,429

SMB Cyber Stats

www.netwatcher.com

https://smallbiztrends.com/2017/01/cyber‐security‐statistics‐small‐business.html

• While many small businesses are concerned about cyber attacks(58%), more than half (51%) are not allocating any budget at all to risk mitigation.

• Dangerous disconnect: one of the more popular responses as to small businesses they don’t allocate budget to risk mitigation was that they, “feel they don’t store any valuable data.” Yet a good number reported that they in fact DO store pieces of customer information that are of significant value to cyber criminals:

– 68% store email addresses;– 64% store phone numbers; and– 54% store billing addresses.

• Small businesses reported that only:– 38% regularly upgrade software solutions;– 31% monitor business credit reports; and– 22% encrypt databases.

• If a company has a password policy, 65% of respondents say they do not strictly enforce it. 16% of respondents admitted that they had only reviewed their cybersecurity posture after they were hit by an attack. 75% of small businesses have no cyber risk insurance.

www.netwatcher.com

https://smallbiztrends.com/2017/01/cyber‐security‐statistics‐small‐business.html

SMB Cyber Stats


Example… Your 12 year old can do this…





Click Here…





Trend #9 – It Will Get Worse Before It Gets Better…


2005 2015 2020

Cyber Attack Surface

Involvem

ent o

f Organize

d Crim

e & Nation States

MoreProtection

MoreInnovation

Desire for Privacy

More Surface to Attack

More Organized Crime

Convenience

Encrypted Malware


50% of all internet traffic is encrypted (“HTTPS”)

SSL inspection versus privacy debate

Reality of a Small Prof. Svc. Business Owner…

www.netwatcher.com

https://www.sans.org/reading‐room/whitepapers/analyst/security‐spending‐trends‐36697

RevenueBillable Resources (Jr) 10 85 1,530,000$ Billable Resources 20 100 3,600,000$ Billable Resources (Sr) 10 115 2,070,000$

Total Revenue 7,200,000$ Salary (Jr) 95000 950,000$ Salary 125000 2,500,000$ Salary (Sr) 150000 1,500,000$ Benefits 20000 800,120$ Rent 120000 120,000$ Utilities 12000 12,000$ Liability Insurance 12000 12,000$ Accounting/Payroll/Legal 36000 36,000$ Management/Support 3 130000 390,000$ Sales & Marketing 24000 24,000$ IT Budget 6000 258000 258,000$ Security Budget 6% 15,480$

Total Expense 6,617,600$ Net 582,400$

What can a company do with 15k?

1.Executive is not aware of the risks – “We have a firewall and anti‐virus so I think we are covered…”2.Executive has bad information – “Hackers only attack the big companies, what would they want from us?”3.Executive is a risk taker – “I’ll take the risk, the probability for us getting attacked is low.”4.Executive is cheap – “No ROI means no priority.”5.Executive doesn’t believe investment in security is worth it – “The loss involved will be so small compared to our revenues. It’s easier to take a chance and write off any losses should they occur.”6.Executive is overwhelmed by the size of the necessary investment required to add additional security measures – “We can’t afford Fire Eye, IBM, HP, Palo Alto etc.. those tools are only affordable to the fortune 1000”7.Executive believes they are covered when they are not – “Our vendor are responsible for our security not us…”8.Executive doesn’t believe any investment in cyber‐security will have much of an impact – “Big companies have all the tools and they are still getting hacked.”

Reality of a Small Business

www.netwatcher.com

• People to manage pre and post compliance– Build Policies – ex. Logical access policy– Build Procedures – Incident Response Plans

• Hardware / Software Updates / Upgrades• Technology Maintenance Services to Keep Up • Cyber Training• Cyber Insurance Requirements• Legal support• New Required Security Capabilities

The Cost of Compliance…

www.netwatcher.com


Trend #10 – Compliance Mandates Will Continue…

• GLBA, HIPAA…• State breach laws…• Dept of Financial Services 23 NYCRR 500• NIST 800‐171

Thank You!

www.netwatcher.comScott B. Suhy, [email protected]

Documents

SECURITY SERVICES AND CYBERCRIME TRENDS - …schd.ws/hosted_files/creditunioninfosecurityconf2017/b0/CyberCrime... · SECURITY SERVICES AND CYBERCRIME TRENDS ... Cerber (early March)