HackFormers Talk: Beware Wolves in Sheep's Clothing

Beware Wolves in Sheep's Clothing: Information Security Threat Reports - Separating Fact from FUD

Page 1: HackFormers Talk: Beware Wolves in Sheep's Clothing

Beware Wolves in Sheep's Clothing:

www.hackformers.org

Information Security Threat Reports, Separating Fact from FUD

Clare Nelson, CISSP
CEO, ClearMark Consulting

January 11, 2013

"...just because it's true doesn't make it not FUD"[1]

- Rafal Los

[1] Source: HP Enterprise Security Blog: http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/Abandon-FUD-scare-tactics-and-marketing-hype-to-sell-information/ba-p/5551189

Page 2

Speaker Background

• 30+ years in high tech, startups and Fortune 100 companies:
  – GM (Space Shuttle subcontractor for Boeing), ACC (now Ericsson), CMC (now Rockwell), DEC (now HP), EMC, Dazel (now HP), Dell, TeaLeaf Technology (now IBM), Novell (now The Attachmate Group), ClearMark Consulting
• ClearMark Consulting: business development for Secure Mentem, Blue Coat spinout Quarri Technologies, SGI
• Technical background, Sales & Marketing
  – Software development (Unix device drivers, encrypted TCP/IP variants, Space Shuttle test software)
  – System management, Product management, Marketing, Sales (Asia, Europe), Global Alliances, Business Development, IAM
• First female director in Dell's Server and Storage division
• CISSP, Member Austin ISSA Board
• Publications include "Security Metrics," ISSA Journal, August 2010
• BS Mathematics, Tufts University
• @Safe_SaaS
• [email protected]

Page 3

Beware Wolves in Sheep's Clothing

HackFormers Mission
1. Teach Security
2. Teach Christ
3. Teach Security in Christ

Information Security Threat Reports, Separating Fact from FUD

Page 4

Teach Security

Page 5

Scope

• Information Security Threat Reports
• Free
• Download with or without registration
• Sources – Government, Industry, IT Companies

Page 6

What is a Threat?

"Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability."

Source: Diagram attributed to Rasmussen, http://www.gideonrasmussen.com/article-24.html
Source: Threat definition attributed to NIST, SP 800-30, "Risk Management Guide for Information Technology Systems," July 2002, page 19

Page 7

What is a Threat, Really?

Diagram labels: Risk; Threats

Source: Marinus van Aswegen, Security Architect, Telic Consulting, January 4, 2013 blog entry, http://telicthoughts.blogspot.com/2009/02/threats-vulnerabilities-and-risk.html?m=1

Page 8

What Is a Threat Landscape?

Source: Fortinet, http://www.fortinet.com/aboutus/aboutus.html

Page 9

What Is Your Threat Landscape IQ?

Diagram labels: You; Understanding of Threat Landscape

Page 10

Threat Landscape: Knowing What You Don't Know

Diagram labels: Unclassified; Classified

Unknown unknowns...

Iceberg metaphor attributed to Shawn Henry, President of Services for CrowdStrike, from DEF CON talk

Page 11

What Is at Stake? Risk, Loss Exposure[1]

"One company that was recently the victim of an intrusion determined it had lost 10 years worth of research and development—valued at $1 billion—virtually overnight."[2]

Shawn Henry
Executive Assistant Director
Federal Bureau of Investigation

ISSA International Conference
Baltimore, Maryland
October 20, 2011

[1] Source: ConSec 2012, Austin, Texas: Jack Jones on Risk; he prefers the term "Loss Exposure"
[2] Source: http://www.fbi.gov/news/speeches/responding-to-the-cyber-threat

Page 12

The Problem

Attacks evolve, morph and improve. Limited time and resources for tracking and understanding the threat landscape.

Page 13

How Do You Stay Informed?

Page 14

Information Security Reports

Page 15

Threat Intelligence Hype

How to measure the IQ of the data you're being fed

"It's not enough just to tell you in detail what has already happened. If it's not helping you make decisions, or be proactive, then it's not worth paying extra for it."

Wendy Nather, Research Director of the Enterprise Security Practice, 451 Research

Source: Dark Reading, November 16, 2012; http://www.darkreading.com/security-monitoring/167901086/security/news/240142229/threat-intelligence-hype.html

Page 16

Secondary Problem

Page 17

"Threat Intelligence Reports Play Key Role In Security Strategies"[1]

Threat Intelligence Reports are used to:
1. Shape Security Strategies
2. Justify Security Resource and Budget Requests
3. Execs want more "actionable intelligence" and "defense recommendations"[2]

Solutionary Survey: n = 178

"Security has evolved from a tactical IT concern to boardroom-level dilemma. This transition has challenged many executives who are now obligated to protect their organization's critical assets."[3]

[1] Source: Dark Reading, http://www.darkreading.com/threat-intelligence/167901121/security/vulnerabilities/240144404/survey-threat-intelligence-reports-play-key-role-in-security-strategies.html?cid=nl_DR_daily_2012-12-14_html&elq=224c4f1f11cd499a806bf687f64ec08a
[2] Source: Solutionary, http://www.solutionary.com/index/intelligence-center/press-releases/Threat-Intelligence-Survey.php
[3] Source: Security Battleground: An Executive Field Manual (book) by Michael Fey, et al. (March 2012)

Page 18

Beware the Survey and other Jabberwocks

Look for reports based on first-hand evidence collected during forensics investigations

Page 19

Example 1: August 2012 Press Release

"Independent study finds that financial institutions are losing clients as a result of a single fraud attack"

"Third annual Guardian Analytics and Ponemon Institute 'Business Banking Trust Study' detects widespread fraud and loss of funds"

Source: http://www.guardiananalytics.com/newsandevents/press_08062012.php

Page 20

Example 1 (continued): Fact or FUD?

• Guardian paid Ponemon to conduct the independent survey
  – 998 SMBs in the US
• Guardian sells: Behavior-based anomaly detection solutions to prevent banking fraud

Source: http://www.guardiananalytics.com/newsandevents/press_08062012.php

Page 21

Example 2: Fact or FUD?

• McAfee quarterly threat report
• "... the reports exaggerated mobile malware..."
• "Virus companies are playing on your fears to try to sell you [...bleeped word...] protection software for Android, RIM, and iOS," DiBona said.
• "They are charlatans and scammers. If you work for a company selling virus protection for [them], you should be ashamed of yourself."

Source: http://www.csoonline.com/article/715489/threat-reports-finger-android-again

Page 22

What Are "Authoritative" Threat Reports? Good, Bad, Ugly

Organization: Threat Report
• AVG Threat Labs: AVG Threat Labs Website Reports
• CERT, CMU (DHS S&T, USSS): Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, July 2012
• Cisco: Cisco 2Q 2011 Global Threat Report
• Commtouch: Internet Threat Trends Report, October 2012
• Deloitte: 2012 Deloitte-NASCIO Cybersecurity Study
• ESET: Global Threat Report: November 2012
• FBI, National White Collar Crime Center: 2011 Internet Crime Report
• FireEye: Advanced Threat Report 1H 2012
• F-Secure: Mobile Threat Report Q3/2012
• Georgia Tech Information Security Center: Emerging Cyber Threats Report 2013
• HP: 2011 Top Cyber Security Risks Report
• IBM: IBM X-Force Mid-Year Trend and Risk Report, September 2012
• Mandiant: M-Trends 2012: An Evolving Threat
• McAfee: McAfee Threats Report: Third Quarter 2012
• Microsoft: Microsoft Security Intelligence Report (Includes Worldwide Threat Assessment), Volume 13
• Sophos: Security Threat Report 2013
• Symantec: Internet Security Threat Report, Volume 17
• Trustwave: Trustwave 2012 Global Security Report
• US Government Accountability Office (GAO): Cybersecurity Threats Impacting the Nation
• Verizon: Verizon Data Breach Investigations Report (DBIR) 2012
• Verizon: Verizon 2011 Investigative Response Caseload Review
• Websense: Websense 2012 Threat Report
• WhiteHat Security: WhiteHat Security Website Statistics Report, Summer 2012

Page 23

2012 Verizon DBIR

• 855 incidents, 174 million compromised records
  – Verizon
  – United States Secret Service (USSS)
  – Dutch National High Tech Crime Unit (NHTCU)
  – Australian Federal Police (AFP)
  – Irish Reporting & Information Security Service (IRISS)
  – Police Central e-Crime Unit (PCeU) of the London Metropolitan Police
• Summary Statistics
  – 85% of breaches took weeks or more to discover
  – 97% of breaches were avoidable through simple or intermediate controls

Source: http://www.verizonbusiness.com/about/events/2012dbir/

Page 24

What Are "Authoritative" Threat Reports? Who Tells Congress What to Read?

Cybersecurity Authoritative Reports and Resources

Tehan, R. (latest version, December 2012), Congressional Research Service, Prepared for Members of Congress, 7-5700, www.crs.gov, R42507

Page 25

What Are "Authoritative" Threat Reports? Are They a Form of Marketing?

M-Trends: The One Threat Report You Need to Read

Source: https://www.mandiant.com/blog/archives/2326

If you're not paying for something, you're not the customer; you're the product being sold.

- Andrew Lewis

Page 26

What Are "Authoritative" Threat Reports? Are They a Form of Marketing?

"Annual security threat reports are expected from security companies, while security professionals chomp at the bit to read the research findings."

- David Schwartzberg, SophosLabs

Source: http://www.darkreading.com/blog/240143806/android-riskier-than-pcs-sophos-security-threat-report-2013.html

Page 27

That Giant Sucking Sound[1]

"I wish more IT Security people would take: [Econ 101, Stats 101, Formal Logic, and Survey 101] (all people really)" -- @joshcorman, tweeted January 7, 2013

[1] Source: http://en.wikipedia.org/wiki/Giant_sucking_sound. The "giant sucking sound" was United States Presidential candidate Ross Perot's colorful phrase for what he believed would be the negative effects of the North American Free Trade Agreement (NAFTA), which he opposed.

Page 28

What Are "Authoritative" Threat Reports? Are They a Form of Marketing?

"Websense Security Labs discovers and investigates today's advanced security threats and publishes its findings."

Source: Websense, http://www.websense.com/content/websense-2012-threat-report-download.aspx

Download report, get email, get phone call ...all within 30 minutes

Page 29

What Are "Authoritative" Reports? Lies, Damned Lies and Statistics

McAfee Explains The Dubious Math Behind Its 'Unscientific' $1 Trillion Data Loss Claim
- August 3, 2012, Forbes.com

"No, the statistic was not simply made up. Yes, it's just a 'ballpark figure' and an 'unscientific' one, the company admits. But despite Pro Publica's criticisms and its own rather fuzzy math, the company stands by its trillion-dollar conclusion as a (very) rough estimate."

Source: Tehan, R. (July 2012), Cybersecurity Authoritative Reports and Resources, Congressional Research Service, Prepared for Members of Congress, 7-5700, www.crs.gov, R42507.

Page 30

What Are "Authoritative" Threat Reports? Art or Science?

"Threat analysis, in many ways, is equal parts art and science."

Source: McAfee Threats Report: Third Quarter 2012

Page 31

What Are "Authoritative" Reports? "There Are No Facts, Only Interpretations"

"At McAfee Labs we try to apply as much math and analytical rigor to our analysis as we can, but we often cannot see the whole picture. We must also interpret and surmise many things. German philosopher Friedrich Nietzsche wrote 'There are no facts, only interpretations.' This bit of wisdom strikes us as quite relevant to analyzing threats.

Depending on one's perspective, threats can mean many things. Spam, for example, looks like it's on a steady decline when viewed globally, but when looked at locally or by country we see tremendous variations. The same can be said of many threat vectors we analyze..."

Source: McAfee Threats Report: Third Quarter 2012

Page 32

What is the Geographic Coverage?

F-Secure, Shadowserver and Conficker Working Group, "Conficker World Map." Source: http://www.f-secure.com/weblog/archives/00001646.html (September 3, 2012).

Page 33

Why Do Some Reports Conflict?

Who Sponsors the Reports? What is the Methodology?

Le Penseur, by Auguste Rodin

Page 34

Methodology

Surveys
• Unrepresentative samples
• Measurement error
  – Leading questions
  – Social desirability
• Sampling error and survey bias

MSSP and Product Data Collection
• Customer profile, installed base sampling, geography
• Filtering, default versus unique settings
• Compare with previous reports: not apples-to-apples
• Data aggregation methods
• Time: what period does the report cover?
• Does the report clearly state the date of publication?
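The "sampling error" and "compare with previous reports" points are where the Stats 101 that @joshcorman asks for earns its keep. The Python below is an added example for this page, not code from the original talk or from any of the vendors it cites: it computes the best-case margin of error for a survey-reported percentage and tests whether a year-over-year change is distinguishable from sampling noise. The only figures taken from the deck are the sample sizes (n = 178 for the Solutionary survey, 998 SMBs for the Ponemon/Guardian Analytics study); every percentage is a constructed illustration, not a finding from either report.

```python
"""Sampling error for survey-based threat reports.

Added example for this page, not code from the original HackFormers deck.
The two sample sizes are the ones the slides quote (n = 178 for the
Solutionary survey, n = 998 SMBs for the Ponemon/Guardian Analytics study);
every percentage below is a constructed illustration, not a figure from
either report.
"""
import math

Z_95 = 1.96  # two-sided 95% normal critical value


def margin_of_error(p: float, n: int, z: float = Z_95) -> float:
    """Half-width of the normal-approximation confidence interval for a
    reported proportion p from a simple random sample of size n.

    This is the best case: it assumes random sampling and ignores the
    non-response, leading-question and self-selection biases listed on the
    Methodology slide, none of which shrink as n grows.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a proportion in [0, 1]")
    if n <= 0:
        raise ValueError("n must be positive")
    return z * math.sqrt(p * (1.0 - p) / n)


def two_proportion_z(p1: float, n1: int, p2: float, n2: int) -> float:
    """Pooled two-proportion z statistic for 'this year versus last year'.

    A headline such as 'up 7 points since our last survey' only means
    something if |z| clears the critical value; otherwise the move is within
    what re-sampling the same population would produce anyway.
    """
    pooled = (p1 * n1 + p2 * n2) / (n1 + n2)
    se = math.sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    if se == 0.0:
        return 0.0  # both samples unanimous and identical: no difference
    return (p1 - p2) / se


def change_is_distinguishable(p1: float, n1: int, p2: float, n2: int,
                              z_crit: float = Z_95) -> bool:
    """True when the year-over-year change exceeds sampling noise."""
    return abs(two_proportion_z(p1, n1, p2, n2)) > z_crit


def assess_finding(label: str, p: float, n: int) -> dict:
    """Summarise one reported percentage together with its sampling error."""
    moe = margin_of_error(p, n)
    return {
        "finding": label,
        "n": n,
        "reported_pct": round(100 * p, 1),
        "moe_pts": round(100 * moe, 1),
        "interval_pct": (round(100 * (p - moe), 1), round(100 * (p + moe), 1)),
    }


if __name__ == "__main__":
    # Constructed findings; only the sample sizes come from the deck.
    for row in (
        assess_finding("execs want actionable intelligence (n=178 survey)", 0.62, 178),
        assess_finding("SMBs reporting a fraud attack (n=998 survey)", 0.56, 998),
    ):
        print(row)

    # Constructed year-over-year comparison, same question asked at each size.
    for n in (178, 998):
        z = two_proportion_z(0.55, n, 0.62, n)
        verdict = "real change" if change_is_distinguishable(0.55, n, 0.62, n) else "within noise"
        print(f"55% -> 62% with n={n} each year: z={z:.2f} ({verdict})")
```

Run it and the n = 178 survey's 62% reads as "62% plus or minus 7 points", while a 7-point year-over-year move at that sample size is not distinguishable from noise (|z| is about 1.3); the same move at n = 998 is (|z| about 3.2). The margin covers random sampling only; the biases the slide lists (leading questions, social desirability, a vendor-chosen installed base) are systematic and no sample size removes them.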

Page 35

Sponsorship

Who Funded the Report?
• Spread misleading information
• Spread FUD
• Skewed toward latest product or service

Page 36

Are Terms Defined?

Advanced Persistent Threat

Page 37

FUD or Not?

"Advanced malware continues to grow and in the first half of 2012 is up nearly 400% versus the first half of 2011."

Source: http://blog.fireeye.com/research/2012/08/just-released-fireeye-advanced-threat-report-1h-2012.html (November 1, 2012)

Page 38

Teach Christ

Page 39

Sermon on the Mount

Beware of false prophets, which come to you in sheep's clothing, but inwardly they are ravening wolves.

Matthew 7:15

Page 40

What is a False Prophet?

Matthew Henry's Commentary, Matthew 7:15-20

Nothing so much prevents men from entering the strait gate, and becoming true followers of Christ, as the carnal, soothing, flattering doctrines of those who oppose the truth.

They may be known by the drift and effects of their doctrines. Some part of their temper and conduct is contrary to the mind of Christ. Those opinions come not from God and lead to sin.

Source: http://bible.cc/matthew/7-15.htm

Page 41

Sermon on the Mount

Jesus concludes the sermon by warning against false prophets, and emphasizes that humans are unable to do right ("bear fruit") apart from God.

Page 42

Matthew 7:15-20

15 Beware of false prophets, which come to you in sheep's clothing, but inwardly they are ravening wolves.

16 Ye shall know them by their fruits. Do men gather grapes of thorns, or figs of thistles?

17 Even so every good tree bringeth forth good fruit; but a corrupt tree bringeth forth evil fruit.

18 A good tree cannot bring forth evil fruit, neither can a corrupt tree bring forth good fruit.

19 Every tree that bringeth not forth good fruit is hewn down, and cast into the fire.

20 Wherefore by their fruits ye shall know them.

Matthew 7, King James Version (KJV), http://www.biblegateway.com/passage/?search=Matthew+7&version=KJV

Page 43

Why Warn about False Prophets?

Many warnings in Bible

For false Christs and false prophets shall rise, and shall shew signs and wonders, to seduce, if it were possible, even the elect. Mark 13:22

But there were false prophets also among the people, even as there shall be false teachers among you, who privily shall bring in damnable heresies, even denying the Lord that bought them, and bring upon themselves swift destruction. 2 Peter 2:1

Woe unto you, when all men shall speak well of you! for so did their fathers to the false prophets. Luke 6:26

And he said, Take heed that ye be not deceived: for many shall come in my name, saying, I am Christ; and the time draweth near: go ye not therefore after them. Luke 21:8

For many shall come in my name, saying, I am Christ; and shall deceive many. Matthew 24:5

And many false prophets shall rise, and shall deceive many. Matthew 24:11

Source: http://bible.cc/matthew/7-15.htm, http://bible.cc/matthew/24-5.htm, etc.

Page 44

Teach Security In Christ

Page 45

Who Influences Your Faith?

InfoSec Questions
• What are the data sources?
• What geographies are covered?
• Who funded the report?
• Why was the report published?
• When was the report published?
• What are the report biases?
• Who wrote the report?
• Is the report methodology documented?
• Are trends tracked over time?

Page 46

Beware

• "...read the threat reports with caution. They are vendor marketing documents designed to position vendor research teams as industry experts that bring the vendor a competitive advantage."
• "The reports' findings only represent what the vendor is looking for along with a natural bias towards the vendor's business."
• "Security pros can do better by examining multiple vendor threat reports to get a more complete picture and map the threat classes to the business."

"How to use Internet security threat reports"
Author: Eric Ogren, founder and Principal Analyst of the Ogren Group, formerly with RSA, etc.

Source: http://searchsecurity.techtarget.com/news/1373865/How-to-use-Internet-security-threat-reports

Page 47

What is Deception?

Deceive, de·ceive (dĭ-sēv′) v. de·ceived, de·ceiv·ing, de·ceives
v.tr.
1. To cause to believe what is not true; mislead.
2. Archaic. To catch by guile; ensnare.
v.intr.
1. To practice deceit.
2. To give a false impression: appearances can deceive.

[Middle English deceiven, from Old French deceveir, from Vulgar Latin *dēcipēre, from Latin dēcipere, to ensnare, deceive: dē-, de- + capere, to seize; see kap- in Indo-European roots.]

Source: http://www.thefreedictionary.com/deceive (November 2, 2012).

Page 48

Discriminate

InfoSec Strategy
• Question presenters and ask them to cite their sources
• PowerPoint defect: no "Insert footnote" function
• Plan your report reading
• Don't just read the latest inbox delivery
• Create your own top ten report list

Page 49

What Does This Mean Today?

"The salvation promised is more than deliverance from evil, it is everlasting blessedness."[1]

[1] Source: http://bible.cc/mark/13-13.htm, Matthew Henry commentary on Mark 13:13

Page 50

Additional References

1. Tehan, R. (July 2012), Cybersecurity Authoritative Reports and Resources, Congressional Research Service, Prepared for Members of Congress, 7-5700, www.crs.gov, R42507
2. Matthew 7:15, Online Parallel Bible, Retrieved December 1, 2012, from http://bible.cc/matthew/7-15.htm
3. The Holy Bible, King James Version
4. Tripwire blog, State of Security, "The Four Horsemen of the Apocalypse: Security Software FUD" by Kevin Weston, November 9, 2012, http://www.tripwire.com/state-of-security/off-topic/the-four-horsemen-of-the-cyber-apocalypse-fud-in-security-software-marketing/
5. Rafal Los, "Abandon FUD, Scare Tactics and Marketing Hype," February 26, 2012; http://www.infosecisland.com/blogview/20397-Abandon-FUD-Scare-Tactics-and-Marketing-Hype.html
6. Gal Shpantzer, "Showcasing Fear, Uncertainty and Doubt from the Information Security Industry," May 14, 2010, http://fudsec.com/scsovlf-aka-the-shpantzer-coma-scale-of-vendo
7. Information Security, Reputation and FUD, July 17, 2012, http://makeitcompliant.blogspot.com/2012/07/information-security-reputation-and-fud.html
8. "Just Say No to FUD," October 30, 2009; http://newschoolsecurity.com/2009/10/just-say-no-to-fud/, featuring Dr. Anton Chuvakin
9. CSO Online, "Cybersecurity Expert Argues FUD Can Be Effective," June 11, 2012; Taylor Armerding, http://www.csoonline.com/article/708215/cybersecurity-expert-argues-fud-can-be-effective
10. Richard Bejtlich's blog, Monday, October 27, 2003, The Dynamic Duo Discuss Digital Risk, http://taosecurity.blogspot.com/2003/10/dynamic-duo-discuss-digital-risk.html?m=0

Page 51

Backup Slides

Page 52

What is the Geographic Coverage?

"Each country lists 6 contributing factors, share of malicious computer activity, malicious code rank, spam zombies rank, phishing web site hosts rank, bot rank and attack origin, to substantiate its cybercrime ranking."

BusinessWeek, Symantec: Cybercrime: Top 20 Countries, http://www.enigmasoftware.com/top-20-countries-the-most-cybercrime/ (September 3, 2012).

Page 53

Verizon DBIR 2012

Page 54

On FUD (From Tripwire Blog)

• "...Some software security vendors create sensationalistic reports or claims; these false or exaggerated stories are then fed to the media. The media propagate the story without fact checking and sometimes embellish it further to increase the likelihood that readers will click on and share links to the story, making it go viral. For example, the threat of mobile malware has been overinflated by several vendors who sell mobile anti-virus products who offer marginal levels of protection, if any at all."
• "It is important to remember that many tech blogs make money based on the number of ad impressions they have on their site, not the factual integrity of the story they are reporting. Pair the revenue model with the number of stories a professional blogger needs to post in a day and you can pretty much guarantee some writers will not actually fact check, or test the product they are writing about. Misinformation travels just as fast if not faster than truth. By the time the story has hit mainstream media the conquest is complete; even if there are corrections to a story, once it goes viral the truth becomes irrelevant."

Source: http://www.tripwire.com/state-of-security/off-topic/the-four-horsemen-of-the-cyber-apocalypse-fud-in-security-software-marketing/

Page 55

Showcasing Fear, Uncertainty and Doubt from the Information Security Industry

"Since the founding of Fudsec we've looked to expose FUD, but until today it's been a little like Justice Stewart's definition of obscenity - I can't define it, but 'I know it when I see it.'"

Source: http://fudsec.com/scsovlf-aka-the-shpantzer-coma-scale-of-vendo

Page 56

Showcasing Fear, Uncertainty and Doubt from the Information Security Industry

• FUD is the tool of choice for bad sales people in the information security world: "you might be subject to this, This or even THIS!!"
• If you hear these cries you are probably talking to a bad sales person.
• Honest consultants will help you manage and understand information security risks. They may even get to the point where they tell you that some risks can't be quantified using traditional methods and then frame advice using good practice references.

Source: http://makeitcompliant.blogspot.com/2012/07/information-security-reputation-and-fud.html

Page 57

FUD Origin

• The term "FUD" originated in the 1970s to describe some of IBM's selling tactics against competitors (who had better price/performance, etc.).
• The FUD technique was used by IBM sales people to destabilize the decision-maker's thinking process. FUD issues raised could not really be answered by the decision-maker or the competitor, and so nagged at the back of the mind. They had the effect of causing the decision-maker to retreat to the safe decision, which was IBM. "Nobody ever got fired for buying IBM."

Source: http://newschoolsecurity.com/2009/10/just-say-no-to-fud/

Page 58

Cybersecurity Expert Argues FUD Can Be Effective

• "...she does not advocate sowing panic. But she believes FUD -- especially doubt -- 'may make people question things.'"
• "It wouldn't take a hell of a lot to do damage. Our SCADA (supervisory control and data acquisition) systems have been penetrated before."
• "...biggest concern is that nobody yet understands the long-term consequences of cyber conflict. 'When the atomic bomb was developed, only a few people saw the long-term consequences. This is really no different. We don't have a handle on it,' she said."

- Sharon Nelson, an attorney and president of the information security, digital forensics and IT consulting firm Sensei Enterprises

Source: http://www.csoonline.com/article/708215/cybersecurity-expert-argues-fud-can-be-effective

Page 59

Are Threat Reports a Crude Form of Sharing?

• "Enterprises are restricted by legal issues, competitive considerations, and fears of reputation loss."
• "Government agencies are restricted by classification requirements and national security concerns."

Source: RSA "Security for Business Innovation Council" report, 2012.