Cyber Crimes: the Good, the Bad, and the Ugly
Mohd Serieh
QCB Information & Security Conference, November 2017
Knowledge check: “I have internet access but I don’t shop online, this means I won’t become a victim of Cyber Crime.” Is this statement True or False?
Knowledge check: “Cybercrime is limited to any criminal act dealing with computers and networks” Is this statement True or False?
Knowledge check: “Cybercrime includes only traditional crimes conducted through the internet” Is this statement True or False?
Knowledge check: “70% of fraud is cyber enabled” Is this statement True or False?
The good
1. Cost of data breach is decreasing
The average total cost of data breach decreased by 11% this year. The average cost for each lost or stolen record containing sensitive and confidential information also significantly decreased, by 12%, this year.
Source: 2017 Cost of Data Breach Study: Global Overview, Ponemon Institute, June 2017
2. More corporates are starting to rely on cloud security
• 11%: No plans yet
• 17%: Putting plans together, unsure when will deploy
• 28%: Putting plans together, deployment end of year
• 18%: Pilot deployment in place
• 19%: A full-service deployment in place
• 9%: Several services are in place, fairly mature
Source: Amazon estimates based on 1000 compute cycles (300 compute cycles, 700 peak cycles) and data transfer (3000 GB of “in” data and 6,000 GB of “out” data).
Source: Gartner, “Private Cloud Matures, Hybrid Cloud Is Next,” Thomas J. Bittman,
3. Year-end cybercrime update 2016
• The hacker behind the JPMorgan Chase hack, the world’s largest-ever bank hack, arrested in Russia;
• Hacker Gets 4 Years in Prison for Selling Stolen Bank Accounts on the Dark Web;
• Teen Behind Titanium DDoS Stresser Pleads Guilty in London: used to launch over 1.7 million DDoS attacks;
• FBI Arrests Customer of Xtreme Stresser DDoS-for-Hire Service;
• Joint Cyber Operation Takes Down Avalanche Criminal Network Servers Enabled Nefarious Activity Worldwide;
• Hacker known as Guccifer sentenced to 52 months in prison;
• And the list goes on…
The bad
Cybercrime trends are higher than any other category
There were almost 6M incidents of fraud and cybercrime last year, according to the 2016 Crime Survey for England and Wales, more than any other category of crime, and almost as much as all the other categories measured in the survey when added together.
[Chart: million incidents per crime category, for the periods Apr 2010 to Mar 2011 through Apr 2015 to Mar 2016. Categories: Theft from a person, Domestic burglary, Vehicle theft, Violence towards a person, Criminal damage, Fraud & cybercrime.]
And so are the costs
[Chart: Worldwide security spending ($bn), 2016 to 2018; data labels shown: 80, 86 and 93.]
Source: Gartner
Furthermore, highly regulated industries have the highest per-record data breach costs
[Figure: per-record data breach cost by industry. Industries shown: Healthcare, Education, Pharmaceutical, Financial, Consumer, Energy, Hospitality, Retail. Cost labels in slide order: $227, $359, $294, $206, $155, $141, $122, $105.]
*Currencies converted to US dollars
Source: 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, sponsored by IBM
And the ugly
Most enterprises lack security capabilities
And they know it!
How prepared is your company for a cyber event? (KPMG research)
[Chart: share of responses, 0% to 80%, for the categories Unsure, Not where we want to be, Somewhat prepared, Fully prepared.]
• Are we prepared? Seventy-two percent of CEOs say they are not fully prepared for a cyber event, 50% more than 2015.
• Can you be fully prepared? CEOs frequently said: “we are as prepared as we can be” or “you can never be fully prepared”.
• How to prepare? By practicing the ability to respond to cyber events. Companies need an ability to be agile and deal with the unexpected.
2016 KPMG Channel Islands Limited
“There are only two types of companies: those that have been hacked and those that don’t know they have been hacked.” Robert S. Mueller, III, Director, FBI
Just like infections, there is an incubation period for hacks
People know they are infected WHEN the symptoms start showing, NOT when they are infected. Hacking is like infection: your systems do not know they are hacked until it is too late.
[Chart: Incubation period in weeks (axis 0 to 30) for Chicken pox, Ebola, Rabies, HIV.]
Scared Yet?
• Hardware and software keep getting cheaper;
• Combine the Internet and a global scope, and the potential for attacks is limitless;
• Security will always be breached;
• Even when laws are passed to increase technological safeguards, new technology will always outstrip legislation.
What are you going to do about it?
Here are the questions any CISO wants to be able to answer…
1. Establishing Quality Baseline: Identify what needs to be defended or observed as well as formulate a risk profile to detect abnormalities
• Who are the attractive targets?
• Which applications to defend?
• What is the normal behavior profile for users, assets, and applications?
2. Sophisticated Attacks: Gain awareness of a motivated/incentivized attacker attempting to hide/disguise the attack
• Which assets are already compromised?
• Which external domain may be the source of attacks?
• Are there any low profile network traffic elements that might signal an ongoing imminent attack?
3. Insider Threats: Identify or warn of users within the organization who may be inclined to perform actions that are detrimental to the organization’s operations
• What data is being leaked or lost and by whom?
• Who internally has the motivation to compromise the cyber operation?
• Who is exhibiting abnormal usage behavior?
4. Predict Hacktivism: Alert to a possible attack from groups that sympathize with causes that are contrary to the interests
• Which controversial issues may trigger a negative sentiment about the organization?
• How to identify and monitor intentions?
• How does publicity of the company in the media impact risk?
5. Counter Cyber Attacks: Inform of an impending or ongoing attack by criminal groups
• Which geographical region may be the origin of an attack?
• Which hacking tools may be used and who is gaining access to them?
• Are there symptoms of an attack underway or being planned manifesting themselves as support issues?
6. Mitigate Fraud: Surface new or existing fraud methods that may compromise its compliance with regulations or cause significant losses to its financial operations
• How can the organization identify a fraudulent activity?
• Which users have compromised identities that may lead to a fraudulent activity?
• Can well known fraud attempts have patterns that can either be detected or even anticipated?
And no one knows backdoor answers, like our good old friend The Hacker
What is a hacker?
1. Creates and modifies computer software and computer hardware;
2. Exploits systems and gains unauthorized access through clever tactics and detailed knowledge;
3. Computer enthusiast/person who enjoys learning programming languages;
4. Someone who breaks into computers;
5. Can make a computer do what they want;
6. Anyone who ‘breaks open’ code and manipulates it in a clever or original way;
7. Not necessarily illegal.
Kevin Mitnick (AKA The Darkside Hacker)
The US Department of Justice called him “the most wanted computer criminal in US history”. After serving a year in prison for hacking into the Digital Equipment Corporation’s network, he was let out for three years of supervised release. But near the end of that period, he fled and went on a 2.5-year hacking spree that involved breaching the national defense warning system and stealing corporate secrets.
Gary McKinnon (AKA Solo)
He infiltrated 97 US military and NASA computers, installing a virus and deleting a few files, all in an effort to satisfy his curiosity.
Jake Leslie Davis (AKA Topiary)
Part of a hacking group called LulzSec that gained credentials for hacking into Sony, News International, CIA, FBI, Scotland Yard, and several noteworthy accounts. So notorious was the group that when it hacked into News Corporation’s account, it put out a false report of Rupert Murdoch having passed away. Topiary was also an associate of Anonymous.
Adrian Lamo
Hacked into Yahoo!, Microsoft, Google, and The New York Times. Although this culminated in his arrest, it later helped him gain the badge of an American Threat Analyst. A guy who would hack into top-notch accounts while sitting in spacious and comfortable cafeterias, libraries, and internet cafes soon turned Wikileaks suspect Bradley Manning over to the FBI. While Manning was arrested for leaking several hundred sensitive US government documents, Lamo went into hiding or, should we presume, undercover?