DSS @SFK International Conference - March 2014 - Quantifying Business Value of Information Security

Quantifying Business Value of Information Security
Andris Soroka, 21st of March, 2014, Riga, Latvia

Upload: andris-soroka

Post on 19-Jan-2015

DESCRIPTION

DSS delivered an overall presentation about cyber-security threats in today's fast-developing world of digital technology.

TRANSCRIPT

Page 1: DSS @SFK International Conference - March 2014 - Quantifying Business Value of Information Security

Quantifying Business Value of Information Security

Andris Soroka, 21st of March, 2014

Riga, Latvia

Page 2

We have something to share…

Page 3

We have something to share…

Page 4

About speaker

Page 5

“Data Security Solutions” business card

Specialization: IT Security

IT Security services (consulting, audit, pen-testing, market analysis, system testing and integration, training and technical support)

Solutions and experience portfolio with more than 20 different technologies from cyber-security global market leaders in more than 10 countries

Trusted services provider for banks, insurance companies, government and private companies (critical infrastructure etc.)

Page 6

Role of DSS in Cyber-security Development in the Baltics

Cyber-Security Awareness Raising

Technology and knowledge transfer

Most Innovative Portfolio

Trusted Advisor to its Customers

Page 7

Cybersecurity Awareness Raising

Own organized conference “DSS ITSEC”: 5th annual event this year. More than 400 visitors and more than 250 online live-streaming watchers from LV, EE, LT. 4 parallel sessions with more than 40 international speakers, including Microsoft, Oracle, Symantec, IBM, Samsung and many more; everything free of charge.

Participation in other events & sponsorship: CERT & ISACA conferences; RIGA COMM exhibition & conferences; roadshows and events in Latvia / Lithuania / Estonia (e.g. Vilnius Innovation Forum, Devcon, ITSEC HeadLight, SFK, business associations)

Participation in cyber-security discussions, strategy preparations, seminars, publications etc.

Page 8

Innovations: technology & knowledge transfer

Innovative technology transfer: a number of unique projects done with different global-leader technology vendors

Knowledge transfer (own employees; customers from both the private and public sector; other IT companies)

Areas include:
Endpoint Security
Network Security
Security Management
Application Security
Mobile Security
Data Security
Cyber-security
Security Intelligence

Page 9

Our portfolio is the most innovative in the Baltics!

Page 10

Some basic ideas

Page 11

Page 12

Page 13

AGENDA – IT Security basics in 20 min

Introduction of DSS and speaker
Prologue: Digital World 2014
The Saga begins – Cyber Criminals
  Introduction & business card
  Business behind
  Examples
The Story Continues – Targets of Cyber Criminals
  Individuals
  Business Owners
  Government
Value of Information Security for business
  Risk management
  Technology
Conclusion
Q&A (if time allows)

Page 14

Prologue: The Digital World 2014 - future

Page 15

Prologue: Some new technologies

3D Printers
Google Glass (“glassh**es”)
Cloud Computing
Big Data & Supercomputers
Mobile Payment & Virtual Money
Robotics and Intraday Deliveries
Internet of Things
Augmented Reality
Extreme development of Apps
Digital prototyping
Gadgets (devices) & Mobility
Technology replaces jobs
Geo-location power
Biometrics
Health bands and mHealth
Electric cars
Avegant Glyph and much, much more

Page 16

Page 17

Prologue: Mobility & Gadgets

Page 18

Digital Agenda for European Union

Page 19

New EU Data Protection reform (March’14)

Page 20

New EU Data Protection reform (March’14)

“The same rules for all companies – regardless of their establishment: Today European companies have to adhere to stricter standards than their competitors established outside the EU but also doing business on our Single Market. With the reform, companies based outside of Europe will have to apply the same rules. European regulators will be equipped with strong powers to enforce this: data protection authorities will be able to fine companies who do not comply with EU rules with up to 2% of their global annual turnover. European companies with strong procedures for protecting personal data will have a competitive advantage on a global scale at a time when the issue is becoming increasingly sensitive.”

Source: http://europa.eu/rapid/press-release_MEMO-14-186_en.htm

Page 21

The Saga Continues: Cybercriminals

Page 22

True or fake? In fact this isn’t funny...

Page 23

Best «success story» describing hackers...

Page 24

No changes in that perspective

Page 25

Disaster in the software world - NSA

Page 26

Disaster in the technology world - NSA

Governments write malware and exploits (USA started, others follow..)
  Cyber espionage
  Sabotage
  Infecting own citizens
  Surveillance

Known NSA “partners”
  Microsoft (incl. Skype)
  Apple
  Adobe
  Facebook
  Google
  Many, many others

Internet is changing!!! Questions, questions, questions!

USA thinks that the internet is their creation and foreign users should think of the USA as their masters…

Page 27

Disaster in the software world - NSA

Page 28

Bright future of the internet way ahead..

Figure: 1995 – 2005, 1st Decade of the Commercial Internet; 2005 – 2015, 2nd Decade of the Commercial Internet. Attacker motives over that period:

Motive                          | Actor
Curiosity                       | Script-kiddies or hackers
Revenge                         | Insiders
Monetary Gain                   | Organized crime
Espionage, Political Activism   | Competitors, hacktivists
National Security, Infrastructure Attack | –

Page 29

Global statistics

Page 30

Mobility & Security...

Page 31

Mobility and Security (cont.)

McAfee 2013 Q1 Threats Report

Federal Reserve Survey March 2013

Mobile Malware Explodes

Mobile banking adoption rising

End users fall victim to mobile attacks

Page 32

Mobile malware increases all the time..

Page 33

Some examples of incidents (DDoS)

Page 34

Cyberwars going on!

Page 35

Examples: Whistleblowers should be careful

Source: Juris Pūce, Analytica IT Security

Page 36

Examples: Hacker is watching / listening

Page 37

Examples (continued)

Page 38

Examples (continued)

Page 39

Google Maps helped a hacker intercept calls..

Page 40

Examples: Advanced Persistent Threat

Page 41

The Saga: Simplicity

Page 42

Some examples of incidents

Page 43

Hacking business services...

Current prices on the Russian underground market:

Hacking corporate mailbox: $500

Winlocker ransomware: $10-$20

Unintelligent exploit bundle: $25

Intelligent exploit bundle: $10-$3,000

Basic crypter (for inserting rogue code into benign file): $10-$30

SOCKS bot (to get around firewalls): $100

Hiring a DDoS attack: $30-$70 / day, $1,200 / month

Botnet: $200 for 2,000 bots

DDoS Botnet: $700

ZeuS source code: $200-$250

Windows rootkit (for installing malicious drivers): $292

Hacking Facebook or Twitter account: $130

Hacking Gmail account: $162

Email spam: $10 per one million emails

Email scam (using customer database): $50-$500 per one million emails

Page 44

The weakest link is always the most important

Source: IBM X-Force annual report 2013

Page 45

Let's summarize the Saga told

Page 46

The Saga Continues: Targets

Motive               | Actors                       | Example
National Security    | Nation-state actors          | Stuxnet
Espionage, Activism  | Competitors and Hacktivists  | Aurora
Monetary Gain        | Organized crime              | Zeus
Revenge, Curiosity   | Insiders and Script-kiddies  | Code Red

Page 47

Think security first

Source: Brian Krebs IT security blog

Page 48

Why might hackers want to “contact” You?

Business:
  Commercial espionage (financial, business and personal data)
  An attack can stop the business or its services (competition)
  You are a spam target
  Your home page could be damaged
  They can control and monitor you
  They can change data in systems
  Home page cross-site scripting

Private person:
  You have the infrastructure for tests of new viruses and robots
  You have a server where to store illegal stuff (programs, files etc.)
  They can do criminal activities using your computer
  WiFi – they can just borrow the internet
  You have information which could be sold on the black market

The results of damage:
  Financial (costs, data, market, value)
  Reputation (customer, partner, HR)
  Development and competitiveness

Page 49

Conclusion: The Saga will continue anyway

For many companies security is like salt: people just sprinkle it on top.

Page 50

Smart ones act the smart way – risk management

Page 51

Think security first & Where are You here?

Organizations Need an Intelligent View of Their Security Posture

Figure (axes: Manual → Automated, Reactive → Proactive):

Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence

Proficient: Security is layered into the IT fabric and business operations

Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting

Page 52

New game, new rules..

Figure: Productivity / Security

Page 53

Challenge for business ahead..

Figure (y-axis: Costs; x-axis: “DROŠĪBAS PASĀKUMI”, Latvian for “Security measures”): a security-costs curve rising with security actions, a remaining-part-of-risk curve falling with them, risks, and the marked points “Optimum?” and “New optimum?”

Source: Māris Gabaliņš, The Art Of The Systems
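The figure on this slide only draws the two curves. The worked example below is added here and is not from the DSS deck or from Māris Gabaliņš: it computes the same picture numerically using the standard quantitative-risk formulas ALE = SLE × ARO and ROSI = (ALE_before − ALE_after − cost) / cost, which the slide does not state and which are assumed here. Every figure in the scenario (the controls, their costs, the single loss expectancy and the annual rate of occurrence) is constructed for illustration. The total cost is the security cost plus the residual ALE; its minimum is the slide's "Optimum?", and raising the baseline threat rate shows how the "New optimum?" moves.

```python
"""Cost/risk optimum behind the slide's curves (added example, constructed data).

Assumed formulas (standard, not stated on the slide):
  ALE  = SLE * ARO                              annualised loss expectancy
  ROSI = (ALE_before - ALE_after - cost) / cost  return on security investment
Total cost = security cost + residual ALE; its minimum is the "Optimum?".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # EUR per year, constructed
    aro_reduction: float    # share of the remaining ARO this control removes


# Constructed scenario: one asset class; all figures are assumptions.
SLE = 200_000.0             # single loss expectancy, EUR per incident
ARO_BASELINE = 0.9          # incidents per year with no controls in place

CONTROLS = [                # cheapest first; the curve applies them cumulatively
    Control("patch management", 8_000.0, 0.40),
    Control("phishing-resistant MFA", 12_000.0, 0.40),
    Control("EDR + 24x7 monitoring", 45_000.0, 0.35),
    Control("dedicated SOC team", 150_000.0, 0.30),
]


def ale(sle: float, aro: float) -> float:
    """Annualised loss expectancy."""
    return sle * aro


def residual_aro(controls, baseline: float = ARO_BASELINE) -> float:
    """ARO left after the given controls; reductions are assumed independent."""
    aro = baseline
    for c in controls:
        aro *= 1.0 - c.aro_reduction
    return aro


def cost_curve(controls=CONTROLS, sle: float = SLE, baseline: float = ARO_BASELINE):
    """Points of the slide's figure, one per cumulative control:
    (controls applied, security cost, residual ALE, total cost)."""
    points = [(0, 0.0, ale(sle, baseline), ale(sle, baseline))]
    sec_cost = 0.0
    for i in range(1, len(controls) + 1):
        sec_cost += controls[i - 1].annual_cost
        residual = ale(sle, residual_aro(controls[:i], baseline))
        points.append((i, sec_cost, residual, sec_cost + residual))
    return points


def optimum(controls=CONTROLS, sle: float = SLE, baseline: float = ARO_BASELINE):
    """The 'Optimum?' on the slide: the curve point with the lowest total cost."""
    return min(cost_curve(controls, sle, baseline), key=lambda p: p[3])


def rosi(controls, sle: float = SLE, baseline: float = ARO_BASELINE) -> float:
    """Return on security investment for a set of controls taken together."""
    cost = sum(c.annual_cost for c in controls)
    if cost == 0:
        raise ValueError("ROSI is undefined for an empty control set")
    before = ale(sle, baseline)
    after = ale(sle, residual_aro(controls, baseline))
    return (before - after - cost) / cost


if __name__ == "__main__":
    # Today's threat picture versus a worse one: the optimum shifts right.
    for threat_level in (ARO_BASELINE, 2.0):
        print(f"baseline ARO {threat_level}:")
        for n, sec, res, total in cost_curve(baseline=threat_level):
            print(f"  {n} controls  security {sec:>9,.0f}  residual {res:>9,.0f}  total {total:>9,.0f}")
        n = optimum(baseline=threat_level)[0]
        print(f"  optimum: {n} controls, ROSI {rosi(CONTROLS[:n], baseline=threat_level):.2f}")
```

With the constructed numbers the total cost bottoms out after two controls (about 84,800 EUR per year against 180,000 EUR of uncontrolled ALE); adding the remaining two controls pushes total cost above the do-nothing case and makes the ROSI of the full set negative. Doubling the baseline ARO to 2.0 moves the optimum to three controls, which is the "New optimum?" the slide asks about. The model applies controls in the order listed and treats their reductions as independent; both are simplifications that a real risk register would replace with per-control, per-threat estimates.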

Page 54

Take-Away as conclusion

Security Maturity: Develop a Risk-aware Security Strategy

49% of C-level executives have no measure of the effectiveness of their security efforts

31% of IT professionals have no risk strategy

Sources: 2012 Forrester Research Study; 2013 Global Reputational Risk & IT Study, IBM

Page 55

Costs for business from cybercrime

Page 56

Return on Investment

Page 57

“DSS” is here for You! Just ask for…

Si vis pacem, para bellum. (Lat.: “If you want peace, prepare for war.”)

Page 58

Think security first

www.dss.lv

[email protected]

+371 29162784

Page 59

Think security first