TRANSCRIPT
Welcome!
Are you tweeting?!
@Advisen
#CyberRisk
Front Page News Cyber! – Mondays & Thursdays
To subscribe please visit: corner.advisen.com
Advisen for Cyber Risk
• Over 11,500 detailed data breach and privacy events – Loss Insight
• Over 370 policy wordings – Policy Insight
• Insurance buyer behavior & competitor analysis – Market Insight
Tom Srail of Willis
2014 Cyber Risk Awards Emcee
Save the Date for the World’s Largest Cyber Risk Conference!
Advisen’s Cyber Risk Insights Conference
The Grand Hyatt, New York, NY
Tues October 28 2014
Would you like to speak or sponsor next year’s program in February 2015? See Advisen’s Jeff Cohen
Opening Remarks
David Bradford
President, Research & Editorial Division
Advisen
Keynote Address
Joseph Patanella
CEO
Trusted Knight Corporation
The Internet and Cyber Security: Where have we been and where do we go from here?
ANY BANK – ANY TIME
“YOU KNOW, YOU CAN DO THIS ONLINE NOW. IT’S VERY SIMPLE AND THE RISK OF GETTING CAUGHT IS EXTREMELY LOW.”
© Trusted Knight Corporation
The Problem with the Internet
It’s extraordinary! We love it! At this point, we can’t live without it! Our modern business world demands the use of portable devices – mobile phones, laptops, iPads and other tablets, USB drives, jump drives, media cards, all of which facilitate the loss of sensitive information.
Unfortunately…It’s increasingly SCARY!
Rise of Cyber attacks! Sophisticated malware and its use of key-logging, form-grabbing, and man-in-the-browser (MITB) attacks have completely undermined traditional security mechanisms (passwords, two-factor authentication, SSL, etc.), allowing criminals to exploit online banking, retailers and Intellectual Property.
Demise of Anti-Virus Methodologies & PC Security: Crimeware continuously alters signatures to evade the detection capabilities of anti-virus products. Further, the 2011 public release of malware source code (ZeuS and SpyEye) fueled an epidemic of customized attacks targeting retail PoS terminals and online money transfers. Crimeware advancements are making it increasingly difficult to detect or remove.
Most Identity Theft stems from online security breaches
The Evolution of Cyber crime
[Timeline slide, 1990 to today, with markers for “Al Gore invents the Internet”, Crimeware introduced, Source Code Release, 2013 and Today. Capability labels from the slide:]
• HARDCODED – Simple static functionality.
• HOOK-BASED – Logging keystrokes – highly inefficient.
• FORM-BASED – Form-grabbing method to obtain consumer-entered data from forms.
• INJECT-BASED – Buffer-based method to obtain consumer-entered data from memory.
• DIVERSIFIED – Buffer-based method targeting expands to include other sources.
• UPDATEABLE – Real-time updates to improve capabilities.
• UNDETECTABLE – Morphs signature via varying binary .exe or encryption.
• MODULAR – “Plug-and-play” modules to support payloads with diverse functionality.
• RESILIENT – Nation state techniques incorporated.
• CENTRALIZED – IRC controls bots in star topology.
• REDUNDANT – Multiple rotating controllers.
• DNS-BASED – Using DNS to change controllers.
• DISTRIBUTED – Distribute control via fast-flux DNS for survivability.
• CONTROL PANELS – Automated control of large-scale botnets (100K+ bots).
• SOCIAL-MEDIA & PEER-TO-PEER C&C – New methods.
Who is at Risk?
Anyone entering data via browsers. In a word…EVERYONE.
…online banking customers…Senators…PC users…APT targets…gamers…
corporate enterprises…financial institutions…online purchasers…
…authentication providers...anti-virus companies…
judges…payment card users...small businesses…
web surfers…Federal agency employees…
developers of IP…lawyers…privacy advocates…insurance companies…CEOs…CFOs…
Common and Frequent Attacks
A study of all data breaches in 2013 found that the health-care sector suffered the highest share of attacks last year, with 267 breaches, 47% of all attacks.
“DoD test report warns of major cybersecurity vulnerabilities” – Morning Defense
“Cyber Security Market Technology & Solutions Worth $120.1 Billion by 2017” – New Report by MarketsandMarkets
“Obama administration calls for tougher cyber security law” – Morning Defense
Small businesses experienced a 300% increase in cyberespionage attacks from 2011 to 2012 – Symantec Internet Security report, April 2013
Medical identity theft claimed more than 1.8 million U.S. victims before the end of 2013 – 2013 Survey on medical Identity Theft, Ponemon Institute, September 2013
Snowden Used Basic Web Scraping Tools In NSA Breach. Use of basic web crawlers leads to concern over the quality of the intelligence agency’s security
Man-In-The-Browser (MITB or web-injects)
[Diagram: Banking Customer → Customer’s Browser → Internet → Online Banking Server, with the Intruder’s code sitting inside the customer’s browser.]
1. Transfer $500 payment
2. Transfer $50,000 to Intruder
3. Approved $50,000 for Intruder
4. Approved $500 payment
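The four steps above, as an added example that is not from the slides or from Trusted Knight’s product: a Python simulation of the rewritten transfer and of the out-of-band confirmation check that exposes it (the out-of-band validation the keynote mentions later). All account names, amounts and the key are assumptions.

```python
# Added example (not from the slides or Trusted Knight): a small simulation of the
# MITB transfer in the diagram above, plus the countermeasure of confirming the
# transaction out of band, over a channel the infected browser cannot rewrite.
# Account names, amounts and the HMAC key are constructed for illustration.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int

    def text(self) -> str:
        return f"${self.amount_cents / 100:,.2f} to {self.payee}"


def browser_submit(intended: Transfer, infected: bool) -> Transfer:
    """Step 2: a web-inject rewrites the outgoing request inside the browser,
    after the page has shown the customer the $500 payment (step 1)."""
    if infected:
        return Transfer(payee="INTRUDER-ACCOUNT", amount_cents=50_000_00)
    return intended


def browser_render(intended: Transfer, approved: Transfer, infected: bool) -> Transfer:
    """Step 4: the same inject rewrites the bank's reply (step 3) so the page
    still reads 'Approved $500 payment'."""
    return intended if infected else approved


def out_of_band_summary(received: Transfer, bank_key: bytes) -> str:
    """Countermeasure: the bank sends what *it* received (SMS, app push), with a
    code bound to payee and amount, so a code cannot be reused for other details."""
    tag = hmac.new(bank_key, received.text().encode(), hashlib.sha256).hexdigest()[:6]
    return f"Confirm {received.text()}? code {tag}"


def run_scenario(infected: bool) -> dict:
    intended = Transfer(payee="Plumber Co", amount_cents=500_00)
    received = browser_submit(intended, infected)         # what the server sees
    shown = browser_render(intended, received, infected)  # step 3 approves; step 4 renders
    summary = out_of_band_summary(received, b"constructed-demo-key")
    # The customer compares the out-of-band text with what they meant to send;
    # a mismatch here exposes the rewrite that the page itself hides.
    mismatch = intended.text() not in summary
    return {"server_saw": received, "customer_saw": shown, "mismatch_detected": mismatch}
```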
The sophistication level has gone up dramatically!
It’s not paranoia if they’re really after you!
The Fallacy of Detection
[Chart: Crimeware Variants (millions), 0 to 50+, across key years ’03, ’05, ’09, ’11 and today; series “Undetectable New Variants” against “Catalogued Variants”, with markers for Source Code Release and 16.6 Million new “banking Trojans” in 2009.]
Only catalogued crimeware variants are detectable – zero-day variants are undetectable. With crimeware toolkits producing ever-increasing numbers of variants, the probability that any given variant is catalogued keeps shrinking. Trusted Knight’s Protector product defeats even zero-day crimeware variants.
“More than 25 million new strains of malware were created last year, says PandaLabs. According to the security vendor's Annual Malware Report, the number of new versions of malware identified has topped the 15 million identified throughout the company's 20-year history. PandaLabs said that 66 percent of the new malware identified were banking Trojans...”
Source: http://www.pcworld.com/article/186037/25_million_strains_of_malware_identified_in_2009.html
The Escalating Cyber Crime Threat
Criminal advancements outpace cyber-security defenses:
• Anti-Detection (stealth) – Prevents signature (antivirus) and behavioral (intrusion) detection by varying crimeware characteristics (registry locations, file names, CLSIDs, protocols).
• Form-Grabbing – Refines harvesting of online bank account IDs and passwords on PCs to avoid pitfalls of hook-based key-logging (backspaces & deletions).
• Web-Injects (man-in-the-browser) – Defeats FFIEC mandated two-factor authentication by allowing criminals to take over authenticated connections from within PCs or other infected devices.
• Expanded Browser/OS Support – Expands attacks beyond IE/Windows initially to Firefox and then to other browsers (Chrome, Opera, and Safari) and OS (Apple OS X).
• Source Code Release – Public release of ZeuS and SpyEye source code enables a larger base of developers to exploit the sophisticated mechanisms employed to subvert PCs.
• Anti-malware Disabling/Circumventing – Anti-malware product availability spurs criminal developers to automate disabling / circumventing of those products w/o stealth capability.
• Mobile Device Support (man-in-the-mobile) – Expands attacks to mobile devices when banks turn to out-of-band authentication to validate customer transactions.
• Anti-Removal (persistence) – Permits malware to re-emerge on PCs after its supposed removal – once compromised, always compromised.
Increasing Browser / OS / Device Support, Attack Capabilities & Availability
Conclusions
Just joking…?
• Track Criminal Techniques – Track the technical evolution of attacks – past and present – and identify vulnerabilities that have not yet been exploited.
• Advanced Response – Proactive Defense: it’s not good enough to detect malicious activity after the fact; new technology is being used to “break” the criminals’ code.
• Layered Technical Solutions – Ensure solutions are resilient against exploitation while defending against automated disabling and circumvention. Big data, network activity correlation and security awareness all play important roles.
• Business Solutions – Risk Intelligence, Cyber Insurance: IT solutions are not enough; insurance purchasers need to bring IT staff into the discussion.
UNPLUG!!
The Cyber Liability Insurance Market
Jim Blinn
EVP, Information & Analytics Division
Advisen
Slides are available for members only
Risk Intelligent Enterprise: Cyber Risk Culture
Mary Beth Borgwing
Global Executive Director of Cyber Risk and CRO Practices
Advisen
Moderator
• Mary Beth Borgwing, Global Executive Director of Cyber Risk and CRO Practices, Advisen
• Brad Briegleb, Senior Director of Claims and Litigation Strategy, Stanford University Medical Network Risk Authority, LLC
• Russell Cohen, Partner, Orrick, Herrington & Sutcliffe LLP
• Evelyn de Souza, Cloud Compliance and Data Privacy Strategy Leader, Cisco
Issues in Selling Cyber Insurance
Marc Voses
Partner
Nelson Levine de Luca & Hamilton LLC
Moderator
Issues in Selling Cyber Insurance
• Marc Voses, Partner, Nelson Levine de Luca & Hamilton LLC
• Garrett Koehn, President, Northwestern US, CRC/Crump
• Michael Palotay, Senior Vice President, NAS Insurance
• Karl Pedersen, Senior Vice President, FINEX Cyber and E&O Team, Willis
• Susan Young, Vice President, Marsh
Mock Data Breach Table Top
Paul Nikhinson
Privacy Breach Response Services Manager
Beazley
Moderator
Mock Data Breach Table Top
• Paul Nikhinson, Privacy Breach Response Services Manager, Beazley
• Michael Bruemmer, VP, Data Breach Resolution, Experian
• Winston Krone, Managing Director, Kivu Consulting, Inc.
• John Mullen, Partner, Lewis Brisbois Bisgaard & Smith, LLP
Afternoon Keynote
George Gerchow
Director, VMware Center for Policy & Compliance
VMware
© 2014 VMware Inc. All rights reserved.
Data Protection in the Cloud Advisen San Francisco 2014
George Gerchow - VMware Cloud Management Solutions Evangelist Security & Compliance – CISSP, ITIL, CCNA, MCPS, SCP
Personal Experience with Data Protection
Agenda
• Cloud Market Place Update
• Where is the Trust?
• Top Ten Cloud Data Protection Trends & Consideration
• 3 ½ Takeaways
• Questions
Our world is changing fast
New Assets
New Threats
New Vulnerabilities
The NIST Definition of Cloud Computing - 800-145: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
[Timeline: provisioning time shrinks from Months - Weeks (2008, Server) to Days - Hours (2012, Virtual Server) to Minutes - Seconds (Future, Virtual Data Center).]
TRUST
Trusted IT Means:
• Identifying & Repelling Threats – Advanced Security
• Ensuring Availability of Applications, Systems & Data – Continuous Availability
• Protecting Data – Integrated Backup & Recovery
2014 Cloud Landscape
The Cloud question is no longer “What is Cloud?” - it’s HOW and I need it NOW!
[Figure: cloud-scale architecture – Cloud Services, Message Bus, Message Broker, Devices, Applications.] The applications are different now… The tools are maturing and plentiful… Public options abound…
[Figure: Vblock® converged infrastructure – Compute Resources, Storage Resources, Fabric Resources, Cabling & Racking, Thermal Design, Power Design, Physical & Logistical Design.] Converged infrastructure is becoming mainstream… Service Provider options…
Compliance is MORE Complicated in the Cloud
• Increases the impact of any compromise
• Increases complexity: additional layers require additional controls
• Creates a new attack surface that must be hardened
• Impacts roles and responsibilities
Challenges Cloud Brings and the Issue of Trust
Mixed Mode Levels of Trust
• VMs riding on the same Guest with different Trust Levels (PCI)
• Multi-tenancy protecting Intellectual Property (IP) with shared Resources
• Auditor, QSA Approval of Design
Evidence-Based Compliance
• How is my data being protected and segmented by level of security?
• What standards and frameworks do I adopt to minimize risk?
Separation of consumer and provider
• Evidence from provider around its infrastructure compliance
• How do I address data governance, privacy, etc?
• How do we account for change (Loss of Service)?
[Diagram: three vSphere environments each hosting a PCI CDE, flagged with alerts; cycle: Capture Changes → Assess → Report → Remediate.]
Top Ten Cloud Data Protection Trends & Considerations
10. Focus Turning To Cloud Access Controls
9. Key Management Standard Rising in Importance
8. Key Management
7. Cloud Encryption Market is Growing
6. Confidence In Cloud Providers is Rising (FedRamp is changing the Game)
5. Selecting Compliance Content is Critical – must match updated and CLEAR security policy for items like file sharing, Social Media…
4. Implement a GRC as a Service Offering
3. Encryption, Authentication Trending In The Cloud
2. Data Migration Increases Risk
1. Figure out what your customers/organization is doing about cloud computing
Two Man Rule
3 ½ Takeaways
http://justwriteclick.com/2013/07/01/book-sprint-for-openstack-security-guide/
http://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=cloud.100
http://blogs.vmware.com/security/
http://www.gsa.gov/portal/category/105279
Final Thoughts