Welcome!

Are you tweeting?!

@Advisen

#CyberRisk

Front Page

News Cyber!

Mondays & Thursdays

To subscribe please visit:

corner.advisen.com

Advisen for Cyber Risk

• Over 11,500 detailed data breach and privacy events – Loss Insight

• Over 370 policy wordings – Policy Insight

• Insurance buyer behavior & competitor analysis – Market Insight

Tom Srail of Willis

2014 Cyber Risk Awards Emcee

Save the Date for the

World’s Largest Cyber Risk

Conference!

Advisen’s Cyber Risk Insights Conference

The Grand Hyatt

New York, NY

Tues October 28 2014

Would you like to speak or

sponsor next year’s

program in February 2015?

See Advisen’s Jeff Cohen

Opening Remarks

David Bradford

President, Research & Editorial Division

Advisen

For more information about subscriptions

contact Jim Delaney at jdelaney@advisen.com

Sponsored by

Keynote Address

Joseph Patanella

CEO

Trusted Knight Corporation

The Internet and Cyber Security Where have we been

and Where do we go from here?

ANY BANK – ANY TIME

“YOU KNOW, YOU CAN DO THIS ONLINE NOW. IT’S VERY SIMPLE AND THE RISK OF GETTING CAUGHT IS EXTREMELY LOW.”

© Trusted Knight Corporation The Problem with the Internet

It’s extraordinary! We love it! At this point, we can’t live without it! Our modern business world demands the use of portable devices – mobile phones, laptops, iPads and other tablets, USB drives, jump drives, media cards, all of which facilitate the loss of sensitive information.

Unfortunately…It’s increasingly SCARY!

Rise of Cyber attacks! Sophisticated malware and its use of key-logging, form-grabbing, and man-in-the-browser (MITB) attacks has completely undermined traditional security mechanisms (passwords, two-factor authentication, SSL, etc.) to allow criminals to exploit online banking, retailers and Intellectual Property.

Demise of Anti-Virus Methodologies & PC Security Crimeware continuously alters signatures to evade the detection capabilities of anti-virus products. Further, the 2011 public release of malware source code (ZeuS and SpyEye) fueled an epidemic of customized attacks targeting retail PoS terminals and online money transfers. Crimeware advancements are making it increasingly difficult to detect or remove.

Most Identity Theft stems from online security breaches

INJECT-BASED

Buffer-based method to obtain consumer-entered

data from memory.

HOOK-BASED

Logging keystrokes – highly inefficient.

FORM-BASED

Form-grabbing method to obtain consumer-entered

data from forms.

UPDATEABLE

Real-time updates to improve capabilities.

UNDETECTABLE

Morphs signature via varying binary .exe or

encryption.

HARDCODED

Simple static functionality.

MODULAR

“Plug-and-play” modules to support payloads with

diverse functionality.

1990 1995 2000 2010 2005

Crimeware introduced

Today

Source Code

Release

DNS-

BASED

Using DNS to change

controllers.

DISTRIBUTED

Distribute control via fastflux DNS for

survivability.

CONTROL

PANELS

Automated control of large-scale botnets

(100K+ bots).

CENTRALIZED

IRC controls bots in star topology. REDUNDANT

Multiple rotating controllers.

SOCIAL-

MEDIA &

PEER-TO-

PEER C&C. New Methods.

© Trusted Knight Corporation The Evolution of Cyber crime

DIVERSIFIED

Buffer-based method targeting expands to include other sources

2013

RESILIENT

Nation state techniques

incorporated

Al Gore invents the Internet

© Trusted Knight Corporation Who is at Risk?

Anyone entering data via browsers. In a word…EVERYONE.

…online banking customers…Senators…PC users…APT targets…gamers…

corporate enterprises…financial institutions…online purchasers…

…authentication providers...anti-virus companies…

judges…payment card users...small businesses…

web surfers…Federal agency employees…

developers of IP…lawyers…privacy advocates…insurance companies…CEOs…CFOs…

© Trusted Knight Corporation Common and Frequent Attacks

16

A study of all data breaches in 2013 found that the health-care center suffered the highest share of attacks last year, with 267 breaches (47%) of all attacks.

“DoD test report warns of major cybersecurity vulnerabilities” – Morning Defense

“Cyber Security Market Technology & Solutions Worth $120.1 Billion by 2017” – New Report by MarketsandMarkets

“Obama administration calls for tougher cyber security law” – Morning Defense

Small businesses experienced a 300% increase in cyberespionage attacks from 2011 to 2012 – Symantec Internet Security report, April 2013

Medical identity theft claimed more than 1.8 million U.S. victims before the end of 2013 – 2013 Survey on medical Identity Theft, Ponemon Institute, September 2013

Snowden Used Basic Web Scraping Tools In NSA Breach. Use of basic web crawlers leads to concern over the quality of the intelligence agency’s security

INTERNET

Online Banking Server

Banking Customer

Intruder

Customer’s Browser

1. Transfer $500 payment

2. Transfer $50,000 to Intruder

3. Approved $50,000 for Intruder

4. Approved $500 payment

© Trusted Knight Corporation Man-In-The-Browser (MITB or web-injects)

The sophistication level has gone up dramatically!

It’s not paranoia if they’re really after you!

‘09 ‘03 Today

Cri

mew

are

Var

ian

ts

MIL

LIO

NS

KEY YEARS

Undetectable

New Variants

Only catalogued crimeware variants are detectable – zero-day variants are undetectable. With crimeware toolkits producing ever increasing numbers of variants, the probability that a variant is catalogued is less and less likely. Trusted Knight’s Protector product defeats even zero-day crimeware variants.

Source Code Release

Source: http://www.pcworld.com/article/186037/25_million_strains_of_malware_identified_in_2009.html

10

0

Catalogued

Variants

16.6 Million new “banking Trojans” in 2009

20

30

40

50+

“More than 25 million new strains of malware were created last year, says PandaLabs. According to the security vendor's Annual Malware Report, the number of new versions of malware identified has topped the 15 million identified throughout the company's 20-year history. PandaLabs said that 66 percent of the new malware identified were banking Trojans...”

© Trusted Knight Corporation The Fallacy of Detection

‘05 ‘11

© Trusted Knight Corporation The Escalating Cyber Crime Threat

Criminal advancements outpace cyber-security defenses:

Anti-Detection (stealth) – Prevents signature (antivirus) and behavioral (intrusion) detection by varying crimeware characteristics (registry locations, file names, CLSIDs, protocols).

Form-Grabbing – Refines harvesting of online bank account IDs and passwords on PCs to avoid pitfalls of hook-based key-logging (backspaces & deletions) .

Web-Injects (man-in-the-browser) – Defeats FFIEC mandated two-factor authentication by allowing criminals to take over authenticated connections from within PCs or other infected devices.

Expanded Browser/OS Support – Expands attacks beyond IE/Windows initially to Firefox and then to other browsers (Chrome, Opera, and Safari) and OS (Apple OS X).

Source Code Release – Public release of ZeuS and SpyEye source code enables larger base of developers to exploit the sophisticated mechanisms employed to subvert PCs.

Anti-malware Disabling/Circumventing – Anti-malware product availability spurs criminal developers to automate disabling / circumventing of those products w/o stealth capability.

Mobile Device Support (man-in-the-mobile) – Expands attacks to mobile devices when banks turn to out-of-band authentication to validate customer transactions.

Anti-Removal (persistence) – Permits malware to re-emerge on PCs after its supposed removal – once compromised, always compromised.

Increasing Browser / OS / Device Support, Attack Capabilities & Availability

© Trusted Knight Corporation Conclusions

Just joking…?

Track Criminal Techniques Track the technical evolution of attacks – past and present – and identify vulnerabilities that have not yet been exploited.

Advanced Response Proactive Defense – it’s not good enough to detect malicious activity after the fact; new technology is being used to “break” the criminals’ code.

Layered Technical Solutions Ensure solutions are resilient against exploitation while defending against automated disabling and circumvention. Big data, network activity correlation, security awareness all play important roles.

Business Solutions Risk Intelligence, Cyber Insurance – IT solutions are not enough, Insurance purchasers need to bring IT staff into the discussion

UNPLUG!!

The Cyber Liability

Insurance Market Jim Blinn

EVP, Information & Analytics Division

Advisen

members only Slides are available for

Risk Intelligent

Enterprise: Cyber Risk

Culture

Risk Intelligent Enterprise:

Cyber Risk Culture

Mary Beth Borgwing

Global Executive Director of Cyber Risk and CRO Practices

Advisen

Moderator

• Mary Beth Borgwing, Global Executive Director of Cyber

Risk and CRO Practices, Advisen

• Brad Briegleb, Senior Director of Claims and Litigation

Strategy, Stanford University Medical Network Risk Authority,

LLC

• Russell Cohen, Partner, Orrick, Herrington & Sutcliffe LLP

• Evelyn de Souza, Cloud Compliance and Data Privacy

Strategy Leader, Cisco

Risk Intelligent Enterprise:

Cyber Risk Culture

Issues in Selling

Cyber Insurance

Issues in Selling Cyber

Insurance

Marc Voses

Partner

Nelson Levine de Luca & Hamilton LLC

Moderator

Issues in Selling Cyber

Insurance

• Marc Voses, Partner, Nelson Levine de Luca & Hamilton

LLC

• Garrett Koehn, President, Northwestern US, CRC/Crump

• Michael Palotay, Senior Vice President, NAS Insurance

• Karl Pedersen, Senior Vice President, FINEX Cyber and

E&O Team, Willis

• Susan Young, Vice President, Marsh

Mock Data Breach

Table Top

Mock Data Breach Table Top

Paul Nikhinson

Privacy Breach Response Services Manager

Beazley

Moderator

Mock Data Breach Table Top

• Paul Nikhinson, Privacy Breach Response Services

Manager, Beazley

• Michael Bruemmer, VP, Data Breach Resolution,

Experian

• Winston Krone, Managing Director, Kivu Consulting, Inc.

• John Mullen, Partner, Lewis Brisbois Bisgaard & Smith,

LLP

Afternoon Keynote

George Gerchow

Director, VMware Center for Policy & Compliance

VMware

© 2014 VMware Inc. All rights reserved.

Data Protection in the Cloud Advisen San Francisco 2014

George Gerchow - VMware Cloud Management Solutions Evangelist Security & Compliance – CISSP, ITIL, CCNA, MCPS, SCP

Personal Experience with Data Protection

Agenda

• Cloud Market Place Update

• Where is the Trust?

• Top Ten Cloud Data Protection Trends & Consideration

• 3 ½ Takeaways

• Questions

Our world is changing fast

New Assets

New Threats

New Vulnerabilities

The NIST Definition of Cloud Computing - 800-

145 http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Days - Hours

2012

Months - Weeks

2008

Minutes - Seconds

Future

Virtual Server Server Virtual Data

Center

TRUST

Trusted IT Means

Identifying & Repelling Threats

Advanced Security

Ensuring Availability of

Applications, Systems & Data

Continuous Availability

Protecting Data

Integrated Backup & Recovery

2014 Cloud Landscape

The Cloud question is no longer “What is Cloud?” -

it’s HOW and I need it NOW!

Cloud-scale

Message Bus Message Broker

Cloud

Services Device

s

Application

s

The applications are different

now…

The tools are

maturing and

plentiful…

Public options

abound…

Storage

Resources Fabric Resources

Cabling & Racking

Thermal Design

Vblock®

Power Design Physical &

Logistical Design

Compute

Resources

Converged infrastructure is

becoming mainstream…

Service Provider options…

Compliance is MORE Complicated in the Cloud

Increases

the impact

of any

compromis

e

Increases

complexity:

additional layers

require additional

controls

Creates a new

attack surface

that must be

hardened

Impacts

roles and

responsibiliti

es

Challenges Cloud Brings and the Issue of Trust

Mixed Mode Levels of Trust

• VMs riding on the same Guest with different Trust Levels (PCI)

• Multi-tenancy protecting Intellectual Property (IP) with shared Resources

• Auditor, QSA Approval of Design

Evidence-Based Compliance

• How is my data being protected and segmented by level of security?

• What standards and frameworks do I adopt to minimize risk?

Separation of consumer and provider

• Evidence from provider around its infrastructure compliance

• How do I address data governance, privacy, etc?

• How do we account for change (Loss of Service)?

vSphere

!

PCI CDE

vSphere

PCI CDE

!

vSphere

PCI CDE

!

Capture Changes

Assess Report

Remediate

10. Focus Turning To Cloud Access Controls

9. Key Management Standard Rising in Importance

8. Key Management

7. Cloud Encryption Market is Growing

6. Confidence In Cloud Providers is Rising (FedRamp is changing the Game)

5. Selecting Compliance Content is Critical

Must match updated and CLEAR security policy for items like file

sharing, Social Media…

4.Implement a GRC as a Service Offering

3. Encryption, Authentication Trending In The Cloud

2. Data Migration Increases Risk

1.Figure out what your customers\organization is doing about cloud computing

Two Man Rule

3 ½ take aways

http://justwriteclick.com/2013/07/01/book-sprint-for-openstack-security-guide/

http://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=cloud.100

http://blogs.vmware.com/security/

http://www.gsa.gov/portal/category/105279

Final Thoughts

For more information about subscriptions

contact Jim Delaney at jdelaney@advisen.com

Sponsored by