In 2011, attitudes towards hacks shifted from "It happens" to "It is happening." A poorly coded website or web application is all that is needed to wreak havoc; the expensive firewall, pervasive anti-virus and multi-factor authentication make no difference. But what is possible? What types of attacks and attackers should we be mindful of? This presentation shows the real risks on a post-2011 Internet.
Web Breaches in 2011: "This is Becoming Hourly News and Totally Ridiculous"
"One intrusion set [hacker attack], not the most prolific, we see pulling data out globally that is 50 times greater than Wikileaks every day." (General Keith B. Alexander, USA, Commander, U.S. Cyber Command)
"French espionage is so widespread that the damages (it causes) the German economy are larger as a whole than those caused by China or Russia," an undated note from the US embassy in Berlin said, according to a Norwegian translation by Aftenposten.
"It [cyber-attack] could theoretically cause a loss of life, but also a huge economic loss." (Janet Napolitano, Department of Homeland Security Chief)
"This summer a significant attempt on the Foreign Office system was foiled. These are attacks on our national interest. They are unacceptable. And we will respond to them as robustly as we do any other national security threat." (David Cameron, UK Prime Minister)
"When warranted, we will respond to hostile acts in cyberspace as we would to any other threat to our country." (Department of Defense Cyberspace Policy Report, Nov. 2011)
"China is playing by different rules. One, they are stealing intellectual property. Number two, they're hacking into our computer systems, both government and corporate." (Mitt Romney)
"Rogers has actually spoken with executives from some of the American businesses hit by cyberattacks, and he says stolen intellectual property from just one hi-tech company cost them billions of dollars in research and revenue as well as thousands of U.S. jobs." (on Republican Rep. Mike Rogers of Michigan, Chairman of the House Intelligence Committee)
"When nations steal terabytes of information our nation suffers for 20, 30, 40 years." (Retired Lt. Gen. Steven Boutelle, former U.S. Army Chief Information Officer)
Builders: those who develop secure code. Breakers: those who locate vulnerabilities in written code. Defenders: those who fend off active website attacks. The biggest problem in application security today is the need for qualified people.

Builders. Gary McGraw (CTO, Cigital) says roughly 1% of all programmers should be software security pros, or "Builders" in our case. Gary, through a project called BSIMM, arrived at 1% by surveying dozens of software security programs among large companies and measuring what they do. Worldwide programmer population: 17 million. We'll need 170,000 "Builders".

Breakers. We'll use a ratio of 1 "Breaker" per 100 websites. This ratio comes from internal metrics at WhiteHat Security, generated from assessments conducted over the last 8 years and encompassing more than 5,000 websites. Out of 550 million total websites, the "important" (SSL) population that should be assessed continuously for vulnerabilities is 1.2 million. We'll need 12,000 "Breakers".

Defenders. No idea how to begin to estimate the Defender need, but it'll be in the tens of thousands at least, considering the vast number of website assets that must be protected, the 1 billion online users whom someone needs to ensure are playing nice, and the serious volume of Web traffic they generate that must be monitored.