Information Security and Data Breach Trends 2014-2015
•Als PPTX, PDF herunterladen•
2 gefällt mir•550 views
This document discusses trends in information security from January 2015. It notes that a Cisco audit found evidence of intrusion at all enterprises. Medical information is valued much higher by cybercriminals than payment card or personal information. The average data breach takes over 220 days to discover. Major breaches in 2014 impacted retailers like Target and Home Depot, as well as financial institutions and healthcare providers. The rapid rise of internet-connected devices and the Internet of Things introduces new vulnerabilities and threats. Information security teams must focus on detection and incident response as breaches are assumed to be inevitable.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (16)
Ähnlich wie Information Security and Data Breach Trends 2014-2015
Ähnlich wie Information Security and Data Breach Trends 2014-2015 (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Information Security and Data Breach Trends 2014-2015
- 1. 1© Copyright 2014 EMC Corporation. All rights reserved.© Copyright 2014 EMC Corporation. All rights reserved. Information Security Trends Jan 2015 Brian Levine Director of Cloud Security EMC2 Syncplicity
- 2. 2© Copyright 2014 EMC Corporation. All rights reserved.© Copyright 2014 EMC Corporation. All rights reserved. Cisco audit reveals that 100% of enterprises have evidence of intrusion
- 3. 3© Copyright 2014 EMC Corporation. All rights reserved.© Copyright 2014 EMC Corporation. All rights reserved. Medical Identity is 10x - 50x more valuable to cybercriminals than payment card info Attacks against hospitals are up 600 percent in 2014
- 4. 4© Copyright 2014 EMC Corporation. All rights reserved.© Copyright 2014 EMC Corporation. All rights reserved. The average data breach takes over 220 days to be discovered. 20% of organizations take over 2 years to discover a breach.
- 5. 5© Copyright 2014 EMC Corporation. All rights reserved.© Copyright 2014 EMC Corporation. All rights reserved. Data breaches reach unprecedented levels. Retail, Financial, and Medical targets are primary focus. 2014 # Disclosed Breaches: Retail 2014 = 34, Finance and Insurance = 13, Medical Providers = 11 Target - 40 million cards and 70 million individuals compromised. CEO and CIO resign. 46% drop in profit. $100 million to upgrade. Class action lawsuits. Criminals accessed network using third-party credentials. Home Depot – 56 million cards and 53 million customer email addresses. $43 million cost in Q3. Over 40 pending lawsuits. Exploit lasted at least 6 months before 3rd party discovery. Criminals accessed network using third-party credentials. J.P. Morgan Chase – 76 million individuals and 8 million small businesses exposed. JP Morgan will be spending around $500 million on cyber security by 2020. Security misconfiguration (lack of 2FA). Community Health Systems – 4.5 million patients impacted. Second largest for‒profit hospital system. Estimated cost as much as $150 million. Heartbleed vulnerability in test server.
- 6. 6© Copyright 2014 EMC Corporation. All rights reserved.© Copyright 2014 EMC Corporation. All rights reserved. Sony Pictures Entertainment Leaked email boxes, employee sensitive info, company confidential documents Direct costs estimated $100+ million Additional losses in trade secrets, contracts, marketing plans, employee resignations, law suits, leaked scripts, unreleased films Attack does not appear financially motivated. Attack was enabled by stolen sys admin credentials, potentially a former employee.
- 7. 7© Copyright 2014 EMC Corporation. All rights reserved.© Copyright 2014 EMC Corporation. All rights reserved. Anthem Breach • 78.8 million healthcare records. • The source of the breach is believed to be a phishing attack, which granted attackers the credentials needed to access systems. Gemalto NSA GCHQ Breach • NSA and British Intelligence attack Danish engineers’ private social media and email accounts • Heist billions of SIM encryption keys used in mobile phones
- 8. 8© Copyright 2014 EMC Corporation. All rights reserved.© Copyright 2014 EMC Corporation. All rights reserved. The Internet of EveryThing (IoT) • Today there are roughly 10 billion connected devices (exceeds earth’s population) • By 2020 expected 50 billion devices • Many devices embed open source software with known security flaws • Content and context aware security and behavioral detection is critical to defend agains IoT vulnerabilities and attacks
- 9. 9© Copyright 2014 EMC Corporation. All rights reserved.© Copyright 2014 EMC Corporation. All rights reserved. • Today’s CISO assumes they have already been breached or will be breached • Greater focus on Detection and Incident Response
- 10. 10© Copyright 2014 EMC Corporation. All rights reserved.© Copyright 2014 EMC Corporation. All rights reserved. Trends / Summary • Cisco audit reveals that 100% of enterprises have evidence of intrusion. • Medical Identity is 10x more valuable to cybercriminals than PCI or PII • The average data breach takes over 220 days to be discovered • Breaches of Retail and Financial have occurred at an unprecedented rate in 2013-2014 (Target, Home Depot, JP Morgan, Community Health Systems, Sony) • Sony – Nation-state / hacktivist attack on content and intellectual property • Internet ofThings – Contextual awareness, pervasiveness of access, new threats • Security Budgets as % of IT flat or decreasing in many verticals • Today’s CISO assumes they have already been breached or will be breached • Companies andCISOs will place greater focus and investment on Incident Detection and Response
Hinweis der Redaktion
- Target Profit Falls 46% On Credit Card Breach In totaling the expenses it’s incurred so far due to the data breach, Target said that it saw a $17 million expense in the fourth quarter of 2013, a figure that reflects $61 million in total expenses offset by a $44 million insurance receivable. Among the charges contributing to this total are costs related to investigating the data breach, offering credit-monitoring and identity-theft protection services to customers, increased staffing in call centers, and legal expenses, the retailer said. Over 40 million credit cards were exposed in the cyber attack along with up to 110 million customer email addresses and phone numbers, affecting shoppers who frequented the store between November 27 and December 15, 2013. https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ http://www.csoonline.com/article/2601021/security0/11-steps-attackers-took-to-crack-target.html "Since Target was PCI compliant, the databases did not store any credit card specific data, so they had to switch to plan B and steal the credit cards directly from the Point of Sales themselves," Be'ery says. "The initial penetration point is not the story, because eventually you have to assume you're going to get breached," Be'ery says. "You cannot assume otherwise. You have to be prepared and have an incident response plan for what to do when you are breached. The real problem arises when malware is able to enable an attacker to penetrate deeper into the network.” "If you have the right visibility, that activity really stands out," he adds. What did we learn from Target Breach: 3rd party vendor access to systems is a weak link and a potential point of entry. Network should be properly segmented to prevent 3rd party entry traversing to sensitive high-risk systems. Compliance doesn’t equal security. Target was PCI compliant. Had spent $100 millions on data security. Had invested in tools (FireEye) Monitoring, Logging, Alerting meaningless if no action/response is taken on alerts - All told, up to five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale, and which were seen by Target's information security teams first in Bangalore, and then Minneapolis. Unfortunately, however, the security team appears to have made the wrong call. "Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up," she said. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different.” General User Awareness and Training are critical - Malware sent via a phishing email enable attackers to compromise the 3rd party contractors system. Most attacks on Retail 2014 = 34, Finance and Insurance = 13, Medical Providers = 11 https://www.privacyrights.org/data-breach/new http://healthitsecurity.com/2014/12/15/top-10-healthcare-data-breaches-for-2014/ http://krebsonsecurity.com/2014/11/home-depot-hackers-stole-53m-email-addreses/#more-28634 Home Depot and Target attacks both started by compromising a 3rd party suppliers credentials (username, password) to access the network. The massive Home Depot data breach disclosed earlier this fall involved the theft of 56 million credit and debit card numbers, and now the company has revealed that the incident so far has cost it $43 million. The costs are the result of both the investigation into the data breach as well as the recovery from it, including hiring security experts to find the details of the attack, bringing in more call center workers to handle consumer questions and paying for credit monitoring, among other things. In a financial filing on Tuesday, Home Depot said that as much as $15 million of those charges could be recoverable through insurance coverage. See more at: http://threatpost.com/home-depot-breach-cost-company-43-million-in-third-quarter/109629#sthash.lty8f2GK.dpuf http://www.bizjournals.com/atlanta/news/2014/11/25/home-depot-data-breach-lawsuits-rise-to-44.html?page=all Other retailers impacted included Home Depot, which reported the theft of 55 million credit and debit cards at its stores in the U.S. and Canada, and Michaels Stores, which said 2.6 million credit cards were exposed. High-profile franchises also were targeted, including 400 Dairy Queen ice cream franchise locations in 46 states and P.F. Chang's China Bistro, which announced a breach impacting 211 of its restaurants. The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation. August 28, 2014 J.P Morgan Chase New York, New York BSF HACK 76,000,00 So far, JP Morgan reports that only limited personal information, such as names, phone numbers, and addresses, were stolen, insisting that social security numbers, banking information, and other data remain safe. "There’s no real reason to think that Bank of America will have better systems than JP Morgan," said Edwards. JP Morgan, according to Edwards, was seen as being one of the best at security. If they can get hacked, so can just about anyone. Neglected Server Provided Entry for JPMorgan Hackers - Most big banks use a double authentication scheme, known as two-factor authentication, which requires a second one-time password to gain access to a protected system. But JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme, the people briefed on the matter said. That left the bank vulnerable to intrusion. August 18, 2014 Community Health Systems Franklin, Tennessee MED HACK 4.5 million Community Health Systems out of Franklin Tennessee has announced a large data breach of their medical system. The breach occured when hackers infiltrated the server of the health system compromising Social Security numbers, names and addresses for 4.5 million patients. Authorities believe that the hackers were based out of China and the attacks happened from April 2014 through June 2014. The home improvement retailer’s stock is up more than 14 percent this year and more than 2 percent since it confirmed a six-month breach of its payment system that affected some 53 million credit and debit cards. Home Depot says it expects its sales growth this year to be unaffected by the massive cyber intrusion. And after JPMorgan said last Thursday that cybercriminals had obtained customer names, addresses, phone numbers and e-mail addresses for 76 million households, the company’s stock price has hardly budged. http://www.wsj.com/video/jp-morgan-ceo-cybersecurity-spending-to-double/4591225B-B78C-4F0E-B4D1-65BE2D277D63.html CHS data breach included name, SSN, address, and phone # Information is now coming out about the source of the attack CHS — and it appears to be a Chinese hacker group.
- Hackers found a file with Sony usernames and passwords called “Usernames&Passwords.” As Kashmir Hill reported, there were only 11 people on the Sony information security team at the time of the hack: “The real problem lies in the fact that there was no real investment in or real understanding of what information security is,” said the former employee. One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected.
- In February, Anthem disclosed the breach. To date, the incident is said to have impacted 78.8 million people based on the company's public disclosures. The source of the breach is believed to be a Phishing attack, which granted those responsible for the incident the credentials needed to access various systems from at least five employees.
- Cisco. The new model of security http://www.rsaconference.com/events/us14/agenda/sessions/1340/the-new-model-of-security connected devices everywhere. IOT. connected devices. healthcare. mfg. automobiles. personalization of IT. IOT. connected devices. connected vehicle. new threat attack vectors. medical devices, manufacturing facilities, etc. assume every device is untrusted. ASSUME COMPROMISE.
- IOT – 10 billion connected devices By 2020 – 50 billion connected devices Assume Compromise