Dan Lohrmann, Chief Technology Officer
Department of Technology, Management & Budget (DTMB)
Smart Grid Symposium
May 20, 2011

What’s Hot and What’s Not in the World of Cyber Security and Cyber Crime
Focus today: Security Trends 2011
• Snapshot of Michigan’s IT environment
• Did you know?
• Top 5 Cyber Challenges for 2011
• Final Thoughts
But first a snapshot of Michigan…
2001: Michigan becomes first state to fully consolidate IT
• 357 online services
• 70 email systems to 2
• 37 data centers to 3
• 64 percent reduction in contractors
• Security controls implemented
– 10,928,702 Web browser based attacks blocked (2010)
Michigan earns “A” in 2010 Digital States Survey
[Chart: Web Renewals for Vehicles and Watercraft, 2001 to 2010]
Michigan’s Current IT Landscape
• 17 agencies
• 47,000 state employees
• IT support provided for:
– Over 800 critical business applications
– Over 56,000 desktops
The services we touch
All of them! Whenever a citizen:
• Files an income tax return
• Pays or receives child support
• Wins the Lottery
• Compares schools
• Starts a business
• Applies for a drivers license…
or gets pulled over by a state trooper
But like you, Michigan is not without struggles when it comes to Cyber Security…
The Global State of Cyber Security
Breach Statistics
• 510,714,985 records with personal information have been involved in reported security breaches since 2005
- Privacy Rights Clearinghouse
• 246,453,606 financial industry records have been breached since 2005
- Privacy Rights Clearinghouse
• Average total cost of a breach is estimated at $6.75M/breach
- Privacy Rights Clearinghouse
Did you know?
• Cyber criminals are running black market on-line networks that broker stolen confidential information
- Source: Panda Security
• This brokering is a rapidly
Did you know?
• You can purchase
– Credit card details for $2-$90 per card or actual cards for $180
– Bank credentials from $80 to $700 with guaranteed balances
– Money laundering services for 10% to 40% of the total
• You can pay a project team to set up your own fake on-line store complete with rogueware
- Source: Panda Security
Did you know?
• 30% increase in enterprise malware attacks
• 92% of attacks come from the Web
• Malware on legitimate Web sites: in 2010, 79% of sites hosting or redirecting visitors to malicious content were legitimate sites.
Cyber crime is all about money
• Globally businesses lose $1 trillion to cyber crime every year
– Source: McAfee
BUT IT IS ALSO
• Low risk
• Easy (technically)
The Environment is Changing
Source: Rob Walters, Sr.
How about Michigan?
Average Cyber Attacks Blocked Per Day!
• 29,942 Web browser based attacks
• 24,671 HTTP-based attacks
• 14,072 scans
• 88,774 intrusion prevention
Securing government is more than a defensive strategy. Start internally with
What’s hot now…
You can expect to see the following:
Challenge #1: Malware Explosion
• Significant growth in new malware strains
• 2010 saw 20 million
Face the facts:
• The bad guys are getting better
• The cyber world is an excellent target for crime
• The malware development cycle has become an organized process
Challenge #2: Social Media requires protection
• Cyber-criminals have found social media sites are perfect to infect unwary users because users are more trusting of the tools than say
• Increased collaboration and openness will increase organizational vulnerability to data
Should government take on Facebook?
Mark Zuckerberg, Facebook’s founder and chief executive, has promised to improve the site’s complex privacy controls, which have frustrated many users.
Challenge #3: SmartPhones and Mobile Apps need security
• Mobile subscribers are growing rapidly - 5.8 billion mobile subscribers worldwide by 2013
• Push by employees to use personal rather than company provided cell phones
• Many operating systems
• Little or no security
An electron spinning technique could pave the way for a new generation of wireless device signals difficult for enemies to intercept, according to researchers at the National Institute of Standards and Technology.
Mobile Apps
• iPads
• iPhones
• Droids
Challenge #4: Securing the Cloud
• Securing the cloud becomes critical as business moves its core processes to the cloud
• Hackers will exploit the cloud as they look for low hanging fruit that can lead them to monetary gain
Malware will invade the cloud in 2011
A new strain of malware was recently detected in a cloud-based service, and its presence may herald a new and potentially dangerous security threat for Internet users in 2011.
The good, the bad and the ugly
The good is dazzlingly good
• Lower costs
• On-demand access and self-service
• Rapid provisioning / de-provisioning
• Minimal manual effort
• Ubiquitous network access
• Measured service
And then there’s the bad…
• Loss of control
• Trust
• Security
• Privacy
• Availability
• Resiliency
• Where’s my data?
But the ugly is really ugly
• Below cost threshold for procurement scrutiny
• Explosive growth/migration of service consumption
• Fewer eyes on service use
• Explosive bandwidth consumption
• Paradigm shift for IT rates
• Rogue cloud sourcing
Time for a reality check: How ugly is it in your shop?
One extreme is blind trust
• Adopt a commodity cloud function as-is (cloud sets the rules)
• BUT: Provider accountability is low while risks are high
…Opposite extreme is all about control
• Dictate the standards, terms & conditions, etc.
Challenge #5: Crimeware Kits
• Crimeware kits are all-encompassing software packages that were designed for nontechnical cybercriminals
• They open the door for a new era of hackers
• Some of the more well known crimeware kits are: Zeus/SpyEye, iPack, and Avalanche
• These programs range in price
Final Thought…
As cyber crime evolves, the approach to security must evolve with it. We must be open to new ways of thinking that include enabling, providing options and forming partnerships without risking security programs.
Questions
Dan Lohrmann