© 2012 IBM Corporation
Cybercrime: the New Reality of Information Security
Christina Peters,
Senior Counsel,
Security and Privacy
IBM
Jack Danahy,
Director for Advanced Security,
IBM Security Systems
Thomas X. Grasso, Jr.
Supervisory Special Agent
Federal Bureau of Investigation
Cybersecurity Incidents: This is Not a Drill
540,000,000+: All Records Breached Since 2005 (est.) (privacyrights.org)
$6,750,000: Average Cost Per Incident as of 2009 (ponemon.org)
What are privacy professionals asking?
What’s behind cybercrime?
What do cybercriminals do?
How can you tell you’re a target? What can you do?
What are the implications for organizations and for society?
The Underground Economy and Identity Trafficking
Thomas X. Grasso, Jr.
Supervisory Special Agent
Federal Bureau of Investigation
Cyber Underground
A highly organized criminal network based primarily in Eastern Europe
Consists of specialized cells for specific functions
Utilizes web forums to meet, cut deals, and exchange stolen data
Cyber Criminal Activities
Conduct network intrusions against merchant processors
Write viruses, Trojans and other malware
Use spam and phishing to exploit banks, credit card users and online account holders
Escrow and auction fraud
Use of compromised credit cards and compromised
How They Work
Computer Hackers
Data Brokers
Distribution Activities
Counterfeit Document Producers
The world is becoming more digitized and interconnected
EVERYTHING IS EVERYWHERE: Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more.
CONSUMERIZATION OF IT: With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared.
DATA EXPLOSION: The age of Big Data – the explosion of digital information – has arrived and is facilitated by the pervasiveness of applications accessed from everywhere.
ATTACK: The speed and dexterity of attacks have increased, coupled with new actors with new motivations, from cyber crime to terrorism to state-sponsored intrusions.
Targeted Attacks Shake Businesses and Governments
Source: IBM Security X-Force® 2011 Midyear Trend and Risk Report, September 2011
[Chart: timeline of publicly reported breaches, February to August 2011, plotted by attack type (SQL injection, URL tampering, spear phishing, 3rd-party software, DDoS, Secure ID, unknown). Organizations shown: Sony, Epsilon, L3 Communications, Sony BMG Greece, US Senate, NATO, AZ Police, Turkish Government, SK Communications Korea, Monsanto, RSA, HB Gary, Nintendo, Brazil Gov., Lockheed Martin, Vanguard Defense, Booz Allen Hamilton, PBS, SOCA, Malaysian Gov. Site, Peru Special Police, Gmail Accounts, Spanish Nat. Police, Citigroup, Sega, Fox News X-Factor, Italy PM Site, IMF, Northrop Grumman, Bethesda Software. Size of circle estimates relative impact of breach.]
There is Escalation in Potential for Damaging Impact
The national cybersecurity agenda is rising in importance.
[Chart: adversary plotted against motive; damage / impact to life and property increases as both escalate.]
Motive, from lowest to highest impact: curiosity; revenge; espionage, political activism; monetary gain; national security.
Adversary, from least to most capable: script-kiddies or hackers using tools and web-based “how-to’s”; insiders, using inside information; organized crime, hackers and crackers with sophisticated tools, expertise and substantial resources; competitors, hacktivists; nation-state actors; targeted attacks (advanced persistent threat).
Cyber Security has Become a Board Room Discussion
Business results: Sony estimates potential $1B long-term impact – $171M / 100 customers*
Supply chain: Epsilon breach impacts 100 national brands
Legal exposure: TJX estimates $150M class action settlement in release of credit / debit card info
Impact of hacktivism: LulzSec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
Audit risk: Zurich Insurance PLC fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
Brand image: HSBC data breach discloses 24K private banking customers
Security Has Become a Complex Permutation
People: employees, consultants, hackers, terrorists, outsourcers, customers, suppliers
Data: structured, unstructured, at rest, in motion
Applications: systems applications, web applications, Web 2.0, mobile apps
Infrastructure
Security Must Evolve to an Intelligence View
[Chart: maturity axes run from reactive to proactive and from manual to automated.]
Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence.
Proficient: Security is layered into the IT fabric and business operations.
Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting.
Future Outlook
Cybercrime trends
Legislative and related activity
– White House Proposal and GOP response now available
– Various draft legislation in both houses
– IBM helping to launch ABA task force on legal issues related to cybersecurity
White House Cyber Security Agenda
Emerging Technologies and Cloud Computing
End Game: Reduce Data Breaches
DHS Consolidation and FISMA Reform
Congressional Attention
“We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control… But just as we failed in the past to invest in our physical infrastructure – our roads, our bridges and rails – we've failed to invest in the security of our digital infrastructure… This status quo is no longer acceptable – not when there's so much at stake. We can and we must do better.” – President Obama, May 29, 2009*
* Source: FACT SHEET: Cybersecurity Legislative Proposal
Current bills:
• Cybersecurity Act of 2012, introduced 2/14/2012 by Sens. Lieberman (I-CT), Collins (R-ME), Rockefeller (D-WV) and Feinstein (D-CA)
• Lungren
• Information Sharing:
  • Feinstein bill, also section 7 of Cybersecurity Act
  • Rogers
• Cyber security often “trumped” by other pressing priorities
• Ongoing debate about which agency has priority jurisdiction over cyber security
References
2010/2011 CSI Computer Crime and Security Survey,
http://gocsi.com/survey
IBM X-Force Threat Insight Quarterly Report,
http://www-935.ibm.com/services/us/iss/html/xforce-threat-insight.html
White House Cybersecurity Legislative Proposal,
http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal
Recommendations of the House Republican Cybersecurity Task Force,
http://thornberry.house.gov/UploadedFiles/CSTF_Final_Recommendations.pdf
Cybersecurity Act of 2012 (proposed),
http://www.hsgac.senate.gov/media/majority-media/lieberman-collins-rockefeller-feinstein_offer-bipartisan-comprehensive-bill-to-secure-fed-and-critical-private-sector-cyber-systems
Cyber Intelligence Sharing and Protection Act of 2011 (Rogers & Ruppersberger),
http://mikerogers.house.gov/News/DocumentSingle.aspx?DocumentID=270598
SEC CF Disclosure Guidance: Topic No. 2