Wednesday, December 28, 2016

Cybercrime: $400 Billion in 2015 to over $6 Trillion in 2021

…according to Herjavec’s Cybercrime Revelation Report, with black-hat hackers getting faster, more experienced and highly motivated by money, espionage and notoriety.
Another $1 Trillion will be spent on cybersecurity products and services over the same time frame – yet the cybersecurity workforce shortage persists and keeps growing. Interestingly, nearly 50% of cyberattacks are committed against small businesses, but the battle is in cyberspace, where all things connected are affected. Apparently, 90% of corporate executives report they are NOT ready for a major cyber-attack. Records are being broken yearly, with malware, identity theft, victim counts and zero-days increasing or doubling; the 5 most cyber-attacked industries are Healthcare, Manufacturing, Financial Services and Government, followed by Transportation. Oh, and there’s ransomware, which grew 300% in 2016…

While it’s a foregone conclusion that no one can stop hackers completely, digital growth (size, complexity, convenience/convergence, etc.) will ensure it remains a catch-up or reactive game. Stats show 12 people fall victim every second, which is 1 million victims in the world daily. Moreover, Herjavec puts it in football terms: the bad guys run a no-huddle, hurry-up offense while the good guys require a huddle before any action takes place…in situations where speed is of the essence. Of course, you don’t always see the other/bad guys; they don’t stand in front of you to attack but instead attack remotely and with no set playbook (or rules).

Breaches can sound like a broken record and, unfortunately, so can one of the biggest solutions to help combat them: security awareness, i.e. employee training for the weakest link.
But there is a list of 500 top/hot cybersecurity companies to watch.

Thursday, December 22, 2016

Medical Device Cybersecurity...accounting for 42% of reported/related data breaches

With an uptick in FDA scrutiny and emerging requirements & expectations, Manufacturing is taking a hit – according to the ITRC (Identity Theft Resource Center).

Maybe indirectly, but devices can harm patients: interconnected medical devices allow access to data as well as operations, if not tampering with device programming. Devices connect to hospital networks, patient devices and healthcare workers...so key factors must come into consideration:
- Pre-Design: requirements that address security plans, risks and critical cyber-documentation
- Design Process: connectivity characteristics should be analyzed and incorporated from the start, with appropriate mitigation decisions along the way. An early start can result in less expensive remediation or retrofitting efforts
- Prototyping: assessing and conducting penetration testing allows correction of errors or security loopholes in the application, system or its use, enabling vulnerability identification and remediation
- Post-Market Updates: maintenance after release is key to delivering security patches via a secure update method and a vulnerability management lifecycle that addresses threats and dedicates resources to them
- Responsible Disclosure Policy: the ability and social responsibility to allow reporting of vulnerabilities without legal reprisals, and clear internal policies/plans that address reporting, correcting and communicating important flaws or defects.


Sunday, December 11, 2016

SAP Cyber Report by Ponemon Institute

Key takeaways from "Uncovering the risk of SAP cyber breaches":

- Executives value importance to the bottom line but ignore cyber risks; 63% of executives underestimate the risks and 23% know what data resides in SAP systems
- Average cost of SAP systems being offline is $4.5B
- Responsibility for security is conflicted: 62% say it lies with SAP, not the company, so there is an ownership issue
- 25% say NO one is responsible for SAP security; only 19% say the SAP security team is accountable and 18% the Information Security team
- Consistently over 50% say it is difficult to secure SAP applications, have a high level of malware concern, and believe one or more malware infections are likely
- Less than 49% have the expertise to prevent, detect and respond to cyber attacks
- Visibility into the security of SAP applications is only at 34%
- 30% say remediation of an incident is unknown
- 75% say a breach would go undetected for at least a week; on the other hand, 53% say detection would be within 1 year
- Malware infection is rated Very Likely by 33% and Likely by 42%
- 47% expect increased sophistication of attacks in the next couple of years
- New technology increases risks: mobile, IoT
- Only 43% consider the cyber security risks when moving SAP applications to the cloud
- 73% say knowledge of recent threats will help identify security risks, and zero-day is a significant threat
- Segregation of duty improves SAP security
- Consistently over 80% say achieving security in SAP infrastructure requires zero-day detection, prioritizing threats and monitoring
- SAP app most susceptible to attack:
  64% content and collaboration
  56% data management
  50% CRM - customer relationship management
  48% technology platform
  37% ERP - enterprise management
  35% financial management
  33% supplier relationship management
  25% human capital management

And study stats: 607 final sample; 35% Technicians, 21% Managers, 17% Directors, 15% Supervisors; 18% Financial Services, 9% Manufacturing, 8% Public Sector, 8% Retail, 7% Healthcare

Wednesday, December 7, 2016

Continuing predictions of 2017 for cybersecurity

From KnowBe4:
1) ARTIFICIAL INTELLIGENCE.
Everyone and their brother will claim that they have machine learning and/or AI as an offering and/or built into their product/platform, yours truly included. It's going to be marketing buzzword hell, because at the moment AI is not nearly as smart as people would like it to be, so buyer beware.
However...
Machine Learning and AI *will* move forward with lightning speed. Some of them will pass the Turing test. You will be able to talk to supportbots and not know if it is a human or not. You will also see fully programmable digital avatars going into commercial use.
2) BLOCKCHAIN
Micropayments and Blockchain applications will go mainstream in 2017. Mobile payments will grow massively, and apps will use "micro-payments" built on digital protocols like the Blockchain. Perhaps Blockchain will allow us to vote from our own devices in the next election. We will see the first smart contracts built on Blockchain.
Ransomware-as-a-Service will become a major threat vector, with a new technical feature using Blockchain to deliver the decryption keys after ransom payment.
3) BOARD ROOM
During 2016, boards of directors have realized that InfoSec risk management is an enterprise risk equivalent to financial, reputational, and legal risk. In 2017, there will be a raft of boards demanding a corporate security culture starting from the C-level down.
4) CEO FRAUD aka BUSINESS EMAIL COMPROMISE
CEO fraud was the up and coming cyberfraud scheme right after ransomware these last 12 months. During 2017 it will be an epidemic, equaling the ransomware plague we are suffering now. Remember the Nigerian prince scams? These cyber gangs are really in Nigeria, but they have climbed up in the criminal food chain and CEO fraud is their focus now. Train your high-risk users within an inch of their lives.
5) ESPIONAGE
During 2017 it will become apparent that espionage will turn out to have gone massively mobile and nobody knew about it. Revelations about both Android and iPhone devices will show they have had 0-days for several years and the NSA was able to own any device they wanted at any time.
6) INTERNET OF THINGS
A major outage caused by a purely malicious Botnet of Things like Mirai will prompt the new U.S. Administration to enforce IoT device security standards and require certification from device vendors.
7) MOBILE MALWARE
Mobile malware will continue to grow at an exponential rate. During 2017 tens of millions of smartphones will be infected with auto-rooting malware. New strains can embed themselves in a phone's bootloader and remain persistent even after factory reset. Scary.
8) OPEN SOURCE
In 2017 we will see a very high-profile data breach based on an open source vulnerability that was disclosed in...wait for it... 2012. The average age of an open source vulnerability in commercial applications is more than five years, and almost everyone is using Open Source these days. Ouch.
9) RANSOMWARE
We have seen exponential ransomware infections in 2016, and this trend will continue in 2017. There are close to 250 different families at this point; this will triple in the next 12 months.
Locky will be the first strain with 1 billion dollars in criminal revenues. Organized Eastern European cybercrime will continue to specifically target health care, education and local government with updated ransomware strains.
10) STATE SPONSORED HACKING
Look, we have a low-grade cyberwar and massive cyber arms-race going on. It's simmering and now and then it flares up, basically with proof-of-concept attacks, except for Stuxnet which was the real deal. In 2017 we may very well see the first major real-world damage caused by state-sponsored hacking.

Sunday, December 4, 2016

CISO Executive Summit 2016

With over 200 CISOs / Security Leadership in attendance this past week, it was a great day of sessions / breakout forums, networking and a few vendor product / services solutions…

The keynote theme began with Olympic silver medalist John K. Coyle presenting on the Apply Design Thinking concept, consisting of Understand, Empathize, Ideate, and Prototype, i.e. clearly understanding the problem and uniquely developing a solution – bringing you to focus on strengths and merely work around weaknesses.

 

Other key takeaways:

- SaaS is the new development model – trending to reality

- SAP is the shadow IT with limited security visibility (gap in patching and flow/integration)

- Ransomware will happen (to anyone) so weigh price of recovery vs. paying ransom (and do tabletop exercise)

- Mobile End-Points increase threats particularly without multiple factor authentication / MDM strategy, so a little friction is not always bad

- Security controls should weigh in on IT Operational cost – it's a shift in duty / control

- Directed attacks cannot be stopped, so position for response/detection more than for prevention

- Hunting or spot-audits are necessary, though resources are a constraint

- Lead in 2 directions: normal security controls as well as user experience / expectation

- We cannot be the CI"no" (user-centric security)

And, for an industry cyber security survey roll-up of over 700 CISOs (over 50% from Finance, Retail, Healthcare), see attached; in summary:

- Top Threats: IP theft, 3rd-Party risk and Reputational harm

- Top Priorities: Detect/Respond to adversarial threats, Build Security Awareness Organization, Communicate risk to stakeholders, Apply Risk Mgmt. to Security Strategy and Protect Cloud data/app/infrastructure

- 6% of overall IT spend is on Security

- 59% of CISO budgets expect to increase (modestly or significantly) on Vul mgmt., Incident Response and Awareness