A Tipping Point in The Battle Against Cyber Attacks

A Tipping Point in the Battle
Against Cyber Attacks

A Dark Reading Webcast
Sponsored by
Webcast Logistics
Todays Presenters

Dr. Larry Ponemon
Chairman & Founder, Ponemon Institute

Avi Chesla
Chief Technology Officer, Radware

Cyber Security on the Offense
A Study of IT Security Experts
Co-authored Research with Radware
Presentation by Dr. Larry Ponemon
November 14, 2012
About Ponemon Institute
Ponemon Institute conducts independent research on cyber security, data protection
and privacy issues.
Since our founding 11+ years ago our mission has remained constant, which is to
enable organizations in both the private and public sectors to have a clearer
understanding of the practices, enabling technologies and potential threats that will
affect the security, reliability and integrity of information assets and IT systems.
Ponemon Institute research informs organizations on how to improve upon their data
protection initiatives and enhance their brand and reputation as a trusted enterprise.
In addition to research, Ponemon Institute offers independent assessment and
strategic advisory services on privacy and data protection issues. The Institute also
conducts workshops and training programs.
The Institute is frequently engaged by leading companies to assess their privacy and
data protection activities in accordance with generally accepted standards and
practices on a global basis.
The Institute also performs customized benchmark studies to help organizations
identify inherent risk areas and gaps that might otherwise trigger regulatory action.

11/13/2012 Ponemon Institute: Private & Confidential Information 5
Spotlight on key findings
Availability is now the top priority
DoS & DDoS are two of the top three threats
Sixty-five percent of organizations experienced 3 more more DoS
attacks over the past 12 months
DoS & DDoS attacks cost organizations $3M on average
Counterattack techniques are viewed as viable improvements to
normal defense posture
A sampling frame of 22,501 IT and IT security practitioners located in all
regions of the United States were selected as participants to this survey.
The final sample was 705 surveys (or a 3.1 percent response rate).
Distribution of respondents according to
primary industry classification
19%
13%
11%
8%
7%
6%
6%
5%
5%
5%
4%
4%
2%
2%
2% 1%
Financial services
Public sector
Health & pharmaceuticals
Retail (conventional)
E-commerce
Industrial
Services
Energy & utilities
Hospitality
Technology & software
Consumer products
Transportation
Communications
Education & research
Entertainment & media
Agriculture & food services
Sample size = 705
What organizational level best describes
your current position?
2%
1%
17%
23%
19%
33%
4%
1%
Senior executive
Vice president
Director
Manager
Supervisor
Technician
Staff
Consultant
Sample size = 705
The primary person you or the IT security
leader reports to within the organization
61%
21%
5%
3%
2%
2%
2%
4%
Chief Information Officer
Chief Information Security Officer
Chief Risk Officer
General Counsel
Chief Financial Officer
Compliance Officer
Chief Security Officer
Other
Sample size = 705
The person most responsible for
managing the cyber security posture

41%
21%
12%
11%
4%
3%
3%
2%
2% 1%
Chief information officer
Chief information security officer
No one person has overall responsibility
Business unit management
Outside managed service provider
Chief risk officer
Corporate compliance or legal department
Chief technology officer
Data center management
Chief security officer
Sample size = 705
Global headcount
7%
9%
19%
34%
21%
6%
4%
< 100
100 to 500
501 to 1,000
1,001 to 5,000
5,001 to 25,000
25,001 to 75,000
> 75,000
Sample size = 705

Results

Current perceptions and response to
cyber attacks
Strongly agree and agree response combined
29%
44%
44%
48%
64%
0% 10% 20% 30% 40% 50% 60% 70%
My organization has in-house expertise to launch
counter measures against cyber criminals
Security budget is sufficient for mitigating most cyber
attacks
Launching a strong offensive against cyber criminals is
very important
My organization is vigilant in monitoring cyber attacks
The severity of cyber attacks is on the rise
Effectiveness in combating cyber attacks

29%
35%
36%
0% 5% 10% 15% 20% 25% 30% 35% 40%
More effective in combating attacks and intrusions
Less effective in combating attacks and intrusions
The same in terms of its effectiveness in combating
attacks and intrusions
Over the past 12 months, my organizations cyber defense has been . . .
Negative consequences of a cyber attack
8 = most severe to 1 = least severe

2.2
3.2
3.5
6.1
6.2
6.4
6.8
7.5
0.0 1.0 2.0 3.0 4.0 5.0 6.0 7.0 8.0
Regulatory actions or lawsuits
Cost of outside consultants and experts
Stolen or damaged equipment
Customer turnover
Lost revenue
Reputation damage
Productivity decline
Lost intellectual property/trade secrets
Greatest areas of potential cyber security risk
Three responses permitted

6%
6%
7%
8%
13%
15%
20%
22%
24%
25%
28%
29%
31%
32%
34%
0% 5% 10% 15% 20% 25% 30% 35% 40%
Data centers
The server environment
Within operating systems
Virtual computing environments
Removable media and/or media (CDs, DVDs)
Network infrastructure environment
Desktop or laptop computers
Malicious insiders
Mobile devices such as smart phones
Organizational misalignment and complexity
Cloud computing infrastructure and providers
Across 3rd party applications
Negligent insiders
Mobile/remote employees
Lack of system connectivity/visibility
Downtime after one DDoS attack

10%
13%
16%
22%
11%
9%
5%
4%
10%
0%
5%
10%
15%
20%
25%
Less than 1
minute
1 to 10
minutes
11 to 20
minutes
21 to 30
minutes
31 to 60
minutes
1 to 2 hours 3 to 5 hours More than 5
hours
Cannot
determine
An extrapolated average of 53.5 minutes for the sample
Cost per minute of downtime
1%
8%
12%
15% 15%
21%
11%
7%
5% 5%
0%
5%
10%
15%
20%
25%
$1 to $10 $10 to
$100
$101 to
$1,000
$1,001 to
$5,000
$5,001 to
$10,000
$10,001 to
$25,000
$25,001 to
$50,000
$50,001 to
$100,000
More than
$100,000
Cannot
determine
An extrapolated average of $21,699 per minute of downtime
Cyber defenses most important
Very important and important response combined

50%
50%
51%
51%
52%
56%
59%
64%
71%
75%
0% 10% 20% 30% 40% 50% 60% 70% 80%
Content aware firewalls
Web application firewalls
Security intelligence systems including SIEM
Endpoint security systems
Secure network gateways
Intrusion detection systems
Intrusion prevention systems
Identity and authentication systems
Anti-DoS/DDoS
Anti-virus/anti-malware
Cyber defenses not as important
26%
32%
36%
38%
39%
45%
47%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
Mobile device management
Enterprise encryption for data at rest
ID credentialing including biometrics
Other crypto technologies including tokenization
Enterprise encryption for data in motion
Data loss prevention systems
Secure coding in the development of new applications
Cyber security threats according to risk mitigation priority
10 = highest priority to 1 = lowest priority
2.8
3.0
3.2
5.4
6.4
7.7
7.9
8.2
8.6
9.0
0.0 1.0 2.0 3.0 4.0 5.0 6.0 7.0 8.0 9.0 10.0
Phishing and social engineering
Web scrapping
Cross-site scripting
Malicious insiders
Botnets
Malware
Viruses, worms and trojans
Distributed denial of service (DDoS)
Server side injection (SSI)
Denial of service (DoS)
Barriers to achieving a strong cyber security posture
Two responses permitted
1%
8%
10%
19%
22%
27%
34%
35%
44%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
Other
Lack of leadership
Complexity of compliance and regulatory requirements
Lack of skilled or expert personnel
Insufficient assessment of cyber security risks
Lack of oversight or governance
Lack of effective security technology solutions
Insufficient resources or budget
Insufficient visibility of people and business processes
Ranking of cyber security objectives in
terms of a business priority objective
5 = highest priority to 1 = lowest priority

4.7
4.4
3.5
2.8
1.9
0.0
0.5
1.0
1.5
2.0
2.5
3.0
3.5
4.0
4.5
5.0
Availability Compliance Integrity Confidentiality Interoperability
Counter technique capabilities most important

67%
60%
58%
52%
54%
56%
58%
60%
62%
64%
66%
68%
Technology that neutralizes denial of
service attacks before they happen
Technology that slows down or even
halts the attackers computers
Technology that pinpoints the
attackers weak spots
Technologies most favored
Two responses permitted
10%
15%
21%
31%
33%
33%
57%
0% 10% 20% 30% 40% 50% 60% 70%
Perimeter security technologies
Endpoint security technologies including mobile devices
Simplifying threat reporting technologies
Insider threat minimizing technologies
Intelligence about attackers motivation and weak spots
technologies
Security of information assets technologies
Intelligence about networks and traffic technologies
Ability to launch a counter technique
against a cyber criminal
1 = unable to perform counter technique to 10 = fully capable

16%
19%
17%
11%
8%
5%
7%
5%
9%
3%
0%
2%
4%
6%
8%
10%
12%
14%
16%
18%
20%
1 (weak) 2 3 4 5 6 7 8 9 10 (strong)
Reasons for not being fully capable of
launching a counter technique
More than one response permitted

71%
69%
53% 53%
2%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Lack of enabling
technologies
Lack of resources or
budget
Do not have ample
expert personnel
Not considered a
security-related
priority
Other
Methods for performing counter techniques
More than one response permitted

67%
61%
43%
2%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Manual surveillance
methods
Close examination of logs
and configuration settings
Use of security intelligence
tools
Other

Comparison of three industries
Most severe consequences of a cyber
attack for three industry sectors
8 = most severe to 1 = least severe
1.6
3.2
4.1
5.7
5.5
7.0
7.2
6.8
2.8
4.4
1.9
2.0
5.2
5.0
5.0
7.1
1.9
3.0
5.3
3.9
6.9
7.2
7.0
7.5
1.0 2.0 3.0 4.0 5.0 6.0 7.0 8.0
Cost of consultants and experts
Stolen or damaged equipment
Regulatory actions or lawsuits
Customer turnover
Lost intellectual property
Lost revenue
Reputation damage
Productivity decline
Health & pharmaceuticals Public sector Financial services
Frequency of DDoS attacks experienced
for organizations in three industries
Over the past 12 months

3.0
4.1
2.4
-
0.5
1.0
1.5
2.0
2.5
3.0
3.5
4.0
4.5
Financial services Public sector Health & pharmaceuticals
Average downtime organizations in three industries
Minutes of downtime

47.9
70.1
51.2
0
10
20
30
40
50
60
70
80
Estimated cost per minute of downtime
for organizations in three industries

$32,560
$15,447
$23,519
$-
$5,000
$10,000
$15,000
$20,000
$25,000
$30,000
$35,000
Conclusion and recommendations

As is revealed in this research, organizations are lagging behind in their ability to deal
with the aggressive and sophisticated tactics of cyber criminals. The IT security experts
surveyed give their organizations a below average score in their effectiveness to launch
counter measures.

To achieve a proactive cyber security posture, organizations should consider the
following practices:

Create a strategy and plan that puts emphasis on having a strong offense against
hackers and other cyber criminals.
Ensure internal IT staff as well as such external support as IT vendors and MSSPs
are knowledgeable and available to respond to attacks before they take place.
Support the strategy with the right technologies to prevent and detect cyber attacks.

In this and other Ponemon Institute studies on cyber crimes, the financial and
reputational consequences are well documented. Organizations that suffer attacks face
real-world consequences. The findings of this research can help organizations make the
business case for adopting a more proactive approach to the advanced persistent threats
facing them.

Questions?

Ponemon Institute
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA
research@ponemon.org

Avi Chesla
CTO
1.9
2.8
3.5
4.4
4.7
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5
Interoperability Confidentiality Integrity Compliance Availability
Ranking of cyber security objectives in terms of a business priority objective
5 = Highest Priority to 1 = Lowest Priority
Slide 37
Availability is Top Priority
1.9
2.8
3.5
4.4
4.7
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5
Interoperability Confidentiality Integrity Compliance Availability
Ranking of cyber security objectives in terms of a business priority objective
Slide 38
Availability is Top Priority
In the past, confidentiality & integrity were top priorities

As more organizations suffer from DoS & DDoS attacks,
availability is moving up as top priority

In todays online world, when availability is threatened it
has severe impact on the businesss performance and
operations
Availability Based Threats Are on the Rise
Slide 39
2.8
3.0
3.2
5.4
6.4
7.7
7.9
8.2
8.6
9.0
0.0 2.0 4.0 6.0 8.0 10.0
Web scrapping
Cross site scripting
Malicious insiders
Botnets
Malware
Server side injection
Availability Base Threats Are on the Rise
Slide 40
2.8
3.0
3.2
5.4
6.4
7.7
7.9
8.2
8.6
9.0
0.0 2.0 4.0 6.0 8.0 10.0
Web scrapping
Cross site scripting
Malicious insiders
Botnets
Malware
Server side injection
DDoS attacks are not rare occasions on few organizations - organizations
should expect to be under attack

Significant change in the threat landscape as DoS & DDoS are becoming
the top risks

On average, DDoS attacks cost companies approximately $3.5 million
annually this is a pain that must be addressed

Average Down Time What Does it Mean ?
Slide 41
10%
13%
16%
22%
11%
9%
5%
4%
10%
0%
5%
10%
15%
20%
25%
Less than
1 minute
1 to 10
minutes
11 to 20
minutes
21 to 30
minutes
31 to 60
minutes
1 to 2
hours
3 to 5
hours
More than
5 hours
Cannot
determine
Average downtime during one DDoS attack
Sophistication
(APT measure)
Time
Slide 42
Attack Campaigns APT Measure
Duration: 20 days
More than 7 attack vectors
Inner cycle involvement attack
target: Government in Europe
Duration: 3 days
5 Attack vectors
Only inner cycle involvement
Attack target: HKEX
Duration: 3 days
4 attack vectors
Attack target: Visa, MasterCard
Duration: 6 Days
5 attack vectors
Inner cycle involvement
Attack target: Israeli sites
Duration: 30 days
5 attack vectors
Inner cycle involvement attack
target: India (operation India)
The characteristics of cyber attack campaigns have fundamentally changed
Organizations Are Not Ready
Organizations Are Not Ready for Attacks
Less than half reported being vigilant in
monitoring for attacks

Much less putting into practice proactive
and preventative measures

The majority of organizations cannot launch
or implement a counter technique
Slide 44
Emergency Response Teams & Cyber War Rooms
Slide 45
Attack Time
Emergency Response
Team that fights
Get Ready
Audits
Policies
Technologies
Forensics
Analyze what happened
Adjust policies
Adapt new technologies
Existing Level of skills
Lack of Expertise
Required expertise during attack campaign
Complex risk assessment
Tracking and modifying protections against dynamically evolved attacks
Real time intelligence
Real time collaboration with other parties
Counter attack methods and plans
Preparation with cyber war games
The Best Defense Is A
Slide 46
Get Ready
Mapping Security Protection Tools
Slide 48
DoS Protection
Behavioral Analysis
IP Rep.
IPS
WAF
Large volume network flood attacks
Web attacks: XSS, Brute force
SYN flood attack
Application vulnerability, malware
Web attacks: SQL Injection
Port scan
Low & Slow DoS attacks (e.g.Sockstress)
Network scan
Intrusion
High and slow Application DoS attacks
Organizations should deploy an attack mitigation system that:

1. Mitigate all availability based threats

2. Performs on premise detection and mitigation for applications based attacks

3. Does not have blind spots and provides a holistic approach
Thank You
www.radware.com
Q&A Session

Dr. Larry Ponemon
Chairman & Founder, Ponemon Institute

Avi Chesla
Chief Technology Officer, Radware

Resources
To View This or Other Events On-Demand Please Visit:
http://informationweek.com/events/past

Download the entire Cyber Security on the Offense Report:
http://security.radware.com/uploadedFiles/Resources_and_Content/Att
ack_Tools/CyberSecurityontheOffense.pdf

For up-to-date information on the latest IT threats and reports please
visit:
www.ddoswarriors.com
http://www.radware.com/

A Tipping Point in The Battle Against Cyber Attacks

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

A Tipping Point in The Battle Against Cyber Attacks

Transféré par

Droits d'auteur :

Formats disponibles

A Tipping Point in the Battle

Against Cyber Attacks

Vous aimerez peut-être aussi