A Dark Reading Webcast Sponsored by

Webcast Logistics

Today's Presenters
Dr. Larry Ponemon, Chairman & Founder, Ponemon Institute
Avi Chesla, Chief Technology Officer, Radware
Cyber Security on the Offense: A Study of IT Security Experts
Co-authored Research with Radware
Presentation by Dr. Larry Ponemon
November 14, 2012

About Ponemon Institute
Ponemon Institute conducts independent research on cyber security, data protection and privacy issues. Since our founding 11+ years ago our mission has remained constant, which is to enable organizations in both the private and public sectors to have a clearer understanding of the practices, enabling technologies and potential threats that will affect the security, reliability and integrity of information assets and IT systems. Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise.

In addition to research, Ponemon Institute offers independent assessment and strategic advisory services on privacy and data protection issues. The Institute also conducts workshops and training programs. The Institute is frequently engaged by leading companies to assess their privacy and data protection activities in accordance with generally accepted standards and practices on a global basis. The Institute also performs customized benchmark studies to help organizations identify inherent risk areas and gaps that might otherwise trigger regulatory action.
11/13/2012 Ponemon Institute: Private & Confidential Information

Spotlight on key findings
- Availability is now the top priority
- DoS & DDoS are two of the top three threats
- Sixty-five percent of organizations experienced 3 or more DoS attacks over the past 12 months
- DoS & DDoS attacks cost organizations $3M on average
- Counterattack techniques are viewed as viable improvements to normal defense posture

A sampling frame of 22,501 IT and IT security practitioners located in all regions of the United States was selected as participants for this survey. The final sample was 705 surveys (or a 3.1 percent response rate).

Distribution of respondents according to primary industry classification (sample size = 705)
Financial services: 19%
Public sector: 13%
Health & pharmaceuticals: 11%
Retail (conventional): 8%
E-commerce: 7%
Industrial: 6%
Services: 6%
Energy & utilities: 5%
Hospitality: 5%
Technology & software: 5%
Consumer products: 4%
Transportation: 4%
Communications: 2%
Education & research: 2%
Entertainment & media: 2%
Agriculture & food services: 1%

What organizational level best describes your current position? (sample size = 705)
Senior executive: 2%
Vice president: 1%
Director: 17%
Manager: 23%
Supervisor: 19%
Technician: 33%
Staff: 4%
Consultant: 1%

The primary person you or the IT security leader reports to within the organization (sample size = 705)
Chief Information Officer: 61%
Chief Information Security Officer: 21%
Chief Risk Officer: 5%
General Counsel: 3%
Chief Financial Officer: 2%
Compliance Officer: 2%
Chief Security Officer: 2%
Other: 4%

The person most responsible for managing the cyber security posture (sample size = 705)
Chief information officer: 41%
Chief information security officer: 21%
No one person has overall responsibility: 12%
Business unit management: 11%
Outside managed service provider: 4%
Chief risk officer: 3%
Corporate compliance or legal department: 3%
Chief technology officer: 2%
Data center management: 2%
Chief security officer: 1%

Global headcount (sample size = 705)
< 100: 7%
100 to 500: 9%
501 to 1,000: 19%
1,001 to 5,000: 34%
5,001 to 25,000: 21%
25,001 to 75,000: 6%
> 75,000: 4%
Results
Current perceptions and response to cyber attacks (strongly agree and agree responses combined)
My organization has in-house expertise to launch counter measures against cyber criminals: 29%
Security budget is sufficient for mitigating most cyber attacks: 44%
Launching a strong offensive against cyber criminals is very important: 44%
My organization is vigilant in monitoring cyber attacks: 48%
The severity of cyber attacks is on the rise: 64%

Effectiveness in combating cyber attacks
Over the past 12 months, my organization's cyber defense has been . . .
More effective in combating attacks and intrusions: 29%
Less effective in combating attacks and intrusions: 35%
The same in terms of its effectiveness in combating attacks and intrusions: 36%

Negative consequences of a cyber attack (8 = most severe to 1 = least severe)
Regulatory actions or lawsuits: 2.2
Cost of outside consultants and experts: 3.2
Stolen or damaged equipment: 3.5
Customer turnover: 6.1
Lost revenue: 6.2
Reputation damage: 6.4
Productivity decline: 6.8
Lost intellectual property/trade secrets: 7.5

Greatest areas of potential cyber security risk (three responses permitted)
Data centers: 6%
The server environment: 6%
Within operating systems: 7%
Virtual computing environments: 8%
Removable media and/or media (CDs, DVDs): 13%
Network infrastructure environment: 15%
Desktop or laptop computers: 20%
Malicious insiders: 22%
Mobile devices such as smart phones: 24%
Organizational misalignment and complexity: 25%
Cloud computing infrastructure and providers: 28%
Across 3rd party applications: 29%
Negligent insiders: 31%
Mobile/remote employees: 32%
Lack of system connectivity/visibility: 34%

Downtime after one DDoS attack
Less than 1 minute: 10%
1 to 10 minutes: 13%
11 to 20 minutes: 16%
21 to 30 minutes: 22%
31 to 60 minutes: 11%
1 to 2 hours: 9%
3 to 5 hours: 5%
More than 5 hours: 4%
Cannot determine: 10%
An extrapolated average of 53.5 minutes for the sample

Cost per minute of downtime
$1 to $10: 1%
$10 to $100: 8%
$101 to $1,000: 12%
$1,001 to $5,000: 15%
$5,001 to $10,000: 15%
$10,001 to $25,000: 21%
$25,001 to $50,000: 11%
$50,001 to $100,000: 7%
More than $100,000: 5%
Cannot determine: 5%
An extrapolated average of $21,699 per minute of downtime

Cyber defenses most important (very important and important responses combined)
Content aware firewalls: 50%
Web application firewalls: 50%
Security intelligence systems including SIEM: 51%
Endpoint security systems: 51%
Secure network gateways: 52%
Intrusion detection systems: 56%
Intrusion prevention systems: 59%
Identity and authentication systems: 64%
Anti-DoS/DDoS: 71%
Anti-virus/anti-malware: 75%

Cyber defenses not as important (very important and important responses combined)
Mobile device management: 26%
Enterprise encryption for data at rest: 32%
ID credentialing including biometrics: 36%
Other crypto technologies including tokenization: 38%
Enterprise encryption for data in motion: 39%
Data loss prevention systems: 45%
Secure coding in the development of new applications: 47%

Cyber security threats according to risk mitigation priority (10 = highest priority to 1 = lowest priority)
Phishing and social engineering: 2.8
Web scraping: 3.0
Cross-site scripting: 3.2
Malicious insiders: 5.4
Botnets: 6.4
Malware: 7.7
Viruses, worms and trojans: 7.9
Distributed denial of service (DDoS): 8.2
Server side injection (SSI): 8.6
Denial of service (DoS): 9.0

Barriers to achieving a strong cyber security posture (two responses permitted)
Other: 1%
Lack of leadership: 8%
Complexity of compliance and regulatory requirements: 10%
Lack of skilled or expert personnel: 19%
Insufficient assessment of cyber security risks: 22%
Lack of oversight or governance: 27%
Lack of effective security technology solutions: 34%
Insufficient resources or budget: 35%
Insufficient visibility of people and business processes: 44%

Ranking of cyber security objectives in terms of a business priority objective (5 = highest priority to 1 = lowest priority)
Availability: 4.7
Compliance: 4.4
Integrity: 3.5
Confidentiality: 2.8
Interoperability: 1.9

Counter technique capabilities most important (very important and important responses combined)
Technology that neutralizes denial of service attacks before they happen: 67%
Technology that slows down or even halts the attackers' computers: 60%
Technology that pinpoints the attackers' weak spots: 58%

Technologies most favored (two responses permitted)
Perimeter security technologies: 10%
Endpoint security technologies including mobile devices: 15%
Simplifying threat reporting technologies: 21%
Insider threat minimizing technologies: 31%
Intelligence about attackers' motivation and weak spots technologies: 33%
Security of information assets technologies: 33%
Intelligence about networks and traffic technologies: 57%

Ability to launch a counter technique against a cyber criminal (1 = unable to perform counter technique to 10 = fully capable)
1 (weak): 16%
2: 19%
3: 17%
4: 11%
5: 8%
6: 5%
7: 7%
8: 5%
9: 9%
10 (strong): 3%

Reasons for not being fully capable of launching a counter technique (more than one response permitted)
Lack of enabling technologies: 71%
Lack of resources or budget: 69%
Do not have ample expert personnel: 53%
Not considered a security-related priority: 53%
Other: 2%

Methods for performing counter techniques (more than one response permitted)
Manual surveillance methods: 67%
Close examination of logs and configuration settings: 61%
Use of security intelligence tools: 43%
Other: 2%
Comparison of three industries

Most severe consequences of a cyber attack for three industry sectors (8 = most severe to 1 = least severe)
(Chart. The eight consequences rated, in chart order: cost of consultants and experts; stolen or damaged equipment; regulatory actions or lawsuits; customer turnover; lost intellectual property; lost revenue; reputation damage; productivity decline. Sectors compared: Health & pharmaceuticals, Public sector, Financial services. The three value series extracted from the chart, each in that consequence order, are 1.6 3.2 4.1 5.7 5.5 7.0 7.2 6.8; 2.8 4.4 1.9 2.0 5.2 5.0 5.0 7.1; and 1.9 3.0 5.3 3.9 6.9 7.2 7.0 7.5. Which series belongs to which sector is not recoverable from the extracted text.)

Frequency of DDoS attacks experienced for organizations in three industries (over the past 12 months)
Financial services: 3.0
Public sector: 4.1
Health & pharmaceuticals: 2.4

Average downtime for organizations in three industries (minutes of downtime)
Financial services: 47.9
Public sector: 70.1
Health & pharmaceuticals: 51.2

Estimated cost per minute of downtime for organizations in three industries
Financial services: $32,560
Public sector: $15,447
Health & pharmaceuticals: $23,519

Conclusion and recommendations
As this research reveals, organizations are lagging behind in their ability to deal with the aggressive and sophisticated tactics of cyber criminals. The IT security experts surveyed give their organizations a below-average score for their effectiveness in launching counter measures.
To achieve a proactive cyber security posture, organizations should consider the following practices:
- Create a strategy and plan that puts emphasis on having a strong offense against hackers and other cyber criminals.
- Ensure internal IT staff, as well as external support such as IT vendors and MSSPs, are knowledgeable and available to respond to attacks before they take place.
- Support the strategy with the right technologies to prevent and detect cyber attacks.
In this and other Ponemon Institute studies on cyber crimes, the financial and reputational consequences are well documented. Organizations that suffer attacks face real-world consequences. The findings of this research can help organizations make the business case for adopting a more proactive approach to the advanced persistent threats facing them.
Questions?

Ponemon Institute
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA
research@ponemon.org
Avi Chesla, CTO

Availability is Top Priority (Slides 37-38)
Ranking of cyber security objectives in terms of a business priority objective (5 = highest priority to 1 = lowest priority)
Interoperability: 1.9
Confidentiality: 2.8
Integrity: 3.5
Compliance: 4.4
Availability: 4.7
- In the past, confidentiality & integrity were top priorities
- As more organizations suffer from DoS & DDoS attacks, availability is moving up as the top priority
- In today's online world, when availability is threatened it has a severe impact on the business's performance and operations

Availability Based Threats Are on the Rise (Slides 39-40)
Cyber security threats according to risk mitigation priority (10 = highest priority to 1 = lowest priority)
Phishing and social engineering: 2.8
Web scraping: 3.0
Cross site scripting: 3.2
Malicious insiders: 5.4
Botnets: 6.4
Malware: 7.7
Viruses, worms and trojans: 7.9
Distributed denial of service (DDoS): 8.2
Server side injection: 8.6
Denial of service (DoS): 9.0
- DDoS attacks are not rare occasions affecting only a few organizations; organizations should expect to be under attack
- Significant change in the threat landscape as DoS & DDoS are becoming the top risks
- On average, DDoS attacks cost companies approximately $3.5 million annually; this is a pain that must be addressed
Average Down Time: What Does it Mean? (Slide 41)
Average downtime during one DDoS attack
Less than 1 minute: 10%
1 to 10 minutes: 13%
11 to 20 minutes: 16%
21 to 30 minutes: 22%
31 to 60 minutes: 11%
1 to 2 hours: 9%
3 to 5 hours: 5%
More than 5 hours: 4%
Cannot determine: 10%

Attack Campaigns: APT Measure (Slide 42)
(Chart plotting sophistication (APT measure) against time for five campaigns.)
- Duration: 20 days; more than 7 attack vectors; inner cycle involvement; attack target: Government in Europe
- Duration: 3 days; 5 attack vectors; only inner cycle involvement; attack target: HKEX
- Duration: 3 days; 4 attack vectors; attack target: Visa, MasterCard
- Duration: 6 days; 5 attack vectors; inner cycle involvement; attack target: Israeli sites
- Duration: 30 days; 5 attack vectors; inner cycle involvement; attack target: India (Operation India)
The characteristics of cyber attack campaigns have fundamentally changed

Organizations Are Not Ready for Attacks (Slide 44)
- Less than half reported being vigilant in monitoring for attacks
- Much less putting into practice proactive and preventative measures
- The majority of organizations cannot launch or implement a counter technique

Emergency Response Teams & Cyber War Rooms (Slide 45)
Timeline: Get Ready (audits, policies, technologies); Attack Time (an Emergency Response Team that fights); Forensics (analyze what happened, adjust policies, adapt new technologies).
Existing level of skills versus the expertise required during an attack campaign (lack of expertise):
- Complex risk assessment
- Tracking and modifying protections against dynamically evolved attacks
- Real time intelligence
- Real time collaboration with other parties
- Counter attack methods and plans
- Preparation with cyber war games

The Best Defense Is A (Slide 46)
Get Ready

Mapping Security Protection Tools (Slide 48)
(Matrix mapping protection tools to attack types.) Protection tools: DoS Protection, Behavioral Analysis, IP Rep., IPS, WAF. Attack types: large volume network flood attacks; web attacks: XSS, brute force; SYN flood attack; application vulnerability, malware; web attacks: SQL injection; port scan; low & slow DoS attacks (e.g. Sockstress); network scan; intrusion; high and slow application DoS attacks.

Organizations should deploy an attack mitigation system that:
1. Mitigates all availability based threats
2. Performs on-premise detection and mitigation for application-based attacks
3. Does not have blind spots and provides a holistic approach

Thank You
www.radware.com

Q&A Session
Dr. Larry Ponemon, Chairman & Founder, Ponemon Institute
Avi Chesla, Chief Technology Officer, Radware
Resources
To view this or other events on-demand please visit: http://informationweek.com/events/past
Download the entire Cyber Security on the Offense report: http://security.radware.com/uploadedFiles/Resources_and_Content/Attack_Tools/CyberSecurityontheOffense.pdf
For up-to-date information on the latest IT threats and reports please visit: www.ddoswarriors.com and http://www.radware.com/