Cybersecurity
Dr. Mohit Bansal, Canada, Teacher
Published Date: 26-10-2017
Chapter 1: Cybersecurity: How Security Vulnerabilities Affect Your Business

A secure cloud is your goal, but a secure cloud is not the same as cloud security. When you are expanding your business into the cloud, you should use the information in this book to support your layered security approach to achieve a secure cloud within Microsoft Azure.

This chapter benefits chief executive officers (CEOs), chief information officers (CIOs), and chief technical officers (CTOs) with its guidance for understanding the security risks that affect businesses as network teams adopt a hybrid cloud model. If you are a C-level executive, you need foundational security insight to understand a hacker’s motivation, backed by factual resources with insightful security data rather than just scary statistics. You then need a process to put people into roles and to put roles into practice using a proven cloud security framework that leverages the secure cloud features found in Azure Security Center. As a CEO, if you are too busy to read all the chapters in this book, at least read this one; it has been crafted to enable your current security team to rapidly expand with the adoption of a defensive cloud security framework.

This chapter also provides chief information security officers (CISOs), security architects, and security analysts with a jump start into a secure cloud by leveraging the same guidance and then expanding it with best practices and procedures to integrate with their current security processes. For a security team, the layered, on-premises security model expands into the cloud and requires you to fully understand your adversary’s determination to breach your cloud infrastructure. You and your team must learn about the increased availability of attack tools offered as services.
Many of the current attack tools leverage automated deployment, often within minutes of a bitcoin purchase, and some come with a service level agreement (SLA) to be rebuilt if taken down by authorities.

Your business has a board of directors and a CEO who provide the high-level requirements for the necessary security policy. After cloud security policies are written, they should be reviewed annually and updated to remain current as the business leveraging the cloud services changes. Security procedures should be created and updated to support the cloud security policies and then used to guide security teams with a “how-to” implementation process. These security procedures should later be reviewed and audited by third-party auditors to validate the security compliance of the company, and the security assessment findings reported to the CEO and board of directors.

In this chapter, security terms and acronyms are defined in a business context. This chapter promotes the need for a common language so that business leaders not only hear but understand the recommendations from their security professionals. If you are a CEO, just reading a security definition is not very helpful if you do not appreciate the financial impact to your business. If you are a security professional, presenting to business executives using security acronyms they don’t fully comprehend does not often promote agreement on the necessary security improvements. As a security professional, you need to present the security risks within the context of the potential financial impact to the business. In other words, to start and maintain a conversation, business teams and security teams are required to speak a common language.

■ Security Tip An application vulnerability is not an operating system (OS) vulnerability but a system flaw or weakness in an application. If the vulnerability (or vuln, as it is referred to in some documents) is discovered by an attacker, the exploit could lead to a compromised application. Application layer security flaws generally result from coding flaws in applications that are either shipped with or installed onto computational devices such as tablets, laptops, and desktops.

Executive Summary

Many companies are migrating to the cloud, and they need to migrate securely. They have processes and procedures in place for their on-premises business, but when a business wants to lower or remove capital expenditures (capex) from a traditional on-premises datacenter, it can leverage the benefits of Azure cloud operational expenditures (opex). This is not a discussion about the benefits of the cloud; this is a discussion, using a common language, about securely migrating to the cloud and specifically creating a Microsoft Azure secure cloud. The fact is that applications are moving and services are moving, so security has to move at the same speed as the business.

Most companies create copious amounts of security data in the form of log files that are transformed into text, tables, and graphs. The information is delivered using many automated methods, so the reports are received on a regular basis and almost never have the intended security controls. There is a language of security as well as a language the business needs in order to consume the security data effectively. Business teams need to be presented with information that is effective for business decisions and, from a security standpoint, that focuses on the right business perspective. This is often presented by a CISO, who reports with key performance indicators (KPIs) and key risk indicators (KRIs). Gathering, evaluating, and presenting the correct information for the business KPIs and KRIs is often challenging.
■ Security Tip Key performance indicators evaluate the success of an organization or business unit as the business continues to achieve business goals. Key risk indicators are metrics used by security teams to signal increasing or decreasing risk exposures in various business units as they affect the enterprise.

The CISO has the challenging task of building a long-lasting relationship with the business and, together with the business, developing the right KPIs and KRIs after understanding what is important to the organization. One of the major security concerns is selecting information from a complex database and then sampling the data to display KPIs and KRIs that are well defined. The National Vulnerability Database (NVD) is a database of all known vulnerability types, and it provides the ability to search by keyword. Figure 1-1 shows vulnerability types such as code injection, cross-site request forgery, input validation, and many others, tracking their prevalence over the years.

Figure 1-1. U.S. National Vulnerability Database, view of vulnerability type change by year

■ Security Tip You can freely access the NVD database with all assets and visualizations at https://nvd.nist.gov/, and you can get specific visualization updates at https://nvd.nist.gov/vuln/visualizations/cwe-over-time.

The National Vulnerability Database is a product of the National Institute of Standards and Technology (NIST) and is a repository of standards-based vulnerabilities. The NIST project is sponsored by the Department of Homeland Security’s National Cyber Security Division. The information in the database consists of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.
All NIST publications are available in the public domain according to Title 17 of the United States Code, which means companies are able to use the data provided; however, an acknowledgment of the value of the NVD is appreciated. You will learn about the NVD throughout this chapter.

Over the past few years, many companies have been increasing their number of security analysts and security architects for continuous improvement of their business security programs. Fortunately, several reports have been released by major corporations with worldwide data insight, including the Microsoft Security Intelligence Report (SIR), the Verizon Data Breach Investigations Report (DBIR), the IBM-sponsored Ponemon Cost of Data Breach Study, the Cisco Annual Security Report, the FireEye M-Trends 2017 Annual Security Report, and the Georgia Tech Emerging Cyber Threats Report. As the data from these major reports is analyzed and their collective information correlated, customers develop a desire to better protect their infrastructure in many different areas. The security focus differs by type of business, location, and capability maturity level. The reports provide different information based on the respondents, location, and known historical information, and it is difficult for a single report to provide all the information necessary to understand the global view of cyber-breaches.
However, the common themes or areas of needed security focus are similar to those in past reports, and for the next few years they include recommendations for companies to invest security resources in many areas, including the following:

• Software development security
• Web site and application protection
• Endpoint threat detection and response
• Internet of Things (IoT) security

These attacks have continued over many years, and the trends to notice are the short amount of time in which a company’s network is breached, often minutes or hours, and how long it takes before a breach is discovered, often weeks or months. In other words, you must improve security defenses and shorten the time to discovery and remediation of security breaches.

■ Security Tip When attackers use a flaw in an application, they have the potential to exploit the application’s vulnerability. Cyber-crimes target the confidentiality, integrity, or availability (the CIA triad) of resources via the application. The cyber-attacker also may gain access to manipulate other data points of the application and application users. Attackers typically rely on specific tools or methods to perform application vulnerability discovery and compromise.

Cyber-attacks are proliferating in every state, so the sharing of security information is critical to quickly identify new or morphed cyber-families of malware. Unfortunately, some attacks are reported reluctantly because of trust issues between customers and law enforcement. Figure 1-2 presents detailed data from the NVD of vulnerability totals over the years.

Figure 1-2. Relative vulnerability type totals by year, from the NVD database

Companies are losing intellectual property by the terabytes, petabytes, and exabytes yearly to cyber-crime, cyber-espionage, and cyber-terrorism.
Future attacks may include a cyber-conflict beyond what was seen in the 2016 U.S. elections.

■ Security Tip The loss of data is not always the end goal of an attacker; sometimes changing source code and leaving it in place is the goal. As an example, during Operation Aurora in 2010, attackers targeted technology companies including Google and modified their source code repositories.

As a CEO, you need to create a cloud security discovery team to provide weekly updates to you and other executives as you prepare to migrate data, servers, and application services to Microsoft Azure. The world as well as private companies are built on digital technology, and we all need to improve security with best practices and continued due diligence through the following types of analysis:

• Intelligent security analytics
• Context-aware security analytics
• Big data security analytics

Also, as the CEO or CIO, you can provide clear objectives and a purpose for the cloud security discovery team using the following five cloud security best practices so your business can migrate to a secure cloud:

• Understand the Microsoft Azure shared security model
• Secure cloud, code, and patch services
• Implement access management and governance
• Validate regulatory compliance and data protection
• Enable a business continuity and recovery model

These best practices are part of the journey to a secure cloud. Your business requires a framework for securing the expansion from your current IT services to the Azure cloud. The areas supported by a framework such as Azure are governance and security policy, cloud administrative management, identity systems and identity and access management (IAM), threat awareness, and data protection.
In addition, the process of moving your business to a secure cloud requires a team effort that is driven by the CEO, with momentum from the board of directors to change a mind-set of “This is the way we’ve always done it” by lowering the cost from operational expenses. For example, budgets can be reallocated from traditional three- or four-year hardware refresh cycles because the Azure cloud platform has a hardware refresh cycle of about every two years. In addition, the monthly billing for infrastructure as a service (IaaS) or platform as a service (PaaS) workload services is included in your company’s investment in Microsoft Azure, so the savings for your company continue to be delivered as business teams leverage Microsoft on a global scale.

■ Security Tip You can download the latest 2017 total cost of ownership document from https://azure.microsoft.com/en-us/resources/total-economic-impact-of-microsoft-azure-paas/.

Understanding Attackers’ Motivation

Businesses have valuable assets, but one of the most difficult tasks is assessing the value of some business assets. To state the problem another way, what is the value of an asset, and what is the cost to the business if it is compromised? Placing a value on a business’s physical asset is easy, but determining the cost of compromise is often difficult, especially if the business doesn’t understand security impacts. The loss of assets impacts the business directly and indirectly. The direct impact is the cost to keep, maintain, or replace the asset if it is stolen or compromised. An example of a compromise is the possibility of a ransomware attack. In this instance, the cost of a security breach is often difficult to calculate because there is no single formula that includes the costs of potential fines, hours to remediate, and loss of business related to the damage done to the brand. Figure 1-3 shows an NVD visualization of security severity.
The purpose of viewing data facts in this type of visualization is to put attention on the impact a security breach has, based on severity (high, medium, low) over time.

Figure 1-3. Graph showing the distribution of vulnerabilities by severity over time

This data breach visualization is a live version that is included as part of a larger project. However, for our purposes, this is the type of information from the online database tool that can be used in live presentations to your board of directors to gain insight into, or amplify, the overall effect of a security breach.

■ Security Tip NIST updates the severity levels of threats at https://nvd.nist.gov/vuln-metrics/visualizations/cvss-severity-distribution-over-time. This type of data is similar to other projects, like the one created by David McCandless, a London-based author, writer, and designer. You can access his project at www.informationisbeautiful.net/. You can find a friendly guideline for using the tool for education and internal meetings at www.informationisbeautiful.net/licensing/, and the security breach information provides current data at www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/.

Editing the visualization with the appropriate data is helpful to remove all the noise and focus more on the type of business (such as legal, healthcare, web) and type of attack, leak, or hack. The indirect impact to the business is hard to quantify because of the unknowns about how the asset’s loss affects the business in totality. A business impact caused by security vulnerabilities requires a different perspective and introduces a different severity cost, or penalty, if you will, based on the impact. Using a real-world example often helps executives gain insight into the unknown costs of security vulnerabilities. The question most customers ask is, why would an attacker want to attack me?
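The distribution behind Figure 1-3 can be reproduced from raw NVD records, and the same aggregation yields a KRI a CISO can put in front of the board. The Python below is an added example, not from the book: the records are constructed (not real CVEs, the ids are placeholders), and the HIGH/MEDIUM/LOW bands are NVD's CVSS v2 thresholds applied to the 0-to-10 CVSS base score that the Note in the Microsoft SIR section later in this chapter describes.

```python
"""Bucket NVD-style vulnerability records into CVSS severity bands per year
and derive a key risk indicator (KRI) from the result.

Added example, not from the book.  SAMPLE_VULNS is constructed data in a
simplified NVD-like shape; the ids are placeholders, not real CVE numbers.
"""
from collections import defaultdict

# Constructed sample records (placeholder ids, not real CVEs).
SAMPLE_VULNS = [
    {"id": "EX-0001", "published": "2014-02-11", "cvss_v2": 9.3, "summary": "Buffer overflow in media parser"},
    {"id": "EX-0002", "published": "2014-05-30", "cvss_v2": 4.3, "summary": "Cross-site scripting in admin portal"},
    {"id": "EX-0003", "published": "2014-11-04", "cvss_v2": 2.1, "summary": "Information leak in error page"},
    {"id": "EX-0004", "published": "2015-01-19", "cvss_v2": 7.5, "summary": "SQL injection in search form"},
    {"id": "EX-0005", "published": "2015-06-02", "cvss_v2": 5.0, "summary": "Cross-site request forgery in settings"},
    {"id": "EX-0006", "published": "2015-09-14", "cvss_v2": 10.0, "summary": "Code injection via crafted upload"},
    {"id": "EX-0007", "published": "2015-12-01", "cvss_v2": 3.5, "summary": "Weak default permissions"},
    {"id": "EX-0008", "published": "2016-03-08", "cvss_v2": 7.2, "summary": "Privilege escalation in service"},
    {"id": "EX-0009", "published": "2016-08-21", "cvss_v2": 6.8, "summary": "Input validation flaw in parser"},
    {"id": "EX-0010", "published": "2016-10-30", "cvss_v2": 9.0, "summary": "Code injection in template engine"},
]

SEVERITIES = ("LOW", "MEDIUM", "HIGH")


def cvss_v2_severity(score: float) -> str:
    """Map a CVSS v2 base score (0.0-10.0) to the NVD severity band.

    NVD's v2 bands: LOW 0.0-3.9, MEDIUM 4.0-6.9, HIGH 7.0-10.0.
    Out-of-range scores are rejected rather than silently bucketed.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def keyword_filter(records, keyword):
    """Mimic the NVD keyword search: case-insensitive match on the summary."""
    kw = keyword.lower()
    return [r for r in records if kw in r["summary"].lower()]


def severity_by_year(records):
    """Return {year: {"LOW": n, "MEDIUM": n, "HIGH": n}}, the data behind Figure 1-3."""
    counts = defaultdict(lambda: dict.fromkeys(SEVERITIES, 0))
    for rec in records:
        year = int(rec["published"][:4])  # ISO date: the year is the first four characters
        counts[year][cvss_v2_severity(rec["cvss_v2"])] += 1
    return dict(sorted(counts.items()))


def high_severity_kri(by_year):
    """KRI: share of HIGH findings per year and its change from the prior year.

    Returns {year: (share, delta)}; delta is None for the first year on record.
    """
    kri = {}
    prev = None
    for year, counts in by_year.items():
        total = sum(counts.values())
        share = round(counts["HIGH"] / total, 3) if total else 0.0
        kri[year] = (share, None if prev is None else round(share - prev, 3))
        prev = share
    return kri


if __name__ == "__main__":
    dist = severity_by_year(SAMPLE_VULNS)
    for year, counts in dist.items():
        print(year, counts)
    for year, (share, delta) in high_severity_kri(dist).items():
        trend = "n/a" if delta is None else f"{delta:+.3f}"
        print(f"{year}: HIGH share {share:.1%} (change {trend})")
    print("code injection:", [r["id"] for r in keyword_filter(SAMPLE_VULNS, "code injection")])
```

Feeding the same functions an NVD export restricted to the products your business actually runs turns the public chart into a KRI for your own estate.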
Some of the information is provided through a much longer report, the Verizon Data Breach Investigations Report (DBIR), discussed later in this chapter. However, Figure 1-4 provides motivations over a number of years.

Figure 1-4. Verizon DBIR showing financial motivation changes over the years. Reprinted with permission. Verizon 2016 Data Breach Investigations Report.

The attacker or attacking nation is most likely after financial gain, as shown in Figure 1-4. However, your company may not be a financial institution. Money in bitcoins for attackers who use ransomware is a motivation for attacking small and medium-sized businesses. I recommend you read the Microsoft SIR and Verizon DBIR reports to understand the other motivations. If time does not allow you to read the reports from cover to cover, the executive summaries of both are also informative. The following example illustrates the difficulty in measuring the total dollar impact of an “unsecured” solution. This requires a greater and more impactful conversation regarding the need to include security due diligence and due care.

LARGE-SCREEN TELEVISION FOR LOCAL CORPORATE ADVERTISEMENT

Contoso Marketing Corporation has an internal marketing team that had funds available from their end-of-fiscal-year marketing budget, so they purchased several large-screen smart televisions to be used throughout the next year to promote local events that the company sponsors. The team wanted to drive awareness internally and gain support for internal employees to volunteer at these events. Additionally, the smart TVs would be used at an event to showcase Contoso Marketing Corporation’s support for the community. Their “impromptu” business plan was to take the inexpensive smart TVs and connect them to a corporate guest wireless Wi-Fi network internally and to free local Wi-Fi networks near the downtown event sites.
The Wi-Fi connection would allow them to download company-branded promotional videos of sponsored events. To enable the marketing event to become a business-supported project, a corporate policy requires security analyses to be performed on any Internet-connected equipment. The Contoso Marketing Corporation security team evaluated the security risk to the business by connecting one of the smart TVs to the Internet guest Wi-Fi and performing security tests, including a security penetration test. The security team’s report identified several vulnerabilities and required several thousand dollars of security measures to be purchased by Contoso Marketing Corporation before the security team would sign off on the business requirements stating that the device had been secured as a company asset.

The CISO asked to meet with representatives from the internal marketing team to explain the security assessment findings, receive agreement on the cost of security, and move forward with supporting the use of the smart TV installations. The internal marketing team was astonished to read the report that said several thousand dollars in security assets were required, when the original plan was for a few hundred dollars for the purchase of smart TVs. The CISO explained that the connectivity of a smart TV to the Internet would create a security risk to the company if the systems were compromised.

The CISO explained that the penetration testing on the test television set revealed a known backdoor enabled by the TV manufacturer. The company that created the software used an open source operating system and created a second default administrator account and password that could be used in the event of support and future updates to the smart TV software. This administration account was identified on Internet hacking blogs and was a known security vulnerability. To secure each smart TV from potential harm, a security firewall would be required to prevent a hacker from compromising the television.
The manager for the internal marketing team suggested that if one of the promotional events had a compromised television, they could simply replace it, since the price point of each TV was very low. The CISO then asked: What is the cost to the company if the smart TV were compromised and the event-sponsored video were replaced with a video of pornography? What is the cost when the brand of the business is compromised and loss of business results from the compromise? What is the total financial impact from this single security vulnerability if a smart TV were compromised and used as part of a larger distributed denial-of-service (DDoS) attack on another business? If that business files a lawsuit against Contoso, what is the financial impact of that? The result was that the smart TVs were returned, and the internal marketing team started requesting a security team representative to attend planning events to gain security guidance at the beginning of a marketing plan rather than at the end.

This real-world example quickly brings into focus the financial impact of “brand” for many businesses with a security vulnerability that, if not remediated, may affect their customer base. The example did not involve loss of customer credit card information like the well-publicized attacks on several household names such as Target and Home Depot. Companies such as these are investing in their current workforce by providing security training. In the next section, you’ll gain valuable insight through free reports from major professional security organizations. The individual reports vary but together complement the global security view and should be digested to gain clarity on potential impacts based on the type of business, attacker methods, and security countermeasures.
■ Security Tip The breach examples of Target and Home Depot were publicized through September 2014 and can be found using a Bing or Google search. In these two examples, the data breach was caused by the same malware family. To learn more about the specific malware family, refer to Brian Krebs’ blog at http://krebsonsecurity.com/tag/target-data-breach/.

Remain Current Through Security Facts

Security analysis is the key to remaining agile as the number and impact of security breaches continue to be announced publicly. You, as a security professional, must stay aware to show support for boards of directors as they significantly increase their focus on cloud information security, hybrid network cybersecurity, and IT risk management. Your security team requires up-to-date resources that provide a global view of international cyber-armies, with in-depth information about their attack vectors, weaponized payloads, and industry-specific targeting.

Returning to a topic from the “Executive Summary” section, there are several key annual security publications that should be required reading. This list is not all that should be reviewed, but it’s a good start for publications published yearly and biyearly. Infrastructure teams new to security should start with this list, reading the most current publication and then the reports from the previous three years. The value of reading the current publications is to understand current cyber-attacks. As you read the older publications, you’ll notice the commonalities among the bad actors and families of malware. What is sometimes seen is the resurgence of previously successful attacks, but with modifications and new signatures.
The following list is a starting point for cloud architects who are new to cybersecurity:

• Microsoft Security Intelligence Report (SIR)
• Verizon Data Breach Investigations Report (DBIR)
• IBM-sponsored Ponemon Cost of Data Breach Study
• Other security reports:
  • Cisco Annual Security Report
  • FireEye M-Trends 2017 Annual Security Report
  • Georgia Tech Emerging Cyber Threats Report

Microsoft Security Intelligence Report

You need to have good guidance on protecting your Microsoft Azure cloud subscription with solutions that include Azure Security Center, but an overall view of the cybersecurity landscape, with its attacks and weaponized payloads, is required to “level set” your security research team. Many Microsoft customers are not aware of the SIR, and others have not realized the depth of information, understanding, and guidance provided by this free publication. (Microsoft does not allow the reuse of its data graphs, which is why they do not appear in this section.)

Brash cyber-attacks continue with increased agility and newer, more sophisticated tool suites, with what can only be interpreted as methodical methods. Some of these criminals are very organized and use cyber-tactics whose complexity provides evidence of state-sponsored attacks, including cyber-espionage and cyber-terror. Some of the weaknesses in the security layering include the data provided by end users on social media sites and the many attackers using proven social engineering and zero-day vulnerabilities to break into corporate networks. While attackers access a network in order to gain considerable knowledge, steal data, breach privacy, or steal money, once the breach is made public, the erosion of the public shopper’s trust in the business begins. For well-protected enterprises using many layers of security, attacks are incredibly expensive, costing them millions per incident.
The greater damage to a company’s brand is difficult to put into a dollar amount.

■ Note The SIR document uses the Common Vulnerability Scoring System (CVSS) as the Microsoft SIR standardized, platform-independent scoring system. It is used for rating IT vulnerabilities. The CVSS base metric assigns a numeric value between 0 and 10. Factors such as potential impact, access vectors, and ease of exploitation are included in the number rating. Bigger numbers represent a greater severity.

The information helps identify the many different types of attempts to exploit a security vulnerability. This illustrates the need to stay informed about vulnerabilities not just in the operating system but in all applications used on business systems. Additionally, you need to be aware of the use of exploit kits, which may have the ability to try different exploit methods rather than a single exploit type.

“The Angler kit (Axpergle) appears clearly to be targeted predominantly at wealthier countries and regions in Europe and the Americas, possibly because of a belief that computers in those areas have more valuable data to steal than in others.”

■ Security Tip An exploit kit is software written by hackers and sold to be used by other hackers. The kit is usually easy-to-use web-based software that makes it easy for attackers to target specific populations, countries, operating system versions, browsers, and more.

Reading through the report, you can see that thousands of such attacks were reported in 2015 and 2016. There are other annual security reports introduced in this chapter, and these two common threads appear in all of them:

• Hackers breached networks in minutes.
• It took IT security teams more than 100 days to discover a breach.

The Microsoft information comes from the many different operating systems that are being used in the world and that report data to online services.
Information in the Microsoft SIR identifies the individual threat types by category, with Trojans being the most common. As you read through the SIR information, you may notice the amount of data that is collected to help identify common themes of hackers and attack vectors. In addition to the global data provided in the SIR, the Microsoft IT team also includes data from internal systems, including Windows Defender, System Center Endpoint Protection (SCEP), Windows Event Forwarding (WEF), DirectAccess, forensics, and the manual submission of suspicious files. If you are asking how much data is analyzed, refer to the following quote:

“Microsoft IT provides information technology services internally for Microsoft employees and resources. Microsoft IT manages more than 600,000 devices for more than 150,000 users across more than 100 countries and regions worldwide.”

One of the many reasons to read the Microsoft SIR is that the information is provided by a security team and includes best practices you can use as standards. For instance, according to the SIR, a security-compliant system requires the following: the computer must be connected to the Microsoft network, it must be running the latest version of the Defender or SCEP client, the anti-malware signatures must be no more than six days old, and real-time protection must be enabled.

Because attackers’ techniques seem to be evolving at a faster pace than in past years and have become more sophisticated, the security layering approach needs to become smarter to provide valuable security guidance to large enterprises. If you ask IT directors, they most likely will tell you they need a full-fledged advanced threat protection solution that identifies attacks as fast as possible with wide-ranging intelligence, built-in actionable remediation, and less maintenance.
Azure Security Center is clearly positioned as a cloud service (refer to Chapter 3), and the solution provides automated responses that in many applications remediate and then alert on the threat potential. The need to automate security alerts is a critical component because even professional developers can provide attackers with an unexpected advantage.

■ Security Tip For example, many developers leverage public code repositories such as GitHub because they can use it without the need to build and support their own repository infrastructure. However, developers can accidentally publish digital credentials through “access tokens” on GitHub.

Accidentally publishing access tokens on public code sites is, unfortunately, common. Your cloud services can be compromised by attackers who search for and find these mistakes. Attackers have even created bots with an algorithm that searches GitHub 24 hours per day for API keys.

Why It Is Important

The Microsoft Security Intelligence Report focuses on software vulnerabilities, software vulnerability exploits, malware, and unwanted software. Past reports and related resources are available for download at www.microsoft.com/sir. The Microsoft Security Intelligence Report has been released twice a year since 2006.

The Microsoft Security Intelligence Report used in this example focuses on the first and second quarters of 2016, with trend data for the last several quarters presented on a quarterly basis. The reports are updated each year with three different options to freely review and share them:
• SIR entire report
• SIR key findings
• SIR regional threats

“Each volume is based upon data collected from millions of computers all over the world, which not only provides valuable insights on the worldwide threat landscape, both at home and at work, but also provides detailed information about threat profiles faced by computer users in more than a hundred individual countries and regions.”

As an example of the SIR data findings, we can look at phishing. Attackers can trick an end user, through a phishing e-mail, into installing software that looks for the end user’s cloud storage folder. The software replaces the user’s cloud storage synchronization token with the attacker’s cloud storage token, and then the attacker receives a copy of each file stored in the cloud folder. This type of attack is called a man-in-the-middle attack, but since it is aimed at cloud storage, the company Imperva coined the phrase man-in-the-cloud attack.

■ Security Tip To download a copy of the Imperva report, go to https://www.imperva.com/docs/HII_Man_In_The_Cloud_Attacks.pdf.

Where to Download

The free Microsoft Security Intelligence Report download page (https://www.microsoft.com/security/sir/default.aspx) provides the latest SIR report, key findings, and regional threats. Also, you have access to a link to all downloads of previous editions. You are required to enter company and personal information, so read about the sharing of data in the acceptable use policy before completing the form.

Verizon 2017 Data Breach Investigations Report

Verizon has released the DBIR report for the past ten years, and the 2017 edition was recently made available. The DBIR provides the timely information needed to understand the things that threaten the security of your business.
The 2017 DBIR effectively exposes a worldview of cybersecurity with more than “40,000 incidents, including 1,935 confirmed data breaches.” You can use this information as part of narratives and slides at board of directors meetings and executive briefings to tell the “security story” and help the business make clear connections between cybersecurity and business objectives. Figure 1-5 shows highlights of who is behind the breaches.

Figure 1-5. Verizon 2017 DBIR executive summary of who is behind the breaches

In the 2017 report, you will see the latest data concerning the following:

• Which business sector faces the most impactful cybersecurity threats, with updated information on the mitigations of those threats
• Who was attacked and, more importantly, the entry point that needs to be reviewed in your own business
• What motivates the bad actors

In the “Executive Briefing” section, there is more data, as shown in Figure 1-6, that identifies the hacking, malware, and social engineering efforts to penetrate the layers of network security.

Figure 1-6. Executive summary of tactics from the 2017 DBIR

The Verizon 2017 Data Breach Investigations Report provides great insight into the attackers’ motives, patterns, and attack methods. You can find a detailed discussion in Appendix B that leverages the visual information in the 2017 DBIR graphs. Please refer to the DBIR report updates to gain insight into the cybersecurity attackers’ ability to compromise networks and exploit vulnerabilities.

■ Security Tip You can download the 2017 DBIR at www.verizonenterprise.com/verizon-insights-lab/dbir.

Verizon 2016 Data Breach Investigations Report

The Verizon 2016 DBIR report features incidents in 82 countries and across numerous businesses and industries.
The nine incident classification patterns identified in the 2014 report, and the nine categories that still cover most incident classes through 2017, indicate how attacks continue to gain profitable results. There are no dramatic changes (from 2016 to 2017) in the information and data patterns when compared to past years’ DBIR analysis reports. But if you read the reports every year, the research provides interesting data points to gain insight into hacker motivation, tools used, industry attack preferences, and cyber-attack focus. The 2016 report says this:

“This year’s dataset is made up of over 100,000 incidents, of which 3,141 were confirmed data breaches. Of these, 64,199 incidents and 2,260 breaches comprise the finalized dataset that was used in the analysis and figures throughout the report.”

Each of the security reports provides cyber-attack insight; however, the different reporting organizations don’t use the same formatting of data points. Figure 1-7 is from the 2016 DBIR report and provides a visual representation of the time taken to identify a security breach and remove it, known as exfiltration.

Figure 1-7. Verizon DBIR time to compromise and exfiltration. Reprinted with permission. Verizon 2016 Data Breach Investigations Report.

The Verizon DBIR uses a metric called the Vocabulary for Event Recording and Incident Sharing (VERIS). VERIS is a framework to record and share customer-reported security events and incidents that lead to breaches; VERIS can be used by any company because it uses a predictable naming standard for repeatability. VERIS categorizes the data collection by the cyber-action taken, the attack method (such as the relationship to a known malware family, if any), and the asset targeted. The overall DBIR process also captures the timeline, victim demographics, discovery method, impact data, and much more.
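To show what a VERIS-style vocabulary buys a security team, here is an added example (not code from the DBIR, VERIS, or the book): a minimal incident record that accepts only VERIS's actor and action categories, plus a rollup that produces the kind of figures the DBIR charts, such as median days to discovery and to exfiltration. The seven actions and three actors are the real VERIS top-level categories; the record layout and the sample incidents are constructed assumptions, not the full VERIS schema.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# VERIS's top-level enumerations: these seven action categories and three
# actor categories are the real VERIS ones. The record layout below is a
# deliberate simplification and an assumption, not the full VERIS schema.
VERIS_ACTIONS = {"hacking", "malware", "social", "misuse", "error", "physical", "environmental"}
VERIS_ACTORS = {"external", "internal", "partner"}

@dataclass
class Incident:
    actor: str                 # who: external, internal or partner
    action: str                # what: one of VERIS_ACTIONS
    variety: str               # how: e.g. "phishing", "use of stolen creds"
    asset: str                 # target: e.g. "user device", "cloud storage"
    compromised: date          # timeline: first unauthorised access
    discovered: date           # timeline: defender became aware
    exfiltrated: Optional[date] = None   # timeline: data left, if known

    def __post_init__(self):
        # Rejecting free-text categories is what keeps the dataset repeatable.
        if self.actor not in VERIS_ACTORS or self.action not in VERIS_ACTIONS:
            raise ValueError(f"not a VERIS category: {self.actor}/{self.action}")
        if self.discovered < self.compromised:
            raise ValueError("discovery cannot precede compromise")

def summarize(incidents: list) -> dict:
    """DBIR-style rollup: incidents per action and median dwell times in days."""
    by_action = {}
    for i in incidents:
        by_action[i.action] = by_action.get(i.action, 0) + 1
    dwell = [(i.discovered - i.compromised).days for i in incidents]
    to_exfil = [(i.exfiltrated - i.compromised).days for i in incidents if i.exfiltrated]
    return {
        "count": len(incidents),
        "by_action": by_action,
        "median_days_to_discovery": median(dwell),
        "median_days_to_exfiltration": median(to_exfil) if to_exfil else None,
    }

# Constructed sample incidents, not real cases.
SAMPLE = [
    Incident("external", "social", "phishing", "user device", date(2016, 3, 1), date(2016, 3, 29), date(2016, 3, 2)),
    Incident("external", "hacking", "use of stolen creds", "cloud storage", date(2016, 5, 10), date(2016, 7, 19), date(2016, 5, 12)),
    Incident("internal", "misuse", "privilege abuse", "database", date(2016, 6, 1), date(2016, 6, 15)),
    Incident("external", "malware", "C2", "server", date(2016, 8, 4), date(2016, 8, 6), date(2016, 8, 5)),
]
```

Calling `summarize(SAMPLE)` reports four incidents, a median of 21 days to discovery and one day to exfiltration, which is the compromise-versus-discovery gap Figure 1-7 visualizes.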
Like with the other annual security reports, some of the important information is in the details; Figure 1-8 shows some exploit details.

Figure 1-8. DBIR shows days to exploitation after publication. Reprinted with permission. Verizon 2016 Data Breach Investigations Report.

The box plot in Figure 1-8 shows the number of days until an exploit becomes available to hackers after the vulnerability is publicly announced. If you interpret this data, you’ll conclude that Adobe vulnerabilities are “weaponized” quickly, as are some of the Microsoft vulnerabilities. But others take more than 100 days. The Mozilla vulnerabilities take hackers much longer to have an exploit available after public disclosure.

The data collected also provides insight into “phishing” e-mail campaigns. Figure 1-9 provides data about how successful a weaponized e-mail was when it was identified.

Figure 1-9. DBIR report in hours of phishing e-mail being opened and clicked on. Reprinted with permission. Verizon 2016 Data Breach Investigations Report.

Many of the phishing e-mails sent were opened and not just deleted by the end user. The other important statistic shown here is that the e-mail attachment was clicked in a median time of 3 minutes 45 seconds after the e-mail was sent.

■ Security Tip Spear-phishing attacks are weaponized e-mail attachments targeted at a specific person or group of people, like a CEO, a CIO, accounting staff, or billing staff. Attackers get contact names from corporate executive web pages and corporate web sites with published organizational charts. Advanced persistent threat (APT) attacks, like Operation Aurora, used spear-phishing attacks to compromise systems.
Read more about the Aurora attack by downloading a copy of the sans.org white paper at https://files.sans.org/summit/euscada10/PDFs/29%20Pollet%20APT.pdf.

Why It Is Important

The Verizon Data Breach Investigations Report provides details that every security professional should read and use as a reference. You should use the data to educate users, executives, and other IT and security professionals, possibly through “lunch-and-learn” events. One of the useful features in the DBIR is the at-a-glance information provided in a summarized view. Figure 1-10 shows an example of the at-a-glance topics, which are perfect for busy security professionals.

Figure 1-10. DBIR using focused information at a glance to summarize topics. Reprinted with permission. Verizon 2016 Data Breach Investigations Report.

This at-a-glance view helps busy security teams understand the relevance of a security topic, such as credential theft; these focused tables are used throughout the report for quick indexing of data.

Where to Download

To download this report, you will need to enter contact information and accept the usage rights, but the free report has a great deal of security insight. Since you are required to enter company and personal information, you should read about the sharing of data in the acceptable use policy before completing the form. You can find the download page at www.verizonenterprise.com/verizon-insights-lab/dbir/.

IBM-Sponsored Ponemon Cost of Data Breach Study

The 2016 Cost of Data Breach Study: Global Analysis is an excellent report full of information that could be included in a presentation for the CEO, CIO, or CISO. This report provides global evidence of the direct and indirect costs to companies that have experienced and reported data breaches.
The reported data breach information is key because there are some (possibly many) breaches that are not reported because personally identifiable information (PII) data was not exposed. Many companies follow the payment card industry legal requirements about reporting breaches and do not publicly provide information that includes PII data. This is information such as who, when, how, and why. The data provided in the global study encompasses the following:

• 383 companies in 12 countries
• $4 million in average total cost of a data breach
• 29 percent increase in total cost of a data breach since 2013
• $158 average cost per lost or stolen record
• 15 percent increase in per-capita cost since 2013

The dollar amounts used in the report are in U.S. dollars, and the overall message is that the cost of breaches is increasing and has a global impact on companies and countries. In the IBM-sponsored report, the data breaches need to fit a specific definition of compromised records. Figure 1-11 shows the number of breached records by country; in the United States, the number is 29,611, and these are only the breached records that were reported. The fact that the number was near 30,000 in 2016 is disturbing indeed.

Figure 1-11. Ponemon report for number of breached records by country. Reprinted with permission. Benchmark research sponsored by IBM. Independently conducted by Ponemon Institute LLC.

The information provided in this report echoes other security data breach reports, and the fact that some industries had higher data breach costs than others across the globe should help those industries consider investing “differently” (in solutions supporting artificial intelligence, AI) in cybersecurity defense.
Figure 1-12 shows the per-capita cost for sample industries such as healthcare, education, and financial organizations, which have substantially higher costs than the overall mean of $158 per lost or stolen record.

Figure 1-12. Per-capita cost by industry classification. Reprinted with permission. Benchmark research sponsored by IBM. Independently conducted by Ponemon Institute LLC.

Why It Is Important

Security analysts look for credible security information to help provide evidence of potential cyber-attacks based on industry, country, impact cost, and root cause. Reports like the one conducted by the Ponemon Institute are needed to gain a global view of the cybersecurity issues from both a global perspective and an industry outlook.

Where to Download

There are many reports provided by IBM that offer a great deal of insight for novice and seasoned security professionals. You are required to enter company and personal information, so read about the sharing of data in the acceptable use policy before completing the form. You can find the download page at https://www-03.ibm.com/security/data-breach/.

Other Annual Security Reports

Time is never an asset for the security “blue” team, and the same is true for cybersecurity. However, additional reports are available and should become incorporated in the daily conversations and weekly summarization for the CEO, CIO, and CISO. You do not want to simply reprint the many data points in these reports; you should review the reports discussed in this chapter specifically to “tell the story through a
