Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted.

Presentation transcript:

Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

CYBERCRIME
The Actors, Their Actions, and What They're After
Wade H. Baker

2 PROPRIETARY STATEMENT
This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon’s service. This document and any attached materials are not to be disseminated, distributed, or otherwise conveyed throughout your organization to employees without a need for this information or to any third parties without the express written permission of Verizon. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.

3 Assumptions
GOALS:
  You want to BE secure (enough)
  You want to KNOW you are secure
  You need to PROVE you are secure
CONSTRAINTS:
  You have limited RESOURCES
  You have limited DATA

4 RISK Intel: What We Do
Diagram labels: External Data; Internal Data (Products & Services); Collection; Analysis; Distribution; Risk Intel Team; Products; Personnel; Public

5 RISK Intel: Internal Data
Diagram labels: Practice; Knowledge; Products & Services; Framework; Models; Data
Goal: Every product and service creates revenue but also contributes and consumes intelligence

6 InfoSec Data
“If you can’t measure…

7
You want to BE secure (enough)
You want to KNOW you are secure
You need to PROVE you are secure
…you can’t manage

8
Results are based upon practices
Practices are based upon beliefs
Beliefs are based upon data
Therefore
Data drives results by changing beliefs

9 The Basis of Belief
Are squares A & B the same color?
Evidence: Claim, Logic, Experience, Measurement

10 The Basis of Belief

11 The Basis of Belief

12 The Basis of Belief
Evidence: Claim, Logic, Experience, Measurement
What forms the basis of your information security program?

13
UNCERTAINTY
Not enough data
Poor quality data
Garbage in, Garbage out
Too many unknowns
Risk factors change
Can’t predict rare events
Inadequate models
Time consuming
Overly difficult
Not aligned with business
Too much techno babble
Too much biz speak
IMPOSSIBLE, IMPRACTICAL, UNKNOWABLE, UNRELIABLE
Sound Familiar?

14 Lessons from Organizational Theory
UNCERTAINTY = Data

15
“…we will create a National Digital Security Board modeled on the National Transportation Safety Board. The NDSB will have the authority to investigate information security breaches reported by victim organizations. The NDSB will publish reports on its findings for the benefit of the public and other organizations, thereby increasing transparency in two respects. First, intrusions will have real costs beyond those directly associated with the incident, by bringing potentially poor security practices and software to the attention of the public. Second, other organizations will learn how to avoid the mistakes made by those who fall victim to intruders.”
-- Remarks by the president on securing our nation’s cyber infrastructure May 29,

16
“Without knowledge there is no understanding; without understanding there is no knowledge”
A Wise Proverb

17 Lessons from Organizational Theory
EQUIVOCALITY = Framework

18 Greatest Threat?
Hackers
Insiders
Network intrusion
Human errors
Targeted attacks
Software vulnerabilities
Securing web apps
Internet infrastructure
Large databases
Data compromise
Downtime
Brand damage
(All of these aren’t “threats”)

19 Define the Problem
Threat
An “incident” can be described by the following components:
  1. Agent: Source of the threat
  2. Action: Threat type or method
  3. Asset: Target of attack
  4. Attribute: Security property affected (CIA)
Example:
  Agent: Internal privileged administrator
  Action: Abuse of access privileges
  Asset: Structured data repository
  Attribute: Confidentiality

20 Lessons from Organizational Theory
DAFT, R. AND LENGEL, R Organizational Information Requirements, Media Richness and Structural Design. Management Science, 32, 4,

21 RISK Intel: What We Do
Diagram labels: External Data; Internal Data (Products & Services); Collection; Analysis; Distribution; Risk Intel Team; Products; Personnel; Public

22 Data Breach Investigations Report

23 Methodology
Data Source
  Verizon Business Investigative Response Team
Collection and Analysis
  Case metrics collected during and after investigation
  Anonymized then aggregated for analysis
  Risk Intelligence team provides analytics
Data Sample
  5 years of paid forensic investigations
    – Not internal Verizon incidents
  ~600 breaches in sample
    – Actual compromise rather than data-at-risk
    – Both disclosed and non-disclosed
    – Most of the largest breaches ever reported

24
All Breaches
Data Sample
What can we learn?

25 Breach Sources
External sources
  90+% of stolen records linked to organized crime
Internal sources
  Roughly equal between end-users and IT admins
Partner sources
  Mostly hijacked third-party accounts/connections

26 Breach Sources
Insider breaches typically larger…
…but overall, outsiders more damaging

27 Breach Methods
Most breaches and records linked to Hacking & Malware
Misuse is fairly common
  – Mostly abuse of authorized access
Physical attacks
  – Theft and tampering most common
Deceit and social attacks
  – Varied methods, vectors, and targets
Error is extremely common
  – Usually contributory (62%) rather than direct cause (3%)
  – Mostly omissions followed by misconfigurations
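Added example (not part of the original slides): the four-component incident description from slide 19 encoded as a record, then aggregated the way the breach-method percentages on slide 27 are read, where one breach can involve several methods and error can be contributory or direct. The field names, the role tag, the lowercase category spellings and the five sample incidents are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Vocabularies follow the slides (agent sources, breach methods, CIA).
# The lowercase spellings and field names are assumptions of this example.
AGENTS = {"external", "internal", "partner"}
ACTIONS = {"hacking", "malware", "misuse", "physical", "deceit", "error"}
ATTRIBUTES = {"confidentiality", "integrity", "availability"}
ROLES = {"direct", "contributory"}


@dataclass(frozen=True)
class Incident:
    agent: str        # source of the threat
    actions: tuple    # ((action, role), ...): one incident, several methods
    asset: str        # target of attack (free text)
    attribute: str    # security property affected

    def __post_init__(self):
        # Reject records outside the agreed vocabulary so counts stay comparable.
        if self.agent not in AGENTS:
            raise ValueError(f"unknown agent: {self.agent!r}")
        if self.attribute not in ATTRIBUTES:
            raise ValueError(f"unknown attribute: {self.attribute!r}")
        if not self.actions:
            raise ValueError("an incident needs at least one action")
        for action, role in self.actions:
            if action not in ACTIONS or role not in ROLES:
                raise ValueError(f"bad action entry: {(action, role)!r}")


def _percent(count, total):
    return round(100.0 * count / total, 1)


def agent_share(incidents):
    """Percent of incidents per agent; each incident has exactly one agent."""
    counts = Counter(i.agent for i in incidents)
    return {a: _percent(n, len(incidents)) for a, n in counts.items()}


def action_share(incidents):
    """Percent of incidents involving each action; totals can exceed 100."""
    counts = Counter()
    for inc in incidents:
        counts.update({action for action, _ in inc.actions})  # once per incident
    return {a: _percent(n, len(incidents)) for a, n in counts.items()}


def error_roles(incidents):
    """Split incidents involving error into direct cause vs contributory."""
    counts = Counter()
    for inc in incidents:
        roles = {role for action, role in inc.actions if action == "error"}
        if "direct" in roles:
            counts["direct"] += 1
        elif roles:
            counts["contributory"] += 1
    return {r: _percent(n, len(incidents)) for r, n in counts.items()}


# Constructed sample incidents, not data from the report.
SAMPLE = [
    Incident("external", (("hacking", "direct"), ("malware", "direct"),
                          ("error", "contributory")), "online server", "confidentiality"),
    Incident("internal", (("misuse", "direct"),),
             "structured data repository", "confidentiality"),
    Incident("external", (("hacking", "direct"), ("error", "contributory")),
             "web application", "confidentiality"),
    Incident("partner", (("hacking", "direct"),),
             "remote access connection", "confidentiality"),
    Incident("internal", (("error", "direct"),), "database", "confidentiality"),
]

if __name__ == "__main__":
    print(agent_share(SAMPLE))
    print(action_share(SAMPLE))
    print(error_roles(SAMPLE))
```

Because actions are counted once per incident rather than once per record, the action percentages overlap and do not sum to 100, which is how the method figures on the slides should be read.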

28 Breakdown of Hacking (60% of breaches)
Default credentials, SQL injection, weak ACLs most common methods
Minority of attacks exploit patchable vulns; Most of them are old
Web applications & remote access connections are main vectors

Patch availability prior to breach
  < 1 month      0%
  1-3 months     4%
  3-6 months     6%
  6-12 months    16%
  > 1 year       74%

*2008 Data
**Vulns expl in 16% of breaches

29 Breakdown of Malware (32% of breaches)
Most malware installed by remote attacker
Malware captures data or provides access/control
Increasingly customized

30 Attack Difficulty and Targeting
Highly difficult & sophisticated attacks not the norm
  – Difficulty usually malware rather than intrusion
Fully targeted attacks in minority but growing
  – % doubled in 2008
Difficult and targeted attacks increasingly damaging
  – Shows ROI is good for skilled attackers

Percentage of Records Breached ‘04-’
  Highly Difficult    68%    95%
  Fully Targeted      14%    90%

31 Breach Timeline
Data compromised within hours/days after breaching perimeter
  – Actually good news for detection & prevention
Breaches go undiscovered for months
  – Ability to detect breaches woefully inadequate (or at least inefficient)
It typically takes days to weeks to contain a breach
  – Poor planning and response procedures

32 Breach Discovery Methods
Most breaches discovered by a third party
Majority of internal discoveries are accidental
Effectiveness of event monitoring far below potential
  – Evidence found in existing log files for 80% of breaches

33 Compromised Assets and Data
Most data breached from online systems
  – Conflicts with public disclosures
Cybercrime is financially motivated
  – Cashable data is targeted
Other types common as well
  – Auth credentials allow deeper access
  – Intellectual property at 5-year high

34 Unknown Unknowns
A SYSTEM unknown to the organization
DATA unknowingly stored on an asset
Unknown or forgotten ICT CONNECTIONS
Accounts and PRIVILEGES not known to exist
“Yes, we’re positive all sensitive data of that type is confined to these systems.”

35 Attack Commonalities
The last year shows much of the same but new twists and trends as well
Sources: Similar distribution; organized crime behind most large breaches
  – Organized criminal groups driving evolution of cybercrime
Attacks: Criminals exploit errors, hack into systems, install malware
  – 2008 saw more targeted attacks, especially against orgs processing or storing large volumes of desirable data
  – Highly difficult attacks not common but very damaging
  – Large increase in customized, intelligent malware
Assets and Data: Focus is online cashable data
  – Nearly all breached from servers & apps
  – New data types (PIN data) sought which requires new techniques and targets
Discovery: Takes months and is accomplished by 3rd parties
Prevention: The basics–if done consistently–are effective in most cases
  – Increasing divergence between Targets of Opportunity and Targets of Choice
      ToO: Remove blatant opportunities through basic controls
      ToC: Same as above but prepare for very determined, very skilled attacks
  – Initial hack appears the easiest point of control

36 Victim Commonalities
False assumptions regarding information assets
Low awareness of network and system activity
Do not necessarily have a terrible security program
Fail to consistently and comprehensively follow “the basics”
Lack of assurance and validation procedures
Cost of prevention orders of magnitude less than impact
An inefficient approach to security
  – Focus too much on things that don’t happen
  – Focus too little on the things that do happen
If you like mnemonics: Visibility, Variability, Viability

37 Recommendations
Align process with policy
Achieve “Essential” then worry about “Excellent”
Secure Business Partner Connections
Create a Data Retention Plan
Control data with transaction zones
Monitor event logs
Create an Incident Response Plan
Increase awareness
Engage in mock incident testing
Changing default credentials is key
Avoid shared credentials
User Account Review
Application Testing and Code Review
Smarter Patch Management Strategies
Human Resources Termination Procedures
Enable Application Logs and Monitor
Define “Suspicious” and “Anomalous” (then look for whatever “It” is)
