15 Years of Web Security: The Rebellious Teenage Years
Jeremiah Grossman, Founder, WhiteHat Security, Inc.
© 2015 WhiteHat Security, Inc.
Jeremiah Grossman
Hacker
OWASP WebAppSec Person of the Year (2015)
Brazilian Jiu-Jitsu Black Belt

WhiteHat Security
We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed before the bad guys exploit them.
Founded: 2001
Headquarters: Santa Clara, CA
Employees: 300+
Active Customers: ~1000
Fortune 500: 63
Commercial Banks: 7 of the Top 18
Largest Banks: 10 of the Top 50
Software: 6 of the Top 16
Consumer Financial Services: 4 of the Top 8

My Areas of Focus
Threat actors: innovating, scaling, or both?
The intersection of security guarantees and cyber-insurance
Vulnerability remediation: lowering costs, easing the burden, and prioritization
SDLC processes that measurably improve software security
Addressing the application security skill shortage

Threat Actors
Hacktivists
Organized Crime
Nation-State
Terrorists (?)

Web App Attacks Adversaries Use
“This year, organized crime became the most frequently seen threat actor for Web App Attacks.”
Verizon 2015 Data Breach Investigations Report

Security Industry Spends Billions
“2015 Global spending on information security is set to grow by close to 5% this year to top $75bn, according to the latest figures from Gartner.”

Vulnerability Likelihood

Average Time-to-Fix (Days)

Windows of Exposure
A large percentage of websites are always vulnerable:
60% of all Retail websites are always vulnerable
52% of all Healthcare and Social Assistance websites are always vulnerable
38% of all Information Technology websites are always vulnerable
39% of all Finance and Insurance websites are always vulnerable
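The "always vulnerable" figures above, and the time-to-fix chart before them, are both derived from per-finding open and close dates. As an added example (not code from the presentation or from WhiteHat), the following block computes a per-site window of exposure, the number of days in a year on which the site had at least one open serious vulnerability, and the average time-to-fix from the same records. The band boundaries in BANDS, the day-counting convention (exposed from the day a finding is confirmed up to but not including the day its fix is verified) and the sample findings are assumptions and constructed data, not figures from the slides.

```python
# Added example: computing a per-site Window of Exposure and average time-to-fix
# from a vulnerability record set. Not code from the presentation or from WhiteHat;
# the band boundaries, the day-counting convention and the sample findings are
# assumptions / constructed data.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    site: str
    opened: date            # day the serious vulnerability was first confirmed
    closed: Optional[date]  # day the fix was verified; None = still open


# Assumed band boundaries (days exposed per year), modelled on WhiteHat's
# published Window of Exposure classes; check them against the current report.
BANDS: Tuple[Tuple[int, str], ...] = (
    (365, "Always Vulnerable"),
    (271, "Frequently Vulnerable"),
    (151, "Regularly Vulnerable"),
    (31, "Occasionally Vulnerable"),
    (0, "Rarely Vulnerable"),
)


def exposed_days(findings: List[Finding], year: int) -> int:
    """Number of days in `year` on which at least one finding was open.

    Overlapping findings are unioned, not summed: two open vulnerabilities on the
    same day still count as one exposed day. A finding is exposed from the day it
    was confirmed up to, but not including, the day its fix was verified.
    """
    first, last = date(year, 1, 1), date(year, 12, 31)
    exposed = set()
    for f in findings:
        start = max(f.opened, first)
        stop = last if f.closed is None else min(f.closed - timedelta(days=1), last)
        d = start
        while d <= stop:          # empty range if closed before `first` or opened after `last`
            exposed.add(d)
            d += timedelta(days=1)
    return len(exposed)


def classify(days: int) -> str:
    """Map a day count onto a Window of Exposure band (assumed boundaries)."""
    for floor, label in BANDS:
        if days >= floor:
            return label
    raise ValueError("negative day count")


def average_time_to_fix(findings: List[Finding]) -> Optional[float]:
    """Mean days from confirmation to verified fix, over resolved findings only.

    Open findings are excluded rather than clamped to 'today', so the figure is
    optimistic: a site with one long-standing unfixed bug can still show a short
    average time-to-fix. Report it alongside the exposure figure, not instead of it.
    """
    durations = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return sum(durations) / len(durations) if durations else None


def report(findings: List[Finding], year: int) -> Dict[str, Tuple[int, str, Optional[float]]]:
    """Per site: (exposed days, band, average time-to-fix in days)."""
    by_site: Dict[str, List[Finding]] = {}
    for f in findings:
        by_site.setdefault(f.site, []).append(f)
    out: Dict[str, Tuple[int, str, Optional[float]]] = {}
    for site, fs in by_site.items():
        days = exposed_days(fs, year)
        out[site] = (days, classify(days), average_time_to_fix(fs))
    return out


# Constructed sample data (not real sites or real findings).
SAMPLE: List[Finding] = [
    # shop.example: an injection flaw found in 2013 and never fixed keeps the site
    # exposed every day of 2014, whatever else gets remediated in the meantime.
    Finding("shop.example", date(2013, 11, 3), None),
    Finding("shop.example", date(2014, 5, 1), date(2014, 5, 21)),
    # corp.example: three findings, all fixed, none overlapping.
    Finding("corp.example", date(2013, 12, 22), date(2014, 1, 5)),   # 4 exposed days in 2014
    Finding("corp.example", date(2014, 3, 1), date(2014, 3, 31)),    # 30 exposed days
    Finding("corp.example", date(2014, 9, 10), date(2014, 9, 26)),   # 16 exposed days
]

if __name__ == "__main__":
    for site, (days, band, ttf) in report(SAMPLE, 2014).items():
        print(f"{site}: {days} days exposed, {band}, avg time-to-fix {ttf}")
```

Note that both sample sites come out with the same average time-to-fix (20 days) while one is exposed 365 days and the other 50: the time-to-fix average only sees findings that were actually closed, which is exactly why a window-of-exposure figure is the more honest headline number.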

Ranges of Expected Loss by # of Records
Verizon 2015 Data Breach Investigations Report

Result: Every Year is the Year of the Hack
“In 2014, 71% of security professionals said their networks were breached. 22% of them victimized 6 or more times. This increased from 62% and 16% respectively from % said their organizations will likely be successfully hacked in the next 12 months. This is up from 39% in 2013.”
Survey of security professionals by CyberEdge

Downside Protection
As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth.
It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance.

Downside Protection
“Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.”
“Home Depot reported $43 million in expenses related to its September 2014 hack, which affected 56 million credit and debit card holders. Insurance covered only $15 million.”

Downside Protection
“Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say. Insurers providing excess layers of cyber coverage include: Lloyd's of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.”

– 2015 New Security Investment vs. Cyber-Insurance
Cyber-Security Insurance: ~$3.2 billion in new spending (+67%) (Gartner: Oct 2015)
Information Security Spending (Global): ~$3.8 billion in new spending (+4.7%)

Ever notice how everything in the information security industry is sold “as is”?
No Guarantees
No Warranties
No Return Policies

No More Snake Oil

“The only two products not covered by product liability are religion and software, and software shall not escape much longer.”
Dan Geer (CISO, In-Q-Tel)

Software Security Maturity Metrics Analysis
The analysis is based on 118 responses to a survey sent to security professionals to measure the maturity of application security programs at various organizations. The survey responses are correlated with the data available in WhiteHat Sentinel to get deeper insights. Statistics pulled from Sentinel are for the 2014 timeframe.

If an organization experiences a website data or system breach, which part of the organization is held accountable, and what is its performance?
56% of all respondents did not have any part of the organization held accountable in case of a data or system breach.
Please rank your organization’s drivers for resolving website vulnerabilities (1 the lowest priority, 5 the highest).
Primary reason cited for resolving website vulnerabilities:
Compliance: 15% of respondents
Corporate Policy: 6% of respondents
Risk Reduction: 35% of respondents
Customer or Partner Demand: 19% of respondents
Other reasons: 25% of respondents

There Are No Best-Practices

Questions?
Thank you!
Jeremiah Grossman, Founder, WhiteHat Security, Inc.