Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber Crime Trends.

Similar presentations

Presentation on theme: "Cyber Crime Trends."— Presentation transcript:

1 Cyber Crime Trends

2 The New Landscape Deperimeterisation Social Media: Miracle or Menace?
Where is my data? The Rise of the Targeted attack

3 Types of Cyber Attacks Nuisance Economic Espionage Organised Crime
Hacktivists Objective Launch Points, nuisance Economic Advantage, theft of IP Financial Gain Defamation, Publicity Example Botnet, Spam Advance Persistent Threat Credit Card Theft Anonymous Targeted X Persistent

4 2013 Data Breach Investigations Report

5 2013 Data Breach Investigations Report

6 Who wants my data? 19th February 2013: APT1: Exposing One of China's Cyber Espionage Units Mandiant tracked Comment Crew for 6yrs identifying 141 attacks called APT 1 3000 indicators (domain, IP, MD5) to identify attack source all led to Pudong district of Shanghai, outside HQ of unit 61398 Comment Crew launched RSA attack the volume and sophistication of the attacks so intense that they threaten the fundamental relationship between Washington and Beijing. Unit of the People’s Liberation Army, tasked with ”computer network operations”.

7 Who else wants my data? Utah Data Center
Every cell phone call in Bahamas “archived” Call records of almost everyone inside the United States “collected” Gmail “backdoor access”, Microsoft encryption weakened, denies data center access RSA received $10 million to weaken encryption Truecrypt mysteriously goes offline

8 Next Generation attacks
Google's security team reported Heartbleed on April 1 Affects OpenSSL 17% of the Internet's secure web servers were vulnerable, at time of disclosure on 7th April Bug deemed as catastrophic, and incidents included: Canada Revenue Agency, Community Health Systems (US), Massive password changes required including Akamai, Ars Technica, Bitbucket, BrandVerity, Freenode, GitHub, Mojang, Mumsnet, Pinterest, Reddit, SourceForge, Tumblr, etc... Shellshock: 'bigger than Heartbleed' 25 September 2014! April 2014 Key Points Cannot govern what you don’t understand – and remember the goal of IIG is to mask the complexity of this new era of computing The way to start is understand what you currently have and mapping that to an enterprise view of data Interesting Story Catchy Statement Client Stories In order to define a governance strategy and a process to achieve your organization’s goal, you first have to understand what you have. Without this, you cannot create an effective plan that will support your organization. This process begins with understanding the web of information represented in your enterprise applications and databases. You must understand: - where the data exists and what data elements there are - what relationships exists within systems - what complex relationships exists across and between systems - You have to understand the complex relationships because - where is sensitive data located Many organizations rely on documentation (which is often out-dated) or on system/application experts for this information. Sometimes, this information is built into application logic and is not apparent to anyone the hidden relationships that might be enforced behind the scenes. Think about it as a using a current map to understand your heterogeneous landscape – very similar to driving in an automobile and trying to get from point A to point B. You would not use a map from 20 years ago because the road infrastructure has probably changed. Would you just start driving without any idea of the roads to take, how you are going to plan your stops for a long trip and knowing what risky areas of town you should avoid? Navigating data is the same concept. It’s all about time, cost and risk. Trying to manually understand this information (or using the ‘spot check’ approach) can you lead you down the wrong path resulting in many lost hours in the future including potentially delays for project deployment. An automated result can produce tremendous savings. For example, doing in one week what can take 10 people 10 months. The solutions necessary for the process by which we locate and understand the data relationships: Locate and inventory the databases across the enterprise Again, you can’t govern data if you don’t know where it resides. So ensure your solution can help you discover and document the data entities and the databases that reside in the enterprise. Define business objects* across heterogeneous databases & applications Understand how data is related across the enterprise to better deploy new functionality and ensure that the complete business object is captured when archiving data. Define enterprise-standard data models For example, set up in your data model to estimate database growth capacity to determine when to archive historical data Understand transformation rules to discover data relationships For example if you ever were to retire an application, you need to understand the underlying business logic to ensure you capture the needed related data to ensure your archived files make sense (See example of this in slide 15) Understand relationships required for identifying sensitive data – simple, embedded or compound. How is sensitive data related to other areas across the enterprise? Ensure it’s protected everywhere, consistently. Define and document the privacy & masking rules and propagate to ensure sensitive data will be protected How is that data going to be used? Who should have access to it and why? And as you mask sensitive data in one table, how do you ensure all related data elements are masked with the same information, keeping the referential integrity of the test data? Leverage unified scheme builder to create prototypes before deployment When you think about managing data across it’s lifecycle, at some point, you may need to retire applications and consolidate the data. By pre-testing the data that needs to be consolidated, you can ensure developers can update and/or deploy applications or new functionality with confidence.

9 What about South Africa?
Bank card details leaked - PASA “There are indications at this stage that only a limited number of card details have been accessed by outside organisations, and as a result limited fraud has been perpetrated" – Payment Association of South Africa, CEO Walter Volke “The card data emanating from these online transactions seems to have been stored in a manner which does not meet the stringent security standards expected by PASA”  There was no need for “undue concern” November

10 What about South Africa?
Dexter infects Point of Sale terminals PASA, card schemes and SA’s major banks have taken immediate steps to prevent a further leakage of card details because of a security lapse at a company processing transactions. “All the fast-food retailers have been cleaned out as far as possible, and certainly no one will be out of pocket [as the banks will honour losses].” Unique variant used in SA, original emerged in December 2012. How did the data get out? & who is liable? October

11 (i.e. may reasonably be expected to affect the company's stock price)
Designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Should review, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents, if the costs or consequences with one or more known incidents or the risk of potential incidents represent a material event (i.e. may reasonably be expected to affect the company's stock price) Estimate the impact of cyber incidents and the consequences of failing to implement adequate security. Go beyond privacy, to key operational issues

12 Where is the Risk? Market risk: Credit Risk:
Dealstream collapse in 2008 VOX telecom exposure of R30 million Single Stock Futures gives ABSA R1.4 billion liability Credit Risk: Standard Bank vehicle finance: R504m impairment loss in FY to June 2014 African Bank: R6.4 billion What about cyber crime losses and risk exposure? SABRIC estimates R480 million card fraud losses in 2013

13 Are you ready for a Security Breach?
Conclusion Payment systems are top target of attacks New threat environment: Next generation systemic vulnerabilities Shellshock: 'bigger than Heartbleed' 25 September 2014! Encryption is no longer safe? Changing legal framework New legal implications for data breaches Are you ready for a Security Breach?


Download ppt "Cyber Crime Trends."

Similar presentations

Ads by Google