The topic of security has grabbed headlines over the last few years and indeed the last few weeks, but most of this attention has focused on a small percentage of large enterprises. However, security is not an issue for them alone, as mid-market companies increasingly deal with the same threats.
Join Symantec Website Security Solutions to understand how you can take a proactive website security stance.
A webinar posted here https://www.brighttalk.com/webcast/6331/109323 looks at the size of the Ecommerce market opportunity in the Netherlands, the threat landscape in general, and website security solutions that can help you protect your company.
Website Security Threats: Spotlight on the Netherlands
1. Website Security Threats:
Spotlight on the Netherlands
2 May 2014 9.30am CET
Jane Broderick – Account Manager
Andrew Horbury – Product Marketing Manager
2. Agenda
• The growing market opportunity
• Cybercrime
• Data Breaches
• Website Vulnerabilities & Malware
• Targeted Attacks
• CA breaches
• Diginotar
• Symantec Website Security Solutions
Spotlight on the Netherlands 2
5. Netherlands Ecommerce
• 94% of the 16,7 million Dutch population used the Internet in 2012
• 10.9 million Dutch citizens bought goods and services online, amounting to a total value of €9.8bn in 2012. This represents an increase of 9,1% compared to 2011.
6. Who is affected most by cybercrime?
CYBERCRIME VICTIMS MORE LIKELY TO BE:
• MALE – 64% (COMPARED TO 58% OF FEMALES)
• MILLENNIAL – 66% (COMPARED TO 54% OF BABY BOOMERS)
AND:
• MOBILE DEVICE OWNERS – 63%
• SOCIAL NETWORK USERS – 63%
• PUBLIC / UNSECURED WI-FI USERS – 68%
• EMERGING MARKET – 68%
• PARENT OF CHILDREN 8-17 – 65%
CHINA – 85%; RUSSIA – 77%; SOUTH AFRICA – 73%
Source: 2013 Norton Cybercrime Report
http://bit.ly/1fIP4wf
7. THE GLOBAL PRICE TAG OF CONSUMER CYBERCRIME
EUR82 BN: ENOUGH TO HOST THE 2012 LONDON OLYMPICS NEARLY 10 TIMES OVER
EUR215 AVERAGE COST PER VICTIM: REPRESENTS A 50 PERCENT INCREASE OVER 2012
83% OF DIRECT FINANCIAL COSTS ARE A RESULT OF FRAUD, REPAIRS, THEFT AND LOSS
• FRAUD 38%
• THEFT OR LOSS 21%
• REPAIRS 24%
• OTHER 17%
Source: 2013 Norton Cybercrime Report
http://bit.ly/1fIP4wf
8. THE GLOBAL PRICE TAG OF CONSUMER CYBERCRIME
ALL AMOUNTS IN EUR (at 26 April 2014) ROUNDED TO THE NEAREST BILLION
USA 27 BN; MEXICO 2 BN; BRAZIL 6 BN; EUROPE 9 BN; RUSSIA 1 BN; CHINA 28 BN; INDIA 3 BN; JAPAN 1 BN; AUSTRALIA 1 BN; SOUTH AFRICA 0.2 BN
CANADA 2 BN; SINGAPORE 0.7 BN; NEW ZEALAND 0.1 BN; TURKEY 1.4 BN; SAUDI ARABIA 0.4 BN; UAE 0.2 BN; COLOMBIA 0.4 BN
Source: 2013 Norton Cybercrime Report
http://bit.ly/1fIP4wf
9. • THE GLOBAL PRICE TAG OF CONSUMER CYBERCRIME
– EUR82 BILLION ANNUALLY, COST PER CYBERCRIME VICTIM UP 50 PERCENT
• THE SCALE OF CONSUMER CYBERCRIME
– 1 MILLION+ VICTIMS DAILY
• CREATING PERFECT STORM AS LINES BLUR BETWEEN WORK/PLAY
– 49% USE THEIR PERSONAL DEVICE FOR WORK AND PLAY
– AROUND ONE-IN-FIVE SHARE WORK RELATED INFORMATION WITH FRIENDS AND FAMILY
Source: 2013 Norton Cybercrime Report
http://bit.ly/1fIP4wf
10. Netherlands: State of the nation
• 30% of adults have experienced cybercrime in the past 12 months (61% globally)
• 3M cybercrime victims in the past 12 months (378M globally)
• 53% of males who have been victim of cybercrime in their lifetime (sorry no number available for females) (64% globally)
• 137M EUR: total cost of cybercrime in the past 12 months (82Bn EUR globally)
• 53EUR: Average direct cost per cybercrime victim in the past 12 months (215EUR globally)
• Social network users who do not log out after each session 53% (39% globally)
• Social network users who share their social media passwords with others 30% (keep an eye on this one).
12. We are making it easy……
The third most common password tip
found in the 2013 Adobe breach was….
USUAL
Don’t share passwords or reuse them on multiple sites
13. Mega Breaches
                     2011    2012    2013
Breaches             208     156     253
Identities Exposed   232M    93M     552M
Breaches >10M        5       1       8
The Year of the Breach
2013 was the Year of the Mega Breach
16. 2013 Year of the Mega Breach
Source: 2012 Symantec ISTR
• 8 of the top 10 breaches were of more than 10 million identities
• Average Identities exposed were 4 times greater than 2012
17. Breaches
• The average number of identities exposed per data breach for Hacking incidents was approximately 4.7 million.
• Theft or loss of a device was ranked third, and accounted for 27% of data breach incidents.
18. Mega Breaches – What Was Lost
20. Vulnerabilities
• With so many vulnerable web sites cybercriminals have no need to set up their own web sites to host malware
21. • Targeted Attacks predominantly start as spear phishing attacks
• In 2012, Watering Hole Attacks emerged
Spear Phishing: Send an email to a person of interest
Watering Hole Attack: Infect a website and lie in wait for them
22. Effectiveness of Watering Hole Attacks
• Watering Hole attacks are targeted at specific groups
• Can capture a large number of victims in a very short time
1 Watering Hole Attack in 2012 Infected 500 Companies, All Within 24 Hours
23. Watering Hole Targeted iOS Developers
• Several high profile companies fall victim to just such an attack
24. Website Security Challenges
Evolving Regulations
• Externalisation & Virtualisation
• Consolidation
• Integration
Evolving Cyber Crime
• Web-Focused
• Targeting users
• Stealing Confidential Information
Evolving Web Use
Enable Business Innovation and Agility
Protect the Brand
Evolving Infrastructures
• Consumerisation
• More Mobility
• Social Augmented
‘Big Data’
Website
• Protect the Consumer
• Protect the User
• Increasing scope
25. Implications of the Evolving Threat Landscape
• Individual SMBs: Increase security of their sites and apps
• Large companies and Enterprises: Manage, monitor and automate security of servers/sites/apps.
• Symantec: Provide our customers with additional security services
• Consumers: Which sites can I trust? Who can I trust?
26. SSL in the news…
http://bit.ly/1oT6qwc
• DigiNotar breach
• Browser Exploit Against SSL/TLS Attack (BEAST)
• SSL Renegotiation Attack
• CRIME, Lucky 13
• Heartbleed
It’s clear that SSL is more newsworthy today than ever
27. Heartbleed – OpenSSL Vulnerability
• This is not a vulnerability with SSL/TLS
• SSL/TLS is not broken, nor are the SSL certificates issued by Symantec
• Users of OpenSSL versions 1.0.1 through (and including) 1.0.1f are affected
Advice for Businesses
Check your version of OpenSSL and either:
• Recompile OpenSSL without the heartbeat extension
• Update to the latest fixed version of the software (1.0.1g) if you are using OpenSSL versions 1.0.1 through (and including) 1.0.1f
• After moving to a fixed version of OpenSSL, contact the SSL certificate’s issuing Certification Authority for a replacement
• Finally, businesses should also consider resetting end-user passwords that may have been visible in compromised server memory.
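The version check advised above can be run across a server inventory. The following is an added example, not part of the original slides: it classifies the text printed by `openssl version -a` against the range the slide states and groups hosts by result. The host names and sample outputs are constructed, and the status labels are this example's own.

```python
import re

# Range stated on the slide: OpenSSL 1.0.1 through 1.0.1f affected, 1.0.1g fixed.
_VERSION = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.MULTILINE)
_NO_HEARTBEAT = "-DOPENSSL_NO_HEARTBEATS"  # build flag that compiles the extension out


def heartbleed_status(version_output):
    """Classify the text printed by `openssl version -a`."""
    match = _VERSION.search(version_output)
    if match is None:
        return "unknown"
    base = tuple(int(match.group(i)) for i in (1, 2, 3))
    letter = match.group(4)
    # Patch letters sort alphabetically: "" (plain 1.0.1) and a..f are affected.
    if base != (1, 0, 1) or len(letter) > 1 or letter > "f":
        return "outside-stated-range"
    if _NO_HEARTBEAT in version_output:
        return "built-without-heartbeat"
    # Caveat: distribution packages can carry a backported fix under an old
    # version letter, so confirm "affected" against the vendor's advisory.
    return "affected"


def triage(inventory):
    """Group hosts by status; inventory maps host name -> `openssl version -a` text."""
    groups = {}
    for host, text in sorted(inventory.items()):
        groups.setdefault(heartbleed_status(text), []).append(host)
    return groups


# Constructed sample inventory (host names and outputs are illustrative).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_THREADS -O3\n",
    "web-02": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O3\n",
    "web-03": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -DOPENSSL_THREADS -O3\n",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013\ncompiler: gcc -O3\n",
    "appliance": "TLS library: vendor build\n",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as affected, or that ran an affected build before being fixed, still need the certificate replacement and password review listed above; the version string alone does not show past exposure.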
Website Security Threats: April 2014 Update
28. Who can you trust?
On 10 July 2011 DigiNotar issued a wildcard certificate to Google
34. More servers, more certificates, more developers, more complexity
Late night calls when a certificate expires, or is wrongly configured
What happens when things do go wrong
35. Expired & Misconfigured Certificates Drive Costs, Losses & Brand Damage
• CALLS TO TECH SUPPORT
• USERS TRAINED TO IGNORE WARNINGS
• LOST PRODUCTIVITY
• MISSED SALES OPPORTUNITIES
• DEFECTION TO COMPETITORS
• DAMAGE TO BRAND AND CREDIBILITY
• CALLS TO CUSTOMER SUPPORT
INTERNAL APPLICATIONS
EXTERNAL APPLICATIONS
36. Five to do’s
1. Do you know what certificates you have?
– Their expiry dates, how to renew them?
2. Be ready: Expect the unexpected but mitigate the risk
3. How can you deliver improved reporting across your organisation?
4. New Algorithms can reduce overheads and create efficiencies
– do you know what they are?
5. Are you ready and prepared for Internal Server Name Deprecation?
37. One final to do
• Call me – I understand SSL, your challenges and needs
–Jane Broderick
–Tel: +44 20 7448 5608
–Email: jane_broderick@symantec.com
38. More information?
2013 ISTR: www.symantec.com/threatreport/
Always-On SSL: go.symantec.com/always-on-ssl/
Symantec Certificate Intelligence Center: go.symantec.com/certificate-intelligence-center
Symantec Website Security Solutions: www.symantec.com/ssl
2013 Norton Cybercrime Report: http://bit.ly/1fIP4wf
Twitter: @nortonsecured
40. Web-based threats: Any website can infect you
• In the past you had to visit dangerous sites to get infected, but today it could be a legitimate site attacking you
• Web malware exploits leverage software vulnerabilities without users’ knowledge
• Which sites can infect you? Your favourites:
– News, travel, online games, real estate, government, many others
With so many vulnerable web sites, cybercriminals have no need to set up their own web sites to host malware
• 78% of scanned websites have vulnerabilities
• 1 in 8 sites had critical unpatched vulnerabilities
• In 2013, over 56,000 domains were used to host web malware
Source: Symantec ISTR