SlideShare une entreprise Scribd logo

Malware & Data Breaches: Combatting the Biggest Threat

Chris Ross
Chris Ross

In a recent study regarding the current state of security risks and controls in business today, Wisegate uncovered an enlightening fact: CISOs consider malware and sensitive data breaches to be their top risk. Thanks to BYOD and cloud adoption, there’s no way to keep all data in a controlled environment, so CISOs have turned from pure prevention methods to including “detection” as a key initiative. Learn what they are doing and why in this Wisegate Drill-Down report.

Technologie
1  sur  10
Télécharger pour lire hors ligne
22
Malware & Data Breaches 2 CONTENTS Malware and Data Breaches................................................................................................... 3   Current Trends ........................................................................................................................ 4   Current Trends and the Malware Threat ................................................................................. 5   Defending the BYOD attack surface....................................................................................... 6   The Cloud and BYOD ............................................................................................................. 7   Trends and the IT Infrastructure.............................................................................................. 8   © 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate. This publication may not be reproduced or distributed in any form without Wisegate's prior written permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.
Combatting the Biggest Threat 3 In June of 2014, Wisegate conducted a member-driven research initiative designed to assess the current state of security risks and controls in business today. Assessing IT Security Risks addresses many of the top takeaways from that survey. This current document is the second in a new series of reports designed to look more closely at four specific issues highlighted by that survey. » Metrics and reporting » Malware and data breaches » Data-centric security » Automation and orchestration Malware and Data Breaches One of the top takeaways from the June Wisegate survey is the extent to which malware and sensitive data breaches dominate CISO concerns. The survey asked participants to name their top three risks. It was a freeform question in which participants could specify any risk at all. Malware and breaches of sensitive information were both specified by 16% of the respondents. Third and fourth were malicious outsider threat and malicious insider threat at 8% and 6% respectively, with a long following tail (see Figure 1). In all, almost 80 different ‘risks’ were specified. In reality, says Bill Burns, lead author of the survey, malware is a threat, not a risk. The risk is the breach—but respondents made no distinction between risks and threats and treated the two as one. In this instance, the close correlation in concern over malware and sensitive
Malware & Data Breaches 4 data breaches implies that it is not malware per se that causes concern to CISOs, but specifically the malware that can or does lead to a breach of sensitive information. Figure 1. Survey Question: What are your top three security risks? Source: Wisegate June 2014 “A data breach and the loss of sensitive information is not the only risk associated with malware,” explains Burns. “The malware could be destructive (think of Stuxnet and Wiper), or for competitive or domestic surveillance purposes. It could be targeted to steal personal data for blackmail (think celebrity photos or webcam controllers); or it could be economic, stealing bank details or autodialing premium rate phone numbers.” None of this seems as high on CISOs’ list of concerns as the loss of sensitive information. That sensitive information is likely to be customer/client PII or PIH, and/or company IP. It is the loss of this sort of information that will be the most painful to business, in the costs of remediation, forensic examination, breach notification, loss of brand reputation and potential legal costs. Security is increasingly led by risk management principles, which require the greatest effort in the areas of greatest risk to the company. Large-scale loss of sensitive information is clearly considered to be a major threat. Current Trends The survey also asked participants to specify the trends that most affect their security program (see Figure 2). The response shows clear concern over BYOD and cloud (a third, concern over compliance regulations, is a separate and almost self-contained issue).
Combatting the Biggest Threat 5 Figure 2. Survey Question: Which of these trends most / least affect your security program? Source: Wisegate, June 2014 When we combine these two sets of responses, it is clear that a combination of malware leading to a breach of sensitive information, BYOD and the cloud are a major concern to CISOs. Current Trends and the Malware Threat Burns believes that the malware threat and its associated data breach risk is likely to get worse over the coming years specifically because of these trends: • the continuing evolution of BYOD practices • increasing adoption of cloud technology, both public and private Malware is already unstoppable, even in a traditional IT environment that only has to defend a known and controlled perimeter with a relatively small attack surface. The combination of cloud and BYOD removes the defensible perimeter and increases the attack surface dramatically.
Malware & Data Breaches 6 Defending the BYOD attack surface “What I see,” explains Burns, “is a world where employers will actually require people to bring and use their own devices. Most companies already provide staff with equipment, and many currently tolerate BYOD. The trend will continue until eventually companies will say, ‘Well, if you’re going to have a phone and a computer in your personal life, why don’t we just keep using those?’ Why, in fact, would a company wish to buy stuff that its employee already has and is already using?” But this leads to a tension between company and personal information held on the same device. “The company will need to protect its own data, but the personal data will be in conflict with any device monitoring that the company does,” says Burns. In short, there is potential for a Big Brother inspired kickback from the employee. This is already happening. At a Wisegate roundtable discussion on BYOD practices, one member from a major O&G services company commented, “We’ve always had the ability to completely wipe the BYO device [via ActiveSync] built into the corporate email policy. We had no complaints. But when we moved to an MDM approach and explained to the users that corporate and personal data would be kept separate, and that we would know the difference, we suddenly got resistance. There were many comments about a Big Brother approach. We found the users don’t want the company they work for to know what is on their device. Some have chosen not to register with the MDM, either insisting on a company device or not having the access capability at all.”1 An MDM product that keeps corporate and personal data in separate containers on the mobile device is not enough on its own. “The savvy security team,” suggests Burns, “will earn the user’s trust by demonstrating that the company can only monitor the corporate data, and not only doesn’t, but cannot monitor anything else. As soon as Security can establish that level of trust with the employee, then two things happen. Firstly, I get greater assurance that the user is following my security guidelines and is installing the right protective measures on personal devices to protect the company and company data. Secondly, it allows the employee to say, ‘Gosh, this security stuff is really complicated—but I don’t need to worry because I can leverage the company team as my own personal security team.’” 1  BYOD Series, Part 2 - Data, Tools, Management and Rules  
Combatting the Biggest Threat 7 In short, says Burns, the employee loads the correct protective controls to protect the company in the knowledge that all personal data is private from the company and secure from the criminals. It becomes a partnership based on mutual trust, where the employee protects the company, and the company security team protects the employee and the employee’s private and family data. “This,” suggests Burns, “is doable through a combination of both product and corporate culture.” On the product front it is an extension of the container approach already used by MDMs, but specifically designed to prevent any corporate access to personal data at all, and to engender that level of trust in the user. This is one approach to minimizing the malware threat on BYO devices. The Cloud and BYOD An alternative BYOD policy, suggests Burns, is to say, “I cannot possibly defend all possible endpoint platforms, so I won’t even try. I’ll push everything into the cloud accessible by browser only. The browser will give a view of the data, but not allow any copying to or processing on the local device.” This, he suggests, is a good security posture. But it is not easily achievable in practice, and has numerous pitfalls along the route. One problem is actually implementing such an approach. “There is a tension,” suggests Burns, “between the ‘view only’ approach and the increasing power of the mobile device.” It is a tension that has not been solved—the reality is that some processing is best done locally. “Maybe it’s not a binary decision,” he continued. “Depending on the corporate culture, either is a satisfactory experience. Perhaps the decision determining whether the data stays in the cloud or can be processed locally should depend on the sensitivity of the data. Maybe it’s a data classification or data sensitivity decision point.” Using the cloud to defend against malware-inspired sensitive breaches is a strong argument. It is harder to infect the cloud than it is to infect an individual endpoint. But there is also a scale issue. “If I, as an attacker,” explains Burns, “manage to infect the cloud, I potentially get to impact many more customers and much larger datasets.” The weakness in cloud security is less the cloud itself and more how the cloud is used. This is an aspect of something that Burns considers to be one of the biggest challenges to IT security: the difference between something working correctly and something working correctly and securely. This affects everything from malware prevention to proprietary apps, open source software and websites.
Malware & Data Breaches 8 A good example of this problem is the fate of Code Spaces. Code Spaces used AWS cloud services to store customers’ code. Everything worked correctly. But when Code Spaces was compromised, everything belonging to all Code Spaces customers was affected—and in the event actually lost. Code Spaces itself went out of business. The problem wasn’t the cloud nor was it AWS—it was Code Spaces poor use of AWS. It did not use Amazon’s 2FA option; it had no DR plan; it stored its back-up effectively in the same room (that is, in the same AWS account); and it discussed its response over a compromised channel when it should have been out of band. Because of the latter, the hacker was always one step ahead, and decided to delete content and get out. AWS (that is, the cloud proper) was never itself compromised. “Working correctly is different to working securely,” explains Burns. “In the physical world we get visual clues. You can go into a brick and mortar bank and see at a glance if it doesn’t look secure. But if a web page works correctly, there is nothing to show whether it is also secure.” This “if it works OK it must be OK” thinking is why so many users get infected by malware through poisoned websites and malvertising—and indeed cleverly crafted phishing emails with weaponized attachments. Trends and the IT Infrastructure What is clear from current trends is that IT infrastructure is in the midst of the biggest structural change since user computing migrated from the computer room to the desktop. Now it is leaving the building altogether—moving to users’ mobile devices with no fixed location, and into the nebulous cloud. What this means for security is that there is neither an infrastructure perimeter to defend nor much knowledge of where company information actually resides. Traditional security controls that defend the trusted network perimeter no longer apply—which means that new security controls are necessary. The survey asked what infrastructure security controls would be prioritized over the new few years (see Figure 3). It is clear from the responses that there is less emphasis on protecting devices and greater emphasis on protecting applications and the data itself. Firewalls are now application firewalls rather than trusted network firewalls—and encryption figures in both the top and third response. Data leak prevention as the favored control demonstrates that malware prevention has been replaced by malware detection as a priority. Encryption is designed to protect the data itself, so that even if there is a breach of sensitive information, that information remains hidden from any attacker.
Combatting the Biggest Threat 9 Figure 3. Survey Question: Which of these Infrastructure controls will be a top priority to you in the next 3-5 years (multiple selections allowed). Source: Wisegate, June 2014 This is a pragmatic view of security. Faced with the impossibility of defending against malware attacks in the new cloud/BYOD paradigm, security is engaged in a massive shift from protecting devices to protecting data. This new paradigm—date centric security—will be discussed in greater detail in the third report of this series. If the data itself is safe, it doesn’t’ matter if the malware results in a breach.
Malware & Data Breaches 10 PHONE 512.763.0555 EMAIL info@wisegateit.com www.wisegateit.com Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.

Recommandé

Master Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeMaster Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeIan Lee
 
Cybersecurity in the Age of Mobility
Cybersecurity in the Age of MobilityCybersecurity in the Age of Mobility
Cybersecurity in the Age of MobilityBooz Allen Hamilton
 
Cyber Resilience white paper 20160401_sd
Cyber Resilience white paper 20160401_sdCyber Resilience white paper 20160401_sd
Cyber Resilience white paper 20160401_sdSusan Darby
 
Big Data Dectives
Big Data DectivesBig Data Dectives
Big Data Dectives- Mark - Fullbright
 
Research insights - state of network security
Research insights - state of network securityResearch insights - state of network security
Research insights - state of network securityMiguel Mello
 
Ccs16
Ccs16Ccs16
Ccs16Andrey Apuhtin
 
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Booz Allen Hamilton
 
2013 global security report
2013 global security report2013 global security report
2013 global security reportYury Chemerkin
 

Recommandé

Master Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeMaster Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeIan Lee
 
Cybersecurity in the Age of Mobility
Cybersecurity in the Age of MobilityCybersecurity in the Age of Mobility
Cybersecurity in the Age of MobilityBooz Allen Hamilton
 
Cyber Resilience white paper 20160401_sd
Cyber Resilience white paper 20160401_sdCyber Resilience white paper 20160401_sd
Cyber Resilience white paper 20160401_sdSusan Darby
 
Big Data Dectives
Big Data DectivesBig Data Dectives
Big Data Dectives- Mark - Fullbright
 
Research insights - state of network security
Research insights - state of network securityResearch insights - state of network security
Research insights - state of network securityMiguel Mello
 
Ccs16
Ccs16Ccs16
Ccs16Andrey Apuhtin
 
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Booz Allen Hamilton
 
2013 global security report
2013 global security report2013 global security report
2013 global security reportYury Chemerkin
 
The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant EnterpriseBooz Allen Hamilton
 
Carbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityCarbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityMighty Guides, Inc.
 
6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss GremlinsIntronis MSP Solutions by Barracuda
 
The impact of a security breach on MSP's and their clients
The impact of a security breach on MSP's and their clientsThe impact of a security breach on MSP's and their clients
The impact of a security breach on MSP's and their clientsJose Lopez
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutionsJonny Nässlander
 
FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)Dr Dev Kambhampati
 
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITYSYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITYIJNSA Journal
 
Securing Cloud from Cloud Drain
Securing Cloud from Cloud DrainSecuring Cloud from Cloud Drain
Securing Cloud from Cloud DrainEswar Publications
 
Takshashila Blue Paper: Charting a New Framework for Data Protection in India
Takshashila Blue Paper: Charting a New Framework for Data Protection in IndiaTakshashila Blue Paper: Charting a New Framework for Data Protection in India
Takshashila Blue Paper: Charting a New Framework for Data Protection in IndiaThe Takshashila Institution
 
4514ijmnct01
4514ijmnct014514ijmnct01
4514ijmnct01ijmnct
 
Risky Business
Risky BusinessRisky Business
Risky BusinessSamantha Park
 
Mobile Application Security
Mobile Application Security Mobile Application Security
Mobile Application Security Booz Allen Hamilton
 
Strategic Information Management Through Data Classification
Strategic Information Management Through Data ClassificationStrategic Information Management Through Data Classification
Strategic Information Management Through Data ClassificationBooz Allen Hamilton
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudITDogadjaji.com
 
Insecure magazine - 51
Insecure magazine - 51Insecure magazine - 51
Insecure magazine - 51Felipe Prado
 
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014- Mark - Fullbright
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 
Staying ahead in the cyber security game - Sogeti + IBM
Staying ahead in the cyber security game - Sogeti + IBMStaying ahead in the cyber security game - Sogeti + IBM
Staying ahead in the cyber security game - Sogeti + IBMRick Bouter
 
An Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an OrganizationAn Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an OrganizationIJERA Editor
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsLondon School of Cyber Security
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemBernard Marr
 
Security attacks taxonomy on
Security attacks taxonomy onSecurity attacks taxonomy on
Security attacks taxonomy onijmnct
 

Contenu connexe

Tendances

Carbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityCarbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityMighty Guides, Inc.
 
The impact of a security breach on MSP's and their clients
The impact of a security breach on MSP's and their clientsThe impact of a security breach on MSP's and their clients
The impact of a security breach on MSP's and their clientsJose Lopez
 
FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)Dr Dev Kambhampati
 
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITYSYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITYIJNSA Journal
 
Securing Cloud from Cloud Drain
Securing Cloud from Cloud DrainSecuring Cloud from Cloud Drain
Securing Cloud from Cloud DrainEswar Publications
 
Takshashila Blue Paper: Charting a New Framework for Data Protection in India
Takshashila Blue Paper: Charting a New Framework for Data Protection in IndiaTakshashila Blue Paper: Charting a New Framework for Data Protection in India
Takshashila Blue Paper: Charting a New Framework for Data Protection in IndiaThe Takshashila Institution
 
4514ijmnct01
4514ijmnct014514ijmnct01
4514ijmnct01ijmnct
 
Strategic Information Management Through Data Classification
Strategic Information Management Through Data ClassificationStrategic Information Management Through Data Classification
Strategic Information Management Through Data ClassificationBooz Allen Hamilton
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudITDogadjaji.com
 
Insecure magazine - 51
Insecure magazine - 51Insecure magazine - 51
Insecure magazine - 51Felipe Prado
 
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014- Mark - Fullbright
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 
Staying ahead in the cyber security game - Sogeti + IBM
Staying ahead in the cyber security game - Sogeti + IBMStaying ahead in the cyber security game - Sogeti + IBM
Staying ahead in the cyber security game - Sogeti + IBMRick Bouter
 
An Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an OrganizationAn Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an OrganizationIJERA Editor
 

Tendances (20)

The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant Enterprise
 
Carbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint SecurityCarbon Black: 32 Security Experts on Changing Endpoint Security
Carbon Black: 32 Security Experts on Changing Endpoint Security
 
6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins
 
The impact of a security breach on MSP's and their clients
The impact of a security breach on MSP's and their clientsThe impact of a security breach on MSP's and their clients
The impact of a security breach on MSP's and their clients
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutions
 
FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)
 
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITYSYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
 
Securing Cloud from Cloud Drain
Securing Cloud from Cloud DrainSecuring Cloud from Cloud Drain
Securing Cloud from Cloud Drain
 
Takshashila Blue Paper: Charting a New Framework for Data Protection in India
Takshashila Blue Paper: Charting a New Framework for Data Protection in IndiaTakshashila Blue Paper: Charting a New Framework for Data Protection in India
Takshashila Blue Paper: Charting a New Framework for Data Protection in India
 
4514ijmnct01
4514ijmnct014514ijmnct01
4514ijmnct01
 
Risky Business
Risky BusinessRisky Business
Risky Business
 
Mobile Application Security
Mobile Application Security Mobile Application Security
Mobile Application Security
 
Strategic Information Management Through Data Classification
Strategic Information Management Through Data ClassificationStrategic Information Management Through Data Classification
Strategic Information Management Through Data Classification
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
 
Insecure magazine - 51
Insecure magazine - 51Insecure magazine - 51
Insecure magazine - 51
 
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2
 
Staying ahead in the cyber security game - Sogeti + IBM
Staying ahead in the cyber security game - Sogeti + IBMStaying ahead in the cyber security game - Sogeti + IBM
Staying ahead in the cyber security game - Sogeti + IBM
 
An Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an OrganizationAn Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an Organization
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
 

Similaire à Malware & Data Breaches: Combatting the Biggest Threat

Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemBernard Marr
 
Security attacks taxonomy on
Security attacks taxonomy onSecurity attacks taxonomy on
Security attacks taxonomy onijmnct
 
The Five Biggest Cyber Security Trends In 2022
The Five Biggest Cyber Security Trends In 2022The Five Biggest Cyber Security Trends In 2022
The Five Biggest Cyber Security Trends In 2022Bernard Marr
 
7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing InvestmentsCaston Thomas
 
10.1.1.436.3364.pdf
10.1.1.436.3364.pdf10.1.1.436.3364.pdf
10.1.1.436.3364.pdfmistryritesh
 
Using Cyber Security As a Contingency Measure To Combat Cyber Threats.pdf
Using Cyber Security As a Contingency Measure To Combat Cyber Threats.pdfUsing Cyber Security As a Contingency Measure To Combat Cyber Threats.pdf
Using Cyber Security As a Contingency Measure To Combat Cyber Threats.pdfVRS Technologies
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Booz Allen Hamilton
 
Metrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in CommunicationMetrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in CommunicationChris Ross
 
Security personnel are increasingly having to think about the locati.docx
Security personnel are increasingly having to think about the locati.docxSecurity personnel are increasingly having to think about the locati.docx
Security personnel are increasingly having to think about the locati.docxjeffreye3
 
How to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarHow to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarJudgeEagle
 
An Empirical Study on Information Security
An Empirical Study on Information SecurityAn Empirical Study on Information Security
An Empirical Study on Information Securityijtsrd
 
Securing And Protecting Information
Securing And Protecting InformationSecuring And Protecting Information
Securing And Protecting InformationLaura Martin
 
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSI
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSIIBM MobileFrist Protect - Guerir la Mobilephobie des RSSI
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSIAGILLY
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security indexsukiennong.vn
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity EssayMichael Solomon
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...Dana Gardner
 

Similaire à Malware & Data Breaches: Combatting the Biggest Threat (20)

Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data Problem
 
Security attacks taxonomy on
Security attacks taxonomy onSecurity attacks taxonomy on
Security attacks taxonomy on
 
The Five Biggest Cyber Security Trends In 2022
The Five Biggest Cyber Security Trends In 2022The Five Biggest Cyber Security Trends In 2022
The Five Biggest Cyber Security Trends In 2022
 
7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments
 
10.1.1.436.3364.pdf
10.1.1.436.3364.pdf10.1.1.436.3364.pdf
10.1.1.436.3364.pdf
 
Using Cyber Security As a Contingency Measure To Combat Cyber Threats.pdf
Using Cyber Security As a Contingency Measure To Combat Cyber Threats.pdfUsing Cyber Security As a Contingency Measure To Combat Cyber Threats.pdf
Using Cyber Security As a Contingency Measure To Combat Cyber Threats.pdf
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
 
Metrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in CommunicationMetrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in Communication
 
Security personnel are increasingly having to think about the locati.docx
Security personnel are increasingly having to think about the locati.docxSecurity personnel are increasingly having to think about the locati.docx
Security personnel are increasingly having to think about the locati.docx
 
How to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarHow to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jar
 
An Empirical Study on Information Security
An Empirical Study on Information SecurityAn Empirical Study on Information Security
An Empirical Study on Information Security
 
Securing And Protecting Information
Securing And Protecting InformationSecuring And Protecting Information
Securing And Protecting Information
 
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSI
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSIIBM MobileFrist Protect - Guerir la Mobilephobie des RSSI
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSI
 
Cybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future AttacksCybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future Attacks
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security index
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
 
Retail
Retail Retail
Retail
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
 
Challenging Insecurity: A Roadmap to Cyber Confidence
Challenging Insecurity: A Roadmap to Cyber ConfidenceChallenging Insecurity: A Roadmap to Cyber Confidence
Challenging Insecurity: A Roadmap to Cyber Confidence
 

Plus de Chris Ross

Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security RisksChris Ross
 
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...Chris Ross
 
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...Chris Ross
 
Hello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft SkillsHello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft SkillsChris Ross
 
Maximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next StepsMaximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next StepsChris Ross
 
What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401Chris Ross
 
5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should Know5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should KnowChris Ross
 

Plus de Chris Ross (7)

Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security Risks
 
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
 
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
 
Hello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft SkillsHello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft Skills
 
Maximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next StepsMaximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next Steps
 
What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401
 
5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should Know5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should Know
 

Dernier

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Dernier (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Malware & Data Breaches: Combatting the Biggest Threat

  • 1. 22
  • 2. Malware & Data Breaches 2 CONTENTS Malware and Data Breaches................................................................................................... 3   Current Trends ........................................................................................................................ 4   Current Trends and the Malware Threat ................................................................................. 5   Defending the BYOD attack surface....................................................................................... 6   The Cloud and BYOD ............................................................................................................. 7   Trends and the IT Infrastructure.............................................................................................. 8   © 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate. This publication may not be reproduced or distributed in any form without Wisegate's prior written permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.
  • 3. Combatting the Biggest Threat 3 In June of 2014, Wisegate conducted a member-driven research initiative designed to assess the current state of security risks and controls in business today. Assessing IT Security Risks addresses many of the top takeaways from that survey. This current document is the second in a new series of reports designed to look more closely at four specific issues highlighted by that survey. » Metrics and reporting » Malware and data breaches » Data-centric security » Automation and orchestration Malware and Data Breaches One of the top takeaways from the June Wisegate survey is the extent to which malware and sensitive data breaches dominate CISO concerns. The survey asked participants to name their top three risks. It was a freeform question in which participants could specify any risk at all. Malware and breaches of sensitive information were both specified by 16% of the respondents. Third and fourth were malicious outsider threat and malicious insider threat at 8% and 6% respectively, with a long following tail (see Figure 1). In all, almost 80 different ‘risks’ were specified. In reality, says Bill Burns, lead author of the survey, malware is a threat, not a risk. The risk is the breach—but respondents made no distinction between risks and threats and treated the two as one. In this instance, the close correlation in concern over malware and sensitive
  • 4. Malware & Data Breaches 4 data breaches implies that it is not malware per se that causes concern to CISOs, but specifically the malware that can or does lead to a breach of sensitive information. Figure 1. Survey Question: What are your top three security risks? Source: Wisegate June 2014 “A data breach and the loss of sensitive information is not the only risk associated with malware,” explains Burns. “The malware could be destructive (think of Stuxnet and Wiper), or for competitive or domestic surveillance purposes. It could be targeted to steal personal data for blackmail (think celebrity photos or webcam controllers); or it could be economic, stealing bank details or autodialing premium rate phone numbers.” None of this seems as high on CISOs’ list of concerns as the loss of sensitive information. That sensitive information is likely to be customer/client PII or PIH, and/or company IP. It is the loss of this sort of information that will be the most painful to business, in the costs of remediation, forensic examination, breach notification, loss of brand reputation and potential legal costs. Security is increasingly led by risk management principles, which require the greatest effort in the areas of greatest risk to the company. Large-scale loss of sensitive information is clearly considered to be a major threat. Current Trends The survey also asked participants to specify the trends that most affect their security program (see Figure 2). The response shows clear concern over BYOD and cloud (a third, concern over compliance regulations, is a separate and almost self-contained issue).
  • 5. Combatting the Biggest Threat 5 Figure 2. Survey Question: Which of these trends most / least affect your security program? Source: Wisegate, June 2014 When we combine these two sets of responses, it is clear that a combination of malware leading to a breach of sensitive information, BYOD and the cloud are a major concern to CISOs. Current Trends and the Malware Threat Burns believes that the malware threat and its associated data breach risk is likely to get worse over the coming years specifically because of these trends: • the continuing evolution of BYOD practices • increasing adoption of cloud technology, both public and private Malware is already unstoppable, even in a traditional IT environment that only has to defend a known and controlled perimeter with a relatively small attack surface. The combination of cloud and BYOD removes the defensible perimeter and increases the attack surface dramatically.
  • 6. Malware & Data Breaches 6 Defending the BYOD attack surface “What I see,” explains Burns, “is a world where employers will actually require people to bring and use their own devices. Most companies already provide staff with equipment, and many currently tolerate BYOD. The trend will continue until eventually companies will say, ‘Well, if you’re going to have a phone and a computer in your personal life, why don’t we just keep using those?’ Why, in fact, would a company wish to buy stuff that its employee already has and is already using?” But this leads to a tension between company and personal information held on the same device. “The company will need to protect its own data, but the personal data will be in conflict with any device monitoring that the company does,” says Burns. In short, there is potential for a Big Brother inspired kickback from the employee. This is already happening. At a Wisegate roundtable discussion on BYOD practices, one member from a major O&G services company commented, “We’ve always had the ability to completely wipe the BYO device [via ActiveSync] built into the corporate email policy. We had no complaints. But when we moved to an MDM approach and explained to the users that corporate and personal data would be kept separate, and that we would know the difference, we suddenly got resistance. There were many comments about a Big Brother approach. We found the users don’t want the company they work for to know what is on their device. Some have chosen not to register with the MDM, either insisting on a company device or not having the access capability at all.”1 An MDM product that keeps corporate and personal data in separate containers on the mobile device is not enough on its own. “The savvy security team,” suggests Burns, “will earn the user’s trust by demonstrating that the company can only monitor the corporate data, and not only doesn’t, but cannot monitor anything else. As soon as Security can establish that level of trust with the employee, then two things happen. Firstly, I get greater assurance that the user is following my security guidelines and is installing the right protective measures on personal devices to protect the company and company data. Secondly, it allows the employee to say, ‘Gosh, this security stuff is really complicated—but I don’t need to worry because I can leverage the company team as my own personal security team.’” 1  BYOD Series, Part 2 - Data, Tools, Management and Rules  
  • 7. Combatting the Biggest Threat 7 In short, says Burns, the employee loads the correct protective controls to protect the company in the knowledge that all personal data is private from the company and secure from the criminals. It becomes a partnership based on mutual trust, where the employee protects the company, and the company security team protects the employee and the employee’s private and family data. “This,” suggests Burns, “is doable through a combination of both product and corporate culture.” On the product front it is an extension of the container approach already used by MDMs, but specifically designed to prevent any corporate access to personal data at all, and to engender that level of trust in the user. This is one approach to minimizing the malware threat on BYO devices. The Cloud and BYOD An alternative BYOD policy, suggests Burns, is to say, “I cannot possibly defend all possible endpoint platforms, so I won’t even try. I’ll push everything into the cloud accessible by browser only. The browser will give a view of the data, but not allow any copying to or processing on the local device.” This, he suggests, is a good security posture. But it is not easily achievable in practice, and has numerous pitfalls along the route. One problem is actually implementing such an approach. “There is a tension,” suggests Burns, “between the ‘view only’ approach and the increasing power of the mobile device.” It is a tension that has not been solved—the reality is that some processing is best done locally. “Maybe it’s not a binary decision,” he continued. “Depending on the corporate culture, either is a satisfactory experience. Perhaps the decision determining whether the data stays in the cloud or can be processed locally should depend on the sensitivity of the data. Maybe it’s a data classification or data sensitivity decision point.” Using the cloud to defend against malware-inspired sensitive breaches is a strong argument. It is harder to infect the cloud than it is to infect an individual endpoint. But there is also a scale issue. “If I, as an attacker,” explains Burns, “manage to infect the cloud, I potentially get to impact many more customers and much larger datasets.” The weakness in cloud security is less the cloud itself and more how the cloud is used. This is an aspect of something that Burns considers to be one of the biggest challenges to IT security: the difference between something working correctly and something working correctly and securely. This affects everything from malware prevention to proprietary apps, open source software and websites.
  • 8. Malware & Data Breaches 8 A good example of this problem is the fate of Code Spaces. Code Spaces used AWS cloud services to store customers’ code. Everything worked correctly. But when Code Spaces was compromised, everything belonging to all Code Spaces customers was affected—and in the event actually lost. Code Spaces itself went out of business. The problem wasn’t the cloud nor was it AWS—it was Code Spaces poor use of AWS. It did not use Amazon’s 2FA option; it had no DR plan; it stored its back-up effectively in the same room (that is, in the same AWS account); and it discussed its response over a compromised channel when it should have been out of band. Because of the latter, the hacker was always one step ahead, and decided to delete content and get out. AWS (that is, the cloud proper) was never itself compromised. “Working correctly is different to working securely,” explains Burns. “In the physical world we get visual clues. You can go into a brick and mortar bank and see at a glance if it doesn’t look secure. But if a web page works correctly, there is nothing to show whether it is also secure.” This “if it works OK it must be OK” thinking is why so many users get infected by malware through poisoned websites and malvertising—and indeed cleverly crafted phishing emails with weaponized attachments. Trends and the IT Infrastructure What is clear from current trends is that IT infrastructure is in the midst of the biggest structural change since user computing migrated from the computer room to the desktop. Now it is leaving the building altogether—moving to users’ mobile devices with no fixed location, and into the nebulous cloud. What this means for security is that there is neither an infrastructure perimeter to defend nor much knowledge of where company information actually resides. Traditional security controls that defend the trusted network perimeter no longer apply—which means that new security controls are necessary. The survey asked what infrastructure security controls would be prioritized over the new few years (see Figure 3). It is clear from the responses that there is less emphasis on protecting devices and greater emphasis on protecting applications and the data itself. Firewalls are now application firewalls rather than trusted network firewalls—and encryption figures in both the top and third response. Data leak prevention as the favored control demonstrates that malware prevention has been replaced by malware detection as a priority. Encryption is designed to protect the data itself, so that even if there is a breach of sensitive information, that information remains hidden from any attacker.
  • 9. Combatting the Biggest Threat 9 Figure 3. Survey Question: Which of these Infrastructure controls will be a top priority to you in the next 3-5 years (multiple selections allowed). Source: Wisegate, June 2014 This is a pragmatic view of security. Faced with the impossibility of defending against malware attacks in the new cloud/BYOD paradigm, security is engaged in a massive shift from protecting devices to protecting data. This new paradigm—date centric security—will be discussed in greater detail in the third report of this series. If the data itself is safe, it doesn’t’ matter if the malware results in a breach.
  • 10. Malware & Data Breaches 10 PHONE 512.763.0555 EMAIL info@wisegateit.com www.wisegateit.com Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.