Author: Elizabeth Parker

1 Threat Awareness Presented By: Billy Spears Chief Privacy Officer

2 Agenda: Threat Awareness Presentation
Threat Landscape
Financial Sector Details
Threat Actors and Motives
Anatomy of an Attack
What We Try to Protect
Electronic Black Market
Data Lost… Reportable Breach
Regulatory Stakeholders
Engaging Law Enforcement
Future Trends
Next Steps
HCA - Public 2

3 Threat Landscape
Far-reaching vulnerabilities, faster attacks, files held for ransom and more malicious code than ever.
Categories: MOBILE DEVICES, TARGETED ATTACKS, SCAMS & SOCIAL MEDIA, PRIVACY BREACHES, WEB THREATS
3x more Android apps contained malware, a 230% increase from the previous year.
65% of targeted attacks struck small- and medium-sized organizations.
76% of social media scams were manually shared, a % increase from the previous year.
Half a billion records stolen or lost.
89% had a financial or espionage motive.
Cybercrime cost the global economy up to $575 billion annually.
Top 10 Types of Information Exposed: Real Names 78%, Home Addresses 44%, Birth Dates 41%, Gov. IDs 38%, Medical Records 36%, Financial Info 33%, Addresses 21%, Phone Numbers 19%, Insurance 13%, Login Credentials 11%

Notes:
Targeted Attacks Detail
.SCR = Script file extension used to transmit a Trojan. As a script or a screen saver this file can execute other files which carry the Trojan. The SCR file may be embedded within a ZIP file which could also contain a file with a double extension.
.au3 = an automated script file created with AutoIt v3, a freeware scripting program that uses a programming language similar to BASIC. It is designed for automating commands within Windows and for other general scripting purposes. AutoIt can simulate keystrokes and mouse movement and manipulate windows, which automates tasks that are not possible with VBScript or SendKeys.
Scams & Social Media
Manual Sharing: These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers or messages that they share with their friends.
Ransomware: On a human level, ransomware is one of the nastiest forms of attack for victims. Criminals use malware to encrypt the data on victims' hard drives (family pictures, homework, music, that unfinished novel) and demand payment to unlock the files.
Crypto-Ransomware: There are several different crypto-ransomware families, such as Cryptolocker, Cryptodefense and Cryptowall, but their method of exploitation is the same. Rather than locking your desktop behind a ransom wall, crypto-ransomware encrypts your personal files and holds the private keys needed to decrypt them for ransom at a remote site. This is a much more vicious attack than traditional ransomware.
Sources: Internet Security Threat Report
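As an added defender-side example (not from the presentation), this Python script applies the file-type notes above to a ZIP attachment: it lists the archive entries and flags .SCR/.au3 payloads and double-extension names such as invoice.pdf.scr. The archive contents, the decoy extension list and the function names are constructed for this illustration.

```python
import io
import zipfile

# Extensions the slide notes call out as script carriers (.scr, .au3); the
# decoy set is the document extensions a double-extension name hides behind.
SCRIPT_EXTENSIONS = {"scr", "au3"}
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

def classify_name(name: str) -> list[str]:
    """Return the reasons an archive entry name looks suspicious (empty if none)."""
    reasons = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")  # drop any folder prefix
    if len(parts) < 2:
        return reasons  # no extension at all
    last = parts[-1]
    if last in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension .{last}")
    # A decoy document extension right before the real one, e.g. invoice.pdf.scr
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2]}.{last}")
    return reasons

def triage_archive(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious file entry in a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample ZIP resembling the attachment described in the notes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2017.pdf.scr", b"MZ placeholder")   # double extension + .scr
        zf.writestr("tools/update.au3", b"MsgBox(0, 'x', 'y')")  # AutoIt v3 script
        zf.writestr("readme.txt", b"Please open the invoice.")   # benign entry
    return buf.getvalue()

if __name__ == "__main__":
    for entry, why in triage_archive(build_sample_archive()).items():
        print(f"{entry}: {', '.join(why)}")
```

Only the entry names are inspected here; a production gateway would also check file headers, since a renamed executable keeps its MZ signature regardless of extension.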

4 Financial Sector Details
Privacy Breaches: 2,  Total Records Lost: 429m  Avg. Cost Per Record: $221 (2)
FINANCIAL INDUSTRY BY RECORDS LOST (1): 25% over the last 3 years
BY COST (2): 12% over the last 3 years
BY INDUSTRY (1) (chart values): 50%, 30.1%, 10.3%, 11.9%, 12.5%, *24.8% (*Unknown, Insurance, Hospitality, Non-profit, etc.)
BY SOURCE (2): Malicious or Criminal 50%; Insider Threat
Sources: 1. (Database based on publicly-available breach disclosure information. Statistics based on number of breaches, not number of records lost) 2. "Cost of Data Breach Study: United States" by Ponemon Institute

5 Threat Actors and Motives: Who would target us and why?
THREATS
HACKTIVISM: Hacktivists use computer network exploitation to advance their political or social causes.
CRIME: Individuals and sophisticated criminal enterprises steal personal information and extort victims for financial gain.
INSIDER: Trusted insiders steal proprietary information for personal, financial, and ideological reasons.
ESPIONAGE: Nation-state actors conduct computer intrusions to steal sensitive state secrets and proprietary information from private companies.
TERRORISM: Terrorist groups sabotage the computer systems that operate our critical infrastructure, such as the electric grid.
WARFARE: Nation-state actors sabotage military and critical infrastructure systems to gain an advantage in the event of conflict.

6 Anatomy of an Attack
Attack phases (as shown on the slide diagram): Recon, Escalate Privileges, Expand Presence, Establish Foothold, Move Laterally, Initial Compromise, Internal Recon, Exfiltrate Data, Maintain Presence
Common Attack Vectors: Known Vulnerabilities; SQL Injection; Phishing, Spear-phishing, Whaling; Weak Authentication; Viruses/Malware attacks; Social engineering
Targeted Information Types: Corporate finances; Internal corporate information; Customer/Employee PII; Proprietary technology; IT infrastructure; Bandwidth (DDoS)

7 What We Are Trying to Protect
Intellectual Property (IP), Proprietary Information (PI), Personally Identifiable Information (PII)
Identity Theft: 7% report harm post breach (1); 0.3% suffer actual harm (2); 2nd highest complaint at the FTC (3)
Underground market value by record type:
Credit Card (CC) (4): $1 - $8; first and last name, card #
Credit Card with PIN (4): $17 - $35; first / last name, card #, PIN, expiration date; active users, credit range $1K – $25K
Driver's License (4): $100 - $150; first / last name, ID #, address, DOB
Social Security Card (4): $250 - $400; first / last name, SSN, DOB
Health Insurance Info (1): $250; first / last name, login credentials, plan provider ID #
Bank Info (4): $300 - $4200 (*based on account balance); first / last name, bank, acct #, login credentials
Identity Profile (5): $1300; name, SSN, DOB, address, phone #, credentials, credit card # or bank info
Sources: 1. AllClear ID 2. ID Experts, LifeLock 3. FTC, Consumer Sentinel Network Data Book 4. Underground Hacker Markets by Dell SecureWorks 5. "What your information is worth on the black market" by Bankrate

8 Electronic Black Market
Black Market sites can be found in several locations, many of which are challenging to locate. Payment is often through digital currency, such as Bitcoin.

9 Data Lost… Reportable Breach
Data lost due to disasters is devastating, but losing it to hackers, malicious insiders or malware infections raises far greater concerns.
Information Protection: A risk management discipline that serves the objectives of Confidentiality, Integrity, Availability, and Privacy of information by applying a risk management framework and yielding confidence that risks are adequately managed.
Risk Vectors: Financial (direct + indirect costs, cyber insurance costs); Reputational (brand damage, lost business opportunities); Regulatory (monitoring, fines); Operational (decreased productivity)
Associated Costs of a Privacy Breach (1)
Direct Costs (34%, $90): Legal liability and sanctions; Charges of deceptive business practices; Liability from identity theft; Cyber insurance deductible; Outside counsel; Credit monitoring services
Indirect Costs (66%, $174): OEM marketing to acquire new customers; Damage to the reputation, brand, or business relationships; Customer and/or employee distrust; Lost revenues
Sources: 1. "2016 Cost of Data Breach Study: United States" by Ponemon Institute

10 Regulatory Stakeholders
Examples of the range of complexity of Federal, State and Local privacy regulatory requirements.
Stakeholders: Customer; Justice Dept.; FTC; CFPB; State Attorneys General
Remedies and penalties: Private Suit / Class-Action; Class Action; $11k + Required Annual Monitoring (RAM) (1); Varies
Federal statutes: GLBA, FACTA, FCRA, ECOA, Red Flags, UDTP, TCPA, CAN-SPAM
Federal Civil Penalty Variations (1, 2)
State & Local:
California Civ. Code § : $3k per customer, per violation
New York 23 NYCRR 500 (2): NYDFS Cyber Security Reg.
New York State Gen. Bus. Law § 899-aa: Actual costs or up to $150k per incident
Florida Stat : Up to $500k per breach; PII also includes name and online account credentials
New York City, N.Y. State Tech. Law § 208: $500 per person and $100 per violation
Massachusetts Gen. Bus. Law § 899-aa: Actual costs
Texas Bus. & Comm. Code Ann. § et seq: Civil penalties up to $300k per violation
Sources: 1. Morrison & Foerster LLP 2. White & Case: Cybersecurity Requirements for Financial Services Companies

11 Contacting Law Enforcement
Domestically, the FBI has Field Offices throughout the U.S., with Special Agents dedicated to working cyber investigations.
Internationally, the FBI has Special Agents, called Legal Attachés, who work in U.S. Embassies globally. They work with the local countries' law enforcement agencies.
Engaging Law Enforcement
Call the FBI as soon as possible; delays can result in loss of digital evidence.
Determine how your internal investigation and the criminal investigation will work together.
What does the FBI do?
Focuses on criminal prosecution
Forensically collects and analyzes evidence
Can, with consent, monitor the victim's network for activity related to the attack
Testifies in court
Federal Prosecutor: Federal prosecutors can also speak to the victim's legal team.

12 Future Trends: 2017 Expectations
Number of targeted cyber attacks to increase
Cyber attacks will continue to evolve
Phishing attempts to rise
Dedicated Information Security & Privacy program investments to grow
Mobile platforms to be targeted more
Rise in the threat of Organized Crime and State Sponsored Attacks
Compromises related to Internet of Things (IoT) intensify

13 Next Steps: Recommended Actions
COMPANY
Establish network segmentation to reduce the impact of compromised desktops/laptops
Ensure applicable software patches are installed in a timely manner
Implement filtering capabilities
Implement strong authentication capabilities
EMPLOYEES
Identify threats using what your adaptive training & awareness program reinforces
Ensure compliance with Information Protection standards & practices
Apply risk management practices to safeguard assets
Evangelize best practices with colleagues across the company

14 Thank You.