A Tipping Point in the Battle

Against Cyber Attacks


A Dark Reading Webcast
Sponsored by
Webcast Logistics
Today’s Presenters

Dr. Larry Ponemon
Chairman & Founder, Ponemon Institute



Avi Chesla
Chief Technology Officer, Radware

Cyber Security on the Offense
A Study of IT Security Experts
Co-authored Research with Radware
Presentation by Dr. Larry Ponemon
November 14, 2012
About Ponemon Institute
• Ponemon Institute conducts independent research on cyber security, data protection
and privacy issues.
• Since our founding 11+ years ago our mission has remained constant, which is to
enable organizations in both the private and public sectors to have a clearer
understanding of the practices, enabling technologies and potential threats that will
affect the security, reliability and integrity of information assets and IT systems.
• Ponemon Institute research informs organizations on how to improve upon their data
protection initiatives and enhance their brand and reputation as a trusted enterprise.
• In addition to research, Ponemon Institute offers independent assessment and
strategic advisory services on privacy and data protection issues. The Institute also
conducts workshops and training programs.
• The Institute is frequently engaged by leading companies to assess their privacy and
data protection activities in accordance with generally accepted standards and
practices on a global basis.
• The Institute also performs customized benchmark studies to help organizations
identify inherent risk areas and gaps that might otherwise trigger regulatory action.

11/13/2012 Ponemon Institute: Private & Confidential Information 5
Spotlight on key findings
• Availability is now the top priority
• DoS & DDoS are two of the top three threats
• Sixty-five percent of organizations experienced 3 more more DoS
attacks over the past 12 months
• DoS & DDoS attacks cost organizations $3M on average
• Counterattack techniques are viewed as viable improvements to
normal defense posture
11/13/2012 Ponemon Institute: Private & Confidential Information 6
A sampling frame of 22,501 IT and IT security practitioners located in all
regions of the United States were selected as participants to this survey.
The final sample was 705 surveys (or a 3.1 percent response rate).
Distribution of respondents according to
primary industry classification
11/13/2012 Ponemon Institute: Private & Confidential Information 7
19%
13%
11%
8%
7%
6%
6%
5%
5%
5%
4%
4%
2%
2%
2% 1%
Financial services
Public sector
Health & pharmaceuticals
Retail (conventional)
E-commerce
Industrial
Services
Energy & utilities
Hospitality
Technology & software
Consumer products
Transportation
Communications
Education & research
Entertainment & media
Agriculture & food services
Sample size = 705
What organizational level best describes
your current position?
11/13/2012 Ponemon Institute: Private & Confidential Information 8
2%
1%
17%
23%
19%
33%
4%
1%
Senior executive
Vice president
Director
Manager
Supervisor
Technician
Staff
Consultant
Sample size = 705
The primary person you or the IT security
leader reports to within the organization
11/13/2012 Ponemon Institute: Private & Confidential Information 9
61%
21%
5%
3%
2%
2%
2%
4%
Chief Information Officer
Chief Information Security Officer
Chief Risk Officer
General Counsel
Chief Financial Officer
Compliance Officer
Chief Security Officer
Other
Sample size = 705
The person most responsible for
managing the cyber security posture

11/13/2012 Ponemon Institute: Private & Confidential Information 10
41%
21%
12%
11%
4%
3%
3%
2%
2% 1%
Chief information officer
Chief information security officer
No one person has overall responsibility
Business unit management
Outside managed service provider
Chief risk officer
Corporate compliance or legal department
Chief technology officer
Data center management
Chief security officer
Sample size = 705
Global headcount
11/13/2012 Ponemon Institute: Private & Confidential Information 11
7%
9%
19%
34%
21%
6%
4%
< 100
100 to 500
501 to 1,000
1,001 to 5,000
5,001 to 25,000
25,001 to 75,000
> 75,000
Sample size = 705

Results

Current perceptions and response to
cyber attacks
Strongly agree and agree response combined
11/13/2012 Ponemon Institute: Private & Confidential Information 13
29%
44%
44%
48%
64%
0% 10% 20% 30% 40% 50% 60% 70%
My organization has in-house expertise to launch
counter measures against cyber criminals
Security budget is sufficient for mitigating most cyber
attacks
Launching a strong offensive against cyber criminals is
very important
My organization is vigilant in monitoring cyber attacks
The severity of cyber attacks is on the rise
Effectiveness in combating cyber attacks

11/13/2012 Ponemon Institute: Private & Confidential Information 14
29%
35%
36%
0% 5% 10% 15% 20% 25% 30% 35% 40%
More effective in combating attacks and intrusions
Less effective in combating attacks and intrusions
The same in terms of its effectiveness in combating
attacks and intrusions
Over the past 12 months, my organization‟s cyber defense has been . . .
Negative consequences of a cyber attack
8 = most severe to 1 = least severe

11/13/2012 Ponemon Institute: Private & Confidential Information 15
2.2
3.2
3.5
6.1
6.2
6.4
6.8
7.5
0.0 1.0 2.0 3.0 4.0 5.0 6.0 7.0 8.0
Regulatory actions or lawsuits
Cost of outside consultants and experts
Stolen or damaged equipment
Customer turnover
Lost revenue
Reputation damage
Productivity decline
Lost intellectual property/trade secrets
Greatest areas of potential cyber security risk
Three responses permitted

11/13/2012 Ponemon Institute: Private & Confidential Information 16
6%
6%
7%
8%
13%
15%
20%
22%
24%
25%
28%
29%
31%
32%
34%
0% 5% 10% 15% 20% 25% 30% 35% 40%
Data centers
The server environment
Within operating systems
Virtual computing environments
Removable media and/or media (CDs, DVDs)
Network infrastructure environment
Desktop or laptop computers
Malicious insiders
Mobile devices such as smart phones
Organizational misalignment and complexity
Cloud computing infrastructure and providers
Across 3rd party applications
Negligent insiders
Mobile/remote employees
Lack of system connectivity/visibility
Downtime after one DDoS attack

11/13/2012 Ponemon Institute: Private & Confidential Information 17
10%
13%
16%
22%
11%
9%
5%
4%
10%
0%
5%
10%
15%
20%
25%
Less than 1
minute
1 to 10
minutes
11 to 20
minutes
21 to 30
minutes
31 to 60
minutes
1 to 2 hours 3 to 5 hours More than 5
hours
Cannot
determine
An extrapolated average of 53.5 minutes for the sample
Cost per minute of downtime
11/13/2012 Ponemon Institute: Private & Confidential Information 18
1%
8%
12%
15% 15%
21%
11%
7%
5% 5%
0%
5%
10%
15%
20%
25%
$1 to $10 $10 to
$100
$101 to
$1,000
$1,001 to
$5,000
$5,001 to
$10,000
$10,001 to
$25,000
$25,001 to
$50,000
$50,001 to
$100,000
More than
$100,000
Cannot
determine
An extrapolated average of $21,699 per minute of downtime
Cyber defenses most important
Very important and important response combined

11/13/2012 Ponemon Institute: Private & Confidential Information 19
50%
50%
51%
51%
52%
56%
59%
64%
71%
75%
0% 10% 20% 30% 40% 50% 60% 70% 80%
Content aware firewalls
Web application firewalls
Security intelligence systems including SIEM
Endpoint security systems
Secure network gateways
Intrusion detection systems
Intrusion prevention systems
Identity and authentication systems
Anti-DoS/DDoS
Anti-virus/anti-malware
Cyber defenses not as important
Very important and important response combined
11/13/2012 Ponemon Institute: Private & Confidential Information 20
26%
32%
36%
38%
39%
45%
47%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
Mobile device management
Enterprise encryption for data at rest
ID credentialing including biometrics
Other crypto technologies including tokenization
Enterprise encryption for data in motion
Data loss prevention systems
Secure coding in the development of new applications
Cyber security threats according to risk mitigation priority
10 = highest priority to 1 = lowest priority
11/13/2012 Ponemon Institute: Private & Confidential Information 21
2.8
3.0
3.2
5.4
6.4
7.7
7.9
8.2
8.6
9.0
0.0 1.0 2.0 3.0 4.0 5.0 6.0 7.0 8.0 9.0 10.0
Phishing and social engineering
Web scrapping
Cross-site scripting
Malicious insiders
Botnets
Malware
Viruses, worms and trojans
Distributed denial of service (DDoS)
Server side injection (SSI)
Denial of service (DoS)
Barriers to achieving a strong cyber security posture
Two responses permitted
11/13/2012 Ponemon Institute: Private & Confidential Information 22
1%
8%
10%
19%
22%
27%
34%
35%
44%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
Other
Lack of leadership
Complexity of compliance and regulatory requirements
Lack of skilled or expert personnel
Insufficient assessment of cyber security risks
Lack of oversight or governance
Lack of effective security technology solutions
Insufficient resources or budget
Insufficient visibility of people and business processes
Ranking of cyber security objectives in
terms of a business priority objective
5 = highest priority to 1 = lowest priority

11/13/2012 Ponemon Institute: Private & Confidential Information 23
4.7
4.4
3.5
2.8
1.9
0.0
0.5
1.0
1.5
2.0
2.5
3.0
3.5
4.0
4.5
5.0
Availability Compliance Integrity Confidentiality Interoperability
Counter technique capabilities most important
Very important and important response combined

11/13/2012 Ponemon Institute: Private & Confidential Information 24
67%
60%
58%
52%
54%
56%
58%
60%
62%
64%
66%
68%
Technology that neutralizes denial of
service attacks before they happen
Technology that slows down or even
halts the attacker‟s computers
Technology that pinpoints the
attacker‟s weak spots
Technologies most favored
Two responses permitted
11/13/2012 Ponemon Institute: Private & Confidential Information 25
10%
15%
21%
31%
33%
33%
57%
0% 10% 20% 30% 40% 50% 60% 70%
Perimeter security technologies
Endpoint security technologies including mobile devices
Simplifying threat reporting technologies
Insider threat minimizing technologies
Intelligence about attackers‟ motivation and weak spots
technologies
Security of information assets technologies
Intelligence about networks and traffic technologies
Ability to launch a counter technique
against a cyber criminal
1 = unable to perform counter technique to 10 = fully capable

11/13/2012 Ponemon Institute: Private & Confidential Information 26
16%
19%
17%
11%
8%
5%
7%
5%
9%
3%
0%
2%
4%
6%
8%
10%
12%
14%
16%
18%
20%
1 (weak) 2 3 4 5 6 7 8 9 10 (strong)
Reasons for not being fully capable of
launching a counter technique
More than one response permitted

11/13/2012 Ponemon Institute: Private & Confidential Information 27
71%
69%
53% 53%
2%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Lack of enabling
technologies
Lack of resources or
budget
Do not have ample
expert personnel
Not considered a
security-related
priority
Other
Methods for performing counter techniques
More than one response permitted

11/13/2012 Ponemon Institute: Private & Confidential Information 28
67%
61%
43%
2%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Manual surveillance
methods
Close examination of logs
and configuration settings
Use of security intelligence
tools
Other

Comparison of three industries
Most severe consequences of a cyber
attack for three industry sectors
8 = most severe to 1 = least severe
11/13/2012 Ponemon Institute: Private & Confidential Information 30
1.6
3.2
4.1
5.7
5.5
7.0
7.2
6.8
2.8
4.4
1.9
2.0
5.2
5.0
5.0
7.1
1.9
3.0
5.3
3.9
6.9
7.2
7.0
7.5
1.0 2.0 3.0 4.0 5.0 6.0 7.0 8.0
Cost of consultants and experts
Stolen or damaged equipment
Regulatory actions or lawsuits
Customer turnover
Lost intellectual property
Lost revenue
Reputation damage
Productivity decline
Health & pharmaceuticals Public sector Financial services
Frequency of DDoS attacks experienced
for organizations in three industries
Over the past 12 months


11/13/2012 Ponemon Institute: Private & Confidential Information 31
3.0
4.1
2.4
-
0.5
1.0
1.5
2.0
2.5
3.0
3.5
4.0
4.5
Financial services Public sector Health & pharmaceuticals
Average downtime organizations in three industries
Minutes of downtime

11/13/2012 Ponemon Institute: Private & Confidential Information 32
47.9
70.1
51.2
0
10
20
30
40
50
60
70
80
Financial services Public sector Health & pharmaceuticals
Estimated cost per minute of downtime
for organizations in three industries


11/13/2012 Ponemon Institute: Private & Confidential Information 33
$32,560
$15,447
$23,519
$-
$5,000
$10,000
$15,000
$20,000
$25,000
$30,000
$35,000
Financial services Public sector Health & pharmaceuticals
Conclusion and recommendations

As is revealed in this research, organizations are lagging behind in their ability to deal
with the aggressive and sophisticated tactics of cyber criminals. The IT security experts
surveyed give their organizations a below average score in their effectiveness to launch
counter measures.

To achieve a proactive cyber security posture, organizations should consider the
following practices:

• Create a strategy and plan that puts emphasis on having a strong offense against
hackers and other cyber criminals.
• Ensure internal IT staff as well as such external support as IT vendors and MSSPs
are knowledgeable and available to respond to attacks before they take place.
• Support the strategy with the right technologies to prevent and detect cyber attacks.

In this and other Ponemon Institute studies on cyber crimes, the financial and
reputational consequences are well documented. Organizations that suffer attacks face
real-world consequences. The findings of this research can help organizations make the
business case for adopting a more proactive approach to the advanced persistent threats
facing them.

11/13/2012 Ponemon Institute: Private & Confidential Information 34
Questions?

Ponemon Institute
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA
research@ponemon.org




Avi Chesla
CTO
1.9
2.8
3.5
4.4
4.7
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5
Interoperability Confidentiality Integrity Compliance Availability
Ranking of cyber security objectives in terms of a business priority objective
5 = Highest Priority to 1 = Lowest Priority
Slide 37
Availability is Top Priority
1.9
2.8
3.5
4.4
4.7
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5
Interoperability Confidentiality Integrity Compliance Availability
Ranking of cyber security objectives in terms of a business priority objective
5 = Highest Priority to 1 = Lowest Priority
Slide 38
Availability is Top Priority
• In the past, confidentiality & integrity were top priorities

• As more organizations suffer from DoS & DDoS attacks,
availability is moving up as top priority

• In today‟s online world, when availability is threatened it
has severe impact on the business‟s performance and
operations
Availability Based Threats Are on the Rise
Slide 39
2.8
3.0
3.2
5.4
6.4
7.7
7.9
8.2
8.6
9.0
0.0 2.0 4.0 6.0 8.0 10.0
Phishing and social engineering
Web scrapping
Cross site scripting
Malicious insiders
Botnets
Malware
Viruses, worms and trojans
Distributed denial of service (DDoS)
Server side injection
Denial of service (DoS)
Cyber security threats according to risk mitigation priority
10 = Highest Priority to 1 = Lowest Priority
Availability Base Threats Are on the Rise
Slide 40
2.8
3.0
3.2
5.4
6.4
7.7
7.9
8.2
8.6
9.0
0.0 2.0 4.0 6.0 8.0 10.0
Phishing and social engineering
Web scrapping
Cross site scripting
Malicious insiders
Botnets
Malware
Viruses, worms and trojans
Distributed denial of service (DDoS)
Server side injection
Denial of service (DoS)
Cyber security threats according to risk mitigation priority
10 = Highest Priority to 1 = Lowest Priority
• DDoS attacks are not rare occasions on few organizations - organizations
should expect to be under attack

• Significant change in the threat landscape as DoS & DDoS are becoming
the top risks

• On average, DDoS attacks cost companies approximately $3.5 million
annually – this is a pain that must be addressed

Average Down Time – What Does it Mean ?
Slide 41
10%
13%
16%
22%
11%
9%
5%
4%
10%
0%
5%
10%
15%
20%
25%
Less than
1 minute
1 to 10
minutes
11 to 20
minutes
21 to 30
minutes
31 to 60
minutes
1 to 2
hours
3 to 5
hours
More than
5 hours
Cannot
determine
Average downtime during one DDoS attack
Sophistication
(“APT measure”)
Time
Slide 42
Attack Campaigns “APT” Measure
• Duration: 20 days
• More than 7 attack vectors
• “Inner cycle” involvement attack
target: Government in Europe
• Duration: 3 days
• 5 Attack vectors
• Only “inner cycle” involvement
• Attack target: HKEX
• Duration: 3 days
• 4 attack vectors
• Attack target: Visa, MasterCard
• Duration: 6 Days
• 5 attack vectors
• “Inner cycle” involvement
Attack target: Israeli sites
• Duration: 30 days
• 5 attack vectors
• “Inner cycle” involvement attack
target: India (operation India)
The characteristics of cyber attack campaigns have fundamentally changed
Organizations Are Not Ready
Organizations Are Not Ready for Attacks
• Less than half reported being vigilant in
monitoring for attacks

• Much less putting into practice proactive
and preventative measures

• The majority of organizations cannot launch
or implement a counter technique
Slide 44
Emergency Response Teams & Cyber War Rooms
Slide 45
Attack Time
• Emergency Response
Team that “fights”
Get Ready
• Audits
• Policies
• Technologies
Forensics
• Analyze what happened
• Adjust policies
• Adapt new technologies
Existing Level of skills
Lack of Expertise
• Required expertise during attack campaign
– Complex risk assessment
– Tracking and modifying protections against dynamically evolved attacks
– Real time intelligence
– Real time collaboration with other parties
– Counter attack methods and plans
– Preparation with cyber “war games”
The Best Defense Is A…
Slide 46
Get Ready
Mapping Security Protection Tools
Slide 48
DoS Protection
Behavioral Analysis
IP Rep.
IPS
WAF
Large volume network flood attacks
Web attacks: XSS, Brute force
SYN flood attack
Application vulnerability, malware
Web attacks: SQL Injection
Port scan
“Low & Slow” DoS attacks (e.g.Sockstress)
Network scan
Intrusion
High and slow Application DoS attacks
Organizations should deploy an attack mitigation system that:

1. Mitigate all availability based threats

2. Performs on premise detection and mitigation for applications based attacks

3. Does not have blind spots and provides a holistic approach
Thank You
www.radware.com
Q&A Session

Dr. Larry Ponemon
Chairman & Founder, Ponemon Institute



Avi Chesla
Chief Technology Officer, Radware

Resources
To View This or Other Events On-Demand Please Visit:
http://informationweek.com/events/past

Download the entire „Cyber Security on the Offense‟ Report:
http://security.radware.com/uploadedFiles/Resources_and_Content/Att
ack_Tools/CyberSecurityontheOffense.pdf

For up-to-date information on the latest IT threats and reports please
visit:
www.ddoswarriors.com
http://www.radware.com/

Sign up to vote on this title
UsefulNot useful