https://xkcd.com/838/ Data Breaches This years study analyzed 524 - - PowerPoint PPT Presentation


SLIDE 1

https://xkcd.com/838/

SLIDE 2

Data Breaches

This year’s study analyzed 524 breaches that occurred between August 2019 and April 2020, in organizations of all sizes, across 17 geographies and 17 industries.

The 2020 Cost of a Data Breach Report shows some consistency with past research, including the global total cost of a data breach, which averaged $3.86 million in the 2020 study, down about 1.5% from the 2019 study, but in line with previous years. The average time to identify and contain a data breach was 280 days in the 2020 study, nearly identical to the average of 279 days in 2019.

Larry Ponemon
https://securityintelligence.com/posts/whats-new-2020-cost-of-a-data-breach-report/

SLIDE 3

COVID-19 Impact on Data Breach Management

76% of respondents whose organizations have shifted to remote work expect that working from home could increase the time it takes to identify and contain a data breach. Additionally, 70% of respondents expect remote working could increase the cost of a data breach.

Larry Ponemon
https://securityintelligence.com/posts/whats-new-2020-cost-of-a-data-breach-report/

SLIDE 4

from https://csrc.nist.gov/publications/detail/sp/800-86/final

SLIDE 5

Heisenberg’s Uncertainty Principle for Forensic Analyses*

Examining or collecting one part of the system will disturb other components.

It is impossible to completely capture the entire system at any point in time.

* Farmer and Venema, Forensic Discovery,
  http://www.porcupine.org/forensics/forensic-discovery/chapter1.html

SLIDE 6

Life expectancy of data*

  Registers, caches, device memory    nanoseconds
  Main memory                         nanoseconds
  Network state, caches, queues       milliseconds
  Running processes                   seconds
  Disk data                           minutes
  Backup media, CD-ROM, DVD, paper    years+

* Farmer and Venema, Forensic Discovery,
  http://www.porcupine.org/forensics/forensic-discovery/chapter1.html
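The practical consequence of the two slides above is the "order of volatility": acquire the sources that live for nanoseconds and milliseconds before the ones that live for minutes, and keep a record of what the collector itself did, because the collector is part of the disturbance. The script below is an added example written for this page, not code from the slides or from Farmer and Venema. It ranks evidence sources with the life-expectancy classes from the table, runs a caller-supplied acquisition callable for each source in that order, and writes a SHA-256 manifest. The acquisition commands listed in the demo (`ps`, `ss`, `ip`, `dd`) are illustrative labels that are recorded, not executed; a fake runner returns constructed bytes so the script runs offline.

```python
"""Volatile-first evidence collection plan with a hash manifest.

Added example: orders sources by the Farmer & Venema life-expectancy
classes (registers < memory < network < processes < disk < backup),
collects most-volatile first through an injected runner, and records a
manifest entry per source plus one for the collector itself.
"""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Lower rank = shorter life expectancy = collect first.
VOLATILITY = {
    "registers": 0,   # registers, caches, device memory: nanoseconds
    "memory": 1,      # main memory: nanoseconds
    "network": 2,     # socket/ARP/route state, queues: milliseconds
    "processes": 3,   # running processes: seconds
    "disk": 4,        # file system data: minutes
    "backup": 5,      # offline media, paper: years+
}


@dataclass(frozen=True)
class Source:
    name: str
    volatility: str          # one of the VOLATILITY keys
    command: List[str]       # acquisition command, recorded for the manifest


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def order_by_volatility(sources: List[Source]) -> List[Source]:
    """Most volatile first; Python's sort is stable, so ties keep input order."""
    return sorted(sources, key=lambda s: VOLATILITY[s.volatility])


def collect(sources: List[Source], run: Callable[[Source], bytes],
            collector_id: str = "hypothetical-collector/0.1") -> List[Dict]:
    """Acquire each source in volatility order and return the manifest.

    The first manifest entry names the collector and the planned command
    sequence, written before anything is acquired, so the perturbation the
    collector introduces is itself documented.
    """
    plan = order_by_volatility(sources)
    manifest = [{
        "name": "collector",
        "tool": collector_id,
        "planned": [" ".join(s.command) for s in plan],
        "started_at": time.time(),
    }]
    for src in plan:
        started = time.time()
        data = run(src)                      # injected: real tool or fake
        manifest.append({
            "name": src.name,
            "volatility": src.volatility,
            "command": " ".join(src.command),
            "sha256": sha256_hex(data),
            "bytes": len(data),
            "collected_at": started,
            "seconds": round(time.time() - started, 6),
        })
    return manifest


# Constructed demo sources; the commands are illustrative and not executed.
DEMO_SOURCES = [
    Source("disk-image", "disk", ["dd", "if=/dev/sda", "of=/mnt/evidence/sda.raw"]),
    Source("sockets", "network", ["ss", "-tanp"]),
    Source("arp-cache", "network", ["ip", "neigh"]),
    Source("process-list", "processes", ["ps", "-ef"]),
    Source("ram", "memory", ["cat", "/proc/kcore"]),
]


def fake_runner(src: Source) -> bytes:
    """Stand-in acquisition: returns constructed bytes instead of running anything."""
    return f"<constructed capture of {src.name}>".encode()


if __name__ == "__main__":
    print(json.dumps(collect(DEMO_SOURCES, fake_runner), indent=2))
```

Swapping `fake_runner` for a function that actually executes `src.command` turns this into a live collector; the manifest format stays the same, which is what makes the acquisition sequence reviewable afterwards.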

SLIDE 7

strace of Ubuntu date command

  % time     seconds  usecs/call     calls    errors syscall
  ------ ----------- ----------- --------- --------- ------------
   17.22    0.000057           9         6           mmap
   16.01    0.000053          13         4           openat
   12.39    0.000041          10         4           mprotect
   10.57    0.000035           5         6           close
   10.57    0.000035           5         6           fstat
    8.76    0.000029           7         4           brk
    6.65    0.000022          22         1           munmap
    6.04    0.000020           6         3           read
    4.53    0.000015          15         1           write
    3.63    0.000012          12         1         1 access
    1.81    0.000006           6         1           lseek
    1.81    0.000006           6         1           arch_prctl
                                         1           execve
  ------ ----------- ----------- --------- --------- ------------
  100.00    0.000331                    39         1 total

SLIDE 8

“Attribution — determining the identity or location of an attacker or an attacker’s intermediary. In the case of cybersecurity, attribution is a particularly difficult problem as adversaries can mask their identity or even originate attacks from deceptive and unwitting locations (e.g. using a hospital’s network as a staging ground)”

adopted by World Economic Forum,
http://reports.weforum.org/cyber-resilience/attribution/#hide/fn-23

SLIDE 9

Who cares who dunnit?

Public sector

  • political impact
  • national security
  • retaliation accuracy


Private sector

  • brand damage (theirs or the alleged attacker's)
  • as an aid to determine what was the attacker's purpose/targets
  • legal action (retaliation)

SLIDE 10

Sometimes it’s personal…

SLIDE 11

swamp: [~] $ whois 43.229.53.39

  % IANA WHOIS server
  % for more information on IANA, visit http://www.iana.org
  % This query returned 1 object

  refer:         whois.apnic.net

  inetnum:       43.0.0.0 - 43.255.255.255
  organisation:  Administered by APNIC
  status:        LEGACY
  . . .
  person:        xxxx xxxxxxx xxxx
  address:       21 floor,29 Sha Tsui Road, Hong Kong
  country:       CN
  phone:         +852-65971019
  e-mail:        abuse63857@gmail.com
  nic-hdl:       ZLH33-AP
  mnt-by:        MAINT-HOTNETLIMITED-HK
  last-modified: 2015-05-07T13:33:30Z
  source:        APNIC
  . . .
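The output above is the RPSL-style "key: value" format that IANA and the regional registries return: comment lines start with `%`, blank lines separate records, a `refer:` field points at the authoritative registry, and contact handles hang off the network object. The parser below is an added example written for this page, not code from the slides or from any whois client. It splits the response into records, keeps repeated keys, and pulls out the fields a responder needs to reach the right registry and report abuse; the sample text is the slide's own output re-laid out with blank lines between records (the person name is redacted on the slide). Note what it does not do: nothing in these fields identifies an attacker. The registrant supplies them, the `country:` code here is CN while the street address is in Hong Kong, and the contact is a free webmail address, which is exactly why slide 14 calls IP-based attribution mostly unreliable.

```python
"""Parse RPSL-style whois output into records and summarize contact fields.

Added example: a small parser for the IANA/APNIC response format shown on
the slide. Records are separated by blank lines; '%' lines are comments.
"""
import re
from typing import Dict, List, Optional

# Sample taken from the slide, with blank lines restored between records.
SAMPLE_WHOIS = """\
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.apnic.net

inetnum:      43.0.0.0 - 43.255.255.255
organisation: Administered by APNIC
status:       LEGACY

person:       xxxx xxxxxxx xxxx
address:      21 floor,29 Sha Tsui Road, Hong Kong
country:      CN
phone:        +852-65971019
e-mail:       abuse63857@gmail.com
nic-hdl:      ZLH33-AP
mnt-by:       MAINT-HOTNETLIMITED-HK
last-modified: 2015-05-07T13:33:30Z
source:       APNIC
"""

FIELD = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def parse_records(text: str) -> List[Dict[str, List[str]]]:
    """Split whois text into records; each record maps key -> list of values."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.startswith(("%", "#")):          # registry comment lines
            continue
        if not line.strip():                     # blank line closes a record
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if m is None:                            # continuation of previous value
            if current:
                last_key = list(current)[-1]
                current[last_key][-1] += " " + line.strip()
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        current.setdefault(key, []).append(value)
    if current:
        records.append(current)
    return records


def first(records: List[Dict[str, List[str]]], key: str) -> Optional[str]:
    """First value of `key` across records, or None."""
    for rec in records:
        if key in rec:
            return rec[key][0]
    return None


def summarize(text: str) -> Dict[str, object]:
    """Fields a responder needs: where to query next and whom to notify."""
    records = parse_records(text)
    contacts = set()
    for rec in records:
        contacts.update(rec.get("abuse-mailbox", []))  # RIPE/APNIC abuse field
        contacts.update(rec.get("e-mail", []))
    return {
        "refer": first(records, "refer"),            # authoritative registry
        "inetnum": first(records, "inetnum"),
        "country": first(records, "country"),        # registration data, not attacker location
        "abuse_contacts": sorted(contacts),
        "last_modified": first(records, "last-modified"),
        "source": first(records, "source"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WHOIS).items():
        print(f"{key:15} {value}")
```

In practice the `refer` value drives a second query against the regional registry; the summary is for routing an abuse report and timelining the registration (`last-modified`), not for naming a perpetrator.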

SLIDE 12

Cyber "False Flags"

Misleading information aimed at defeating attribution

  • origin
  • identity
  • vulnerability/exploit used
  • target
  • attack vector

SLIDE 13

SLIDE 14

Attribution Hints

  • IP address - mostly unreliable (private sector, at least)
  • Code (compile times, reused code, strings, language, …)
  • Common C2 infrastructure
  • Propagation/Attack patterns
  • Message (language, strings, etc., but spoofable)
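The "compile times" hint in the code bullet usually means the PE header's TimeDateStamp: the COFF header stores the build time as a 32-bit epoch value, which lets an analyst cluster samples by build hours and tool chains. The script below is an added example written for this page, not code from the slides or from any PE library. It constructs a minimal PE skeleton with a chosen stamp (demo input, not a real executable), reads the stamp back by walking `e_lfanew` to the `PE\0\0` signature, and flags the values that most often mean the stamp is not a real build time. The caveat matches the slide's own point about spoofable hints: the field is a plain integer that a linker flag or a hex editor can set to anything, and reproducible builds write a content hash there instead of a time, so it is corroborating evidence only.

```python
"""Read and sanity-check the PE COFF TimeDateStamp.

Added example for the 'compile times' attribution hint. The PE skeleton is
constructed here for the demo; only the header fields the parser needs are
populated.
"""
import struct
from datetime import datetime, timezone
from typing import Dict, List

PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C          # DOS header field pointing at the PE header
COFF_TIMESTAMP_OFFSET = 8       # after the signature: Machine(2), NumberOfSections(2)


def build_minimal_pe(timestamp: int, pe_offset: int = 0x80) -> bytes:
    """Construct a header-only PE image carrying `timestamp` (demo input)."""
    dos = bytearray(pe_offset)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, pe_offset)
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,      # Machine: AMD64
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp (seconds since the Unix epoch)
        0,           # PointerToSymbolTable
        0,           # NumberOfSymbols
        0xF0,        # SizeOfOptionalHeader
        0x22,        # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    return bytes(dos) + PE_SIGNATURE + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp, validating the MZ and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    if len(data) < E_LFANEW_OFFSET + 4:
        raise ValueError("truncated DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    if len(data) < e_lfanew + COFF_TIMESTAMP_OFFSET + 4:
        raise ValueError("truncated COFF header")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return stamp


def describe_timestamp(stamp: int, now: int = None) -> Dict[str, object]:
    """Decode the stamp and flag the usual signs that it is not a build time."""
    now = int(datetime.now(timezone.utc).timestamp()) if now is None else now
    notes: List[str] = []
    if stamp in (0, 0xFFFFFFFF):
        notes.append("null/invalid stamp")
    elif stamp > now:
        notes.append("in the future: forged stamp or clock skew")
    elif stamp < 946684800:                       # before 2000-01-01T00:00:00Z
        notes.append("implausibly old for a modern tool chain")
    utc = datetime.fromtimestamp(stamp, timezone.utc).isoformat() if stamp not in (0, 0xFFFFFFFF) else None
    return {"epoch": stamp, "utc": utc, "notes": notes}


if __name__ == "__main__":
    sample = build_minimal_pe(1418688000)        # constructed: 2014-12-16T00:00:00Z
    print(describe_timestamp(pe_timestamp(sample)))
```

On a corpus of samples the useful signal is the pattern, not a single value: stamps clustering into one working-day window in one time zone, or all zeroed by the same tool, tell you more about the build process than any one timestamp does.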

SLIDE 15

from http://reports.weforum.org/cyber-resilience/attribution/#hide/fn-23

SLIDE 16

  • Nov 24: Sony hacked
  • Dec 1: FBI investigates; some suspect NK
  • Dec 3: NK denial
  • Dec 7: NK News calls it a "righteous deed", but denies
  • Dec 11: The Interview premieres in LA
  • Dec 16: GOP threatens 9-11 like attacks on theaters
  • Dec 17: Sony halts release
  • Dec 17: US Official says NK responsible for the hack
  • Dec 19: FBI confirms
  • Dec 22: NK experiences Internet outage for 10 hours, issues go on for days
  • Dec 25: The Interview is released
  • Dec 27: NK denies any involvement in the Sony hack; accuses US of disrupting their Internet

Sony Hack Timeline (USA Today)

SLIDE 17

Some references

  • Guide for Cybersecurity Event Recovery
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf
  • Guide to integrating forensic techniques into incident response
    https://csrc.nist.gov/publications/detail/sp/800-86/final
  • 13th-annual Cost of Data Breach Study, Ponemon Institute
    https://www.ibm.com/security/data-breach?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&cm_mc_uid=40296825486315404837644&cm_mc_sid_50200000=68399651540483764501