4/19/19

1

CYBERCRIMEONE OF THE GREAT CHALLENGES TO THIS DECADE

FACTS

ACCORDING TO THE 2019 CYBER SECURITY ALMANAC COMPILED AND PUBLISHED BY CISCO AND CYBERSECURITY VENTURES,

“CYBERCRIMINAL ACTIVITY IS ONE OF THE BIGGEST CHALLENGES THAT HUMANITY WILL FACE IN THE NEXT TWO DECADES. ”

HTTPS://CYBERSECURITYVENTURES.COM/CYBERSECURITY-ALMANAC-2019/

4/19/19

2

A PROBLEM

WITH GLOBAL SCOPE

1989

The World Wide Web was invented in 1989. The first-ever website went live in 1991. Today there are more than 1.9 billion websites.

2020

The world’s digital content is expected to grow to 96 zettabytes by 2020,up from 4 zettabytes just 3 years ago.

2022

by 2022, more IP traffic will cross global networks than in all prior “Internet years.” In other words, more traffic will be created in 2022 than in the 32 years since the Internet started.

4/19/19

3

NEARLY ALL OF

HUMANITY AFFECTED

There were nearly 4 billion Internet users in 2018, up from 2 billion in 2015. Cybersecurity Ventures predicts that there will be 6 billion Internet users by 2022 — and more than 7.5 billion Internet users by 2030.

2015

In 2004, the global cybersecurity market was worth $3.5 billion — and in 2017 it was worth more than $120 billion. The cybersecurity market grew by roughly 35X during that 13-year period

2017

EXPONENTIAL GROWTH,

EXPONENTIAL RISK

CYBERSECURITY VENTURES ESTIMATES THERE ARE 111 BILLION LINES OF NEW SOFTWARE CODE BEING PRODUCED EACH YEAR.

ZERO-DAY EXPLOITS ALONE ARE PREDICTED TO REACH ONE PER DAY BY 2021, UP FROM ONE PER WEEK IN 2015.

HACKING TOOLS AND KITS FOR CYBERATTACKS HAVE BEEN AVAILABLE IN ONLINE MARKETPLACES FOR SEVERAL YEARS — AT PRICE POINTS STARTING AS LOW AS $1 — WHICH MAKES THE COST OF ENTRY TO A LIFE OF CYBERCRIME NEARLY FREE.

4/19/19

4

DEEP WEBS, DARK

MARKETS

THE DEEP WEB IS INTENTIONALLY HIDDEN AND ESTIMATED TO BE AS MUCH AS 5,000 TIMES LARGER THAN THE SURFACE WEB, AND GROWING AT A RATE THAT DEFIES QUANTIFICATION.

THE DEEP WEB HOSTS OPEN MARKETS WHERE PRIVATE HEALTH AND OTHER RECORDS SELL FOR AS LITTLE AS PENNIES PER RECORD.

CYBERCRIME HAS HIT THE U.S. SO HARD THAT THE FEDERAL BUREAU OF INVESTIGATION TOLD THE WALL STREET JOURNAL THAT EVERY AMERICAN CITIZEN SHOULD EXPECT THAT ALL OF THEIR DATA (PERSONALLY IDENTIFIABLE INFORMATION) HAS BEEN STOLEN AND IS NOW ON THE DARK WEB.

HTTPS://WWW.CSOONLINE.COM/ARTICLE/3189869/HEALTHCARE-RECORDS-FOR-SALE-ON-DARK-WEB.HTML

TOP CYBERCRIMINAL

TARGETS

The 5 most cyber-attacked industries over the past 5 years are healthcare, manufacturing, financial services, government, and transportation.

Cybersecurity Ventures predicts that retail, oil and gas / energy and utilities, media and entertainment, legal, and education (K-12 and higher ed), will round out the top 10 targeted industries for 2019 to 2022

4/19/19

5

CyberCriminal Tools and Techniques

BUSINESS EMAIL

COMPROMISE

The FBI reported that Business Email Compromise (BEC),— a scam aimed at intercepting wire transfer payments — has cost more than $12.5 billion in losses over the past 4.5 years (as of its last tally through May 2018).

Security researchers have exposed a thriving deep-web market with hackers offering access to business email addresses to crooks who then attempt to carry out frauds.

The email accounts are compromised via spam/phishing campaigns and sold for as little as $150 each

https://www.zdnet.com/article/this-dark-web-market-is-dedicated-to-compromising-your-emails/

4/19/19

6

Ransomware

Ransomware encrypts files on an infected computer and demands a ransom to decrypt and access the files.

Ransomware attacks saw a 350 percent increase in 2018

Global ransomware damage costs are predicted to hit $20 billion in 2021, up from $11.5 billion in 2019, $5 billion in 2017, and just $325 million in 2015

Phishing

emails crafted to lure their recipients to click a link, open a document or forward information to someone they shouldn’t.

It’s widely reported that more than 90 percent of successful hacks and data breaches stem from phishing scams

Training users how to detect and react to these threats is a critical ransomware deterrent.

4/19/19

7

CYBERCRIMINAL DAMAGES

CYBERCRIME

Cybercrime costs include damage and destruction of data, stolen money, lost productivity,

theft of intellectual property, theft of personal and financial

data, embezzlement, fraud, post-attack disruption to the normal course of business,

forensic investigation, restoration and deletion of

hacked data and systems, and reputational harm.

4/19/19

8

COST OF A DATA BREACH

This year, the Ponemon Institute calculated the average healthcare data breach costs to be $380 per record. The average global cost

per record for all industries is now $141.

The average global cost of a data breach now stands at $3.62 million

https://www.hipaajournal.com/healthcare-data-breach-costs-2017-8854/

FAMOUSBREACH

The Yahoo hack was recently recalculated to have affected 3 billion

user accounts, and the Equifax breachin 2017

— with 145.5 million customers affected —

exceeds the largest publicly disclosed

hacks ever reported.

4/19/19

9

CyberSecurity Trends

Training, Training, Training

Much of this training is centered on combating phishing scams and

ransomware attacks.

Global spending on security awareness training for employees — one of the

fastest growing categories in the cybersecurity industry — is predicted to

reach $10 billion by 2027, up from around $1 billion in 2014.

4/19/19

10

TAC Ahead Of The Curve

Texas Association of Counties uses an online Cyber Security Training program internally that sends occasional phishing tests and tracks the results.

As a result, our phishing tests show TAC users clicking on suspicious emails less and less

…AND OFFERING TRAINING

TO COUNTIES

TAC is offering online Cyber Security training to Texas Counties through MediaPro.

TAC is absorbing the cost of this service in an effort to help train county employees to think before they click and become human firewalls.

Counties can get more information about this training atwww.county.org/countycyber.

4/19/19

11

INSURE

NETWORK

SECURITY

Singapore announced the launch of

the world’s first commercial cyber

risk pool, a facility for providing

cyber insurance to corporate

buyers, as cyberattacks in the Asia

Pacific region become more

pervasive. The pool will commit up

to $1 billion (USD) in risk capacity

and will be backed by capital from

traditional insurance and

insurance-linked securities markets

to provide bespoke coverage.

CYBER INSURANCE

68 percent of U.S. businesses have not purchased any form of cyber liability or data-breach coverage, showing that businesses are not adopting cyber insurance at a rate that matches the risks they face.

Government is ahead of the curve with a majority of the 25 most populous U.S. cities now have cyberinsurance or are looking into buying it, according to a Wall Street Journal survey.

4/19/19

12

TAC CYBER

INSURANCE

Members of Public Officials’ Liability (POL) receive Privacy & Data Security Liability (Cyber Liability) at no additional cost

Members with Cyber coverage have cyber resources available via eRisk Hub

Members who have a covered cyber event have access to a data breach coach, forensic vendors and other resources to assist with possible cyber breaches

Members who have cyber coverage have 1st

party and 3rd party coverages for losses

SECURITY BEST

PRACTICES

Security is as topic that is not popular in the IT domain. For Customers it is often seen as a financial investment that brings no profit.

4/19/19

13

WE

DON’T

REALLY

NEED IT…

When bringing up the topic you inevitably hear things like:

“I haven’t been hacked so why bother”

“ Don’t fix what isn’t broken.”

WHAT IS WANNACRY?

The most common and effective hacking techniques rely on social engineering, aka tricking people.

One of the most effective security counter-measures is regular cyber security training to remind people of smart, skeptical internet practices.

4/19/19

14

HOW TO DEFEND?

User Awareness

Properly Configured Perimeter Firewall

Internal Firewall / VLAN Traffic

Patching

Anti-Virus

SHOULDN’T ANTIVIRUS

STOP EVERYTHING?

Most companies don’t implement Antivirus correctly

Are you willing to wait 5 minutes for Anti-virus to check every file before you accessed it?

4/19/19

15

HOW TO DEFEND?

User Awareness

Properly Configured Perimeter Firewall

Internal Firewall / VLAN Traffic

Patching

Anti-Virus

Locking Down Systems

BACKUPS: THE LAST LINE OF

DEFENSE3-2-1 Backup Strategy

Store the copies on

2different

media

Keep 1Backup Offsite

Have a robust backup strategy

Have at least 3

copies of your data

4/19/19

16

TO SUMMARIZE

THESE:

Regular security awareness training so users don’t open suspicious attachments

Secure the network by blocking unnecessary protocols and restrict network resource access to what is actually needed

Do regular patches and have a good patch strategy

Use anti-virus and lock down your systems

Do regular backups and have a good backup strategy