Global Cyber Trends Report SE


MARKET TRENDS

REPORT

The State of Global Cyber Security

Training You Can Trust

08-506 668 00 • LearningTree.se



Table of Contents

The State Of Global Cyber Security: Highlights And Key Findings
The State Of Global Cyber Security
Have I Been Hacked? The Answer Is Yes
Analysis Of The Threat Landscape By Sector
Situational Awareness: Infrastructure Profiling
Top Vulnerability Exploits And Security Incidents
Starting From Within: Cyber Security Education
Concluding Remarks
About Learning Tree International
About the Author
References



The State Of Global Cyber Security: Highlights And Key Findings

Technologies brought about by the fourth industrial revolution (4IR) will have a transformational impact on a global scale. Some of these changes are positive; others carry a disproportionately high risk. The importance of cyber security continues to grow as organisations enable their operations with technology and turn to digital solutions when engaging with stakeholders. A year after the outbreaks of WannaCry and NotPetya in 2017, cyber criminals in 2018 are copying the designs and techniques of these innovative campaigns to develop new, more effective malware. In this report we look at the landscape of cyber security attacks across industries, highlight the weakest links, and recommend ways to address them.

Here are some of the report’s key findings:

• The World Economic Forum Report 2018 places cyber security threats in the top 4 global risks by likelihood and scale of impact, next to environmental degradation, economic strains and geopolitical tensions.
• The public sector continues to dominate as the primary target of cyberattacks, followed by financial services.
• An average data breach costs large organisations $1.86 Million and as much as $386,000 for small businesses.
• 40% of Small to Medium-sized Enterprises that experienced a data breach due to cyber security attacks are likely to close within a year.
• 2018 has seen a dramatic rise in cryptojacking, with some estimates putting the value of stolen cryptocurrency over the past two years at around $1.5 billion.
• Data breaches are on the rise in 2018, with 259 reported in the first half of 2018 vs. 224 reported data breaches in the first half of 2017. Seventy-one percent of the 2018 breaches were in the healthcare industry.
• In the pre-WannaCry timeframe, 36% of organisations were reporting botnet activity related to ransomware. WannaCry affected 150 countries in 72 hours.
• The U.S. Presidential “election hacking” scandal exposed the rising scale of information security breaches by hostile governments.
• Nearly 90% of RMS (Microsoft Rights Management System) registered attacks targeted vulnerabilities which are over a decade old.
• Mobile malware is gaining ground with over a third of organisations affected in Africa, while the highest volumes of unique botnet families are reported in the Middle East and Latin America.
• Cloud solutions and the IoT fears remain at the top of organisational security concerns, hindering their widespread adoption.
• 56% of organisations admit a shortage of cyber security skilled personnel, taking up to six months to recruit.
• More organisations are relying on threat intelligence to transform cyber security from reactive to proactive.



The State Of Global Cyber Security

The volume and types of cyberattacks are expanding but the talent pool of defenders is not keeping up. One of the major challenges to IT sector growth revolves around recruiting staff with strong cyber security capabilities. According to recent data:

• 74% of organisations are expecting to fall victim to cyber-attacks in the next year.[1]
• 82% of senior management have growing concerns about the state of the cyber security posture of their organisation.
• 16.2 Million SEK is the average cost of a data breach.



Have I Been Hacked? The Answer Is Yes

At present, business leaders are aware of their accountability for the cyber security posture of their organisation. A few years ago, around 40% of organisations worldwide reported no experiences of cyber-attacks. The situation has reversed: in 2017 three quarters of businesses suffered from a successful attack. Size does matter in the cyber threat landscape. Enterprises represent lucrative targets as they have greater attack surfaces to defend. Large organisations with more than 10K employees were attacked more frequently (six times or more in 12 months) than SMEs. When analyzed geographically, a higher percentage of businesses in Brazil reported a successful compromise in 2016 than in Australia (see fig. 1 for the Top 10).

It appears that no organisation is immune to cyber threats, as in the case of WannaCry ransomware: government, healthcare, finance and law enforcement have been attacked, locking access to systems and data until a ransom is paid. With sophisticated cyber security threats on the rise, organisations have found themselves exposed, trying to reduce the risk of attacks and increase their resilience.

75% of businesses suffered from a successful attack.

Top 10 Countries Attacked

Figure 1. Businesses compromised by at least one successful cyber-attack (in 12 months)[2]

[1] The State of Cybersecurity Survey Results 2016. PwC.
[2] 2016 Cyberthreat Defense Report. CyberEdge Group.


Analysis Of The Threat Landscape By Sector

While security breaches in the finance and retail sectors are widely publicised, the number of security incidents[3] is not always indicative of the extent of data or monetary loss to the target organisation. From the results of a number of surveys in 2017 it is clear that no sector is safe from cyberattacks. In fact, the highest number of large-scale cyber security incidents occurs within the Public sector year on year (see fig. 2). The Public sector dominates as the target for high levels of crimeware, loss of information assets and privilege misuse. On the other hand, insiders lead to a very high level of incidents due to miscellaneous errors. As more and more public services are conducted online, this sector is also becoming a popular target for DDoS attacks.

Patterns of Incidents by Industry

Figure 2. Cyber Security Incidents by Industry[4]

Patterns of Breaches by Industry

Figure 3. Cyber Security Breaches by Industry[3]

[3] Incident is a security event that compromises the integrity, confidentiality or availability of an information asset.

The patterns of information security breaches (see fig. 3) paint a different picture, clearly indicating financial gain as the main motivation behind the attacks. The Finance sector in 2016-2017 was the main target of web app attacks, resulting in significant losses. Espionage is a definite challenge (and continues to be one year on year) in the Manufacturing sector. The rise of this vector of attacks in the public sector in 2016/17 can be explained by global political activity (such as elections in the U.S., France, United Kingdom, others) and the rising financial value of intelligence in this sector. We can also see the Healthcare sector suffering a considerable number of breaches owing to privilege misuse and errors, also resulting in significant data losses.

While the security incidents paint a very ‘noisy’ picture of malicious activity, the patterns of cyber security breaches are indicative of the spread of attacks targeting specific industries. For example, payment card skimmer breaches are typical of Finance and Retail, while crimeware is targeting all industries alike, though fewer breaches are detected.

According to the Global State of Information Security® Survey 2017, the Finance sector shows concerns about the evolving complexity of technologies, threats from foreign nation states and a demand for clearer guidance on regulation. However, resolving uncertainties about third-party partners, their capabilities and cyber security controls is seen as the top priority.

Just over 40% of the financial services sector highlighted assessment of third-party vendors’ security protocols and standards as their next step in the security risk management efforts.

The survey also shows that investment in monitoring and testing of third-party partner security will be the main priority in security spending in 2017.

When we go into the discussion of the 2016-2017 threat landscape and incident scenarios, it is important to keep in mind that exploits do not occur in a vacuum. While situational awareness is paramount to maintaining an organisation’s security posture, its own infrastructure, configurations and user activity patterns increase (or reduce) its susceptibility to exploits.

[4] Breach is an incident that results in the confirmed disclosure – not just potential disclosure – of data to an unauthorized party (Verizon, 2017)


Situational Awareness: Infrastructure Profiling

To assess how organisations measure up in terms of the activity, controls and infrastructure which make them prone to exploits, we turn to global infrastructure profiling data. Continuously evolving threats require changes in applications, configurations, controls, and behaviors, and the link is reversible. Therefore, it is important to take into account current infrastructure trends and their role in shaping the threat landscape. No two organisations are the same; however, user activity and infrastructure analysis by Fortinet (2016) reveals steady patterns. While demographic, business, and other factors may vary significantly, the analysis indicates what a “typical” organisation in 2016 looks like and how the infrastructure profile is evolving (see fig. 4).

One of the trends monitored by Fortinet is HTTPS traffic usage. It is an interesting indicator: HTTPS is used to achieve confidentiality, but on the other hand it makes threat detection in the encrypted traffic difficult. The expectation is that the shift to HTTPS is inevitable, and currently the breakdown between HTTP/HTTPS is around 50%. We need to keep in mind that some organisations require nearly all communications to be encrypted (and vice versa).

Another trend observed is the number of unique applications detected per organisation, which over 2016/2017 averaged just above 200. It is not surprising that cloud applications are extending their reach, mainly SaaS and IaaS (the breakdown between them is 53% to 47%). While the views on their impact on security are divided, the rising uptake of SaaS applications by 10% in 2016 shows that benefits may outweigh risks. The trend is here to stay for the time being, bringing along challenges of technology governance and compliance.

Above 200: the average number of unique applications detected per organisation

A well-known vector for social engineering attacks is social applications. Web application usage profile analysis shows levelling numbers of new and existing social media, streaming audio/video, and P2P applications. This trend is attributed to more stringent enterprise policies and controls put in place, as well as to the steadying numbers of social apps as own devices are used for social purposes. This is reasonably positive news for minimising the passage of malware and social engineering threats into the corporate environment.

Fortinet also reports on the trends in web-browsing, another popular vector of attacks. The numbers of distinct sites visited daily by employees, including sites registered as malicious, have levelled and range widely depending on organisational size. Still, at around 600 websites visited on average per day, organisations are open to significant exposures.

DAILY BANDWIDTH: 8.5G
HTTPS RATIO: 50.80%
TOTAL APPS: 210
SAAS APPS: 36
IAAS APPS: 27
STREAMING APPS: 20
SOCIAL APPS: 17
RAS APPS: 4
GAMING APPS: 3
DAILY WEBSITE VISITS: 595

Figure 4. Infrastructure Trends ending Q4 2016[5]

[5] Fortinet, 2016


Top Vulnerability Exploits And Security Incidents

Known since the early 90s, ransomware has seen such rapid progress and ingenuity that it may be comparable to the arrival of Bitcoin. The simplicity of monetisation powered the rise of ransomware incidents from 159 in 2016 to over 200 just in the first quarter of 2017. According to McAfee Labs, the 2015/16 timeframe saw continuous growth in new ransomware samples, with fresh attack vectors, encryption mechanisms and exploit kits introduced by adversaries.[6] The trend reversed at the end of 2016, when the reduction in generic ransomware detection and the drop in Locky and CryptoWall variations occurred, notably shifting from Angler to Neutrino exploit kits, then from Neutrino to RIG. But this was not good news, as attackers developed extortion and obfuscation methods for existing variants, particularly in the move away from file locking to master boot record locking and full disk encryption, making the ransom payment nearly inescapable in order to recover data.

Top 3 Industry Sectors Targeted by Ransomware:
1. Public
2. Healthcare
3. Financial

• The largest data breach and largest DDoS attack in history were surpassed by the record-setting events of the WannaCry ransomware in 2017.
• In the pre-WannaCry timeframe, 36% of organisations were reporting botnet activity related to ransomware. WannaCry affected 150 countries in just 72 hours.

[5] Fortinet, 2016

Trends in Crimeware

• Malicious email campaigns target HR, Finance, and organisational functions that work with email attachments
• Ransomware: involved in 50% of incidents in 2017 so far
• Command and Control (C2, malware that sits and waits to attack): 40%
• Social engineering (like spearphishing): 21%
• Crimeware is responsible for nearly 7,000 incidents

The ways ransomware achieved detection avoidance evolved, including execution patterns, unexpected command line arguments and lists of Microsoft Office recent files. Unsurprisingly, malicious entities started commercial support for ransomware-as-a-service, taking a cut of mass extortion. This led to much more sophisticated attacks and a move from targeting individual machines to entire organisations. The malicious email campaigns were aimed at organisational functions that commonly work with attachments, such as HR and Finance. Still opportunistic by nature, ransomware (50% of 2017 incidents) was delivered by malicious websites, exploited unpatched vulnerabilities and traditional attack vectors. Social engineering attacks, mainly through spearphishing, were to blame in 21% of incidents.

After ransomware, the next most popular crimeware pattern (just under 40%) is Command and Control (C2), a type of malware which does not extract confidential information as such from the infected machine, but rather sits and waits for directions from the ‘command center’ of the attack. C2 is followed by smaller groups of backdoor, worm, downloader and spyware/keylogger malware varieties. In all, crimeware is responsible for nearly 7,000 incidents with primary targets in the Public and Manufacturing sectors.[7]

While ransomware seemed to have swept the globe in 2017, the largest volume of successful breaches was still attributed to web app attacks. By prevalence this group of breaches is the most dominant, aided by the commercialised capabilities of botnet-as-a-service. Such was the impact of botnets on the success of web app breaches that, if they were taken out of the equation, this group of breaches would take fifth place (after cyber-espionage, privilege misuse, miscellaneous errors and point of sale). Botnets are also to blame for the rise of DDoS incidents (an impressive 11,246 count contributing a quarter of all detected incidents in 2016).

The largest DDoS attack, which brought U.S. and European organisations to a standstill, relied on 100,000 malicious endpoints with a major attack strength of 1.2 terabits (1,200 gigabytes) per second. The Mirai botnet notoriously targeted Dyn, an organisation which controls a significant portion of the internet DNS infrastructure. The result of the October 2016 attacks was the outage of such internet service companies as Twitter, Reddit, Netflix and many others throughout the U.S. and Europe. While infecting regular computers and directing their resources for the attack, the Mirai botnet leveraged the computing power of IoT devices, including smart domestic appliances, cameras and DVR players.[8]

[6] McAfee Labs New Ransomware samples per quarter 2015-2016
[7] Verizon 2017 Data Breach Report. 10th Edition
[8] The Guardian (2016) DDoS attack that disrupted internet was largest of its kind in history. Available at: https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet

• Propelled by the computing power of unsecured smart appliances, the Mirai botnet activity continued to expand in 2016.

Espionage in cyber space, affecting the public sector and political institutions in particular, was brought to the forefront of media attention in 2016. Cyber espionage is the second cause of breaches following web app attacks. The incident to breach ratio is also the highest in this category (328 incidents and 289 confirmed data disclosures in 2017). Social engineering appears to be the main attack vector for gaining access to information. Attackers are pursuing long term goals, not necessarily with the objective of financial gain, and are highly selective of their victims.

• The U.S. Presidential “election hacking” scandal exposed the rising scale of information security breaches by hostile governments.

Our closing thought on this topic is that while the methods and attack vectors are evolving, cyber threats are still by and large ‘opportunistic’. The WannaCry ransomware exploited a Windows zero-day SMB (Server Message Block) vulnerability which led to hijacking of unpatched Windows OS systems since the support for Windows XP was stopped in 2014.

• Nearly 90% of RMS (Microsoft Rights Management System) registered attacks targeted vulnerabilities which are over a decade old.

90% of RMS (Microsoft Rights Management System) registered attacks targeted vulnerabilities which are over a decade old.

Financial gain remains the core motivation for cyber security breaches, accounting for nearly 73% of the total count. The great majority of breaches are perpetrated by outsiders (75%). It is still a concern for all industries that at least a third of breaches are discovered by third parties, leaving organisations with both brand damage and long-term loss of consumer confidence. Low security awareness of employees is cited as the rising barrier to establishing effective defences.[9] Emerging technologies are also considered high risk.

• Mobile malware is gaining ground with over a third of organisations affected in Africa, while the highest volumes of unique botnet families are reported in the Middle East and Latin America.

Cloud solutions and the IoT fears remain at the top of organisational security concerns, hindering their widespread adoption. The calls for greater governance of the emerging technologies and IoT in the wake of the latest attacks are likely to change the regulatory landscape in the near future.[10]

[9] CyberEdge Group 2016
[10] PwC (2017) The Global State of Information Security® Survey 2017. PricewaterhouseCoopers. Available at: http://www.pwc.com/gsiss. Accessed on [24/05/2017].


Starting From Within: Cyber Security Education

Skills shortage has been a recurring theme in recent reports. Whether it be in the IT industry as a whole, or cyber security in particular, employers cannot find the talent they need. Although attacks are growing in frequency and sophistication, the availability of sufficiently skilled security professionals is falling behind.

According to the Global State of Cyber Security Survey 2017, to deal with cyber security challenges businesses will need expertise in four key areas:
1. Collecting meaningful intelligence in real time
2. Assessing the organisational impact of that intelligence
3. Identifying actions to mitigate threats
4. Taking prompt technical, legal and operational action

These focal areas involve unique skill sets requiring technical expertise and resources. Therefore, the depth and breadth of IT expertise needed by organisations to achieve cyber security goals will command skilled professionals.

• Eight out of ten companies are more likely to hire a cyber security candidate with performance-based certification.
• More organisations are relying on threat intelligence to transform cyber security from reactive to proactive.



Concluding Remarks

89% of U.S. consumers believe that it is important for organisations to have cyber security certified employees.

With 89% of U.S. consumers believing that it is important for organisations to have cyber security certified employees[11], a 37% rise in security specialist recruitment is projected by 2022. The outlook in the U.S. and United Kingdom is similar. While the demand continues to exceed supply, the UK National Audit Office warns that the talent shortage in the cyber security jobs market will take years to fulfil. Over £27 billion is lost to cybercrime per year in the UK; while companies carry the vast majority of these losses, only 12% of organisations have faith in law enforcement capabilities to resolve cyber crimes.[12] Businesses turn to recruiting cyber security specialists in order to address these threats internally. The sector is facing difficulties in finding the right staff with appropriate competencies to meet the industry needs baseline. While an organisation’s employees are its greatest asset, a professional, accredited cyber security education program will be imperative in all sectors. The issue of talent shortage in cyber security becomes more acute under the political changes across the world and Europe in particular. This makes it all the more urgent that at Learning Tree we work together to show professionals the great opportunities which are open to them if they obtain cyber security training from a trusted provider.

Learning Tree is addressing the cyber security skills gap by helping to create a global cyber security workforce. By providing opportunities at different skill levels, Learning Tree is attracting and enabling cyber security professionals at every stage of their careers, helping to bridge the security talent shortfall of over 2 million.[13]

To learn more about Learning Tree’s Cyber Security Training Solutions, visit: LearningTree.se/Cyber or call 08-506 668 00.

[11] ISACA Risk/Reward Barometer. Consumer Study 2015. Available at: https://www.isaca.org/pages/2015-risk-reward-barometer.aspx
[12] The Global State of Information Security® Survey 2016
[13] UK House of Lords: Digital Skills Committee 2015


About Learning Tree International

Established in 1974, Learning Tree is a leading provider of IT training to business and government organisations worldwide. Learning Tree provides Workforce Optimisation Solutions, a modern approach to delivering learning and development services that improves the adoption of skills, and accelerates the implementation of technical and business processes required to improve IT service delivery. These services include: needs assessments, skill gaps analyses, blended learning solutions, and acceleration workshops.

Over 2.5 million professionals have enhanced their skills through Learning Tree’s extensive course library including: web development, cyber security, program and project management, Agile, operating systems, networking, cloud computing, leadership, and more. To learn more, call 08-506 668 00 or visit LearningTree.se

About the Author

Dr. Vladlena Benson, Learning Tree Consultant

Vladlena Benson is an Associate Professor at Kingston University and serves on the Board of Directors for ISACA ILC as Academic Relations and Research Directorate. She publishes widely and her research is recognised by the British Computing Society and the British Academy of Management.

Dr. Benson’s research focuses on personal information privacy online, trust formation, social networking behaviour and social commerce. Vladlena publishes her research on digital behaviour in well renowned journals such as Technology Forecasting and Social Change, Information Technology and People, Computers in Human Behaviour, International Journal of Human Computer Studies, British Journal of Educational Technology and others.


References

CyberEdge Group (2016) 2016 Cyberthreat Defense Report. CyberEdge Group. Available at: https://webroot-cms-cdn.s3.amazonaws.com/4814/5954/2435/2016_cyberedge_group_cyberthreat_defense_report.pdf Accessed on [24/05/2017].

Fortinet (2016) Threat Landscape Report 2016. Fortinet. Available at: https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-landscape-report.pdf Accessed on [24/05/2017].

PwC (2016) The Global State of Information Security® Survey 2016. PricewaterhouseCoopers. Available at: http://www.pwc.com/gsiss. Accessed on [24/05/2017].

PwC (2017a) Industry findings: Financial services. The Global State of Information Security® Survey 2017. PricewaterhouseCoopers. Available at: http://www.pwc.co.uk/industries/financial-services/insights/cbi-pwc-financial-services-survey.html. Accessed on [24/05/2017].

PwC (2017b) The Global State of Information Security® Survey 2017. PricewaterhouseCoopers. Available at: http://www.pwc.com/gsiss. Accessed on [24/05/2017].

UK Parliament Digital Skills Committee (2016) Digital skills crisis: Government Response to the Committee’s Second Report of Session 2016–17. Available at: https://www.publications.parliament.uk/pa/cm201617/cmselect/cmsctech/936/93602.htm Accessed on [24/05/2017].

Verizon (2017) Data Breach Investigations Report 2017. Available at: http://VerizonEnterprise.com. Accessed on [24/05/2017].

World Economic Forum (2016) Global Risks Perception Survey 2016. Available at: http://www3.weforum.org/docs/GRR17_Report_web.pdf Accessed on [24/05/2017].
